Recent posts

#81
Hardware and Performance / Re: power management under cor...
Last post by OPNenthu - December 08, 2025, 01:48:46 PM
On second thought, I think at least the PowerD disablement worked.  "dev.cpu.0.cx_lowest: C1"

Not sure why the NIC still says ASPM L1(L1), which is the same as before the change.
#82
25.7, 25.10 Series / Re: 25.7.9 update and WireGuar...
Last post by meyergru - December 08, 2025, 01:47:04 PM
The problem is / was probably present before. If you use DNS names for wireguard peers, then the daemon will only resolve them once on start and never recognizes if the peer's IP changes. There is a cron job "Renew DNS for Wireguard on stale connections" which will restart Wireguard. You can run that job every 5 minutes and it will probably fix the DNS resolution problem during startup, too (at least after 5 minutes).

This has been reported over and over, so now I appended it as point 30 here: https://forum.opnsense.org/index.php?topic=42985.0


#83
25.7, 25.10 Series / Re: 25.7.8 Wireguard road warr...
Last post by s1l3nce - December 08, 2025, 01:45:52 PM
Could your issue be related to this?
#84
Hardware and Performance / power management under coreboo...
Last post by OPNenthu - December 08, 2025, 01:42:58 PM
For those with coreboot firmware, particularly Protectli units that have the optional UEFI, I'm curious if you have control over power management (e.g. ASPM and PowerD/SpeedStep) at the OS level?

The coreboot/Dasharo menu itself doesn't have options for those, so I'm not sure if that means the functions are locked at whatever the manufacturer set them to.  I have disabled PowerD in OPNsense and also set the tunable 'hw.pci.enable_aspm=0', but this is what I see on reboot:

root@firewall:~ # sysctl hw.pci.enable_aspm
hw.pci.enable_aspm: 0

root@firewall:~ # pciconf -lcv igc2
igc2@pci0:4:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 0 corrected
    ecap 0003[140] = Serial 1 <redacted>
    ecap 0018[1c0] = LTR 1
    ecap 001f[1f0] = Precision Time Measurement 1
    ecap 001e[1e0] = L1 PM Substates 1

root@firewall:~ # sysctl dev.cpu.0
dev.cpu.0.temperature: 34.0C
dev.cpu.0.coretemp.throttle_log: 0
dev.cpu.0.coretemp.tjmax: 105.0C
dev.cpu.0.coretemp.resolution: 1
dev.cpu.0.coretemp.delta: 71
dev.cpu.0.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.0.cx_usage_counters: 347858 0 0
dev.cpu.0.cx_usage: 100.00% 0.00% 0.00% last 322us
dev.cpu.0.cx_lowest: C1
dev.cpu.0.cx_supported: C1/1/1 C2/2/127 C3/3/253
dev.cpu.0.freq_levels: 2001/10000 2000/10000 1800/8793 1600/7632 1400/6524 1200/5466 1000/4445 800/3472
dev.cpu.0.freq: 2001
dev.cpu.0.%iommu:
dev.cpu.0.%parent: acpi0
dev.cpu.0.%pnpinfo: _HID=ACPI0007 _UID=0 _CID=none
dev.cpu.0.%location: handle=\_SB_.CP00
dev.cpu.0.%driver: cpu
dev.cpu.0.%desc: ACPI CPU

If I'm interpreting correctly, the settings had no effect and power management is still fully active.  Is that correct/expected?
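Added example (not from OPNenthu's post and not OPNsense or FreeBSD code): a small Python parser for the two outputs above, so the same check can be re-run after every tunable change instead of being read by eye. It relies on the layout pciconf uses for the link line, "ASPM enabled(supported)", and on the "name/type/latency" tokens of cx_supported; the sample inputs are trimmed copies of the posted output, and the function names and summary layout are this example's own.

```python
"""Added example, not from the forum post and not OPNsense code: parse the
`pciconf -lcv` and `sysctl dev.cpu.N` output shown in the thread and report
the power-management state they describe. Sample inputs below are trimmed
copies of the posted output; function names and the summary layout are mine."""
import re

PCICONF_SAMPLE = """\
igc2@pci0:4:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
    ecap 001e[1e0] = L1 PM Substates 1
"""

SYSCTL_SAMPLE = """\
dev.cpu.0.cx_lowest: C1
dev.cpu.0.cx_supported: C1/1/1 C2/2/127 C3/3/253
dev.cpu.0.freq: 2001
"""

DEVICE_RE = re.compile(r"^(\S+)@pci\d+:\d+:\d+:\d+:")
# pciconf prints "ASPM <enabled>(<supported>)", e.g. "ASPM L1(L1)" or "ASPM disabled(L0s/L1)"
ASPM_RE = re.compile(r"\bASPM\s+([^\s(]+)\(([^)]+)\)")
POWERSPEC_RE = re.compile(r"powerspec\s+\d+\s+supports\s+(.*?)\s+current\s+(\S+)")
SYSCTL_RE = re.compile(r"^dev\.cpu\.(\d+)\.([^:\s]+):\s*(.*)$")

def parse_pciconf(text):
    """Map device name -> {aspm_enabled, aspm_supported, d_state} from pciconf -lcv."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = m.group(1)
            devices[current] = {}
            continue
        if current is None:
            continue
        m = ASPM_RE.search(line)
        if m:
            devices[current]["aspm_enabled"] = m.group(1)
            devices[current]["aspm_supported"] = m.group(2)
        m = POWERSPEC_RE.search(line)
        if m:
            devices[current]["d_state"] = m.group(2)
    return devices

def parse_sysctl_cpu(text):
    """Map cpu index -> {sysctl leaf name: value} from `sysctl dev.cpu.N` output."""
    cpus = {}
    for line in text.splitlines():
        m = SYSCTL_RE.match(line)
        if m:
            cpus.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return cpus

def pm_summary(pci_text, sysctl_text, cpu=0):
    """Combine both parsers: per-device ASPM state plus the CPU idle-state cap."""
    devices = {}
    for name, info in parse_pciconf(pci_text).items():
        if "aspm_enabled" in info:
            devices[name] = {
                "aspm": info["aspm_enabled"],
                "aspm_active": info["aspm_enabled"] != "disabled",
                "aspm_supported": info["aspm_supported"],
                "d_state": info.get("d_state"),
            }
    c = parse_sysctl_cpu(sysctl_text).get(cpu, {})
    # cx_supported tokens are name/type/latency, e.g. C3/3/253
    supported = [tok.split("/")[0] for tok in c.get("cx_supported", "").split()]
    lowest = c.get("cx_lowest")
    return {
        "devices": devices,
        "cpu": {
            "cx_lowest": lowest,
            "cx_deepest_supported": supported[-1] if supported else None,
            # True when cx_lowest stops short of the deepest state the CPU offers
            "deep_cstates_unused": bool(supported) and lowest is not None and lowest != supported[-1],
        },
    }

if __name__ == "__main__":
    import json
    print(json.dumps(pm_summary(PCICONF_SAMPLE, SYSCTL_SAMPLE), indent=2))
```

On a live box the two samples would be replaced by the output of `pciconf -lcv` and `sysctl dev.cpu.0`; the summary then shows per device whether ASPM is currently enabled at the link (as opposed to merely supported) and, for the CPU, how far below the deepest supported C-state cx_lowest sits.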
#85
25.7, 25.10 Series / Re: Resolved: Update 25.7 -> 2...
Last post by gdur - December 08, 2025, 01:41:39 PM
Same here. Unclear which log to check to see what went wrong. Other than that it seems to run fine...

I found this error:

    user root failed authentication for sshd on OPNsense\Auth\Services\System via OPNsense\Auth\LDAP

Could this be the case?
#86
25.7, 25.10 Series / 25.7.9 update and WireGuard
Last post by s1l3nce - December 08, 2025, 01:28:10 PM
I have a WireGuard server running on my OPNsense firewall. After the last update (25.7.9) none of the WG clients could connect to the server. I checked the log and this is what it said:

/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `DNS_NAME:PORT' Configuration parsing error"

I censored the DNS names. I have 2 errors because I have 2 configurations/2 DNS.

Disabling and re-enabling WireGuard from the GUI fixed the problem.

To temporarily fix the issue I had to do the following:

1. Log into the firewall through ssh.

2. Create the script file:

nano /usr/local/etc/rc.syshook.d/start/99-wireguard-restart

3. Input this text in the file:

#!/bin/sh
# Wait for WAN + DNS (AdGuard/Unbound) to be ready
sleep 10
# Fully restart all WireGuard instances (same effect as GUI Enable/Apply)
/usr/local/bin/php /usr/local/opnsense/scripts/wireguard/wg-service-control.php -a restart
exit 0

4. Add execution rights to the file:

chmod +x /usr/local/etc/rc.syshook.d/start/99-wireguard-restart

I suppose this issue is caused by an improper order in the execution of certain services.
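Added example (not s1l3nce's script, not meyergru's cron job, and not OPNsense or WireGuard code) covering both the "Name does not resolve" failure in this post and the resolve-once problem described in #82: a preflight check that parses a WireGuard .conf, lists peer Endpoints written as DNS names that cannot be resolved right now (what `wg syncconf` would trip over), and, given the output of `wg show <if> endpoints`, flags peers whose live endpoint IP no longer matches what their name currently resolves to. The config, peer keys, addresses and the `wg show` lines are constructed placeholders; the resolver is injectable so the check can be exercised without network access.

```python
"""Added example, not the poster's script and not OPNsense/WireGuard code:
(a) list DNS-name Endpoints that do not resolve now ("Name does not resolve"),
(b) flag peers whose live endpoint from `wg show <if> endpoints` no longer
matches the name's current addresses. All keys, names, addresses constructed."""
import ipaddress
import socket

# Constructed config: one DNS-name endpoint, one IPv6 literal, one IPv4 literal.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_1
Endpoint = peer1.example.invalid:51820
AllowedIPs = 10.10.0.2/32

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_2
Endpoint = [2001:db8::1]:51820
AllowedIPs = 10.10.0.3/32

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_3
Endpoint = 192.0.2.10:51820
AllowedIPs = 10.10.0.4/32
"""

# Constructed `wg show wg1 endpoints` output: pubkey TAB endpoint, one peer per line.
WG_SHOW_SAMPLE = (
    "PLACEHOLDER_PEER_KEY_1\t198.51.100.7:51820\n"
    "PLACEHOLDER_PEER_KEY_2\t[2001:db8::1]:51820\n"
    "PLACEHOLDER_PEER_KEY_3\t192.0.2.10:51820\n"
)

def split_host_port(value):
    """Split 'host:port' or '[v6]:port' into (host, int(port))."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, int(rest.lstrip(":"))
    host, _, port = value.rpartition(":")
    return host, int(port)

def parse_peers(conf_text):
    """Return [{'pubkey', 'host', 'port'}] for every [Peer] that has an Endpoint."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line[1:-1].lower() == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "publickey":
            current["pubkey"] = value
        elif key.lower() == "endpoint":
            current["host"], current["port"] = split_host_port(value)
    return [p for p in peers if "host" in p]

def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def default_resolver(host):
    """System resolver; returns the list of addresses, empty when resolution fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def unresolved_endpoints(conf_text, resolver=default_resolver):
    """(host, port) of every DNS-name endpoint the resolver cannot resolve now."""
    return [(p["host"], p["port"]) for p in parse_peers(conf_text)
            if not is_literal_ip(p["host"]) and not resolver(p["host"])]

def parse_wg_show_endpoints(text):
    """Parse `wg show <if> endpoints`: pubkey<TAB>endpoint, '(none)' when unset."""
    live = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] != "(none)":
            live[parts[0]] = split_host_port(parts[1])
    return live

def stale_endpoints(conf_text, wg_show_text, resolver=default_resolver):
    """Pubkeys of peers whose live endpoint IP is not among the name's current addresses."""
    live = parse_wg_show_endpoints(wg_show_text)
    stale = []
    for p in parse_peers(conf_text):
        if is_literal_ip(p["host"]) or p["pubkey"] not in live:
            continue
        resolved = resolver(p["host"])
        if resolved and live[p["pubkey"]][0] not in resolved:
            stale.append(p["pubkey"])
    return stale

if __name__ == "__main__":
    print("unresolved:", unresolved_endpoints(SAMPLE_CONF))
    print("stale:", stale_endpoints(SAMPLE_CONF, WG_SHOW_SAMPLE))
```

Run against a real instance, `unresolved_endpoints` would read the .conf and use the system resolver, so a non-empty result before `wg syncconf` is the early warning that the sync is going to fail; `stale_endpoints` is the condition the "Renew DNS for Wireguard on stale connections" job is there to catch, and a resolver failure (empty list) is deliberately not treated as stale, so a transient DNS outage does not trigger a restart.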
#87
25.7, 25.10 Series / Re: Exclude domain from firewa...
Last post by meyergru - December 08, 2025, 01:10:31 PM
Firewall aliases are meant to be used with pf rules. pf acts on IPs and subnets. So what should a DNS "domain" mean in that context?

It is not even a specific hostname within a domain, which could at least be resolved to an IP (or a set of IPs).

You can use domains in DNSBL lists to block DNS resolution of specific names, but that is another concept that has nothing to do with firewall rules (and aliases).
#88
25.7, 25.10 Series / Re: 25.7.8 Wireguard road warr...
Last post by FredFresh - December 08, 2025, 12:59:36 PM
Have you tried to use traceroute instead of ping?
#89
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by vpx - December 08, 2025, 12:55:42 PM
Hi Q-Feeds,

I just wanted to mention that the banner in your notification mails doesn't look right in Outlook Classic, it's way too big. At home in my browser on outlook.com it looked fine.
 
Maybe you can fix this. If you don't have Outlook Classic for testing I can look at it after you did some changes.
#90
25.7, 25.10 Series / [SOLVED] KEA hostnames in the...
Last post by FredFresh - December 08, 2025, 12:39:54 PM
Hi,

Is there a way to see the host names specified in the KEA DHCP reservations (internal subnets) inside the firewall live view log?

In the live view page, with "Lookup hostnames" activated, I see the IP address twice (for internal IPs) and the domain for the external IPs.

Thanks