Recent posts

#91
26.1 Series / Re: Suricata - Divert (IPS)
Last post by szix96 - February 03, 2026, 03:07:59 PM
Hello,

Sorry, I'm having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the pic, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.
#92
26.1 Series / Re: hostwatch db grows rapidly
Last post by franco - February 03, 2026, 03:03:04 PM
Is hostwatch running and is 1.0.11 installed?


Cheers,
Franco
#93
26.1 Series / Re: hostwatch db grows rapidly
Last post by kopfschmerzen - February 03, 2026, 02:48:36 PM
I too see a massive hostdb database. Much higher CPU and RAM usage too as it has been growing. I am running 26.1_4 and have rebooted several times. Any suggestions on how to shrink it or get it back to normal? Thanks!

drwxr-xr-x   2 hostd hostd uarch    5B Jan 29 08:20 ./
drwxr-xr-x  25 root  wheel uarch   35B Feb  3 08:27 ../
-rw-r--r--   1 hostd hostd uarch  4.1M Feb  3 08:28 hosts.db
-rw-r--r--   1 hostd hostd uarch  1.0G Feb  3 08:38 hosts.db-shm
-rw-r--r--   1 hostd hostd uarch  1.0T Feb  2 07:53 hosts.db-wal

#94
26.1 Series / Re: The upgrade was aborted du...
Last post by eric_zrgoq14k - February 03, 2026, 02:36:17 PM
Well the output is a surprise for me, lol ;-)


# opnsense-version kernel
26.1
# uname -a
FreeBSD OPNsense.localdomain 14.3-RELEASE-p7 FreeBSD 14.3-RELEASE-p7 stable/26.1-n271965-1bab7230df71 SMP amd64

But according to the GUI I am on:
System Information
Versions
OPNsense 25.7.11_9-amd64
FreeBSD 14.3-RELEASE-p7

And 25.7.11_9 is also showing in the console menu.


Cheers, Eric

#95
26.1 Series / Re: Floating rules disappeared ...
Last post by Jose - February 03, 2026, 02:20:50 PM
Quote from: fobe on February 03, 2026, 07:22:36 AM
If I do a fresh install, will this be "fixed"? (I mean the default lockout rules).

I always upgrade/test on a new ZFS BE; however, this time I've performed a fresh install (VM) + Config Restore to see how things will be after recovering from hardware failures, and the behavior you've described is just the same, so a reinstall may be unnecessary; just play with the filter as @Bob.Dig previously denoted.

That being said, this is simply a bulletproof/resilient firewall appliance when deployed on ZFS either bare-metal or virtualized, kudos to the OPNsense developer/contributor team.

Regards
#96
26.1 Series / Re: Destination NAT: Configura...
Last post by franco - February 03, 2026, 02:07:10 PM
This is strange. Maybe there's something wrong in the initial data?

# pluginctl -v

Ignore some of the noise. We want to find DNat-specific complaints.

The rules aren't gone since they were not migrated, which could also point to the fact that the model doesn't like something in the initial data.

A full dump can be done with

# pluginctl -g nat

but don't paste it here. Just see if your hidden rules are still there and maybe we can find out why they are different.


Cheers,
Franco
#97
26.1 Series / Re: One of the two NICs stops ...
Last post by scottini - February 03, 2026, 02:04:32 PM
Thank you, the solution worked for me.
#98
26.1 Series / Re: The upgrade was aborted du...
Last post by franco - February 03, 2026, 02:02:54 PM
Hi Eric,

OK, I think there's something wrong with the fact that your system is not downloading a kernel anymore.

Can you show me the following?

# opnsense-version kernel
# uname -a


Cheers,
Franco
#99
26.1 Series / IPSec VTI and Reply-TO problem
Last post by d4rkd3n1337 - February 03, 2026, 01:54:43 PM
Hello!
I have the following topology:

VPS (iptables) <‑‑ IPSec VTI <‑‑ OPNsense <‑‑ WebServer
3.3.3.3 | [10.64.0.2/30 <‑‑ 10.64.0.1/30] | 2.2.2.2 <‑‑ 192.168.100.4

  • 3.3.3.3 – public IP address of the VPS.
  • 2.2.2.2 – public IP address of the OPNsense box.
  • 10.64.0.0/30 – address space used for the IPSec VTI tunnel.
  • 10.64.0.2 is advertised as the gateway on the tunnel side of OPNsense.

The tunnel is up and functioning.

When an inbound packet arrives from the VPS side, I can see it reach OPNsense and then be delivered to the WebServer (TCP SYN). However, the client never receives a reply.

What I have tried:

1) Policy‑Based Routing (PBR) on the WebServer's network – set 192.168.100.4 to use ipsecX(10.64.0.2) as the next‑hop. Traceroute shows the traffic follows the expected path.
2) Reply‑to rule on enc0 (the IPSec interface) – added reply‑to ipsecX(10.64.0.2) in the allow rules (src: any, src_port: any, dst: 192.168.100.4, dst_port: 443, reply_to: ipsecX(10.64.0.2)).
tcpdump on enc0 shows the outbound traffic attempting to go to the client (192.168.100.4 → client IP). No return traffic is observed on the opposite side of the tunnel. The VPS has IP forwarding enabled, NAT configured to its public IP, and port‑forwarding rules in place. There are no firewall rules that would block the traffic.

Observation: If I add a static route on OPNsense such as client‑IP/32 → 10.64.0.2, the communication works immediately.

Question: Any ideas why the reply traffic does not traverse the tunnel without the explicit host route? Could my reply‑to configuration be incorrect?
#100
26.1 Series / Re: Suricata - Divert (IPS)
Last post by phanos - February 03, 2026, 01:40:49 PM
Quote from: QuisaZaderak on February 03, 2026, 08:45:42 AM
Quote from: phanos on February 02, 2026, 12:22:53 PM
I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?
If it is already blocked by the FW rule, it does not need to be diverted further.

Right but what about port forwarding? How you handle these? They do not seem to have direct to...