Messages

We hotfixed it today, search for updates.

It was a very KEA thing, here some references:
https://github.com/opnsense/core/pull/10297

Thanks for letting me know. I had tried an update before posting incase there was a hotfix, but nothing showed up at first. I had to change my mirror back to default before the updates showed up.

All sorted now.

Thanks again.

Hi

I upgraded from 26.1.7 to 26.1.8 last night and all was OK initially. I did not rebout Opnsense after the upgrade as i'm not using Captive Portal (with or without IPv6).

This morning I restarted the firewall and when it came backup, the Kea DHCP service failed to start and I cannot start it manually.

Viewing log under services>>Kea DHCP shows nothing (it is blank - I cleared it before restarting Kea so I could see latest errors).

Viewing System>>Log File>>General shows the following (again cleared it before restarting Kea service)

Last day
2026-05-13T11:04:46Noticeopnsense/usr/local/sbin/pluginctl: plugins_configure kea_sync (execute task : kea_configure_do(1))
2026-05-13T11:04:46Noticeopnsense/usr/local/sbin/pluginctl: plugins_configure kea_sync (1)

To get my environment up an running again (all my devices use DHCP reservations), i had to quickly export my DHCP reservations from Kea, reformat them, and import them into DNSMasq which is have enabled for DHCP only.

I would prefer to keep using Kea instead of DNSMasq for DHCP.

How can I track down why Kea is no longer starting when the logs are not showing any info?

Is anyone else having similar issues with Kea after upgrading to 26.1.8?

Thanks in advance.

Update....got it sorted. I had to create the connection using override.conf file in /usr/local/etc/swanctl/conf.d

This allowed me to set the required proposal. Only minor drawback is the connection doesn't show up in the UI.

Tunnel is now up and I can route traffic from LAN to Azure, but not Azure to LAN :-(

Hi there,

I've been using a route-based IPsec S2S tunnel with Azure VPN Gateway (Basic SKU) for a while now. It's been working great, but I recently upgraded to version 25.1 and thought it was a good idea to switch to the new IPsec connections. I'm worried that the legacy tunnel settings might become deprecated soon, so I wanted to make the switch before it's too late.

I'm using the Basic SKU for Azure VPN, so I can't customise the IKE policies on the Azure side. I'm stuck with the settings that Microsoft allows by default.

I've tried setting up the new connection, but I keep getting an error saying that there are no valid IKE proposals available. Azure says that the following proposals are available:

IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

None of these proposals are available when I use the new IPsec connections, but they are available in the legacy tunnel settings.

Is it possible to add these proposals to OPNsense? If so, does anyone know how to do it?

Thanks a bunch!
FB

Update:

The hostname of the device has now changed in Zenarmor devices. I'm not sure what caused the change. I applied the latest hotfix for opnsense (24.7_9) and I also rebooted the firewall post update (I know that's not required, but i always like to reboot ASAP after an upgrade).

I don't know if it was the update (unlikely based on release notes), the firewall reboot, or if Zenarmor refreshes hostnames for devices periodically.

Hi

No, i mean the actual hostname that is shown under the device properties in Zenarmor. I have updated the name in Zenarmor to the correct new name, but the hostname is still showing as the old name.

I have attached a screenshot (some info redacted) that shows the Zenarmor device name and hostname mismatch.

I am a Zenarmor home subscriber and have a small issue with the 'Devices' feature.

I have changed the hostname of one of my devices but the hostname for the device is not updating in the devices list. I have removed the device, generated some traffic on the device to force it to appear again as a new device, marked it as a trusted device, but it is still showing the old hostname.

How do I update the hostname of the device in the Zenarmor device list or is there a method to force Zenarmor to re-query (reverse DNS lookup I assume) my DNS servers (unbound on Opnsense) to get the updated hostname?

Zenarmor is configured to use unbound DNS on Opnsense itself for DNS enrichment.

Performing a reverse DNS lookup of the IP address of the device that has had its hostname returns the correct hostname.

Thank you.

I originally installed Zenarmour using SQLite but I wanted more than 2 days data retention. Although my firewall is powerful enough to install elasticsearch (quad core, 8gb RAM), I preferred to keep Elasticsearch separate from my firewall, so I purchased a mini server to act as my Elasticsearch server (I will use it for other data logging as well now that I have it).

The install of Zenarmour went well and everything is working well as far as I can see but when I check the database in settings I get the following warning:

'We do not advise to set a data retention interval longer than 2 days for elasticsearchRemote backend'

It is currently set to 7 days.

Question; Why would using a much more powerful external Elasticsearch server for Zenarmor give a recommendation to only retain 2 days of logs while using Elasticsearch installed on the vastly less powerful firewall it is happy with a 7 day retention period?