Messages - mnaim

#1
I would suggest being more investigative and less critical. I have several N300s (a stronger version of the N100) and in the whole time only one issue with the platform (not updating the EFI bootloader) got me into an unusable state. Every update was smooth as hell. But if you want to raise a problem and get feedback on what to do to solve the issue, phrases like "PLEASE FOR THE LOVE OF GOD!!!" won't help at all. Post screenshots, logs, console output etc. to get to the point and to a solution. If your box is sensitive to software issues, follow the best practice of having two (they are cheap as hell) and set up either a TEST and PROD flow, or HA, to prevent your internet from being disconnected.
#4
I don't know what the best practice is, or whether it is really a bug or a feature.

Searching the internet, there are recommendations: "You typically assign ULA or GUA addresses to each end of the WireGuard tunnel. Example: fd00:1::1/64 on the server, fd00:1::2/64 on the client. You then route specific IPv6 networks over the tunnel via AllowedIPs."

I will probably go that way, because it is clearly more readable for the admin and for the system that the interface is IPv6-capable.
#5
I confirm the source of the problem:

If the WireGuard tunnel has an IPv6 address set (i.e., in the "Tunnel Address" field), the interface is correctly initialized:

  • An IPv6 address is assigned.
  • The IFDISABLED flag is not set.
  • Result: IPv6 communication (e.g., roadwarrior setups) works as expected.

However, if the tunnel itself is IPv4-only, and only the peer's AllowedIPs contain IPv6 networks (e.g., fd00::/64), the interface:

  • Does not get an IPv6 address.
  • Has the IFDISABLED flag set.
  • Result: Incoming IPv6 traffic (which arrives correctly via the tunnel) is silently dropped at the interface level.

This breaks site-to-site or multi-peer IPv6 routing where the tunnel itself doesn't need an IPv6 address but is expected to forward IPv6 to/from peers.

Workaround:

Assigning a dummy ULA IPv6 address to the tunnel interface (e.g., fd00:1234::1/128) clears the IFDISABLED flag and restores IPv6 routing functionality.

While this workaround is effective, it is not ideal, as it requires manual and potentially error-prone configuration outside the intended scope of the peer-level AllowedIPs.

Expected Behavior:

If any IPv6 network is present in the AllowedIPs of a peer, OPNsense should:

  • Automatically enable IPv6 on the WireGuard interface.
  • Either assign a link-local or dummy address, or at minimum, clear the IFDISABLED flag.
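A small check for the symptom described in the post above, as an added example (not code from the post or from OPNsense): it inspects ifconfig(8) output for the nd6 IFDISABLED flag and prints the two commands that clear it. The ifconfig output embedded below is constructed to mirror FreeBSD's format; the interface name wg1 and the ULA fd00:1234::1/128 are assumptions taken from the post's workaround.

```shell
#!/bin/sh
# Added example, not from the forum post or OPNsense: detect the nd6
# IFDISABLED flag on a WireGuard interface and show the workaround.
# Interface name "wg1" and the ULA address are assumptions.

# Return 0 if the given ifconfig(8) output shows the nd6 IFDISABLED flag.
has_ifdisabled() {
    printf '%s\n' "$1" | grep -q 'nd6 options=.*IFDISABLED'
}

# Constructed ifconfig output for an instance with only an IPv4 tunnel
# address: no inet6 line, and IFDISABLED (0x8) is set in the nd6 options.
SAMPLE_V4_ONLY='wg1: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1420
	options=80000<LINKSTATE>
	inet 10.10.10.1 netmask 0xffffff00
	groups: wg wireguard
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>'

# Constructed output after assigning the dummy ULA from the post:
# an inet6 address is present and IFDISABLED is gone.
SAMPLE_WITH_V6='wg1: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1420
	options=80000<LINKSTATE>
	inet 10.10.10.1 netmask 0xffffff00
	inet6 fd00:1234::1 prefixlen 128
	groups: wg wireguard
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# Print the two ways to restore IPv6 forwarding on the interface:
# clear the flag directly, or add a ULA alias as the post describes.
# Neither persists across an OPNsense reconfigure; the GUI "Tunnel Address"
# field is the persistent form of the second command.
workaround_for() {
    ifname=$1
    printf 'ifconfig %s inet6 -ifdisabled\n' "$ifname"
    printf 'ifconfig %s inet6 fd00:1234::1/128 alias\n' "$ifname"
}

# On a live box:  has_ifdisabled "$(ifconfig wg1)" && workaround_for wg1
```

Run the live check after every WireGuard reconfigure, since the flag is re-evaluated when the interface is created; the GUI tunnel address remains the only persistent fix.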
#6
I'm experiencing the same problem. Routing IPv6 via WireGuard is not working. Connecting to WG is OK and I can ping both sides. But accessing the networks behind those WG peers doesn't work.
No config change since 25.1.x.
During packet capture the packets are visible, but even "live logging" in the GUI doesn't show them.

Only an IPv6 problem; IPv4 is OK, including routing.
#8
General Discussion / Re: mDNS Forwarding for IPv6
July 26, 2025, 11:10:35 AM
There is already a project built from scratch to support IPv6.
https://forum.opnsense.org/index.php?topic=48150.0
#9
This binary can be run multiple times to create what you want to achieve.
Until there is a proper plugin, you have to run it manually.
https://forum.opnsense.org/index.php?topic=48150.0
#10
Hi,

I just found mdns-reflector.
It is a drop-in replacement for the unsupported mdns-repeater.

I have just compiled the binary and replaced it, rebooted, and it works with the current plugin config!
The key advantage is IPv6 support. Without IPv6 I can't get the Matter protocol to work, which requires mDNS and IPv6.
With this it works like a charm.

Is it possible to replace the unsupported binary in OPNsense or clone the plugin with the new binary?

Thanks
#11
25.7 Series / upgrade to 25.7 -> bootloader too old
July 26, 2025, 01:52:07 AM
I'm one of those who had a problem upgrading to 25.7 with microcode installed.
I have started to play with snapshots and microcode is not the root cause.
After connecting a monitor I saw:

******************************************************
**           BOOT LOADER IS TOO OLD. PLEASE UPGRADE.           **
******************************************************

Loading /boot/defaults/loader.conf
Loading /boot/defaults/loader.conf
Loading /boot/device.hints
Loading /boot/loader.conf
console vidconsole is invalid!
Available consoles:
    efi
    comconsole
    nullconsole
    spinconsole


And then a freeze.

After running these commands the upgrade went smoothly even with microcode installed (FOR OTHERS: DO NOT COPY-PASTE, DANGEROUS!!!)
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 nda0
cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi
cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi

Any idea why this happens?
After the 25.7 upgrade I re-ran those commands, because loader.efi in the EFI partition was not updated to the newest version.
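Before copying loader.efi onto the EFI system partition as in the post above, it is worth knowing whether the ESP copy is actually stale. The script below is an added example (not from the post or from OPNsense): it compares /boot/loader.efi with the two ESP paths the post names and only then points at the post's commands. The disk name nda0 and partition index 2 are the poster's values and are assumptions for any other box; confirm them with "gpart show" first.

```shell
#!/bin/sh
# Added example, not from the forum post or OPNsense: report whether the
# EFI system partition still carries an older loader.efi than /boot/loader.efi.
# Default paths mirror the post; "nda0" / "-i 2" are assumptions.

# Return 0 when the two files differ (ESP copy is stale), 1 when identical.
loader_differs() {
    src=$1
    dst=$2
    [ -f "$dst" ] || return 0        # a missing ESP copy counts as stale
    ! cmp -s "$src" "$dst"
}

# Compare the installed loader with both ESP copies named in the post.
# Usage: check_esp [/boot/loader.efi] [esp-mountpoint]
# Returns 0 when both copies match, 1 when at least one is stale.
check_esp() {
    src=${1:-/boot/loader.efi}
    esp=${2:-/boot/efi}
    stale=0
    for dst in "$esp/efi/boot/bootx64.efi" "$esp/efi/freebsd/loader.efi"; do
        if loader_differs "$src" "$dst"; then
            echo "stale: $dst (differs from $src)"
            stale=1
        else
            echo "ok:    $dst"
        fi
    done
    return $stale
}

# Only after check_esp reports a stale copy, and only after confirming the
# disk and partition index with "gpart show", run the commands from the post:
#   gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 nda0
#   cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi
#   cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi
```

Run check_esp again after each OPNsense upgrade; the post reports that the upgrade itself did not refresh the ESP copy, which this check makes visible without touching the bootcode.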

#12
After upgrading to 25.7, these warnings started to appear in the log.
Did I miss any change?

Skipping AdvLinkMTU configuration since it cannot be applied on opt3
Skipping AdvLinkMTU configuration since it cannot be applied on opt5
Skipping AdvLinkMTU configuration since it cannot be applied on opt8

All are VLAN interfaces.
#13
25.7 Series / Re: Update Failed With This Error
July 24, 2025, 12:28:52 PM
I have the same issue. A CWWK device with an N-305 and the microcode plugin installed. Started the 25.7 upgrade and then it hangs. It is headless, so I don't have a clue what happened; I need to go there and check what is on the console. I don't understand why uninstalling microcode could help, and whether it is just with this upgrade or any later one, or general with the boot process itself.
#14
Interesting. I'm using IGMP to watch TV too.

So I tried to replicate the issue (to know how I'm affected), but it is not happening to me; I can't replicate the described behavior.

Can you please help me diagnose: how did you notice that the issue is happening?
#15
It's clear from the browser dev console:
On the first there is a 1 sec timeout enforced by the UI.
On the second there is the real load time of the response. The response is OK, the JSON is OK, return code 200 OK.