Topics - 9ck

#1
Hi forum
I've been trying to identify why I sometimes lose WAN connection. I've ruled out my ISP. I'm losing WAN connectivity on both WiFi and LAN, but I can still access everything locally (OPNsense keeps on running). Reboot OPNsense and the WAN connection is usually back. I have a suspicion that it has something to do with our company PCs running VPN connections and that I've set up Unbound DNS in OPNsense. But I'm in over my head here. I've shared system logs with Copilot, which has been working on a reply since yesterday (12 logs).

I run OPNsense on a dedicated machine (Protectli) as the only thing on it. I have a Unifi USW Pro24PoE as main switch. To this I have a Unifi USWPro24 and a Unifi FlexMini connected. Three Unifi APs connected to the main switch. All DNS and DHCP handled by OPNsense with Unbound DNS enabled and "locked down" so it will not forward any other DNS requests. Set up to use Quad9. LAN split up into several VLANs.

Some of the things that I notice in the system log:
2025-07-21T14:23:58 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:23:57 Critical dhclient exiting.
2025-07-21T14:23:57 Error dhclient connection closed
2025-07-21T14:23:57 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp(,inet6,[lan]))
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(igc0)
2025-07-21T14:23:56 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure newwanip:rfc2136 (,[wan])
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : ntpd_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : dhcrelay_configure_if(,[wan],inet))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (,[wan],inet)
...
2025-07-21T14:23:09 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '83515''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 83515: No such process'
2025-07-21T14:23:09 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:23:09 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:23:09 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '83515''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 83515: No such process'
2025-07-21T14:23:09 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:23:06 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igc0.pid' 'igc0'' returned exit code '1', the output was 'igc0: no link .............. giving up'
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:22:55 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '70234''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 70234: No such process'
2025-07-21T14:22:55 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:22:55 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '70234''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 70234: No such process'
2025-07-21T14:22:55 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:22:00 Notice dhclient dhclient-script: Reason REBOOT on igc0 executing
2025-07-21T14:21:59 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:58 Error dhclient send_packet: Network is down
2025-07-21T14:21:57 Error dhclient send_packet: Network is down
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:55 Error dhclient send_packet: Network is down
2025-07-21T14:21:53 Error dhclient send_packet: Network is down
2025-07-21T14:21:52 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:52 Notice dhclient dhclient-script: Reason PREINIT on igc0 executing
2025-07-21T14:21:51 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:45 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:44 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:21:29 Critical dhclient exiting.
2025-07-21T14:21:29 Error dhclient connection closed
2025-07-21T14:21:29 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp(,inet6,[lan]))
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(igc0)
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure newwanip:rfc2136 (,[wan])
2025-07-21T14:21:27 Notice kernel <6>igc0: link state changed to DOWN

Since I've used Copilot with varying success in the past, I would really appreciate it if someone could "qualify" the reply I've got. Here is the breakdown from Copilot. I realize it's not fair to ask for a specific reply with the lack of insight, but most of you probably have an opinion on the reply from Copilot and maybe someone has been in a similar situation.

🔍 What the Logs Reveal (Crash Patterns)
Across nearly every incident:
  • WAN Interface Flapping (igc0): Link goes DOWN → UP in rapid succession, often within seconds.
  • DHCP Struggles: dhclient fails to send packets (Network is down) just as interface recovery begins.
  • Plugin Overload: rc.linkup and rc.newwanip trigger multiple plugin reconfigurations (Unbound, VPN, DNS, Monitor) before the link is stable.
  • Resolver Turmoil: Unbound is caught mid-crash—trying to forward DNS while upstream hasn't recovered.

And in several logs:
  • Client Triggers Detected: Either from your company PC or Teams—DNS requests or TCP resets right as WAN begins recovering.

🧠 Root Cause Themes
Root Cause                     Frequency  Example Trigger
Link-State Flapping            High       igc0: link state changed to DOWN
DHCP Reinitialization Failure  High       send_packet: Network is down
Plugin Execution Race          Medium     plugins_configure dns, ipsec
Early Client DNS Requests      Medium     Resets from PC during bootup
Unbound Restart Mid-Recovery   Medium     unbound_configure_do()

✅ What You Can Do
1. Tame the Interface
  • In OPNsense, go to Interfaces → WAN → Advanced
  • Set Link Up Delay to ~5 seconds to avoid plugin races
  • Enable Prevent interface flapping logic if available
2. Stagger Plugin Execution
  • Use System → Settings → Tunables to defer DNS resolver and VPN plugin execution until WAN is confirmed UP
  • Consider custom script delays for Unbound reloads
3. Isolate Company Devices
  • Create a separate VLAN for corporate PCs
  • In Unbound, disable DNS over TCP for that VLAN (use port override to reject encrypted queries if needed)
4. Fortify DHCP Recovery
  • Add retry-delay and initial-delay tweaks to dhclient.conf (can stabilize lease recovery after link events)
5. Monitor Client Behavior
  • Packet capture during bootup—look for TCP resets or malformed DNS requests
  • Sandbox MS Teams: test with and without the app running to compare crash likelihood

💡 Next Steps
If you want, I can build:
  • A custom Unbound config for resilient DNS per VLAN
  • A shell script to re-sequence plugin executions
  • A diagnostic dashboard to catch crash patterns early

I will appreciate any help provided.
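One way to check Copilot's "link flapping" and "DHCP struggles" claims against the raw log instead of taking them on trust, as an added example that is not part of the original post: a small parser over lines in the System Log format quoted above, which counts link-state changes per interface inside a sliding window and ties dhclient Error/Critical lines to a preceding link change. The sample lines are constructed here from the post's format; the window, threshold and grace values are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the OPNsense System Log format quoted in the post (newest first, as exported).
SAMPLE_LOG = """\
2025-07-21T14:23:57 Critical dhclient exiting.
2025-07-21T14:23:06 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igc0.pid' 'igc0'' returned exit code '1', the output was 'igc0: no link .............. giving up'
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:53 Error dhclient send_packet: Network is down
2025-07-21T14:21:51 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:27 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T10:05:00 Error dhclient send_packet: Network is down
"""
LINK_RE = re.compile(r"^(\S+) \w+ kernel <\d+>(\w+): link state changed to (UP|DOWN)$")
DHCP_RE = re.compile(r"^(\S+) (?:Error|Critical) (.*dhclient.*)$")

def parse_link_events(text):
    """Return {iface: [(timestamp, state), ...]} sorted oldest first."""
    events = defaultdict(list)
    for m in filter(None, map(LINK_RE.match, text.splitlines())):
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    return {iface: sorted(ev) for iface, ev in events.items()}

def max_changes_in_window(times, window_s):  # most link-state changes in any window_s-second span
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window_s):
            start += 1
        best = max(best, end - start + 1)
    return best

def correlate_dhcp_errors(text, events, grace_s):
    """Split dhclient Error/Critical lines by whether a link change preceded them within grace_s."""
    link_times = [t for ev in events.values() for t, _ in ev]
    near, far = [], []
    for m in filter(None, map(DHCP_RE.match, text.splitlines())):
        ts = datetime.fromisoformat(m.group(1))
        hit = any(timedelta(0) <= ts - lt <= timedelta(seconds=grace_s) for lt in link_times)
        (near if hit else far).append((ts, m.group(2)))
    return near, far

def summarize(text, window_s=60, threshold=3, grace_s=120):  # flapping ifaces + dhclient errors tied to a flap
    events = parse_link_events(text)
    flapping = {i: n for i, ev in events.items()
                if (n := max_changes_in_window([t for t, _ in ev], window_s)) >= threshold}
    near, far = correlate_dhcp_errors(text, events, grace_s)
    return {"flapping": flapping, "dhcp_errors_after_link_change": len(near), "dhcp_errors_unrelated": len(far)}
```

Run it over a full System Log export (oldest or newest first, it sorts either way) and the "flapping" entry tells you whether igc0 really cycles several times a minute before dhclient gives up, which is the point to verify before touching Unbound or VLANs.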
#2
Trying to get Wireguard to work on my son's PC from his place. I have the Wireguard server running in OPNsense at my place. I've set up a client on my son's PC and there is a handshake and Wireguard is active (green) on his PC, but he has no internet access.

The client is set up with
DNS servers 9.9.9.9 and 149.112.1.12.112.
Allowed IPs 0.0.0.0/0

I'm using a Unifi Express at his place which I've set up without the router that his ISP did provide - just not to have all this equipment running. In order to get this to work I had to tag all outbound traffic with VLAN107.

I'm now in doubt whether the connectivity issue is due to the VLAN tag, or it has something to do with my firewall settings at my end, or that I would need to tag outbound traffic from the server. As you can understand from this, I'm not that familiar with how VPNs work (flow of traffic etc.).

The Unifi router isn't easily accessible; that's why I didn't test with the ISP-provided router in bridge mode (but this would of course be something to do next time I visit him).

Appreciate any help trying to troubleshoot this issue. I'm also an OPNsense novice... TIA.
#3
General Discussion / Firewall and company VPN
March 20, 2023, 04:51:15 PM
Hi forum
I've set up firewall rules to reject/block connections to the RFC1918 range, but my wife and I often work from home and use a secure VPN connection to log into our company networks. It's working right now, but I see a lot of rejected requests because the source (company PC) is trying to reach a destination within the RFC1918 range. What would best practice be in this situation? Separate VLAN with no rules blocking the RFC1918 range?
#4
Hi forum
As a novice I'm looking for help to debug/identify my issue and confirm "correct" settings. My WAN connection has begun to drop out repeatedly - 5th time today. It has happened once before in the 1 - 2 weeks I've had OPNsense up and running. I haven't made any changes to my setup today (or in the last week or so). Running OPNsense version 23.1.3_4 on a Protectli.

I notice the "Router Advertisement Daemon" status changes to "OFF". One time I restarted it, the "Unbound DNS" service changed to "OFF". The service keeps turning "OFF". I'm inclined to believe my issue is connected to this service, but I'm not sure at all.

The System Log File General shows the "Warning opnsense /usr/local/etc/rc.linkup: hcpd_radvd_configure(auto) found no suitable IPv6 address on igc1".

My ISP provides a dynamic IPv4 address - not sure if they support IPv6. My knowledge of best practice when it comes down to IPv6 is very limited.

IPv6 is not enabled in "Services/DHCPv6/Relay".

I've set up "Unbound DNS" and "DNS over TLS" using Quad9 as nameserver.
Admittedly I've enabled both the Quad9 IPv4 and IPv6 addresses.
In "Unbound/General" I've checked "IPv6 Link-Local/Register IPv6 link-local addresses".

In "Interfaces/WAN/" I had the "IPv6 Configuration Type" set to "DHCPv6".

I've set up floating firewall rules to only allow DNS requests to "This firewall" and block other DNS requests. Maybe "This firewall" should be replaced with "127.0.0.1"? See attached Billede1 (picture 1).

I've set up a Port Forwarding rule to redirect DNS requests to the local DNS server. Not sure if I should include port 853 here. See attached Billede2 (picture 2).

I'll contact my ISP to see if they had issues, but the modem indicates that everything should be fine.

PS: How do I insert an image? I get the icon and the "frames" but what then...?

#5
Hi forum
New to OPNsense and DNS over TLS. I get this line in my logfile under debug "[92375:3] info: Verified that unsigned response is INSECURE" and I'm not sure what to make of this "warning".

In > Unbound DNS > DNS over TLS, I've set up and enabled two services.
Enabled: Checked
Domain: Blank
Address: 1.1.1.2 and 1.0.0.2 (respectively)
Port: 853
Hostname: security.cloudflare-dns.com

In > Unbound DNS > General
Enabled: Checked
Listen port: 53
Network Interfaces: All
DNSSEC: Checked
IPv6 Link-local: Checked

In > Unbound DNS > Advanced
Harden DNSSEC Data: Checked
Log Queries: Checked
Log Level Verbosity: Level 2

In > Services > DHCPv4 and the respective LAN and VLANs
DNS Servers: Blank

In > System > Settings > General
DNS Servers: Blank

Am I missing something? What's causing this prompt in the log?