"Recent posts
#91
General Discussion / Latest OPNsense: libcrypto.so....
Last post by hakuna - December 27, 2025, 02:53:00 AMI have updated my system via terminal which only installed 4 packages I cannot remember but were small like os-upnp and 3 others.
If I run:
I get these 4 packages at the top which I believe they were the ones installed.
The UI stopped working, it was not longer responding, interfaces not showing, etc. Reboot.
After 1min, I didn't hear the beep sound and the terminal is stuck at:
Then I tried a hack not knowing much of it just to get the system started:
I gets other errors because of course, the versions are incompatible.
My system is running openssl-3.0.16 so I have no idea why it is requesting libcrypto.so.12 which no longer belongs to this system version.
So anyway, I have no idea what this update did, 4 packages, now it longer boots up and I have no much idea of what to do other than a clean install.
I am avoiding a clean install because I have soooooo many firewall rules and I cannot just import the backup, I need to install wireguard, os-upnp and others, otherwise, the importing the backup ends up a complete mess.
I also need to manually assign ports, it is a job and half.
I appreciate any help
If I run:
Code Select
pkg info -a -O '%t %n' | sort -rnI get these 4 packages at the top which I believe they were the ones installed.
Code Select
png-1.6.52
pkg-2.3.1_1
os-upnp-1.8
os-lcdprod-sdeclcd-1.1_1The UI stopped working, it was not longer responding, interfaces not showing, etc. Reboot.
After 1min, I didn't hear the beep sound and the terminal is stuck at:
Code Select
Shared object "libcrypto.so.12" not found, required by phpThen I tried a hack not knowing much of it just to get the system started:
Code Select
echo "libcrypto.so.12 libcrypto.so.30" >> /etc/libmap.conf
echo "libssl.so.12 libssl.so.30" >> /etc/libmap.conf
I gets other errors because of course, the versions are incompatible.
My system is running openssl-3.0.16 so I have no idea why it is requesting libcrypto.so.12 which no longer belongs to this system version.
So anyway, I have no idea what this update did, 4 packages, now it longer boots up and I have no much idea of what to do other than a clean install.
I am avoiding a clean install because I have soooooo many firewall rules and I cannot just import the backup, I need to install wireguard, os-upnp and others, otherwise, the importing the backup ends up a complete mess.
I also need to manually assign ports, it is a job and half.
I appreciate any help
#92
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by OPNenthu - December 27, 2025, 02:45:27 AMQuote from: muchacha_grande on December 26, 2025, 11:46:31 PMThe only caveat is that static configured addresses are not resolved by Dnsmasq. So I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP the name resolution work with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, the name resolution doesn't work.
With ISC-DHCP, the name resolution worked both in the cases of static IPs configured on the devices and in IPs assigned via DHCP.
I'm not sure which approach is better (appreciate advice from others), but I have been adding Host entries in Dnsmasq even for statically configured ones. They don't show up in Leases, but they do get added to DNS and I presume also marks that IP as reserved from the pool.
I make sure all the static IPs I use fall within the Dnsmasq range, which is a difference from ISC. This can obviously leave unused IPs if your Dnsmasq pool is, for example, .100 to .254. Then the entire range .2 to .99 is wasted.
I can think of a couple solutions:
1) Define the Dnsmasq range as .2 to .254 (.1 being for the gateway in this example)
2) Define two ranges: 192.168.1.2 - 192.168.1.99 (static pool) and 192.168.1.100 - 192.168.1.254 (DHCP pool) for the same domain
Question for @Monviech/@Maurice or others - is #2 viable and a good idea? I haven't tested.
#93
General Discussion / Re: NAXSI
Last post by OPNenthu - December 27, 2025, 02:34:13 AMIf you're saying that legitimate websites like this forum are hosting malicious payloads, then please show us. You have the burden of proof.
#94
25.7, 25.10 Series / LAN breaks when moving from on...
Last post by tdpolo26 - December 27, 2025, 02:26:36 AMHardware:
Supermicro X10SLM 1U
OPNsense
Onboard NICs: originally igb0 + em0
Added Intel i350-T4 (now shows as igb0–igb3)
After install, the onboard NIC that used to be igb0 is now igb4
No VLANs
AdGuard for DNS (including IPv6 filtering)
A few static IPv6 assignments
Background:
I installed an Intel i350-T4 because the onboard NICs seemed flaky occasionally, and several threads recommended the i350 as a solid choice.
Once installed, the first port on the i350 became the new igb0, so I reassigned WAN to that (since WAN was originally on igb0). WAN worked fine.
LAN was previously on em0, so I went into Interfaces → Assignments and changed LAN to igb1.
That's where things fell apart.
