"
That is because OpnSense itself contacts internet sites via its WAN interface (and the MTU of that). Your LAN devices contact OpnSense with their respective LAN MTU size, which should match. If it does not, there is MSS clamping (if enabled) or else it can go wrong.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
25.7, 25.10 Series / Re: ISC deprecation issues
Today at 08:38:55 AM
Yes, I linked it in my first answer.
#3
25.7, 25.10 Series / Re: ISC deprecation issues
January 19, 2026, 08:24:55 PM
And the difference to DHCPv6-derived IPs is that SLAAC-provided IPs are pushed, i.e. they are applied immediately when the GUA prefix changes.
The only thing you do not have is "known" static IPv6s that you can reference in DNS names (because the prefix can change). Usually, you do not need them anyways, because you can always use the IPv4 for internal purposes in DNS. All of that is covered in the HOWTO I linked above.
The only thing you do not have is "known" static IPv6s that you can reference in DNS names (because the prefix can change). Usually, you do not need them anyways, because you can always use the IPv4 for internal purposes in DNS. All of that is covered in the HOWTO I linked above.
#4
25.7, 25.10 Series / Re: ISC deprecation issues
January 19, 2026, 07:25:10 PMQuote from: stanthewizzard on January 19, 2026, 07:13:54 PMevery server inside the lan (homelab) has a statiq IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients
fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.
But then, why / how do you rely on ISC DHCPv6?
I can see only two things it could provide: routeable IPv6 addresses, which can be handed out via SLAAC as well and leases and/or reservations which allow to use internal DNS names (which you say you do not use).
Frankly, I do not get what you are missing.
#5
German - Deutsch / Re: Anfänger und sorry --- bekomme es nicht hin
January 19, 2026, 07:15:10 PM
Du kannst in Interfaces->Overview sehen, welche Interfaces online sind. Bei diesem Router-behind-Router-Setup benötigst Du Outbound NAT, wenn Du von "hinter" der OpnSense Internet-Zugriff haben willst. Und ja, das WAN-Gateway (wahrscheinlich 192.168.178.1) fehlt. Das wäre alles korrekt, wenn Du auf dem WAN nicht Static IP, sondern DHCPv4 eingestellt hättest.
Vielleicht liest Du mal dies: https://forum.opnsense.org/index.php?topic=39556
Vielleicht liest Du mal dies: https://forum.opnsense.org/index.php?topic=39556
#6
German - Deutsch / Re: Anfänger und sorry --- bekomme es nicht hin
January 19, 2026, 02:40:45 PM
Die Bilder sind viel zu klein zum Lesen.
#7
25.7, 25.10 Series / Re: How to increase a proxmox VM disk and have opnsense/freebsd use the extra space
January 19, 2026, 10:35:55 AM
You should change the title to include "with an UFS install" - I think you need different (probably no steps at all) inside the VM for ZFS installs.
#8
25.7, 25.10 Series / Re: ISC deprecation issues
January 19, 2026, 10:19:58 AM
There is a problem with your approach with ISC DHCPv6 as well: The prefix change will potentially go unnoticed for as long as your lease time, because your clients will use the old prefix for as long.
With dynamic IPv6 prefixes, you basically have two choices:
a. Use SLAAC in "assisted" mode, where DHCPv6 only supplies the DNS server (besides RDNSS) - if at all, because DNSv4 is sufficient to supply both IPv4 and IPv6 resolution. This is the safest/easiest approach and shown here. Any local traffic is done via IPv4, such that you do not need DHCPv6 to supply specific IPv6 to your devices in order to adress those in DNS.
b. If you need to have fixed IPv6, you will need to use some adresses on top of GUA that you can use for internal DNS purposes. Keep in mind that ULA will probably not work, because it is prioritized lower than even IPv4. Still, you can use any unused IPv6 prefix.
With dynamic IPv6 prefixes, you basically have two choices:
a. Use SLAAC in "assisted" mode, where DHCPv6 only supplies the DNS server (besides RDNSS) - if at all, because DNSv4 is sufficient to supply both IPv4 and IPv6 resolution. This is the safest/easiest approach and shown here. Any local traffic is done via IPv4, such that you do not need DHCPv6 to supply specific IPv6 to your devices in order to adress those in DNS.
b. If you need to have fixed IPv6, you will need to use some adresses on top of GUA that you can use for internal DNS purposes. Keep in mind that ULA will probably not work, because it is prioritized lower than even IPv4. Still, you can use any unused IPv6 prefix.
#9
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 19, 2026, 09:58:57 AM
Potentially yes, but depending on working PMTUD, some sites work with the wrong MTU and some do not.
#10
25.7, 25.10 Series / Re: [SOLVED] How can I automatically restart wg instance, if gw down?
January 19, 2026, 09:55:48 AM
Your assessment:
is almost surely wrong. The way the cron script detects if a wireguard connection is stale is by looking at the last handshake age and see if it is too old (> 135s). That way, you can be sure that there is still an ongoing wireguard connection. It is beyond me how that handshake should occur with the gateway down.
You can check this yourself:
https://github.com/opnsense/core/blob/ade7e9e9c7887978abf3f425c57def324ebcac03/src/opnsense/scripts/wireguard/reresolve-dns.py
The command for testing is "/usr/bin/wg show all latest-handshakes" and the last column is compared against "date +%s". If the difference is > 135, the connection is restarted. Of course, this can take up to ~2 minutes and also, if the drop is caused by the remote side changing its IP and DNS caching gets in the way, for an even longer time, because multiple tries must be taken until the connection gets up again.
If I am wrong, please create a bug report on github.
