OPNsense Forum

English Forums => 26.1 Series => Topic started by: chrisgtl on March 24, 2026, 11:34:43 AM

Title: Removed LAN interface and now strange things with DNS and NAT [SOLVED]
Post by: chrisgtl on March 24, 2026, 11:34:43 AM
This is baremetal. Running latest.

Yesterday, I decided to finally remove the LAN/Native VLAN from my homelab - I did this so my traffic would show up correctly across my VLANs.

My new management VLAN is at VLAN2 (parent ix1) = 10.10.2.0/24

I also have VLAN6 (parent ix1) = 10.10.6.0/24 & VLAN33 (parent ix1) = 10.10.33.0/24


When I removed the LAN (ix1), I noticed some odd entries in the Destination NAT for the WEBGUI and SSH anti-lockout. Both are now on VLAN6 and I can't change them to VLAN2. Is this because my VLAN6 now has the lowest OPTx identifier?

OPT1 = VLAN6
OPT2 = VLAN33
OPT3 = Wireguard
OPT4 = VLAN2

I tried to disable both Anti-Lockout rules, which removed the entries but once I re-enabled - they both came back as VLAN6 as before. I rebooted in-between too to make sure.


The other thing I am struggling with is resolving opnsense.internal to 10.10.2.1

If I SSH in to opnsense and ping host (7), opnsense.internal resolves to 10.10.6.1 instead of 10.10.2.1

I don't have WEBGUI or SSH enabled on all interfaces so I have to SSH in via the IP instead of hostname.


My DNS is Technitium docker on VLAN6 using port 53. DNSmasq is listening on all interfaces using port 53053. Everything resolves correctly apart from opnsense.

Title: Re: Removed LAN interface and now strange things with DNS and NAT
Post by: viragomann on March 24, 2026, 01:53:59 PM
Quote from: chrisgtl on March 24, 2026, 11:34:43 AM
When I removed the LAN (ix1), I noticed some odd entries in the Destination NAT for the WEBGUI and SSH anti-lockout. Both are now on VLAN6 and I can't change them to VLAN2. Is this because my VLAN6 now has the lowest OPTx identifier?

Specify the proper interface in System: Settings: Administration > Listen Interfaces.

Quote from: chrisgtl on March 24, 2026, 11:34:43 AM
My DNS is Technitium docker on VLAN6 using port 53. DNSmasq is listening on all interfaces using port 53053. Everything resolves correctly apart from opnsense.

Did you configure your DNS server in System: Settings: General?

Title: Re: Removed LAN interface and now strange things with DNS and NAT
Post by: chrisgtl on March 24, 2026, 02:41:20 PM
The interfaces were specified as VLAN2.

Yes, indeed my suspicions were correct. What I did was download a backup .xml and edit it so my VLAN2 was OPT1, VLAN6 OPT2, VLAN33 OPT3 etc.

Then spent about an hour changing all my broken firewall rules, NTP, DHCPs etc etc.....haha

Anyhow, both issues are now fixed. Shame we can't change OPT identifiers via WEBGUI - but then I guess it would break a lot of stuff without manual intervention.
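
The renumbering described in the last post, as an added example (not code from any poster in this thread or from the OPNsense project): it applies the OPTx swap in a single pass and lists every place an identifier was referenced, so each firewall rule or service binding can be reviewed instead of silently ending up on a different VLAN. The sample XML, the device names and the opt3 to opt4 move are constructed assumptions; a real config.xml has many more sections.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily simplified sample shaped like a config.xml backup.
SAMPLE = """<opnsense>
  <interfaces>
    <wan><if>ix0</if></wan>
    <opt1><if>vlan0.6</if><descr>VLAN6</descr></opt1>
    <opt2><if>vlan0.33</if><descr>VLAN33</descr></opt2>
    <opt3><if>wg0</if><descr>Wireguard</descr></opt3>
    <opt4><if>vlan0.2</if><descr>VLAN2</descr></opt4>
  </interfaces>
  <filter>
    <rule><interface>opt4</interface><descr>mgmt to firewall</descr></rule>
    <rule><interface>opt1,opt2</interface><descr>shared rule</descr></rule>
  </filter>
  <dhcpd><opt1><enable>1</enable></opt1></dhcpd>
</opnsense>"""

# Old identifier -> new identifier (VLAN2 becomes OPT1, as in the thread).
MAPPING = {"opt4": "opt1", "opt1": "opt2", "opt2": "opt3", "opt3": "opt4"}

def renumber(xml_text, mapping):
    """Apply all renames at once; return (new_xml, [(path, old, new), ...])."""
    root = ET.fromstring(xml_text)
    changes = []

    def walk(elem, path):
        for child in elem:
            where = f"{path}/{child.tag}"          # path uses the OLD name
            if child.tag in mapping:               # identifier used as element name
                changes.append((where, child.tag, mapping[child.tag]))
                child.tag = mapping[child.tag]
            # Leaf values may hold one identifier or a comma-separated list.
            tokens = [t.strip() for t in (child.text or "").split(",")]
            if len(child) == 0 and any(t in mapping for t in tokens):
                new = ",".join(mapping.get(t, t) for t in tokens)
                changes.append((where, ",".join(tokens), new))
                child.text = new
            walk(child, where)

    walk(root, root.tag)
    return ET.tostring(root, encoding="unicode"), changes

if __name__ == "__main__":
    new_xml, changes = renumber(SAMPLE, MAPPING)
    for path, old, new in changes:
        print(f"{path}: {old} -> {new}")
```

Because each token is looked up in the original mapping exactly once, chained swaps (opt4 to opt1 while opt1 moves to opt2) cannot collide.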