Recent posts

#81
Intrusion Detection and Prevention / Re: IPS PPPoE Interface
Last post by nicholaswkc - December 15, 2025, 10:08:07 AM
Can someone help to highlight this issue to FreeBSD Developers?
#82
25.7, 25.10 Series / Re: Unbound Blocklists - How t...
Last post by OPNenthu - December 15, 2025, 10:03:58 AM
Are we sure that the Unbound blocklists feature really supports targeting individual hosts?  The only place where it's hinted at is in the helptext for the Source Net(s) field, which gives 192.168.1.1 as an example input.  However, the field itself and the rest of the helptext talks only about networks.

Same for the docs: https://docs.opnsense.org/manual/unbound.html#blocklists

Quote: Multiple policies can be defined, each separated by one or more source nets. This means you can use blocklists or specific (wildcard) domains on specific networks, allowing more fine-grained control over your setup. The algorithm selects the most specific subnet when domains overlap across subnet sizes.

Might be good to raise a GitHub issue, at least for clarification.

EDIT: the helptext also says something about equally sized networks:

Quote: All specified networks should use the same protocol family and have equal sizes to avoid priority issues.

... not sure if that's per-blocklist entry or across all of them.
#83
25.7, 25.10 Series / Re: Unbound Blocklists - How t...
Last post by Patrick M. Hausen - December 15, 2025, 09:42:35 AM
Or use AdGuard Home which has a much nicer UI for tasks like this one.
#84
25.7, 25.10 Series / Re: Unbound Blocklists - How t...
Last post by gspannu - December 15, 2025, 09:39:34 AM
I have managed to work around this in a way by defining multiple CIDRs... Not the best solution, but it works.

1) Do not set any Unbound DNS blocklist for Guest clients

2) Changed my static DHCP settings for main LAN clients and assigned each a static IP
I segregated them into 4 groups - just for ease of management
192.168.1.0/26:    192.168.1.1 - 192.168.1.62
192.168.1.64/26:   192.168.1.65 - 192.168.1.126 (clients that do not need adblocking)
192.168.1.128/26:  192.168.1.129 - 192.168.1.190
192.168.1.192/26:  192.168.1.193 - 192.168.1.254

Now created an entry in Unbound Blocklists:
- Choose blocklists as desired
- Set source as 192.168.1.0/26, 192.168.1.128/26, 192.168.1.192/26 - so now all LAN clients except those in range 192.168.1.65 - 192.168.1.126 get ad-blocking.

I still feel that Unbound ad-blocking should either work sequentially and use the rules on first match, or each Unbound Blocklist entry should also have an exclude source list. This would make it much easier to use the adblocking feature.
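To make the /26 split above and the "most specific subnet" sentence from the docs concrete, here is a small model written for this page (it is not the OPNsense Unbound plugin's own code). POLICIES mirrors the three source nets in this post, MIXED_POLICIES is a constructed table with unequal prefix lengths, and the names most_specific_policy and check_partition are this example's own. The mixed table shows what pure longest-prefix matching would yield; the helptext's warning about equal-sized networks is exactly why the post avoids relying on that and splits the /24 into four equal /26s instead.

```python
import ipaddress

# Added example for this thread, not the OPNsense Unbound plugin's implementation:
# a model of "the algorithm selects the most specific subnet" applied to the
# Unbound Blocklists source nets, plus a sanity check of a CIDR split.

# Constructed policy table mirroring the post: three /26 source nets get the
# blocklist, and 192.168.1.64/26 is deliberately left out so it gets nothing.
POLICIES = {
    "192.168.1.0/26": {"ads"},
    "192.168.1.128/26": {"ads"},
    "192.168.1.192/26": {"ads"},
}

# Constructed alternative with mixed sizes: a /24 default plus a more specific
# /26 carve-out with no blocklists. Longest-prefix matching would exempt the /26,
# but the helptext warns against relying on unequal sizes.
MIXED_POLICIES = {
    "192.168.1.0/24": {"ads"},
    "192.168.1.64/26": set(),
}


def most_specific_policy(client_ip, policies):
    """Return (source_net, blocklists) for the longest prefix containing client_ip,
    or None when no source net matches (the client is subject to no blocklist)."""
    addr = ipaddress.ip_address(client_ip)
    best_net, best_lists = None, None
    for net_str, lists in policies.items():
        net = ipaddress.ip_network(net_str)
        # Skip other address families and nets that do not contain the client.
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_lists = net, lists
    if best_net is None:
        return None
    return str(best_net), best_lists


def check_partition(parent, nets):
    """Report which parts of `parent` the given source nets leave uncovered and
    which nets overlap each other. Returns (uncovered, overlaps), both sorted."""
    parent = ipaddress.ip_network(parent)
    nets = [ipaddress.ip_network(n) for n in nets]
    overlaps = sorted(
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    )
    remaining = [parent]
    for net in nets:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve net out of block; address_exclude yields the leftovers
                # (nothing at all when net == block).
                carved.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                continue  # block lies entirely inside net: fully covered
            else:
                carved.append(block)
        remaining = carved
    uncovered = sorted(str(n) for n in remaining)
    return uncovered, overlaps


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.100", "192.168.1.254"):
        print(ip, "->", most_specific_policy(ip, POLICIES))
    print("mixed sizes, .100 ->", most_specific_policy("192.168.1.100", MIXED_POLICIES))
    print("three nets vs /24 ->", check_partition("192.168.1.0/24", list(POLICIES)))
    four = list(POLICIES) + ["192.168.1.64/26"]
    print("four nets vs /24  ->", check_partition("192.168.1.0/24", four))
```

Running check_partition against the three policy nets reports 192.168.1.64/26 as the only uncovered block, which is the intended exemption; adding the fourth /26 reports no gaps and no overlaps, confirming the split is a clean partition of the /24.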
#85
25.7, 25.10 Series / Re: Suricata IPS Mode
Last post by nicholaswkc - December 15, 2025, 09:39:18 AM
Quote from: turipriv on December 03, 2025, 11:10:11 AM
Did you take a look at this topic?

https://forum.opnsense.org/index.php?topic=9741.0
I tried to read the posts but still do not understand it.

1. Configure the WAN interface as none (IPv4 Configuration Type none)
2. Add a new OPT interface with the PPPoE configuration just like it was a WAN PPPoE.
3. Configure Suricata as IPS on WAN.
#86
25.7, 25.10 Series / Re: random sFTP connection att...
Last post by Patrick M. Hausen - December 15, 2025, 09:12:03 AM
Quote from: franco on December 15, 2025, 08:43:35 AM
So you can already add a cron job with any kind of schedule, right?

Yes, but you cannot disable or change the default which is the entire point of this conversation.
#87
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - December 15, 2025, 08:52:34 AM
Hello,

Caddy works in my environment with Exchange 2016 CU22 (Windows Server 2016); in the same environment the UTM also works, but OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse proxy, and we have that in all three configurations.
I will try OPNWAF with an Exchange 2019 and report the results.
#88
General Discussion / Re: Squid crashing
Last post by ponchotear - December 15, 2025, 08:45:02 AM
A real quick discovery. This is important for being able to fix and manage access effectively. It's interesting to research and explore more about the auto-proxy configuration that Debian commonly uses.
#89
General Discussion / Re: Captive portal configurati...
Last post by tritesequence - December 15, 2025, 08:43:51 AM
This is an interesting question, but it requires understanding of captive portals shared across multiple VPN tunnels. The fact that four tunnels work normally but the fifth one fails is very likely due to a threshold issue. Please check if the portal is properly bound.
#90
25.7, 25.10 Series / Re: random sFTP connection att...
Last post by franco - December 15, 2025, 08:43:35 AM
So you can already add a cron job with any kind of schedule, right?

I don't mind disabling the default one or adding a visibility in cron for it which may be even better. It's just something that needs to be done in the right way and the current settings page where it sits is still a static PHP page we don't want to make more complex unless we have to. All input on GitHub regarding a dependable solution or an actual feature request is welcome.


Cheers,
Franco