Recent posts

#1
General Discussion / Re: Dell R620 as an OPNsense h...
Last post by coatmaker618 - Today at 05:07:36 AM
Updating that interface on the 25 GbE NIC works now; it was just a cable that got loose.
#2
26.1 Series / Can Unbound DNSSEC be used wit...
Last post by LemurTech - Today at 04:25:18 AM
I'm running OPNsense 26.1.1 with:
  • Unbound as the main DNS resolver (full recursion)
  • Dnsmasq for DHCP for two VLANs (1 and 12); DNS listening on port 53053
  • Windows AD domain: sarangan.lan (VLAN 1, AD DNS forwards to Unbound)

Internal DNS domains
  • sarangan.lan - Windows domain, VLAN 1
  • iot.lan - IoT devices, VLAN 12 - pointed to Unbound
  • infra.lan - APs, switches in both VLANs - pointed to Unbound

Architecture
  • VLAN 1 domain clients use AD DNS
  • DCs forward all non-AD queries to Unbound (192.168.2.1)
  • Unbound does full recursion for public domains
  • Domain Override in Unbound: iot.lan -> 127.0.0.1:53053 so Unbound forwards iot.lan to Dnsmasq
  • Dnsmasq has DHCP reservations with hostnames under iot.lan

Behavior
With DNSSEC disabled in Unbound, everything works:
  • somedevice.iot.lan resolves (from VLAN 1 or from OPNsense)
  • DCs forward iot.lan queries properly
  • Unbound forwards to Dnsmasq correctly

If I enable DNSSEC, resolution for iot.lan starts failing within 30 seconds:
  • Queries return NXDOMAIN
  • Disabling DNSSEC immediately fixes it

Example (works, then stops working):

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   emporia.iot.lan
Address: 192.168.12.86

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find emporia.iot.lan: NXDOMAIN

I've tried:

  • Adding iot.lan, infra.lan, and sarangan.lan to Insecure Domains (these seem to be added automatically in the config when forwarding to Dnsmasq is configured, but I added them anyway).
  • Disabling Strict QNAME Minimisation
  • Disabling DNSSEC hardening
  • Clearing caches
  • Restarting services

The issue persists as long as DNSSEC is enabled.

I have been all over the interwebs and have had long discussions with the AI oracles. Is it expected behavior that Unbound DNSSEC validation conflicts with forwarding a private, non-delegated TLD like .lan to Dnsmasq?
#3
General Discussion / An error has occured "Sorry Gu...
Last post by zz00mm - Today at 03:59:14 AM
All,
     My workstation that I use a VPN on is showing the following:

     An error has occured, Sorry Guest, you are banned from using this forum!
     The ban is not set to expire.

     I cleared the browser cache and it worked for a few minutes. Then the above appeared again.
 
     Am I doing anything wrong? How do I get questions answered regarding this?

Thanks
Zz00mm
#4
General Discussion / Are my dhcp starting and endin...
Last post by TrafficChaos - Today at 03:12:35 AM
Hi everyone.
I installed OPNsense and changed the IP from the default to 192.168.1.50.
Is there anything else I need to change?
When I look at my DHCP LAN settings
I see the available range is from 192.168.1.1-192.168.1.254,
yet the line below this shows from 192.168.1.100 to 192.168.1.199.
I find this confusing and do not know if I need to change anything,
given I changed the IP I log into OPNsense on from the default to 192.168.1.50.

Can anyone explain what these IPs above relate to and if they are OK?

Thanks to anyone who can help.
I will add a screenshot of what the above settings refer to on my system.
#5
Thanks OPNenthu!  It's a start.
I am indeed running coreboot and was unaware of this issue/TSB!

I am adding the Tunable and rebooting now and will report back.
#6
Are you running your VP2440 with coreboot or AMI?  If coreboot, there is an open TSB for the 2.5GbE ports related to ASPM:

https://protectli.com/news/vp2440-coreboot-issue/
https://kb.protectli.com/wp-content/uploads/sites/9/2025/12/TSB-2025-001_-VP2440-ASPM-Network-Performance-Issue_v1_1_0.pdf

Not sure if this is the issue in your case, though.
#7
Hello
Long time lurker, first time poster.

New to OPNsense but used pfSense for years.  I am pulling my hair out and need some advice.

