Recent posts

#91
Web Proxy Filtering and Caching / Re: HAProxy to home server not...
Last post by satcomjimmy - November 22, 2025, 09:43:03 PM
Found the fix on the HAProxy: the iPhones stopped sending a hostname in the packet header, so it didn't match any of my rules. I had to add a default backend server, and now iPhones work again.
#92
General Discussion / Missing Interfaces
Last post by Unregistered Member - November 22, 2025, 07:38:43 PM
Hello,

I'm new to OPNsense and have been really enjoying working with this firewall. However, I'm encountering a strange issue with my setup and am not sure whether it's a bug or something I've configured incorrectly.

I'm running OPNsense v25.7.7_4 and have a dozen VLANs configured with IPv4 static IPs (except for the IPs themselves, the VLANs are all set up the same way, with the LAN port as the parent). DHCP is being handled by Dnsmasq DNS & DHCP.

Here's where the issue comes in: when I go to the Leases section under Dnsmasq DNS & DHCP, the drop-down menu for interfaces is missing a few VLANs. However, I can confirm that the VLANs are configured correctly, as clients are able to connect and receive the correct IPs.

Strangely, two of the missing VLANs are showing up under the WAN interface in the lease list, with the correct IP addresses. These clients are functioning normally, with internet access and proper firewall rule enforcement. But there are still three other VLANs that are missing from the lease drop-down altogether.

My question is: Does the lease drop-down only show interfaces that have been assigned IPs? Could it be that if an interface doesn't register an IP, it doesn't show up in the list? And if that's the case, how do you explain the two VLANs that are showing up under WAN?

Additionally, I've noticed some errors in the console from time to time (the first set of numbers 015.xxxxxxx is different but the message about ixl0 full is consistent). Not sure if this is related or a separate issue related to netmap. On the WAN port (ixl0), I'm only running Suricata in IPS mode, and the error message I'm seeing is as follows:
015.030954 [4335] netmap_transmit ixl0 full hwcur 205 hwtail 645 qlen 583

I've been troubleshooting this issue with ChatGPT, and after working through a few tests, it was suggested that this might be a cosmetic bug in OPNsense, with no significant impact.

Has anyone encountered something similar? Any advice or thoughts on this issue would be greatly appreciated!
#93
Hardware and Performance / Re: Dec740 connected to a USW-...
Last post by meyergru - November 22, 2025, 07:36:32 PM
I have never encountered any compatibility problems with 10G DAC cables.
#94
German - Deutsch / Re: Kann curl nicht auf die im...
Last post by meyergru - November 22, 2025, 07:34:30 PM
Ah, I see. You aren't using the OPNsense CA at all. Normally curl should accept all certificates that are entered under System: Trust: Authorities. It does for me; I also use my own, external CA.

#95
German - Deutsch / Re: Kann curl nicht auf die im...
Last post by u.n.known - November 22, 2025, 07:15:14 PM
Okay... I have a Vault here, that is, a server running HashiCorp's Vault. This includes the ACME endpoint that I want to reach from OPNsense with the ACME plugin. This Vault has a certificate from a complete CA that is available in OPNsense, i.e. stored in Trust.
When I configure the ACME plugin to fetch from this Vault server (NOT from the OPNsense), it falls flat on its face because curl can't validate the certificate. A valid certificate is installed on the Vault server (name, validity, etc.). The corresponding CA is in OPNsense under Trust. So is there a way in OPNsense to additionally add a certificate to curl so that it has no problem with the endpoint?
#96
German - Deutsch / Re: Routing-Performance
Last post by meyergru - November 22, 2025, 06:33:24 PM
I think it's Zenarmor, even without blocking. The hardware should easily manage 1 GBit/s; see my signature.
#97
Hardware and Performance / Re: Dec740 connected to a USW-...
Last post by pfry - November 22, 2025, 06:33:06 PM
Quote from: DEC670airp414user on November 22, 2025, 04:28:01 PM
what in addition to [...]

For connecting the firewall to the switch, nothing at all. I wasn't critiquing your choice of cable - I was just attempting to avoid endorsing a particular length, as the only critical element is "long enough", and that's your choice.

Heh. Someone here must have an identical setup to your planned one. Just for the paranoia endorsement.

My own is random PC with Intel x710, with random TAA DACs to two servers, also with x710s. My (Netgear) switch uplink is fiber, as it's in another room - a bit far for a DAC. I had to get an Intel ID'd optic (I got genuine Intel, surplus) for the uplink; the DACs don't require any branding with the Intel cards. Not a concern with your setup as described.
#98
German - Deutsch / Re: Problem mit sftp Backup üb...
Last post by viragomann - November 22, 2025, 06:24:21 PM
I'm missing the gateways there. A route on an interface isn't enough for routing; it needs a concrete destination IP within the interface subnet.
Are you sure you've set the gateways and routes correctly?

Regarding WireGuard, also keep in mind that the server IP must be included in the allowed IPs on OPNsense2 if it is not NATed.
#99
25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...
Last post by pfry - November 22, 2025, 06:11:02 PM
Quote from: mtlynch on November 22, 2025, 04:57:30 PM
What is the correct way for OPNsense customers to give feedback? [...]

Personally, I think the forum is the place to start. Naturally, in an ideal world everyone would research their issue and incorporate prior discussion and work, but this isn't always realistic, for a number of reasons. For myself, I like to throw stuff out and get feedback, and then perhaps open an issue on github if I think it actually has merit. I try to see the legacy and direction of the project, but I don't always succeed, of course.

As far as your suggestions, they don't strike me as significant. That is, filling in some default values would make no difference to me, just as lots of clicking and typing to set up a VLAN doesn't bother me. Oh, and I care little for/about wizards, and I'm not likely to use the API. My $.02, and worth every penny.

Quote from: franco on November 22, 2025, 09:05:07 AM
[...] I don't enjoy starting at the "but what if we just did it this way". [...]

Understandable. All I can say is "Y'all keep up the good work", because occasionally I'm going to have this great idea that I can't believe y'all haven't considered...
#100
25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...
Last post by Monviech (Cedrik) - November 22, 2025, 05:44:02 PM
You don't have to input anything into the VLAN field; the name gets auto-generated if you leave it empty.