OPNsense

Hi! I'm currently trying to set up my network as seen in the image. USER VLAN has the tag 11, IOT VLAN has the tag 13 and GUEST VLAN has the tag 14. These are tagged by an Omada AP and Omada Switch on individual ports.

So far I have:

• Assigned igc1 (LAN) and igc2 (Wifi) and enabled them (no IP configured).

• Created a Bridge between igc1 and igc2 so they are in the same subnet, which I think of as some sort of management subnet.

• Configured a static IP (192.168.10.1/24) on this Bridge and enabled DHCP. All devices are reachable here and it is also possible to reach the internet from the Omada devices.

• Created VLANs vlan01.11, vlan01.13, vlan01.14 with their parent being igc1 (Omada Switch).

• Created VLANs vlan02.11, vlan02.13, vlan02.14 with their parent being igc2 (Omada AP)

• Assigned all of them and enabled them (no IP configured)

• Created a Bridge between each pair (vlan01.11 + vlan02.11 etc.)

Now my problem is that seemingly no matter what I do some devices on the VLANs cannot reach the internet because they cannot reach their Gateway.

I tried:

• Configuring a static IP to the VLAN Bridge (192.168.11.1 for USER VLAN) and enabling DHCP on it with the correct subnet. Doing so not a single device was able to reach the Gateway, but they were able to talk to each other. DHCP worked this way for both endpoints.
• Instead of configuring a static IP to the VLAN Bridge I configured it right on the vlan02.11 interface and enabled DHCP there. Doing so only the devices on the wifi are able to reach the Gateway but the devices connected via the Switch cannot. In addition DHCP does also not work for devices on the Switch.

Does anyone here maybe have a hint on what I am doing wrong?

Edit: I also tried:

• Combinations of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge but that didnt work either.
• Removing the bridge and using only the vlans but with the same subnet

cross-posted from: https://infosec.pub/post/27200076

My first blog series on headscale with traefik through podman quadlets was pretty well received on here. I'm just getting started with this blog, and thought the second topic I recently worked on might be popular in this crowd too: a lower resource method of centralizing logs for OPNSense with Grafana Loki (and Alloy) including geoIP!

Hello I have some strange behavior with my suricata on opnsense and was wondering if anyone is experiencing the same:

I wanted to keep a IPS signature active, dropping the packages, but not get an alert every time, since the source is beyond the scope of my control (neighbour) and the alerts spamming my log.

Since this isn't implemented in the GUI yet, I manually added

include: threshold.config

To /usr/local/etc/suricata/custom.yaml

And added

suppress gen-id 1, sig-id 1234567

To /usr/local/etc/suricata/threshold.config

However after this suricata wouldn't start anymore, giving the error it couldn't load threshold.config, cause it needs to have YAML 1.1 and

as first lines.

Not only does this differ from the documentation, it also differs form the example file.

With this added anyway suricata will start, but have errors in the logs, it couldn't parse YAML 1.1 couldn't parse

And couldn't parse suppress gen-id 1, sig-id 1234567

So its still not working....

Anyone got an idea what's wrong here, or how I could drop packets silently?

EDIT: when changing the suppression to

suppress gen_id 1, sig_id 1234567

I get the warning

suppress gen_id 1, sig_id 1234567 is deprecated. Please use suppress gen-id 1, sig-id 1234567 on line 3

When starting suricata

BUT NO parsing error about the suppress line (only about the YAML and

lines), indicating it works now?

Seems not intended, or do I do something wrong?

I am thinking of building a router for OPNsense. I am familiar with building computers but I am not familiar with networking. What kind of hardware would I need to hit 1, 2.5 (my most likely target), 5 or 10 gigabit speeds on my local network?

I was thinking of buying a small form factor PC and sticking an Intel I226 Network Card or something similiar in it.

So, what kind of processor would I need?

cross-posted from: https://lemmy.dbzer0.com/post/33789945

Is it possible to set up an i2p gateway in opnsense so that everyone on the network can access i2p?

Hello all you lovely people!

I'm trying to figure out if I can port forward to different servers based on the destination domain.

