Recent posts

#91

General Discussion / Re: My pf ruleset causing clie...

Last post by OPNenthu - December 27, 2025, 06:03:45 PM

Ayyy, this is a painful lesson.  I spent a couple days. :)

Thank you, Patrick.

#92

General Discussion / Re: community repo updated ...

Last post by newsense - December 27, 2025, 05:53:35 PM

PSA: Update your Unifi deployments - MongoDB - critical issue - patch available

https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-vulnerability-immediately/

Code Select Expand

Installed packages to be UPGRADED:
        harfbuzz: 10.3.0 -> 12.2.0 [mimugmail]
        htop: 3.4.0 -> 3.4.1 [mimugmail]
        mongodb70: 7.0.24_1 -> 7.0.26 [mimugmail]
        openjdk17: 17.0.16+8.1_4 -> 17.0.17+10.1 [mimugmail]
        unifi9: 9.5.21 -> 9.5.21_1 [mimugmail]
Thanks again Michael and Happy Holidays

#93

General Discussion / Re: ECS and DNSSEC Setup

Last post by OPNenthu - December 27, 2025, 05:28:26 PM

Per Quad9, turn it off.

https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/

Disable DNSSEC Validation

Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.

#94

General Discussion / Re: My pf ruleset causing clie...

Last post by Patrick M. Hausen - December 27, 2025, 05:26:26 PM

TrueNAS does not support policy routing so if you have network interfaces in different networks it will always answer any client from

- the directly connected one, if present
- the one with the default gateway, otherwise

Specifically there is no separation of the UI and the file sharing services. Not possible, don't try it, you will fail.

All of TrueNAS runs on a single IP stack. Only VMs can be connected to a separate network via a bridge (without an IP address on the TrueNAS host for that bridge). Also allegedly for these "experimental" LXC containers.

But, repeating myself, not for any TN services. UI, SMB, NFS ... all share the same network stack. Even "apps" do. While you can set a separate IP for apps for ingress, they will always use the main NAS IP for egress.


HTH,
Patrick

#95

25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...

Last post by dmurphy - December 27, 2025, 05:22:18 PM

> Just following up that I still see a memory leak in dnsmasq even after a reboot and an update to 25.7.10.

I don't think it's surprising given the fact that the binary did not change.

Exactly the expected behavior.  Was curious if the reboot and any of the netmap changes might make any difference, but appears not.

We'll see what happens when dnsmasq $version++ hits.  If it continues to drip memory, I'll spin up a dev machine, replicate the config and get dtrace running against it.

Again, not a big deal as recycling the process occasionally solves the practical issue, but now I want to know what I'm doing wrong to trip it up. :-)

Happy new year!!

#96

General Discussion / My pf ruleset causing client t...

Last post by OPNenthu - December 27, 2025, 05:18:57 PM

Hello all, I'm wrestling with a first TrueNAS deployment and this issue is beyond my skillset.  Asking here because I think it's relevant to pf/OPNsense and maybe my particular rules causing the issue.

The NAS has two integrated NICs, an Intel I226-V (top) and an Aquantia AQC113 (bottom):

Code Select Expand

truenas_admin@truenas[~]$ ethtool -i enp6s0
driver: igc
version: 6.12.33-production+truenas
firmware-version: 2014:8877
expansion-rom-version:
bus-info: 0000:06:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes


Code Select Expand

truenas_admin@truenas[~]$ ethtool -i enp3s0
driver: atlantic
version: 6.12.33-production+truenas
firmware-version: 1.3.31
expansion-rom-version:
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no

At first I configured the management interface on enp6s0 with a static IP address, as per TrueNAS guidelines.  This interface has IP 192.168.1.118 on LAN.  It has the default gateway 192.168.1.1, DNS also 192.168.1.1, and the web UI is bound to this IP only.

Up to this point everything is working with a stable connection.  I'm able to access the web UI from a client on VLAN 30 ("CLEAR net") using a Floating rule with direction IN on the CLEAR interface that allows the client to "any" on LAN.

The problem comes when I configure the second interface.  I assign it a static IP 172.21.30.118 which is from the CLEAR subnet as this will be my data interface for SMB shares (the SMB service will bind to it).  I don't assign any additional gateway or DNS, and no static routes.  Just the IP on the interface.  IPv6 auto-config is still disabled in TrueNAS.

After this step, my TrueNAS web UI becomes unstable.  I'm still able to log in, but after some seconds I'm kicked off.  This process repeats itself ad-infinitum and I'm not able to stay in the UI long enough to get work done.  This dialog appears in between when I'm kicked off and the login prompt follows it.

You cannot view this attachment.

If I remove the IP on the second interface, then everything becomes stable again.

Checking the firewall logs while this happens I can see the initial request is allowed as it's matching the Floating rule, and it gets a response.  I don't know why the DNS lookups in between are logged at all as those are within the same subnet (this is a group rule).  Finally another interface group rule is matching instead which is rejecting and causing me to get kicked off.

You cannot view this attachment.

This happens in a loop as mentioned above.  I can see that the source ports changed in between the login and the rejected packets.  This also repeats and is reflected in the state table with new states being generated each cycle.

