"Recent posts
#91
25.7, 25.10 Series / Why can't you host the ISO som...
Last post by ttyyuu12345 - December 30, 2025, 08:24:11 AMHere's the reason:
My home internet is 400down/30-35 up. My computers pretty fast, but to get fiber internet means we have to trust AT&T to dig up and fix THEIR cable, and charge me the same for the same bandwidth I get on my cloud. If AT&T did fix their cable, the physical cable in clay would easily break again and I'd lose connection due to their failure to protect the cable to cut corners.
I have a cloud server that's got 8c/16t (AMD Ryzen 7 3800X), 500Mbps up and down, and 128GB RAM, but the baremetal server runs 128GB of RAM. I have 3 IPs, and I don't want to run only 3 virtual machines on it.
I think its irresponsible for OPNsense to expect us to not provide a direct iso link when there's plenty of mirrors I can cancel, and turn around and copy link/paste. Heck, I could get a Windows ISO on my hypervisor faster than I could OPNSense.
My home internet is 400down/30-35 up. My computers pretty fast, but to get fiber internet means we have to trust AT&T to dig up and fix THEIR cable, and charge me the same for the same bandwidth I get on my cloud. If AT&T did fix their cable, the physical cable in clay would easily break again and I'd lose connection due to their failure to protect the cable to cut corners.
I have a cloud server that's got 8c/16t (AMD Ryzen 7 3800X), 500Mbps up and down, and 128GB RAM, but the baremetal server runs 128GB of RAM. I have 3 IPs, and I don't want to run only 3 virtual machines on it.
I think its irresponsible for OPNsense to expect us to not provide a direct iso link when there's plenty of mirrors I can cancel, and turn around and copy link/paste. Heck, I could get a Windows ISO on my hypervisor faster than I could OPNSense.
#92
25.7, 25.10 Series / os-c-icap and os-clamav Incomp...
Last post by Dreu - December 30, 2025, 07:12:34 AM Hello,
I am having trouble integrating Squid, C-ICAP, and ClamAV on OPNsense version 25.7.10. The Squid service is consistently crashing, and I believe the root cause is a version
incompatibility between the os-c-icap and os-clamav plugins.
Symptoms:
* The Squid service crashes on startup with a "signal 11 (segmentation fault)" error.
* The "ICAP Settings" section is completely missing from the Web Proxy administration page, even in advanced mode.
* The clamav_mod configuration section is missing from the C-ICAP advanced settings page.
Relevant Log Entries:
The C-ICAP logs show a versioning error when trying to load the ClamAV module:
1 main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
It also shows a subsequent connection error because the service is not running correctly:
1 main proc, clamd_connect: Can not connect to clamd server on 127.0.0.1:3310!
The main system log confirms the Squid crash:
1 pid XXXXX (squid), jid 0, uid 100: exited on signal 11 (no core dump - bad address)
Troubleshooting Steps Taken:
* Verified all three plugins (os-squid, os-c-icap, os-clamav) are installed.
* Performed multiple reboots.
* Performed a full uninstall of all three plugins, refreshed the package repositories via the UI, and did a clean reinstall of all three plugins. The problem persists even after a clean
install.
It appears the versions of the C-ICAP and ClamAV plugins currently in the repository for my OPNsense version are not compatible. Any guidance on how to resolve this would be greatly
appreciated.
Thank you.
I am having trouble integrating Squid, C-ICAP, and ClamAV on OPNsense version 25.7.10. The Squid service is consistently crashing, and I believe the root cause is a version
incompatibility between the os-c-icap and os-clamav plugins.
Symptoms:
* The Squid service crashes on startup with a "signal 11 (segmentation fault)" error.
* The "ICAP Settings" section is completely missing from the Web Proxy administration page, even in advanced mode.
* The clamav_mod configuration section is missing from the C-ICAP advanced settings page.
Relevant Log Entries:
The C-ICAP logs show a versioning error when trying to load the ClamAV module:
1 main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
It also shows a subsequent connection error because the service is not running correctly:
1 main proc, clamd_connect: Can not connect to clamd server on 127.0.0.1:3310!
The main system log confirms the Squid crash:
1 pid XXXXX (squid), jid 0, uid 100: exited on signal 11 (no core dump - bad address)
Troubleshooting Steps Taken:
* Verified all three plugins (os-squid, os-c-icap, os-clamav) are installed.
