Messages

Hi, I migated an exisitng installation from kea dhcp to dnsmasq a couple of days before. Today I came across these errors in the logs:

Code Select Expand

2025-07-31T16:56:56Erroropnsense/usr/local/sbin/pluginctl: The command '/usr/local/etc/rc.d/dnsmasq stop' returned exit code '1', the output was 'dnsmasq not running? (check /var/run/dnsmasq.pid).'
2025-07-31T16:53:48Erroropnsense/usr/local/sbin/pluginctl: The command '/usr/local/etc/rc.d/dnsmasq stop' returned exit code '1', the output was 'dnsmasq not running? (check /var/run/dnsmasq.pid).'
2025-07-30T01:32:27Erroropnsense/usr/local/sbin/pluginctl: The command '/usr/local/etc/rc.d/dnsmasq stop' returned exit code '1', the output was 'dnsmasq not running? (check /var/run/dnsmasq.pid).'
How can I find details about them and debug them?

Thanks for the suggestion. I have came across the concept of the !rfc1918 rule before. Haven't tried yet though.

So, the conclusion is that the zones setup guide in the docs is incomplete, the zones setup using floating rules is not optimal and better follow a more traditional approach regarding the vlan isolation I am looking for.

Man, not sure I follow, sorry.

If a default "allow all" rule, floating or per vlan, is needed to access the internet, how am I going to block my untrusted vlans to access my trusted ones?

Thanks for explaining the quick vs non-quick rules and their processing order.

If you're using ISC, it registers automatic DHCP rules.  Kea and Dnsmasq do it by default unless you disable the option in the service settings.  I think there might be a nuance with Dnsmasq where it only auto-registers the DHCP rules if you select specific listen interfaces, but won't do it if you leave it on 'All' interfaces.

I am using KEA DHCP and I have the option to create firewall rules enabled, so this should not be a problem.

DNS rules may or may not be needed, depending on how you set up your access rules and where your DNS server is.  If you have a typical "Allow any" rule and your DNS isn't on a blocked network, then probably not needed.

I think this might be the problem... Should I also have an "allow any" per each interface, apart of the floating ones? And this "allow any" rule should be quick or non-quick?


Anyway, I am using a WAN PPPoE interface (vdsl) and several VLAN interfaces. No plain LAN as opnsense is virtualized and runs with one physical adapter only. Below are photos of my 3 firewall groups, the 4 floating firewall rules related to these groups and the rules that are picked up by vlan20 interface. There is also an "allow any" quick rule specific for that interface. If I remove/disable the "allow any" rule from the vlan20 interface, then access to the internet is blocked.

Is anyone going to fix the version typo on the title of this thread?

I have several vlans on my local network. I am trying to use the Security Zones guide to only allow specific vlans to access other vlans and also allow internet access to all vlans.

I have created 3 groups, trusted internal (secure vlans), untrusted internal (unsecure vlans) and external (wan, wireguard).

I created the ICMP rules as described in the guide, as well as a floating rule which allows all internal networks (trusted and untrusted) to access the external ones (internet). This does not seem to work correctly, as none of my vlans have internet access. In live log, I never see my floating rules being mentioned and I mostly see the "Default deny / state violation rule" auto-generated rule that blocks traffic.

The floating rules are picked up correctly as they are listed for each vlan interface, but they show below the auto-generated rules. How are the floating allow rules supposed to work if the they are processed after the auto-generated ones (and specifically the ones that blocks everything)?

Can anyone help me understand what's wrong? Do I also need to add a separate rule for each interface or something?

EDIT: Do I also need to add rules for DNS and DHCP for each zone?

3) Spend EUR 250 on a SFP+ ONT transceiver that I can use to plug in the fibre directly to Opnsense and put in the PPPoE credentials.

Maybe your DIGI router has a PPPoE passthrough option, so you can do no3 without the need of an ONT. Most providers allow for a 2nd PPP call to be made.