Messages

The .de DNS zone is broken. See here, follow the links - the top two are in English:

https://forum.opnsense.org/index.php?topic=51804.0

I guess that was it. Very weird. Thanks!

Hi there,

I'm trying to find a way to diagnose a strange issue: I cannot resolve a specific domain name from my LAN, all other domain names I tested work.
Unfortunately, this is the domain of my mail provider...

manitu.de doesn't work, neither in the browser, nor via ping in the (Windows) command prompt.
All other domains I tried work.
Doesn't work on the phone, either, as long as I'm connected to my Wifi.
If I switch to mobile data only (outside my LAN), I can resolve it.
When I query a domain up/down checker service, the domain is reachable from elsewhere
When I ping the IP address, that works (so it's really a DNS issue).
When I try to ping the domain name from my OpnSense Web GUI, it can be resolved. So the firewall itself somehow resolves it correctly, but the devices from within my LAN cannot.

I have a pretty simple setup, with a local network behind the firewall, and the WAN side. I use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. I also have not upgraded OpnSense since a few days ago. The domain worked until recently.

As an emergency measure, I have added the most important domains to my local 'hosts' file, so I can at least write e-mails.

How do I diagnose such an issue?
My first try is updating to the latest version (mine is less than a week old), but what after that?
Please note that I'm an IT professional, but not in the network administration field.

It seems I somehow managed to solve it "by accident". I chose "reinstall" for package "pkg". It became a little scary when the WebGui apparently crashed (no longer reachable), but hey, it's almost Halloween. WebGui was fixed by a hard reboot, after which I also made sure I had SSH access as a backup if necessary (should have done that first, but alas, we learn by trial, but mostly by error).
Strangely, after that episode the WebGUI reported "no packages to update", and the health audit no longer complained about conflicting packages. I'm a bit sceptical if the newest update is really installed (when? how?), and it also looks a bit weird that the health audit reports "running 25.7.6" but also kernel version "25.7.5"

Not saying I understand what happened, but it seems to work.
Thanks for your pointers. They were a bit cryptic for someone not doing network admin work regularly, but they helped me onto the right track.

That seems to be spot on, but how does one upgrade the package manager first?

And the outdated packages are from OPNsense 25.7.5. They should get updated along with the OPNsense 25.7.6 update.

And as I said....update isn't working (see first error message in OP). The actual question is how to get that running, but I though starting with fixing the health audit issues is the way to start.

What Patrick says.

Code Select Expand

pkg delete py37-markupsafe

How do I do that in WebUI? Can I open a console somewhere in there?

I have been a happy user of OPNsense for years (on a small commercial box from Deciso).
Today, when I tried updating, I got the error "The release type 'opnsense' is not available on this repository."
As recommended, I ran a health audit, and revealed some missing dependencies and package version mismatches (full log below).
The troubleshooting section on opnsense.org briefly mentions that "When mismatches are reported, you can reinstall affected packages in the Packages section of the firmware screen.", but there is no further elaboration. It's unclear to me how and why "reinstalling" the package would resolve a version mismatch, and also the missing dependency is not in the list of packages, so I don't know how to "reinstall" that.
I did not find a troubleshooting section going into further detail.

How should I proceed?

Health audit output:

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.5 (amd64) at Sun Oct 26 19:09:18 CET 2025
>>> Root file system: /dev/ufs/OPNsense
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.5 has 67 dependencies to check.
Checking packages: .....................
openssh-portable-10.0.p1_2,1 version mismatch, expected 10.2.p1,1
Checking packages: ..
opnsense-25.7.5 version mismatch, expected 25.7.6
Checking packages: ...
opnsense-update-25.7.5 version mismatch, expected 25.7.5_1
Checking packages: ..............................
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: ........
suricata-7.0.12 version mismatch, expected 8.0.1
Checking packages: .
syslog-ng-4.8.2_4 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***


Argh, network cable slipped out. Fatal User Error....

I see a COM port appearing in the device manager when I connect Windows PC to the DEC via USB cable, but when I try zo open a session using PuTTy on that com port ( using elevated rights) nothing happens.

I have used a Opnsense-based firewall (ready-to-use box from Deciso) for 3 years now, and regularly updated the OpnSense version.
Today, I simply cannot reach the firewall anymore (which I also use as DHCP server), my PCs don't get valid IP addresses. Even if I manually force them into the correct subnet, I cannot reach the firewall.
I checked the troubleshooting section, but all articles there seem to assume you can reach the web UI.

What can I do?

Edit: It's a DEC 600 and I already tried a hard reboot.

Hi all,
I use DHCPv4 service to assign local IP addresses.
Today, I connected a new device. It was assigned a valid IP address from the pool of dynamic addresses (i.e. those not used for static IP mappings).

The connection on the switch shows "active"
I can ping it within the network.

But it does not appear in my list of DHCP leases in the web UI.

This is important as I'd like to learn it's MAC address, and assign it a permanent IP.

Where do I need to look for dynamically assigned IP addresses? I've been looking under "DHCPv4 --> Leases"

The maximum setting that fits into a 32bit signed int is more than 60 years. That should do. I also only set this to specific static leases where I encounter these problems.

Interesting. Since I upped the maximum lease time, I no longer my Wifi AP's "device has been disconnected" error once every 24 hours.
Seems like not every device knows it needs to renew the lease...

So the default lease time is one day, even for statically mapped IP addresses. I understand now why my Wifi AP complains once a day that is was disconnected  :)

The ugly solution is to enter a ridiculously high value (2^31 comes to mind, since I don't know whether the value is stored signed or unsigned). As an engineer, this solution is not very satisfying. Is there a default "disable maximum lease time" option?

OK, someone at UniFi thought "Multicast and Broadcast Filtering" would make a great default option for a Wifi AP. I must have overlooked that at initial setup.

Case closed. Thanks for the help!