Also, there is a group 'pass' rule which is supposed to be overriding this 'reject' rule in any case, but that's not happening.

Floating:
You cannot view this attachment.

Group rules (from the CLEAR interface's view):
You cannot view this attachment.

The "PORTS_OUT_LAN" alias already has port 443 included.

Did I set up some kind of asymmetric routing condition when I configured the second NIC?  Is this a TrueNAS quirk? 

I do have Proxmox management on the same LAN network and with a separate VM bridge, but no problems at all there.  That's been stable for a while now.

TrueNAS ip/route info:

Code Select Expand

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 6c:xx:xx:xx:41:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.118/24 brd 192.168.1.255 scope global enp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:410a/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 6c:xx:xx:xx:41:09 brd ff:ff:ff:ff:ff:ff
    inet 172.21.30.118/24 brd 172.21.30.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:4109/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever


Code Select Expand

truenas_admin@truenas[~]$ route   
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         firewall        0.0.0.0         UG    0      0        0 enp6s0
172.21.30.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp6s0


#97

25.7, 25.10 Series / Re: DNSmasq and Unbound Peacef...

Last post by vimage22 - December 27, 2025, 04:56:24 PM

Great. And you needed to add a forward from unbound to dnsmasq, right? As for DNSEC, I have been reading up on this:
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too

I think DSNSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"
It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them. If you turn off DNSSEC, then you can no longer trust the answer you get was from your provider.

In summary:
DoT: Encrypts your DNS query.
DNSSEC: cryptographically verifies DNSSEC-signed records. (only within unbound)

Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.

#98

General Discussion / Re: ECS and DNSSEC Setup

Last post by vimage22 - December 27, 2025, 04:34:45 PM

I have been reading up on this.
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too

I think DSNSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"

It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them.

In summary:
DoT: Encrypts your DNS query
DNSSEC: cryptographically verifies DNSSEC-signed records (only within unbound)

Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.

[configctl]

#99

General Discussion / Re: Struggles scripting with t...

Last post by ASteve - December 27, 2025, 03:39:18 PM

Does it have to be an LAN host, or would it be OK for an external service to notify you?

You could use a service like https://healthchecks.io in combination with Monit. This would be even more reliable, since you would receive a notification regardless of whether you are currently using the system or not.

While a service like healthchecks.io would be fantastic in lots of scenarios, it isn't a good solution for the problem I'm trying to solve.

The risk I'm trying to eliminate is one in which things stop working while I'm at my desk... in a location where I could address any transitory problem - if I had noticed the issue.  I have poor mobile phone signal and rely upon Wi-Fi calling (which relies upon my router) and all email is also dependent upon the same local networks and services.  I plan to write a script that will make many checks - covering all sorts of services I run on my LAN... and to have it drive a small GUI app on my desktop computer report a green ":-)" or red ":-(" icon on my task bar (alongside any error message generated from my script).

I've already evaluated services that (try to) push notifications to me over the Internet. I see such facilities as being very useful in some circumstances... but I particularly want to be able to monitor from my LAN to verify that everything on my router is 'happy' - and that my local services have not failed/stopped.  I can only administer my OpnSense router and local services from my LAN - so I gain little if I get notifications on my mobile phone when I'm not at my desk. I'm aware of two potential strategies to query the status of my internet up-links from a host on my LAN:

• Use the restful API for OpnSense.  I'm not sure which API calls I should use as the documentation doesn't seem very helpful/informative/accurate/complete.
• Run some command-line tool(s) on the OpnSense host over SSH. I'm aware of configctl, for example, but I'm not sure which OpenSSH command-line tool would give the most appropriate diagnostic output.

I had hoped that the Rest API would be perfect for my purposes (though I'm struggling to establish how to use it in practise).  I'm aware of tools like configctl, which I can run over SSH, but it's not clear to me how I can get them to yield the status information that's of interest to me.  For the problem I'm trying to tackle, I definitely want to automate my own scripted checks.. that I will write, which will be run on a host connected to my LAN, rather than purchase some additional external service.  I'm surprised at how difficult this has proven to be with OpnSense.

P.S.  I've found this thread - which suggests the API endpoint /api/routing/settings/searchGateway should do what I want.  When I try to call it, I get a 400 response with the message "controller OPNsense\\Core\\Api\\IndexController not found"  - I get the same thing if I substitute "search_gateway" for "searchGateway" in the URL.

P.P.S. I've discovered pluginctl -r return_gateways_status - which generates relevant diagnostics... but it needs to be run as root on the OpnSense host... over SSH.  This is a bit cumbersome - a restful API to yield similar diagnostics would be much better.

P.P.P.S.  I've discovered the API /api/routes/gateway/status - which seems to do what I need.  My big problem has been finding documentation for these APIs.

#100

German - Deutsch / Re: Caddy Wildcard-Zertifikat ...

Last post by Monviech (Cedrik) - December 27, 2025, 03:24:46 PM

Das generierte Caddyfile ist richtig, hier die PRs die es erklären:

https://github.com/opnsense/plugins/pull/4673

https://github.com/caddyserver/caddy/pull/6959