I have a domain with a wildcard cert and I'd like to be able to route all traffic headed towards "1.domain.com" to a server I'm calling "1". I'd still like traffic headed to domain.com to go to where it's currently going, we can call this server "0", and to be able to have a 2.domain.com or 3 or 4 in the future.

I thought that having a port forward rule with: interface: WAN Protocol: any source: any destination: a url alias including 1.domain.com redirect target ip: local ip

Would work, but it doesn't seem to. Any tips?

Hi!

I have a question. If I enable IPS mode, my outbound traffic graphs stop working.

This is a known bug? Is there something that I can do?

https://imgur.com/Igzjc6I

I'm running OPNsense 24.1.3_1.

Thanks!

Hi all, I've got a cheap Celeron box running OPNSense and it's been pretty good so far, but I found twice that the device turned off at some point while I was at work, and I have been unable to figure out what's causing it.

The only change was that I enabled Monit to see if I could figure out what was causing crowdsec to stop sometimes but never ended up configuring anything. I've only been running it for a couple months though, so it's possible that that is not related.

I know that on a Mac (based on freebsd, right?) you can determine whether the shutdown reason was a hard shutdown, regular shutdown, or the power cable being unplugged. Is it possible to do that with OPNSense? I'd like to narrow it down to software or hardware ideally.

After a home rewire, I'm ready to bump up to 2.5GbE, and demote my old 1Gbps router/wifi box to "AP Only mode".

I want at least ~~five~~ six total ports, four of which need to be 2.5+ (three to different rooms, one for uplink, one 1G+ for the AP, and one "any speed is enough" for the networked printer :) )

It seems like the "mini-PC with a bunch of 2.5GbE ports running OPNSense" option fits neatly between "Build a router out of my old i5-2500K and some eBay NICs and ignore the USD450 electric bill", and "enterprise rackmount gear with Delta fans left over from people overclocking their Socket A Athlons."

I see a lot of machines of the form "fanless case with a little castle of fins on top, Intel N100 CPU, six 2.5G ports from I226 chipset". A representative example is https://www.aliexpress.us/item/3256806214512701.html

I suspect they may all be re-brands of the same basic product, but I wanted to know real-world experiences:

• Basic question: can anyone vouch for any specific one of these devices/sellers and confirm it worked for them?

• I understand the i225-v LAN chipset was much buggier than the i226-v and to be avoided; still the case? I see a few products that are like USD50 cheaper, with different CPUs and i225-based LAN.

• For routing/firewall duties (probably 4 PCs, 3 phones, a couple printers, and some smart devices) , are the bottom-of-the-line configs (8GB RAM/128G disc) suitable? Is the CPU sufficient? The N100 makes me laugh-- Intel doesn't even want to give it a brand name.

• Regarding WiFi, should I just block out that little Mini-PCIe slot on the board from my mind? I know that FreeBSD WiFi has been sort of a fourth-class citizen for years, but I was wondering if there had been a breakthrough, or at least a "here is one specific card you can buy for a largely drama-free experience"

• Weird question: Any problems with RF noise? I have had some devices where the power brick made a mess of a neighbour's AM radio reception, and I don't want to start a war with him. I figure when you're buying a device with a 60w wall-wart from a random brand, it might not be the cleanest.

Just a few tips for installing on a Sophos SG135 (and perhaps others in the Sophos family?) using the serial build via usb

1. Sophos device starts at 38400,n,8,1 as com settings. OPNsense switches to 115200 after bios. If you set your session to 115200 prior to OPNsense taking over, this causes PuTTY to not be able to input keyboard characters until you kill and re-open the session. Something happens in the transition on either serial interface to cause problems.

2. Perform the auto detection of interfaces. For some reason I got screwed up on the interfaces and couldn't for the life of me get LAN to come up to configure the box. I believe this was twofold: one, the interfaces were all down when I configured them - and two, that caused them to go into a state to where even if 'ifconfig' showed active as I moved my cabling around, pings would not work (LAN). Once I redid the usb live and utilized the auto detection feature properly, no issues occurred.

Hope this helps someone who may run into similar issues.

