Recent posts

#91
25.7, 25.10 Series / Re: 25.7.9: pkg exited on sign...
Last post by kozistan - December 06, 2025, 03:46:42 PM
Understood. What I did is set the remaining tunables and reboot, but this did not fix the issue.
vm.pmap.pcid_enabled="0"
hw.ibrs_disable="0"
vm.pmap.pti="1"

Then I removed SunnyValley from the active repos and reset the pkg state:
mv /usr/local/etc/pkg/repos/SunnyValley.conf /usr/local/etc/pkg/repos/SunnyValley.conf.DISABLED
rm -rf /var/cache/pkg/*
rm -f /var/db/pkg/*.sqlite

After that I reinstalled pkg using pkg-static:
/usr/local/sbin/pkg-static install -f pkg   # installed pkg-2.3.1_1
So I downgraded pkg and pkg update -f now runs cleanly and no longer faults.

Does this mean there is something wrong with the pkg 2.4.2 version on this hardware/setup?
#92
General Discussion / Re: Unbound strange behavior
Last post by ricksense - December 06, 2025, 02:00:53 PM
Quote from: Patrick M. Hausen on December 06, 2025, 11:57:37 AMIn general it doesn't. I run it at multiple offices and an entire data centre with that setting and no problems at all.

Something about your configuration must be unusual. Still pondering what that might be. Did you change the interfaces setting for Unbound, possibly? Something in private networks?

I read about another user on Reddit who is dealing with the same issue as mine. Anyway, I've never complained about OPNsense, but I have already run across a couple of problems with the last version.
#93
25.7, 25.10 Series / Re: 25.7.9: pkg exited on sign...
Last post by meyergru - December 06, 2025, 01:09:26 PM
ASPM is your smallest problem. That is neither the first nor the only thing in point 23. You need to use the os-microcode-intel plugin and the tunables from the linked posting in point 23 with your Alder Lake CPU.

You also do not need to add anything to any files; just use the web UI to enter the tunables and reboot afterwards.
#94
General Discussion / Re: Seeking advice for first G...
Last post by meyergru - December 06, 2025, 12:59:06 PM
There are lots of problems with those rules.

First, you have to ask yourself what you want to achieve by separating out a guest VLAN.

Usually, this is used to protect your "valuable assets" in your main LAN from anyone who may just use your internet connection. In order to do this, you should have rules in place to protect your LAN from the guest VLAN.

Your rules show an attempt to further regulate the traffic originating from your guest network. This is debatable at best and your rules do not provide that, either. The way you currently do it would keep most guests from browsing anything at all, because current browsers use DoT on port 853, which you do not allow. On the other hand, because you allow port 443, anybody could use DNS via DoH, so you do not block external DNS requests effectively.

Before I go on to show what is wrong with your rules, I tell you what mine are:

1. I have floating rules to allow traffic that I need to allow basic network functions for all local networks - that includes the guest VLAN.
Those would be DNS (53/UDP) and NTP (123/UDP). I also allow access to specific resources there, like a printer on my IoT VLAN.

2. In the VLAN-specific rules, I have one rule to allow any to any, like the default LAN rule. This will allow guest clients to access anything on the internet. Why? Frankly, because you cannot effectively regulate traffic there anyway. The only thing you have to do there is a block rule to an alias "RFC1918", which has to be placed before the "allow any" rule, in order to keep guests from accessing your local networks.

That is about it.


Now for your rules:

- Allow DHCP Port 67/UDP: This rule is unnecessary AFAIR, because that is allowed in the "Automatically generated rules" already. Delete it.
- Allow DNS Port 53: Only needed with UDP and should be placed in floating rules for all local network interfaces. Move it there.
- Block External DNS Port 53: Why would you? These days, browsers mostly do DoT or DoH, anyway. As long as you do not block that, either, this is fruitless. If you want to block it: This is very complex and frankly, at your current level, you would not succeed in doing it. Leave it be, delete the rule.
- Block access to firewall management: Since this rule comes before the next rules, it would block anything after it, like "Allow NTP", so it is misplaced. If at all, you should move it further down in the list. Then again, it is not needed at all, because there already is an implicit "block all" rule at the end of the list. Rule of thumb: order matters! Delete it.
- Block access to private/internal networks. Yes, keep it.
- Allow Inbound Connection Ports 80-443: Problem here is, you allow not only ports 80 and 443 for HTTP and HTTPS, but anything in between, including NTP (123) and many others. If you really want ports 80 and 443 only, you need either two rules or a "Port" alias for web traffic consisting of ports 80 and 443. I would say, delete the rule and replace it by an "allow any" rule.
- Allow Outbound traffic Port 443-80: You never need to have a firewall rule for outbound directions (with only a few exceptions), even less so for an existing inbound rule. The responses to allowed traffic are always allowed. Delete it.
- Allow NTP Port 123: Move the rule to floating.
 
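The two points above that trip people up most, first-match ordering and the 80-443 port range, can be checked without touching a firewall. The following is an added example, not code from the forum post or from OPNsense: a small first-match evaluator over constructed rule sets that mimics how OPNsense walks a "quick" rule list top to bottom with an implicit block at the end. The rule names, the guest gateway address 192.168.50.1, the LAN host 192.168.1.10 and the public addresses from the documentation ranges are all made up for the illustration; the "Allow 80-443" rule is modelled as matching any protocol, which is an assumption about the original poster's rule.

```python
"""First-match evaluation of OPNsense-style guest VLAN rules (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Contents of the "RFC1918" alias the post recommends.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed guest-VLAN address of the firewall itself (hypothetical).
FIREWALL_GUEST = [ipaddress.ip_network("192.168.50.1/32")]


def port_range(lo: int, hi: int) -> frozenset:
    """Expand a lo-hi range the way a 'from-to' port field does (inclusive)."""
    return frozenset(range(lo, hi + 1))


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    proto: str = "any"               # "tcp", "udp" or "any"
    dst: list = field(default_factory=list)   # destination networks; empty = any
    ports: Optional[frozenset] = None         # destination ports; None = any

    def matches(self, proto: str, dst_ip, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst and not any(dst_ip in net for net in self.dst):
            return False
        if self.ports is not None and dport not in self.ports:
            return False
        return True


def evaluate(rules, proto: str, dst_ip: str, dport: int):
    """Return (action, rule name) of the first matching rule; implicit block if none matches."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(proto, ip, dport):
            return rule.action, rule.name
    return "block", "implicit default block"


# Floating rules for basic services, scoped to the firewall's own resolver/NTP.
FLOATING = [
    Rule("Floating: DNS to firewall", "pass", "udp", FIREWALL_GUEST, port_range(53, 53)),
    Rule("Floating: NTP to firewall", "pass", "udp", FIREWALL_GUEST, port_range(123, 123)),
]

# Recommended guest VLAN list: block RFC1918 BEFORE allow any.
GOOD = FLOATING + [
    Rule("Block RFC1918", "block", dst=RFC1918),
    Rule("Allow any", "pass"),
]

# Same rules, wrong order: the block rule is never reached.
BAD_ORDER = FLOATING + [
    Rule("Allow any", "pass"),
    Rule("Block RFC1918", "block", dst=RFC1918),
]

# The poster's "80-443" range rule (assumed to match any protocol).
RANGE_RULES = [
    Rule("Block RFC1918", "block", dst=RFC1918),
    Rule("Allow 80-443", "pass", "any", ports=port_range(80, 443)),
]

# A "Port" alias containing only 80 and 443, as the post suggests instead.
ALIAS_RULES = [
    Rule("Block RFC1918", "block", dst=RFC1918),
    Rule("Allow web alias", "pass", "tcp", ports=frozenset({80, 443})),
]


def check(rules) -> dict:
    """Probe a rule list with a few representative guest flows (constructed packets)."""
    return {
        "dns_to_firewall": evaluate(rules, "udp", "192.168.50.1", 53)[0],
        "lan_smb": evaluate(rules, "tcp", "192.168.1.10", 445)[0],   # LAN host, must be blocked
        "web": evaluate(rules, "tcp", "198.51.100.10", 443)[0],
        "ntp_public": evaluate(rules, "udp", "203.0.113.5", 123)[0],
    }


if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("RANGE", RANGE_RULES)):
        print(label, check(rules))
    print("80-443 range vs UDP/123:", evaluate(RANGE_RULES, "udp", "203.0.113.5", 123))
    print("80,443 alias vs UDP/123:", evaluate(ALIAS_RULES, "udp", "203.0.113.5", 123))
```

Running it shows the LAN host reachable under BAD_ORDER and blocked under GOOD, and NTP (123) slipping through the 80-443 range rule but not through the two-port alias. The floating rules are deliberately scoped to the firewall's own address; a floating "DNS to any" placed above the RFC1918 block would let guests query every DNS server on your LAN.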
#95
General Discussion / Re: Unbound strange behavior
Last post by Patrick M. Hausen - December 06, 2025, 11:57:37 AM
In general it doesn't. I run it at multiple offices and an entire data centre with that setting and no problems at all.

Something about your configuration must be unusual. Still pondering what that might be. Did you change the interfaces setting for Unbound, possibly? Something in private networks?
#96
25.7, 25.10 Series / Re: 25.7.9: pkg exited on sign...
Last post by kozistan - December 06, 2025, 11:04:51 AM
Thank you for the tip! I've performed diagnostics following point 23. Here are my findings:

CPU: 12th Gen Intel Core i5-1235U (Alder Lake)
hw.pci.enable_aspm: 0 (disabled in /boot/loader.conf)
Microcode: no matching update found

I've tried:
Disabled ASPM by adding hw.pci.enable_aspm="0" to /boot/loader.conf → reboot

Cleared pkg cache: rm -rf /var/cache/pkg/*

Ran pkg update -f again and problem persists. The segmentation fault still occurs at exactly the same point:
SunnyValley repository update completed. 66 packages processed.
All repositories are up to date.
Child process pid=58709 terminated abnormally: Segmentation fault

This issue appeared only after upgrading to 25.7.9 (worked fine on previous versions)
OPNsense is installed on Vault Pro VP6650 – Intel i5 with X710 NICs (ixl)

Any advice?
#97
General Discussion / Re: Unbound strange behavior
Last post by ricksense - December 06, 2025, 10:27:44 AM
I realized that Unbound, in this scenario (without checking the "use name server" button), works intermittently and unpredictably.
#98
25.7, 25.10 Series / Re: KEA IPv6 Leases
Last post by meyergru - December 06, 2025, 10:27:14 AM
As long as Kea DHCPv6 is not active for an interface, it is neither shown nor selectable in the interface filter of the "leases" display.

SLAAC is never shown at all, because those are not leases - the clients decide for themselves which suffix they use. You would see SLAAC assignments in the NDP table only. If you ever had DHCPv6 leases, they will show up for a long time after they have been handed out, though.
#99
Hardware and Performance / My Experience with the SG330 &...
Last post by famyfa - December 06, 2025, 10:24:38 AM
Hi, I wanted to share my experience with a Sophos SG330 Rev1. and OPNsense, since other posts and knowledge on the Internet are a little bit older.

OPNsense on an SG330 works. Well, who thought otherwise.

Problems I encountered:
Installation: I had to remove the drive and install OPNsense using a different device. After that it booted OPNsense.
              Console port doesn't work by default after the installation; you need to change it in the settings of OPNsense.
              Interface mappings: IGB(InterfaceNumber visible on the device). So if you don't know which interface is what, check on the device and you have the numbers.
LCD: you need the plugin to get it working, otherwise it "ALWAYS" shows Sophos Protection.
Interfaces: I'm still trying to get the SFP+ interfaces working. The transceivers are working (ooh, a red light is shining in them) but I can't get the interface online, so I might send an update for that in the future.

Overall: I think this is a nice & cheap opportunity for some homelabs to get a decent firewall appliance.
#100
25.7, 25.10 Series / KEA, PiHole and IPv6
Last post by rjopn - December 06, 2025, 10:22:28 AM
Hello,

is there a tutorial to integrate PiHole?

a) Docker/k3s-container on a server with IPv6 only and NAT64
b) IPv6 clients with SLAAC
c) IPv4 clients with KEA DHCP

No idea whether this should work.