Recent posts

#91
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by Monviech (Cedrik) - January 21, 2026, 12:45:01 PM
Do these steps, first execute:

/usr/local/opnsense/scripts/filter/download_geoip.py

Then go to "Firewall - Aliases" and create a new alias that contains Belgium.
After saving and applying, go to "Firewall - Diagnostics - Aliases" and check the contents of the alias you just created.
#92
25.1, 25.4 Series / Re: Wireguard issue(s)
Last post by Bob.Dig - January 21, 2026, 12:16:57 PM
For Android there is "WG Tunnel", which can cope with dynamic IPs. If your resolution is to restart WG on OPNsense though, you might have another problem, and upgrading OPNsense is strongly advised to begin with.
#93
General Discussion / Re: Where is TCP processed - C...
Last post by Seimus - January 21, 2026, 12:12:44 PM
To be honest, usually you want to disable it, e.g. force ASPM off globally at the OS level, because the per-device, per-line disabling may not always work as it should... I usually disable ASPM in the BIOS on everything, or if that is not available or I have suspicions it's not enough, I force-disable it globally in Linux.

https://wiki.archlinux.org/title/Power_management#Active_State_Power_Management

Regards,
S.
#94
General Discussion / Re: Where is TCP processed - C...
Last post by OPNenthu - January 21, 2026, 12:07:05 PM
Understood, although there might be a reason why Protectli found that ASPM must be disabled globally rather than disabling it on a per-device basis with PCI sysctls.  Usually you don't use the nuclear option unless there's a reason, but who knows.
#95
General Discussion / Re: subdomains / haproxy not w...
Last post by Patrick M. Hausen - January 21, 2026, 11:57:07 AM
You need to whitelist your internal addresses.

Either with this parser:

https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/whitelists

or manually following the documentation:

https://doc.crowdsec.net/u/getting_started/post_installation/whitelists/
#96
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by meyergru - January 21, 2026, 11:56:43 AM
I neither use the business edition nor have I monitored the size of the Ipinfo database over time. I use it with the community edition and for me, it works:

# wc /usr/local/share/GeoIP/alias/BE-IPv?
    9736    9736  158563 /usr/local/share/GeoIP/alias/BE-IPv4
   24323   24323  566429 /usr/local/share/GeoIP/alias/BE-IPv6
   34059   34059  724992 total

# fgrep ,BE, ipinfo_lite.csv | wc
  34059   64340 2112133

Seems like there is some kind of extraction process from the Ipinfo CSV that failed to generate all entries, maybe because of a subtle syntax error in the CSV. For example, I find this line inside the CSV:

2a14:3d02::/35,Belgium,BE,Europe,EU,AS57234,"LLC ""IT NETWORKS CHAT""",ichatua.com.ua

Note the multiple quotes. Also, there are missing ASNs in some lines. So maybe this is a parsing error within OPNsense code, but probably in the business edition only?
#97
General Discussion / Re: Where is TCP processed - C...
Last post by chemlud - January 21, 2026, 11:47:48 AM
@OPNenthu Thanks for reading, yes, ASPM and offloading are apparently off the list at that point.

EEE (enabled, but apparently "inactive", see above) and the "wrong" driver (8169, which works perfectly on another Tumbleweed with old ATOM CPU with legacy BIOS and Realtek 8168 hardware, btw...) are on the list.

Not much left, apparently...
#98
General Discussion / Re: subdomains / haproxy not w...
Last post by kasperski1868 - January 21, 2026, 11:44:02 AM
Found the issue: I installed crowdsec recently... this seems to be the culprit. Guess I'll have to learn some more about that one before I turn it on again. Thanks!
#99
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by DEC740airp414user - January 21, 2026, 11:42:53 AM
Quote from: meyergru on January 20, 2026, 10:00:17 PM
AFAIK, the business edition uses IPinfo per default, if not configured otherwise.

I noticed the numbers (addresses) decreased in total by about 10k. Is this the reason why those numbers changed so much?

Within the last month, maybe 2?
#100
General Discussion / Re: Where is TCP processed - C...
Last post by OPNenthu - January 21, 2026, 11:35:46 AM
It will be interesting if ASPM with coreboot is the culprit, as there is a very similar issue affecting a particular Protectli device: https://protectli.com/news/vp2440-coreboot-issue/

So that may not be limited to just Realtek NICs.  It could be an issue with coreboot handling of ASPM.

(EDIT: I saw that @chemlud's PCI link has ASPM disabled already, so am not sure if this still applies.  The Protectli work-around is to disable ASPM altogether at the OS level until a coreboot update is available.)