Recent posts

#91
German - Deutsch / Re: HAProxy Real SRC IP auf ei...
Last post by MiRei - January 16, 2026, 01:18:14 PM
Hello,

unfortunately I have the same problem with OPNsense 25.7.10 or 11.
I have tried every backend configuration variant I could find
in the forum or on the internet, always with the same result:
only the proxy address is shown, so fail2ban or crowdsec
cannot tell the clients apart.

On a system running version 25.1.x it works flawlessly.
There I can see the client address with tcpdump.
(I still have that system available in parallel.)

I'm out of ideas.
#92
Documentation and Translation / How do I find a corresponding ...
Last post by wrobelda - January 16, 2026, 01:15:48 PM
I searched high and low and I absolutely don't understand why this crucial piece of information is not published by FreeBSD in their docs or manual. It's crucial because NVM firmware needs to match the driver to avoid issues.

Intel themselves *do* provide that information for their downstream ixl implementation: https://cdrdv2-public.intel.com/336882/336882_Intel%C2%AE%20Ethernet%20Connection%20X722%20Feature%20Support%20Matrix_rev3_6.pdf

However, the upstream ixl driver version does not match Intel's. In fact, the upstream version appears to be stuck at 2.3.3-k for several releases now, despite active development backporting code from the downstream driver.

I saw several similar questions asked over the years, e.g. https://forum.opnsense.org/index.php?topic=9354.msg42475#msg42475

They all point to release notes, but the FreeBSD release notes have said nothing about ixl for a while. What's even more interesting is that Intel EOLed their downstream FreeBSD driver as of 30.4, and ixl development is now to take place exclusively upstream.
#93
25.7, 25.10 Series / DEC2752 - Stop/Crash at 00:01 ...
Last post by stuckoff - January 16, 2026, 01:13:53 PM
Hi everyone,

I'm experiencing a recurring system instability issue with one of my appliances that started around December 21st, 2025. After 6 months of perfect stability, the system now becomes unresponsive almost every night at exactly 00:01.

Symptoms:
    Connectivity: Internet access stops for the network.
    Management: No access to WebGUI or SSH.
    Persistence: The management IP still responds to Pings.
    HA/CARP: Interestingly, services do not fail over to the secondary node because the primary node keeps its CARP VIPs (the kernel is still "alive" enough to prevent failover, but the userland is dead).

Logs: The system logs point clearly to an Out of Memory (OOM) event and swap exhaustion:

2026-01-06T00:11:26 Notice lockout_handler lockout 138.197.98.69 [using table sshlockout] after 6 attempts
2026-01-06T00:06:30 Notice kernel swp_pager_getswapspace(15): failed
2026-01-06T00:06:26 Notice kernel <3>pid 67504 (i2RsVQl2), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:06:21 Notice kernel swp_pager_getswapspace(14): failed
2026-01-06T00:06:21 Notice kernel swap_pager: out of swap space
2026-01-06T00:05:41 Notice kernel <3>pid 70232 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:05:26 Notice kernel <3>pid 66425 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:05:06 Notice kernel <3>pid 64687 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:04:47 Notice kernel <3>pid 62108 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:04:22 Notice kernel <3>pid 61411 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:04:07 Notice kernel <3>pid 60957 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:03:53 Notice kernel <3>pid 59937 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:03:33 Notice kernel <3>pid 59157 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:03:14 Notice kernel <3>pid 59042 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:02:54 Notice kernel <3>pid 57475 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:02:37 Notice kernel <3>pid 57642 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:02:24 Notice kernel <3>pid 54836 (8bcK6gTx), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:02:21 Notice kernel <3>pid 54500 (i2RsVQl2), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:02:20 Notice kernel <3>pid 50993 (i2RsVQl2), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:02:18 Notice kernel <3>pid 51388 (8bcK6gTx), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:02:13 Notice kernel swp_pager_getswapspace(24): failed
2026-01-06T00:02:13 Notice kernel swap_pager: out of swap space
2026-01-06T00:02:01 Notice kernel swap_pager: out of swap space
2026-01-06T00:02:00 Notice kernel <3>pid 40094 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:01:47 Notice kernel <3>pid 40583 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:01:10 Notice kernel <3>pid 49376 (PfNxCZtE), jid 0, uid 0, was killed: a thread waited too long to allocate a page

Scheduled Tasks: The crash timing (00:01) coincides with a cron job that I have set to run hourly:

1      *     *       *       *       (/usr/local/sbin/configctl -d syslog archive) > /dev/null
My Questions:

    Identification: How can I identify which process is actually causing the leak? The PIDs mentioned in the logs (i2RsVQl2, 8bcK6gTx, PfNxCZtE) have randomized/obfuscated names—is this normal for certain plugins, or a sign of something else?
    Timing: If the cron job runs every hour, why does the crash only occur at the midnight (00:01) run and not at 23:01 or 01:01?
    Root Cause: Since this was stable for 6 months, could this be related to log rotation/archiving of a specifically large "daily" log file that builds up?

Any advice on how to debug this via console or remote logging before the crash occurs would be greatly appreciated.
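A small triage script for kernel messages of the form quoted above, added here as an example (not from the original post or from OPNsense): it parses the OOM-kill and swap-exhaustion lines, tallies kills per process name and reason, and measures how soon after the hourly cron minute the first kill landed. The sample log is a constructed subset of the lines in the post; the 00:01 cron minute is the assumption from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the kernel lines quoted in the post, same format.
SAMPLE_LOG = """\
2026-01-06T00:06:30 Notice kernel swp_pager_getswapspace(15): failed
2026-01-06T00:06:26 Notice kernel <3>pid 67504 (i2RsVQl2), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-06T00:02:21 Notice kernel swap_pager: out of swap space
2026-01-06T00:02:00 Notice kernel <3>pid 40094 (i2RsVQl2), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:01:47 Notice kernel <3>pid 40583 (8bcK6gTx), jid 0, uid 0, was killed: a thread waited too long to allocate a page
2026-01-06T00:01:10 Notice kernel <3>pid 49376 (PfNxCZtE), jid 0, uid 0, was killed: a thread waited too long to allocate a page
"""

KILL_RE = re.compile(
    r"^(?P<ts>\S+) Notice kernel <\d>pid (?P<pid>\d+) \((?P<name>[^)]+)\), "
    r"jid \d+, uid \d+, was killed: (?P<reason>.+)$"
)
SWAP_RE = re.compile(
    r"^(?P<ts>\S+) Notice kernel (swap_pager: out of swap space|swp_pager_getswapspace\(\d+\): failed)$"
)

def triage_oom(log_text, cron_minute=1):
    """Tally OOM kills per process name and reason, count swap-exhaustion
    messages, and measure how soon after the hourly cron minute the first kill hit."""
    kills_by_name, reasons, kill_times, swap_events = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        m = KILL_RE.match(line)
        if m:
            kills_by_name[m["name"]] += 1
            reasons[m["reason"]] += 1
            kill_times.append(datetime.fromisoformat(m["ts"]))
        elif SWAP_RE.match(line):
            swap_events += 1
    first = min(kill_times) if kill_times else None
    # Offset from the cron job's minute (assumed 00:01) in that same hour to the first kill.
    delay = None
    if first:
        delay = int((first - first.replace(minute=cron_minute, second=0)).total_seconds())
    return {
        "kills": dict(kills_by_name),
        "reasons": dict(reasons),
        "swap_events": swap_events,
        "first_kill": first.isoformat() if first else None,
        "seconds_after_cron": delay,
    }

if __name__ == "__main__":
    for key, value in triage_oom(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full exported log (for example the output of `configctl` archives or /var/log/system) to see which names dominate and whether the first kill consistently follows the 00:01 run.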
#94
General Discussion / Re: Wireless Access Points
Last post by marjohn56 - January 16, 2026, 01:11:01 PM
Having used both Omada for 4 years until I moved house and Unifi devices for nearly two years since I moved, I will give an honest opinion.

TP Omada are cheaper and they work fine, however I have found that the Unifi devices are more stable and allow a greater degree of 'tweaking'.

I'm currently using 4 Unifi U6 Mesh devices, 3 of these are wired and one is mesh, and one Unifi AC mesh with a directional antenna in the garden; the garden one meshes with a U6 Mesh located under the eaves of the house. You can try and set them all up with a phone app, but it's not fun. If you are going to use VLANs then create your own self-hosted server, it's pretty easy. It doesn't need to run all the time, there's also a plugin for OPNsense which Micheal maintains, though mine is running on a VM on my server.
The mesh works really well providing you make sure there's a good signal between the master and slave device. Preferably only slave one device to each wired master.

One final note, if you go down the U6 mesh route, don't use one outside, they are not weatherproof, as experience has taught me, or at least use a silicone cover, which are available.

#95
General Discussion / Re: Why I am retiring from con...
Last post by franco - January 16, 2026, 12:50:12 PM
Well, the situation is simple: either the CoC stands and the core team enforces it on everyone including committers, or they let CoC violations slide for arbitrary reasons especially for committers, which means the CoC is already dead.

Looking at mailing list entries such as

https://lists.freebsd.org/archives/freebsd-ports/2023-October/004629.html
https://lists.freebsd.org/archives/freebsd-hackers/2025-December/005412.html

My greatest crime is acting like a committer and being punished for it while the core team watches its committers violate the CoC.  :)

It's not hard to reply to an email and people act like nobody is entitled to responses.  Which is funny, because bug reports also need responses and you don't get them either.

My biggest gripe with all of this is "haha you're so stupid for not having commit rights" which would have been the easiest way to avoid all the trouble and just let the work speak for itself.  Instead asking for committers to commit something which takes 5 seconds is "entitlement" and a human response is something nobody can afford to volunteer.

I'm not buying it, because we've run a project on different core values for 10 years and it works.

And if I'm asking the release engineer to do a cherry-pick and I get lamentation about how everyone is fallible, ignoring my requests for help, and that I should do more for the projects, I have my doubts about the culture that is being curated there:

https://bsky.app/profile/fitch.bsky.social/post/3ly4n6jsocs2b

Standards are important. Morale is required. Communication is key.


Cheers,
Franco
#96
German - Deutsch / Re: VPN Verbindung zwischen zw...
Last post by userbenutzer - January 16, 2026, 12:28:29 PM
Great that you were able to get it working so quickly!

I'm not that deep into DNS.

But if I understand your problem correctly now, the devices in the LAN of OPN2 presumably use OPN2 itself directly as their DNS server.
And that one then needs to be made aware of the PC names of the other side.
If you can maintain it manually, you can simply enter it in DNS. With Unbound, create the host under Unbound DNS - Overrides.
I don't use Dnsmasq (yet), but there is the Hosts menu item there.

#97
25.7, 25.10 Series / Re: DEC2752 - How to check har...
Last post by stuckoff - January 16, 2026, 12:01:26 PM
I managed to run memtest86 using uefi boot following these instructions:

https://www.yosoygames.com.ar/wp/2020/03/installing-memtest86-on-uefi-grub2-ubuntu/

It might be helpful to someone.
#98
General Discussion / Re: Is there a way to emulate ...
Last post by Monviech (Cedrik) - January 16, 2026, 11:55:16 AM
A way on layer 3 to attach some sort of identity to a device is using the Captive Portal, but every client needs their own unique voucher. The portal can then track clients via IP address and it's all firewall-rule based. But it will never be VLAN based.
#99
General Discussion / Re: Is there a way to emulate ...
Last post by meyergru - January 16, 2026, 11:49:18 AM
What you are looking for is outside the scope of OPNsense, because it has to happen on the network access layer. The only thing OPNsense can provide is the VLANs themselves and a FreeRADIUS inventory for your devices.

The standard is IEEE 802.1X, but you need to have a switch or AP that conforms to it. Also, you need either certificates on all of your clients in order to be able to identify them, or you rely on their MACs to sort them into different VLANs. As you already know, MACs can be spoofed.
#100
General Discussion / Re: Why I am retiring from con...
Last post by trasz@ - January 16, 2026, 11:36:29 AM
I'm not sure it's a problem with the CoC, or if it's being used by core@ as an excuse for their arbitrary decisions.  In my case last summer, core first determined that I hadn't violated the CoC (according to Gleb's writeup), and then proceeded to straight out lie to me about it.