Recent posts

#91
General Discussion / Degraded printer functionality...
Last post by Lu - Today at 01:56:02 AM
I'm posting this in the hope others benefit from our pain. After a large Toshiba printer/MFC was replaced on our network with a newer model (an e-STUDIO3525AC), it had a great deal of trouble. The previous model had worked fine, and there were no changes to the OPNsense box's config between the two. Despite trying both dynamic and static network configs, IPv4-only, IPv6-only, etc., the new one could not get DNS resolution of any address, could not ping public IP addresses (even directly, like 8.8.8.8), and was generally poor at obtaining and holding onto its network config. It even complained at various points that the network cable wasn't connected. I used OPNsense's Interfaces > Diagnostics > Packet Capture, limited to the printer's MAC, and saw it was fairly chatty. I tested the new printer on a secondary physical network and all was okay, so it was something about the main network.

When I realised I could ping public addresses from my own PC, but not the firewall's, I found this thread about it. I enabled ICMP with this rule on the LAN interface, in order to test ping from the printer again:

Protocol      Source  Port  Destination    Port  Gateway  Schedule
IPv4+6 ICMP   *       *     This Firewall  *     *        *

To my surprise, everything started behaving. I'm not blaming OPNsense; I think the printer was deciding it wouldn't or couldn't do basic communication without the router responding to certain queries, or something. If you're experiencing such issues, they may be being triggered by default firewall policies.
#92
25.7, 25.10 Series / Re: Unable to watch YouTube
Last post by nicholaswkc - Today at 01:53:40 AM
Other sites are working perfectly, just YouTube isn't working. I don't have Squid.
#93
General Discussion / boost-libs: missing redis
Last post by Lucid1010 - Today at 12:53:03 AM

- check health

>>> Check for missing or altered package files
Checking all packages:
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/adapt.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/any_adapter.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/adapters.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/response_traits.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/result_traits.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/ignore.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/result.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/config.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/connection.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/connection_logger.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/coroutine.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/exec_fsm.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/health_checker.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/helper.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/multiplexer.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/reader_fsm.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/redis_stream.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/resp3_handshaker.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/write.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/error.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/ignore.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/connection.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/connection_logger.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/error.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/exec_fsm.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/ignore.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/log_to_file.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/logger.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/multiplexer.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/reader_fsm.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/request.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/resp3_handshaker.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/response.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/logger.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/operation.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/request.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/parser.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/serialization.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/type.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/node.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/parser.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/serialization.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/type.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/response.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/src.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/usage.hpp
Checking all packages............. done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.8 has 67 dependencies to check.
Checking packages: .................................................................... done
***DONE***

I previously installed and removed Redis for ntopng.
Given that boost-libs has a dependency on Redis, is it necessary to reinstall os-redis?
#94
General Discussion / How to block specific trackers...
Last post by Plus0974 - Today at 12:46:06 AM
I'm setting up ad/tracker blocking for the first time using the blocklists in Unbound DNS, and after doing some adblock tests I keep getting something saying it failed to stop the Google domain tracker "https://pagead2.googlesyndication.com". I tried adding it to the blocklist domains, but it still didn't show as successfully blocked. Is there somewhere else I'm supposed to paste it into, or something else I'm supposed to do?
#95
25.7, 25.10 Series / Re: Migrating IPsec Legacy to ...
Last post by thorstenR - Today at 12:16:05 AM
BTW: 25.7.8
#96
25.7, 25.10 Series / Migrating IPsec Legacy to Conn...
Last post by thorstenR - Today at 12:08:53 AM
I'm about to migrate a 25.7.8 IPsec configuration from legacy tunnels to the new connections mode. I read the migration hints at https://docs.opnsense.org/manual/vpnet.html#migrating-from-tunnels-to-connections using the swanctl.conf download & comparison method. Seemed pretty straightforward. But the new config fails to work at all.

A few important things to notice: my local OPNsense sits behind NAT-T, so my CARP IP and my identifier are not identical. Besides the installed policy routes, there must be a 1:1 rule between my local BGP running in the OPNsense os-frr module (10.205.11.1) and the BGP peer on the other end (10.205.208.30), otherwise all routes back to my environment wouldn't work - it initially only knows the BGP route and nothing else. The other end claims either that the BGP peer on my end could not be contacted (no TCP 179 traffic in the logs) and/or that the tunnel is not established at all. The shared secret is 100% accurate.

This is my running and working legacy config according to the export file:

connections {
    con4 {
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 10.205.11.1
        local-0 {
            id = 195.62.45.163
            auth = psk
        }
        remote-0 {
            id = 13.95.14.84
            auth = psk
        }
        encap = no
        remote_addrs = 13.95.14.84
        proposals = aes256-sha256-modp1024
        children {
            con4 {
                start_action = trap
                policies = yes
                mode = tunnel
                sha256_96 = no
                local_ts = 0.0.0.0/0,10.205.11.1
                remote_ts = 10.205.208.0/21,10.205.208.30,10.205.72.0/22,10.205.92.0/22
                reqid = 63
                esp_proposals = aes256-sha256-modp1024
                life_time = 27000 s
            }
        }
    }
}
pools {
}
secrets {
    ike-p1-0 {
        id-0 = 13.95.14.84
        secret = xxxx
    }
}

This is my migrated counterpart:

connections {
    a2840a37-e9f9-413d-804c-27c20b2eb2e6 {
        proposals = aes256-sha256-modp1024
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 10.205.11.1
        remote_addrs = 13.95.14.84
        encap = no
        send_certreq = no
        send_cert = never
        local-36f8606f-f753-447c-b540-f13b16e388d9 {
            round = 0
            auth = psk
            id = 195.62.45.163
        }
        remote-17e2d106-2cbd-4618-aff5-556002a6d703 {
            round = 0
            auth = psk
            id = 13.95.14.84
        }
        children {
            631762c1-93bc-4c8d-8b85-e632d87d0dab {
                reqid = 1000
                esp_proposals = aes256-sha256-modp1024
                sha256_96 = no
                start_action = trap|start
                close_action = trap
                dpd_action = trap
                mode = tunnel
                policies = yes
                local_ts = 0.0.0.0/0,10.205.11.1
                remote_ts = 10.205.208.0/21,10.205.208.30,10.205.72.0/22,10.205.92.0/22
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 631762c1-93bc-4c8d-8b85-e632d87d0dab
            }
        }
    }
}
pools {
}
secrets {
    ike-246570cb-9b0f-40b9-91d2-eee09afabd4e {
        id-0 = 10.205.11.1
        id-1 = 13.95.14.84
        secret = xxxx
    }
    ike-159cd80d-4fb5-479f-b263-8a7b74292b33 {
        id-0 = 195.62.45.163
        id-1 = 13.95.14.84
        secret = xxxx
    }
}

Can someone give me some advice on where my copy & paste artwork has gone in such a wrong direction? Do I have to put in more details in the case of NAT-T? I added the shared secret with both the local IP and the NAT identifier, just to make sure. With just one of the two, it worked even worse for phase 2. The original legacy-based configuration was created using the OPNsense UI years ago, with no customizations beyond that.

I'm lost.

Thank you!
Thorsten
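As an added example (not part of Thorsten's post or of OPNsense itself): a small parser for the brace syntax of swanctl.conf that flattens two fragments into dotted keys and lists the values that differ, which is the comparison the migration hint describes. Sections whose names are user-chosen or UUID-generated are keyed by their position among siblings (an assumption of this script, so that `con4` and a UUID-named block line up without renaming); the embedded inputs are constructed, shortened excerpts of the two configs above.

```python
import re

TOKEN = re.compile(r'([\w.-]+)\s*\{|(\})|([\w.-]+)\s*=\s*([^\n]*)')
FIXED = {'connections', 'children', 'secrets', 'pools'}  # keyword sections

def flatten(text):
    """Map 'connections.0.children.0.reqid' -> '63'; user-named sections
    (con4, a UUID) are keyed by sibling position so both trees line up."""
    out, path, count = {}, [], [0]
    for sect, close, key, val in TOKEN.findall(text):
        if sect:
            path.append(sect if sect in FIXED else str(count[-1]))
            count[-1] += sect not in FIXED   # only user-named siblings count
            count.append(0)
        elif close:
            path.pop()
            count.pop()
        else:
            out['.'.join(path + [key])] = val.strip()
    return out

def diff(legacy, migrated):
    """Keys whose value differs; None marks a key absent on that side."""
    a, b = flatten(legacy), flatten(migrated)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}

# constructed, shortened excerpts of the two configs quoted in the post
LEGACY = """connections {
  con4 {
    children {
      con4 {
        start_action = trap
        reqid = 63
        life_time = 27000 s
      }
    }
  }
}"""
MIGRATED = """connections {
  a2840a37-e9f9-413d-804c-27c20b2eb2e6 {
    children {
      631762c1-93bc-4c8d-8b85-e632d87d0dab {
        start_action = trap|start
        reqid = 1000
        rekey_time = 3600
      }
    }
  }
}"""
```

Calling `diff(LEGACY, MIGRATED)` returns each changed key with its old and new value, and the same functions work on the full exported files.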
#97
Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...
Last post by dirtyfreebooter - November 30, 2025, 11:20:56 PM
the answer is in the output

[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]

maybe stop setting sysctls you don't understand?
#98
25.7, 25.10 Series / Re: DNS Leaks on WG with Proto...
Last post by pitoucol - November 30, 2025, 11:19:55 PM
Hello

I am also facing the DNS leak issue.
Have you managed to get the correct configuration to avoid DNS leak?


Everything works fine, except that I cannot complete part 6 of https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html

Can you tell me what I need to set in the source field (IP address of your DNS server)? When I set it to 10.2.0.1, I get an error: nothing found.

Should I set my VPN interface instead?
Thanks
#99
General Discussion / Re: Is public-dns.info still a...
Last post by Mpegger - November 30, 2025, 11:10:54 PM
Already have 53 and 853 blocked, and 53 forwarded. I'm more concerned about DNS over HTTP, and supposedly that site also tracked DoH sites, and their list was updated daily. Keyword there seeming to be "was". Even looking at the country listings shows everything last being checked 2 or more years ago.

I should probably ask if there is a known reliable, regularly updated list of DoH servers to use for blocking purposes?
#100
Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...
Last post by GuruLee - November 30, 2025, 11:03:48 PM
Packet engine unexpectedly stopping again:

"netmap_register_if: igc2: NIOCREGIF ioctl failed for the interface: Cannot allocate memory"


sysctl -a | grep netmap
<6>[1] igc0: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc1: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc2: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc3: netmap queues/slots: TX 4/1024, RX 4/1024
[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]
[589] 040.736991 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[589] 040.746149 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
[4282] 733.380066 [1167] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
[4282] 733.388577 [1068] generic_netmap_dtor       Native netmap adapter for igc2 restored
[4282] 733.396065 [1072] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
[4283] 734.450093 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[4283] 734.458409 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
[612457] 909.096900 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[612457] 909.105824 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
[612457] 909.115040 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[612460] 911.336512 [1032] netmap_obj_malloc         netmap_ring request size 65792 too large
[612460] 911.344542 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
[612460] 911.358322 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
[612460] 911.369441 [ 853] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
[612460] 911.381402 [ 853] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
[612460] 911.390313 [1032] netmap_obj_malloc         netmap_ring request size 16640 too large
[612460] 911.397998 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
[619551] 003.041224 [ 853] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
[619551] 003.060934 [ 853] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
[619551] 003.069113 [1032] netmap_obj_malloc         netmap_ring request size 16640 too large
[619551] 003.077824 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
[619551] 003.094391 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[619551] 003.102632 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
[619551] 003.110504 [1167] generic_netmap_attach     Emulated adapter for wg1 created (prev was NULL)
[619551] 003.119470 [1032] netmap_obj_malloc         netmap_ring request size 65792 too large
[619551] 003.130807 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
[619551] 003.141617 [1072] generic_netmap_dtor       Emulated netmap adapter for wg1 destroyed
device netmap
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.port_numa_affinity: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 1000000
dev.netmap.buf_num: 1000000
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 1024
dev.netmap.ring_num: 1024
dev.netmap.ring_curr_size: 4096
dev.netmap.ring_size: 4096
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 4096
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
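As an added example (not from this thread): a triage script that scans netmap kernel messages like those above for allocation failures and pairs each with the bound it reports, or, for "request size ... too large", with the dev.netmap sysctl of the same pool. The embedded log and sysctl lines are constructed from the output above, and the pool-to-sysctl pairing (netmap_ring to dev.netmap.ring_size) is an assumption of this script.

```python
import re

# constructed sample lines, shaped like the dmesg and sysctl output above
LOG = """\
[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]
[612460] 911.336512 [1032] netmap_obj_malloc         netmap_ring request size 65792 too large
[612460] 911.344542 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
[612460] 911.369441 [ 853] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
[619551] 003.069113 [1032] netmap_obj_malloc         netmap_ring request size 16640 too large
[619551] 003.077824 [2017] netmap_mem2_rings_create  Cannot allocate RX_ring
"""
SYSCTL = """\
dev.netmap.ring_curr_size: 4096
dev.netmap.ring_size: 4096
dev.netmap.buf_size: 2048
"""
LINE = re.compile(r'^\[\d+\] [\d.]+ \[\s*\d+\] (\w+)\s+(.*)$')
RANGE = re.compile(r'requested (\w+) (\d+) out of range \[(\d+), (\d+)\]')
LARGE = re.compile(r'netmap_(\w+) request size (\d+) too large')

def parse_sysctl(text):
    return {k: int(v) for k, v in (ln.split(': ') for ln in text.splitlines() if ln)}

def triage(log, sysctls):
    """One (function, object, requested, bound) tuple per allocation failure.
    Assumption: the pool in 'netmap_<pool> request size' is sized by the
    dev.netmap.<pool>_size sysctl (netmap_ring -> ring_size)."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        func, msg = m.groups()
        if r := RANGE.search(msg):          # allocator parameter outside limits
            findings.append((func, r[1], int(r[2]), f'[{r[3]}, {r[4]}]'))
        elif t := LARGE.search(msg):        # object bigger than the pool's slot
            key = f'dev.netmap.{t[1]}_size'
            findings.append((func, t[1], int(t[2]), f'{key}={sysctls.get(key)}'))
        elif 'Cannot allocate' in msg:      # consequence of the failures above
            findings.append((func, msg.split()[-1], None, 'allocation failed'))
    return findings

if __name__ == '__main__':
    for func, obj, requested, bound in triage(LOG, parse_sysctl(SYSCTL)):
        print(f'{func}: {obj} requested={requested} bound={bound}')
```

On the sample, both ring requests (16640 and 65792 bytes) are reported against a ring_size of 4096 bytes, which is the comparison the kernel message itself is making.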