Messages - Maurice

#1
The firewall aliases don't have an option for dynamic IPv6 prefixes yet (only hosts), so allowing a specific dynamic prefix isn't easily possible.

For many use cases, using 'any' should be okay.

Cheers
Maurice
#2
Please be aware that this little project is about OPNsense aarch64 sets and packages (as well as VM images), not about hardware-specific / bare-metal images.

As a first step, you'll have to do your own research about booting a general-purpose OS (BSD, Linux) on this appliance. If such a project exists or you figure it out yourself, then running OPNsense might be possible.

4 GB RAM is sufficient, I maintain some OPNsense systems with 2 GB or less for small setups.
#3
25.7 Series / Re: 25.7.2 shadowsocks broken
August 24, 2025, 08:53:51 PM
@eguun Let me guess what happened here:

os-shadowsocks-devel 1.2 (which uses shadowsocks-rust) was released about a month ago with 25.1.12. Since no issues were reported, it was now moved to production in 25.7.2.

Since you initiated the switch, expectations were that you test the devel version and report potential issues. It seems this didn't happen.

Probably a misunderstanding?

Cheers
Maurice
#4
OPNsense 25.7.2 aarch64 packages and sets released.
#5
Quote from: iTheMask on August 16, 2025, 12:23:54 PM
  • My main router (not OPNsense) only delegates a single /64 subnet and provides addresses via SLAAC only.

If it actually delegates a /64, set the OPNsense WAN IPv6 configuration type to DHCPv6 and the prefix delegation size to 64. "Track interface" should then work on the LAN interface.

Quote from: iTheMask on August 16, 2025, 12:23:54 PM
  • Currently, OPNsense itself gets a /128 via SLAAC from the main router.

A /128 WAN address actually indicates that it was assigned via DHCPv6 - SLAAC addresses are /64. But even if your main router provides addresses via SLAAC only, prefix delegation is independent from address assignment and always uses DHCPv6.

Quote from: iTheMask on August 16, 2025, 12:23:54 PM
2. Worst case to get IPv6 connectivity via the /128 of OPNsense as NAT connection

Ugly, but possible. Works the same as IPv4 NAT: Assign a static address to the LAN interface and create an outbound NAT rule.

Cheers
Maurice
#6
See the help text for Redirect target port:

Quote
In case of a port range, specify the beginning port of the range (the end port will be calculated automatically).

Cheers
Maurice
#7
Interesting approach - VM on ARM64 SBC. I might consider this for my next home setup.

Nothing wrong with consolidating everything on a single / few device(s). Reduces power consumption and uses less space. I'd just recommend isolating services in VMs and / or containers.

Thanks for your feedback!
#8
Correct, the cloud shell requires an image with enabled serial console. That's why I created the fork in the first place. ;)
Launch mode "Paravirtualized" (the default setting) is correct. Also, setting the OS to "Generic Linux" is recommended (there is no *BSD option).

Cheers
Maurice
#9
Is the A record for local.mydomain.com a private (RFC1918) IP address? Unbound filters these (rebind protection). You can add it as a private domain in the advanced settings to allow private addresses.

Cheers
Maurice
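
The rebind filtering described in the post above, as an added example that is not part of the original post and not Unbound's or OPNsense's own code. It is a simplified model: the function names, the sample hostnames and addresses are constructed, and only the three RFC 1918 ranges are checked.

```python
import ipaddress

# RFC 1918 ranges, as named in the post; a real resolver's list may be longer.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, a listed private domain."""
    labels = qname.rstrip(".").lower().split(".")
    for dom in private_domains:
        dom_labels = dom.rstrip(".").lower().split(".")
        # Compare whole labels so "evilmydomain.com" never matches "mydomain.com".
        if labels[-len(dom_labels):] == dom_labels:
            return True
    return False


def filter_answer(qname, addresses, private_domains=()):
    """Return the A records that survive rebind protection (simplified model).

    Private addresses are stripped from the answer unless the queried name
    falls under a domain that was explicitly allowed to hold them.
    """
    if in_private_domain(qname, private_domains):
        return list(addresses)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in RFC1918)]


if __name__ == "__main__":
    # Constructed sample answers: (queried name, A records, allowed private domains)
    cases = [
        ("local.mydomain.com", ["192.168.1.10"], []),
        ("local.mydomain.com", ["192.168.1.10"], ["mydomain.com"]),
        ("local.evilmydomain.com", ["10.0.0.5", "203.0.113.7"], ["mydomain.com"]),
    ]
    for qname, addrs, allowed in cases:
        kept = filter_answer(qname, addrs, allowed)
        print(f"{qname} allowed={allowed} -> {kept if kept else 'no addresses left'}")
```

An empty result in the first case is what the client sees as a failed lookup; listing the domain as private is a per-domain exception and leaves the filter active for every other name.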
#10
Simply set the desired theme on a running OPNsense system and check what is added to the config.xml.
#11
See https://github.com/opnsense/tools for how you can use the build option ADDITIONS to include additional packages.
As for making the theme default, you can edit src/etc/config.xml.sample (in opnsense/core) before building core.

Cheers
Maurice
#12
Hey Andrew,

Take a look at projects like https://github.com/matheusber/opnsense for hints on how to include the required driver.

Cheers
Maurice
#13
Packet captures are indeed a powerful tool to locate the issue. Try captures on all involved interfaces (gif, wan, lan) to see what shows up where. The OPNsense GUI has a neat packet capture feature btw. (Interfaces / Diagnostics).

Also, try pinging a target on the Internet from OPNsense itself, but with the source address set to the LAN interface address (which should be from your routed /64).
#14
OPNsense 25.7.1 aarch64 packages and sets released.

[Update 2025-08-01]
Hotfix 25.7.1_1 released.
#15
The OPNsense version of pkg is only meant to be used with the OPNsense repo.

Personally, I never use pkg update / upgrade on OPNsense build systems. When a new FreeBSD version is required (like 14.3 for 25.7), I set up a new build system. After that, I just keep the kernel / base system updated using freebsd-update.