Symptoms after moving LAN to igb1:
Wi-Fi devices appeared to still work
Wired computers could not reach the internet
Some local hosts resolving through AdGuard rewrites still worked
DNS logs showed queries hitting AdGuard, but browsing failed
Reboots changed behavior (sometimes slightly different failure)
I don't use VLANs, bridging, or anything exotic — just standard LAN/WAN plus AdGuard and some static IPv6.
After several hours of troubleshooting, I changed LAN back to em0, and everything immediately worked again.
Current working setup:
WAN = i350 (igb0)
LAN = onboard (em0)
Network stable again
My question:
What would cause LAN to break simply by moving it from em0 to igb1, especially considering the onboard NIC renumbering (igb0 → igb4)?
Possible culprits I'm wondering about:
stale interface bindings left behind
spoof-checking behavior tied to old interface identity
NAT expectations based on the previous LAN interface
IPv6/RA/static address behavior still tied to em0
FreeBSD driver/ordering oddities when NIC indexes change
I expected this to be a straightforward interface move, but clearly something subtle is happening. I'd like to understand why before trying again.
Thanks for any insight — especially from folks who have swapped NICs on existing installs.
Supermicro X10SLM 1U
OPNsense
Onboard NICs: originally igb0 + em0
Added Intel i350-T4 (now shows as igb0–igb3)
After install, the onboard NIC that used to be igb0 is now igb4
No VLANs
AdGuard for DNS (including IPv6 filtering)
A few static IPv6 assignments
Background:
I installed an Intel i350-T4 because the onboard NICs seemed flaky occasionally, and several threads recommended the i350 as a solid choice.
Once installed, the first port on the i350 became the new igb0, so I reassigned WAN to that (since WAN was originally on igb0). WAN worked fine.
LAN was previously on em0, so I went into Interfaces → Assignments and changed LAN to igb1.
That's where things fell apart.
Symptoms after moving LAN to igb1:
Wi-Fi devices appeared to still work
Wired computers could not reach the internet
Some local hosts resolving through AdGuard rewrites still worked
DNS logs showed queries hitting AdGuard, but browsing failed
Reboots changed behavior (sometimes slightly different failure)
I don't use VLANs, bridging, or anything exotic — just standard LAN/WAN plus AdGuard and some static IPv6.
After several hours of troubleshooting, I changed LAN back to em0, and everything immediately worked again.
Current working setup:
WAN = i350 (igb0)
LAN = onboard (em0)
Network stable again
My question:
What would cause LAN to break simply by moving it from em0 to igb1, especially considering the onboard NIC renumbering (igb0 → igb4)?
Possible culprits I'm wondering about:
stale interface bindings left behind
spoof-checking behavior tied to old interface identity
NAT expectations based on the previous LAN interface
IPv6/RA/static address behavior still tied to em0
FreeBSD driver/ordering oddities when NIC indexes change
I expected this to be a straightforward interface move, but clearly something subtle is happening. I'd like to understand why before trying again.
Thanks for any insight — especially from folks who have swapped NICs on existing installs.
#95
General Discussion / Re: NAXSI
Last post by someone - December 27, 2025, 01:50:28 AMYou guys are great and the forum
So I want to mention something if you dont mind, i am not always watching
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages
This checks the forum for some types of malware should a bad guy do such
This is checking for embedded software in icons and photos and anything uploaded
It is undetectible by programs, takes me days with specialized hacking programs and AI to check a single small photo
cyberchef and a couple others and google AI really speeds it up
So I wanted to mention watching connections is a way faster method in one respect
Files is another thing, thought I would mention it
So I want to mention something if you dont mind, i am not always watching
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages
This checks the forum for some types of malware should a bad guy do such
This is checking for embedded software in icons and photos and anything uploaded
It is undetectible by programs, takes me days with specialized hacking programs and AI to check a single small photo
cyberchef and a couple others and google AI really speeds it up
So I wanted to mention watching connections is a way faster method in one respect
Files is another thing, thought I would mention it
#96
General Discussion / Re: Struggles scripting with t...
Last post by allddd - December 27, 2025, 01:24:14 AMQuote from: ASteve on December 27, 2025, 12:16:30 AMand triggers an action if either of the upstream gateways is down.
Not sure about the API, but have you considered using Monit? It's designed to do exactly that.
It can notify you, execute a script, or basically do anything else you want it to.
https://docs.opnsense.org/manual/monit.html
#97
General Discussion / Struggles scripting with the r...
Last post by ASteve - December 27, 2025, 12:16:30 AMI want to write a script that polls my opnsense server [ Version 22.7.11 ] and triggers an action if either of the upstream gateways is down. Essentially, I want a 'health-check' of my (two) internet connections from a script on my local LAN.
My first idea was to use the published Rest API. I configured an user, generated an API Key and started to experiment with the APIs I found in the documentation.
