Topics - flushell

#1
I noticed an annoying (probably cosmetic) issue in my installation after migrating to the new rules, although it may have been present before the migration. I have multiple Port Forward rules, now called Destination NAT in 26.1. The screen with the rules is only 1.5 lines high, which is unusable. It is scrollable though. See screenshot. I also tried the light theme, but the issue is still there.
#2
I have setup Unbound with forwarding for my local domain to Dnsmasq per the docs: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
I have DNSSEC enabled in Unbound.

I noticed there is also a DNSSEC switch in the settings of Dnsmasq. If I switch this on, everything works the same as switched off. Is there any advantage or disadvantage switching this on in Dnsmasq? It seems useless to me, since it is for local lookups only... does it even do anything in this scenario?
#3
Is the setting "Register DHCP Static Mappings" in Unbound no longer needed if internal queries are forwarded to Dnsmasq and you don't use ISC DHCP? It is my understanding that this setting refers to static mappings in ISC DHCP (seems logical), but I did not find a definite answer and I can't test it because I haven't set this up yet. If so, maybe add this to the help description of this setting in Unbound.

EDIT: In the docs it's stated as "Register ISC DHCP Static Mappings": https://docs.opnsense.org/manual/unbound.html
That answers my question, but it's not the same text as in the Unbound Settings.

EDIT2: See this commit: https://github.com/opnsense/core/commit/139a3add4bb4360e2dda8f3251283e0173b0f980
Will be deleted as it's for Kea too.
#4
I'm moving to dnsmasq from ISC DHCP4/6. I will use Router Advertisements offered by dnsmasq and disable the other one in Services (seems more logical to me). In the dnsmasq docs under dhcpv6 and router advertisements found here it is stated:

Quote: Attention
With ra-stateless, clients will only generate a SLAAC address. If clients should additionally receive a DHCPv6 address, set slaac instead.

I wonder if this is correct (or maybe I do not understand this correctly).

I want clients to be able to use SLAAC and DHCPv6.

Per above statement I should set RA mode to slaac only (at least that's how I read this), while it seems to me that setting slaac and ra-stateless achieves this. Am I right, or is the statement right?
#5
I wanted a PF rule so all DNS / NTP traffic on my network not going to my OPNsense would be redirected to localhost (the OPNsense box itself) in order to transparently redirect this traffic. I have a dual stack (IPv4/IPv6) setup.

Easy enough for IPv4, for example DNS, but same for NTP (but different ports and only UDP).
I have allow rules for DNS / NTP under Firewall-Rules-WhateverInterface

NAT Port Forward:


  • Interface: Interfaces I want
  • TCP/IP: IPv4
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: 127.0.0.1
  • Redirect target Port: DNS

Works perfectly for IPv4.

For IPv6 however, I would expect that the only things I have to change are:
The 2nd one: TCP/IP: IPv6
The 7th one: Redirect target IP: Single host or Network: ::1

I found out this is not working. Unbound and Chrony, which I use for DNS/NTP, apparently bind on 127.0.0.1, but not on the IPv6 counterpart ::1.



I already found a workaround after too many hours of research and trying:


  • Under Interfaces-Virtual IP's make a virtual IPv6 ULA on the Loopback interface, for example fd08::1/128.
  • Restart Unbound and Chrony (they now bind to fd08::1/128).
Make a NAT Port Forward rule:


  • Interface: Interfaces I want
  • TCP/IP: IPv6
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: fd08::1/128
  • Redirect target Port: DNS

To make things easier you could also make an alias under Firewall-Aliases to fd08::1/128 or whatever ULA you choose.

All set and done. Posted this for the benefit of the earth but also: I can't handle that I don't understand why it doesn't work with ::1. Or did I accidentally find a bug (probably not)? Maybe someone here could explain that, so I can sleep and give my brain some rest.

Thanks and cheers!
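Added example, not code from the post above: the check a practitioner runs before blaming the NAT rule. A redirect only works if something is bound to the target address and port, so the script parses `sockstat -46l` output (FreeBSD/OPNsense) and reports whether a listener exists for each redirect target. The sample output below is constructed for the demo, not captured from a real box; fd08::1 is the ULA chosen in the post.

```python
"""Check whether a port-forward target actually has a listener.

Added example, not code from the post. It parses the output of
`sockstat -46l` (FreeBSD/OPNsense) and answers the question the post ran
into: a redirect to ::1 goes nowhere when the daemon is not bound there.
SAMPLE_SOCKSTAT is constructed for the demo, not captured from a real box.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  3  udp4   127.0.0.1:53          *:*
unbound  unbound    1234  4  tcp4   127.0.0.1:53          *:*
unbound  unbound    1234  5  udp6   fd08::1:53            *:*
unbound  unbound    1234  6  tcp6   fd08::1:53            *:*
_chrony  chronyd    2345  2  udp4   127.0.0.1:123         *:*
_chrony  chronyd    2345  3  udp6   fd08::1:123           *:*
root     sshd       456   4  tcp46  *:22                  *:*
"""


@dataclass(frozen=True)
class Listener:
    command: str
    proto: str                # "tcp" or "udp"
    families: FrozenSet[int]  # {4}, {6} or {4, 6}
    address: str              # literal address, or "*" for a wildcard bind
    port: int


def parse_sockstat(text: str) -> List[Listener]:
    """Parse `sockstat -46l` output; the first line is the column header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[4], parts[5]
        addr, _, port = local.rpartition(":")  # the last colon separates the port
        listeners.append(Listener(
            command=parts[1],
            proto=proto[:3],
            families=frozenset(int(c) for c in proto[3:]),  # "tcp46" -> {4, 6}
            address=addr,
            port=int(port),
        ))
    return listeners


def listener_for(listeners, target: str, port: int, proto: str) -> Optional[Listener]:
    """Return the socket that would accept traffic redirected to target:port, else None."""
    ip = ipaddress.ip_address(target)
    for l in listeners:
        if l.proto != proto or l.port != port or ip.version not in l.families:
            continue
        if l.address == "*" or ipaddress.ip_address(l.address) == ip:
            return l
    return None


def check_targets(listeners, targets):
    """targets: iterable of (address, port, proto); returns {target: listener present?}."""
    return {t: listener_for(listeners, *t) is not None for t in targets}


if __name__ == "__main__":
    ls = parse_sockstat(SAMPLE_SOCKSTAT)
    wanted = [("127.0.0.1", 53, "udp"), ("::1", 53, "udp"), ("fd08::1", 53, "udp"),
              ("127.0.0.1", 123, "udp"), ("::1", 123, "udp"), ("fd08::1", 123, "udp")]
    for (addr, port, proto), ok in check_targets(ls, wanted).items():
        state = "listener present" if ok else "NO listener, rdr to it would fail"
        print(f"{proto}/{port} -> {addr}: {state}")
```

On the firewall itself, run `sockstat -46l -p 53,123` and feed that output to `parse_sockstat` instead of the sample. With the sample data the ::1 targets come back with no listener while 127.0.0.1 and fd08::1 do, which is exactly the situation the post describes: the rdr rule is fine, the daemons simply are not bound to ::1.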
#6
Just updated to 24.1.1 and I spent the last 30 minutes looking for my IPv6 prefix assignment. I could usually view it in Interfaces-Overview-WAN, but I can't seem to find it now. I expanded it and looked at the details... Where is it?

Edit: This issue is already discussed here.
#7
23.7 Legacy Series / EOL OpenSSL 1.1.1 Sept 11 2023
September 12, 2023, 08:48:36 PM
OpenSSL has ended support for version 1.1.1 on Sept 11, 2023. OPNsense is on 1.1.1 and I think it's because FreeBSD stable is still stuck on 1.1.1. There are packages in ports for OpenSSL 3+ though...

People have been warning about this for some time now. When is the switch to 3.0 or 3.1 planned? Is it possible OPNsense goes ahead with it before FreeBSD does, or is that too complex? Couldn't find info on this subject, except that FreeBSD is planning it for 14.x somewhere in 2026! Shouldn't it be quite soon, because official support for 1.1.1 upstream has now come to an end?
#8
I had several PHP errors after installation of 22.7 (problem detected in GUI). One of them displayed here:

PHP Errors:
[31-Jul-2022 12:38:35 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20200930/mongodb.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so"), /usr/local/lib/php/20200930/mongodb.so.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so.so")) in Unknown on line 0


Turns out it was a leftover from Sensei (probably) I had once installed.
Logging in via SSH and doing a

pkg remove php74-pecl-mongodb

solved it. Thanks to the German forums.
Posting for reference.
#9
This bugged me for a long time and I cannot find a clear answer. Suppose I want a rule to give all devices on one VLAN access to one device on another VLAN - all ports, IPv4. You can make a rule like this:

  • Action: Pass
  • Interface: VLAN10
  • Protocol: IPv4
  • Source: any
  • Source Port: any
  • Destination: 192.168.20.10
  • Destination Port: any
  • Description: Allow VLAN 10 access to device

But in many tutorials I see this:

  • Action: Pass
  • Interface: VLAN10
  • Protocol: IPv4
  • Source: VLAN10_net
  • Source Port: any
  • Destination: 192.168.20.10
  • Destination Port: any
  • Description: Allow VLAN 10 access to device

It seems to me that both rules do exactly the same and that you could go for the first one. Why should you put VLAN10_net in there with the Source? The rule already applies to Interface VLAN10 only right?
#10

  • OPNSense is 10.0.0.1
  • I have PiHole IP in Settings-System-General-DNS Server: 10.0.4.2
  • OPNSense is DHCP server
  • I have Unbound on the OPNSense box for local resolution of DHCP handed out IP's. Forwarding Mode OFF.
    Deselected: Do not use the local DNS service as a nameserver for this system in Settings-System-General, so OPNSense asks local DNS first for Aliases and so on.
  • PiHole asks Unbound for local hostnames via Conditional Forwarding and talks to external DNS for all the other stuff

This works like a charm. I never see the OPNSense box in my PiHole logs asking for local hostnames.

However I had to reboot OPNSense and now I see OPNSense asking for local hostnames every 10 minutes in the PiHole log. Not a big problem, because PiHole simply asks Unbound and it is resolved via a small detour. But it is not the expected behaviour.

I checked /etc/resolv.conf and noticed only the PiHole IP is there. That is the explanation of this behaviour.

When I click Save once in Settings-System-General OPNSense, the issue is resolved and I can see that now both 127.0.0.1 and my PiHole IP are in /etc/resolv.conf

This could be a bug. I think that after a reboot /etc/resolv.conf should contain 127.0.0.1 as DNS server (besides the one mentioned in Settings-System-General-DNS Server) when "Do not use the local DNS service as a nameserver for this system" is deselected.

Or am I wrong?

OPNsense 20.7.7_1-amd64
FreeBSD 12.1-RELEASE-p11-HBSD
OpenSSL 1.1.1i 8 Dec 2020
#11
I noticed Interface Out errors (attachment) on my VLANs when they were very actively downloading. Tracked it down to Sensei. The errors only occur in non-Passive mode (both L3 native and generic). So, the errors stop occurring in Passive mode.

I have two VLANs and the errors do not occur on the parent LAN. Only the parent LAN is selected in Protected Interfaces. Everything is still in default mode (I'm testing this out), I have nothing blocked.

I tried to enable and disable VLAN Hardening in Interface settings, that did not help. Hardware CRC, TSO and LRO are disabled.

Opnsense is running in a qemu VM in Proxmox on a Dell Poweredge T330. The VM has two network cards assigned that are Linux Bridges of the original network cards, which are Broadcom Gigabit Ethernet BCM 5720.

Any ideas why the errors are occurring?
#12
I have a LAN, 2 (child) VLANS and OpenVPN.
My DNS Server (10.0.4.2) is on VLAN called VL_Serv (it's Pihole).
I wanted to ensure all DNS on my network goes to the DNS server, so I made a rule for that (see attachment).

The rule does what I want: if I try to do a DNS request to 1.1.1.1, I see it logged in my DNS server (so it is redirected).
However, when I set logging to Enabled on the rule and check the log, I see that this rule is always logged, even when I do a DNS request to 10.0.4.2. In my understanding, when I do a DNS request to 10.0.4.2 it shouldn't be logged, because it doesn't match the rule I made. Why is it matched/logged? It's probably something I don't understand...

#13
Zenarmor (Sensei) / Protected Interfaces: what to add?
January 03, 2021, 10:48:54 PM
Running latest OpnSense with Sensei 1.6.2
On Free right now, but will surely switch to paid if this works well. Just beginning.

I have LAN (vtnet0), that is parent to 2 VLANS (vtnet0_vlan10 and vtnet0_vlan20)
I have a OpenVPN Server running (ovpns1) to connect to my home network when away.
Most of my network traffic is going out via an OpenVPN client (I use ProtonVPN): ovpns2
Some clients are going out via normal WAN (Netflix hates VPN).

Which clients to add in protected interfaces?

I figured:

  • LAN (vtnet0) -- Then my 2 VLANs are protected too.
  • VPNServer (ovpns1)
Does this make sense?

Does it make sense to protect the ovpns2 interface? As it is a client, it is similar to the WAN interface, and WAN isn't protected either (as advised per the manual).
#14
I switched my OPNSense to LibreSSL, but I switched back to OpenSSL because I noticed very choppy internet after the switch to LibreSSL (I will investigate that problem later, no idea why that happened, but that is not why I'm writing this post).

I noticed that before the switch from OpenSSL to LibreSSL the Firmware Flavour was on default, so OpenSSL is/was the default. When I wanted to switch back from LibreSSL to OpenSSL I set Firmware Flavour back to default, but nothing happened after checking for updates. I had to switch to OpenSSL specifically. I tested some further and noticed that the new default was indeed LibreSSL and not OpenSSL.

Is this supposed to happen, or is this a bug?
#15
19.7 Legacy Series / How to actually use os-backup-api
August 12, 2019, 11:15:55 PM
I want to use the plugin os-backup-api, but I found a complete absence of documentation how to actually use it. I did find this, but I cannot find where to configure "key" and "secret" anywhere in the GUI. Is there any GUI element? Am I overlooking something? The documentation found here is not very helpful either. The "info" of the plugin is not helpful either, stating

Quote: Provide the functionality to download the config.xml

Can anyone point me in the right direction?
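Added example, not the plugin's own code or documentation, showing what a scripted download through the plugin from the post above would look like. Three things here are assumptions the post does not confirm and must be checked against the installed plugin: that the download endpoint is `GET /api/backup/backup/download`; that the "key" and "secret" are an ordinary OPNsense API key pair (generated per user under System > Access > Users, in the "API keys" section of the user, not in any plugin page); and that the pair is sent as HTTP Basic auth with the key as user name and the secret as password. Hostname, key and secret in the usage line are placeholders.

```python
"""Download config.xml through the API backup plugin.

Added example, not the plugin's code. Assumptions (see the lead-in): the
endpoint path, the API key/secret pair from System > Access > Users, and
HTTP Basic auth with key as user and secret as password.
"""
import base64
import ssl
import sys
import urllib.request

ENDPOINT = "/api/backup/backup/download"  # assumed path, verify against the plugin


def basic_auth_header(key: str, secret: str) -> str:
    """Build the Authorization value: key and secret joined by ':' and base64 encoded."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return "Basic " + token


def build_request(base_url: str, key: str, secret: str) -> urllib.request.Request:
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    req.add_header("Authorization", basic_auth_header(key, secret))
    return req


def looks_like_config(data: bytes) -> bool:
    """Cheap sanity check so an HTML login page or a JSON error is never saved as config.xml."""
    head = data.lstrip()[:64]
    return head.startswith(b"<?xml") or head.startswith(b"<opnsense")


def fetch_config(base_url: str, key: str, secret: str, out_path: str, cafile=None) -> int:
    """Fetch config.xml, write it to out_path and return the byte count.

    cafile: CA that signed the firewall's web certificate; None uses the system
    trust store. Do not turn verification off to "make it work": the response
    contains every secret in the firewall configuration.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_request(base_url, key, secret),
                                context=ctx, timeout=30) as resp:
        data = resp.read()
    if not looks_like_config(data):
        raise ValueError("response does not look like config.xml; check endpoint and credentials")
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: api_backup.py https://firewall.example.net KEY SECRET out.xml")
    print(fetch_config(*sys.argv[1:]), "bytes written")
```

The downloaded file holds the full configuration including password hashes, pre-shared keys and certificates, so store it with the same care as the API secret, and give the key used for this job a dedicated user with no other privileges.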
#16
General Discussion / [SOLVED] Rule order
January 21, 2019, 09:22:08 AM
I understand that rules are executed from top to bottom.
That is why "block" rules come after "allow" rules.

One thing is hard to grasp for me and I can't find the answer on internet or this forum (or maybe the answer is there, but I don't see it):

When I add a rule to the firewall for something to pass, let's say this simple rule:
- LAN segment pass all DNS (53).
And AFTER that:
- Specific host (but IN the LAN segment above) block DNS (53)

Will the second rule be effective? In my tests it is effective, so there's my answer. But shouldn't the rule execution STOP after the first rule (because it matched)... Am I missing something?

edit: typo
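Added example serving posts #9, #12 and #16 above (not code from any of the posts): a small evaluator with pf's ordering semantics, so the three questions can be tried out on paper. It models that filter rules are bound to an ingress interface and that "source any" also matches packets arriving on that interface from addresses outside its subnet (#9); that rdr translation runs before filtering, so the filter rule sees the translated destination and cannot tell a redirected query from a direct one (#12); and that rules are evaluated top to bottom, with a matching "quick" rule ending evaluation and the last match winning otherwise (#16). Interface names, addresses and rule sets are constructed for the demo; the default-deny when nothing matches, the "quick by default" of GUI rules, and the shape of the rule in #12 (a port forward like the one in #5 with an associated pass rule) are assumptions.

```python
"""Toy pf-style rule evaluator. Added example, not OPNsense or pf code.

Constructed interfaces, addresses and rules; default-deny and quick-by-default
are assumptions stated in the lead-in.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FilterRule:
    action: str                 # "pass" or "block"
    iface: str                  # interface the rule is bound to
    src: str = "any"            # "any", a host, or a CIDR network
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    quick: bool = True          # assumed default, as in the OPNsense GUI
    log: bool = False
    descr: str = ""


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    dport: int
    not_dst: str                # "Destination / Invert": redirect everything except this host
    target: str
    target_port: int


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def apply_rdr(pkt: Packet, rdr_rules: Sequence[RdrRule]) -> Packet:
    """Translation step: return the packet as the filter stage will see it."""
    for r in rdr_rules:
        if (r.iface, r.proto, r.dport) == (pkt.iface, pkt.proto, pkt.dport) \
                and not addr_matches(r.not_dst, pkt.dst):
            return Packet(pkt.iface, pkt.proto, pkt.src, r.target, r.target_port)
    return pkt


def evaluate(pkt: Packet, rules: Sequence[FilterRule],
             rdr_rules: Sequence[RdrRule] = ()) -> Tuple[str, Optional[FilterRule]]:
    """Return (action, deciding rule); no match means block (assumed default-deny)."""
    pkt = apply_rdr(pkt, rdr_rules)
    decision: Tuple[str, Optional[FilterRule]] = ("block", None)
    for rule in rules:
        if rule.iface != pkt.iface or rule.proto not in ("any", pkt.proto):
            continue
        if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        decision = (rule.action, rule)
        if rule.quick:
            break               # quick: first match ends evaluation
    return decision             # not quick: the last match stands


def is_logged(pkt: Packet, rules, rdr_rules=()) -> bool:
    """Only the deciding rule logs, so a packet is logged if that rule has log set."""
    _, rule = evaluate(pkt, rules, rdr_rules)
    return rule is not None and rule.log


if __name__ == "__main__":
    # #9: same packet from inside and from outside the VLAN10 subnet, same interface
    any_src = FilterRule("pass", "VLAN10", "any", "192.168.20.10", descr="source any")
    net_src = FilterRule("pass", "VLAN10", "192.168.10.0/24", "192.168.20.10", descr="VLAN10_net")
    inside = Packet("VLAN10", "tcp", "192.168.10.50", "192.168.20.10", 443)
    foreign = Packet("VLAN10", "tcp", "10.99.0.7", "192.168.20.10", 443)
    for p in (inside, foreign):
        print(p.src, "source any ->", evaluate(p, [any_src])[0],
              "| VLAN10_net ->", evaluate(p, [net_src])[0])
    # #16: pass for the segment, then block for one host, quick or not
    pass_dns = FilterRule("pass", "LAN", "192.168.1.0/24", "any", "udp", 53, quick=True)
    block_host = FilterRule("block", "LAN", "192.168.1.99", "any", "udp", 53)
    host = Packet("LAN", "udp", "192.168.1.99", "9.9.9.9", 53)
    print("quick pass then block ->", evaluate(host, [pass_dns, block_host])[0])
    # #12: the pass rule sees the post-rdr destination for both packets
    rdr = RdrRule("VLAN10", "udp", 53, "10.0.4.2", "10.0.4.2", 53)
    dns_pass = FilterRule("pass", "VLAN10", "any", "10.0.4.2", "udp", 53, log=True)
    for dst in ("1.1.1.1", "10.0.4.2"):
        p = Packet("VLAN10", "udp", "192.168.10.50", dst, 53)
        print("dns to", dst, "logged:", is_logged(p, [dns_pass], [rdr]))
```

With the "source any" rule, a packet that arrives on VLAN10 with a source address outside 192.168.10.0/24 (for instance from a downstream router or a misconfigured host on that segment) is passed; with VLAN10_net it is dropped, which is the only difference between the two rules in #9. For #16, the block after the pass only wins when the pass rule is not quick; with both quick, the first match decides. For #12, both the redirected and the direct query reach the filter stage with destination 10.0.4.2, so the associated pass rule matches and logs both.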
#17
I have 1 cron job (remote backup of config) set for running at 05:25 every day (25 5 * * *).
However, it runs every day at exactly 01:00.
I checked the server time: good
I restarted cron and I restarted the server, both without luck
Strangely, if I set this job to run a few minutes ahead of the current time (eg 15.30 when it's 15.28) it will run at that time exactly.

This instance is running as a VM in ESXi on a server.

Anyone else with this kind of problem? How to troubleshoot this further?

Edit:
Found out that no matter what time you put in: it will always run at 01.00.
According to crontab -l that is... is there a default cron for this job? When I delete it, the job stays.

Still: strangely, if I set this job to run a few minutes ahead of the current time (e.g. 15.30 when it's 15.28) it will run at that time exactly, although crontab -l shows it to run at 01.00...


#18
I have a working OpenVPN server on my up-to date OPNsense (18.7.4) box.
In the Firewall-Rules tab there are 2 instances related to this server:


1 OpenVPN
2 OpenVPNServer


1. there is a rule here to pass traffic from the tunnel to my LAN
2. is empty.

Furthermore:
2. corresponds to a interface with the same name.
This interface gets the first IP of my tunnel network (I don't know how it knows that, because the settings in the interface are empty).
I can disable this interface - and the VPN still works!
If I, however, check "Block Private Networks" in the interface settings: I can connect to the VPN but I can not use internet (everything seems blocked) - So it seems to have some sort of function.

Questions bothering me:
- What is the function of the Firewall instance of OpenVPNServer?
- What is the function of the OpenVPNServer interface and why can I disable it without consequence?
- How does the OpenVPNServer interface get its IP?