Messages - chrisgtl

#1
The interfaces were specified as VLAN2.

Yes, indeed my suspicions were correct. What I did was download a backup .xml and edit it so my VLAN2 was OPT1, VLAN6 OPT2, VLAN33 OPT3 etc.

Then spent about an hour changing all my broken firewall rules, NTP, DHCPs etc etc.....haha

Anyhow, both issues are now fixed. Shame we can't change OPT identifiers via WEBGUI - but then I guess it would break a lot of stuff without manual intervention.
#2
This is baremetal. Running latest.

Yesterday, I decided to finally remove the LAN/Native VLAN from my homelab - I did this so my traffic would show up correctly across my VLANs.

My new management VLAN is at VLAN2 (parent ix1) = 10.10.2.0/24

I also have VLAN6 (parent ix1) = 10.10.6.0/24 & VLAN33 (parent ix1) = 10.10.33.0/24


When I removed the LAN (ix1), I noticed some odd entries in the Destination NAT for the WEBGUI and SSH anti-lockout. Both are now on VLAN6 and I can't change them to VLAN2. Is this because my VLAN6 now has the lowest OPTx identifier?

OPT1 = VLAN6
OPT2 = VLAN33
OPT3 = Wireguard
OPT4 = VLAN2

I tried to disable both Anti-Lockout rules, which removed the entries but once I re-enabled - they both came back as VLAN6 as before. I rebooted in-between too to make sure.


The other thing I am struggling with is resolving opnsense.internal to 10.10.2.1

If I SSH in to opnsense and ping host (7), opnsense.internal resolves to 10.10.6.1 instead of 10.10.2.1

I don't have WEBGUI or SSH enabled on all interfaces so I have to SSH in via the IP instead of hostname.


My DNS is Technitium docker on VLAN6 using port 53. DNSmasq is listening on all interfaces using port 53053. Everything resolves correctly apart from opnsense.

#3
Is this guide still valid with the latest OPNsense build? I've been testing Technitium out on my unRAID server as a docker, and I must say - I am impressed.

I want to run this on my metal OPNsense box, but following the guide I am unable to progress further than the first steps due to:

lang/dotnet8 does not exist.
#4
Quote from: Seimus on October 22, 2025, 06:06:09 PM
Maybe as well additional info for those who don't read patch notes ;)

Q-Feeds is as well officially documented in OPNsense docs.

https://docs.opnsense.org/manual/qfeeds.html

Regards,
S.


I am guessing there is a critical error on the firewall rules setup instructions?
#5
I am using Caddy to get rid of the annoying HTTPS GUI risk errors for my switches, APs, HomeAssistant, unRAID, cameras etc.

Everything is working lovely, but my Caddy error log is constantly spammed with entries like this:

"warn","ts":"2025-06-25T10:07:59Z","logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"10.10.1.1:8443","duration":0.042737367,"request":{"remote_ip":"10.0.3.3","remote_port":"52165","client_ip":"10.0.3.3","proto":"HTTP/1.1","method":"GET","host":"opnsense.mydomain.net","uri":"/api/diagnostics/traffic/stream/1","headers":{"X-Forwarded-For":["10.0.3.3"],"Sec-Fetch-Dest":["empty"],"Priority":["u=4"],"Pragma":["no-cache"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"],"Accept":["text/event-stream"],"Referer":["https://opnsense.mydomain.net/ui/core/dashboard"],"X-Forwarded-Host":["opnsense.mydomain.net"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Cookie":["REDACTED"],"Via":["1.1 Caddy"],"Accept-Language":["en-GB,en;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Cache-Control":["no-cache"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"opnsense.mydomain.net"}},"error":"reading: context canceled"}
"debug","ts":"2025-06-25T09:33:14Z","logger":"http.handlers.reverse_proxy","msg":"streaming error","upstream":"10.10.6.2:80","duration":0.001746601,"request":{"remote_ip":"10.0.3.3","remote_port":"50503","client_ip":"10.0.3.3","proto":"HTTP/1.1","method":"GET","host":"unraid.mydomain.net","uri":"/graphql","headers":{"Accept":["*/*"],"Upgrade":["websocket"],"Sec-WebSocket-Key":["DGBO2HIVqUx6DeTiLcb+FQ=="],"Sec-Fetch-Site":["same-origin"],"Cookie":["REDACTED"],"Sec-WebSocket-Version":["13"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Connection":["Upgrade"],"Sec-Fetch-Dest":["empty"],"Pragma":["no-cache"],"Sec-WebSocket-Extensions":["permessage-deflate"],"X-Forwarded-For":["10.0.3.3"],"Sec-WebSocket-Protocol":["graphql-transport-ws"],"X-Forwarded-Host":["unraid.mydomain.net"],"Accept-Language":["en-GB,en;q=0.5"],"Via":["1.1 Caddy"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0"],"X-Forwarded-Proto":["https"],"Origin":["https://unraid.mydomain.net"],"Sec-Fetch-Mode":["websocket"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"unraid.mydomain.net"}}}
Can anyone shed any light on these errors even though everything appears to be working correctly?
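An added example, not from the post or from Caddy itself: a small Python triage script that reads Caddy reverse_proxy JSON log lines like the two above and separates client-cancelled long-lived streams (the OPNsense dashboard's text/event-stream traffic graph, unRAID's WebSocket upgrade on /graphql) from aborts on ordinary requests or upstream-side errors, which are the ones worth a look. The sample lines are constructed with placeholder hosts and addresses.

```python
import json

# Constructed sample lines, modelled on Caddy's reverse_proxy JSON log format
# (placeholder hosts and addresses; not the post's own entries).
SAMPLE_LOG = """\
{"level":"warn","ts":"2025-06-25T10:07:59Z","logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"10.10.1.1:8443","request":{"remote_ip":"10.0.3.3","host":"opnsense.example.net","uri":"/api/diagnostics/traffic/stream/1","headers":{"Accept":["text/event-stream"]}},"error":"reading: context canceled"}
{"level":"debug","ts":"2025-06-25T09:33:14Z","logger":"http.handlers.reverse_proxy","msg":"streaming error","upstream":"10.10.6.2:80","request":{"remote_ip":"10.0.3.3","host":"unraid.example.net","uri":"/graphql","headers":{"Upgrade":["websocket"],"Connection":["Upgrade"]}}}
{"level":"error","ts":"2025-06-25T10:08:30Z","logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"10.10.1.1:8443","request":{"remote_ip":"203.0.113.7","host":"opnsense.example.net","uri":"/api/core/menu/search","headers":{"Accept":["application/json"]}},"error":"reading: connection reset by peer"}
"""

def is_long_lived(request):
    """True when the client asked for a stream that normally ends by cancellation: SSE or WebSocket."""
    headers = request.get("headers", {})
    accept = " ".join(headers.get("Accept", [])).lower()
    upgrade = " ".join(headers.get("Upgrade", [])).lower()
    return "text/event-stream" in accept or "websocket" in upgrade

def classify(entry):
    """'expected' for a long-lived stream the client cancelled; otherwise 'investigate'."""
    request = entry.get("request", {})
    error = entry.get("error", "")
    cancelled = "context canceled" in error or entry.get("msg") == "streaming error"
    if is_long_lived(request) and cancelled:
        return "expected"
    return "investigate"  # abort on a plain request, or an upstream-side error (reset, timeout)

def triage(log_text):
    """Group reverse_proxy entries by verdict; lines that are not JSON are kept for review."""
    buckets = {"expected": [], "investigate": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            buckets["unparsed"].append(line)
            continue
        if entry.get("logger") != "http.handlers.reverse_proxy":
            continue
        req = entry.get("request", {})
        buckets[classify(entry)].append(
            (entry.get("ts"), req.get("remote_ip"), req.get("host"), req.get("uri"),
             entry.get("error", entry.get("msg"))))
    return buckets
```

Feed Caddy's JSON log to triage(); only the "investigate" and "unparsed" buckets need a human look, while "expected" is the dashboard and WebSocket chatter that fills the log when everything is working.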
#6
25.1, 25.4 Legacy Series / Re: Unbound to DNSMasq
June 02, 2025, 07:44:58 PM
Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM
Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.

Otherwise, you need this patch:

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8

With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).

Just finished doing this, thanks to your help. Everything working great, apart from my Blocklist now just gets ignored. Any way around this?