* Performed multiple reboots.
* Performed a full uninstall of all three plugins, refreshed the package repositories via the UI, and did a clean reinstall of all three plugins. The problem persists even after a clean
install.
It appears the versions of the C-ICAP and ClamAV plugins currently in the repository for my OPNsense version are not compatible. Any guidance on how to resolve this would be greatly
appreciated.
Thank you.
#93
General Discussion / Simple Port Forward Failing
Last post by kojak - December 30, 2025, 03:12:14 AMI have an OPNsense router connected to a lab network (10.10.20.1/24) so I can test it before putting it in PROD. The WAN IP of the OPNsense router is 10.10.20.50, and I am trying to forward port 8080 to a host (10.0.0.14) on my OPNsense MGMT network (10.0.0.1/24).
I can see that traffic reaches my OPNsense router and is redirected by NAT to the correct internal IP (10.0.0.14), passing through the WAN and onto the MGMT network. However, I do not see any traffic in the HTTP server's log, and I get no response to my curl request from 10.10.20.28. I have verified that I can successfully curl the HTTP server running on 10.0.0.14 from another host on the 10.0.0.x network. I'm stumped. Here are some screenshots of my setup...
FW Logs:
The NAT:
The WAN
The MGMT Network
I can see that traffic reaches my OPNsense router and is redirected by NAT to the correct internal IP (10.0.0.14), passing through the WAN and onto the MGMT network. However, I do not see any traffic in the HTTP server's log, and I get no response to my curl request from 10.10.20.28. I have verified that I can successfully curl the HTTP server running on 10.0.0.14 from another host on the 10.0.0.x network. I'm stumped. Here are some screenshots of my setup...
FW Logs:
The NAT:
The WAN
The MGMT Network
#94
25.7, 25.10 Series / Re: NAT reflection rules being...
Last post by gerardo - December 30, 2025, 02:16:48 AMOk, solved by adding a custom rule to allow any LAN IP to hit the specific redirected host, which is nginx proxy mgr. All the other hosts are still inaccessible behind npm.
#95
25.7, 25.10 Series / Re: NAT reflection rules being...
Last post by gerardo - December 30, 2025, 01:57:54 AMI've got the exactly same problem after I upgraded to the latest version (from a year ago).
#96
25.7, 25.10 Series / Re: Pointing to adguard DNS se...
Last post by mpoldphone191 - December 30, 2025, 01:05:49 AMNot sure why Unbound isn't sending the requests to the other server, I would check to see if the Opnsense instance can hit the other AdGuard server. Easy way to do that is to open a Shell in Opnsense then do a dig command to do a DNS query. The command line should be something along the lines of dig @IP of Adguard hp.com, though that is the Linux command so I am unsure if it will work in BSD. If it can't communicate then check the Opnsense and local firewall settings.
The way I would prefer to do it is change the DNS server in the DHCP settings to issue the AdGuard IP to your clients. This will point all devices that request an IP to use the AdGuard IP, the nice thing about this is that the AdGuard logs will show the source IP of the query instead of the OpnSense IP to make troubleshooting other issues easier. The setting will in the DHCP Server settings in services.
If you don't want to change it in DHCP you can alternatively set it on the OS to use a certain one, though this is not recommended for mobile devices since it will try to use your IP server when you connect to other networks.
The way I would prefer to do it is change the DNS server in the DHCP settings to issue the AdGuard IP to your clients. This will point all devices that request an IP to use the AdGuard IP, the nice thing about this is that the AdGuard logs will show the source IP of the query instead of the OpnSense IP to make troubleshooting other issues easier. The setting will in the DHCP Server settings in services.
If you don't want to change it in DHCP you can alternatively set it on the OS to use a certain one, though this is not recommended for mobile devices since it will try to use your IP server when you connect to other networks.
#97
General Discussion / Re: [solved] pf ruleset causin...
Last post by OPNenthu - December 30, 2025, 12:25:15 AMI did also drop a note in the Hardware section topic to correct the record :)
#98
General Discussion / Re: [solved] pf ruleset causin...
