Recent posts

#91
25.7, 25.10 Series / Re: Firewall rules based on UR...
Last post by Monviech (Cedrik) - December 10, 2025, 03:29:59 PM
Nice, thanks for the feedback. :)
#92
25.7, 25.10 Series / Re: Firewall rules based on UR...
Last post by thorben83 - December 10, 2025, 03:19:17 PM
Hello,
sorry for the late reply... your suggestion worked perfectly. Really cool. I just had to tweak a few things because my firewall runs on an internal corporate network and my uplink has private IP addresses. Maybe this helps someone in the future with a similar setup:

- Disable DNS Rebinding Checks in System -> settings -> administration.
- Services -> Unbound DNS -> Advanced -> Rebind protection networks -> remove internal networks that are on the uplink

Best regards
Thorben
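Added illustration (not code from the post, from OPNsense or from Unbound): a small stand-alone model of resolver-side rebind protection, showing what each of the two settings mentioned above permits. Unbound drops answers that resolve into a listed private network unless the queried name is exempted by a private-domain entry; the protected network list, the host names and the addresses below are all constructed for the example, and removing an entry is modelled as dropping any protected prefix that overlaps the uplink network.

```python
"""Model of resolver-side DNS rebinding protection (added illustration)."""
import ipaddress

# Constructed protection list: RFC 1918, loopback and link-local ranges.
# The exact default list shipped by OPNsense/Unbound is not reproduced here.
PROTECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "fe80::/10")
]


def in_protected_net(ip, nets):
    """True when the answer address lies inside any protected network."""
    addr = ipaddress.ip_address(ip)
    # A mixed IPv4/IPv6 membership test simply evaluates to False.
    return any(addr in net for net in nets)


def under_domain(qname, domain):
    """True when qname equals domain or is a subdomain of it."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def filter_answers(qname, answers, nets=PROTECTED_NETS, private_domains=()):
    """Apply the rebind check to one answer set.

    Returns (kept, dropped). An address inside a protected network is
    dropped unless the queried name is covered by private_domains, which
    is the per-name exception the resolver offers.
    """
    exempt = any(under_domain(qname, d) for d in private_domains)
    kept, dropped = [], []
    for ip in answers:
        if in_protected_net(ip, nets) and not exempt:
            dropped.append(ip)
        else:
            kept.append(ip)
    return kept, dropped


def nets_without(nets, uplink):
    """Model removing the uplink's entry from the protection list.

    Every protected prefix overlapping the uplink network is dropped, so a
    /8 entry disappears as a whole and all of that /8 becomes acceptable,
    not only the uplink prefix itself.
    """
    uplink = ipaddress.ip_network(uplink)
    return [n for n in nets if not n.overlaps(uplink)]


if __name__ == "__main__":
    # The firewall's own name resolving to an RFC 1918 uplink address.
    print(filter_answers("fw.corp.example", ["10.20.0.1"]))
    print(filter_answers("fw.corp.example", ["10.20.0.1"],
                         private_domains=("corp.example",)))
    # A public name trying to steer a client to an internal address.
    print(filter_answers("www.attacker.example", ["203.0.113.10", "192.168.1.1"]))
    # The same steering after the uplink's /8 has been removed from the list.
    print(filter_answers("www.attacker.example", ["10.99.0.1"],
                         nets=nets_without(PROTECTED_NETS, "10.20.0.0/16")))
```

Running it shows the trade-off between the two knobs: a private-domain exemption keeps the check for every other name, whereas removing the uplink's network entry (or disabling the check globally, which corresponds to an empty list) also admits answers for unrelated names that point into the same range.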
#93
Announcements / OPNsense 25.10.1 business edit...
Last post by franco - December 10, 2025, 02:40:16 PM
This business release is based on the OPNsense 25.7.8 community version
with additional reliability improvements, but without revamped Unbound
blocklists for the time being.

Please be aware that during the update check the new package manager will be
installed, but it will fail to report the update status as it always did before,
so you will end up with an error that requires checking for updates
again.  The fix is in this update, but it is impossible to install without upgrading
the package manager first.  We hope this will only be a minor inconvenience
during the process.

Also, Python has reported security issues, one of which, a DoS in http.client, could
potentially affect existing installations if an HTTP server sends
a malicious response that "can consume a large amount of memory and CPU time
and cause swapping".  Python has not released an update for version 3.11 at
this point in time.

Here are the full patch notes:

o system: use new file_safe() in two instances
o system: improve the HA VIP sync code
o system: simplify RRD backup code and remove exec() usage[1] (reported by Alex Williams from Pellera Technologies working with Trend Zero Day Initiative)
o system: move valid_from search criteria to log_matcher for faster end of search
o system: use file_safe() in gateway monitor watcher
o system: refactor factory reset page to MVC and add a reset per component operating on models
o system: fix a HA sync regression introduced in 25.7.6 that prevented a sync from succeeding in an edge case
o system: defaults: properly delete empty model containers in the configuration
o system: switch int/bool to string in gateway properties
o system: ignore TypeErrors when parsing log lines in the backend
o system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants
o system: add host route deletion support to system_host_route()
o system: move the general page host route removal to system_host_route()
o system: add CA chain to PKCS12 export
o system: fix hidden syslog HA XMLRPC sync option
o interfaces: fix permission of packet capture file in strict security mode
o interfaces: ifctl: always allow reads to internal state files
o interfaces: fix overview details button not working
o interfaces: support link-local IPv6 mode
o interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)
o interfaces: fix packet capture and ping buttons not working since 25.7.7
o interfaces: limit execution of sysctl scope in PPP device edit code
o interfaces: safer interfaces_pfsync_configure() handling
o firewall: refactor live log using a ring buffer
o firewall: add toggles to disable selected automatic rules
o firewall: enable "safe delete" for categories
o firewall: improved stats rendering on automation rules
o firewall: allow searching aliases in automation rules inspect mode by IP address
o firewall: automation: fix alias IP address search
o firewall: automation: allow interface parameter to contain a list of interfaces for API users
o firewall: aliases: replace invalid unicode chars (contributed by Marius Halden)
o firewall: live log: only execute redraw on visibility state transition
o firewall: live log: optimize viewbuffer rendering
o firewall: live log: prevent re-resolving in-flight requests and move host lookup to current filtered view
o firewall: live log: fix data ordering and add table/history limit options
o firewall: live log: use "badge" class like before
o firewall: live log: make this grid static and slightly adjust info column width
o firewall: live log: backwards compatibility for old "interface_name" field type
o firewall: live log: fix wrong variable scope
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: states: fix delete_selected firewall states (contributed by Alexander Sulfrian)
o firewall: do not allow nesting in GeoIP aliases
o firewall: automation: split search logic and normalize legacy output
o firewall: aliases: add a few GeoIP related logging messages
o firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use
o firewall: aliases: missing placeholder for username in basic auth type selection
o firewall: support "0" as valid rule ID in rule lookup redirect
o firewall: automation: add per-rule state timeouts for "udp.first", "udp.multiple" and "udp.single"
o captive portal: fix selectpicker #voucher-groups not being re-rendered after change event
o captive portal: move grid init to tab show event
o dnsmasq: strict hostname and domain validation plus improved ipset validations
o dnsmasq: add optgroup support to DHCP option fields and expose all DHCPv4 options
o dnsmasq: switch to file_safe() use in backend
o dnsmasq: minor safe execution changes in backend
o firmware: package manager upgrade changes for pkg 2.x
o intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm
o ipsec: sessions: add datakey property for row mapping
o ipsec: status: search phase 2 triggered twice on click and cleanup tooltip event as well
o ipsec: disable model caching on SPD page
o ipsec: add AES256GCM16 to the child ESP proposals list
o ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2
o ipsec: add "reqid_base" setting to advanced settings
o ipsec: sessions: fix missing commands translation
o ipsec: connections: prevent model caching when referring items within the same model
o isc-dhcp: adjust backend for safe execution
o kea-dhcp: automatic route support for PD leases
o kea-dhcp: case insensitive MAC address comparison
o openssh: minor safe execution change in backend
o openvpn: add support for pushing excluded routes via net_gateway (contributed by Patrice Damezin)
o openvpn: allow multiple domains settings for client connection (contributed by Krisztian Ivancso)
o openvpn: use file_safe() to write CRL files
o openvpn: swap description and mode in "tls_key" and require a description for static keys
o openvpn: one safe execution change
o openvpn: add fast-io option (contributed by mdten)
o radvd: safe execution changes
o unbound: use file_safe() for root hint creation
o unbound: deprecate unmaintained AdAway blocklist (contributed by Maurice Walker)
o unbound: duplicate pointer records due to not casting the field types
o unbound: missing lock in del_host_override action
o wireguard: add debug option to instances
o wireguard: fix wrong maximum value for "PersistentKeepalive"
o backend: add file_safe() helper for atomic file creation
o backend: rename "realif" variables to "device" in a number of spots
o backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that
o backend: extend shell_safe() to emulate exec() $output argument magic
o backend: reimplement existing command execution functions with Shell class implementation
o backend: replace mwexecf_bg() with mwexecfb() for clarity
o mvc: add RegexField to properly validate PCRE2 syntax
o mvc: support arrays in search clauses
o mvc: OptionField: properly translate optgroup
o mvc: JsonKeyValueStoreField: fix race condition when using SourceField in the model
o mvc: persist models description in root attribute of its respective configuration
o mvc: move translation to menu system and add "FixedName" property
o mvc: extend ModelRelationField so it can optionally disable caching
o mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)
o mvc: fix default sort order being ignored in fetchBindRequest()
o mvc: make "data_change_message_content" configurable
o rc: do not clear /tmp on a diskless install
o rc: secure an exec() in the recovery script
o shell: assorted cleanups in console menu related scripts
o ui: assorted adjustments for dark theme
o ui: always show bootgrid reset button
o ui: improve grid responsiveness via minWidth()
o ui: remove this.dataIdentifier as datakey defines the key to be used when asking "row-id" or getSelectedRows
o ui: SimpleActionButton: add support for icons in action buttons
o ui: recompile default themes using dart sass (1.93.2) which changes color rendering
o ui: keyboard shortcuts for "a"dvanced and "h"elp in MVC pages (contributed by Konstantinos Spartalis)
o ui: bail out on dynamic grid resize if data is loading
o ui: bootgrid: prevent full table redraw without onDataProcessed trigger
o ui: bootgrid: add missing datakeys to two pages
o ui: fix tokenizer event trigger loop
o plugins: os-OPNWAF 2.1
o plugins: os-ddclient 1.28[2]
o plugins: os-freeradius 1.9.28[3]
o plugins: os-frr 1.49[4]
o plugins: os-git-backup 1.1[5]
o plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy[6]
o plugins: os-q-feeds-connector 1.3[7]
o plugins: os-tailscale 1.3[8]
o plugins: os-tayga 1.3[9]
o plugins: os-theme-flexcolor 1.0 is a new 3-in-one theme[10] (contributed by Schnuffel2008)
o plugins: os-zabbix-proxy 1.15[11]
o src: dhclient: improve UDP checksum handling
o src: dummynet: move excessive logging messages under debug output
o src: ice: add PCI IDs for E835 devices
o src: ice: add support for E835-XXV-4 adapter
o src: if_vxlan: fix byteorder of source port
o src: ifconfig: assorted stable branch improvements
o src: igb: fix out-of-bounds register access on VFs
o src: ipfw: check for errors from sooptcopyin() and sooptcopyout()
o src: ipfw: pmod: avoid further rule processing after tcp-mod failures
o src: ix/ixv: add support for new Intel Ethernet E610 family devices
o src: ixl: fix multicast promiscuous mode state tracking and filter management
o src: net: validate interface group names in ioctl handlers
o src: netlink: in snl_init_writer() do not overwrite error in case of failure
o src: pf: improve add state validation
o src: pf: improve DIOCRCLRTABLES validation
o src: pf: SCTP abort messages fully close the connection
o src: sctp, tcp, udp: improve deferred computation of checksums
o src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets[12]
o src: vtnet: assorted stable branch improvements
o ports: curl 8.17.0[13]
o ports: kea 3.0.2[14]
o ports: libxml 2.14.6[15]
o ports: nss 3.118.1[16]
o ports: openssh 10.2p1[17]
o ports: openvpn 2.6.17[18]
o ports: pcre2 10.47[19]
o ports: php 8.3.28[20]
o ports: pkg 2.3.1
o ports: python 3.11.14[21]
o ports: sqlite 3.50.4[22]
o ports: strongswan 6.0.3[23]
o ports: suricata 8.0.2[24]
o ports: syslog-ng 4.10.2[25]
o ports: unbound 1.24.2[26]


Stay safe,
Your OPNsense team

--
[1] https://www.cve.org/cverecord?id=CVE-2025-13698
[2] https://github.com/opnsense/plugins/blob/stable/25.7/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/git-backup/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/25.7/net/tayga/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/25.7/misc/theme-flexcolor/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc
[13] https://curl.se/changes.html#8_17_0
[14] https://downloads.isc.org/isc/kea/3.0.2/Kea-3.0.2-ReleaseNotes.txt
[15] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_118_1.html
[17] https://www.openssh.com/txt/release-10.2
[18] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[19] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.47
[20] https://www.php.net/ChangeLog-8.php#8.3.28
[21] https://docs.python.org/release/3.11.14/whatsnew/changelog.html
[22] https://sqlite.org/releaselog/3_50_4.html
[23] https://github.com/strongswan/strongswan/releases/tag/6.0.3
[24] https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/
[25] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.2
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
#94
Quote from: kevingg on November 23, 2025, 06:37:35 PM: I have increased my RAM. But still issues. Now I am using texttoolz.

I also use this tool; it is good. Thanks for sharing it.
#95
German - Deutsch / Re: GeoIP (Maxmind) no longer...
Last post by kosta - December 10, 2025, 02:35:03 PM
Quote from: viragomann on December 10, 2025, 09:04:14 AM: When I create a new Geo alias, I immediately get the country selection.

Hm, I get that too. Maybe my old Maxmind is somehow still stored somewhere and the "new" one isn't working?
I also have to say that the restore of the backup worked fine, except for GeoIP, where the old URL was still in there, but nothing more. Despite the old config, the error message came after the restore.
#96
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by Monviech (Cedrik) - December 10, 2025, 02:23:29 PM
Question, is it new that it happens?
Or did it work and stopped working at some point?

The last time I checked was when I created the template for this feature: I created a full Exchange (2019) + AD (Server 2022) test environment and used Outlook (Office 2019) to verify it.

If somebody could help to debug a few assumptions that would help, because a test setup will always be a test setup and not reality.
#97
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by SBN-EP - December 10, 2025, 01:53:49 PM
We have the same problem with several customers.

Your suggestion didn't help me.
The login window still appeared intermittently.
Do you have any other ideas?

@humnab, did Monviech's (Cedrik) suggestion help you?

Thanks
#98
General Discussion / Re: still see traffic going ou...
Last post by RamSense - December 10, 2025, 01:17:59 PM
Firewall rules are processed from top to bottom, so top
#99
25.7, 25.10 Series / Re: Time based Shaper?
Last post by knebb - December 10, 2025, 12:51:21 PM
Hi,

meanwhile I used the Shaper rules and it is working so far.

I re-checked the Shaper documentation and the provided examples. I re-created my rules (and re-checked pipes and queue settings).
Now the setup is as follows:
Pipes (low limits for testing purposes)
  • Global Upload --> 70Mb/s
  • Global Download --> 80MB/s

Queues
  • VOIP Upload, weight 80 --> Global Upload Pipe
  • VOIP Download, weight 80 --> Global Download Pipe
  • LAN Upload, weight 15 --> Global Upload Pipe
  • LAN Download, weight 15 --> Global Download Pipe

Rules (192.168.9.0/24 is the remote VPN LAN while 192.168.1.0/24, 192.168.30.0/24 are the local ones)
  • Seq 3, WireguardGroup, SRC 192.168.9.0/24, DST any, IN --> LAN Download Queue
  • Seq 4, WireguardGroup, SRC any, DST 192.168.9.0/24, OUT --> LAN Upload Queue
  • Seq 10, WAN, SRC 192.168.30.0/24, DST any, OUT --> VOIP Upload Queue
  • Seq 11, WAN, SRC 192.168.1.0/24, DST any, OUT --> LAN Upload Queue
  • Seq 20, WAN, SRC any, DST 192.168.30.0/24, IN --> VOIP Download Queue
  • Seq 21, WAN, SRC any, DST 192.168.1.0/24, IN --> LAN Download Queue

Now I can see the limits working fine on traffic between LAN and Internet, in both directions.

BUT!
Traffic to/from the Wireguard VPN is not limited at all. So I guess the weighting is not taken into account here. Which might interfere with the VOIP traffic being capped by large VPN traffic...

Before going further (and trying to start with the FW rules) I need to know why the Wireguard traffic is not limited. Even when the interface (wireguardGroup) is wrong, it should be limited by the default LAN rule, shouldn't it?

Confused,

/KNEBB



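Added illustration (not OPNsense code and not the poster's configuration): a stand-alone model that takes the six shaper rules listed in the post above, evaluates them in sequence order against constructed packets and reports which queue each packet would land in. It assumes the shaper picks the first rule whose interface, direction, source and destination all match. The firewall WAN address 198.51.100.2 and the peer endpoint 192.0.2.9 are constructed. The point it makes visible is that the tunnel as seen on WAN is an outer UDP packet between the two endpoint addresses, so WAN rules keyed on LAN prefixes never see the inner 192.168.9.0/24 flow; only rules on the WireGuard interface can match it after decapsulation.

```python
"""First-match traffic shaper rule selection (added illustration)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ShaperRule:
    seq: int
    interface: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    direction: str    # "in" or "out"
    queue: str


@dataclass(frozen=True)
class Packet:
    interface: str    # interface the shaper sees the packet on
    src: str
    dst: str
    direction: str


# The rule set as listed in the post.
RULES = [
    ShaperRule(3, "WireguardGroup", "192.168.9.0/24", "any", "in", "LAN Download"),
    ShaperRule(4, "WireguardGroup", "any", "192.168.9.0/24", "out", "LAN Upload"),
    ShaperRule(10, "WAN", "192.168.30.0/24", "any", "out", "VOIP Upload"),
    ShaperRule(11, "WAN", "192.168.1.0/24", "any", "out", "LAN Upload"),
    ShaperRule(20, "WAN", "any", "192.168.30.0/24", "in", "VOIP Download"),
    ShaperRule(21, "WAN", "any", "192.168.1.0/24", "in", "LAN Download"),
]


def _addr_matches(spec, ip):
    """'any' matches everything; otherwise test CIDR membership."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def select_queue(rules, pkt):
    """Return the queue of the first matching rule, or None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if (rule.interface == pkt.interface and rule.direction == pkt.direction
                and _addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)):
            return rule.queue
    return None


def classify(rules, packets):
    """Map each flow label to the queue selected for its packet."""
    return {label: select_queue(rules, pkt) for label, pkt in packets}


# Constructed flows: plain LAN/VoIP traffic, the WireGuard tunnel as seen on
# WAN (outer UDP packet between endpoint addresses, constructed), and the same
# flow after decapsulation as seen on the WireGuard interface.
SAMPLE_FLOWS = [
    ("lan to internet", Packet("WAN", "192.168.1.10", "203.0.113.7", "out")),
    ("internet to lan", Packet("WAN", "203.0.113.7", "192.168.1.10", "in")),
    ("voip to internet", Packet("WAN", "192.168.30.5", "203.0.113.7", "out")),
    ("tunnel outer, out", Packet("WAN", "198.51.100.2", "192.0.2.9", "out")),
    ("tunnel outer, in", Packet("WAN", "192.0.2.9", "198.51.100.2", "in")),
    ("tunnel inner, in", Packet("WireguardGroup", "192.168.9.5", "192.168.1.10", "in")),
    ("tunnel inner, out", Packet("WireguardGroup", "192.168.1.10", "192.168.9.5", "out")),
]

if __name__ == "__main__":
    for label, queue in classify(RULES, SAMPLE_FLOWS).items():
        print(f"{label:20s} -> {queue}")
```

Under this model the encapsulated tunnel packets on WAN hit no rule at all, while the decapsulated flows on the WireGuard interface hit seq 3 and seq 4; whether the real shaper sees the flows on that interface is exactly what the post asks, and the model does not answer that.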
#100
Italian - Italiano / Fastweb FTTH 2.5GB ONT TIM with...
Last post by maverick59 - December 10, 2025, 12:29:45 PM
Hi everyone

I am trying to configure the Beelink EQ14 with OPNsense 25.7 in place of the Cisco router I have on the Fastweb 2.5G FTTH with a TIM ONT (2.5G) and a dedicated public IP.

Fastweb does not use PPPoE; instead it checks the MAC address of the device connected to the ONT. I therefore configured VLAN 835 and assigned it to the WAN interface of OPNsense.
IPv4 in DHCP mode, MAC address equal to that of the Cisco interface the ONT was connected to (G0/0/1.835).
I have not set any other option, since, as said, I do not use the Fastgate but already a free router, working perfectly, but limited by its 1 Gb WAN interface.

I cannot get the public IP assigned to the interface. The link on the WAN port is obviously UP, negotiating at 2.5 Gbit/s.

Has anyone found themselves in the same situation? Are there other parameters to set? The Cisco WAN interface is set up like this:

interface GigabitEthernet0/0/1.835
 description TO_TIM_FW_25_ONT
 encapsulation dot1Q 835
 ip address dhcp
 ip nat outside
 ip access-group ALLOWED in
end

Below are the settings of the OPNsense WAN and WAN_835 interfaces.

Has anyone already been in this situation?
Thanks