Recent posts

#91
25.7, 25.10 Series / Re: Local DNS overrides no lon...
Last post by empty.watch - December 10, 2025, 10:55:11 PM
I'm not using Unbound, it's disabled. The upstream DNS is required so that OPNsense can resolve its package mirrors. I tried leaving the DNS servers empty anyway, and there was no change to the local DNS behaviour.
#92
25.7, 25.10 Series / Re: Blocking traffic? what am ...
Last post by Jeffrey - December 10, 2025, 10:53:58 PM
clearing the states seems to have done it.

I did go back and create an alias and applied it to the NAT rule. Personally I would have thought "block rules" applied to an interface would have been processed before NAT; I guess there is a reason it isn't. I need to look at the documentation to see what the processing order is.

Thanks, I knew this shouldn't have been very difficult.

Jeff
#93
General Discussion / Re: TUI for viewing and analys...
Last post by patient0 - December 10, 2025, 10:40:00 PM
Quote from: allddd on December 09, 2025, 08:32:48 PM
I'm still not sure how well this will work though since the filter log directory can contain >30GB of files.

What behaviour would you expect from an application in such a situation? Many apps just freeze or crash :)

Personally I would try to evaluate if the app can handle it and if not show a pop-up. Either abort with that pop-up so that the user can select fewer files, or fall back to loading only what you can load and let the user know what was loaded and what not.

Although the fallback is probably not a good idea since the user had an idea what she wanted to look through and then wouldn't be sure what is included and what not. It is probably better to let the user know and abort so she knows that it will require two steps to look through all files.
#94
General Discussion / [SOLVED] Re: VLAN DHCP not wor...
Last post by ivpenna - December 10, 2025, 10:20:02 PM
It worked! Thank you very much.

But I had to take one step further: change the PVID settings on the 5 port switch (connected to the Access Point)

https://ibb.co/nN1vkRFD

This video also helped me: https://www.youtube.com/watch?v=4JNptgMWUi0&t=356s
Thank you!

#95
25.7, 25.10 Series / Re: Blocking traffic? what am ...
Last post by Patrick M. Hausen - December 10, 2025, 10:19:53 PM
Did you clear the firewall states after the change?
#96
25.7, 25.10 Series / Re: Blocking traffic? what am ...
Last post by Jeffrey - December 10, 2025, 10:17:22 PM
With the NAT disabled I do see much of the traffic being blocked but not all of it...


# tcpdump "tcp[tcpflags] & (tcp-ack) = 0" and port 443 and net 170.239.160.0/24 -n -c20
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s0f0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:08:41.852675 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:41.854005 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:41.854053 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:44.481879 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.481880 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.483950 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.852749 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:49.442890 IP 170.239.160.37.57579 > 172.18.19.2.https: Flags [S], seq 3965481071, win 29200, options [mss 1460,sackOK,TS val 1886380011 ecr 0,nop,wscale 5], length 0
16:08:49.443691 IP 170.239.160.37.57579 > 172.18.19.2.https: Flags [S], seq 3965481071, win 29200, options [mss 1460,sackOK,TS val 1886380011 ecr 0,nop,wscale 5], length 0

#97
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - December 10, 2025, 10:13:59 PM
Joy. Shipped email received, should get it tomorrow. Happy days
#98
25.7, 25.10 Series / Re: Blocking traffic? what am ...
Last post by Jeffrey - December 10, 2025, 10:01:16 PM
I disabled the NAT rule temporarily (image attached) and the traffic continues

#99
General Discussion / Re: VLAN DHCP not working
Last post by viragomann - December 10, 2025, 09:59:26 PM
Quote from: ivpenna on December 10, 2025, 09:27:55 PM
- Every device connected to ports 4 or 5 TL-SG105E would get an IP address from 192.168.101.0/24 subnet (tag 20)

So if the AP has no VLAN configuration, you have to add these ports as untagged to VLAN20.

The other settings should be fine.
#100
25.7, 25.10 Series / Re: Blocking traffic? what am ...
Last post by Patrick M. Hausen - December 10, 2025, 09:50:05 PM
NAT rules take precedence over firewall rules. So if you have a NAT > Port forwarding rule that forwards e.g. WAN address:443 to 172.18.19.2:443, and if you have the "Firewall rule association" for that NAT rule set to "pass", that will permit the traffic.

Either change that "pass" to an explicit rule and then e.g. put all those networks supposed to be blocked in a network or group alias and use "source invert" to only allow "! bad boys", or place the block rules into the floating category with an explicit "WAN" interface selection, because also: floating before interface.
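As an added illustration of the ordering described in this reply and the earlier ones in the thread (state table before rules, NAT before filtering, floating before interface, and why stale states have to be cleared), here is a small Python model of the decision path for an inbound packet. It is not OPNsense or pf code; the addresses, rule names, the "pass"/"rule" association labels and the placement of the associated pass rule among the interface rules are assumptions made for the example.

```python
# Added example, not OPNsense's or pf's code: a minimal model of the order in
# which the firewall decides the fate of an inbound packet. Addresses, rule
# names and the "pass"/"rule" association labels are constructed for
# illustration; placing the associated pass rule among the interface rules
# is an assumption.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    scope: str                  # "floating", "group" or "interface"
    src_nets: tuple = ()        # alias members; empty means "any"
    src_invert: bool = False    # "! alias": match when src is NOT in the alias
    dport: Optional[int] = None
    quick: bool = True          # first matching quick rule wins

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if not self.src_nets:
            return True
        in_alias = any(ip_address(pkt.src) in ip_network(n) for n in self.src_nets)
        return (not in_alias) if self.src_invert else in_alias


@dataclass
class PortForward:
    dport: int
    target: str
    association: str            # "pass" (rdr pass, skips the filter) or "rule"


@dataclass
class Firewall:
    forwards: list
    rules: list
    states: set = field(default_factory=set)

    def decide(self, pkt: Packet):
        """Return (verdict, reason) following pf's evaluation order."""
        key = (pkt.src, pkt.dst, pkt.dport)
        # 1. State table first: an established state bypasses the ruleset,
        #    which is why a rule change only bites once states are cleared.
        if key in self.states:
            return ("pass", "existing state")
        # 2. NAT (rdr) is applied before filtering. A "pass" association
        #    passes the translated traffic without consulting filter rules.
        for fwd in self.forwards:
            if fwd.dport == pkt.dport:
                if fwd.association == "pass":
                    self.states.add(key)
                    return ("pass", f"rdr pass to {fwd.target}")
                break
        # 3. Filter rules: floating, then group, then interface.
        order = {"floating": 0, "group": 1, "interface": 2}
        verdict = None
        for rule in sorted(self.rules, key=lambda r: order[r.scope]):
            if rule.matches(pkt):
                verdict = (rule.action, rule.name)
                if rule.quick:
                    break
        if verdict is None:
            return ("block", "default deny")
        if verdict[0] == "pass":
            self.states.add(key)
        return verdict


BAD = ("170.239.160.0/24",)                          # the "bad boys" alias
BAD_PKT = Packet("170.239.160.4", "172.18.19.2", 443)
GOOD_PKT = Packet("198.51.100.7", "172.18.19.2", 443)  # constructed client


def scenario_pass_association():
    """Interface block rule never runs: the rdr 'pass' association wins."""
    fw = Firewall([PortForward(443, "172.18.19.2", "pass")],
                  [Rule("block bad boys", "block", "interface", BAD, dport=443)])
    return fw.decide(BAD_PKT)[0]


def scenario_source_invert():
    """Explicit pass rule for '! bad boys' only: bad blocked, others pass."""
    fw = Firewall([PortForward(443, "172.18.19.2", "rule")],
                  [Rule("allow ! bad boys", "pass", "interface", BAD,
                        src_invert=True, dport=443)])
    return fw.decide(BAD_PKT)[0], fw.decide(GOOD_PKT)[0]


def scenario_floating_block():
    """Floating quick block is evaluated before the interface pass rule."""
    fw = Firewall([PortForward(443, "172.18.19.2", "rule")],
                  [Rule("allow 443", "pass", "interface", dport=443),
                   Rule("block bad boys", "block", "floating", BAD, dport=443)])
    return fw.decide(BAD_PKT)[0]


def scenario_stale_state():
    """A state created under the old rules survives until states are reset."""
    fw = Firewall([PortForward(443, "172.18.19.2", "pass")], [])
    fw.decide(BAD_PKT)                       # creates the state
    fw.forwards[0].association = "rule"      # fix the rules afterwards
    fw.rules.append(Rule("block bad boys", "block", "floating", BAD, dport=443))
    before = fw.decide(BAD_PKT)[1]           # still passes: existing state
    fw.states.clear()                        # Firewall > Diagnostics > States
    after = fw.decide(BAD_PKT)[0]            # now blocked
    return before, after
```

Each `scenario_*` function returns the verdict for the constructed 170.239.160.4 client so the four cases can be compared side by side: the "pass" association short-circuits the filter, the source-inverted explicit rule and the floating block both deny it, and an already established state is honoured until it is reset.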