Recent posts

#91
General Discussion / Re: *Internal Only* Caddy Conf...
Last post by meyergru - September 16, 2025, 11:36:09 PM
If you use wildcard certificates, you do not need internet access to your HTTP(S) services. AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.

I would always do it like that and also NOT use specific subdomain(s) besides the wildcard domain, which I explained here.
#92
25.7 Series / Re: Telemetry widget fails to ...
Last post by BrandyWine - September 16, 2025, 11:33:16 PM
Quote from: franco on September 16, 2025, 09:20:12 AM
Now a proper bug report would go a long way compared to bro-opting on an already fixed issue reported here walking back concluding "it" is "broken". I mean you just saw how the support process works and chose to undermine it.


Cheers,
Franco
Again, a widget, which has nothing to do with the functionality of the actual plugin, hence I am not making the effort to create a bug report for a non-working widget. I only put effort into functionality issues (i226-V nvm, text that is not readable in the GUI, etc.), and even then I probably won't open a bug report.

I stated the facts: the widget is (was) broken.
Where/when did it get fixed?

Cheerio.
#93
25.7 Series / how to allow for TCPTRACEROUTE...
Last post by Noci - September 16, 2025, 11:31:31 PM
When running traceroute, a trace is shown.
Because the current network configuration may send port X to a different destination than port Y, there is an issue using traceroute.
(besides the obvious blocking of UDP traceroute packets ...)
The problem with tcptraceroute is:

```
# tcptraceroute 1.1.1.1
Selected device wlp45s0, address 192.168.7.72, port 45737 for outgoing packets
Tracing the path to 1.1.1.1 on TCP port 80 (http), 30 hops max
 1  * * *    (OpnSense)
 2  * * *    (ISP)
 3  * * *
```

where I expected some IP addresses. Regular traceroute shows a nice trace until the end.
With IPv6 it is a little better..., at least the OpnSense box and one upstream hop are shown.
Nothing after that.

The way it works is the same as with UDP traceroute: a packet is sent with increasing TTL values.
Except there is never a SYN/ACK... just a SYN.
Obviously this results in some ICMP saying that the packet died..., OR it is accepted at the end of the chain with a SYN/ACK.

How should a rule to allow for this be set up?
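A toy model of the exchange described above, added here as an illustration and not taken from the post: it shows why filtering the inbound ICMP Time Exceeded replies makes every intermediate hop print as `* * *` while the destination's own SYN/ACK still shows up. The gateway and ISP addresses are constructed; 1.1.1.1 is the target from the post, and the model assumes the destination's TCP reply is not filtered.

```python
from typing import List, Tuple

# A TCP SYN goes out with TTL 1, 2, 3, ...; the router that decrements the TTL to 0
# answers with ICMP Time Exceeded (type 11), and only the destination answers the
# SYN itself, with SYN/ACK (port open) or RST (port closed).

def probe(path: List[str], ttl: int, port_open: bool) -> Tuple[str, str]:
    """One SYN probe along `path` (last entry is the destination).
    Returns (address that replied, kind of reply)."""
    if ttl < len(path):
        return path[ttl - 1], "icmp-time-exceeded"  # expired at hop number `ttl`
    return path[-1], "tcp-syn-ack" if port_open else "tcp-rst"

def trace(path: List[str], port_open: bool, icmp_time_exceeded_allowed_in: bool,
          max_hops: int = 30) -> List[Tuple[int, str, str]]:
    """Probe with increasing TTL until the destination answers. When the local
    firewall does not let the ICMP Time Exceeded replies back in, the hop is
    rendered as '*', which is what tcptraceroute prints as '* * *'."""
    rows = []
    for ttl in range(1, max_hops + 1):
        addr, kind = probe(path, ttl, port_open)
        if kind == "icmp-time-exceeded" and not icmp_time_exceeded_allowed_in:
            rows.append((ttl, "*", "reply filtered"))
            continue
        rows.append((ttl, addr, kind))
        if kind != "icmp-time-exceeded":  # the destination itself answered
            break
    return rows

def render(rows: List[Tuple[int, str, str]]) -> str:
    return "\n".join(f"{ttl:2d}  {addr:<14} {kind}" for ttl, addr, kind in rows)

# Constructed sample path: the OPNsense gateway, one ISP hop, then 1.1.1.1 from the post.
PATH = ["192.168.7.1", "203.0.113.1", "1.1.1.1"]

if __name__ == "__main__":
    # First run reproduces the post's output, second run shows the full path.
    print(render(trace(PATH, port_open=True, icmp_time_exceeded_allowed_in=False)))
    print(render(trace(PATH, port_open=True, icmp_time_exceeded_allowed_in=True)))
```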
#94
Tutorials and FAQs / Re: Script to automate interfa...
Last post by meyergru - September 16, 2025, 11:26:30 PM
To disable all types of offloading is a recommendation in the official docs, anyway. You can do this globally or for the individual NICs, or, for some drivers, as sysctl parameters. Neither do you have to do that manually in /boot/loader.conf, nor should you do that, because system tunables could overwrite such settings.

The recommendation to disable hardware checksumming is explicitly noted in the Proxmox guide, as well.

Yes, the situation will hopefully get better once offloading is implemented by default.

However, as is also explained in the Proxmox guide, for very high speeds > 1 GBit/s, a passthru will give you speed gains.
#95
Hardware and Performance / Re: Adding Speed Parameters to...
Last post by BrandyWine - September 16, 2025, 11:26:16 PM
The first thing to try is what meyergru mentions: hard-set both sides and see what you get.
After that, go see if there's some new firmware available from the Intel 34.0 bundle download.

I forget what driver is used for the X550, but maybe try "dmesg |grep x550" and let's see where it's at on the NVM version.
#96
General Discussion / Re: *Internal Only* Caddy Conf...
Last post by fakebizprez - September 16, 2025, 10:36:14 PM
Quote from: Monviech (Cedrik) on September 16, 2025, 09:35:00 AM
Only if you want automatic certificates.

Thank you for the response. Can you elaborate on this more? What are the alternatives?

I am trying to set up a wildcard certificate so all addresses on the LAN have a secure connection.

I'm hesitant about setting it up this way because I currently do not have any ports open (everything is configured via tunnels) and was hoping to keep it that way, if possible.
#97
Tutorials and FAQs / Re: Script to automate interfa...
Last post by deajan - September 16, 2025, 10:30:59 PM
Honestly, I've fiddled around with all possible solutions, tried on qemu v8 and v9, with various CPUs.
Finally, I came up with this solution to add to `/boot/loader.conf` to get good performance.

```
hw.vtnet.X.tso_disable="1"
hw.vtnet.tso_disable="1"
hw.vtnet.lro_disable="1"
hw.vtnet.X.lro_disable="1"
hw.vtnet.csum_disable="1"
hw.vtnet.X.csum_disable="1"
```

I took the solution from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059
Even with those settings, speed is good but far from what it should be (other people had the same issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059#c44).

Since I hadn't checked this bug report for a while, I just noticed that vtnet offload improvements landed in FreeBSD only a couple of days ago.
Perhaps things will be better now. I'll definitely need to do some testing.

In the meantime, I have made that basic script to "cold" modify / inject data into an offline OPNsense VM, which solves an issue that may be gone soon.
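A quick way to verify that the loader.conf tunables above (or the sysctl/tunables route) actually took effect is to read the `options=` line of `ifconfig` for each vtnet interface. This checker is an added example, not part of the post or of OPNsense; the `ifconfig` sample it parses is constructed, and the set of flags it looks for is an assumption based on the offloads discussed in this thread (TSO, LRO, checksum offload).

```python
import re
import subprocess
from typing import Dict, List

# The offload features the thread wants switched off on vtnet (assumed set).
OFFLOAD_FLAGS = {"TSO4", "TSO6", "LRO", "RXCSUM", "TXCSUM",
                 "RXCSUM_IPV6", "TXCSUM_IPV6", "VLAN_HWTSO"}

def enabled_offloads(ifconfig_output: str) -> Dict[str, List[str]]:
    """Map each interface in FreeBSD `ifconfig` output to the offload flags
    that are still enabled (an empty list means all of them are off)."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in ifconfig_output.splitlines():
        head = re.match(r"^([A-Za-z0-9_.]+):\s+flags=", line)
        if head:
            current = head.group(1)
            result[current] = []
            continue
        opts = re.search(r"options=[0-9a-fA-F]+<([^>]*)>", line)
        if opts and current:
            flags = opts.group(1).split(",")
            result[current] = sorted(f for f in flags if f in OFFLOAD_FLAGS)
    return result

def vtnet_still_offloading(ifconfig_output: str) -> Dict[str, List[str]]:
    """Only the vtnet interfaces that still have something left to disable."""
    return {ifn: flags for ifn, flags in enabled_offloads(ifconfig_output).items()
            if ifn.startswith("vtnet") and flags}

# Constructed sample: vtnet0 with offloads still on, vtnet1 already cleaned up.
SAMPLE = """\
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
\toptions=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
\tether 02:00:00:00:00:01
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
\toptions=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
\tether 02:00:00:00:00:02
"""

if __name__ == "__main__":
    # On a live box, parse the real ifconfig output instead of the sample.
    live = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    print(vtnet_still_offloading(live) or "all vtnet offloads are off")
```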
#98
Hardware and Performance / Re: Adding Speed Parameters to...
Last post by meyergru - September 16, 2025, 09:36:37 PM
Those adapters cannot reliably auto-negotiate the intermediate speeds, and they cannot do this on other OSes, either.

This has been the case since 23.1 - potentially because of the underlying FreeBSD version, see https://github.com/opnsense/core/issues/6526

Thus, you can only do as much as advertise the capability on OpnSense and force the 2.5 Gbps speed from the other side.

See also:

https://forum.opnsense.org/index.php?topic=33154.0

(and other topics in this forum)
#99
Zenarmor (Sensei) / Re: Elasticsearch service fail...
Last post by richaras - September 16, 2025, 09:23:34 PM
I restarted the firewall to generate the error again. The elasticsearch service failed to start... and as before, I click on SAVE for the elasticsearch service and it starts with no issues.

I grabbed text from both sides of the error to include the manual start of the service.

```
2025-09-10T11:06:25-08:00    Informational    configd.py    message 038dad05-ca24-4c00-8e6c-21593a4db120 ['os-elasticsearch7-maxit'] returned OK
2025-09-10T11:06:25-08:00    Notice    configd.py    [038dad05-ca24-4c00-8e6c-21593a4db120] Installing firmware package os-elasticsearch7-maxit
2025-09-10T11:05:33-08:00    Notice    configd.py    [a95f98ef-239d-42e1-81cd-5d5124d3021b] Querying os-elasticsearch7-maxit package details
2025-09-10T11:03:04-08:00    Informational    configd.py    message 0aeb38b6-b85b-4c91-8083-484f20ad0bba ['os-elasticsearch7-maxit'] returned OK
2025-09-10T11:03:04-08:00    Notice    configd.py    [0aeb38b6-b85b-4c91-8083-484f20ad0bba] Remove firmware package os-elasticsearch7-maxit
2025-09-10T11:01:56-08:00    Debug    configd.py      OPNsense/Elasticsearch generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:01:56-08:00    Notice    configd.py    generate template container OPNsense/Elasticsearch
2025-09-10T11:01:56-08:00    Notice    configd.py    [73328207-bb86-4856-82b9-16fdedd79a59] generate template OPNsense/Elasticsearch
2025-09-10T11:01:56-08:00    Notice    configd.py    [9ca3f9be-4413-4126-9608-a8169f7c7ee2] stopping Elasticsearch
2025-09-10T11:01:51-08:00    Notice    configd.py    [469ecf3e-46f0-4689-bf19-6b98031e0352] request Elasticsearch status
2025-09-10T11:01:16-08:00    Notice    configd.py    [d2a0f271-2ac5-461d-9491-04156c8839e0] request Elasticsearch status
2025-09-10T11:00:49-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:49-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:49-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:48-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:48-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:48-08:00    Error    configd.py    [e03fa892-b455-4ecf-8ae9-ba7d6de572f4] Script action failed with Command '/usr/local/zenarmor/scripts/installers/elasticsearch/create_indices.py '' ''' returned non-zero exit status 5. at Traceback (most recent call last):  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute    subprocess.run(script_command, env=self.config_environment, shell=True,  File "/usr/local/lib/python3.11/subprocess.py", line 571, in run    raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/zenarmor/scripts/installers/elasticsearch/create_indices.py '' ''' returned non-zero exit status 5.
2025-09-10T11:00:48-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:48-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:47-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:47-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:28-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:26-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:25-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:00-08:00    Notice    configd.py    [24c03cea-085a-4335-af13-c91130b61710] checked remote elasticsearch
2025-09-10T10:56:45-08:00    Notice    configd.py    [f874d17d-f0d4-4142-970f-2870dafac254] request Elasticsearch status
2025-09-10T10:55:00-08:00    Notice    configd.py    [82e79511-44fd-46d3-9df5-9832832c8b09] checked remote elasticsearch
2025-09-10T10:50:00-08:00    Notice    configd.py    [fb95610c-b5ab-4542-8e20-17007ea874c9] checked remote elasticsearch
2025-09-
```
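The interesting entry in a configd excerpt like the one above is the single `Error` line buried between dozens of `Debug` template lines. This small triage parser is an added example, not part of the post or of OPNsense's own tooling: it splits each line into timestamp, severity, process and message, pulls out every failed script action with its request id, command and exit status, and counts entries per severity. The sample it runs on is a trimmed copy of four lines from the post's log (the traceback text is shortened).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One configd log line: ISO timestamp, severity, process name, message.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# The text configd emits when a script action exits non-zero (as quoted in the post).
FAIL_RE = re.compile(r"Script action failed with Command '(.*?)' returned non-zero exit status (\d+)\.")
UUID_RE = re.compile(r"\[([0-9a-f-]{36})\]")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a configd line into its four fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, proc, msg = m.groups()
    return {"time": ts, "level": level, "process": proc, "message": msg}

def failed_actions(log_text: str) -> List[Dict[str, object]]:
    """Every failed script action, oldest first, with request id, command and exit status."""
    found = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["level"] != "Error":
            continue
        fail = FAIL_RE.search(entry["message"])
        if fail is None:
            continue
        uid = UUID_RE.search(entry["message"])
        found.append({"time": entry["time"], "uuid": uid.group(1) if uid else None,
                      "command": fail.group(1), "exit_status": int(fail.group(2))})
    # Same UTC offset on every line, so the ISO timestamps sort lexicographically.
    return sorted(found, key=lambda e: e["time"])

def level_counts(log_text: str) -> Dict[str, int]:
    """How many lines of each severity, to see what the noise hides."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return dict(Counter(e["level"] for e in entries if e is not None))

# Trimmed from the post's log (traceback shortened); newest line first, as shown there.
SAMPLE_LOG = """\
2025-09-10T11:01:56-08:00    Notice    configd.py    [9ca3f9be-4413-4126-9608-a8169f7c7ee2] stopping Elasticsearch
2025-09-10T11:00:49-08:00    Debug    configd.py      OPNsense/Zenarmor generated //etc/rc.conf.d/elasticsearch
2025-09-10T11:00:48-08:00    Error    configd.py    [e03fa892-b455-4ecf-8ae9-ba7d6de572f4] Script action failed with Command '/usr/local/zenarmor/scripts/installers/elasticsearch/create_indices.py '' ''' returned non-zero exit status 5. at Traceback (most recent call last): ...
2025-09-10T11:00:00-08:00    Notice    configd.py    [24c03cea-085a-4335-af13-c91130b61710] checked remote elasticsearch
"""

if __name__ == "__main__":
    print(level_counts(SAMPLE_LOG))
    for failure in failed_actions(SAMPLE_LOG):
        print(failure)
```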
#100
Hardware and Performance / Adding Speed Parameters to X55...
Last post by spetrillo - September 16, 2025, 09:18:30 PM
Hello all,

My firewall is running with a 2 port X550. I have these ports connected to a 2.5 gig switch. When I look at the switch these ports are running at 1 gig. In doing some research here I found that I need to augment the config of the X550 ports, to support 2.5 gig. Out of the gate the OS supports 100M, 1 gig, and 10 gig. I want to add support for 2.5 gig. I added sysctl dev.ix.0.advertise_speed=23 to /boot/loader.conf but it looks to get overwritten at OS boot time. The file's documentation tells me to add this to the tunables section in the GUI, so I did that and rebooted but my switch is still showing that the ports are running at 1 gig.

The tunables section has a type selection, which is boot-time, runtime, or environment. I have no ability to change this, so my additions are running as environment. This could be the problem. Has anyone had success in getting the X550 ports to support 2.5 gig?

Thanks,
Steve