Recent posts

#91
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by Patrick M. Hausen - December 11, 2025, 09:38:46 AM
This is not how NTP works.

OPNsense runs an NTP server that synchronises itself with public servers on the Internet. Once a synchronised state is reached that server directly answers requests by all local clients.

The "pending" is normal for the pool entries. But there should be one server labeled as "Active Peer" and some more labeled as "Candidate". If that is the case all is well.
#92
Virtual private networks / Re: WireGuard Exporter Tool
Last post by Patrick M. Hausen - December 11, 2025, 09:35:59 AM
Quote from: JMini on December 11, 2025, 05:12:46 AM
You can't even build the conf file from the information in the peer details. No access to the Private Key

The private key should be created on the peer and never leave the peer. That's why it's called "private". The instance on OPNsense only needs the public key of every peer so that's what is saved in the configuration.

There are no clients and servers in WireGuard. It's all peers.
#93
25.7, 25.10 Series / WAN load balancing behavior
Last post by OPNenthu - December 11, 2025, 09:34:17 AM
I don't know exactly when it started, but I think in the last few updates (currently I'm on 25.7.9) I'm seeing that the load on two VPN gateways is not being equally distributed anymore.

I have two WireGuard devices (wg0, wg1) and respective interfaces (WAN_VPN0, WAN_VPN1). The interfaces are enabled but not configured. I have a corresponding IPv4 and IPv6 gateway for each interface.

I then created two LB groups: one has the IPv4 members on a common tier, and the other has the IPv6 members on a common tier. I have a VLAN interface with policy routing to send non-local traffic out the respective IPv4 or IPv6 gateway. Within the gateway settings, all of them have the default weight (1). Both gateways are monitored and healthy.

There is a client VM connected to this VLAN. I started a few streams and am seeing that there is a very strong preference for one WG interface. In the past I would see the traffic more evenly split and both interfaces would show activity.

My expectation is that the client will choose either IPv4 or IPv6, and within the respective gateway group it should balance fairly between the two upstream devices. Is that a fair assumption, or have I misunderstood? Also, I am curious what the selection criteria are for load balancing: does it distribute by 5-tuple?

Edit: although the screenshot shows "Round Robin with Sticky Address", I wasn't using that previously.  Just changed it for testing.
#94
You can do the same in a much simpler and more lightweight way with dnsmasq as an alternative:

https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
#95
Web Proxy Filtering and Caching / Re: Squid Proxy | Allow only s...
Last post by bpill - December 11, 2025, 08:34:12 AM
No one? :)
#96
25.7, 25.10 Series / Help Troubleshooting OPNsense ...
Last post by mb19 - December 11, 2025, 08:30:33 AM
Hi everyone,

I'm trying to configure my OPNsense server (version OPNsense 25.7.7_4-amd64) as an NTP server for my LAN devices. My network layout looks like this:

                Internet
                    │
                    │
        ┌─────────────────────────┐
        │   Router ISP            │
        │     192.168.10.1        │
        └─────────────────────────┘
                    │
                    │ (192.168.10.0/24)
                    │
        ┌─────────────────────────┐
        │       OPNsense          │
        │                         │
        │ WAN: igb0               │
        │   IP: 192.168.10.2/24   │
        │                         │
        │ LAN: igb1               │
        │   IP: 192.168.45.1/24   │
        │                         │
        │ OPT1: em0 ( empty )     │
        └─────────────────────────┘
                    │
                    │ (LAN 192.168.45.0/24)
                    │
        ┌─────────────────────────┐
        │      LAN                │
        │   (192.168.45.0/24)     │
        └─────────────────────────┘

When I run the following command on a LAN computer and on OPNsense:

--> tcpdump -ni igb0 udp port 123

I get:

PC - LAN:   192.168.45.18.35966 > 5.250.184.159.123: NTPv4, Client, length 48
OpnSense:   192.168.10.2.21172   > 5.250.184.159.123: NTPv4, Client, length 48

OpnSense:   5.250.184.159.123 > 192.168.10.2.21172:   NTPv4, Server, length 48
PC - LAN:   5.250.184.159.123 > 192.168.45.18.35966: NTPv4, Server, length 48

If I'm understanding this correctly:

1 - We can see NTP requests from the LAN reaching OPNsense
2 - OPNsense then forwards them to the router, which sends them out to the NTP pool server
3 - The NTP server replies
4 - The router forwards the reply back to OPNsense
5 - OPNsense performs the de-NAT and delivers the response to the LAN client
If this interpretation is correct, then I think I can rule out DNS issues or ISP-side blocking of NTP traffic.

However, in the OPNsense GUI the NTP service status is always shown as "pending", which makes me suspect that the issue is happening somewhere around this point in the network diagram:

                Internet
                    │
                    │
        ┌─────────────────────────┐
        │   Router ISP            │
        │     192.168.10.1        │
        └─────────────────────────┘
                    │
                    │ (192.168.10.0/24)
                    │<-----------------------------------HERE
        ┌─────────────────────────┐
        │       OPNsense          │
        │                         │
        │ WAN: igb0               │
        │   IP: 192.168.10.2/24   │
        │                         │
        │ LAN: igb1               │
        │   IP: 192.168.45.1/24   │
        │                         │
        │ OPT1: em0 ( empty )     │
        └─────────────────────────┘
                    │
                    │ (LAN 192.168.45.0/24)
                    │
        ┌─────────────────────────┐
        │      LAN                │
        │   (192.168.45.0/24)     │
        └─────────────────────────┘

I'm not sure whether I'm misunderstanding a concept (and therefore troubleshooting in the wrong direction), or if this is a technical issue I'm missing. The goal is simply to use OPNsense as an NTP server for the LAN.

Any help or guidance would be greatly appreciated.
Thanks!
#97
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
Last post by Monviech (Cedrik) - December 11, 2025, 06:26:58 AM
The second point is normal and happens everywhere because there is no forced non-interactive redirect to the login page in general once the session timeout has been reached.
#98
25.7, 25.10 Series / Re: Migrating IPsec Legacy to ...
Last post by Monviech (Cedrik) - December 11, 2025, 06:23:46 AM
You posted no logs that show the issue. Without logs it's impossible to help.
#99
25.7, 25.10 Series / Re: WebGUI isn't accessible. L...
Last post by Lymba_Sysm - December 11, 2025, 06:12:29 AM
Never mind I've fixed it!
#100
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by Monviech (Cedrik) - December 11, 2025, 05:59:39 AM
That's really weird, mine stays at around 10 MB of RAM used or below.

Here:
40886 nobody        1  20    0    17M  4920K select   2  36:51   0.00% dnsmasq

What kind of configuration do you run with it? If you share it, maybe we can see something.

/usr/local/etc/dnsmasq.conf

Also how many leases in total?