Last post by nero355 - December 30, 2025, 12:15:11 AMQuote from: Patrick M. Hausen on December 27, 2025, 05:26:26 PMTrueNAS does not support policy routing so if you have network interfaces in different networks it will always answer any client fromWhat is TrueNAS based on these days ?!
- the directly connected one, if present
- the one with the default gateway, otherwise
Specifically there is no separation of the UI and the file sharing services. Not possible, don't try it, you will fail.
First it was FreeBSD and then they switched to Linux as far as I know ?
Sounds like very bad decisions were made the last couple of years if it for example doesn't have SystemD and it's Policy Routing/Source Based Routing onboard like you would expect it to have...
Quote from: Patrick M. Hausen on December 28, 2025, 10:30:30 AMYou can bind different services to different interfaces, of course. But if your management desktop and TN share a common network and you define "management" to be a different one to be accessed through a firewall, TN will send the replies through the common network bypassing the firewall, because that's how routing works.I had that issue (A-Symmetrical Routing blocked by the OPNsense Default Block Rule) after switching from my old Ubiquiti USG 3P Router to OPNsense and solved it via SystemD Network Configuration for :
eth0
eth0.10 VLAN
eth0.any other VLAN
Now my Traffic is no longer blocked when accessing this Multi-VLAN Interface device from VLAN 10 to it's Management eth0 address and my SSH connection for example doesn't time out! :)
QuoteA separate storage network for e.g. iSCSI assumes that all clients and the TN server share that network, so no asymmetric routing occurs. That of course is perfectly reasonable. Same for e.g. NFS for VMware.As long as you keep things 1:1 connected in the same subnet there are no issues indeed :)
QuoteBut placing mangement in a separate network does not work unless the management station is in that same network. Just like with the storage examples.Unless you can manipulate the Routing Table on the device you are accessing ofcourse!
Quote from: OPNenthu on December 29, 2025, 11:27:32 PMit seems I may have misjudged the AQC113 NIC earlier.I hope so too for you, because I have just read your other topic about the NIC and I am really disappointed that the driver support is not all that great/how it should be or could have been...
Look like the AQC113 is so far not falling down :)
Hope this keeps up.
It was soo promising when it was announced many years ago : Just € 95 for a 1 port 10 Gbps NIC with RJ45 was WOW!!! at the time!
#99
25.7, 25.10 Series / Re: Upgrade version discrepanc...
Last post by erwinvanlonden - December 30, 2025, 12:07:44 AMQuote from: franco on December 22, 2025, 08:10:28 AMYou're not posting your update attempt logs here either. I'm not sure how to help in that case other than give moral rubber duck support. ;)
Cheers,
Franco
Hello Franco,
Apologies for the late reply. Attached is the last report I got when doing an audit on the upgrade. Not sure what to make of this. I'm just trying to figure out why the Status and Changelog page shows that I'm on the latest version but when the "Check Update" has ran the result is that Opnsense thinks I'm still on 25.7.8
Code Select
Type opnsense
Version 25.7.10
Architecture amd64
Commit c2f076f30
Mirror https://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:14:amd64/25.7
Repositories OPNsense (Priority: 11)
Updated on Fri Dec 19 17:20:40 AEST 2025
Checked on Tue Dec 30 08:22:05 AEST 2025
Code Select
Version Date
25.7.10 (installed) 2025-12-18
25.7.9 2025-12-04
Code Select
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7.10 (amd64) at Tue Dec 30 09:00:56 AEST 2025
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/195380 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
All repositories are up to date.
Checking for upgrades (82 candidates): .......... done
Processing candidates (82 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
When this finishes I see this.
Code Select
Package name Current version New version Required action Repository
base 25.7.8 25.7.10 upgrade OPNsense
kernel 25.7.8 25.7.10 upgrade OPNsense
#100
25.7, 25.10 Series / Re: Dashboard/WebGUI slows, ha...
Last post by ChrisChros - December 29, 2025, 11:55:48 PMI experience the same with the Chrome Browser on my MacBook. With Safari I have no issues.
I deleted all widgets and start rebuilding when I recognized that Chrome will hang up also when I move the widgets.
At the moment Chrome is not usable with the new WebUi.
I deleted all widgets and start rebuilding when I recognized that Chrome will hang up also when I move the widgets.
At the moment Chrome is not usable with the new WebUi.
