Messages - Maurice

#1
German - Deutsch / Re: Unbound doesn't forward?!
September 15, 2025, 03:25:44 PM
Did you perhaps already query Unbound for intelli.domain.de before this entry was created in bind? Then NXDOMAIN is correct and ends up in Unbound's cache. When Unbound queries bind again depends on the TTL of the zone.

Regards
Maurice
#2
OPNsense 25.7.3 aarch64 packages and sets released.

[Update 2025-09-11]
Hotfix 25.7.3_4 released.

[Update 2025-09-11]
Hotfix 25.7.3_7 released.
#3
General Discussion / Re: Update to 25.1 stalled
September 09, 2025, 06:53:44 PM
Have you tried a different mirror?

Cheers
Maurice
#4
Nothing wrong with deploying ULAs, but treating IPv6 like IPv4 (private addresses NATed to a single public address) has a major caveat: When choosing a source address, clients always prefer IPv4 over a ULA (unless the destination is also a ULA). This means the IPv6 NAT will only get used for connecting to IPv6-only services. For dual-stack services, your clients will use IPv4. As a result, you'll see very little IPv6 Internet traffic with this setup.

So yes, better than nothing, but not a "fully modern dual-stack environment".
As a slight improvement, you can deploy your single delegated /64 in the "primary" LAN, while using NAT for the others.

Cheers
Maurice
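The address selection behaviour the post describes can be reproduced from the RFC 6724 default policy table. The following is an added example and not part of the post: it ranks a dual-stack service's addresses for a client that has only a ULA and an IPv4 address, applying destination Rule 5 (prefer matching label) ahead of Rule 6 (prefer higher precedence). Source selection is simplified to "the host's address of the destination's family", an assumption that holds for a host with one address per family; all addresses are constructed documentation values.

```python
import ipaddress

# RFC 6724, Section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (ipaddress.ip_network(p), prec, label) for p, prec, label in (
        ("::1/128", 50, 0),
        ("::/0", 40, 1),
        ("::ffff:0:0/96", 35, 4),   # IPv4 addresses, evaluated as IPv4-mapped IPv6
        ("2002::/16", 30, 2),
        ("2001::/32", 5, 5),
        ("fc00::/7", 3, 13),        # ULA: precedence below IPv4, a label only other ULAs share
        ("::/96", 1, 3),
        ("fec0::/10", 1, 11),
        ("3ffe::/16", 1, 12),
    )
]


def as_v6(addr):
    """IPv4 addresses are looked up as IPv4-mapped IPv6 addresses (RFC 6724, Section 2.1)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def policy(addr):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    ip = as_v6(addr)
    _net, prec, label = max(
        (row for row in POLICY_TABLE if ip in row[0]), key=lambda row: row[0].prefixlen
    )
    return prec, label


def pick_source(host_addrs, dest):
    """Simplified source selection (assumption): the host's address of the destination's
    family. The full RFC 6724 Section 5 algorithm only matters when a host has several
    candidates per family, which the scenario in the post does not have."""
    want = ipaddress.ip_address(dest).version
    for a in host_addrs:
        if ipaddress.ip_address(a).version == want:
            return a
    return None


def rank_destinations(host_addrs, dest_addrs):
    """Order a service's addresses the way RFC 6724 Section 6 does for the rules that
    decide this case: Rule 5 (prefer matching label) ahead of Rule 6 (prefer higher
    precedence); unusable destinations last; ties keep DNS order (stable sort)."""
    def key(dest):
        src = pick_source(host_addrs, dest)
        if src is None:                       # Rule 1: avoid unusable destinations
            return (-1, -1)
        d_prec, d_label = policy(dest)
        _, s_label = policy(src)
        return (1 if s_label == d_label else 0, d_prec)
    return sorted(dest_addrs, key=key, reverse=True)


def preferred_destination(host_addrs, dest_addrs):
    """The address a client will actually connect to."""
    return rank_destinations(host_addrs, dest_addrs)[0]


if __name__ == "__main__":
    service = ["2001:db8::1", "203.0.113.1"]        # constructed dual-stack service (AAAA + A)
    v6_only = ["2001:db8::2"]                      # constructed IPv6-only service
    ula_client = ["fd00:1234::10", "192.0.2.10"]   # ULA + IPv4, the NAT66 setup from the post
    gua_client = ["2001:db8:1::10", "192.0.2.10"]  # GUA from a delegated /64 + IPv4
    print("ULA client, dual-stack service ->", preferred_destination(ula_client, service))
    print("ULA client, IPv6-only service  ->", preferred_destination(ula_client, v6_only))
    print("GUA client, dual-stack service ->", preferred_destination(gua_client, service))
```

For the dual-stack service, the ULA client's IPv6 candidate fails Rule 5 (source label 13 against destination label 1) while the IPv4 pair matches (label 4 on both sides), so IPv4 is chosen and the NAT66 path stays idle. The IPv6-only service has a single usable candidate, so that is where the NAT gets used. Give the client a GUA from a delegated /64 instead and both candidates pass Rule 5, so Rule 6 picks IPv6 (precedence 40 over 35), which is why the "primary LAN on the real /64" variant sees far more IPv6 traffic.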
#5
... or put differently: That doesn't work. In OPNsense, RAs can only be sent from interfaces that have a static (or "tracking") IPv6 configuration.

Regards
Maurice
#6
Correct, opnsense-bootstrap only works on amd64. I thought about adapting it for aarch64 before, but that's currently very low priority.

It shouldn't be required though. You can convert a qcow2 image to a raw image (or build your own) and boot it bare metal.

What makes the VM images VM images is the file format (qcow2 / vhdx / ...). Other than that, there is nothing specifically "virtual" about them.

Cheers
Maurice
#7
The firewall aliases don't have an option for dynamic IPv6 prefixes yet (only hosts), so allowing a specific dynamic prefix isn't easily possible.

For many use cases, using 'any' should be okay.

Cheers
Maurice
#8
Please be aware that this little project is about OPNsense aarch64 sets and packages (as well as VM images), not about hardware-specific / bare-metal images.

As a first step, you'll have to do your own research about booting a general-purpose OS (BSD, Linux) on this appliance. If such a project exists or you figure it out yourself, then running OPNsense might be possible.

4 GB RAM is sufficient, I maintain some OPNsense systems with 2 GB or less for small setups.
#9
25.7 Series / Re: 25.7.2 shadowsocks broken
August 24, 2025, 08:53:51 PM
@eguun Let me guess what happened here:

os-shadowsocks-devel 1.2 (which uses shadowsocks-rust) was released about a month ago with 25.1.12. Since no issues were reported, it was now moved to production in 25.7.2.

Since you initiated the switch, expectations were that you test the devel version and report potential issues. It seems this didn't happen.

Probably a misunderstanding?

Cheers
Maurice
#10
OPNsense 25.7.2 aarch64 packages and sets released.
#11
Quote from: iTheMask on August 16, 2025, 12:23:54 PM
  • My main router (not OPNsense) only delegates a single /64 subnet and provides addresses via SLAAC only.

If it actually delegates a /64, set the OPNsense WAN IPv6 configuration type to DHCPv6 and the prefix delegation size to 64. "Track interface" should then work on the LAN interface.

Quote from: iTheMask on August 16, 2025, 12:23:54 PM
  • Currently, OPNsense itself gets a /128 via SLAAC from the main router.

A /128 WAN address actually indicates that it was assigned via DHCPv6 - SLAAC addresses are /64. But even if your main router provides addresses via SLAAC only, prefix delegation is independent from address assignment and always uses DHCPv6.

Quote from: iTheMask on August 16, 2025, 12:23:54 PM
  2. Worst case to get IPv6 connectivity via the /128 of OPNsense as NAT connection

Ugly, but possible. Works the same as IPv4 NAT: Assign a static address to the LAN interface and create an outbound NAT rule.

Cheers
Maurice
#12
See the help text for Redirect target port:

Quote: In case of a port range, specify the beginning port of the range (the end port will be calculated automatically).

Cheers
Maurice
#13
Interesting approach - VM on ARM64 SBC. I might consider this for my next home setup.

Nothing wrong with consolidating everything on a single / few device(s). Reduces power consumption and uses less space. I'd just recommend isolating services in VMs and / or containers.

Thanks for your feedback!
#14
Correct, the cloud shell requires an image with enabled serial console. That's why I created the fork in the first place. ;)
Launch mode "Paravirtualized" (the default setting) is correct. Also, setting the OS to "Generic Linux" is recommended (there is no *BSD option).

Cheers
Maurice
#15
Is the A record for local.mydomain.com a private (RFC1918) IP address? Unbound filters these (rebind protection). You can add it as a private domain in the advanced settings to allow private addresses.

Cheers
Maurice
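An added illustration of the filter the post refers to, written for this page and not taken from the post or from Unbound itself: answers that point into private address ranges are dropped unless the queried name falls under a private-domain entry, and such an entry also covers subdomains. The address ranges below are an assumed, typical set; the actual list is whatever the generated unbound.conf on your box contains. The names and records are constructed, and what Unbound returns once an answer has been emptied by the filter is not modelled.

```python
import ipaddress

# Assumed private-address set (RFC 1918, link-local, ULA); check your unbound.conf for the real list.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10",
)]


def in_private_domain(name, private_domains):
    """Unbound's private-domain directive covers the listed name and all of its subdomains."""
    labels = name.rstrip(".").lower().split(".")
    for pd in private_domains:
        pl = pd.rstrip(".").lower().split(".")
        if len(pl) <= len(labels) and labels[-len(pl):] == pl:
            return True
    return False


def filter_answer(name, records, private_domains=()):
    """Return the A/AAAA rdata that survives rebind protection for a query on `name`.

    If the name is under a private-domain entry the answer passes untouched; otherwise every
    record inside a private range is removed, which is what makes an internal A record such as
    local.mydomain.com -> 192.168.x.y "disappear" when resolved through Unbound.
    """
    if in_private_domain(name, private_domains):
        return list(records)
    kept = []
    for rr in records:
        ip = ipaddress.ip_address(rr)
        if any(ip in net for net in PRIVATE_ADDRESS):
            continue  # dropped by DNS rebinding protection
        kept.append(rr)
    return kept


if __name__ == "__main__":
    # Constructed sample answers.
    print(filter_answer("local.mydomain.com", ["192.168.1.10"]))                    # []
    print(filter_answer("local.mydomain.com", ["192.168.1.10"], ["mydomain.com"]))  # ['192.168.1.10']
    print(filter_answer("www.example.com", ["203.0.113.5", "10.0.0.5"]))            # ['203.0.113.5']
```

Adding mydomain.com as a private domain whitelists every name below it, not just local.mydomain.com, so scope the entry to the narrowest zone that actually needs private answers.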