Long story kinda short, I had my pfSense (Netgate SG-2100) using a selective routing setup to Mullvad via WireGuard (VPN1) for my primary VLAN (VLAN10), and I also ran a Raspberry Pi on VLAN 50. VLAN 50 did not use VPN1 but connected using the WireGuard client on the Raspberry Pi running Debian.
All worked fine and I could use my full bandwidth (I get ~400/10 from my ISP) to download files using a bittorrent client.

I migrated to an OPNsense (Protectli VP2440; running 26.1.1) and "moved the config over" (this may be a point of contention later but withhold judgment temporarily).  After some minor hiccups and new Rule changes that didn't adapt, I got everything running!  It is a beast and I love it!  Rock solid.... until... I fired up the Raspberry Pi.  Once I started downloading a file or two, and the bandwidth kicked up to over ~300Mbps, the whole WAN interface and both VPNs froze up.

I have attached an image of my setups as they progressed through my troubleshooting.  Original "known good" setup on pfSense/pre-migration to OPNsense: "Setup 1", "Setup 2" where I replaced the pfSense/Netgate with the OPNsense/Protectli, and "Setup 3" where I removed the managed switch from the equation.

I have tried many things on both the router and the bittorrent client (bandwidth shaping on router, MTU/MSS on both, bandwidth limits on bittorrent client; connection limits on bittorrent client) and once I start downloading any files that require the client to run for more than 2 minutes (e.g. 25GB+) it freezes the VPN2 connection.
Now, in Setup 2, all connections would lock up, in Setup 3, ONLY VPN2 locks up and the WAN and VPN1 stay connected.

I love troubleshooting so here are SOME of the steps I took. Stopping the download does not allow the VPN2 to self correct.  I started big and rebooted the router and all goes back to normal until I start a download again.
The ONLY step that seems to work short of a reboot is reloading the WAN DHCP interface in 'Interfaces: Overview' (or the newly found CLI 'configctl interface reconfigure wan' command).  I am not familiar enough with FreeBSD/OPNsense to know what all this command does, so I'm not quite sure what it's doing that fixes VPN2, but no other standalone command is able to fix it like this step.

A little more info: I have watched every log in the GUI and whichever ones I could set to "Debug" I did.  Nothing pops up OTHER than I seemed to notice a few more pf logs of "mismatched state" but wasn't sure if that was coincidence.  This hardware is overkill so my firewall states are not maxing out (maybe 2000 total at the time?), CPU remains around 10% usage and memory is about 10%, so I'm not hitting any max states or connections.  I removed the "virusprot" overload rules via "Disable rate limit rule" in "Firewall:Settings:Advanced".

Also, I watched my cable modem to see if any logs popped up there and nothing did. (which I wasn't sure they would in setup 3 because the WAN stayed active)

Now, to go back to my "moved the config over", I asked to withhold judgment because everything else works just like before. So I'm not sure what could be wrong with the config.

Any and all advice welcomed.  I'm truly mostly looking to help myself in maybe some info I don't have on what logs I may be able to watch as the issue is fairly easily reproducible.

(If more info is required, please let me know, I just didn't want to overload my initial post and hope this is enough for now.)
THANK YOU!
#8
German - Deutsch / Re: DHCP not running v.26.1
Last post by k0ns0l3 - Today at 01:39:49 AM
Quote from: Utopia on February 12, 2026, 02:09:42 PM
I had the same problem. After the update, DHCP no longer worked.
My Windows PCs no longer received IP addresses.
I then went to the "Services" menu, then to "Dnsmasq DNS&DHCP". In the "General" tab, under the "ISC / KEA DHCP (deprecated)" menu, the option "Register ISC DHCP4 leases" was not enabled. To me it looks as if this service was switched off with the new version.  I ticked the box there again and clicked "save". After that my Windows PCs received their IP addresses automatically via DHCP again.
I will keep an eye on it for a while, but apparently it seems to work again.

Thanks for the hint

Regards
#9
26.1 Series / Re: NAT Reflection / Hairpinni...
Last post by TheSHAD0W - Today at 01:29:12 AM
Wifi was broken in general for the 26.1 release. I'm surprised it was working for you. Try the latest update. You may need to delete and reinstall the wifi.
#10
26.1 Series / Re: DNAT auto firewall [Regist...
Last post by TheSHAD0W - Today at 12:48:34 AM
Note that a quick test using the "Register Rule" method on 26.1.2 was not successful; I'll dig further later...