"Recent posts
#91
General Discussion / Best firewall solution for gam...
Last post by mnhim001 - December 11, 2025, 05:42:35 PMI have 3 kids at home that are gamers and streamers. I have setup OPNsense and enabled Unbound DNS using the AdGuard List. This caused all their gaming sites to no longer work. I added a bunch of sites to the Allowlist Domains.
My question is, is this the best solution? or is there another solution? I was thinking of installing AdGuard Home plugin, but not sure if its just going to give me the same results.
What I am looking for is an ongoing Allow list that I don't have to come back up update manually.
My question is, is this the best solution? or is there another solution? I was thinking of installing AdGuard Home plugin, but not sure if its just going to give me the same results.
What I am looking for is an ongoing Allow list that I don't have to come back up update manually.
#92
General Discussion / Re: ISC DHCP seesm to keep res...
Last post by Oli_wachno - December 11, 2025, 05:27:02 PMTo add some more information:
All clients are connected to the FW via a LAG (two physical ports)
All clients are connected to the FW via a LAG (two physical ports)
#93
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
Last post by dirtyfreebooter - December 11, 2025, 05:23:47 PMi would agree on 3, the new top level menu item is a bit much. annoyed that zenarmor does it, annoyed that qfeeds does it. just put your service/plugin in the services menu imo
#94
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by Monviech (Cedrik) - December 11, 2025, 04:57:49 PMSorry to be really specific but in the first virtual host you have
"LocatioN"
and in the second virtual host you dont have any location. Can you put the same location in there?
Could you fix that and retry just to be 100% sure?
------
A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
------
EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.
"LocatioN"
and in the second virtual host you dont have any location. Can you put the same location in there?
Could you fix that and retry just to be 100% sure?
------
A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
------
EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.
#95
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - December 11, 2025, 04:51:40 PMHello,
no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:
no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:
Code Select
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<LocatioN />
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
#96
General Discussion / Re: Some sites think I live in...
Last post by meyergru - December 11, 2025, 04:51:26 PMI did not see that one coming, nice one, Cedrik! There goes your next USA trip... ;-)
#97
General Discussion / Re: Some sites think I live in...
Last post by Monviech (Cedrik) - December 11, 2025, 04:46:39 PMThe most pragmatic fix would be moving to Canada, maybe its destiny :)
#98
General Discussion / Re: Some sites think I live in...
Last post by coffeecup25 - December 11, 2025, 04:40:04 PMThe Xfinity gateway was received, installed, and placed into bridge mode. All successful and Xfinity made it easy. My WAN IP is clearly not Canadian. OPNsense still runs everything thanks to bridge mode. No double nat.
The internet no longer thinks I live in Canada. Weirdly, when the internet thought I lived in Canada, some sites became difficult to use. Some had no problem with knowing i did not live in Canada.
The internet no longer thinks I live in Canada. Weirdly, when the internet thought I lived in Canada, some sites became difficult to use. Some had no problem with knowing i did not live in Canada.
#99
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by franco - December 11, 2025, 04:38:56 PMTo be a bit more clear: we'll try to see if 2.92 RC3 behaves normally memory leaks aside and provide a test package here if it looks ok some time next week.
Cheers,
Franco
Cheers,
Franco
#100
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by Patrick M. Hausen - December 11, 2025, 04:35:13 PMQuote from: Monviech (Cedrik) on December 11, 2025, 04:33:15 PMJust a tangent there are also dedicated timeserver appliances available from other vendors that do not need internet but use GPS and Radio.
Very satisfied with one of these.
