Recent posts

#91
25.7, 25.10 Series / Re: 25.7.8 upgrade
Last post by Baron_Backdoor - November 27, 2025, 05:27:34 PM
Quote from: meyergru on November 27, 2025, 04:46:36 PM
That looks as if 25.7.8 upgrade was done (potentially incomplete) and now you do not have internet access.

From what version did you start out? If it was < 25.7, see https://forum.opnsense.org/index.php?topic=48343.msg244891#msg244891

If that is your situation, you need to apply the fixes, preferably before the upgrade.

I want to say 25.7.5, so I'll look at those fixes. Luckily, despite it being upset, I still have internet (thank the lord, as she is catching up on Stranger Things and I don't wish to stop that lol).


UPDATE

Yes, 25.7.5, as under Updates it still says to update despite the dashboard saying all good.

#92
25.7, 25.10 Series / Re: 25.7.8 upgrade
Last post by Baron_Backdoor - November 27, 2025, 05:25:27 PM
Quote from: SeeDrs on November 27, 2025, 04:33:57 PM
Have you tried a different Mirror? You can change it under System > Firmware > Setting.

Thank you for the reply, yes, 3 or 4 of them.
#93
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by meyergru - November 27, 2025, 05:00:45 PM
Quote from: Patrick M. Hausen on November 27, 2025, 11:44:07 AM
Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/

1.1.1.1 also seems O.K. to me (and it is by far the fastest DNS resolver I know of).
#94
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by JMini - November 27, 2025, 04:51:07 PM
A lot of good info here. Thanks, all.
I'm located in the US and Verizon is my ISP. I'm pretty sure they mine DNS and sell the data. No GDPR here. CloudFlare has a good reputation for privacy. But any unencrypted DNS will be snooped by Verizon.
I don't care about "intelligence". I'm a nobody home user. They're gonna get what they get. I'd rather just not be snooped on by my ISP and have it sold to advertisers.
So, if I let Unbound use the authoritative servers it has compiled in, it's sending those requests in the clear over port 53 that can be seen by anyone along the way. Using DOH/DOT, it's at least hidden until it gets to CloudFlare/OpenDNS. Then I'm relying on their privacy promises. I get that part.

Thanks for the whole explanation of how the stepped approach to DNS resolution works. I thought there were these centralized DNS repositories that just served up the whole thing. Not org, then opnsense.org, then forums.opnsense.org.
Maybe I'll do some reading on the details of DNS. I had no idea it was that segmented.
#95
25.7, 25.10 Series / Re: 25.7.8 upgrade
Last post by meyergru - November 27, 2025, 04:46:36 PM
That looks as if 25.7.8 upgrade was done (potentially incomplete) and now you do not have internet access.

From what version did you start out? If it was < 25.7, see https://forum.opnsense.org/index.php?topic=48343.msg244891#msg244891

If that is your situation, you need to apply the fixes, preferably before the upgrade.
#96
General Discussion / PSA: recent Comcast firmware s...
Last post by really_lost - November 27, 2025, 04:45:26 PM
I lost my IPv6 prefix delegation about a week ago. Seriously dug into it yesterday and have packet captures of the modem telling me no prefix delegation.

For anyone else using anything besides the base /64 of your IPv6 statics, don't waste much time on this. There's a forum thread on the Comcast support that makes it clear this is an issue with the latest firmware. It even includes someone who got their modem swapped out. The swapped out modem came with older firmware. Prefix delegation worked again. A few days later, the new modem switched to the latest firmware and prefix delegation broke.

https://forums.businesshelp.comcast.com/conversations/ipv6/prefix-delegation-disabled/690fa973a2c50219bf21c6e6

It's pretty clear that firmware CGA4332COM_8.2p5s1_PROD_sey breaks prefix delegation for Comcast customers.
#97
General Discussion / Re: TUI for viewing and analys...
Last post by allddd - November 27, 2025, 04:44:15 PM
I'm glad you liked it :)

Quote from: patient0 on November 27, 2025, 10:24:48 AM
my screen is quite small (1280x800) and not all columns fit on the screen. It would be helpful if I could scroll horizontally with e.g. either the left/right arrow keys and/or 'h'/'l' (like in vim).

This is already on my todo list because, even with larger screens, it's an issue if the terminal is not running in fullscreen mode, which is often the case. I even have a bit of code for this in a local branch, but I haven't really decided what would be the best way to do this.

One approach would be to dynamically truncate the columns based on window size, but that would cause an issue on smaller screens where you could not see part of the date, IP, etc., which isn't ideal.

Another approach, as you mentioned, would be to implement horizontal scrolling. This would be more tricky to implement and might not look as good, but at least it would not cut off parts of IPs or other fields.

Quote from: patient0 on November 27, 2025, 10:24:48 AM
right now filtering for 'proto ip6' doesn't show any results. But filtering for 'proto ip' shows only the ip6 traffic. I would prefer if 'proto ip' would show the ipv4 entries and 'proto ip6' the ipv6. Maybe even a shortcut like in 'pftop' 'ip' and 'ip6' showing the ipv4 and ipv6 entries.

Currently, it is not possible to filter based on IP version, but adding this as an option would be easy. Documentation on the filter.log format:

IPv4
====

[Packetfilter], ipversion, tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst

The protonum/protoname order is reversed compared to IPv6.

IPv6
====

[Packetfilter], ipversion, class, flow, hoplimit, protoname, protonum, length, src, dst

The protonum/protoname order is reversed compared to IPv4.

The proto filter is used to filter by protoname. The reason you get any results with a filter query such as proto ip is that some protocol names contain ip* (e.g. ipv6-icmp) and the value does not have to be an exact match. To implement this, I would either have to abuse the proto keyword or add a new one used specifically for matching the ipversion field. The latter option would probably be less confusing.

If you have a Gitlab account, feel free to open an issue if you notice any bugs or have suggestions.
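The following is an added example, not code from the TUI project or from the poster, that puts the field orders quoted above into a small parser: it reads the ipversion field, applies the IPv4 or IPv6 layout (noting that protonum/protoname swap places), and then shows why a substring 'proto ip' filter pulls in ipv6-icmp while a dedicated ipversion key matches exactly. The number of fields before ipversion (assumed here to be eight: rulenr, subrulenr, anchorname, rid, interface, reason, action, dir) and the sample log lines are assumptions and constructed data, not taken from a real firewall.

```python
import csv
from dataclasses import dataclass
from typing import Iterable, List

# ASSUMPTION: eight fields precede "ipversion" (rulenr, subrulenr, anchorname,
# rid, interface, reason, action, dir). Adjust if your filterlog prefix differs.
PREFIX_FIELDS = 8

# Field order after ipversion, exactly as documented in the post above.
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "protonum", "protoname", "length", "src", "dst"]
IPV6_FIELDS = ["class", "flow", "hoplimit",
               "protoname", "protonum", "length", "src", "dst"]

# Constructed sample lines (not captured from a real firewall):
# an IPv4 TCP pass and an IPv6 ICMPv6 block. Trailing layer-4 fields are ignored.
SAMPLE_LOG = [
    "86,,,0000000000000000000000000000aaaa,igc0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,51000,443,0,S",
    "91,,,0000000000000000000000000000bbbb,igc1,match,block,in,6,0x00,0x00000,255,ipv6-icmp,58,32,fe80::1,ff02::1,134",
]


@dataclass
class PfLogEntry:
    action: str
    ipversion: int
    protonum: int
    protoname: str
    length: int
    src: str
    dst: str


def parse_line(line: str, prefix_fields: int = PREFIX_FIELDS) -> PfLogEntry:
    """Parse one filterlog line, picking the IP-header layout from ipversion."""
    fields = next(csv.reader([line]))
    if len(fields) <= prefix_fields:
        raise ValueError("line too short for a filterlog record")
    ipversion = int(fields[prefix_fields])
    layout = {4: IPV4_FIELDS, 6: IPV6_FIELDS}.get(ipversion)
    if layout is None:
        raise ValueError(f"unknown ipversion {ipversion}")
    rest = fields[prefix_fields + 1:]
    if len(rest) < len(layout):
        raise ValueError("truncated IP header fields")
    ip = dict(zip(layout, rest))  # zip stops at the layout, dropping L4 fields
    return PfLogEntry(
        action=fields[prefix_fields - 2],  # 'action' sits two before ipversion in the assumed prefix
        ipversion=ipversion,
        protonum=int(ip["protonum"]),
        protoname=ip["protoname"],
        length=int(ip["length"]),
        src=ip["src"],
        dst=ip["dst"],
    )


def parse_log(lines: Iterable[str]) -> List[PfLogEntry]:
    return [parse_line(line) for line in lines if line.strip()]


def matches(entry: PfLogEntry, key: str, value: str) -> bool:
    """'proto' keeps the substring semantics described in the post; 'ipversion' is exact."""
    if key == "proto":
        return value in entry.protoname        # 'ip' also matches 'ipv6-icmp'
    if key == "ipversion":
        return str(entry.ipversion) == value   # only '4' or '6' match
    raise ValueError(f"unsupported filter key {key!r}")


def filter_entries(entries: Iterable[PfLogEntry], key: str, value: str) -> List[PfLogEntry]:
    return [e for e in entries if matches(e, key, value)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, value in (("proto", "ip"), ("ipversion", "4"), ("ipversion", "6")):
        hits = filter_entries(entries, key, value)
        print(f"{key} {value}: {[f'{e.src} -> {e.dst} ({e.protoname})' for e in hits]}")
```

Running the block prints that 'proto ip' returns only the ICMPv6 entry (because "tcp" does not contain "ip"), whereas 'ipversion 4' and 'ipversion 6' each return exactly one entry, which is the behaviour the separate keyword would give.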
#98
Hardware and Performance / Re: Network behind a double NA...
Last post by meyergru - November 27, 2025, 04:42:36 PM
The GMKtec has 2x I226, so that is better than Realtek NICs (although you will want to use the NICs as virtio interfaces).

I see a problem with the WiFi uplink, though. You want that to be the WAN of your OpnSense, yet WiFi chipsets are badly supported under FreeBSD and OpnSense. You cannot set it up under Proxmox, either, because that should be connected only to your OpnSense's LAN side.

That would be less of a problem if the WAN uplink were through one of the RJ45 interfaces and the other one were used for the LAN - but that would mean you need a switch to connect both your main desktop and an AP.

Do not underestimate the setup, because OpnSense on Proxmox is special.

I personally do not like Router-behind-Router scenarios, because they tend to give all kinds of problems, see https://forum.opnsense.org/index.php?topic=42985.0, point 4. For one, you will have to do port forwards on both OpnSense and your outer router in order to give access from outside.
Also, if you need IPv6, this might get difficult to set up (if it works at all).

I do not really understand why you would want to keep the TP-Link in the loop, because that is a standard router without any ONT/modem inside, so OpnSense can do its job all on its own and the TP-Link is not needed (unless you must extend the reach via WiFi, which is problematic anyway).
#99
25.7, 25.10 Series / Re: 25.7.8 upgrade
Last post by SeeDrs - November 27, 2025, 04:33:57 PM
Have you tried a different Mirror? You can change it under System > Firmware > Setting.
#100
General Discussion / Re: OPNsense does not generate...
Last post by Monviech (Cedrik) - November 27, 2025, 04:12:59 PM
Both the route-to (Force Gateway) and reply-to rules can be deactivated in "Firewall - Settings - Advanced"

If you do not have multi-WAN, it's highly recommended to disable them.