Recent posts

#91
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by Patrick M. Hausen - December 11, 2025, 12:18:52 PM
Double NAT? Do you have a router in front of your OPNsense?
#92
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by mb19 - December 11, 2025, 12:01:39 PM
Hi, yes

For example rn the WAN interface is active:

root@opnsense:~ # cat /var/etc/ntpd.conf
#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 1
# Max number of associations
tos maxclock 10


# Upstream Servers
pool 0.es.pool.ntp.org iburst maxpoll 9 prefer
pool 1.es.pool.ntp.org maxpoll 9
pool 2.es.pool.ntp.org maxpoll 9
pool 3.es.pool.ntp.org maxpoll 9
pool 0.europe.pool.ntp.org maxpoll 9


enable stats
statistics clockstats loopstats peerstats
statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict source
restrict default
restrict -6 default
restrict 127.0.0.1
restrict ::1
interface ignore all
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
interface listen fe80::1%lo0
interface listen 192.168.45.1
interface listen 10.20.0.1
interface listen 192.168.10.2
root@opnsense:~ #

I also read that there could be issues if there is double NAT, as well as with WireGuard, but I'm still lacking some networking knowledge in that area. In any case, here's the process with both WAN and LAN enabled (I stopped and restarted the service in foreground mode):

root@opnsense:/var/log/filter # service ntpd stop
ntpd does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
root@opnsense:/var/log/filter # ps axu | grep ntpd
root    67417   0.0  0.1  24776   8436  -  Ss   11:19        0:00.19 /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
root    83127   0.0  0.0  13744   2396  0  S+   11:52        0:00.00 grep ntpd
root@opnsense:/var/log/filter # kill 67417
root@opnsense:/var/log/filter # ps axu | grep ntpd
root    99634   0.0  0.0  13744   2408  0  S+   11:52        0:00.00 grep ntpd
root@opnsense:/var/log/filter # ntpd -n -d -c /var/etc/ntpd.conf
11 Dec 11:52:55 ntpd[3110]: ntpd 4.2.8p18@1.4062-o Wed Oct 22 02:05:50 UTC 2025 (1): Starting
11 Dec 11:52:55 ntpd[3110]: Command line: ntpd -n -d -c /var/etc/ntpd.conf
11 Dec 11:52:55 ntpd[3110]: ----------------------------------------------------
11 Dec 11:52:55 ntpd[3110]: ntp-4 is maintained by Network Time Foundation,
11 Dec 11:52:55 ntpd[3110]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
11 Dec 11:52:55 ntpd[3110]: corporation.  Support and training for ntp-4 are
11 Dec 11:52:55 ntpd[3110]: available at https://www.nwtime.org/support
11 Dec 11:52:55 ntpd[3110]: ----------------------------------------------------
11 Dec 11:52:55 ntpd[3110]: proto: precision = 0.838 usec (-20)
11 Dec 11:52:55 ntpd[3110]: basedate set to 2025-10-10
11 Dec 11:52:55 ntpd[3110]: gps base set to 2025-10-12 (week 2388)
11 Dec 11:52:55 ntpd[3110]: initial drift restored to 0.000000
11 Dec 11:52:55 ntpd[3110]: Listen normally on 0 igb0 192.168.10.2:123
11 Dec 11:52:55 ntpd[3110]: Listen normally on 1 igb1 192.168.45.1:123
11 Dec 11:52:55 ntpd[3110]: Listen normally on 2 lo0 [::1]:123
11 Dec 11:52:55 ntpd[3110]: Listen normally on 3 lo0 [fe80::1%4]:123
11 Dec 11:52:55 ntpd[3110]: Listen normally on 4 lo0 127.0.0.1:123
11 Dec 11:52:55 ntpd[3110]: Listen normally on 5 wg0 10.20.0.1:123
11 Dec 11:52:55 ntpd[3110]: Listening on routing socket on fd #26 for interface updates
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 8811 81 mobilize assoc 20628
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 8811 81 mobilize assoc 20629
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 8811 81 mobilize assoc 20630
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 8811 81 mobilize assoc 20631
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 8811 81 mobilize assoc 20632
11 Dec 11:52:55 ntpd[3110]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 c01d 0d kern kernel time sync enabled
11 Dec 11:52:55 ntpd[3110]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
11 Dec 11:52:55 ntpd[3110]: 0.0.0.0 c016 06 restart
11 Dec 11:52:56 ntpd[3110]: Soliciting pool server 92.113.12.78
11 Dec 11:52:58 ntpd[3110]: Soliciting pool server 195.20.235.143
11 Dec 11:52:58 ntpd[3110]: Soliciting pool server 194.164.164.175
11 Dec 11:52:59 ntpd[3110]: Soliciting pool server 94.143.139.219
11 Dec 11:53:00 ntpd[3110]: Soliciting pool server 178.62.68.79
11 Dec 11:54:01 ntpd[3110]: Soliciting pool server 162.159.200.123
......