Hey all, I've been trying to figure out why enabling IPS kills my network. I have some services I host and would like to get some sort of IPS running. I used to have Snort running through pfSense and didn't experience issues like this.

Edit: as an update to this, I resolved it by installing the realtek plugin.

Hey all, recent convert from pfSense. I'm trying to make sure only the DNS servers I've defined are being used for lookups? I'm using Unbound and noticing a lot of traffic on port 53 to destinations other than the ones I've put in.

Hi There,

Please excuse the lenghty post, I wanted to explain/have all the information I can possibly write down

I've been trying to have "udpbroadcastrelay" plugin to relay SSDP (Simple Service Discovery Protocol) between two subnets, LAN and Bridge. However, I've hit a roadblock with this setup.

The peculiar thing is that mDNS (Multicast DNS) works flawlessly using the same plugin and setup!

I hope that someone can help shed some light on this issue and help me get SSDP relay working as smoothly as mDNS does in my setup. If anyone has experience with the "udpbroadcastrelay" plugin in OPNsense or has encountered a similar issue, your insights and guidance would be greatly appreciated. Thanks in advance for any assistance or suggestions!

SIDENOTE:-

I have used BOTH of :

- os-udpbroadcastrelay 1.0_3 (frpm repo)
- compiled from source (Github) so i can use --msearch option

1. My Setup

   • Virtualized OPNsense in Proxmox
     • Pass-Through (WAN)
     • 2 VirtIO Interfaces (LAN & Bridge)
   • OPNsense Version: OPNsense 23.7.10_1-amd64 FreeBSD 13.2-RELEASE-p7
   • Proxmox Version: proxmox-ve: 8.1.0 (running kernel: 6.5.11-7-pve)

2. Troubleshooting Attempts:

I've tried various solutions from different sources to resolve this issue, including:

• HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream

  LAN
  First we have to enable allow options on the default LAN rule Default allow LAN to any rule.

  • Navigate to Firewall -> Rules -> LAN
  • Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
  • Scroll down until you see Advanced Options: and click on Show/Hide
  • Make sure that the allow options checkbox is checked
  • Click Save
  • Back on Overview click on Apply changes to enable the changed rule

• [SOLVED] - Multicast bridge problem | Proxmox Support Forum

  maybe try to disable multicast snooping on bridges ?

  echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping

• Multicast notes - Proxmox VE

  Linux: Disabling Multicast snooping on bridges

  Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. In that case use:

  post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )

  post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )

To help diagnose the issue effectively, here is what i managed to gather:

FW Ruleset

cat /tmp/rules.debug

LAN Rule Set
pass in log quick on vtnet0 inet from {(vtnet0:network)} to {any} keep state label "3070463c8d527cf93da451fa4f88c7cb" # Default allow LAN to any rule

Bridge Rule Set
 pass in log quick on vtnet1 inet from {(vtnet1:network)} to {any} keep state label "2681e3c4a046e0ab9b3ab64679df3edc" # Allow Bridge to any rule

Interfaces

igc0: flags=8963 metric 0 mtu 1500
	description: WAN (wan)
	options=4802028
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
vtnet0: flags=8963 metric 0 mtu 1500
	description: LAN (lan)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29
vtnet1: flags=8963 metric 0 mtu 1500
	description: Bridge (opt1)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29

CLI USED

./udpbroadcastrelay -d -d --id 1 --port 1900 --dev vtnet1 --dev vtnet0 --multicast 239.255.255.250 --msearch dial

2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet1 len=462 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-sony-com:service:Party:1
2023/12/29 21:48:17.593 -> [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet0 len=462 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=447 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000001-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:48:17.593 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=447 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.614 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=490 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:device:MediaServer:1
2023/12/29 21:48:17.614 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=490 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.637 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=502 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ContentDirectory:1
2023/12/29 21:48:17.637 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=502 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.663 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=504 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ConnectionManager:1
2023/12/29 21:48:17.663 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=504 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.373 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.373 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.460 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.460 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.924 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.924 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.425 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.525 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.525 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.556 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=267 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:49:16.556 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=267 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.577 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=276 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000004-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:49:16.577 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=276 tos=0x04 DSCP=1 ttl=4)

Lan Wireshark Capture

Hi everyone,

I’m at my wits end here getting port forwarding working on my setup with Nginx Proxy Manager (NPM) and OPNsense.

