Recent posts

#91
Hardware and Performance / power management under coreboo...
Last post by OPNenthu - December 08, 2025, 01:42:58 PM
For those with coreboot firmware, particularly Protectli units that have the optional UEFI, I'm curious if you have control over power management (e.g. ASPM and PowerD/SpeedStep) at the OS level?

The coreboot/Dasharo menu itself doesn't have options for those, so I'm not sure if that means the functions are locked at whatever the manufacturer set them to. I have disabled PowerD in OPNsense and also set the tunable 'hw.pci.enable_aspm=0', but this is what I see on reboot:

root@firewall:~ # sysctl hw.pci.enable_aspm
hw.pci.enable_aspm: 0

root@firewall:~ # pciconf -lcv igc2
igc2@pci0:4:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 0 corrected
    ecap 0003[140] = Serial 1 <redacted>
    ecap 0018[1c0] = LTR 1
    ecap 001f[1f0] = Precision Time Measurement 1
    ecap 001e[1e0] = L1 PM Substates 1

root@firewall:~ # sysctl dev.cpu.0
dev.cpu.0.temperature: 34.0C
dev.cpu.0.coretemp.throttle_log: 0
dev.cpu.0.coretemp.tjmax: 105.0C
dev.cpu.0.coretemp.resolution: 1
dev.cpu.0.coretemp.delta: 71
dev.cpu.0.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.0.cx_usage_counters: 347858 0 0
dev.cpu.0.cx_usage: 100.00% 0.00% 0.00% last 322us
dev.cpu.0.cx_lowest: C1
dev.cpu.0.cx_supported: C1/1/1 C2/2/127 C3/3/253
dev.cpu.0.freq_levels: 2001/10000 2000/10000 1800/8793 1600/7632 1400/6524 1200/5466 1000/4445 800/3472
dev.cpu.0.freq: 2001
dev.cpu.0.%iommu:
dev.cpu.0.%parent: acpi0
dev.cpu.0.%pnpinfo: _HID=ACPI0007 _UID=0 _CID=none
dev.cpu.0.%location: handle=\_SB_.CP00
dev.cpu.0.%driver: cpu
dev.cpu.0.%desc: ACPI CPU

If I'm interpreting correctly, the settings had no effect and power management is still fully active.  Is that correct/expected?
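As an added check (example code written here, not part of the post or of OPNsense): a small parser for the `pciconf -lcv` and `sysctl` output above that reports which PCIe devices still show an active ASPM link state while `hw.pci.enable_aspm` is 0. The sample text is constructed from the post's output; `igc3` is an invented second device added only to show the `ASPM disabled(...)` form.

```python
import re

# Constructed sample modelled on the pciconf -lcv / sysctl output in the post;
# igc3 is an invented second device added only to show the "ASPM disabled(...)" form.
SAMPLE_PCICONF = """\
igc2@pci0:4:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
igc3@pci0:5:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 link x1(x1) speed 5.0(5.0) ASPM disabled(L1)
"""
SAMPLE_SYSCTL = "hw.pci.enable_aspm: 0\ndev.cpu.0.cx_lowest: C1\n"

# pciconf prints "ASPM <current>(<supported>)", e.g. "L1(L1)" or "disabled(L1)"
_ASPM_RE = re.compile(r"ASPM (\S+)\((\S+)\)")
_PM_RE = re.compile(r"powerspec .* current (D\d)")


def parse_pciconf(text):
    """Map device name -> ASPM/power fields from `pciconf -lcv` output."""
    devices, current = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")) and "@pci" in line:
            current = line.split("@", 1)[0]          # e.g. "igc2"
            devices[current] = {"aspm_active": None, "aspm_supported": None, "power": None}
        elif current is not None:
            if m := _ASPM_RE.search(line):
                devices[current]["aspm_active"], devices[current]["aspm_supported"] = m.groups()
            elif m := _PM_RE.search(line):
                devices[current]["power"] = m.group(1)
    return devices


def parse_sysctl(text):
    """Map sysctl name -> value string from `sysctl <name>` output."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def aspm_mismatches(devices, sysctl):
    """Devices whose link still reports an ASPM state although hw.pci.enable_aspm is 0."""
    if sysctl.get("hw.pci.enable_aspm") != "0":
        return []
    return sorted(n for n, d in devices.items() if d["aspm_active"] not in (None, "disabled"))


if __name__ == "__main__":
    print(aspm_mismatches(parse_pciconf(SAMPLE_PCICONF), parse_sysctl(SAMPLE_SYSCTL)))
```

On a live box, feed it the real output (`pciconf -lcv` and `sysctl hw.pci.enable_aspm`) instead of the constructed samples.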
#92
25.7, 25.10 Series / Re: Resolved: Update 25.7 -> 2...
Last post by gdur - December 08, 2025, 01:41:39 PM
Same here. Unclear which log to check to see what went wrong. Other than that it seems to run fine...

I found this error:

user root failed authentication for sshd on OPNsense\Auth\Services\System via OPNsense\Auth\LDAP

Could this be the case?
#93
25.7, 25.10 Series / 25.7.9 update and WireGuard
Last post by s1l3nce - December 08, 2025, 01:28:10 PM
I have a WireGuard server running on my OPNsense firewall. After the last update (25.7.9) none of the WG clients could connect to the server. I checked the log and this is what it said:

/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `DNS_NAME:PORT' Configuration parsing error"

I censored the DNS names. I have 2 errors because I have 2 configurations/2 DNS.

Disabling and re-enabling WireGuard from the GUI fixed the problem.

To temporarily fix the issue I had to do the following:

1. Log into the firewall through ssh.

2. Create the script file:

nano /usr/local/etc/rc.syshook.d/start/99-wireguard-restart

3. Input this text in the file:

#!/bin/sh
# Wait for WAN + DNS (AdGuard/Unbound) to be ready
sleep 10
# Fully restart all WireGuard instances (same effect as GUI Enable/Apply)
/usr/local/bin/php /usr/local/opnsense/scripts/wireguard/wg-service-control.php -a restart
exit 0

4. Add execution rights to the file:

chmod +x /usr/local/etc/rc.syshook.d/start/99-wireguard-restart

I suppose this issue is caused by an improper order in the execution of certain services.
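An added example, not from the post or from OPNsense: given the contents of a wg*.conf, list the peer Endpoint hostnames that `wg syncconf` has to resolve (literal IPv4/IPv6 endpoints never trigger the "Name does not resolve" error shown above), and check which of them resolve right now. The config below is constructed; its hostnames and keys are placeholders.

```python
import ipaddress
import re
import socket

# Constructed sample in the wg(8) config format; keys and hostnames are placeholders.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = <redacted>
[Peer]
PublicKey = <redacted>
Endpoint = peer-a.example.invalid:51820
[Peer]
PublicKey = <redacted>
Endpoint = 203.0.113.10:51820
[Peer]
PublicKey = <redacted>
Endpoint = [2001:db8::1]:51820
"""

_ENDPOINT_RE = re.compile(r"^\s*Endpoint\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def split_endpoint(value):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
    else:
        host, _, port = value.rpartition(":")
    return host, int(port)


def dns_endpoints(conf_text):
    """Endpoint hostnames (not IP literals) that wg must resolve during syncconf, deduplicated."""
    names = []
    for m in _ENDPOINT_RE.finditer(conf_text):
        host, _port = split_endpoint(m.group(1))
        try:
            ipaddress.ip_address(host)      # literal address: nothing to resolve
        except ValueError:
            if host not in names:
                names.append(host)
    return names


def unresolvable(names):
    """Names getaddrinfo cannot resolve right now; a non-empty list means syncconf would fail."""
    bad = []
    for name in names:
        try:
            socket.getaddrinfo(name, None)
        except socket.gaierror:
            bad.append(name)
    return bad
```

A boot hook could loop on `unresolvable(dns_endpoints(open(path).read()))` until it returns an empty list (with a timeout) instead of a fixed `sleep 10`.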
#94
25.7, 25.10 Series / Re: Exclude domain from firewa...
Last post by meyergru - December 08, 2025, 01:10:31 PM
Firewall aliases are meant to be used with pf rules. pf acts on IPs and subnets. So what should a DNS "domain" mean in that context?

It is not even a specific hostname within a domain, which could at least be resolved to an IP (or a set of IPs).

You can use domains in DNSBL lists to block DNS resolution of specific names, but that is another concept that has nothing to do with firewall rules (and aliases).
#95
25.7, 25.10 Series / Re: 25.7.8 Wireguard road warr...
Last post by FredFresh - December 08, 2025, 12:59:36 PM
Have you tried to use traceroute instead of ping?
#96
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by vpx - December 08, 2025, 12:55:42 PM
Hi Q-Feeds,

I just wanted to mention that the banner in your notification mails doesn't look right in Outlook Classic; it's way too big. At home in my browser on outlook.com it looked fine.

Maybe you can fix this. If you don't have Outlook Classic for testing, I can look at it after you make some changes.
#97
25.7, 25.10 Series / [SOLVED] KEA hostnames in the...
Last post by FredFresh - December 08, 2025, 12:39:54 PM
Hi,

Is there a way to see the hostnames specified in the KEA DHCP reservations (internal subnets) inside the firewall live view log?

In the live view page, after activating "Lookup hostnames", I see the IP address twice (for internal IPs) and the domain for the external IPs.

Thanks
#98
General Discussion / Struggling with OPNsense in a ...
Last post by Untoasted9563 - December 08, 2025, 12:05:51 PM
Hi all,

Recently I switched to fiber and got a new router/modem from my ISP. That damn thing does not have a bridge mode and, on top of that, the subnet cannot be changed (192.168.1.0/24). Unfortunately, I have a contract period of two years, and it looks like I have to accept that.

Like many of those routers, it offers a DMZ feature, which as I understand is just port forwarding of everything to the DMZ host and placing the host in a /32 network for isolation (192.168.1.254/32 in my case). Generally, this worked, but I have some issues with that.

A bit of background info:
- I run HAproxy for different self-hosted services (originally based on the Hellsite tutorial: https://forum.opnsense.org/index.php?topic=23339.0)
- As per that tutorial, I created a virtual IP (IP Alias 127.4.4.3/32 on the Loopback interface), which is set as a listen address on the public server in HAproxy, alongside the SNI listener on 0.0.0.0:443.
- The services are in different DMZ VLANs.
- I have an MGMT network for Ubiquiti gear and some other admin web UIs. Before, this was 192.168.1.0/24, which I moved to 192.168.5.0/24 in order to prevent overlap with the ISP subnet.
- I have a WAN firewall rule that allows IPv4 TCP 443/80 to "WAN address", which allowed remote access to HAproxy when OPNsense had a public IP on the WAN interface (remember, now it has 192.168.1.254).
- A gateway for 192.168.1.1 was created (Upstream and Far checked) and specified in the WAN interface.

Now the strange thing happens, when I am trying to connect to one of my services from remote:
I see the attempt being routed to 192.168.5.254 and therefore being default-denied. What is this IP? I have never typed it anywhere. Of course it could be a typo, but the only place where I have typed 1.254 is the static IP at the WAN interface, and this is correct (otherwise the external connection attempt would not even be registered).

Since it is not "WAN address", it does not trigger the existing rule.
Trying to circumvent this, I added the 192.168.5.254 IP alongside "WAN address", but HAproxy is not catching those requests and lists nothing in the log.

Another issue (maybe related, that's why I briefly mention it here) is the lack of internet access in the MGMT network, and that network alone. All other networks and VLANs under OPNsense have internet access.
ping -S 192.168.10.1 8.8.8.8 is successful
ping -S 192.168.5.1 8.8.8.8 fails.
This is despite having a temporary allow-all rule (all protocols, any to any, all ports, in/out) as the top rule in the MGMT rules.


Can anybody make some sense of this? Did I forget anything due to the fact that OPNsense has a private IP on the WAN?

Thankful for all help and pointers
Cheers,
Untoasted
#99
Hardware and Performance / Re: DEC750 Questions
Last post by Monviech (Cedrik) - December 08, 2025, 11:52:20 AM
The plugins are not automatically installed. They will show in the Firmware page as missing after config import. Just don't install the ones you do not need.

I wouldn't update the BIOS nor install a microcode plugin, just keep it as it is. I'd only update or install these if there is a serious reason to do so, and currently I don't know of any (does not mean I assume I'm 100% right; "Jeder ist seines Glückes Schmied", everyone is the architect of their own fortune).
#100
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - December 08, 2025, 11:35:31 AM
So just to be extremely clear for me:

1. Should I install the AMD Microcode plugin on a DEC750, or not? What's the recommended ideology?
2. I'm assuming I'll update the BIOS day 1, to make sure it's fully up to date.
3. Is there any value in enabling HyperThreading? AMD CBS -> Zen Common Options -> Core/Thread Enablement -> SMTEN

I'm just looking at the BIOS update instructions, and 1 and 3 are mentioned, but no recommendation.

The final thing is that my current backup came from an install with the Intel Microcode plugin installed, which obviously I don't want with this device.
Is this easy to remove from the config before importing?

TIA