!opnsense@lemmy.world
All discussions about the open source, FreeBSD-based firewall called OPNsense.
Hello all you lovely people!
I'm trying to figure out if I can port forward to different servers based on the destination domain.
I have a domain with a wildcard cert and I'd like to be able to route all traffic headed towards "1.domain.com" to a server I'm calling "1". I'd still like traffic headed to domain.com to go to where it's currently going, we can call this server "0", and to be able to have a 2.domain.com or 3 or 4 in the future.
I thought that having a port forward rule with:
- interface: WAN
- Protocol: any
- source: any
- destination: a url alias including 1.domain.com
- redirect target ip: local ip

would work, but it doesn't seem to. Any tips?
https://imgur.com/Igzjc6I
Hi all, I've got a cheap Celeron box running OPNSense and it's been pretty good so far, but I found twice that the device turned off at some point while I was at work, and I have been unable to figure out what's causing it.
The only change was that I enabled Monit to see if I could figure out what was causing crowdsec to stop sometimes but never ended up configuring anything. I've only been running it for a couple months though, so it's possible that that is not related.
I know that on a Mac (based on freebsd, right?) you can determine whether the shutdown reason was a hard shutdown, regular shutdown, or the power cable being unplugged. Is it possible to do that with OPNSense? I'd like to narrow it down to software or hardware ideally.
After a home rewire, I'm ready to bump up to 2.5GbE, and demote my old 1Gbps router/wifi box to "AP Only mode".
I want at least five six total ports, four of which need to be 2.5+ (three to different rooms, one for uplink, one 1G+ for the AP, and one "any speed is enough" for the networked printer :) )
It seems like the "mini-PC with a bunch of 2.5GbE ports running OPNSense" option fits neatly between "Build a router out of my old i5-2500K and some eBay NICs and ignore the USD450 electric bill", and "enterprise rackmount gear with Delta fans left over from people overclocking their Socket A Athlons."
I see a lot of machines of the form "fanless case with a little castle of fins on top, Intel N100 CPU, six 2.5G ports from I226 chipset". A representative example is https://www.aliexpress.us/item/3256806214512701.html
I suspect they may all be re-brands of the same basic product, but I wanted to know real-world experiences:
Basic question: can anyone vouch for any specific one of these devices/sellers and confirm it worked for them?
I understand the i225-v LAN chipset was much buggier than the i226-v and to be avoided; still the case? I see a few products that are like USD50 cheaper, with different CPUs and i225-based LAN.
For routing/firewall duties (probably 4 PCs, 3 phones, a couple printers, and some smart devices), are the bottom-of-the-line configs (8GB RAM/128G disc) suitable? Is the CPU sufficient? The N100 makes me laugh-- Intel doesn't even want to give it a brand name.
Regarding WiFi, should I just block out that little Mini-PCIe slot on the board from my mind? I know that FreeBSD WiFi has been sort of a fourth-class citizen for years, but I was wondering if there had been a breakthrough, or at least a "here is one specific card you can buy for a largely drama-free experience"
Weird question: Any problems with RF noise? I have had some devices where the power brick made a mess of a neighbour's AM radio reception, and I don't want to start a war with him. I figure when you're buying a device with a 60w wall-wart from a random brand, it might not be the cleanest.
Just a few tips for installing on a Sophos SG135 (and perhaps others in the Sophos family?) using the serial build via usb
Sophos device starts at 38400,n,8,1 as com settings. OPNsense switches to 115200 after bios. If you set your session to 115200 prior to OPNsense taking over, this causes PuTTY to not be able to input keyboard characters until you kill and re-open the session. Something happens in the transition on either serial interface to cause problems.
Perform the auto detection of interfaces. For some reason I got screwed up on the interfaces and couldn't for the life of me get LAN to come up to configure the box. I believe this was twofold: one, the interfaces were all down when I configured them - and two, that caused them to go into a state to where even if 'ifconfig' showed active as I moved my cabling around, pings would not work (LAN). Once I redid the usb live and utilized the auto detection feature properly, no issues occurred.
Hope this helps someone who may run into similar issues.
Hey all, I've been trying to figure out why enabling IPS kills my network. I have some services I host and would like to get some sort of IPS running. I used to have Snort running through pfSense and didn't experience issues like this.
Edit: as an update to this, I resolved it by installing the realtek plugin.
Hey all, recent convert from pfSense. I'm trying to make sure only the DNS servers I've defined are being used for lookups? I'm using Unbound and noticing a lot of traffic on port 53 to destinations other than the ones I've put in.
Hi There,
Please excuse the lengthy post, I wanted to explain/have all the information I can possibly write down.
I've been trying to have "udpbroadcastrelay" plugin to relay SSDP (Simple Service Discovery Protocol) between two subnets, LAN and Bridge. However, I've hit a roadblock with this setup.
The peculiar thing is that mDNS (Multicast DNS) works flawlessly using the same plugin and setup!
I hope that someone can help shed some light on this issue and help me get SSDP relay working as smoothly as mDNS does in my setup. If anyone has experience with the "udpbroadcastrelay" plugin in OPNsense or has encountered a similar issue, your insights and guidance would be greatly appreciated. Thanks in advance for any assistance or suggestions!
SIDENOTE:
I have used BOTH of:
- os-udpbroadcastrelay 1.0_3 (from repo)
- compiled from source (GitHub) so I can use --msearch option
My Setup
Troubleshooting Attempts:
I've tried various solutions from different sources to resolve this issue, including:
HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream
LAN
First we have to enable allow options on the default LAN rule Default allow LAN to any rule.
- Navigate to Firewall -> Rules -> LAN
- Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Back on Overview click on Apply changes to enable the changed rule
[SOLVED] - Multicast bridge problem | Proxmox Support Forum
maybe try to disable multicast snooping on bridges ?
echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping
Linux: Disabling Multicast snooping on bridges
Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. In that case use:
post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )
post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )
To help diagnose the issue effectively, here is what I managed to gather:
FW Ruleset
LAN Rule Set

Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
---|---|---|---|---|---|---|---|
IPv4 | LAN net | * | * | * | * | * | Default allow LAN to any |

Bridge Rule Set

Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
---|---|---|---|---|---|---|---|
IPv4 | Bridge net | * | * | * | * | * | Allow Bridge to any rule (Manual Entry) |
cat /tmp/rules.debug
LAN Rule Set
pass in log quick on vtnet0 inet from {(vtnet0:network)} to {any} keep state label "3070463c8d527cf93da451fa4f88c7cb" # Default allow LAN to any rule
Bridge Rule Set
pass in log quick on vtnet1 inet from {(vtnet1:network)} to {any} keep state label "2681e3c4a046e0ab9b3ab64679df3edc" # Allow Bridge to any rule
Interfaces
igc0: flags=8963 metric 0 mtu 1500
description: WAN (wan)
options=4802028
ether xx:xx:xx:xx:xx:xx
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT )
status: active
nd6 options=29
vtnet0: flags=8963 metric 0 mtu 1500
description: LAN (lan)
options=800a8
ether xx:xx:xx:xx:xx:xx
inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (10Gbase-T )
status: active
nd6 options=29
vtnet1: flags=8963 metric 0 mtu 1500
description: Bridge (opt1)
options=800a8
ether xx:xx:xx:xx:xx:xx
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
media: Ethernet autoselect (10Gbase-T )
status: active
nd6 options=29
CLI USED
./udpbroadcastrelay -d -d --id 1 --port 1900 --dev vtnet1 --dev vtnet0 --multicast 239.255.255.250 --msearch dial
2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:17.593 <- [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet1 len=462 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term urn:schemas-sony-com:service:Party:1
2023/12/29 21:48:17.593 -> [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet0 len=462 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:17.593 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=447 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term uuid:00000001-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:48:17.593 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=447 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:17.614 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=490 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term urn:schemas-upnp-org:device:MediaServer:1
2023/12/29 21:48:17.614 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=490 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:17.637 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=502 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term urn:schemas-upnp-org:service:ContentDirectory:1
2023/12/29 21:48:17.637 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=502 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:17.663 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=504 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term urn:schemas-upnp-org:service:ConnectionManager:1
2023/12/29 21:48:17.663 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=504 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:18.373 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
Applying default action FORWARD
2023/12/29 21:48:18.373 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:18.460 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
Applying default action FORWARD
2023/12/29 21:48:18.460 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:24.924 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
Applying default action FORWARD
2023/12/29 21:48:24.924 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
Applying default action FORWARD
2023/12/29 21:48:25.425 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:25.525 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
Applying default action FORWARD
2023/12/29 21:48:25.525 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:49:16.556 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=267 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term upnp:rootdevice
2023/12/29 21:49:16.556 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=267 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:49:16.577 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=276 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term uuid:00000004-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:49:16.577 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=276 tos=0x04 DSCP=1 ttl=4)
LAN Wireshark Capture
No. | Time | Source | Destination | Protocol | Length | Info |
---|---|---|---|---|---|---|
920 | 09:13:01.207756 | 10.10.10.46 | 239.255.255.250 | SSDP | 349 | NOTIFY * HTTP/1.1 |
921 | 09:13:01.229336 | 10.10.10.46 | 239.255.255.250 | SSDP | 349 | NOTIFY * HTTP/1.1 |
922 | 09:13:01.290046 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
923 | 09:13:01.292706 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
924 | 09:13:02.292100 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
925 | 09:13:02.294187 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
926 | 09:13:03.308643 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
928 | 09:13:03.310873 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
929 | 09:13:04.309797 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
930 | 09:13:04.311739 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
932 | 09:13:04.803218 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
933 | 09:13:04.805015 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
934 | 09:13:05.800708 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
936 | 09:13:07.799676 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
937 | 09:13:07.801449 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
938 | 09:13:08.045029 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
962 | 09:13:10.807982 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
963 | 09:13:10.811017 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
964 | 09:13:12.695351 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
1068 | 09:14:02.720283 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
1080 | 09:14:02.977262 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
1119 | 09:14:03.205658 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
1152 | 09:14:03.442876 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
1237 | 09:14:03.907019 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
1284 | 09:14:04.593450 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
1285 | 09:14:04.595580 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
1286 | 09:14:04.608593 | 192.168.100.75 | 239.255.255.250 | SSDP | 179 | M-SEARCH * HTTP/1.1 |
1301 | 09:14:04.862324 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
1324 | 09:14:05.215444 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 52272 Len=264 |
1371 | 09:14:06.231131 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
1372 | 09:14:06.233068 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
1392 | 09:14:06.865155 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
1401 | 09:14:07.232162 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
1402 | 09:14:07.234422 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
1408 | 09:14:07.595062 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
1409 | 09:14:07.597369 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
1410 | 09:14:07.610422 | 192.168.100.75 | 239.255.255.250 | SSDP | 179 | M-SEARCH * HTTP/1.1 |
1443 | 09:14:08.234467 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
1444 | 09:14:08.234644 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
1445 | 09:14:08.236807 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
1446 | 09:14:08.237538 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
1448 | 09:14:08.265899 | 192.168.100.75 | 239.255.255.250 | SSDP | 175 | M-SEARCH * HTTP/1.1 |
1450 | 09:14:08.297109 | 192.168.100.75 | 239.255.255.250 | SSDP | 169 | M-SEARCH * HTTP/1.1 |
1453 | 09:14:08.334904 | 192.168.100.75 | 239.255.255.250 | SSDP | 167 | M-SEARCH * HTTP/1.1 |
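
A small parser for the relay debug output in the post above, as an added example that is not part of the original post or of the udpbroadcastrelay project: it pairs each received packet with its relayed copies, so you can see which SSDP message types cross between vtnet0 and vtnet1 and which were received but never relayed. The line layout is assumed from the log lines shown in the post; the last packet in the sample is constructed without a relayed copy.

```python
import re
from collections import Counter

# Packet line layout, assumed from the debug output shown in the post:
# "<date> <time> <-|-> [ src:port -> dst:port (iface=X len=N tos=.. DSCP=.. ttl=N)"
# "<-" marks a packet received by the relay, "->" a copy it sent out.
PACKET = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<dir><-|->) \[ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(iface=(?P<iface>\S+) len=(?P<len>\d+) "
)
FOUND = re.compile(r"^Found (?P<kind>\S+) search term (?P<term>\S+)")


def parse(lines):
    """Return one record per received packet, with the interfaces it was relayed to."""
    records, current = [], None
    for line in lines:
        line = line.strip()
        m = PACKET.match(line)
        if m and m["dir"] == "<-":
            current = {"ts": m["ts"], "src": m["src"], "sport": m["sport"],
                       "in_iface": m["iface"], "len": int(m["len"]),
                       "kind": None, "term": None, "out_ifaces": []}
            records.append(current)
        elif m and current is not None:
            # Count a "->" line only if it matches the packet just received.
            if (m["src"], m["sport"], int(m["len"])) == (
                    current["src"], current["sport"], current["len"]):
                current["out_ifaces"].append(m["iface"])
        elif current is not None:
            f = FOUND.match(line)
            if f:
                current["kind"], current["term"] = f["kind"], f["term"]
    return records


def summarize(records):
    """Count relayed packets per (kind, in_iface, out_iface); list unrelayed ones."""
    relayed, not_relayed = Counter(), []
    for r in records:
        if not r["out_ifaces"]:
            not_relayed.append(r)
        for out in r["out_ifaces"]:
            relayed[(r["kind"], r["in_iface"], out)] += 1
    return relayed, not_relayed


# Sample input: the first two packets follow lines from the post; the third
# (no "->" copy) is constructed to exercise the "not relayed" path.
SAMPLE = """\
2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
""".splitlines()

if __name__ == "__main__":
    relayed, not_relayed = summarize(parse(SAMPLE))
    for (kind, src_if, dst_if), n in sorted(relayed.items()):
        print(f"{kind:9} {src_if} -> {dst_if}: {n}")
    for r in not_relayed:
        print(f"not relayed: {r['ts']} {r['kind']} {r['term']} from {r['src']} on {r['in_iface']}")
```
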
Hi everyone,
I’m at my wits end here getting port forwarding working on my setup with Nginx Proxy Manager (NPM) and OPNsense.
I recently upgraded my networking gear, and everything is working great, I’m loving OPNsense and 10G networking. I’ve had the same setup for port forwarding for years and never had issues, the main change was the addition of OPNsense and a switch.
Previous setup (I realize this wasn’t the best):
ISP modem -> DHCPv4 with ports 80/443 forwarded to ASUS wireless router WAN -> DHCPv4 with ports 80/443 forwarded to VM on proxmox running NPM -> NPM set up with hosts to proxy services on other VMs/server.
This (or a variation thereof) has all been working great for years, along with ddns set up as I have a dynamic IP.
New setup:
ISP modem -> DHCP off with ports 80/443 forwarded to OPNsense WAN via MAC address -> OPNsense NAT-Port Forwarding set up to the NPM host/port, rest is the same as before.
The settings for the port forward are the standard I’ve found in guides. WAN address, any source/port, redirect to NPM host and ports. Tried the domain I usually use, no luck. Port checker shows the ports are closed.
Tried the following:
In between all these steps, I rebooted OPNsense, proxmox, switches, etc.
Any ideas on what I could try for next steps? All of the local networking and external connections work awesome, it’s just the port forwarding as the last piece. Thanks!
Edit 2023-01-03:
I finally solved this, turned out the OPNSense and NPM configuration was all correct.
The problem was a glitch in the docker compose/portainer. I had my ports in docker compose set to 80:80/443:443, but when the container was deployed, it assigned 1880:80/18443:443 because of…reasons, and I didn’t notice until going through it all line by line 🤦.
Redeploying the stack/container didn’t solve it, so I changed the time zone to another city, redeployed and voilà, everything works perfect as it should!
This comes with some fixes to the new openVPN system, and route-gateway was added (a big oversight imo). More updates to wireguard and improvements have been added, and are still ongoing.
Here are the full patch notes:
system: correctly set RFC 5424 on remote TLS system logging
system: remove hasGateways() and write DHCP router option unconditionally
system: avoid plugin system for gateways monitor status fetch
system: remove passing unused ifconfig data to Gateways class on static pages
system: remove passing unused ifconfig data on gateway monitor status fetch
system: remove the unused "alert interval" option from the gateway configuration
interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
interfaces: teach ifctl to dump all files and its data for an interface
interfaces: remove dead link/hint in GIF table
interfaces: avoid duplicating $vfaces array
interfaces: introduce interfaces_restart_by_device()
firewall: remove old __empty__ options trick from shaper model
firewall: update models for clarity
firmware: update model for clarity
ipsec: omit conditional authentication properties when not applicable on connections
ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)
ipsec: allow the use of eap_id = %any in instances
openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
openvpn: add CARP VHID tracking for client instances
openvpn: add tun-mtu/fragment/mssfix combo for instances
openvpn: add "route-gateway" advanced option to CSO
openvpn: use new File::file_put_contents() wrapper for instances
openvpn: updated model and clarified "auth" default option
mvc: remove "non-functional" hints from form input elements
mvc: uppercase default label in BaseListField is more likely
ui: add bytes format to standard formatters list
plugins: os-ddclient 1.16[1]
plugins: os-frr 1.36[2]
plugins: os-wireguard 2.1[3]
plugins: os-tinc 1.7 adds support for "StrictSubnets" variable (contributed by andrewhotlab)
lang: update translations and add Polish
src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
src: axgbe: gracefully handle i2c bus failures
src: bnxt: do not restart on VLAN changes
src: ice: do not restart on VLAN changes
src: net: do not overwrite VLAN PCP
src: net: remove VLAN metadata on PCP / VLAN encapsulation
src: if_vlan: always default to 802.1
src: iflib: fix panic during driver reload stress test
src: iflib: fix white space and reduce some line lengths
src: ixgbe: define IXGBE_LE32_TO_CPUS
src: ixgbe: check for fw_recovery
src: net80211: fail for unicast traffic without unicast key[4]
src: pcib: allocate the memory BAR with the MSI-X table[5]
ports: php 8.2.10[6]
ports: python 3.9.18[7]
ports: unbound 1.18.0[8]