Recent posts

#91
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by Patrick M. Hausen - January 09, 2026, 03:44:53 PM
Why would you prefer to bounce in Caddy instead of just blocking the IP address in pf on WAN? I am not arguing against acquiring via Caddy and Caddy logs - I specifically implemented the "plain text access log" feature for that. But once you register a malicious host, I'd block it at the frontmost point of my network available before it even reaches an application. That's firewall on WAN.
#92
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by Monviech (Cedrik) - January 09, 2026, 03:40:01 PM
Hey, you can use my fork of the caddy plugin which allows you to compile any modules into it that you want:

I can't give more help or support though nor provide a step by step guide, I don't know how these modules work, or what they require. Can only give pointers.

https://github.com/Monviech/os-caddy

To configure modules, they will not be exposed in the GUI, you need a custom caddyfile import most likely:

https://docs.opnsense.org/manual/how-tos/caddy.html#custom-configuration-files
#93
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by patient0 - January 09, 2026, 03:31:02 PM
Quote from: Zapad on January 09, 2026, 02:54:28 PM
just real quick....
that's ULA, isn't it!?

I'm not the OP, but yes, that is a ULA, and I NAT it because that was the easy way with the Hetzner /64 prefix and the Proxmox server running on it.
#94
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by tennents - January 09, 2026, 03:15:50 PM
Quote from: Monviech (Cedrik) on March 29, 2025, 12:31:14 PM
Thanks for looking into this.

It is feasible to add it but I don't really want to add it since every additional compiled package just makes maintenance harder in the long run.

Though there is always "caddy add-package" for the more adventurous :)

Hi
sorry to bump this old post... but I'm in the same exact situation (Cloudflare proxy --> OPNSense --> Caddy plugin) and I'd like to understand how to implement the bouncer directly in caddy.

I can test and break my installation if needed... can you provide a step-by-step? thanks!
#95
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by Patrick M. Hausen - January 09, 2026, 03:02:15 PM
Quote from: Zapad on January 09, 2026, 02:54:28 PM
just real quick....
that's ULA, isn't it!?

I could have read it again instead of asking - of course that is ULA: fc00::/7.

With that as a source address you can't get out to the Internet. It's like a transfer network with RFC 1918 addresses in IPv4.

@balkemueller try putting a single address from the /64 on LAN onto WAN as an alias with a /128 prefix length. That's how we do it with our hosting servers at Hetzner.
#96
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by Zapad - January 09, 2026, 02:54:28 PM
just real quick....
that's ULA, isn't it!?

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           fdaa:b2b4:d8b2:1000:fdaa::1   UGS          vtnet0
::1                               link#4                        UHS             lo0

Shouldn't NAT come into play there?
#97
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by Patrick M. Hausen - January 09, 2026, 02:44:46 PM
Is the transfer network GUA, then? Have you asked the ISP whether you are supposed to be able to reach the Internet with it?
#98
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by patient0 - January 09, 2026, 02:31:38 PM
Does DNS work on the OPNsense itself, i.e. does, for example, 'host one.one.one.one' resolve in the shell? How is DNS implemented (DNSmasq, Unbound)?

root@OPNsense:~ # host one.one.one.one
one.one.one.one has address 1.0.0.1
one.one.one.one has address 1.1.1.1
one.one.one.one has IPv6 address 2606:4700:4700::1111
one.one.one.one has IPv6 address 2606:4700:4700::1001

Ping from the shell? If it doesn't work, what is the error message?

root@OPNsense:~ # ping6 -c3 2606:4700:4700::1111
PING(56=40+8+8 bytes) fdaa:b2b4:d8b2:1000:fdaa::46 --> 2606:4700:4700::1111
16 bytes from 2606:4700:4700::1111, icmp_seq=0 hlim=56 time=5.648 ms
16 bytes from 2606:4700:4700::1111, icmp_seq=1 hlim=56 time=5.555 ms
16 bytes from 2606:4700:4700::1111, icmp_seq=2 hlim=56 time=5.594 ms

--- 2606:4700:4700::1111 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.555/5.599/5.648/0.038 ms

Does the WAN interface have an IP from the transfer network, and is a default route set?

root@OPNsense:~ # netstat -rnf inet6
Routing tables

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           fdaa:b2b4:d8b2:1000:fdaa::1   UGS          vtnet0
::1                               link#4                        UHS             lo0
...

How far does a traceroute6 get?

root@OPNsense:~ # traceroute6 -n 2606:4700:4700::1111
traceroute6 to 2606:4700:4700::1111 (2606:4700:4700::1111) from fdaa:b2b4:d8b2:1000:fdaa::46, 64 hops max, 28 byte packets
 1  fdaa:b2b4:d8b2:1000:fdaa::1  0.224 ms  0.090 ms  0.035 ms
 2  ...:11:a  0.357 ms  0.245 ms  2.893 ms
 3  2a01:4f8:0:3::1b5  0.354 ms  0.656 ms
    2a01:4f8:0:3::695  4.053 ms
 4  2a01:4f8:0:3::4da  4.938 ms  4.960 ms
    2a01:4f8:0:3::4ce  4.925 ms
 5  2a01:4f8:0:3::2fe  5.277 ms  5.284 ms
    2a01:4f8:0:3::7e  5.333 ms
 6  2400:cb00:71:2:2:4940::  23.006 ms
    2a01:4f8:0:e0f0::6a  6.145 ms
    2400:cb00:71:2:2:4940::  14.647 ms
 7  2400:cb00:71:2::1  8.519 ms  24.217 ms  6.528 ms
 8  2400:cb00:470:3::  29.866 ms
    2400:cb00:636:3::  6.318 ms
    2400:cb00:472:3::  5.867 ms
 9  2400:cb00:636:1024::a29e:5def  5.747 ms
    2400:cb00:636:1024::a29e:5dea  5.810 ms
    2400:cb00:696:1024::ac45:9560  5.616 ms
#99
German - Deutsch / Re: Firewallregeln lassen sich...
Last post by patient0 - January 09, 2026, 02:20:22 PM
In this case pictures say more than words: one picture of the list of rules and one of a new rule where the port is greyed out. Including the left column, so one can see where you are. Plus of course the usual: OPNsense version, hardware/VM, logged in as which user?
#100
25.7, 25.10 Series / os-acme-client 4.11 on Busines...
Last post by greY - January 09, 2026, 02:15:38 PM
Hi,
I'm running OPNsense Business Edition 25.10.1_2 and noticed that the Community Edition already ships os-acme-client 4.11, which includes additional DNS providers (Hetzner Cloud).

On Business, the plugin is still on an older version and the provider is therefore not available.

My question:
Is there any supported way to pull os-acme-client 4.11 into the current Business release (25.10.1_2), or is this strictly tied to the Business plugin freeze and only possible with a future Business update?