Recent posts

#91
General Discussion / Browser Intrusion which opnsen...
Last post by someone - December 23, 2025, 06:40:19 PM
There are two types of threats; one I have discovered recently on my own.
One: Say your computer is on and no browser is open:
     That is new-connection based, in which a new connection is required. The OPNsense firewall and Suricata handle these very well.
     No one can just make a connection to your computer that you didn't ask for. Attackers and bots can't get in.
Two: Browser-based connections, of three types, which OPNsense cannot protect against:
     One: A connection made by something you clicked on or hovered over.
     Two: An automatic connection by a connected server, which connects you to other servers without permission, also from embedded scripts in web pages.
     Three: Stolen connections, such as cross-platform scripts inside websites.

If they have a connection, they can do what they want on your computer.
So how do you protect your operating system and OPNsense?
I use AppArmor and install its extra profiles; it protects your operating system endpoints so bad guys can't destroy or take over your computer or OPNsense. There are many different types of endpoint protection. They also differ in what they trigger on. AppArmor is access control of endpoints. Endpoints are apps that operate your computer. It is working for me in the default configuration once you add the extra profiles with a software manager. If they have access to your computer, they have very easy access to OPNsense on the LAN side. I would think everyone needs some type of endpoint protection if you can.

Be careful which type of endpoint protection you use; they are not created equal. And I don't care to bash them. Pun.
Protection such as AppArmor monitors all commands on your computer, aka access control; others monitor IPs only, others just keywords, etc.
I install auditd also, so I can see which commands AppArmor blocked that are coming through the browser.

Suricata is working on decryption, where they can scan all incoming traffic. That will take a large burden off of endpoint protection.
If you are a business, there are services offering this.
At home, decryption can be done and traffic scanned.

I call it browser intrusion; it has many names and many attacks.
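The AppArmor-plus-auditd workflow described in the post above, as an added example that is not from the post or from the AppArmor or OPNsense projects: a Python script that parses auditd AVC records, keeps the apparmor="DENIED" ones, and lists which programs a confined browser was blocked from executing. The log lines are constructed samples modelled on the auditd record format; the profile names firefox and evince, the paths and the PIDs are illustrative. On a real host the same records come from `ausearch -m AVC` or /var/log/audit/audit.log.

```python
"""Summarise AppArmor denials from auditd AVC records.

Added example, not from the forum post. SAMPLE_AUDIT_LOG is constructed
sample input in the format auditd writes for AppArmor decisions.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample records (profiles, paths and PIDs are illustrative).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1703353200.101:301): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/user/.mozilla/firefox/prefs.js" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1703353201.202:302): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/nc" pid=4211 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1703353202.303:303): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1703353203.404:304): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/curl" pid=4212 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1703353203.404:304): arch=c000003e syscall=59 success=no exit=-13 comm="firefox" exe="/usr/lib/firefox/firefox"
type=AVC msg=audit(1703353204.505:305): apparmor="DENIED" operation="open" profile="evince" name="/home/user/.ssh/id_ed25519" pid=5001 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# auditd fields are either key="quoted value" or key=bare_value
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> dict[str, str] | None:
    """Parse one auditd AVC record into a dict; None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    fields: dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def denials(log_text: str) -> list[dict[str, str]]:
    """Return only the records where AppArmor actually denied the access."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED":
            out.append(rec)
    return out


def blocked_execs(log_text: str, profile: str) -> list[str]:
    """Paths a confined program (e.g. the browser) tried to execute and was denied.

    operation="exec" with "x" in denied_mask is the 'which commands came
    through the browser' view the post describes.
    """
    return sorted({
        rec["name"]
        for rec in denials(log_text)
        if rec.get("profile") == profile
        and rec.get("operation") == "exec"
        and "x" in rec.get("denied_mask", "")
    })


def denial_summary(log_text: str) -> dict[str, Counter]:
    """Count denials per profile, keyed by (operation, path)."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for rec in denials(log_text):
        summary[rec.get("profile", "?")][(rec.get("operation"), rec.get("name"))] += 1
    return dict(summary)


if __name__ == "__main__":
    for profile, counts in denial_summary(SAMPLE_AUDIT_LOG).items():
        print(f"profile {profile}:")
        for (op, name), n in counts.most_common():
            print(f"  {n:3d}  {op:<6} {name}")
    print("blocked execs from firefox:", blocked_execs(SAMPLE_AUDIT_LOG, "firefox"))
```

Only type=AVC lines are parsed; the SYSCALL record that auditd emits alongside an exec denial is skipped on purpose, because the AVC record already carries the profile, operation and path. An ALLOWED record (what a profile in complain mode logs) is kept out of the denial counts so that a profile still being tuned does not look like an attack.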
#93
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by Patrick M. Hausen - December 23, 2025, 05:36:19 PM
3. Kick your ISP until they follow recommended practice 🙂

https://www.rfc-editor.org/rfc/rfc3177

3. Address Delegation Recommendations

   The IESG and the IAB recommend the allocations for the boundary
   between the public and the private topology to follow those general
   rules:

      -  /48 in the general case, except for very large subscribers.
      -  /64 when it is known that one and only one subnet is needed by
         design.
      -  /128 when it is absolutely known that one and only one device
         is connecting.

   In particular, we recommend:

      -  Home network subscribers, connecting through on-demand or
         always-on connections should receive a /48.
      -  Small and large enterprises should receive a /48.
      -  Very large subscribers could receive a /47 or slightly shorter
         prefix, or multiple /48's.
[...]

So even a /56 is debatable, although in most cases enough (I can theoretically have 256 VLANs with the /56 I get from Deutsche Telekom).
#94
25.7, 25.10 Series / Re: 25.4 to 25.10 Business Edi...
Last post by lawrencedudley - December 23, 2025, 05:33:49 PM
I'm having real issues with Captive Portal with like 1 concurrent user right now (we're mostly off for the holidays).

First time I've had an issue with an OPNsense upgrade in a decade or so. But it is a problem.

There's a Python request that eats up CPU, and I was having one of the interfaces flap, which just made everything even worse (I'm not sure if this is related or not).
#95
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by Maurice - December 23, 2025, 05:29:35 PM
Why do you feel the need to internally use /80s based on your public /64? You could choose any unused /48 and subnet it into /64s for your VLANs. Since you use NAT anyway, your internal addresses don't really matter.

The ND proxy solution (without NAT) is preferable though.

While it's technically possible to use prefixes longer than /64, it's not recommended and issues are to be expected.
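A worked version of the subnetting points made by Patrick and Maurice above, added here and not part of either post or of OPNsense: the Python ipaddress module carving one /64 per VLAN out of a delegated prefix (a /56 yields 256 of them), refusing to go past /64 because SLAAC needs a 64-bit interface identifier (RFC 4291), and generating a locally assigned /48 from fd00::/8 (RFC 4193 ULA) for the "choose any unused /48 and subnet it into /64s" internal-addressing option. The 2001:db8: prefixes are documentation addresses used as constructed input; the ULA Global ID is drawn from the OS CSPRNG instead of the RFC 4193 hash of time and MAC, which is a simplification.

```python
"""Carve per-VLAN /64s out of a delegated IPv6 prefix and generate a ULA /48.

Added example, not from the forum thread. Prefixes are given in CIDR
notation; the 2001:db8: values used for testing are documentation addresses.
"""
from __future__ import annotations

import ipaddress
import secrets

# SLAAC requires a 64-bit interface identifier, so /64 is the longest
# prefix that works as a routed subnet without surprises.
MAX_SUBNET_PREFIX = 64


def vlan_prefixes(delegated: str) -> list[ipaddress.IPv6Network]:
    """Return every /64 inside the delegated prefix, one candidate per VLAN.

    Refuses prefixes longer than /64: a /64 cannot be split further without
    breaking SLAAC, which is why the thread points at ND proxy or NAT instead.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > MAX_SUBNET_PREFIX:
        raise ValueError(f"{net} is longer than /64 and cannot be used as a routed subnet")
    return list(net.subnets(new_prefix=MAX_SUBNET_PREFIX))


def vlan_prefix(delegated: str, vlan_index: int) -> ipaddress.IPv6Network:
    """Pick the /64 for a 0-based VLAN index from the delegated prefix."""
    subnets = vlan_prefixes(delegated)
    if not 0 <= vlan_index < len(subnets):
        raise IndexError(f"{delegated} only provides {len(subnets)} /64 subnets")
    return subnets[vlan_index]


def random_ula_48() -> ipaddress.IPv6Network:
    """Generate a locally assigned /48 from fd00::/8 (RFC 4193 ULA).

    RFC 4193 derives the 40-bit Global ID from a hash of time and an EUI-64;
    this simplification draws it from the OS CSPRNG, which is equally
    unpredictable for the purpose of avoiding collisions with other sites.
    """
    global_id = secrets.randbits(40)
    # fd (L bit set) in the top byte, then the 40-bit Global ID, then 80 zero bits.
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


if __name__ == "__main__":
    delegated = "2001:db8:1234:5600::/56"  # constructed example delegation
    print(f"{delegated} provides {len(vlan_prefixes(delegated))} /64 subnets")
    for vlan in (0, 10, 255):
        print(f"  VLAN index {vlan:3d} -> {vlan_prefix(delegated, vlan)}")
    print("internal ULA /48:", random_ula_48())
```

With the ULA /48 in hand, the same vlan_prefix() call hands out internal /64s, which is the NAT-based option in the thread; the ND-proxy option needs no carving at all because every downstream host keeps an address from the single /64.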
#96
French - Français / Re: Redirections HTTP, HTTPS, ...
Last post by Tipper7042 - December 23, 2025, 05:25:12 PM
Hello,

If your NAT entry port for FTP is 61221, then in my opinion the WAN rule should be similar. There you are letting port 21 through, while you are NATing port 61221.

To be tested ...

#97
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by muchacha_grande - December 23, 2025, 05:23:12 PM
Ok, from what Patrick said, if I can't subnet a /64 I have two options from here:

1. Pin to ISC, which will soon be a plugin and discontinued afterwards

2. Implement NDP and forget about subnets (I have to change my mind) and after that migrate to Dnsmasq

Thank you Patrick and Monviech for your advice. I think I'll go on with the second option. Will post the results here of course.
#98
25.7, 25.10 Series / Re: IGMP Proxy broken after up...
Last post by Rene78 - December 23, 2025, 05:12:08 PM
Quote from: Shoog on December 23, 2025, 12:04:20 PM
My IGMP Proxy is definitely throwing errors, and the behaviour of my network is entirely in keeping with what you would expect from IGMP failure.
I wonder if the error I saw when performing the upgrade is the cause.
Is it possible to rerun the upgrade over the top of the existing upgrade (i.e. 25.10.7 over 25.10.7) to eliminate this as the possible root cause?

Maybe it is a better idea to uninstall the IGMP Proxy plugin first, reboot the system, reinstall the IGMP Proxy plugin and configure it from scratch. Reinstalling the plugin will trigger the system to register everything (whatever it requires) again from scratch. Maybe there is a corrupt file or something. If that doesn't do the trick, you may need a reinstall. Dunno if you can reinstall the upgrade the way you describe.
#99
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by Monviech (Cedrik) - December 23, 2025, 05:11:03 PM
Or you use the NDP proxy from earlier, which helps you provide the same /64 to any number of downstream VLANs. You don't need to think about subnetting when using it, since it targets each individual host automatically via host routes.

Just turn off any DHCPv6 and RA service when using it.
#100
25.7, 25.10 Series / Re: 25.7.10 update fails with...
Last post by SOUK - December 23, 2025, 05:06:00 PM
Quote from: Maurice on December 19, 2025, 09:58:24 PM
Try a different mirror. base is by far the largest "package", so the download might time out if the connection to the mirror is slow for some reason.

Cheers
Maurice

I get the exact same identical issue; sadly, changing mirrors for the last few days does nothing to fix the issue.