Messages - IsaacFL

#1
Running the default theme on OPNsense with the new iOS on an iPad, the OPNsense web page, latest version, has problems with the left panel not collapsing correctly. Also, when trying to move around in the right window, i.e. scrolling the firewall log, it kind of just floats around.
#2
Also, dnsmasq works as expected for IPv4, and Proxmox does the same in IPv4 too. It's just that dnsmasq as configured acts differently with IPv6.
#3
Quote from: Monviech (Cedrik) on September 04, 2025, 07:22:39 PM
I don't understand, isn't it good that it only responds via the GUA of the interface of the VLAN?

If you send a dns option via RA from DNSmasq it will automatically send the correct GUA to the clients via RRDNS.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

What's the issue? Is there some kind of use case you have that needs special configuration? Just use the above and it will just work (TM).

No, it's not good, because Proxmox overrides the DNS resolver of containers and replaces it with the address that Proxmox knows about, which in my case is on VLAN 10. So each container ends up using the router address of VLAN 10 regardless of what DHCP/RA tells it to use.

This was never an issue before, because Unbound works no matter which interface I point to, as long as my firewall rules pass DNS to "This Firewall" vs. "VLAN30 address".
#4
I tried the same series of tests using IPv4 and did not see what I am seeing with IPv6. I could query any of the IPv4 router addresses and get a good response.

#5
Quote from: Monviech (Cedrik) on September 04, 2025, 06:54:27 PM
Well this means Unbound is your primary resolver and it is responsible right now for the IPv6 traffic on port 53.

Yes, right now I had to switch it back to Unbound so everything still works, but I can still dig to dnsmasq via 53053.
#6
Now doing the same thing, but from an Ubuntu 24.04 server located on VLAN 20, querying the router address, also on VLAN 20:


root@test2:~# dig @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bedroom.mydomain.com.           IN      A

;; ANSWER SECTION:
bedroom.mydomain.com.    300     IN      A       10.23.20.102

;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb20::cccc#53053(2603:8001:2a00:fb20::faf3) (UDP)
;; WHEN: Thu Sep 04 10:01:35 PDT 2025
;; MSG SIZE  rcvd: 64

So it is still all good.

However, if I change to a different VLAN address, I get this:

root@test2:~# dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; no servers could be reached

My testing shows that basically, for any interface, it will respond on the router address of that interface, but I get a communications error for any other interface's router address.

I should note I do have a firewall rule allowing 53053 and logging it. I see in the logs that the firewall is passing the query.

I also get the same results on a Mac:

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

But it works on the same interface.
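The cross-VLAN check described in this post, as an added example that is not from the original thread: a stdlib-only Python script that builds a raw DNS A query and sends it to each candidate resolver address on a given port, reporting per address whether it answered (and with which rcode) or timed out, so one run from a client shows which router addresses the listener actually serves. The address list, port and query name are placeholders standing in for the redacted values above.

```python
import socket
import struct

# Constructed placeholders; the thread's real addresses and domain are redacted.
CANDIDATES = ["2603:aaaa:bbbb:fb20::cccc", "2603:aaaa:bbbb:fb30::cccc"]
PORT = 53053                      # non-standard listener port used in the thread
QNAME = "bedroom.mydomain.com"

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (no EDNS), recursion desired (RD)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("!B", len(p)) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_reply(data: bytes, expected_id: int) -> dict:
    """Return id match, QR bit, rcode name and answer count from a DNS header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcodes = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    return {
        "id_ok": qid == expected_id,
        "is_response": bool(flags & 0x8000),
        "rcode": rcodes.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def probe(addr: str, port: int, qname: str, timeout: float = 2.0) -> str:
    """Send one UDP query to addr:port; return a one-line verdict for that server."""
    qid = 0x1234
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname, qid), (addr, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return f"{addr}#{port}: timed out"   # the cross-VLAN symptom in the post
        except OSError as e:
            return f"{addr}#{port}: {e}"
    r = parse_reply(data, qid)
    if not (r["id_ok"] and r["is_response"]):
        return f"{addr}#{port}: unexpected reply (id or QR flag mismatch)"
    return f"{addr}#{port}: {r['rcode']}, {r['answers']} answer(s)"

if __name__ == "__main__":
    for a in CANDIDATES:
        print(probe(a, PORT, QNAME))
```

Run it once from a host on each VLAN; an address that answers only when queried from its own VLAN while the firewall log shows the packet passed points at the listener rather than the filter.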

#7
I am hiding the actual domain/IPv6 addresses, but this is using my router address on VLAN 30:

root@OPNsense:~ # dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a

; <<>> DiG 9.20.11 <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
; bedroom.mydomain.com.           IN      A

;; ANSWER SECTION:
bedroom.mydomain.com.    300     IN      A       10.23.20.102

;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb30::cccc#53053(2603:aaaa:bbbb:fb30::cccc) (UDP)
;; WHEN: Thu Sep 04 09:56:31 PDT 2025
;; MSG SIZE  rcvd: 64

I get the same results using any router interface. All is good from the router itself.
#8
On the OPNsense itself I get this for sockstat -l:

unbound  unbound    99237 5   udp6   *:53                  *:*
unbound  unbound    99237 6   tcp6   *:53                  *:*
unbound  unbound    99237 7   udp4   *:53                  *:*
unbound  unbound    99237 8   tcp4   *:53                  *:*
unbound  unbound    99237 9   udp6   *:53                  *:*
unbound  unbound    99237 10  tcp6   *:53                  *:*
unbound  unbound    99237 11  udp4   *:53                  *:*
unbound  unbound    99237 12  tcp4   *:53                  *:*
unbound  unbound    99237 13  udp6   *:53                  *:*
unbound  unbound    99237 14  tcp6   *:53                  *:*
unbound  unbound    99237 15  udp4   *:53                  *:*
unbound  unbound    99237 16  tcp4   *:53                  *:*
unbound  unbound    99237 17  udp6   *:53                  *:*
unbound  unbound    99237 18  tcp6   *:53                  *:*
unbound  unbound    99237 19  udp4   *:53                  *:*
unbound  unbound    99237 20  tcp4   *:53                  *:*
unbound  unbound    99237 21  tcp4   127.0.0.1:953         *:*
nobody   dnsmasq    47107 4   udp4   *:67                  *:*
nobody   dnsmasq    47107 8   udp6   *:547                 *:*
nobody   dnsmasq    47107 10  udp4   *:53053               *:*
nobody   dnsmasq    47107 11  tcp4   *:53053               *:*
nobody   dnsmasq    47107 12  udp6   *:53053               *:*
nobody   dnsmasq    47107 13  tcp6   *:53053               *:*
#9
I keep trying out dnsmasq with little success. I have a real domain, not .internal, and decided to try out dnsmasq in front of Unbound.

Per https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-as-primary-dns-resolver

It seemed to be working, but I am mostly an IPv6 network and noticed my Ubuntu 24.04 LTS servers were having DNS issues. They couldn't resolve the packages etc. These are IPv6 only, no IPv4. It is almost like dnsmasq does not respond on IPv6 only. The dual-stack clients were OK.
#10
Quote from: allan on September 01, 2025, 11:20:35 PM
My remaining certificates renewed this morning. Under "Services > ACME Client > Log Files > System Log tab", do you see a non-zero value for "AcmeClient: AcmeClient: The shell command returned exit code 'n'"? Are you able to cat out the file at the end of that line? On my error post above, it is /var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf. Until I hit Reset ACME Client, that file did not exist. You can also try increasing the ACME logging level from "normal" to "debug" before the next renewal.

I was able to cat all of them; at least now they are there, but yesterday I was massively deleting stuff and reinstalling the package. So who knows?

I have had this issue over many renewal cycles and finally just installed an Uptime Kuma monitor to check the certificates and notify me when they expire within 20 days. Then I manually update.

The OPNsense ACME experience is definitely not as smooth as my Proxmox servers' setup, which is so much better. Not sure what the difference is.
#11
I reset ACME, then changed the cron schedule, and it failed again. Neither did manually pressing Issue/Renew All Certificates work. Forcefully updating it did work, just like before.

Resetting ACME did not seem to help. I guess I will see what happens in 90 days.
#12
OK, I reset it. It implies that in the morning it will do the update at the scheduled time, and I will see then.
#13
Unbound no longer seems to be registering the OPNsense router's interface addresses other than the LAN interface.

From the console:
root@OPNsense:~ # dig opnsense.redacted.com a

; <<>> DiG 9.20.11 <<>> opnsense.redacted.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;opnsense.redacted.com.          IN      A

;; ANSWER SECTION:
opnsense.redacted.com.   3600    IN      A       10.23.60.1
opnsense.redacted.com.   3600    IN      A       xx.xx.xx.xx
opnsense.redacted.com.   3600    IN      A       10.23.255.1
opnsense.redacted.com.   3600    IN      A       10.23.10.1
opnsense.redacted.com.   3600    IN      A       10.23.20.1
opnsense.redacted.com.   3600    IN      A       10.23.30.1
opnsense.redacted.com.   3600    IN      A       10.23.40.1
opnsense.redacted.com.   3600    IN      A       10.23.50.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Aug 17 11:42:58 PDT 2025
;; MSG SIZE  rcvd: 177


Now a reverse lookup of the LAN interface looks as expected:

root@OPNsense:~ # dig -x 10.23.10.1

; <<>> DiG 9.20.11 <<>> -x 10.23.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.10.23.10.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
1.10.23.10.in-addr.arpa. 3600   IN      PTR     OPNsense.redacted.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Aug 17 11:34:21 PDT 2025
;; MSG SIZE  rcvd: 86

But when I do a reverse lookup on any other interface, it doesn't return the name of the router:
root@OPNsense:~ # dig -x 10.23.20.1

; <<>> DiG 9.20.11 <<>> -x 10.23.20.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26665
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.20.23.10.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Aug 17 11:35:03 PDT 2025
;; MSG SIZE  rcvd: 111

It acts the same way with IPv6.

This is recent, maybe after the last upgrade?

I have switched over to dnsmasq as the DHCP server, but I have not forwarded anything to dnsmasq as DNS.


#14
I noticed that my ACME client was failing. For the logs below I obfuscated my domain to MYDOMAIN.

I use Cloudflare with DNS-01 and a DNS API.

From the logs:

acme.sh [Mon Aug  4 00:03:00 PDT 2025] 'opnsense.MYDOMAIN.com' is not an issued domain, skipping.
opnsense AcmeClient: domain validation failed (dns01)
opnsense AcmeClient: validation for certificate failed: opnsense. MYDOMAIN.com


On the router, under Services: ACME Client: Certificates, I clicked the red square, Issue/Renew All Certificates.
It failed as it did this morning.

I clicked on the little circle arrow (Issue or Renew Certificate) that is on the same line as the existing certificate.
It updated the certificate with status OK.

So there is a difference between the auto update, Issue/Renew All Certificates, and the individual Renew.
Only the individual Renew works.


#15
You might check your configuration, as my road warrior WireGuard does work with IPv6. Many of my local servers are IPv6 only, and until recently I ran it as IPv6 only.

My ifconfig for wg does show IP addresses for IPv6 and IPv4 that are assigned by the WireGuard instance, which don't seem to be in yours.

wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
description: WG (opt1)
options=80000<LINKSTATE>
inet 10.XX.XX.1 netmask 0xffffff00
inet6 2603:xxxx:zzzz:yyyy::1 prefixlen 64
groups: wg wireguard
nd6 options=1<PERFORMNUD>

Those are the addresses I assigned as the tunnel address, so it seems odd that you don't have any.