Messages - vk2him

#1
Thanks for the help @dseven - I realised I made a typo when renaming - I used mimugmail_full.conf instead of mimugmail-full.conf

After renaming it correctly to mimugmail-full.conf, the ipv6 connectivity audit now works, and the mimugmail repo passes under ipv4.

Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .... done
Processing entries: .......... done
mimugmail repository update completed. 189 packages processed.
Updating ntop repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: . done
Processing entries: . done
ntop repository update completed. 6 packages processed.
All repositories are up to date.

mimugmail repo update fails under ipv6, which I think is correct as the mimugmail url is only accessible via ipv4.

Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
Updating mimugmail repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository mimugmail has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository mimugmail
Updating ntop repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: . done
Processing entries: . done
ntop repository update completed. 6 packages processed.
#2
Thanks guys, yes I'm running AdGuard Home - strange as I've been running AGH and ipv6 for a long time and the ipv6 Connectivity Audit always worked for ipv6 until recently.

I just tried renaming mimugmail.conf to mimugmail-full.conf and the ipv6 Connectivity Audit then worked, however it wasn't able to perform the mimugmail repository update as it couldn't find the mimugmail.conf, so I reverted the name back to mimugmail.conf

I also noticed I had the priority: for mimugmail.conf set to 5, so I changed that to 150 however the ipv6 connectivity audit still failed.

I wonder if it is possible to force the ipv6 connectivity audit to use the same config that is used for ipv4?

#3
I've noticed a connectivity audit indicates I have no ipv6 connection, even though I have ipv6 working fine on my system. I can ping6 and traceroute6 from opnsense ssh and from a client without issue, and the correct ipv6 firewall rules are enabled.

test-ipv6.com also reports ipv6 is working.

Here is the output - is opn-repo.routerperformance.net the correct repo for ipv6 as a google search indicates it only has an ipv4 address?

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.8_5 (amd64) at Sat May 30 11:45:49 AEST 2026

Current repository configuration:
/usr/local/etc/pkg/repos/FreeBSD.conf:
FreeBSD: { enabled: no }
FreeBSD-kmods: { enabled: no }
/usr/local/etc/pkg/repos/OPNsense-aux.conf:
OPNsense-aux: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/aux",
  signature_type: "fingerprints",
  priority: 11,
  enabled: no
}
/usr/local/etc/pkg/repos/OPNsense.conf:
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}
/usr/local/etc/pkg/repos/mimugmail.conf:
mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo/${ABI}",
  priority: 5,
  enabled: yes
}

/usr/local/etc/pkg/repos/ntop.conf:
ntop: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/ntop",
  url: https://packages.ntop.org/FreeBSD/${ABI}/latest,
  signature_type: "fingerprints",
  priority: 100,
  enabled: yes
}

Checking connectivity for host: opn-repo.routerperformance.net -> 46.16.78.247
PING 46.16.78.247 (46.16.78.247): 1500 data bytes
1508 bytes from 46.16.78.247: icmp_seq=0 ttl=48 time=251.814 ms
1508 bytes from 46.16.78.247: icmp_seq=1 ttl=48 time=251.098 ms
1508 bytes from 46.16.78.247: icmp_seq=2 ttl=48 time=251.640 ms
1508 bytes from 46.16.78.247: icmp_seq=3 ttl=48 time=251.238 ms

--- 46.16.78.247 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 251.098/251.448/251.814/0.291 ms

Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ... done
Processing entries: .......... done
mimugmail repository update completed. 189 packages processed.
Updating ntop repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: . done
Processing entries: . done
ntop repository update completed. 6 packages processed.
All repositories are up to date.

No IPv6 address could be found for host: opn-repo.routerperformance.net

Checking server certificate for host: opn-repo.routerperformance.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E7
verify return:1
depth=0 CN = opn-repo.routerperformance.net
verify return:1
DONE
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
#4
Thanks Franco,

To avoid any doubt, could the message be:

"Version x.y.z is correct for OPNsense a.b.c_d" ?

Cheers
#5
Excellent - many thanks.

I should have mentioned that my initial attempt to update to 28.1.8_5 from 28.1.7 hung, so I tried the update again from the ssh menu and it worked there.

I wondered if the aborted update had "broken" the kernel.
#6


I recently updated to 26.1.8_5 and the health audit I just ran displayed the kernel is 26.1.7 - is this correct?

