Messages - LisaMT

#1
26.1, 26,4 Series / Re: OPENvpn settings
March 27, 2026, 01:15:28 AM
My OPNsense is a server, and when I travel I can connect to the OpenVPN server with my OpenVPN client config. All using Ubuntu 24.04.
Keep in mind the OpenVPN still works fine, but in OPNsense there's no longer a way to generate client configs and export them. YES I can create a new client config as an 'instance', but there doesn't seem to be a way to export that into a file that can be imported into NetworkManager.
In the previous OPNsense version the client config/export worked great.
#2
26.1, 26,4 Series / Re: Kea ipv4 broke in 26.1.5
March 27, 2026, 01:11:16 AM
I have a laptop that I occasionally use that has been on a working IP reservation for a long time.
Today I turned it on and was surprised to see it got an IP address in the restricted range (pool).
The MAC showed up in the Kea pool while the reservation also showed the correct MAC. My lease time is set very low, so when the system tried to renew it should have jumped to the reservation, but didn't.
With the IP set manually to the same one as the reservation, the system can now do updates.
#3
26.1, 26,4 Series / Kea ipv4 broke in 26.1.5
March 27, 2026, 12:05:21 AM
Kea has been working great, but I just updated to 26.1.5 and now Kea assigns an IP address from the pool even though there's a valid reservation for the device.
Restarted Kea, rebooted OPNsense and the device still gets an IP address in the network pool.
#4
26.1, 26,4 Series / OPENvpn settings
March 16, 2026, 04:41:48 PM
I've been using OpenVPN for a while fine. Today I was having a client issue and found out the way clients are set up has been VERY much changed.

Under VPN/client export I see my original VPN setting called 'LisaVPNclient' where I can export it. What I don't find is a way to EDIT those client settings.

Google says OPNsense now uses 'instances' for clients, so I started another client in there, but when I go to export it, the new instance does not show up.
So, where do we now export these new client 'instances'?
How can I edit existing clients that are shown on the export page?
#5
It is checked. See the screen shot. Today I added a block rule on the CAMERA net and the requests were still happening. So I disabled that DNAT and of course the redirects from the CAMERA net stopped.
Seems the DNAT rules ignore what interfaces you have selected. The CAMERA net should drop everything by default.
So DNAT rules happen before the other rules, AND ignore what interfaces are checked.
#6
Don't use Dnsmasq.  Kea/Unbound.
#7
Why would you have a hostname with a '.' at the end?  I'm running the same setup here, and Kea/Unbound work great.  Do you know what causes the '.' on the hostname?
#8
26.1, 26,4 Series / Re: [SOLVED] NTP Redirect via DNAT
February 19, 2026, 04:02:57 PM
I use this same thing for re-routing DNS, but the DNAT rule seems to ignore the interfaces selected: I had LAN only on the DNAT, and the rule still acts on the CAMERA interface. Hope that gets fixed soon.

Quote from: bamf on February 18, 2026, 10:51:31 AM
I use the following NAT rule for this:

Interface: LAN
Version: IPv4
Protocol: UDP
Destination Address: !LAN net
Destination Port: 123
Redirect Target IP: 192.168.100.1
Redirect Target Port: 123
#9
Quote from: franco on September 01, 2025, 08:51:14 AM
> I've removed the instances and it's still there.

That's why I said you need to disable the global wireguard enable toggle. Removing all instances is not enough for the group to disappear.

Cheers,
Franco

Just checked, I still show a WireGuard group. Maybe you could give some details on finding that 'global wireguard enable toggle'?
#10
Seems to still have this issue in 26.1.2_5
#11
Unbound works great with Kea DHCP. All devices are accessed by hostnames on the network. For those few whose names are duplicates, I add them to the override list; such as when a server has multiple names for clarity.

Dnsmasq is a last resort for me; I've used it for many years when forced to, but the other issues with it are simply not worth using it. True, if we were still running with 56k modems it was great.
#12
I'm still getting port forwarding messages in my log file that claim my 'Camera' network (which should be very isolated) has members trying to reach 8.8.8.8:53. 
The 'Camera' interface is NOT listed in the port forwarding rule.  Only the LAN and PHONE interfaces.  So why do the logs show the rule is acting on the 'Camera' interface? 
#13
I have a Destination NAT rule on two interfaces to redirect DNS to OPNsense for Unbound.
But it also redirects my camera net which is NOT in the redirect rule. So all the cameras are sending lots of DNS requests which they don't need.
#14
Found part of the problem: If I searched IP reservations for ESP, the entries showed up. But they were not listed in the table unless I searched for them. This explains why they kept getting their old reservations.

Once I found them by searching reservations, I was able to change them to their new IP addresses and NOW they do show up in the normal list.

Address 200 still is lost out there somewhere. But that address IS in the pool. Pool entries don't seem to show on the leases list.
Bug in the Kea lease listing.
#15
Modified 3 more of the IoT devices, and they still come up with their old IP addresses with nothing showing in the Kea leases.

As you can see, the devices are working, and the one on 200 is just a second IP for a device that has two ports.

[lisa@Legion-Pro-5 ~]$ nmap 192.168.10.90-254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-08 15:25 MST
Nmap scan report for ESP8266-5.flack.net (192.168.10.93)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-5.flack.net (192.168.10.93) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-7.flack.net (192.168.10.94)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-7.flack.net (192.168.10.94) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-8.flack.net (192.168.10.95)
Host is up (0.0066s latency).
All 1000 scanned ports on ESP8266-8.flack.net (192.168.10.95) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.10.200
Host is up (0.0049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 165 IP addresses (4 hosts up) scanned in 140.01 seconds
[lisa@Legion-Pro-5 ~]$