Quote from: tessus on January 19, 2026, 08:36:11 AMUnfortunately none of the solutions here worked. The Renew DNS for Wireguard on stale connections cronjob doesn't work in my case, because wg reports the connection as active (not stale) even though the gateway is down. So the action that should be triggered to restart the wg service is not triggered.
is almost surely wrong. The way the cron script detects if a wireguard connection is stale is by looking at the last handshake age and see if it is too old (> 135s). That way, you can be sure that there is still an ongoing wireguard connection. It is beyond me how that handshake should occur with the gateway down.
You can check this yourself:
https://github.com/opnsense/core/blob/ade7e9e9c7887978abf3f425c57def324ebcac03/src/opnsense/scripts/wireguard/reresolve-dns.py
The command for testing is "/usr/bin/wg show all latest-handshakes" and the last column is compared against "date +%s". If the difference is > 135, the connection is restarted. Of course, this can take up to ~2 minutes and also, if the drop is caused by the remote side changing its IP and DNS caching gets in the way, for an even longer time, because multiple tries must be taken until the connection gets up again.
If I am wrong, please create a bug report on github.
#11
German - Deutsch / Re: Alte Hostnamen im Netz
January 18, 2026, 09:08:48 PM
Ja, klar. Die Namen können immer noch im Leasefile stehen, beispielsweise passiert das, wenn man bei ISC einen Lease in eine Reservierung ändert, die eine andere IP hat. Ich habe den alten Mist immer aus den Dateien manuell rausgelöscht (dazu musst Du den Daemon aber erstmal stoppen, sonst schreibt er das selbe wieder rein).
Ob sich das allerdings noch wirklich lohnt, ist die Frage, in 26.1. (also in knapp zwei Wochen) wandert ISC DHCP in die Plugins und wird nur nicht mehr supported. Ich würde empfehlen, die Gelegenheit zu nutzen und auf Kea oder DNSmasq umzustellen.
Ob sich das allerdings noch wirklich lohnt, ist die Frage, in 26.1. (also in knapp zwei Wochen) wandert ISC DHCP in die Plugins und wird nur nicht mehr supported. Ich würde empfehlen, die Gelegenheit zu nutzen und auf Kea oder DNSmasq umzustellen.
#12
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 18, 2026, 09:05:18 PM
Yes, that is expected if anywhere between you and 8.8.8.8 there is a limitation of 1492 bytes (probably imposed by your ISP). That also means your settings of 1512 do not work and you cannot use 1500 bytes MTU on either OpnSense WAN or LAN, you should set them to 1492 and be content with it.
#13
General Discussion / Re: NEED WITH HELP OPNSENSE CONFIG.(Modem>Opnsense firewall>managedSwitch>OpenwrtAP)
January 18, 2026, 08:19:27 PM
For starters, you have got a few problems here:
a. That video of the HomeNetworkGuy handles an internet connection with DHCP only, not with PPPoE - so, you cannot follow this from the very start. That is the problem with many of these video guides: They show one specific setup - in reality, every setup is different and you will have to know what your are doing.
b. Speaking of this, the question you ask about IPs clearly show that you have little to no networking skills. Different networks (like WAN with the modem and LAN with your switch and/or AP) not only have different IPs, but even different IP ranges. So, you cannot have 192.168.1.1 for the modem, 192.168.1.2 for OpnSense WAN and also 192.168.1.x for anything that connects to your LAN (like the switch and AP). Besides that, OpnSense has an IP for every which interface, say 192.168.2.1 for LAN.
c. If you aim to learn while your regular network does not get interrupted, you should consider to use OpnSense behind your ISP router first. That way, you can try out these things. However, that is what is called a "router-behind-router" scenario, which in some ways is even harder to understand than a normal setup.
You could start with this post for hints and the official OpnSense docs, I do not recommend YT videos or AI to learn this. YT videos cannot cover every variant, like you see and AI is wrong most of the time.
However, you will find that it may take you serious time to learn the skills to master this. OpnSense is a professional tool, not your average consumer appliance.
a. That video of the HomeNetworkGuy handles an internet connection with DHCP only, not with PPPoE - so, you cannot follow this from the very start. That is the problem with many of these video guides: They show one specific setup - in reality, every setup is different and you will have to know what your are doing.
b. Speaking of this, the question you ask about IPs clearly show that you have little to no networking skills. Different networks (like WAN with the modem and LAN with your switch and/or AP) not only have different IPs, but even different IP ranges. So, you cannot have 192.168.1.1 for the modem, 192.168.1.2 for OpnSense WAN and also 192.168.1.x for anything that connects to your LAN (like the switch and AP). Besides that, OpnSense has an IP for every which interface, say 192.168.2.1 for LAN.
c. If you aim to learn while your regular network does not get interrupted, you should consider to use OpnSense behind your ISP router first. That way, you can try out these things. However, that is what is called a "router-behind-router" scenario, which in some ways is even harder to understand than a normal setup.
You could start with this post for hints and the official OpnSense docs, I do not recommend YT videos or AI to learn this. YT videos cannot cover every variant, like you see and AI is wrong most of the time.
However, you will find that it may take you serious time to learn the skills to master this. OpnSense is a professional tool, not your average consumer appliance.
#14
25.7, 25.10 Series / Re: 25.7.11 GeoIP
January 18, 2026, 01:20:18 PM
No, no change there. Yet, for me, GeoIP works fine.
#15
25.7, 25.10 Series / Re: 25.7.11 GeoIP
January 18, 2026, 12:57:37 PM
Maybe you wanted to block certain regions from accessing your forwarded ports and forgot that implicit NAT rules are prioritized over interface rules?
In order to make that work, you need to create floating block rules for your WAN interface or use the inverted range in the source part of your NAT rules.
In order to make that work, you need to create floating block rules for your WAN interface or use the inverted range in the source part of your NAT rules.