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.8_5 (amd64) at Sat May 23 19:50:23 AEST 2026
>>> Root file system: zroot/ROOT/know_working
>>> Check installed kernel version
Version 26.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
mimugmail (Priority: 5)
ntop (Priority: 100)
>>> Check installed plugins
os-adguardhome-maxit 1.16
os-cpu-microcode-intel 1.1
os-gdrive-backup 1.0_1
os-homeassistant-maxit 1.0
os-isc-dhcp 1.0_4
os-lldpd 1.2
os-net-snmp 1.6_1
os-ntopng 1.3
os-nut 1.9_1
os-openvpn-legacy 1.0_1
os-q-feeds-connector 1.6
os-redis 1.1_4
os-smart 2.4
os-speedtest-community 0.9_6
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ....
os-adguardhome-maxit-1.16: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome
os-adguardhome-maxit-1.16: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome.sig
Checking all packages....
os-speedtest-community-0.9_6: checksum mismatch for /usr/local/opnsense/scripts/OPNsense/speedtest/opn_speedtest.py
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***



#7
Quote from: DEC740airp414user on March 11, 2026, 11:00:54 PM
you mean unbound- advanced area correct?

No - I mean within the Security --> Q-feeds Connect --> Events tab

That's what you posted in your first screenshot?
#8
Quote from: DEC740airp414user on March 11, 2026, 11:00:54 PM
Should events be populating?

Do you have logging enabled? If I turn off logging, then I don't see any events in that tab just like you even though the number in the widget increases. I normally have logging off to prevent wear on my eMMC memory which is where the logs are written on my Protectli host.
#9
I had a faulty HDD on my OPNSense device a few weeks ago that was reporting many errors. I did a config backup, then replaced the faulty drive and reinstalled opnsense and restored the old config. This was on the 25.x firmware just before 26.1 was released.

I then started to have regular IPV6 WAN problems where it seems the DHCP lease isn't being renewed at the ISP side, so IPv6 WAN goes down.

Software reboot doesn't fix it, in fact it doesn't get any IP4 or 6 address after a soft reboot. The only (temporary) fix is a hard power cycle.

I've tried swapping the WAN port to a different NIC but no difference is seen.

I upgraded to 26.1 with no errors, however the IPv6 drops still occur.

I'm wondering if the config is somehow corrupt from the HDD errors, but if so why would it work for days and then fail?

Does anyone have any suggestions please.
#10
Quote from: trdeal on February 05, 2026, 11:08:59 AM
the firewall itself is not honouring the MTU/MSS settings on the WAN interface and is thus failing in its IPv6 connectivity.

Have you tried deleting the MSS and MTU settings you manually entered? My settings have nothing in the values for MSS/MTU in the WAN config and my Connectivity Audit doesn't fail
#11
I had no issues when upgrading from 25.7.11 -> 26.1 -> 26.1_4; however, after upgrading today to 26.1.1, I had no WAN ipv4 connection.

A software restart via GUI didn't resolve, in fact after the restart many services were not running as could be seen in the Dashboard widget.

I then tried to physically power off my machine (Protectli 2410) and noticed it was extremely hot and it didn't respond to my pressing the power on/off button.

After I pulled the power cable and reinserted it, the system rebooted and everything came up OK including WAN etc. and the temperature went back down to normal levels

Very strange, I've never experienced that before.
#12
Quote from: Q-Feeds on January 31, 2026, 11:07:50 PM
This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH?

Yes, you're correct - after a bit more checking, it seems the Warning for that website was generated by my browser natively, or via an add-in (Brave) - I could see within the AGH log that it actually blocked access. When I tried Safari, I didn't get the warning as it must not have the same website checking, and again AGH blocked it. Sorry for my misunderstanding :)
#13
Quote from: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound. I'm running OPNsense 25.7.11_9-amd64 with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem URLs posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx


#14
Quote from: Patrick M. Hausen on January 30, 2026, 11:43:18 AM
/boot/efi/efi/freebsd/loader.efi and /boot/efi/efi/boot/bootx64.efi should be identical, although only one will be used. Which one depends on your BIOS and its settings.

I've now ensured that both are identical - I think I should be ok now - thanks for your assistance @Patrick
#15
Quote from: Patrick M. Hausen on January 30, 2026, 11:25:57 AM
ZFS pool upgrades are never applied automatically. You need to explicitly use "zpool upgrade zroot". And if you do this, then remember to also upgrade your boot loader.

As further context to my question, coincidentally today the second of two disks in my ZFS Raid pool died, so rather than replace it, I detached it from the pool and did a zpool update. However I didn't upgrade the boot loader as I overlooked that step :(

I tried to reboot but it failed as it couldn't find a bootable disk, so I booted off usb and copied the loader.efi from the usb to /boot/efi/efi/boot/bootx64.efi - that's probably why that file has today's date.

The pool is showing no errors now:
# zpool status
  pool: zroot
 state: ONLINE
  scan: resilvered 4.26G in 20483 days 03:18:56 with 0 errors on Fri Jan 30 14:19:00 2026
config:

NAME        STATE     READ WRITE CKSUM
zroot       ONLINE       0     0     0
  ada0p4    ONLINE       0     0     0

errors: No known data errors

So I'm now assuming I'll need to copy it to /boot/efi/efi/freebsd/loader.efi as that file is from 2022?



Thanks