Recent posts

#91
German - Deutsch / Re: Hetzner Cloud Server Wire...
Last post by Peter68 - December 29, 2025, 07:22:57 PM
Thanks for your answers. It has been resolved.

#92
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by pfry - December 29, 2025, 06:34:16 PM
Quote from: Fredouil on December 27, 2025, 11:44:41 AM
[...]it should be a priority[...]

Heh. Whose confirmation bias is justified? (Does that matter?)

I'd implement it, as I come from a routing background. (Note that I started with firewalls at the same time.) I'm a lousy persuader; money talks, but I don't have enough for this one.
#93
German - Deutsch / Re: ISC DHCP - neu angelegte N...
Last post by mkreu - December 29, 2025, 06:30:56 PM
Hi observing0436,

thanks for the tip. It does indeed work that way. I just tried it on my test machine, since in my desperation I had already converted the production OPNsense to Dnsmasq...
Great that it works, but that can't really be the intended way, can it..?

Wishing you a happy New Year and best regards,
mkreu
#94
25.7, 25.10 Series / Re: LAN unreachble from OPNSen...
Last post by TheAutomationGuy - December 29, 2025, 06:23:58 PM
What is the IP address that your computer is assigned? Is it something like 169.254.x.x? That would indicate a connection problem between the computer and firewall where the computer failed to get a DHCP address because of this connection problem. I would suggest that you connect the computer directly to the LAN port of the firewall. If you are already doing this, change the network cable to a known working cable. If that still fails, then it is likely a hardware or driver problem with the LAN port on the firewall.

If you can access OPNsense's  command line interface, you should be able to confirm what your LAN subnet is set to.  It's possible that you originally had changed it to something other than the stock configuration and when you reset the box it set the LAN subnet back to the stock configuration (which is 192.168.1.0/24 with the firewall getting the 192.168.1.1 address).  You can always reassign the LAN interface to another physical port (if available), choose a different LAN subnet address if desired, and also make sure that DHCP is turned on for that LAN subnet.
#95
General Discussion / Re: TUI for viewing and analys...
Last post by patient0 - December 29, 2025, 06:14:21 PM
Quote from: allddd on December 29, 2025, 01:53:12 PM
Jumping to the beginning/end would require checking the view length on every render ... I looked at how less handles it to get an idea, and even there you can scroll infinitely...

Fair point, and you can plant an easter egg: if someone scrolls for 10000 characters the OPNsense mascot jumps up :)

Quote
Does your terminal support formatting/colors? I haven't updated the screenshot in the repo yet since the view may still change a bit, but I've added formatting that makes it easy to see the difference between IPs and ports:

Yep, the formatting works, 'block' is red and the IPs are in bold, that works well. Did you experiment with the ports being in color and/or the direction being bold or in color?
#96
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by ESClaus76 - December 29, 2025, 06:05:58 PM
Not wanting to take over this post. Here are my issues.

I was running OPNsense for about a year and had my hard drive crash and lost everything. My setup was simple as it could get. No VLANs or segmented networks. Just serving as a DHCP server and DNS server. I would create static IPs for various things on my network and a couple of firewall rules for reverse proxy.

I replaced my hard drive and was starting over and saw that ISC DHCPv4 wasn't the default DHCP anymore. Reading on the forums and reddit I found that ISC is deprecated and recommendations are to use DNSmasq or KEA DHCP. Along with that it is recommended to use Unbound.

This is where my issues start. I noticed that my PCs sometimes can't resolve DNS. It is random but I know it is something with my OPNsense because if I manually change DNS on my PC to a public DNS like 8.8.8.8 it works every time.

I have no idea where to even troubleshoot. I know I can go back to ISC DHCPv4 but with it eventually going away I should use the recommended.
#97
Zenarmor (Sensei) / Re: Provide firm date on multi...
Last post by FullyBorked - December 29, 2025, 06:04:08 PM
Just a quick glance at a home user, with 10G backbone, but currently nearly pinning a core with only ~600Mbps file transfer. This is an Intel i3-9100. Please @Zenarmor re-consider this decision. I've promoted this product since inception, this is a big thorn I'm struggling with.
#98
General Discussion / Re: Why I am retiring from con...
Last post by trasz@ - December 29, 2025, 05:14:14 PM
FWIW, core team is not responding to emails from FreeBSD committers anymore either. They know they screwed up badly by trying to kick me out at the request of a certain youtuber, then were forced to (partially) confess to developers@. I guess they have learned they can just ignore the developer community.
#99
25.7, 25.10 Series / Re: ice driver (ddp) / latest ...
Last post by pfry - December 29, 2025, 04:21:30 PM
They're not paired. The driver will work fine (and not complain) with a "later-than-recommended" NVM. I'd always go for the latest NVM, but the E810 has been around for long enough (2019?) that the major bugs should have been killed by now. I'd have to look at the release notes to be sure. At any rate, I'll update if convenient or necessary (I experienced the latter with some old X710s).

What issue were you having with the update? Your link is for Windows; I don't know what the package includes. (I use the EFI updater.)
#100
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - December 29, 2025, 04:00:15 PM
/usr/local/etc/apache24/extra/wsmail03.conf


# Tip from Bernd Krumböck regarding security problems with the MPM module and NTLM authentication
# Clients that use EWS (e.g. AquaMail) get e-mails from other sessions synchronized
# Adjust ServerLimit and MaxRequestWorkers to the number of existing clients if necessary
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.43:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # The following line logs every access; alternatively use the line below it, in which case the logs are discarded
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.43:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # The following line logs every access; alternatively use the line below it, in which case the logs are discarded
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: The following lines would force basic authentication; this is no longer necessary
        # Tip from Marco Maus, questions to marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        # copied from https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # End of copied section

        SSLProxyEngine On
        # Avoid problems with communication between the Apache proxy and the Exchange server
        # This turns off all SSL checks. That way, for example, a self-signed certificate can also be used internally
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        # The following line causes a request for just https://sub.name.suffix to be redirected to https://sub.name.suffix/owa.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = admin interface - if access is not wanted, simply comment it out!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Work around the problem with sending file attachments > 128 KByte via ActiveSync (new value 30 MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Specify the character set for umlauts
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: The following 2 lines are no longer necessary
                # Tip from Marco Maus, questions to marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Use a Let's Encrypt certificate for external access:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>