Messages - jcdick1

#1
26.1, 26,4 Series / Re: IPv6 weirdness
April 20, 2026, 05:19:14 PM
Quote from: nero355 on April 20, 2026, 02:37:43 PM
Another option is that it's an Android phone that works only with SLAAC in most cases if not all of them!
In that case you need radvd when using KEA.

Please also note that KEA is not the best choice when you have a Dynamic IPv6 Prefix that can change often.
DNSmasqd is the better choice in that case!

It is an Android phone.  It shows up in the DHCPv4 just fine.

I will look at converting to DNSMasq, which could also solve the DNS resolution of DHCP clients (ISC->Unbound like).

The TBR getting an IP issue was finally resolved by finding out that it is a 100Mb device, which my primary switch can't do (1-10-40 only). I had to plug it into an older 5-port desktop switch and uplink it.

Thanks all for the info and help!
#2
26.1, 26,4 Series / Re: IPv6 weirdness
April 20, 2026, 07:50:29 AM
In response to all this - and perhaps some additional weirdness in the hypervisor related to VIF association - I just spun up a new VM and installed a fresh OPNsense.  My install mentioned in the OP has been upgraded version to version for a good number of years.

Now, my NAT rules don't work despite matching my previous install's config (and simply swapping back to the other VM router makes hosted services available again) and the KEA DHCPv6 leases are listing under "WAN" instead of "Management" this time.  I've got some leases going out with no client MAC address listed on the KEA leases page, and my new TBR for my IoT is still apparently not getting an IP.

I've got one device - a mobile phone - that is getting an IPv4 address, but is generating these Warning log entries in KEA DHCPv6:

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: no pools were available for the lease allocation

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)

There's a bunch of them, over and over, for that one device.  Other devices that are apparently not getting IPv6 addresses are not showing in the logs at all, when searching for their MACs.

I only have IPv6 on the one LAN interface due to only receiving a single /64 from upstream; that's the only interface KEA DHCPv6 is enabled on, and it's all just ... weird.
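As an added illustration that is not part of this thread, the following Python snippet parses kea-dhcp6 allocation-failure warnings in the format quoted above and groups them per client DUID, so that clients hitting NO_POOLS (KEA found no address pool for the subnet/class it put them in) stand out from other failures. The first three sample lines are the ones quoted in the post; the fourth DUID and the final non-failure line are constructed, and the syslog prefix layout is assumed from the post.

```python
import re
from collections import defaultdict

# Matches the kea-dhcp6 alloc-engine warnings quoted above; the "<ISO ts> Warning kea-dhcp6 WARN [<logger>]" prefix is assumed from the post.
KEA_ALLOC_RE = re.compile(
    r"^(?P<ts>\S+)\s+Warning\s+kea-dhcp6\s*WARN\s+\[[^\]]+\]\s+"
    r"(?P<code>ALLOC_ENGINE_V6_ALLOC_FAIL\w*)\s+duid=\[(?P<duid>[0-9a-f:]+)\],\s+"
    r"\[(?P<hw>[^\]]*)\],\s+tid=(?P<tid>0x[0-9a-f]+):\s+(?P<msg>.*)$"
)
SUBNET_RE = re.compile(r"subnet\s+(?P<subnet>[0-9a-f:]+/\d+),\s+subnet-id\s+(?P<sid>\d+)")

def parse_kea_alloc_failures(lines):
    """One dict per ALLOC_FAIL warning (ts, code, duid, tid, subnet); other lines are ignored."""
    events = []
    for line in lines:
        m = KEA_ALLOC_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        s = SUBNET_RE.search(ev["msg"])
        ev["subnet"] = s.group("subnet") if s else None
        ev["subnet_id"] = int(s.group("sid")) if s else None
        events.append(ev)
    return events

def summarize_by_client(events):
    """Group failures per DUID: total count, reason codes seen, subnets and transaction ids."""
    out = defaultdict(lambda: {"count": 0, "codes": set(), "subnets": set(), "tids": set()})
    for ev in events:
        c = out[ev["duid"]]
        c["count"] += 1
        c["codes"].add(ev["code"])
        c["tids"].add(ev["tid"])
        if ev["subnet"]:
            c["subnets"].add(ev["subnet"])
    return dict(out)

def clients_without_pool(summary):
    """DUIDs that hit NO_POOLS: KEA matched no address pool for the subnet/class it put them in."""
    return sorted(d for d, c in summary.items() if "ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS" in c["codes"])

# Sample input: the three lines quoted in the post, plus a constructed second DUID and a constructed non-failure line.
SAMPLE_LOG = """\
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: no pools were available for the lease allocation
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)
2026-04-20T00:26:02-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:01:00:01:aa:bb:cc:dd:00:11:22:33:44:55], [no hwaddr info], tid=0x1a2b3c: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)
2026-04-20T00:26:03-05:00 Notice kea-dhcp6 INFO [kea-dhcp6.dhcpsrv.0x3b7ead86c008] constructed non-failure line, ignored by the parser
"""
```

Feed it the KEA DHCPv6 log export and compare the reported subnet against the pools actually configured on the LAN interface; a client listed by clients_without_pool is being placed in a subnet (or class) that has no pool to hand out.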
#3
26.1, 26,4 Series / IPv6 weirdness
April 19, 2026, 03:15:50 AM
I am running OPNsense in an XCP-NG VM, and I am seeing some genuine weirdness going on.

I have four interfaces labelled WAN, LAN, Management and Storage. 

Some VMs in my environment have only a single interface on the LAN network, others have some combination of the three. Physical devices (PCs, streaming devices, etc) are all on the LAN network.

The Management and Storage networks have firewall rules to keep them isolated - for all intents and purposes, unrouted.

KEA is configured to only have its DHCPv6 server active on the LAN network (only interface with a checkbox in the dropdown).  But its "Leases DHCPv6" page is showing active leases on the "Management" interface.  And on the hosts, those corresponding IPv6 addresses are showing on their LAN-associated interface.  At the same time, some devices on the LAN network cannot get IPv6 addresses.

Even after the latest upgrade, I still have ISC doing the IPv4, as I am fairly dependent on the Unbound relationship for DHCP lease DNS resolution.

This IPv6 stuff is genuinely a headache for me.  But since Matter devices require IPv6, I have to figure this all out.

I'd like to put IPv6 on all my interfaces and then it probably wouldn't matter since there'd be addresses available all over, but I can only get a single /64 from my ISP (AT&T).

Any insight or assistance is appreciated.  Thank you!

#4
23.7 Legacy Series / Re: Prometheus node exporter plugin
November 15, 2023, 01:37:22 AM
Nothing shows as listening on port 9100 in sockstat. 

I'm guessing I have to enable the plugin, but every file seemingly associated either says "Don't edit" or doesn't exist.
#5
23.7 Legacy Series / Prometheus node exporter plugin
November 14, 2023, 10:47:58 PM
I'm trying to get the os-node_exporter plugin working.  It is listed as installed in the plugins tab.  However, I see no indication that it is running.  It is not listed on the homepage.  I don't see anything about it in a process list.  The file /etc/rc.conf.d/node_exporter explicitly states not to edit it, but its one line is

node_exporter_enable="NO"

The node_exporter file I happened to find in /usr/local/etc says to add lines to /etc/rc.conf.local or /etc/rc.conf to enable it, but neither of those files exists for any other services.  Do I create them? Does it need some sort of bracketed identifier inside to say "These options are for the Prometheus node_exporter"?

Also, once it's running, will I need to create a firewall rule to allow my Prometheus instance to scrape it for stats?

It is very confusing behind the scenes with this.

Thanks for any assistance.
#6
23.1 Legacy Series / Re: os-xen 1.2_1 not detected
March 29, 2023, 04:56:27 AM
Excellent, thank you!
#7
23.1 Legacy Series / os-xen 1.2_1 not detected
March 28, 2023, 05:19:30 AM
I have OPNsense 23.1.4_1-amd64 running under XCP-NG 8.2.1 and have the os-xen 1.2_1 guest utilities installed, which apparently is the latest, as no update is available.  However, XCP and Xen Orchestra report no guest utilities installed, and there is no os-xen service listed on the dashboard for start/restart/stop.  There are a couple of processes running that would seem to be xen-related:

0    16     0 3 -16  0       0     16 waitev   SL    -      0:19.78 [xenwatch]
0    17     0 2 -16  0       0     16 xbread   IL    -      0:00.05 [xenstore_rcv]
but again, the hypervisor isn't seeing them installed.

Any ideas on getting the hypervisor to recognize the tools?  I need to migrate my router VM to another host so I can patch.

Thanks!
#8
22.7 Legacy Series / Netdata monitoring assistance
October 02, 2022, 10:38:37 PM
I'm on 22.7.4 and have the netdata plugin enabled.  I set it to be bound to the LAN interface.  Sockstat shows that netdata is listening on the LAN interface on port 19999, but trying to access the URL times out.

I figure I need to make sure it's working locally before troubleshooting why it's not sending to the configured backend.

Any suggestions are appreciated.
#9
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 26, 2022, 03:46:11 AM
If someone could let me know where the files go, I could manually download and place them on the router, and restart Unbound.
#10
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 25, 2022, 06:22:29 PM
Doing that curl command dumps out the file, and I'm able to check for opnsense updates on the repo which requires it, so name resolution seems to be working.
#11
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 25, 2022, 12:36:17 AM
Might anyone know where the files are for the built-in DNSBLs?  Perhaps I can get in there and check why it can't find them to refresh.  I don't know for sure, but the error seems like it is trying to resolve just a base path, and not a full URL.
#12
22.1 Legacy Series / Unbound DNSBL update errors
March 19, 2022, 08:36:04 PM
I have Unbound DNSBL enabled, and a selection of the built-in blocklists set in Cron to update once a day.  However, I get this error for each of the blocklists when it tries to update:

2022-02-21T16:18:21-06:00 Error unbound blocklist download : unable to download file from https://adaway.org/hosts.txt (error : HTTPSConnectionPool(host='adaway.org', port=443): Max retries exceeded with url: /hosts.txt (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca850>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

2022-02-21T16:17:20-06:00 Error unbound blocklist download : unable to download file from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /StevenBlack/hosts/master/hosts (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca460>: Failed to establish a new connection: [Errno 8] Name does not resolve')))
Is there some configuration I might have missed beyond the checkmark in the Unbound DNSBL config, and adding the Cron job?  I don't have any custom blocklist URLs or such.

Any insight is appreciated.
#13
22.1 Legacy Series / AT&T and IPv6
February 09, 2022, 03:35:16 AM
I recently upgraded my router to 22.1 and also got AT&T fiber.  My RG is in passthrough mode so my OPNsense router gets the public IP.

I'd like to get IPv6 working properly, and have found a couple of threads from a year or more ago regarding changes to the dhcp6 conf file for multiple ia-pd and id-assoc entries to get multiple /64 delegations, for pfsense.

https://forum.netgate.com/topic/153288/multiple-ipv6-prefix-delegation-over-at-t-residential-gateway-for-pfsense-2-4-5

https://forums.att.com/conversations/att-fiber-equipment/ipv6-prefix-delegation-to-3rd-party-router-not-working-2020-edition/5e98da19fd08354359ccd447?commentId=5e9b3ea5758fed7722fd4361&replyId=5eb1a6b372a09d7a3fc8f1fb

I just wanted to check with anyone who might be able to confirm that this is proper for OPNsense 22.1 before I go mucking about in the conf files manually.

Thanks!
#14
21.7 Legacy Series / Blank netdata
August 26, 2021, 04:20:09 AM
I installed the netdata plugin on my router with the intent of ultimately feeding the data to a backend DB and making a Grafana display.

However, before I do that, I'd like to ensure that netdata itself is working properly.  But all I have is a blank grey screen that says "Netdata - Real-time performance monitoring done right!" at http://router:19999.

It has no graphs or menus or any other elements.

Could someone perhaps point me toward what configs might need to be tweaked to get some sort of display out of it?

The settings in the OPNsense menu are Enabled / Listen address:  127.0.0.1  /  Listen port: 19999

I thought maybe I needed to change the listen address from localhost to the LAN address, but if it weren't listening at all, I wouldn't even get the grey page.

Any help is appreciated.
#15
Quote from: Greelan on August 18, 2021, 01:09:07 AM
If the VLANs are created in OPNsense it should work no problem. On my bare metal OPNsense I use two NICs and have four VLANs plus LAN, and have never had to manually specify routes. Maybe a config issue with the VM in your case?

That's what I was thinking.  I was under the impression that regardless of IP space used, if I put a known IP into a browser or SSH client or whatever on a device connected on VLAN 1, it would know "Oh, I have that IP space on Interface 2!  I'll send that over there" and I get a connection.

I went through, and I realized I didn't have VLAN interfaces configured under "Interfaces->Other->VLAN" but I didn't think tagging was necessary if the interfaces are physically distinct, and the switch ports are configured for all traffic on each of the ports to be for the appropriate VLAN.