Recent posts

#91
25.7, 25.10 Series / Re: Version 25.7.9 did not cha...
Last post by kozistan - December 19, 2025, 07:01:19 PM
Before proceeding with `pkg install opnsense`, the system wants to install 105 new packages:

```
root@fw:~# pkg install opnsense
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
The following 105 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
beep: 1.0_2 [OPNsense]
boost-libs: 1.89.0_1 [OPNsense]
ca_root_nss: 3.117_2 [OPNsense]
choparp: 20150613_1 [OPNsense]
cpdup: 1.22_1 [OPNsense]
...
php83: 8.3.28 [OPNsense]
php83-ctype: 8.3.28 [OPNsense]
php83-curl: 8.3.28 [OPNsense]
...
opnsense: 25.7.10 [OPNsense]
opnsense-update: 25.7.10 [OPNsense]
...

Number of packages to be installed: 105
The process will require 728 MiB more space.
117 MiB to be downloaded.
```

Many of these packages (like php83, ca_root_nss, etc.) are already installed according to `pkg info`.

Current package count: 134
After this operation: 239 packages

Should I proceed with this, or is there a better way to register the opnsense package without reinstalling dependencies?

Would `pkg install -f opnsense` be more appropriate?
#92
General Discussion / Re: Seemingly straightforward ...
Last post by brigmaticlaw - December 19, 2025, 06:55:47 PM
Thank you, Seimus.

I created a rule to allow my two host aliases to reach NPM. I am able to resolve those domains while on the Main network. However, it looks like I now need to set up some ACLs within NPM to restrict access to only those services on that side as well. I will have a go at that and if I can figure that out and get it working, I'll mark this as solved.
#93
25.7, 25.10 Series / Re: No more IP address + hostn...
Last post by bamf - December 19, 2025, 06:49:29 PM
I just found it very convenient being able to add the hostnames to the table with a click. Now that click removes the IP addresses which are my primary reference when using the live log. I do not necessarily know in the first place to which subnet a hostname belongs. So I have to disable / enable that checkmark multiple times while looking at the logs. In my eyes this is a step backwards in terms of usability.

Maybe this can be optional?
#94
General Discussion / Web Interface Not Secure
Last post by t84a - December 19, 2025, 06:44:34 PM
At some point, when accessing the web interface, it now shows it as NOT SECURE.  The https is red and crossed out. I don't remember changing anything.  I did a search and it told me to find the certificate SYSTEM -> TRUST -> AUTHORITIES but there are no certificates. There is one under CERTIFICATES.  Any help would be appreciated.  Thanks
#95
Virtual private networks / Re: Unable to stablish first I...
Last post by malhal - December 19, 2025, 06:24:55 PM
I was following the guide for Roadwarrior EAP-MSCHAPv2 and trying with macOS. Spent hours trying to debug the same problem as the OP, ends with "deleting half open IKE_SA with client after timeout".

What resolved it for me was just deleting the macOS IKEv2 VPN configuration and re-adding it. My theory is something got broken in it when trial and error editing local ID and authentication method. Since this UI is just updating config files maybe certain edits can leave the config in a broken state.

edit: did a quick test with the macOS IKEv2 VPN set to user authentication and working. If changing it to authentication None with any shared secret entered, then attempting to change it back to User authentication with the same info as before, that config will never work again.

In case it helps anyone else, to get EAP-MSCHAPv2 working, in Remote Authentication I set the EAP Id to the client's username and in the Pre-Shared Key->Remote Identifier I leave blank. This seems the only way to get the username to actually be verified. E.g. if EAP Id is set to %any then during connection the username is just ignored and can be set to anything, even if it is set in the Pre-Shared Key->Remote Identifier, which seems strange to me.
#96
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by Maurice - December 19, 2025, 06:14:50 PM
No images are visible here in your post. If you host them yourself, check your server configuration and reachability. Or simply upload them directly here.

Quote from: martine on December 19, 2025, 04:57:24 PM
> I would rather not split the clients into two networks

But that would be exactly the right solution. Anything else works, if at all, only with a lot of tinkering and workarounds.

Regards,
Maurice
#97
Tutorials and FAQs / Re: [HOWTO] Configure IPv6 in ...
Last post by Maurice - December 19, 2025, 06:03:50 PM
The "track interface" feature for NPT uses the prefix which is on-link on the selected interface. When using NPT for Internet access, this will typically be the WAN interface. This has several disadvantages; most importantly, you can only use NPT for a single LAN subnet.

What would make more sense is using a subnet of the delegated prefix (like it's done for "track interface" type LAN interfaces), but that's currently not supported.
#98
High availability / Re: HAProxy not working / star...
Last post by rohitashs - December 19, 2025, 06:02:16 PM
Quote from: Patrick M. Hausen on December 18, 2025, 06:24:03 PM
> Notice the small triangles on every tab but the introduction? These open up the menus.

Ah ok! Duh! And for whatever reason the earlier error message has gone away. Did not make any changes but it all seems to be working now.
#99
General Discussion / Re: Unable to remove neighbor ...
Last post by franco - December 19, 2025, 05:21:09 PM
I tested on 25.7.10 and it adds and deletes the neighbor entry from the configuration.

It likely does not remove the neighbor from the ARP table until a reboot. Static ARP in ISC DHCP may change that if you apply there but that's for historic reasons.  There are upcoming changes related to these topics in 26.1.

So in case I haven't answered your question or bug can you be more precise?


Thanks,
Franco
#100
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - December 19, 2025, 05:11:33 PM
Great, thank you!  :)