Messages - hakuna

#1
Quote from: Patrick M. Hausen on April 17, 2026, 08:36:05 AM
Separating clients of different trust levels into different networks, e.g. via VLANs, is common best practice, yes.

Hmm so I am gonna have to speed things up. It has been hard to find managed network switches that do not have locked SFP.

I am a novice at advanced networking and I assumed that I could set up two subnets from 10.19.0.0/16, but that is not how things work.
It could also in theory have VLANs set on OPNSense without a managed network switch, although it may be possible it is not the best practice.

So reading between lines, I cannot force OPNSense to solve my problem on its own and do things the right way.

Thanks a lot Patrick
#2
I got dual-stack in home network after some drama and everything works fine and IPv6 took over IPv4 everywhere, great.

My firewall rules however are void now because of IPv6.
Things like my robot vacuum, my office printer, my wireless router running OpenWRT, all had no access to the internet whatsoever.
Well, they were IPv4 rules, and because of the SLAAC IPv6 from the ISP, those rules are all voided now.

What options do I have??

It makes no sense to either set up a DHCPv6 or even worse, disable IPv6.
I am planning on upgrading my home network from 1G to 10G coz of my DIY NAS and all the Proxmox stuff, is VLAN my only real option left??

Thank you
#3
I have created a bug ticket, let's see how that goes: https://github.com/opnsense/core/issues/10093

Quote from: lmoore on April 02, 2026, 07:40:14 AM
Have I interpreted this correctly?

No, the OPNSense os-nut plugin, when set to netclient, has the UPS kill power command in it and you cannot remove it.
Meaning, the moment OPNSense UPS triggers it to go down, it will also shut down the UPS and that is wrong.

This is TrueNAS UPS management set as netclient behaving the way OPNSense is not: monitor and shut itself down, nothing less, nothing more.

root@truenas# cat /etc/nut/upsmon.conf
MONITOR apc1000@10.19.0.14:3493 1 admin master SLAVE
NOTIFYCMD /usr/sbin/upssched
NOTIFYFLAG ONBATT SYSLOG+EXEC
NOTIFYFLAG LOWBATT SYSLOG+EXEC
NOTIFYFLAG ONLINE SYSLOG+EXEC
NOTIFYFLAG COMMBAD SYSLOG+EXEC
NOTIFYFLAG COMMOK SYSLOG+EXEC
NOTIFYFLAG REPLBATT SYSLOG+EXEC
NOTIFYFLAG NOCOMM SYSLOG+EXEC
NOTIFYFLAG FSD SYSLOG+EXEC
NOTIFYFLAG SHUTDOWN SYSLOG+EXEC
SHUTDOWNCMD "/sbin/poweroff"
HOSTSYNC 15

root@truenas# cat /etc/nut/nut.conf 
MODE=netclient

Quote from: lmoore on April 02, 2026, 02:31:44 PM
On OpenBSD system, issuing `upsmon -c fsd` results in OPNsense shutting down gracefully and powering off followed by the OpenBSD system doing the same.

Approximately 90 seconds later the UPS goes in to sleep mode. As the mains power is still on, it awoke some 180 seconds later and the devices powered on and booted normally.

The latter, that is wrong and it is happening because of `POWERDOWNFLAG /etc/killpower`.
OPNSense is not the NUT server within our environment but netclient/slave and it should not behave as the server.
#4
Quote from: Patrick M. Hausen on April 01, 2026, 10:37:41 AM
But power cycling when halted does not hurt.

And I already agreed hard wired shutting down the UPS is probably a bad idea - please raise a feature request o

I wanna believe that power cycling when halted does not hurt, but I cannot.

Back in the day when all we had was IDE HDD, halting a computer meant its reading/writing head would move to park position away from the disk.
So when the power was cut, the head would not hit the disk leaving a hole aka bad block.
Under those circumstances only, halt had meaning and purpose.

SSD/NVMe is electronic, I cannot trust that cutting the power while in halt won't damage it coz it is still in operational mode.
I will die on this hill, halt is not and will never be a shutdown.

I have come across many old posts about this hard-coded UPS power kill switch, a few have mentioned an open request to remove it but it does not seem to be a priority.

By reading between the lines, there is no solution right now so:

1. Delete os-nut plugin
2. Install nut via pkg and hope OPNSense has no power over it; The config file won't change on OPNSense system update.
3. If the above does not work, have my NUT server shut down the OPNSense box, nothing fancy, just invoke its shutdown!!
#5
Quote from: Patrick M. Hausen on April 01, 2026, 09:55:38 AM
1. "/usr/local/etc/rc.halt" does call "shutdown -p now":

#!/bin/sh

# shutdown syshook / plugin scripts
/usr/local/etc/rc.syshook stop

/sbin/shutdown -op now

while :; do sleep 1; done

2. The hardwired killpower flag might call for a feature request to make it configurable.

I haven't noticed because here my OPNsense is the master NUT server and all other servers shut down first. I think the firewall killing the Internet connection should go down last.

HTH,
Patrick

When I was running OPNSense as master and was testing around:

1. it went into halt mode and stayed there
2. UPS power was recycled so it killed everything, including OPNSense itself which was in halt mode, it never fully shut down.

Quote from: Stormscape on April 01, 2026, 09:59:09 AM
Avoids NUT nonsense

Patrick, this also answers your "I think the firewall killing the Internet connection should go down last."

By having a NUT server, it gives me full control of everything:

1. Everybody's BIOS is set to turn back online when the power is restored.
2. You can run a command from the NUT server to recycle the UPS power
3. If the battery is back above 80% for example, recycle the UPS power, and that will bring everybody back online [1]
4. This is a Dell Wyse 3040 5v3A so it will run forever before going down, it also turns on automatically when the power is restored.
5. NAS is my only priority, it must be the first one to go down. If OPNSense goes down first or later, so be it.
6. Proxmox scripts do check if the NAS is up and if the NFS shares are active before running backups, otherwise, skip.

I did what I did to keep the whole process fully automated.
I am a novice so don't take me too seriously :)
#6
I have a Debian NUT server running from a 5V3A client, everything is working fine, it is the last one to die during power outage.
Everybody else such as Proxmox, TrueNAS and OPNSense, fetch the UPS status from the little guy above aka "slave"

However, os-nut plugin has broken logic and does not allow overwriting:

1. /usr/local/etc/rc.halt: This is wrong, it must be "shutdown -p now" compatible with FreeBSD (I never understood halt to be honest, it and nothing is the same)
2. /etc/killpower: The worst offence. It fully kills the UPS power on exit. Proxmox, TrueNAS will get killed because of it. This should never be here.
3. If you noticed the first lines, you must not edit this file, I did and everything was reverted back.

# Please don't modify this file as your changes might be overwritten with
# the next update.
#
MONITOR apc1000@10.19.0.14:3493 1 admin master slave
SHUTDOWNCMD "/usr/local/etc/rc.halt"
POWERDOWNFLAG /etc/killpower


How are you guys managing this??
Ditching os-nut plugin altogether and installing nut via pkg so OPNSense has no interference??

As it stands, I have to let the OPNSense bare-metal power be cut by force, it is wrong but better that way than it destroying my NAS HDDs when killing the UPS power.

Thank you
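
An added example, not part of the posts and not OPNsense or NUT project code: a small parser for the `upsmon.conf` format quoted in posts #3 and #6 that extracts the MONITOR role, SHUTDOWNCMD and POWERDOWNFLAG so the TrueNAS and os-nut configurations can be compared side by side. The function names are made up for the example, the `primary`/`secondary` role names come from newer NUT releases rather than from the page, and the sample text is copied from the posts with the NOTIFY lines left out.

```python
import shlex

# Role keywords accepted in the last MONITOR field: the legacy names used in
# the posts, plus the primary/secondary names of newer NUT releases.
ROLES = {"master": "primary", "primary": "primary",
         "slave": "secondary", "secondary": "secondary"}

def parse_upsmon(text):
    """Return the shutdown-relevant settings of an upsmon.conf as a dict."""
    conf = {"monitors": [], "shutdowncmd": None, "powerdownflag": None}
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)  # handles quotes and '#'
        if not fields:
            continue
        key, args = fields[0].upper(), fields[1:]
        if key == "MONITOR" and len(args) == 5:
            system, power, user, _password, role = args  # password unused
            conf["monitors"].append({
                "system": system, "power": int(power), "user": user,
                "role": ROLES.get(role.lower(), "unknown")})
        elif key == "SHUTDOWNCMD" and args:
            conf["shutdowncmd"] = args[0]
        elif key == "POWERDOWNFLAG" and args:
            conf["powerdownflag"] = args[0]
    return conf

def summarize(name, text):
    """One comparison line per host: role, shutdown command, killpower flag."""
    conf = parse_upsmon(text)
    roles = sorted({m["role"] for m in conf["monitors"]})
    return "%s: role=%s shutdowncmd=%s powerdownflag=%s" % (
        name, ",".join(roles) or "none",
        conf["shutdowncmd"], conf["powerdownflag"])

# The two configurations quoted in the posts (NOTIFY* lines omitted).
TRUENAS = '''
MONITOR apc1000@10.19.0.14:3493 1 admin master SLAVE
SHUTDOWNCMD "/sbin/poweroff"
HOSTSYNC 15
'''
OPNSENSE = '''
# Please don't modify this file as your changes might be overwritten with
# the next update.
MONITOR apc1000@10.19.0.14:3493 1 admin master slave
SHUTDOWNCMD "/usr/local/etc/rc.halt"
POWERDOWNFLAG /etc/killpower
'''

if __name__ == "__main__":
    print(summarize("truenas", TRUENAS))
    print(summarize("opnsense", OPNSENSE))
```

Both hosts parse as secondary clients of the same UPS; the difference the posts describe shows up as the `shutdowncmd` and `powerdownflag` fields.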
#7
SOLVED.

There are quite a lot of posts with folks having a similar problem when trying to update from X to Y.
Somebody who had the same problem as me going from 25.7.11_9 to 26.1.1 posted 2 months ago on Reddit.
The solution was:

1. SSH into OPNSense
2. 8) Shell
3. Run: opnsense-bootstrap
4. Enter and agree with the warning

I finally got 26.1.5 update installed.
Plugins were removed like the UPnP, others set as missing and I had to reinstall them like ISC DHCP which is running.

I have no idea what happened when 26.1.2_5 was installed but this seems to be a normal thing here and there.
#8
I tried changing the repo location via GUI again and this is what I get but OPNSense seems unable to download it.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.2_5 (amd64) at Wed Apr  1 11:58:42 AEDT 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (2 candidates): .. done
Processing candidates (2 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: ......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Installation out of date. The update to opnsense-26.1.5 is required.
***DONE***
#9
I checked the repo config which I never ever touch, and it looks correct to me.
Via the GUI it has always been set as default/default/Community.

root@firewall01:~ # cat /etc/pkg/FreeBSD.conf
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
#   mkdir -p /usr/local/etc/pkg/repos
#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#

FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
FreeBSD-kmods: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_quarterly_${VERSION_MINOR}",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

#10
Quote from: Monviech (Cedrik) on March 31, 2026, 11:33:46 AM
Check your repository configuration, if you added more than the standard OPNsense repository that might be your issue.

If you added more repos (which always is a manual shell operation) you should know where to look in the filesystem.

Thank you for the reply but that is the problem, I have made no changes at all.

Out of the blue, I have the plugins:

* os-apcupsd (missing)
* os-isc-dhcp (missing)
* os-nut (missing)

They are red in colour and have an "+" instead of the delete icon, but they are installed.

I swear, I have made no changes so idk what to do or change to fix this.
I tried changing the repo location via the GUI last night as my last hope but that didn't work.

The only major change was to install 26.1.5_2 update.
I checked for update, read the release note, and applied, I do not touch repo config.

#11
I see the update page was posted on 24th, it is 31st and I still cannot download with "There are no updates available on the selected mirror."

I have tried changing mirror to one in the US which helped in the past but not this time.

There are 3 plugins in conflict including os-isc-dhcp (missing) and they require 25.1.5 but I cannot install this update.

Thank you
#12
Quote from: Boxer on February 12, 2026, 02:25:52 PM
Services > Router Advertisements:

    Interface: LAN
    Mode: *Unmanaged*

Thank you so much for that.
As soon as I changed that, my PC got an IPv6 so did all the clients and I can ping IPv6 IPs now without a DHCPv6 server.
IPv6 gateway does show down, I guess that is because of the PPPoE.

What matters is that it all works, I guess I am officially running dual-stack haha

Thanks a lot.
#13
Quote from: meyergru on February 12, 2026, 10:14:05 AM
It does not work like that (you already noticed, didn't you?).

Like with IPv4, there are two sides:

- WAN
- LAN

On WAN, you have to use whatever means it takes to get a WAN IP, often DHCPv4 and DHCPv6 as a client.

On LAN, you use DHCPv4 and (probably DHCPv6) as server. Alternatively, you can use SLAAC (RA) instead for IPv6.

You did neither: ISC DHCPv6, DNSmasq, RAdvd, all disabled. So how would clients get what they need. You must have IPv6 supplied to your LAN, otherwise it will not work.

There is a guide on how to do this via DNSmasq only in the official docs, instead, I prefer to do it like this.


There seems to be a misunderstanding, let's try again :)

  • ISC DHCPv6 is disabled, IPv6 tracking doesn't need that
  • LAN IPv6 is tracking WAN so the clients will get IPv6 automatically. No need for DHCPv6 server in here. Clients do receive ISPv6 DNS automatically already
  • Services > Router Advertisement: It is up and running. I don't need DNSmasq for that
  • The above only works if you follow the documentation "Identity Association" instead of "Track Interface(legacy)" : https://docs.opnsense.org/manual/radvd.html

That is the main purpose of having LAN IPv6 > Tracks WAN > RA > Clients get out: things happen dynamically.
You should not have to set up a DHCPv6 server/pool manually and all, it must be fully dynamic.
#14
Hi all,

I finally got OPNSense to see my ISP IPv6, I had to change from IPoE back to PPPoE (ISP dramas).
OPNSense can ping IPv6 just fine but the clients cannot:

ping -6 2001:4860:4860::8888
From fe80::7e5a:1cff:fe48:1c50%eno1 icmp_seq=1 Destination unreachable: Beyond scope of source address


https://docs.opnsense.org/manual/radvd.html

Done that: "If "Track Interface (legacy)" is used, an existing disabled entry will also deactivate advertisements on that interface. Alternatively, switch to "Identity association" for full manual configuration if needed."

Dnsmasq is disabled and not being used, and RA is not selected either

My PC network does show the 2400: IP under the DNS6 so it is seeing something.

ISC DHCPv6 service is disabled

Services > Router Advertisements:

  • Interface: LAN
  • Mode: Managed
  • Minimum interval: 200(default)
  • Maximum interval: 600(default)

Interfaces > LAN

  • IPv6 Configuration Type: Identity association
  • Track IPv6 Interface > Parent interface: WAN

Interfaces > WAN

  • IPv4 type: PPPoE
  • IPv6 type: DHCPv6 (As instructed by the ISP)

OPNSense:
netstat -rn
Internet6:
Destination                      Gateway                      Flags        Netif Expire
default                          fe80::2293:39ff:fef6:75e3%pppoe0 UGS      pppoe0


ping6 -c 3 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=121 time=2.030 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=121 time=1.957 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=121 time=1.952 ms

I am running Unbound Recursive, no major changes other than "Register Mappings"

Thank you

#15
26.1, 26,4 Series / Re: 26.1.1 MTU Issues on PPPoE
February 11, 2026, 01:16:39 PM
Oh wow, so this could be the reason of my problems.

I am trying to set up dual-stack at home and right now I have WAN > DHCP
To cut it short, my ISP wants me back to PPPoE for the WAN > DHCPv6 to receive the reservation.

I spent ages today trying to get PPPoE to work but nothing happens, in previous releases it was type username, password, save, and connected.
I checked old backup configs, the PPPoE section is exactly the same but nope.

I am stuck with WAN > DHCP now and without IPV6 which only works via PPPoE for my ISP.