Messages - LisaMT

#1
I have a Destination NAT rule on two interfaces to redirect DNS to OPNsense for unbound.
But it also redirects my camera net which is NOT in the redirect rule.  So all the cameras are sending lots of DNS requests which they don't need. 
#2
26.1 Series / Re: kea IPv4 re-arranged Missing Leases
February 08, 2026, 11:51:22 PM
Found part of the problem:  If I searched IP reservations for ESP, the entries showed up.  But they were not listed in the table unless I searched for them.  This explains why they kept getting their old reservations.

Once I found them by searching reservations, I was able to change them to their new IP addresses and NOW they do show up in the normal list.

Address 200 still is lost out there somewhere.  But that address IS in the pool.  Pool entries don't seem to show on the leases list.
Bug in the kea lease listing.
#3
26.1 Series / Re: kea IPv4 re-arranged Missing Leases
February 08, 2026, 11:32:58 PM
Modified 3 more of the IOT devices, and they still come up with their old IP addresses with nothing showing in the Kea leases.

As you can see, the devices are working, and the one on 200 is just a second IP for a device that has two ports. 


[lisa@Legion-Pro-5 ~]$ nmap 192.168.10.90-254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-08 15:25 MST
Nmap scan report for ESP8266-5.flack.net (192.168.10.93)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-5.flack.net (192.168.10.93) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-7.flack.net (192.168.10.94)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-7.flack.net (192.168.10.94) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-8.flack.net (192.168.10.95)
Host is up (0.0066s latency).
All 1000 scanned ports on ESP8266-8.flack.net (192.168.10.95) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.10.200
Host is up (0.0049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 165 IP addresses (4 hosts up) scanned in 140.01 seconds
[lisa@Legion-Pro-5 ~]$
#4
26.1 Series / Re: kea IPv4 re-arranged Missing Leases
February 08, 2026, 10:19:54 PM
I had the device disconnected for 30 minutes.  After plugging it back in it again got its old address 192.168.10.92.  The Kea pool is 200-254.  There's no entry in reservations for this device, so it should get a 2XX address.  This worked before upgrading to 26.1.1.


INFO [kea-dhcp4.leases.0x1d1fe1877008] DHCP4_LEASE_ALLOC [hwtype=1 d8:f1:5b:0e:ab:18], cid=[01:d8:f1:5b:0e:ab:18], tid=0x2e37506c: lease 192.168.10.92 has been allocated for 600 seconds
#5
26.1 Series / kea IPv4 re-arranged Missing Leases
February 08, 2026, 09:46:18 PM
Today I finally re-organized my IP address ranges.  In doing so, I noticed that devices on the net that are assigned from the Kea pool no longer show up under Kea/Leases.

Specifically I have 5 IOT things out there that have remained on their old IP addresses, and also don't show up on the leases.  They work fine, and I can ping/use all of them.

Before starting this change, I set the lease time to 600 seconds so devices should get their new address quite quickly.  So far these IOT things have not.  I reset the IOT things and they come back up with their old original IP addresses.
#6
DNSmasq has always given me issues.  I only run unbound and it resolves everything on my network.  For duplicates (like multiple names for a server), I just put an entry in Unbound/overrides
#7
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100% CPU
January 23, 2026, 02:47:30 AM
My system crashed today.  Thanks for all the notes on here.  I disabled the hostwatch and logs and it's running again. 
There should be some indicator on the dashboard that monitors disk usage better.
#8
25.7, 25.10 Series / Re: Firewall Rule using ports fails
December 13, 2025, 07:10:04 PM
Thanks, I'll look at that.
#9
25.7, 25.10 Series / Re: Firewall Rule using ports fails
December 13, 2025, 01:51:37 AM
IPv4 TCP/UDP   LAN net   *   *   SafePorts   *   *   Allow Safe Ports (80, 443)
IPv4 TCP/UDP   TVs   *   *   TVPorts   *   *   Allow TV's to their ports (Bunch of ports) Including 80 and 443
IPv4 *   *   *   *   *   *   *   Block LAN Traffic

TV's are on .63-.65

I added the t65tv temporarily to allow to anywhere.  I'll check the logs and see if it shows.


LAN In 2025-12-12T17:35:30-07:00 TCP 192.168.10.63:55129   63.34.182.173:443   block   Block LAN Traffic
LAN In 2025-12-12T17:35:30-07:00 TCP 192.168.10.63:55129   63.34.182.173:443   block   Block LAN Traffic
LAN In 2025-12-12T17:27:34-07:00 TCP 192.168.10.63:39114   34.160.212.185:443   block   Block LAN Traffic
LAN In 2025-12-12T17:27:34-07:00 TCP 192.168.10.63:39114   34.160.212.185:443   block   Block LAN Traffic
LAN In 2025-12-12T16:57:35-07:00 TCP 192.168.10.63:57909   174.129.18.38:443   block   Block LAN Traffic
#10
I switched my ISP router to transparent bridging mode.  Then let OPNsense do everything.
#11
25.7, 25.10 Series / Firewall Rule using ports fails
December 12, 2025, 08:14:42 PM
I have an early general firewall rule that allows LAN traffic to ports in an alias 'safe ports' (80 443)

The last firewall rule denies traffic to anywhere.  "Block LAN Traffic"

LAN is subnet 192.168.10.0/24

In the logs I'm seeing the following getting blocked on the last rule like this:

LAN In 2025-12-12T12:00:39-07:00 TCP 192.168.10.63:40982   34.160.212.185:443   block   Block LAN Traffic

The earlier rule should have passed this.

Not sure why?
#12
Thanks!  I'll ignore them!
#13
25.7, 25.10 Series / Re: Wireguard Group still there?
September 01, 2025, 01:40:05 AM
Globally removed?  I've removed the instances and it's still there.  I'll see if I missed something.  I remember when I was installing it there were some other changes.  Thanks for the help.
#14
enc0
pflog0
wan_stf

#15
25.7, 25.10 Series / Wireguard Group still there?
August 28, 2025, 06:05:51 PM
I switched from Wireguard to OpenVPN, and the wireguard group is still showing.  How can I remove it?