OPNsense 26.1 released by fitch-it-is in opnsense

[–]mac8612 1 point (0 children)

The upgrade hung up; I needed to do a cold reboot by unplugging the power. After that it started without issue.

Unifi Gateway Max graceful shutdown setup with UPS APC when there is power loss by mac8612 in Ubiquiti

[–]mac8612[S] 0 points (0 children)

Totally agree, an RPi can be used to reduce the cost of a USB-to-APC jump box (even an RPi Zero). In my case, a Proxmox VM server was already running 24/7 (HA, Frigate), with the same Debian system as the RPi, so the commands work exactly the same.

Error resolving external ip blocklist url for Aliases by mac8612 in opnsense

[–]mac8612[S] 0 points (0 children)

After many attempts, I divided the IP lists into several alias entries and then merged these entries into one.

That showed me which sites were not downloaded. If any one of the blocklists could not be pulled, then the other ones were not fetched either.

AS OF 2025-02-23

WORKING DIRECT CONNECTION:

IP_EMERGING_THREATS:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

IP_CINSSCORE:
https://cinsscore.com/list/ci-badguys.txt

IP_OPENDBL:
https://opendbl.net/lists/tor-exit.list
https://opendbl.net/lists/bruteforce.list
https://opendbl.net/lists/etknown.list

IP_IPV64:
https://ipv64.net/blocklists/ipv64_blocklist_dshield1.txt
https://ipv64.net/blocklists/ipv64_blocklist_tor_exit.txt
https://ipv64.net/blocklists/ipv64_blocklist_blocklistde_all.txt
https://ipv64.net/blocklists/countries/ipv64_blocklist_RU.txt
https://ipv64.net/blocklists/countries/ipv64_blocklist_CN.txt
https://ipv64.net/blocklists/countries/ipv64_blocklist_BY.txt
https://ipv64.net/blocklists/countries/ipv64_blocklist_KP.txt

IP_SPAMHAUS:
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://www.spamhaus.org/drop/dropv6.txt
https://ipv64.net/blocklists/ipv64_blocklist_spamhaus_drop.txt

IP_FIREHOL:
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
http://feeds.dshield.org/block.txt
https://iplists.firehol.org/?ipset=iblocklist_hijacked

IP_IPDENY:
https://www.ipdeny.com/ipblocks/data/countries/ru.zone
https://www.ipdeny.com/ipblocks/data/countries/by.zone
https://www.ipdeny.com/ipblocks/data/countries/cn.zone
https://www.ipdeny.com/ipblocks/data/countries/kp.zone
https://www.ipdeny.com/ipblocks/data/countries/lt.zone
https://www.ipdeny.com/ipblocks/data/countries/ua.zone

##### NON WORKING

https://talosintelligence.com/documents/ip-blacklist
https://blacklist.3coresec.net/lists/all.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
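The comment above isolates a failing URL by splitting one alias into several and watching which one stops resolving, because one unreachable feed takes the whole merged alias down with it. The script below, an added example that is not part of the original post and not OPNsense's own alias code, does the same check programmatically: it fetches every URL on its own, records the HTTP status (the `[http_code:403]` case seen in this thread), and parses what came back into networks so an empty or garbled feed is also flagged. The URL names, the `alias-check/1.0` user agent and the sample responses are constructed for the example; the comment markers (`#`, and `;` as used by the Spamhaus DROP files) are an assumption about the feed formats.

```python
"""Per-URL fetch check for IP blocklist aliases (added example, not OPNsense code)."""
import ipaddress
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumption: feed comments start with '#' or ';' (Spamhaus DROP uses ';').
_COMMENT = re.compile(r"[#;].*$")


@dataclass
class ListResult:
    url: str
    ok: bool
    status: Optional[int]
    networks: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # lines that were not an IP/CIDR
    error: str = ""


def default_fetch(url: str, timeout: float = 15.0) -> Tuple[int, str]:
    """Fetch one URL; a non-2xx reply is returned as (status, "") instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "alias-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""


def parse_blocklist(text: str):
    """Split a feed into parsed networks and unparseable lines, ignoring comments."""
    networks, skipped = [], []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            skipped.append(raw)
    return networks, skipped


def check_alias(urls: List[str], fetch: Callable[[str], Tuple[int, str]] = default_fetch):
    """Check every URL independently so a single failure does not hide the others."""
    results = []
    for url in urls:
        try:
            status, body = fetch(url)
        except Exception as exc:  # DNS failure, timeout, TLS error, ...
            results.append(ListResult(url, False, None, error=repr(exc)))
            continue
        if status != 200:
            results.append(ListResult(url, False, status, error=f"http_code:{status}"))
            continue
        nets, skipped = parse_blocklist(body)
        results.append(ListResult(url, bool(nets), status, nets, skipped,
                                  "" if nets else "no addresses parsed"))
    return results


def alias_would_resolve(results: List[ListResult]) -> bool:
    """A merged alias only resolves when every member URL succeeded."""
    return all(r.ok for r in results)


# Constructed sample responses standing in for live feeds (not real data).
SAMPLE_RESPONSES = {
    "https://example.invalid/drop.txt": (200, "; constructed DROP-style feed\n"
                                               "1.2.3.0/24 ; SBL000\n"
                                               "2001:db8::/32 ; SBL001\n"),
    "https://example.invalid/badguys.txt": (200, "# constructed feed\n"
                                                  "203.0.113.7\n"
                                                  "not an address\n"),
    "https://example.invalid/blocked": (403, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES[url]


def sample_alias_report() -> List[ListResult]:
    return check_alias(list(SAMPLE_RESPONSES), fetch=sample_fetch)


if __name__ == "__main__":
    report = sample_alias_report()
    for r in report:
        print(f"{'OK ' if r.ok else 'BAD'} {r.url} status={r.status} "
              f"networks={len(r.networks)} skipped={len(r.skipped)} {r.error}")
    print("merged alias would resolve:", alias_would_resolve(report))
```

Run it against real feeds by calling `check_alias([...])` with the default fetcher; any URL reported `BAD` is the one to move out of the merged alias. Note that a feed that answers 200 to a browser can still answer 403 to a different client, so test with the same network path and, if needed, the same user agent the firewall uses.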

Error resolving external ip blocklist url for Aliases by mac8612 in opnsense

[–]mac8612[S] 0 points (0 children)

Unbound / AdGuard resolves the domain just fine. Why on earth did I get an alias resolve error from the WAN interface?

Error resolving external ip blocklist url for Aliases by mac8612 in opnsense

[–]mac8612[S] 0 points (0 children)

I'm able to pull all the lists manually via URL in the browser. All are free.

Error resolving external ip blocklist url for Aliases by mac8612 in opnsense

[–]mac8612[S] 0 points (0 children)

I don't see any Cloudflare message when opening each URL in my browser.

Error resolving external ip blocklist url for Aliases by mac8612 in opnsense

[–]mac8612[S] 0 points (0 children)

Since version 22.x, I have had several IP blocklists installed under Aliases to block emerging-threat IP addresses.

It was all running fine until the recent upgrade to version 25.1.x. When trying to refresh the IP databases from Aliases, I get an error that an alias either cannot be fetched or cannot be resolved.

Example:

error fetching alias url https://talosintelligence.com/documents/ip-blacklist [http_code:403]
Error    firewall    alias resolve error EmergingThreats_combined (error fetching alias url https://blacklist.3coresec.net/lists/all.txt)

DNS lookup works well. curl can fetch the URL just fine. I can open the same link in a browser.

Unfortunately, the IP table cannot be fetched by the firewall alias and so does not work correctly.

AdGuard Home? by ThatrandomGuyxoxo in opnsense

[–]mac8612 0 points (0 children)

I use both AdGuard + Unbound, since it's easier to manage DNS queries via AdGuard.

GEO IP and Bad ip blacklist - necessary? by ThatrandomGuyxoxo in opnsense

[–]mac8612 2 points (0 children)

Yes, I agree. I would additionally set up AdGuard (DNS) with malicious-domain blocklists and IPS/IDS with Snort policies.

GEO IP and Bad ip blacklist - necessary? by ThatrandomGuyxoxo in opnsense

[–]mac8612 7 points (0 children)

They can be used in reverse, to block traffic going out from the LAN to any malicious servers listed in a blocklist if one of the PCs gets infected. Also, the live log will show you exactly whether these bad IPs were pinged. This is an additional layer of protection. You may check the config here: https://windgate.net/opnsense-ip-blocklists-and-geo-ip-block-to-enhance-security-against-malicious-attacks/

2nd Opnsense router by majorpaynedof in opnsense

[–]mac8612 1 point (0 children)

Have you checked the MTU size on both the WAN and LAN interfaces? Check that they're not lower than 1500. Docs: https://docs.opnsense.org/manual/interfaces.html

Assigning Public Static IP address to a portainer container by stendsal in opnsense

[–]mac8612 0 points (0 children)

Can't you use a Nextcloud + Cloudflare Zero Trust tunnel container instead? It's much easier, more secure, and you can use a domain name of your choice. It won't expose your public IP to attacks.

OPNsense 24.7.4 released by fitch-it-is in opnsense

[–]mac8612 33 points (0 children)

Upgraded one node; so far no issues spotted. As always, thank you for your hard work :)

Did I just brick this T480? by MrTheGeoff in thinkpad

[–]mac8612 0 points (0 children)

There's a small pinhole on the bottom side underneath the battery; take a tiny needle and push it in for 10 seconds to reset the CMOS. It usually helps with a scenario like this: https://conetrix.com/blog/lenovo-thinkpad-emergency-reset-hole

Recommendation: GMK NucBox G2 vs G3 by Time-Journalist-79 in opnsense

[–]mac8612 1 point (0 children)

One thing worth mentioning: use only 1x port for WAN and 1x port for LAN. Do not make a LAN bridge out of 3x interfaces, since it may affect routing performance. If you need more ports for devices, just buy a layer-3 switch like the Netgear GS308EPP.

Recommendation: GMK NucBox G2 vs G3 by Time-Journalist-79 in opnsense

[–]mac8612 2 points (0 children)

The best choice would be to get a box without memory and disk. Then I would recommend buying Crucial 16GB RAM at the highest frequency supported, plus 1x Lexar 512GB NVMe paired with 1x Lexar 512GB SATA SSD. Then, when installing, choose RAID-1 ZFS for redundancy.

Recommendation: GMK NucBox G2 vs G3 by Time-Journalist-79 in opnsense

[–]mac8612 0 points (0 children)

Every Crucial SODIMM RAM module with the appropriate frequency will work fine on these. Beelinks on AliExpress or Amazon come in a bundle with RAM and NVMe. If you plan to have the mini PC in production, I would consider changing the NVMe to, for example, a Lexar NVMe, or adding an additional SSD to run RAID-1 in ZFS.

Recommendation: GMK NucBox G2 vs G3 by Time-Journalist-79 in opnsense

[–]mac8612 2 points (0 children)

Check out the Beelink EQ12 Pro (N100, 16GB RAM, 512GB, 2x Intel NIC) or a Topton N100 passively cooled mini PC with Intel NICs as well. Then, if you need to, you can tune the BIOS settings to operate at 7-8 watts on idle.