Regarding the ISP, I spoke with the provider a few months ago to ask if they were blocking the traffic, but they told us they were not.

The status is still like this:

root@opnsense:~ # ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.es.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.001
 1.es.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.001
 2.es.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.001
 3.es.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.001
 0.europe.pool.n .POOL.          16 p    -   64    0    0.000   +0.000   0.001
#93
25.7, 25.10 Series / Re: OPNCentral cannot provisio...
Last post by franco - December 11, 2025, 11:41:12 AM
The downgrade is painless and on the fly. It only replaces the bad plugin update. Just need to issue the following command on each node in the shell:

# opnsense-revert -r 25.10p1 os-OPNBEcore


Cheers,
Franco
#94
25.7, 25.10 Series / Re: Possible firewall bug?
Last post by Patrick M. Hausen - December 11, 2025, 11:37:06 AM
You have blanks/spaces in these strings. Remove them.
#95
25.7, 25.10 Series / Possible firewall bug?
Last post by Lymba_Sysm - December 11, 2025, 11:35:24 AM
So I've been trying to add these to my firewall aliases, but every time I've tried to do so, it doesn't work. I was watching Homenetworkguy do this on YouTube in the exact same manner, except on an older version of OPNsense. I presume this is a bug? If so, how can I get around it?
#96
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by Patrick M. Hausen - December 11, 2025, 11:35:11 AM
Synchronisation takes a while and of course the service *must* be active on WAN or it cannot communicate with the public NTP servers.

Did you try the ntpdate command? Sometimes ISPs block NTP and ask people to only use the servers provided by them. NTP can be used for reflection DDoS attacks if configured improperly.
#97
Web Proxy Filtering and Caching / Re: Squid Proxy | Allow only s...
Last post by bpill - December 11, 2025, 11:23:03 AM
Thanks @Monviech

This would still allow connections to IP addresses, I guess?
#98
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by mb19 - December 11, 2025, 11:23:01 AM
Thanks to both of you.

On the one hand, I don't think this is a DNS issue, since name resolution does work:

root@opnsense:/var/log/filter # dig pool.ntp.org

; <<>> DiG 9.20.15 <<>> pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60156
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pool.ntp.org.                  IN      A

;; ANSWER SECTION:
pool.ntp.org.           130     IN      A       162.159.200.1
pool.ntp.org.           130     IN      A       195.95.153.59
pool.ntp.org.           130     IN      A       194.164.164.175
pool.ntp.org.           130     IN      A       92.113.12.77

;; Query time: 454 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Dec 11 11:06:49 CET 2025
;; MSG SIZE  rcvd: 105

And on the other hand, my system clock is also correct (I'm in Spain) and here's the output:

root@opnsense:/var/log/filter # date
Thu Dec 11 11:08:38 CET 2025
root@opnsense:/var/log/filter #


https://ibb.co/QF2bkBcm


Here is the drill test as well:

root@opnsense:/var/log/filter # drill  0.europe.pool.ntp.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22650
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 0.europe.pool.ntp.org.       IN      A

;; ANSWER SECTION:
0.europe.pool.ntp.org.  130     IN      A       193.219.94.180
0.europe.pool.ntp.org.  130     IN      A       193.1.8.98
0.europe.pool.ntp.org.  130     IN      A       193.32.222.35
0.europe.pool.ntp.org.  130     IN      A       188.225.9.167

;; Query time: 581 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Dec 11 11:11:23 2025
;; MSG SIZE  rcvd: 103
root@opnsense:/var/log/filter #

Finally, I've tried different combinations of the interfaces (out of lack of knowledge and some desperation, hoping that one of them would work by elimination).

In the screenshot I shared earlier I only had LAN selected, but I can leave it by default with all of them, I restart the service, and it still remains in "pending":

https://ibb.co/TxjNtrpj
#99
25.7, 25.10 Series / Re: OPNCentral cannot provisio...
Last post by nono - December 11, 2025, 11:19:22 AM
I can confirm that the issue continues when all nodes are up to date.

But I'm not willing to downgrade my productive nodes honestly ... They are "heavily" used for business purpose so this is something I would like to avoid.
#100
Announcements / Re: OPNsense 25.7.9 released
Last post by franco - December 11, 2025, 11:14:28 AM
A hotfix release was issued as 25.7.9_7:

o system: fix hidden syslog HA XMLRPC sync option
o firewall: aliases: add has_parser() to check if an alias has a valid parser available
o firewall: clean up rules edit cancel button
o unbound: fix condition in safesearch template
o unbound: fix "configctl unbound check" after 25.7.8