I recently upgraded my networking gear, and everything is working great, I’m loving OPNsense and 10G networking. I’ve had the same setup for port forwarding for years and never had issues, the main change was the addition of OPNsense and a switch.

Previous setup (I realize this wasn’t the best):

ISP modem -> DHCPv4 with ports 80/443 forwarded to ASUS wireless router WAN -> DHCPv4 with ports 80/443 forwarded to VM on proxmox running NPM -> NPM set up with hosts to proxy services on other VMs/server.

This (or a variation thereof) has all been working great for years, along with ddns set up as I have a dynamic IP.

New setup:

ISP modem -> DHCP off with ports 80/443 forwarded to OPNsense WAN via MAC address -> OPNsense NAT-Port Forwarding set up to the NPM host/port, rest is the same as before.

The settings for the port forward are the standard I’ve found in guides. WAN address, any source/port, redirect to NPM host and ports. Tried the domain I usually use, no luck. Port checker shows the ports are closed.

Tried the following:

1. DMZ on the ISP modem keeping WAN IP default/automatic and adding OPNsense to the DMZ, no change.
2. Advanced DMZ on ISP, WAN is the external IP, no change
3. Same as 2, but changed OPNsense WAN settings from DHCPv4 to PPPoE, and added the ISP login info. Received new IP, updated ddns, still no change.
4. Checked over port forwarding settings, enabled NAT reflection, still nothing.

I’m between all these steps, I rebooted OPNsense, proxmox, switches, etc.

Any ideas on what I could try for next steps? All of the local networking and external connections work awesome, it’s just the port forwarding as the last piece. Thanks!

Edit 2023-01-03:

I finally solved this, turned out the OPNSense and NPM configuration was all correct.

The problem was a glitch in the docker compose/portainer. I had my ports in docker compose set to 80:80/443:443, but when the container was deployed, it assigned 1880:80/18443:443 because of…reasons, and I didn’t notice until going through it all line by line 🤦.

Redeploying the stack/container didn’t solve it, so I changed the time zone to another city, redeployed and viola, everything works perfect as it should!

This comes with some fixes to the new openVPN system, and route-gateway was added (a big oversight imo). More updates to wireguard and improvements have been added, and are still ongoing.

Here are the full patch notes:

system: correctly set RFC 5424 on remote TLS system logging

system: remove hasGateways() and write DHCP router option unconditionally

system: avoid plugin system for gateways monitor status fetch

system: remove passing unused ifconfig data to Gateways class on static pages

system: remove passing unused ifconfig data on gateway monitor status fetch

system: remove the unused "alert interval" option from the gateway configuration

interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account

interfaces: teach ifctl to dump all files and its data for an interface

interfaces: remove dead link/hint in GIF table

interfaces: avoid duplicating $vfaces array

interfaces: introduce interfaces_restart_by_device()

firewall: remove old __empty__ options trick from shaper model

firewall: update models for clarity

firmware: update model for clarity

ipsec: omit conditional authentication properties when not applicable on connections

ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)

ipsec: allow the use of eap_id = %any in instances

openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)

openvpn: add CARP VHID tracking for client instances

openvpn: add tun-mtu/fragment/mssfix combo for instances

openvpn: add "route-gateway" advanced option to CSO

openvpn: use new File::file_put_contents() wrapper for instances

openvpn: updated model and clarified "auth" default option

mvc: remove "non-functional" hints from form input elements

mvc: uppercase default label in BaseListField is more likely

ui: add bytes format to standard formatters list

plugins: os-ddclient 1.16[1]

plugins: os-frr 1.36[2]

plugins: os-wireguard 2.1[3]

plugins: os-tinc 1.7 adds support for "StrictSubnets" variable (contributed by andrewhotlab)

lang: update translations and add Polish

src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)

