Messages - meyergru

#1
German - Deutsch / Re: Problem with Port Forwarding
January 27, 2026, 05:08:10 PM
Take a close look at your own screenshots, maybe you will find it...
#2
General Discussion / Re: [Noob question] - DNS Cache
January 27, 2026, 05:07:37 PM
Please indicate more precisely what you want to achieve.

So what you want to do seems to be that the DNS entry wpdebat.dk is resolved on your OpnSense itself as an authoritative DNS server.

First thing I can tell you that from outside your LAN, no DNS requests are served - probably because that is blocked by the firewall:

#nslookup fw.halfdaner.dk
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   fw.halfdaner.dk
Address: 5.186.54.48

#nslookup wpdebat.dk fw.halfdaner.dk
;; communications error to 5.186.54.48#53: timed out

So I doubt that the name resolves fine when your mobile is outside of your WiFi and uses public DNS.

Also, although the domain seems registered, there are no nameservers declared:

#nslookup -query=ns wpdebat.dk
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find wpdebat.dk: SERVFAIL

If you only want to resolve that name as an override only locally, you would need to create it in unbound to resolve to whatever you want.
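The three nslookup runs above show three distinct outcomes (a normal answer, a timeout, and SERVFAIL), and each points at a different place to look. The following is an added example, not code from the post or from OPNsense: a small parser for nslookup's text output that labels the outcome and attaches the check a defender would do next. The domain names and addresses in the sample outputs are constructed (RFC 5737 / reserved test names), not the ones from the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class LookupResult:
    status: str                 # "answer", "timeout", "servfail", "nxdomain" or "unknown"
    server: str | None = None   # resolver that was asked (or that replied)
    addresses: list[str] = field(default_factory=list)
    hint: str = ""              # what to verify next


# Regexes for the lines nslookup (BIND 9 flavour) prints in each situation.
SERVER_RE = re.compile(r"^Server:\s+(\S+)", re.M)
COMM_ERR_RE = re.compile(r";; communications error to (\S+?)#\d+: (.+)")
CANT_FIND_RE = re.compile(r"\*\* server can't find \S+: (\w+)")

HINTS = {
    "timeout": "no reply on port 53: resolver unreachable or a firewall rule drops UDP/TCP 53 "
               "on the interface the query arrives on",
    "servfail": "the resolver could not obtain an answer: check NS delegation / the zone's nameservers",
    "nxdomain": "the name does not exist in the zone that answered",
    "answer": "name resolves; if clients still fail, look at their configured resolver",
}


def classify_nslookup(output: str) -> LookupResult:
    """Classify a captured nslookup run into one of the outcomes listed in HINTS."""
    m = COMM_ERR_RE.search(output)
    if m:
        return LookupResult("timeout", server=m.group(1), hint=HINTS["timeout"])

    server = None
    sm = SERVER_RE.search(output)
    if sm:
        server = sm.group(1)

    m = CANT_FIND_RE.search(output)
    if m:
        code = m.group(1).lower()
        status = code if code in HINTS else "unknown"
        return LookupResult(status, server=server,
                            hint=HINTS.get(status, f"unexpected rcode {m.group(1)}"))

    # In a successful run the first "Address:" line belongs to the server header;
    # only "Address:" lines following a "Name:" line are answer records.
    addresses: list[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer and line.startswith("Address:"):
            addresses.append(line.split(None, 1)[1].strip())
    if addresses:
        return LookupResult("answer", server=server, addresses=addresses, hint=HINTS["answer"])
    return LookupResult("unknown", server=server, hint="could not parse nslookup output")


# Constructed sample outputs (same shape as the runs quoted in the post, addresses replaced).
SAMPLE_ANSWER = """\
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   fw.example.net
Address: 192.0.2.10
"""

SAMPLE_TIMEOUT = ";; communications error to 192.0.2.10#53: timed out\n"

SAMPLE_SERVFAIL = """\
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find lan.example.invalid: SERVFAIL
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ANSWER, SAMPLE_TIMEOUT, SAMPLE_SERVFAIL):
        r = classify_nslookup(sample)
        print(f"{r.status:9s} server={r.server} addresses={r.addresses}: {r.hint}")
```

Running the three samples through it yields "answer", "timeout" and "servfail" respectively; the timeout against a public address is the case that suggests port 53 is filtered on the WAN side, while SERVFAIL for the bare domain is what a missing NS delegation looks like from a recursive resolver.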

#3
German - Deutsch / Re: Problem with Port Forwarding
January 27, 2026, 04:16:07 PM
How is NAT Reflection configured on your system? You can also enable it locally here, only for this rule.

And is the IP mentioned above in the LAN, or is it the same as the WAN IP?
#4
General Discussion / Re: [Noob question] - DNS Cache
January 27, 2026, 03:32:49 PM
DNS names are cached on several levels. For instance, they are cached on Windows PCs themselves. You can use "ipconfig /flushdns" to clear that cache.

However, usually, caching uses the validity period it is given together with the DNS name, so it will cache no longer than the DNS entry itself dictates. Also, this does not at all explain why your DNS does not work at all - the cache time for a negative answer is very short.

I think you probably forgot to allow access to UDP port 53 on your LAN interface, or the DNS service is misconfigured, or your clients are not configured to use the OpnSense DNS service. This can go wrong on several levels, because OpnSense does not work right out of the box - especially when you just switched from your old router or if the old router is still in front of your OpnSense.

You should probably read this first - especially point 8.

Then it would be time to ask yourself a few questions to make sure you are not jumping to conclusions, like:

- Can I ping an IPv4 directly? Like 8.8.8.8?
- Can I ping an IPv6 directly? Like 2600:: ?
- Does this work from OpnSense itself only or from the LAN behind it?
- Can I resolve a DNS name like "google.com"? Do I get both an IPv4 and an IPv6 address?
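The post makes two points about DNS caching: a cache may hold an answer no longer than the TTL delivered with it, and a negative answer is held only briefly, so a resolver that never works is not a caching problem. The following is an added example (my code, not the post's and not how Windows or Unbound implement their caches) of a minimal TTL-honouring cache with negative caching, driven by a fake clock so it runs offline. The zone data, the 300 s positive TTL and the 30 s negative TTL are constructed values.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class CacheEntry:
    addresses: tuple[str, ...]   # empty tuple = negative (NXDOMAIN) entry
    expires_at: float


# An upstream lookup returns (addresses, ttl); an empty address list means NXDOMAIN
# and the ttl is then the negative-caching TTL (the zone's SOA minimum, RFC 2308).
Upstream = Callable[[str], tuple[list[str], int]]


class TtlCache:
    """Serve cached answers only while their TTL has not elapsed; no serve-stale."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._entries: dict[str, CacheEntry] = {}
        self.upstream_queries = 0

    def resolve(self, name: str, upstream: Upstream) -> tuple[tuple[str, ...], bool]:
        """Return (addresses, from_cache). Upstream errors propagate once the entry expired."""
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.addresses, True
        self.upstream_queries += 1
        addresses, ttl = upstream(name)          # may raise, e.g. TimeoutError
        self._entries[name] = CacheEntry(tuple(addresses), now + ttl)
        return tuple(addresses), False

    def flush(self) -> None:
        """What 'ipconfig /flushdns' does for the Windows-level cache: drop everything."""
        self._entries.clear()


# Constructed zone: one host with a 300 s TTL; everything else is NXDOMAIN.
ZONE = {"host.example.test": (["192.0.2.10"], 300)}
NEGATIVE_TTL = 30


def upstream_lookup(name: str) -> tuple[list[str], int]:
    if name in ZONE:
        return ZONE[name]
    return [], NEGATIVE_TTL


class FakeClock:
    def __init__(self, t: float = 1000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def scenario() -> tuple[list[bool], int]:
    """Hit/miss pattern for a positive and a negative name across their TTLs."""
    clock = FakeClock()
    cache = TtlCache(clock=clock)
    hits = []
    hits.append(cache.resolve("host.example.test", upstream_lookup)[1])   # miss
    hits.append(cache.resolve("host.example.test", upstream_lookup)[1])   # hit
    clock.advance(299)
    hits.append(cache.resolve("host.example.test", upstream_lookup)[1])   # hit, still within TTL
    clock.advance(2)
    hits.append(cache.resolve("host.example.test", upstream_lookup)[1])   # miss, TTL elapsed
    hits.append(cache.resolve("nope.example.test", upstream_lookup)[1])   # miss, NXDOMAIN
    hits.append(cache.resolve("nope.example.test", upstream_lookup)[1])   # hit, negative cached
    clock.advance(31)
    hits.append(cache.resolve("nope.example.test", upstream_lookup)[1])   # miss, negative TTL elapsed
    return hits, cache.upstream_queries


def outage_scenario() -> tuple[bool, bool]:
    """A cached answer masks an upstream outage only until its TTL runs out."""
    clock = FakeClock()
    cache = TtlCache(clock=clock)
    cache.resolve("host.example.test", upstream_lookup)

    def dead_upstream(name: str) -> tuple[list[str], int]:
        raise TimeoutError("no reply on port 53")

    masked = cache.resolve("host.example.test", dead_upstream)[1]   # True: served from cache
    clock.advance(301)
    try:
        cache.resolve("host.example.test", dead_upstream)
        return masked, False
    except TimeoutError:
        return masked, True                                        # outage now visible


if __name__ == "__main__":
    print(scenario())          # ([False, True, True, False, False, True, False], 4)
    print(outage_scenario())   # (True, True)
```

The second scenario is the post's argument in code: a cache can hide a broken resolver for at most one TTL, so if name resolution has not worked for hours the cause is the firewall rule, the service configuration or the client's resolver setting, not stale cache entries.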
#5
Are you sure that you download the file from an IPv4 source and not via IPv6?
#6
26.1 Series / Re: New rule system
January 27, 2026, 12:11:27 PM
Quote from: keeka on January 27, 2026, 11:53:30 AM
If the source/destination criteria on the forwarding rule are sufficiently selective, then I suppose a 'pass' action is sufficient.

True, but there is a problem with it: Imagine you have some blocking rules. You can use them in the floating rules, but just for WAN. You can enable or disable each of them selectively, and that combination works for all port forwarding and allow rules after that alike. I mean something like this:

You cannot view this attachment.

If you want to mimic that with separate source criteria for each port forwarding rule, you are looking at a lot of work. Also, some of the block rules cannot be combined in a single network group alias, because of their type (say, __qfeeds_malware_ip).

Therefore, you probably still need separate rules (I do) to be able to shift their priorities, but you must take care of them manually after 26.1, because they become disassociated from their respective NAT rules.
#7
IDK if this is related, but just now, after ~16 hours of running time, my system crashed and rebooted silently (no core dumps or anything and nothing in the crash reporter).

After startup, I find a host of these messages in the logs:

/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/wireguard-traffic.rrd' --step 0 DS:'inpass:COUNTER:120:0:2500000000' DS:'outpass:COUNTER:120:0:2500000000' DS:'inblock:COUNTER:120:0:2500000000' DS:'outblock:COUNTER:120:0:2500000000' DS:'inpass6:COUNTER:120:0:2500000000' DS:'outpass6:COUNTER:120:0:2500000000' DS:'inblock6:COUNTER:120:0:2500000000' DS:'outblock6:COUNTER:120:0:2500000000' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"

I also have remote logging for that system. Nothing particular shows before the reboot:

You cannot view this attachment.
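The logged failure above comes from rrdtool refusing `--step 0`, which is exactly what the message "step size: value must be positive" says. As an added example (my code, not part of OPNsense's updaterrd.php or of rrdtool), here is a pre-flight checker for an `rrdtool create` command line that catches that and the analogous mistakes in DS and RRA definitions before the tool is invoked, using the real rrdtool argument syntax (`--step`/`-s`, `DS:name:type:heartbeat:min:max`, `RRA:CF:xff:steps:rows`). The shortened command line it is tested with is constructed after the one in the log.

```python
from __future__ import annotations

import shlex

DS_TYPES = {"GAUGE", "COUNTER", "DERIVE", "ABSOLUTE", "DCOUNTER", "DDERIVE"}
RRA_CFS = {"AVERAGE", "MIN", "MAX", "LAST"}


def _positive_int(s: str) -> bool:
    return s.isdigit() and int(s) > 0


def check_rrd_create(cmdline: str) -> list[str]:
    """Return the problems that would make `rrdtool create` exit non-zero; empty list = looks fine."""
    argv = shlex.split(cmdline)
    problems: list[str] = []
    step: str | None = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("--step", "-s"):
            if i + 1 >= len(argv):
                problems.append("--step given without a value")
                break
            step = argv[i + 1]
            i += 2
            continue
        if arg.startswith("--step="):
            step = arg.split("=", 1)[1]
        elif arg.startswith("DS:"):
            parts = arg.split(":")          # DS:name:type:heartbeat:min:max
            if len(parts) != 6 or parts[2] not in DS_TYPES:
                problems.append(f"malformed data source {arg!r}")
            elif not _positive_int(parts[3]):
                problems.append(f"heartbeat must be positive in {arg!r}")
        elif arg.startswith("RRA:"):
            parts = arg.split(":")          # RRA:CF:xff:steps:rows
            if len(parts) != 5 or parts[1] not in RRA_CFS:
                problems.append(f"malformed archive {arg!r}")
            elif not (_positive_int(parts[3]) and _positive_int(parts[4])):
                problems.append(f"steps and rows must be positive in {arg!r}")
        i += 1
    if step is not None and not _positive_int(step):
        problems.append(f"step size: value must be positive (got {step})")
    return problems


# Constructed after the failing command in the log, with the DS/RRA list shortened.
BROKEN_CMD = (
    "/usr/local/bin/rrdtool create '/var/db/rrd/wireguard-traffic.rrd' --step 0 "
    "DS:'inpass:COUNTER:120:0:2500000000' DS:'outpass:COUNTER:120:0:2500000000' "
    "RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720'"
)
FIXED_CMD = BROKEN_CMD.replace("--step 0", "--step 60")

if __name__ == "__main__":
    print(check_rrd_create(BROKEN_CMD))   # ['step size: value must be positive (got 0)']
    print(check_rrd_create(FIXED_CMD))    # []
```

A wrapper that runs such a check before calling out to rrdtool turns an exit code 1 buried in the system log into a clear message naming the offending parameter, which is what one wants when hunting for whether a repeated error is connected to an unexplained reboot.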
#8
26.1 Series / Re: New rule system
January 27, 2026, 10:41:14 AM
I have switched those "PASS" settings out for associated rules. However, those will get disassociated during upgrade to 26.1. You will have to take care of their management manually further on (as indicated by the "MANUAL" setting in the NAT rule).
#9
26.1 Series / Re: New rule system
January 27, 2026, 10:22:50 AM
You are misunderstanding: Floating rules were never processed before a port forward with "PASS". We only assumed that this was the case - it never was.
#10
That is a 10G Base-SR type SFP+ transceiver, which is way less power-consuming than RJ45 ones. For DAC cables, you do not even get a temp reading, because they are the least power hungry of the three types.
#11
General Discussion / Re: GeoIP not working
January 26, 2026, 11:24:58 PM
This seems to differ in business and community versions. In the community version, you have to acquire a license yourself and enter the corresponding URL with a token, whereas in the business version, you only have to choose which one you want.
#12
The problem you had is literally described in this article, point 5. Maybe you should read it in full.

There are also other pitfalls, like not creating an "Allow any" rule, which is automatically created only for the first LAN and which may be the cause of your DHCP problem. Other than that, the HOWTOs in the OpnSense documentation are mostly very good. Also, there is a tutorial section in the forum where specific topics are covered.

That being said, I repeat what I often say: OpnSense is not your average consumer router where point-and click just works. It is a professional tool that should be operated by experts. Otherwise, it can (and probably will) do more harm than good.

For the same reason, I urge everyone to refrain from using all kinds of external "internet" guides and/or videos, because they are often outdated or too unspecific. More often than not, these videos leave the impression that anyone can somehow "make their network more secure" by using OpnSense - which may even be dangerous in many cases. If you really aim to use OpnSense, you should either be network-savvy in the first place or be prepared to go to a steep (and long) learning curve. The READ ME FIRST article is a good starting point.

Also, sometimes, there is a misunderstanding that in the forum, you will be taken by the hand and guided through the process - that is simply not possible. For starters, this forum is not an official Deciso support forum, but mostly used by hobbyists.

Thus, you will have to learn by yourself and if you get stuck, you can come back and ask for specific unclear points.
#14
Upgraded to 26.1-r2_2 from 25.7.11 on my home box.

Did not see too many php-cgi processes, but I did not have rapid commit enabled. System is up and running with both IPv4 and IPv6.
What I did see was two popups about errors and then this in the crash reporter:

[26-Jan-2026 18:40:11 Europe/Berlin] Error: Class "OPNsense\Mvc\Router" not found in /usr/local/opnsense/www/api.php:35
Stack trace:
There was no stack trace or panic.

I did a health check, which gave this:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.r2_2 (amd64) at Mon Jan 26 18:40:52 CET 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.r1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.r1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
mimugmail (Priority: 5)
OPNsense (Priority: 11)
>>> Check installed plugins
os-acme-client 4.12
os-auto-recovery-community 1.0
os-c-icap 1.9
os-cache 1.0_1
os-caddy 2.0.4_3
os-chrony 1.5_3
os-clamav 1.8.1
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.29
os-dmidecode 1.2
os-dnscrypt-proxy 1.16_1
os-etpro-telemetry 1.8
os-freeradius 1.10
os-ftp-proxy 1.0_4
os-gdrive-backup 1.0
os-git-backup 1.1_2
os-haproxy 4.6_2
os-homeassistant-maxit 1.0
os-igmp-proxy 1.5_6
os-intrusion-detection-content-et-open 1.0.2_2
os-intrusion-detection-content-ptopen 1.0
os-iperf 1.0_2
os-isc-dhcp-devel 1.0_3
os-mdns-repeater 1.2
os-nextcloud-backup 1.1
os-opnarp-maxit 1.0_4
os-q-feeds-connector 1.4
os-qemu-guest-agent 1.3
os-realtek-re 1.0
os-sftp-backup 1.1_2
os-smart 2.4
os-squid 1.4
os-tayga 1.3
os-telegraf 1.12.14
os-tftp 1.0
os-theme-advanced 1.1
os-theme-cicada 1.40
os-theme-flexcolor 1.0
os-theme-rebellion 1.9.4
os-theme-solarized-community 0.4_1
os-theme-tukan 1.30
os-theme-vicuna 1.50
os-udpbroadcastrelay 1.0_6
os-upnp 1.8
os-wol 2.5_3
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.r2_2 has 67 dependencies to check.
Checking packages: .............
hostwatch-1.0.9 is not set to automatic
Checking packages: ....................................................... done
***DONE***
Don't know about the hostwatch thing. In fact, it is disabled, but last time I upgraded this way, it was enabled by default and I did not touch the setting.

Associated NAT firewall rules got disassociated and are editable, as expected.
#15
It seems there is no way I can disable the Qfeeds domain blocklist - the content of dnsbl.json is still there and used after uninstalling the Qfeeds plugins completely.

The only way I found is to recreate an empty dnsbl.json and restart Unbound.