Recent posts

#91
General Discussion / Re: Fresh install blocking mos...
Last post by Petski - December 29, 2025, 11:29:30 PM
coffeecup25,

I agree about the Cisco switch but I got it cheap and needed at least 16 ports. Yes, it is factory reset and in dumb switch mode with the only change being to move the management GUI address to be within my DHCP range.

When I tried to use KEA, the MAC address binding table appeared to be ignored and all ports were assigned dynamically. Since I have spent many days just to get where I am now, I'm reluctant to attempt switching back to KEA again... Does dnsmasq allow for the same DNS override? What I want is for the DHCP portion of dnsmasq to tell the clients that PiHole (statically positioned within my subnet) is the primary DNS server. Right now, it is sending clients the OPNsense gateway address (192.168.1.1), which subsequently gets forwarded on to PiHole. Currently my only drawback is that PiHole's statistics are all pointing to the single gateway address instead of breaking up the statistics based on which client is requesting.

Another observation I made was that in order for the MAC address reservations to take effect, I had to power cycle every client. Rebooting OPNsense had no effect. I never had this issue or this much trouble when using the old Cisco router.
#92
General Discussion / Re: My pf ruleset causing clie...
Last post by OPNenthu - December 29, 2025, 11:27:32 PM
Thanks again, Patrick.  This little bit of new understanding made all the difference and it seems I may have misjudged the AQC113 NIC earlier.  I got the layered setup working, finally.

Since they're asymmetrical I bonded them in active/backup with the 10GbE member as primary.  Then I added br1 for native access (in case I want some VMs or UniFi OS on there later) and assigned it the main IP.  Then added a few VLANs on the bond and separate bridges for each VLAN.  Finally assigned an IP to br30 and bound the web UI to this as well (at least temporarily), so now I'm able to access it from my client network for configuration changes without any hiccups.

truenas_admin@truenas[~]$ ip -brief a                   
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp6s0           UP            
enp3s0           UP            
bond1            UP             fe80::<redacted>:4109/64
vlan20@bond1     UP             fe80::<redacted>:4109/64
vlan30@bond1     UP             fe80::<redacted>:4109/64
vlan60@bond1     UP             fe80::<redacted>:4109/64
br1              UP             192.168.1.118/24 fe80::<redacted>:850b/64
br20             UP             fe80::<redacted>:9746/64
br30             UP             172.21.30.118/24 fe80::<redacted>:435e/64
br60             UP             fe80::<redacted>:952c/64

If I did this correctly with the separate bridges, then there shouldn't be any RA spillover when I enable IPv6 auto-config in TN.

I don't have a 10GbE client to test with, but I'm at least able to saturate a 2.5GbE link from my client to the NAS using iperf3:

$ iperf3 -c truenas.clear.h1.internal
Connecting to host truenas.clear.h1.internal, port 5201
[  5] local 172.21.30.100 port 46912 connected to 172.21.30.118 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   283 MBytes  2.37 Gbits/sec    0    311 KBytes      
[  5]   1.00-2.00   sec   281 MBytes  2.36 Gbits/sec    0    291 KBytes      
[  5]   2.00-3.00   sec   281 MBytes  2.36 Gbits/sec    0    297 KBytes      
[  5]   3.00-4.00   sec   280 MBytes  2.35 Gbits/sec    0    303 KBytes      
[  5]   4.00-5.00   sec   280 MBytes  2.35 Gbits/sec    0    294 KBytes      
[  5]   5.00-6.00   sec   281 MBytes  2.36 Gbits/sec    0    300 KBytes      
[  5]   6.00-7.00   sec   280 MBytes  2.35 Gbits/sec    0    291 KBytes      
[  5]   7.00-8.00   sec   280 MBytes  2.35 Gbits/sec    0    291 KBytes      
[  5]   8.00-9.00   sec   281 MBytes  2.36 Gbits/sec    0    294 KBytes      
[  5]   9.00-10.00  sec   281 MBytes  2.35 Gbits/sec    0    291 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.74 GBytes  2.36 Gbits/sec    0             sender
[  5]   0.00-10.00  sec  2.74 GBytes  2.35 Gbits/sec                  receiver

Looks like the AQC113 is so far not falling down :)  Hope this keeps up.
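The layering described in the post above (two NICs into an active/backup bond, VLAN sub-interfaces on the bond, one bridge per VLAN, host addresses only on bridges), written out as plain iproute2 commands. This is an added example, not code from the post or from TrueNAS: TrueNAS SCALE builds the same structure through its own UI and middleware, which is what the poster used, and commands typed by hand on TrueNAS would not survive a reboot. Interface names and addresses follow the post's `ip -brief a` output; the choice of enp6s0 as the 10GbE primary member and the VLAN-to-bridge mapping are assumptions. `plan` prints the command list without touching the host, and `check_isolation` reads `ip -brief a` output and flags any global address that landed on a bond or VLAN device instead of a bridge.

```shell
#!/bin/sh
# Added example, not from the forum post or from TrueNAS. Generic Linux host
# with iproute2; on TrueNAS the same layering is configured via its UI.
# Assumptions: enp6s0 is the 10GbE (primary) port, enp3s0 the backup.

PRIMARY="${PRIMARY:-enp6s0}"   # assumed to be the 10GbE AQC113 port
BACKUP="${BACKUP:-enp3s0}"
BOND="bond1"
VLANS="20 30 60"

# run: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_layering() {
    # 1. Active/backup bond. The kernel refuses to enslave a device that is up,
    #    so take the members down first. miimon=100 polls link state every 100 ms.
    run ip link set "$PRIMARY" down
    run ip link set "$BACKUP" down
    run ip link add "$BOND" type bond mode active-backup miimon 100 primary "$PRIMARY"
    run ip link set "$PRIMARY" master "$BOND"
    run ip link set "$BACKUP" master "$BOND"

    # 2. Untagged frames: the bond is a port of br1, and the host's native
    #    address sits on br1, not on the bond itself.
    run ip link add br1 type bridge
    run ip link set "$BOND" master br1
    run ip addr add 192.168.1.118/24 dev br1

    # 3. One VLAN sub-interface and one bridge per VLAN. Tagged frames are
    #    steered to the matching vlanNN device before the bridge sees them,
    #    and each VLAN's bridge is its own broadcast domain, so router
    #    advertisements on VLAN 20 cannot reach a VM attached to br30.
    for id in $VLANS; do
        run ip link add "vlan$id" link "$BOND" type vlan id "$id"
        run ip link add "br$id" type bridge
        run ip link set "vlan$id" master "br$id"
    done

    # 4. Only the bridge that needs a management address gets one.
    run ip addr add 172.21.30.118/24 dev br30

    for dev in "$PRIMARY" "$BACKUP" "$BOND" br1; do run ip link set "$dev" up; done
    for id in $VLANS; do
        run ip link set "vlan$id" up
        run ip link set "br$id" up
    done
}

# plan: print the full command list without touching the host.
plan() { ( DRY_RUN=1; build_layering ); }

# check_isolation: read 'ip -brief a' output on stdin and fail if a bond or
# VLAN sub-interface carries anything beyond its fe80:: link-local address.
# A global address on vlan30 instead of br30 means that layer, not the bridge,
# is terminating traffic (and RAs) for the segment.
check_isolation() {
    awk '$1 ~ /^(vlan[0-9]+@|bond[0-9]+$)/ {
             for (i = 3; i <= NF; i++)
                 if ($i !~ /^fe80:/) { print "address on " $1 ": " $i; bad = 1 }
         }
         END { exit (bad ? 1 : 0) }'
}
```

Review the output of `plan` first; running `build_layering` directly applies it to the live host. Piping the post's own `ip -brief a` listing into `check_isolation` passes, because bond1 and the vlanNN devices show only link-local addresses while 192.168.1.118 and 172.21.30.118 sit on br1 and br30.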
#93
German - Deutsch / Re: ISC DHCP - newly created N...
Last post by Patrick M. Hausen - December 29, 2025, 11:16:59 PM
Did you reload the UI after assigning and configuring the new interface?
#94
Hardware and Performance / Re: which coreboot payload
Last post by senser - December 29, 2025, 10:46:18 PM
Legacy BIOS (seabios) has fewer coreboot configuration options and is probably the safest option? For UEFI (edk2) there is the choice of mrchromebox fork or original for example.

But using "current" (UEFI) solutions seems like a good idea. :) Should I just choose the default selection for UEFI (which is: edk2 - mrchromebox fork)?
#95
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by Loïc_bzh - December 29, 2025, 10:37:58 PM
Quote from: ceeeeej on March 08, 2025, 12:56:41 AM
I have OPNSense set up with Adguard Home and Unbound with DNS over TLS.

I was having some trouble getting the Caddy access lists working to restrict some services to my LAN IPs only. To get this all working I had to set up overrides in Unbound that point these URLs back to my Caddy when on my LAN. i.e. I set up example.website.com in Caddy and then in Unbound I had to set up an override to point this URL back to 192.168.1.1 (where Caddy is running on my opnsense router).

My assumption was that because they were encrypted with DNS over TLS that the Caddy reverse proxy can't intercept them?

Just posting in case anyone has feedback or other ideas here. I was hoping to not require setting these up but it works now.

Hello

You may no longer be concerned about this, but it could help others in the future.

When using AdGuard with DNS over TLS and LAN IP only, you need to use the DNS rewrite of AdGuard.

Go to AdGuard then menu Filter > DNS rewrite > Add DNS rewrite.
For "domain name or wildcard", I specified *.mydomain.tld
For "Enter IP address or domain name", I specified the IP address of the Caddy host, so the OPNSense IP address.
#96
Hardware and Performance / Re: which coreboot payload
Last post by Maurice - December 29, 2025, 10:28:27 PM
Not sure what the benefits of legacy BIOS would be, but maybe I'm not seeing the full picture.
#97
Zenarmor (Sensei) / CVE-2025-14847 vulnerability M...
Last post by PencilHCV - December 29, 2025, 10:22:04 PM
hi!
Is Mongo Database vulnerable to CVE-2025-14847?

best regards,
Hugo C.V.
#98
Hardware and Performance / Re: which coreboot payload
Last post by senser - December 29, 2025, 10:21:45 PM
So we can choose either the edk2 OR the seabios payload and we should be rebooting fine?
So what should I choose? :)
#99
25.7, 25.10 Series / Pointing to adguard DNS server
Last post by CursedGravity - December 29, 2025, 09:49:28 PM
I am running an AdGuard VM.  I am trying to point my DHCP DNS config to the AdGuard server IP.  When I check my DNS server from my DHCP config on my client, it's pointing to my OPNsense router.  I try to visit a website, like hp.com, and AdGuard does not show that the domain was queried for.  I do a nslookup hp.com <adguard-ip>, and now hp.com shows up in the query log in AdGuard.
Currently, I'm pointing to the adguard server under unbound dns -> query forwarding.  I can confirm adguard is listening on port 53.
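Both this post and Petski's post (#91) describe the same situation: DHCP clients are told to use the OPNsense address for DNS, Unbound forwards to the filtering resolver, and the resolver's query log shows only the gateway. dnsmasq advertises its own address as the DNS server (DHCP option 6) unless a `dhcp-option` directive overrides it; with that directive the clients query Pi-hole or AdGuard directly and the log shows each client. The following is an added example, not code from either post or from OPNsense, assuming the Dnsmasq DHCP backend and hypothetical resolver addresses (192.168.1.2 for the main LAN, 10.0.30.2 for a scope tagged "guest"). It generates the directives in dnsmasq's own syntax, refuses malformed addresses, and, where the dnsmasq binary is present, parses the result with `dnsmasq --test`.

```shell
#!/sh
# Added example, not from the forum posts or from OPNsense. Assumes the dnsmasq
# DHCP backend; 192.168.1.2 and 10.0.30.2 are hypothetical resolver addresses.

# is_ipv4: accept only a dotted quad with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# dns_server_option TAG IP [IP...]
# Emits DHCP option 6 in dnsmasq syntax. With an empty TAG the option applies
# to every scope; with a tag it applies only to leases carrying that tag
# (dnsmasq assigns tags per range, e.g. dhcp-range=set:guest,10.0.30.100,...).
# Several servers may be listed; clients try them in the order given.
dns_server_option() {
    tag="$1"; shift
    list=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { printf 'invalid IPv4 address: %s\n' "$ip" >&2; return 1; }
        list="${list:+$list,}$ip"
    done
    [ -n "$list" ] || return 1
    if [ -n "$tag" ]; then
        printf 'dhcp-option=tag:%s,option:dns-server,%s\n' "$tag" "$list"
    else
        printf 'dhcp-option=option:dns-server,%s\n' "$list"
    fi
}

# render_fragment: the complete fragment for the two assumed scopes. Without
# the first line dnsmasq would keep handing out its own (gateway) address.
render_fragment() {
    dns_server_option ""      192.168.1.2
    dns_server_option "guest" 10.0.30.2
}

# validate_fragment: on a host that has dnsmasq, --test parses a config file
# and exits non-zero on a syntax error without starting the daemon.
validate_fragment() {
    command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed; skipping parse check"; return 0; }
    tmp=$(mktemp)
    render_fragment > "$tmp"
    dnsmasq --test --conf-file="$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Clients only pick the new server up when they renew or re-request a lease, which matches the observation in post #91 that existing clients had to be power cycled before DHCP changes took effect. Keeping Unbound forwarding to the resolver does no harm after this change; it simply stops being the path that ordinary clients use.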
#100
25.7, 25.10 Series / Re: Dashboard/WebGUI slows, ha...
Last post by lpe397 - December 29, 2025, 09:41:03 PM
This is still an issue with the latest build. I'm just seeing this so I'll do some investigating however I can say that this is cross-platform as Firefox (140.6.0esr) for Linux (Debian 12) has the same issues. I run a pretty "busy" dashboard for five different OPNsense firewalls all running the latest open source version (OPNsense 25.7.10-amd64 : FreeBSD 14.3-RELEASE-p7 : OpenSSL 3.0.18) with only one of them crashing. That instance has only one dashboard widget different than the others, and that is the Certificates widget. Absolutely not sure if any of this will help, but if someone has something to try I can easily be a lab rat.