src: axgbe: gracefully handle i2c bus failures

src: bnxt: do not restart on VLAN changes

src: ice: do not restart on VLAN changes

src: net: do not overwrite VLAN PCP

src: net: remove VLAN metadata on PCP / VLAN encapsulation

src: if_vlan: always default to 802.1

src: iflib: fix panic during driver reload stress test

src: iflib: fix white space and reduce some line lengths

src: ixgbe: define IXGBE_LE32_TO_CPUS

src: ixgbe: check for fw_recovery

src: net80211: fail for unicast traffic without unicast key[4]

src: pcib: allocate the memory BAR with the MSI-X table[5]

ports: php 8.2.10[6]

ports: python 3.9.18[7]

ports: unbound 1.18.0[8]

This is an open ended question, it seems we need to encourage people to join here as well as being on their preferred platform (which is not ours to discourage or be derogatory about).

I still frequent the "that site" because I want to help - but honestly I dont want to help "that site". Not that I am really doing so.

However, it feels weird if I do have to say "we are also on fede.. blah blah" and lets be honest about this -- its less support, but by more knowledgeable people (??probably I believe so).

How do we get them (and lets face it, Franco) over here to support OSS.

I know Franco has paid subscriptions but opnsense is OSS, the community is more than happy to help out if it is not paywalled.

https://forum.opnsense.org/index.php?topic=35682.msg173524#msg173524

Will I be able to use proton vpn .conf for WireGuard so I can run all my devices in that tunnel

https://forum.opnsense.org/index.php?topic=35554.msg172727#msg172727

• system: close boot file after probing to avoid lock inheritance
• system: fix lock() inheriting the lock state
• system: give more context in process kill error case since we operate PID numbers only
• firewall: groups were not correctly parsed for menu post-migration
• firewall: hide row command buttons for internal groups
• firewall: add "ipv6-icmp" to protocol list in shaper
• firewall: fix PHP warnings on the rules pages
• dhcp: check if manufacturer exists for IPv4 lease page to prevent error
• dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
• dhcp: fix validation for static entry requirement
• firmware: revoke 23.1 fingerprint
• network time: support pool directive and maxclock (contributed by Kevin Fason)
• openvpn: fix static key delete
• openvpn: fix "mode" typo and push auth "digest" into export config
• openvpn: fix race condition when using CRLs in instances
• openvpn: remove arbitrary upper bounds on some integer values in instances
• unbound: migration of empty nodes failed from 23.1.11 to 23.7
• unbound: fix regression when disabling first domain override
• mvc: fix empty item selection issue in BaseListField
• plugins: os-ddclient 1.14
• plugins: os-acme-client 3.19
• src: bhyve: fully reset the fwctl state machine if the guest requests a reset
• src: frag6: avoid a possible integer overflow in fragment handling
• src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
• src: libpfctl: ensure the initial allocation is large enough
• src: pf: handle multiple IPv6 fragment headers
• ports: curl 8.2.1
• ports: nss 3.92
• ports: openssl 1.1.1v
• ports: perl 5.34.1
• ports: py-dnspython 2.4.1
• ports: strongswan 5.9.11
• ports: syslog-ng 4.3.1

Four days ago it was looking on track: https://forum.opnsense.org/index.php?topic=35041.0

As per the roadmap, https://opnsense.org/about/road-map/ it will come soon.

The main points to note about this release (See https://forum.opnsense.org/index.php?topic=34948.0 for everything):

o php8.2 updates

o allow “.” in DNS search override

o extend/modify IPv6 primary address behaviour

o rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration

o move unbound-blocklists.conf to configuration location

Updates to these plugins:

o plugins: os-acme-client 3.18[3]

o plugins: os-dnscrypt-proxy 1.14[4]

o plugins: os-dyndns removed due to unmaintained code base

o plugins: os-frr 1.34[5]

o plugins: os-telegraf 1.12.8[6]

However, there are a lot of known issues and migration considerations:

o The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.

o Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.

o IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL annoucement will be made next year.

o The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.

o The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.

https://forum.opnsense.org/index.php?topic=34948.msg169272

There is no better feeling in the world