Messages - OzziGoblin

#1
26.1 Series / Re: Firewall rules migration
January 24, 2026, 02:03:14 AM
Hi Team

I've tested upgrading successfully 3 times on different lab environments, but I'm confused as to why the fw rules continue to remain greyed out and uneditable once migrated and step 5 is complete. Am I missing something to complete the migration of fw rules?

Everything appears to function as expected although mine aren't complicated labs, but my main reason for testing was to see what happens with ISC DHCP and IPv6, which is working.

While I do appreciate all the effort that goes into the software and please I'm not disrespecting anyone, I'm not a fan of the new firewall interface to switch between networks, it's a lot of extra clicking to navigate now.  If it was possible to choose a default landing page rather than floating rules, it may help.  Happy to hear the reason for the change though.
#2
General Discussion / Re: Wireless Access Points
January 16, 2026, 04:46:57 AM
Unfortunately there is no network between levels, but I suspect that may resolve the issue I'm facing.

Thanks everyone else for your replies, I was hoping that there was some solution that avoided separate controllers as that's another level of management that needs to remain stable.
#3
General Discussion / Wireless Access Points
January 15, 2026, 03:32:42 AM
Hi everyone

I'm in need of some recommendations. Obviously, I'm using OPNsense as my firewall, but as I'm living in a double story home, I need a mesh wifi solution.  Currently I'm using 4 wifi APs so that I can separate IOT & Guest clients from home client devices.

Can anyone recommend some APs that I can use that will allow VLANs over wifi and still support a mesh system?

I've heard Ruckus can do this but I'd appreciate some feedback from the OPNsense community.

I'd like to replace the current system with 2 APs but I'd like to have more VLANs on the wireless network.
Does anyone have any recommendations that they have successfully implemented?

thanks
#4
I'll second this!

I've done quite a bit of testing, moving from Adguardhome to unbound and its BLs. Even using the same BLs, with the URLs added to unbound to make them identical, I'm still getting ads coming through when using unbound that I don't when using Adguardhome.
A restart of OPNsense also doesn't appear to make any difference, nor does clearing the local client DNS cache and browser cache or rebooting the client.

I'll give it a second go after the next upgrade
#5
Thanks for the reply and info Franco
#6
25.7, 25.10 Series / What is going to happen to ISC DHCP?
November 12, 2025, 01:47:39 AM
Hello Franco

Sorry to direct this to you, I know you're busy.

  • Could you please tell me what the plan is for DHCP ISC?  
  • I know it will be retired and become a plugin, but when will this happen?  
  • Will we need to change any configurations to keep it running or will it continue as already implemented?

I know I should be moving off it, but after spending too many days implementing, configuring and troubleshooting it due to encountering problems with DHCPv6, I've given up.

Unless there are serious security risks, I'm going to keep using ISC, but I would like to know the plan moving forward with it.

thanks 
#7
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 08, 2025, 02:18:18 AM
ok, thanks for all your patience with me Maurice, you've been a big help
#8
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 08, 2025, 02:05:46 AM
Sorry, I don't mean to appear rude, but wasn't the point of migrating to dnsmasq to remove dependency on ISC so it can be removed at the next major update?

thanks
#9
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 08, 2025, 02:00:18 AM
Yip, they are configured exactly like that :-)

But then dnsmasq isn't assigning the ipv6 address is it?
#10
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 08, 2025, 01:23:59 AM
that would mean I can't remove isc dhcpv6 or the router advertisement service as it's enabled when tracking is enabled.

So it would seem that dnsmasq is not able to completely replace ISC yet?
#11
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 08, 2025, 01:11:38 AM
Unfortunately I'm not having any success with this.

Router Advertisements in general settings is enabled, although I didn't believe this was required if configured on each interface, when reading the help for the setting.
WAN interface IPv6 is set to DHCPv6
LAN Interface IPv6 configuration is set to none, so no entry available for ISC DHCPv6 or Router Advertisements.

Re the DNSMASQ RA configuration I've tried all the options and no IPv6 address is assigned to the client.

I'm starting to think that dnsmasq is incapable of assigning an ipv6 address to the clients.

Where am I going wrong?
#12
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 07, 2025, 06:27:13 AM
Hi Maurice

Thanks for the help.

I'd like to remove all dependencies on the old ISC, so I've removed DHCP6 from the interface.  I'm now only left with the dnsmasq config.
I've tried the suggestions you've given me, but I don't get an IPv6 address on that interface anymore.

Just to clarify, I specify the same interface for the constructor?
And should the WAN interface still be set to DHCPv6, and if it changes, what should I set it to, SLAAC?  My ISP supports SLAAC and I currently get a /48 via DHCPv6.
thanks


#13
thanks team the upgrade to OPNsense 25.7.7 went perfectly
#14
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 07, 2025, 01:42:09 AM
Right here is an update on the second migration attempt...

I have IPv4 working
IPv6 addresses are being assigned from the interfaces, which are set to track the wan. 
However, there are no IPv6 leases being registered in dnsmasq.  The only way I am able to get the leases registered is if I enter start and end IPv6 addresses, which adds an EXTRA IPv6 address to each device.

here are the settings on the DHCP range that I'm applying (can't seem to include an image for some reason?)

start address ::3000
end address ::4000
constructor - same as Interface
RA Mode slaac, ra-names
Domain Type - Interface

With the above configured, I get the IPv6 address registered, which looks something like this - xxxx:xxxx:c3ca:dd30::33cc

on the client I have the following now

DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : xxxx:xxxx:c3ca:dd30::33cc(Preferred)        EXTRA IPv6 Address  ************
  Lease Obtained. . . . . . . . . . : Friday, 7 November 2025 11:28:33 AM
  Lease Expires . . . . . . . . . . : Friday, 7 November 2025 11:33:33 AM
  IPv6 Address. . . . . . . . . . . : xxxx:xxxx:c3ca:dd30:1a5d:5283:b231:d91a(Preferred)
  Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:f53a:fe3d%3(Preferred)
  IPv4 Address. . . . . . . . . . . : 10.0.30.2(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Friday, 7 November 2025 11:30:25 AM
  Lease Expires . . . . . . . . . . : Friday, 7 November 2025 11:35:24 AM
  Default Gateway . . . . . . . . . : xxxx::xxx:xxxx:fe01:82c6%3
                                      10.0.30.1
  DHCP Server . . . . . . . . . . . : 10.0.30.1
  DHCPv6 IAID . . . . . . . . . . . : 194570051
  DHCPv6 Client DUID. . . . . . . . :
  DNS Servers . . . . . . . . . . . : xxxx:xxxx:c3ca:dd30:2e2:59ff:fe01:82c6
                                      10.0.30.1
                                      xxxx:xxxx:c3ca:dd30:2e2:59ff:fe01:82c6
  NetBIOS over Tcpip. . . . . . . . : Enabled

Does anyone know how to resolve the IPv6 address registration issue and remove the extra address?

thanks
#15
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 04, 2025, 10:32:53 PM
Thanks, I did follow this guide

I'll be interested to hear how your migration goes, specifically around the interface IPv6 settings (tracking vs dhcp vs slaac) and the dnsmasq IPv6 dhcp ranges and their RA modes. Also whether you were able to completely remove ISC and dependency on the separate Router Advertisement service, as it's built into dnsmasq.
If you'd be willing to share how you went it would really be appreciated.  After spending too many hours researching, implementing and testing I wasn't able to get IPv6 working without duplicate addresses being assigned and Testipv6 failing so just reverted.

thanks