I was able to use Curl to GET from https://$OPNSENSEHOST/api/core/firmware/status - which yielded sensible-looking JSON. Things didn't go so well when I tried to find an API call to give me the status of my two gateway interfaces. For example, I tried using https://$OPNSENSEHOST/api/interfaces/overview/export - but it returned code 400 with the message: "controller OPNsense\\Interfaces\\Api\\OverviewController not found". I'm not sure why - as this API call does seem to have (sparse) documentation.
My first idea was to use the published Rest API. I configured an user, generated an API Key and started to experiment with the APIs I found in the documentation.
I was able to use Curl to GET from https://$OPNSENSEHOST/api/core/firmware/status - which yielded sensible-looking JSON. Things didn't go so well when I tried to find an API call to give me the status of my two gateway interfaces. For example, I tried using https://$OPNSENSEHOST/api/interfaces/overview/export - but it returned code 400 with the message: "controller OPNsense\\Interfaces\\Api\\OverviewController not found". I'm not sure why - as this API call does seem to have (sparse) documentation.
- Am I misinterpreting the API documentation?
- Does OpnSense support scripted (Restful) queries about the status of gateway interfaces? (I'm running dpinger Gateway Monitor services - and the information I want in my script is presented in the dashboard under "Gateways")
- Is the Rest API the best way to query gateway status from a script run on a host on my LAN?
#98
General Discussion / Re: change the Web UI certific...
Last post by mccasian - December 26, 2025, 11:57:40 PMHi ProximusAl
You made my day, thank you very much. I can now update the firewall certificate in place. It still does not solve changing the Web UI certificate via the API, but once the correct certificate is selected in the UI, being able to renew it in place through the API is sufficient for me.
For anyone looking for the cURL way of updating the certificate in-place, here it is:
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json
{"cert":
{
"action":"import",
"descr":"dummy_description",
"cert_type":"usr_cert",
"private_key_location":"firewall",
"crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
"prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
"csr_payload":""
}
}
Best regards
Casian
You made my day, thank you very much. I can now update the firewall certificate in place. It still does not solve changing the Web UI certificate via the API, but once the correct certificate is selected in the UI, being able to renew it in place through the API is sufficient for me.
For anyone looking for the cURL way of updating the certificate in-place, here it is:
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json
{"cert":
{
"action":"import",
"descr":"dummy_description",
"cert_type":"usr_cert",
"private_key_location":"firewall",
"crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
"prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
"csr_payload":""
}
}
Best regards
Casian
#99
General Discussion / Re: Set WebUI Certificate via ...
Last post by mccasian - December 26, 2025, 11:52:33 PMHi
I am afraid you can't do that, not yet.
But what you can do, is to manually set your WebUI certificate using the UI, and then update it in-place whenever you want. Use identical body as for "/add" but point it to "/set/<type_here_the_uuid_you_find_with_search_request>"
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json
{"cert":
{
"action":"import",
"descr":"testdummy3",
"cert_type":"usr_cert",
"private_key_location":"firewall",
"crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
"prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
"csr_payload":""
}
}
Best regards
Casian
I am afraid you can't do that, not yet.
But what you can do, is to manually set your WebUI certificate using the UI, and then update it in-place whenever you want. Use identical body as for "/add" but point it to "/set/<type_here_the_uuid_you_find_with_search_request>"
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json
{"cert":
{
"action":"import",
"descr":"testdummy3",
"cert_type":"usr_cert",
"private_key_location":"firewall",
"crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
"prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
"csr_payload":""
}
}
Best regards
Casian
#100
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by muchacha_grande - December 26, 2025, 11:46:31 PMFinally I went with changing the local IPv6 addresses to an ULA range maintaining NAT66.
I didn't implement ndp-proxy-go yet because as soon as I started to plan the migration I realized that the amount of work to be done was too much.
My main goal was to migrate from ISC to Dnsmasq and now it's working fine with DHCPv4 and DHCPv6, RA and static entries are being assigned.
In a future instance I will implement ndp-proxy-go.
The only caveat is that static configured addresses are not resolved by Dnsmasq. So I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP the name resolution work with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, the name resolution doesn't work.
With ISC-DHCP, the name resolution worked both in the cases of static IPs configured on the devices and in IPs assigned via DHCP.
I didn't implement ndp-proxy-go yet because as soon as I started to plan the migration I realized that the amount of work to be done was too much.
My main goal was to migrate from ISC to Dnsmasq and now it's working fine with DHCPv4 and DHCPv6, RA and static entries are being assigned.
In a future instance I will implement ndp-proxy-go.
The only caveat is that static configured addresses are not resolved by Dnsmasq. So I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP the name resolution work with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, the name resolution doesn't work.
With ISC-DHCP, the name resolution worked both in the cases of static IPs configured on the devices and in IPs assigned via DHCP.
