Messages - miketubby

#1
Quote from: hakuna on February 08, 2026, 12:37:53 PM
> I was already planning to replace my unmanaged Netgear with an SFP+ one (I am building a NAS, I don't need a 10G network but with everything going so sideways in price and HDDs already showing signs, I'd better do it now before network gear gets bitten by the AI bug also :-) )

I have a MikroTik CRS317 as my 10G core switch, which has 2 x Netgear GS728TXP, 2 x GS110TP and a GS316EP hanging off it, along with my NAS (10G interface) and my main Linux R&D box (10G interface).

I did as I suggested and use 10.xx.vv.0/24 subnets, where 'xx' is my site ID, and I keep the third octet of the IP address the same as the VLAN tag, so if 'vv' is 20 then it's on VLAN20 - it just makes it easy to remember.

If you're dual stack and are running IPv6 with a /48, then I partition at the /49 boundary and the bottom half is outside the firewall and the top half is inside, e.g. 2001:DB8:1234:8000::/49 is inside. Then I do the same trick and use the VLAN tag in the IPv6 /64s, so 2001:DB8:1234:8020::/64 is on VLAN20.

Keeps everything memorable.

I also look after five sites so we use different site codes and use WireGuard to link various VLANs over IPv4 or route over IPv6.

Mike
#2
While the underlying FreeBSD OS supports 'aliases' on network interfaces in a similar way to Linux, I'm not sure that all of the plumbing through OPNsense and Kea DHCP is in place to support it.

It would be a much better idea to use VLANs and perhaps declare your site as 10.19.0.0/16, since you used that IP range already, and then subnet into VLANs like:

vlan0.1   [DEFAULT] 10.19.1.0/24
vlan0.2   [MGMT]    10.19.2.0/24
vlan0.10  [LAB]     10.19.10.0/25
vlan0.254 [IOT]     10.19.254.0/24
vlan0.255 [GUEST]   10.19.255.0/24

then everything will fit together nicely ;-)

Mike
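The addressing scheme from the two posts above (site ID in the second octet, VLAN tag in the third; a /48 split at the /49 boundary with the VLAN tag written as decimal digits into the fourth hextet), as an added Python example that is not Mike's code: it derives the per-VLAN IPv4 and IPv6 prefixes, classifies an IPv6 address against the inside/outside /49 split, and recovers the VLAN tag from an address. The three-decimal-digit VLAN limit and the 2001:db8:1234::/48 site prefix are assumptions taken from the "8020 is VLAN20" convention in the post.

```python
import ipaddress


def ipv4_vlan_subnet(site_id: int, vlan: int, prefixlen: int = 24) -> ipaddress.IPv4Network:
    """10.<site>.<vlan>.0/<prefixlen>: the third octet is the VLAN tag, so the
    scheme only covers VLAN tags 1..255 (an octet cannot hold 4094)."""
    if not 0 <= site_id <= 255:
        raise ValueError(f"site id {site_id} does not fit the second octet")
    if not 1 <= vlan <= 255:
        raise ValueError(f"VLAN {vlan} does not fit the third octet")
    return ipaddress.IPv4Network(f"10.{site_id}.{vlan}.0/{prefixlen}")


def ipv6_vlan_subnet(site48: str, vlan: int, inside: bool = True) -> ipaddress.IPv6Network:
    """<site /48>:<side><vlan as three decimal digits>::/64, where side is 8 for
    the top /49 (inside the firewall) and 0 for the bottom /49 (outside).
    Assumption: VLAN tags above 999 would not fit the three digits left."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    if not 1 <= vlan <= 999:
        raise ValueError(f"VLAN {vlan} needs more than three decimal digits")
    hextet = int(f"{8 if inside else 0}{vlan:03d}", 16)  # '8020' -> 0x8020
    addr = ipaddress.IPv6Address(int(site.network_address) | (hextet << 64))
    return ipaddress.IPv6Network((addr, 64))


def is_inside(address: str, site48: str) -> bool:
    """The top /49 of the site /48 is inside the firewall."""
    _bottom, top = ipaddress.IPv6Network(site48).subnets(new_prefix=49)
    return ipaddress.IPv6Address(address) in top


def vlan_of(address: str) -> int:
    """Recover the VLAN tag from an address built with either scheme."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ip.packed[2]  # third octet
    digits = f"{(int(ip) >> 64) & 0x0FFF:03x}"  # low 12 bits of the 4th hextet
    if not digits.isdigit():
        raise ValueError(f"{address} does not follow the decimal-VLAN scheme")
    return int(digits)


if __name__ == "__main__":
    for vlan in (1, 2, 10, 254):
        print(ipv4_vlan_subnet(19, vlan), ipv6_vlan_subnet("2001:db8:1234::/48", vlan))
```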
#3
I have no idea how that happened, but I took the hint and moved over to Kea DHCP as ISC DHCP is End-of-Life and deprecated.
#4
Okay, so:

   cd /tmp
   wget https://pkg.opnsense.org/FreeBSD:14:amd64/26.1/MINT/26.1.1/latest/All/os-lcdproc-sdeclcd-1.1_1.pkg
   pkg install os-lcdproc-sdeclcd-1.1_1.pkg

works, but System > Firmware > Plugins now shows:

   os-lcdproc-sdeclcd (installed)   1.1_1   982B   4   unknown-repository   LCDProc for SDEC LCD devices

Should I have done something different?

Mike
#5
I am running OPNsense 26.1.1 on a re-purposed Sophos XG230.

With 25.7_11 I had the LCDproc plugin running and had system stats and performance on the 2-line LCD panel.

With 26.1.x System > Firmware > Plugins reports it missing:

os-lcdproc-sdeclcd (missing)   1.1_1   982B   3   OPNsense   LCDProc for SDEC LCD devices

Is there a chance that it could make a return?

Regards

Mike
#6
Hi Franco,

Thanks, patch applied and I am now able to add DNAT rules ;-)

I don't know where my previous NAT rules went... this is what I did:

1. Existing server, working system (25.7_11) ... backed up config.

2. New (temp) server: installed 26.1, imported backup, upgraded to 26.1_4. Didn't explicitly test DNAT but everything seemed to be working.

3. Flattened existing server, installed 26.1. Backed up temp server, imported to existing server. Upgraded to 26.1_4.

Found that DNAT wasn't working. I guess somewhere along the way it broke...

All is good now. Thanks for the help.  Have sent €50,00 donation.

Regards

Mike
#7
Hi Franco,

pluginctl -v results in a message per interface in the form:

root@gate:~ # pluginctl -v
OPNsense\Firewall\Alias.aliases.alias.__wan_network.name => The name must start with a letter or single underscore, be less than 32 characters and only consist of alphanumeric characters or underscores.

and pluginctl -g nat results in an empty set:

root@gate:~ # pluginctl -g nat
root@gate:~ #

... does that help?

Regards

Mike
#8
Quote from: franco on February 02, 2026, 05:35:13 PM
> System: Firmware: Reporter should have logs. Better paste the PHP errors here than submitting them (it's a bit difficult to find them out of context).
>
> Cheers,
> Franco

Hi Franco,

I have run the health check (no problems) and re-installed the opnsense 26.1 package and upgraded to 26.1_4 and rebooted.

I still see the same problem when I try to add the Destination NAT with this PHP stack-trace:

[03-Feb-2026 12:29:19 Europe/London] TypeError: dom_import_simplexml(): Argument #1 ($node) must be of type object, null given in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:755
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(755): dom_import_simplexml(NULL)
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(822): OPNsense\Base\BaseModel->internalSerializeToConfig()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(327): OPNsense\Base\BaseModel->serializeToConfig(false, true)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(498): OPNsense\Base\ApiMutableModelControllerBase->save(false, true)
#4 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php(122): OPNsense\Base\ApiMutableModelControllerBase->addBase('rule', 'rule')
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\DNatController->addRuleAction()
#6 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#7 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#8 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/d...', Array)
#9 {main}

What to try next?

Regards

Mike
#9
Re-installation of the "opnsense 26.1_4" package performed:

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 26.1_4 (amd64) at Mon Feb  2 18:23:36 GMT 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
   opnsense: 26.1_4 (6 MiB: 100.00% of the 6 MiB to download)

Number of packages to be fetched: 1

The process will require 6 MiB more space.
6 MiB to be downloaded.
Fetching opnsense-26.1_4.pkg: .......... done
opnsense-26.1_4: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
   opnsense-26.1_4

Number of packages to be reinstalled: 1
[1/1] Reinstalling opnsense-26.1_4...
[1/1] Extracting opnsense-26.1_4: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-26.1_4:

--
One step ahead, one step behind it, now you gotta run to get even
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***


I will now re-boot and try the DNAT configuration again.

Regards

Mike
#10
Here's the result of:

    System > Firmware > Status > Run Audit > Health

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1_4 (amd64) at Mon Feb  2 17:34:21 GMT 2026
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 26.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1_4 has 67 dependencies to check.
Checking packages: .................................................................... done
***DONE***


Regards

Mike
#11
Hi Franco,

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
FreeBSD 14.3-RELEASE-p7 stable/26.1-n271965-1bab7230df71 SMP amd64
OPNsense 26.1_4 889098cfa
Time Mon, 02 Feb 2026 17:00:14 +0000
OpenSSL 3.0.18
Python 3.11.14
PHP 8.3.28


Each time I attempt to add a Destination NAT I get a PHP stack trace:

[02-Feb-2026 14:25:40 Europe/London] TypeError: dom_import_simplexml(): Argument #1 ($node) must be of type object, null given in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:755
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(755): dom_import_simplexml(NULL)
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(822): OPNsense\Base\BaseModel->internalSerializeToConfig()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(327): OPNsense\Base\BaseModel->serializeToConfig(false, true)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(498): OPNsense\Base\ApiMutableModelControllerBase->save(false, true)
#4 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php(122): OPNsense\Base\ApiMutableModelControllerBase->addBase('rule', 'rule')
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\DNatController->addRuleAction()
#6 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#7 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#8 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/d...', Array)
#9 {main}
[02-Feb-2026 15:15:06 Europe/London] TypeError: dom_import_simplexml(): Argument #1 ($node) must be of type object, null given in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:755
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(755): dom_import_simplexml(NULL)
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(822): OPNsense\Base\BaseModel->internalSerializeToConfig()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(327): OPNsense\Base\BaseModel->serializeToConfig(false, true)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(498): OPNsense\Base\ApiMutableModelControllerBase->save(false, true)
#4 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php(122): OPNsense\Base\ApiMutableModelControllerBase->addBase('rule', 'rule')
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\DNatController->addRuleAction()
#6 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#7 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#8 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/d...', Array)
#9 {main}
[02-Feb-2026 15:21:43 Europe/London] TypeError: dom_import_simplexml(): Argument #1 ($node) must be of type object, null given in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:755
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(755): dom_import_simplexml(NULL)
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(822): OPNsense\Base\BaseModel->internalSerializeToConfig()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(327): OPNsense\Base\BaseModel->serializeToConfig(false, true)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(498): OPNsense\Base\ApiMutableModelControllerBase->save(false, true)
#4 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php(122): OPNsense\Base\ApiMutableModelControllerBase->addBase('rule', 'rule')
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\DNatController->addRuleAction()
#6 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#7 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#8 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/d...', Array)
#9 {main}


Regards


Mike
#12
Over the weekend I have upgraded my OPNsense system from 25.7_11 to 26.1_4 and everything is working except inbound port forwarding (aka "Destination NAT").

I am trying to configure Asterisk IAX2 (UDP/4569) from my work firewall to my home firewall.

I have host aliases for the work firewall (single IPv4) and the home PBX.  I have a port alias "iax2_port" = 4569.

I go to Firewall > NAT > Destination NAT and use "+" to add a new rule:

  Interface:
       Interface: WAN
       Version: IPv4
       Protocol: UDP

  Source (advanced):
       Invert Source:  (unchecked)
       Source Address: thorcom_gate  <- alias with correct IPv4 source
       Source Port: iax_port

   Destination:
       Invert Destination:  (unchecked)
       Destination Address: WAN address  (from drop down)
       Destination Port: iax_port

   Translation:
       Redirect Target IP: tubby_pbs  <- alias with correct host IP for my internal PBX
       Redirect Target Port: iax_port


When I save the rule I get the error "Danger: Unexpected error, check log for details", but there's nothing visible in the logs accessible from the UI?

It appears that all of my inbound DNATs (formerly "port forwards") have disappeared/failed to be migrated, as I have also lost the rules for my NVD/DVR and for my SDR, all of which were working fine under 25.7_11.

How do I get inbound DNAT/port forwarding to work again?


Mike

#13
I thought I was going mad so I have done this three times now and get the same result.

Hardware is Sophos XG210 chassis, have installed OPNsense 25.1, in UEFI mode, all boots and works fine.

XG210 has eight Ethernet ports (6 x GbE and 2 x SFP).

Out of the box OPNsense comes up with:

  igb0 -> LAN with 192.168.1.1/24
  igb1 -> WAN (no IP address yet)

I plug igb0 in to my Netgear VLAN enabled GS728TPv2 switch on the same VLAN (VLAN144) as my Win 11 PC. I add a secondary IP address to the network interface on the Win 11 PC (in this case 192.168.1.40) and I can access the OPNsense UI - this works because the PC and XG210 are on the same VLAN.

In OPNsense I add a third interface:

  igb2 -> MGMT and set the IP address to 192.168.2.1/24

I check in System > Settings > Access and it says the admin interface is defaulted to 'all interfaces'.

I have set the UI to be HTTP rather than HTTPS and I have 'Applied Settings'.

I add another secondary IP to my Win 11 PC (192.168.2.40/24) and move the cable from the Netgear from igb0 to igb2 on the XG210 and attempt to access http://192.168.2.1 without success (connection timeout).

If I move the cable back to igb0 I can no longer access the UI on 192.168.1.1 either.

I have now lost UI access to OPNsense, so I go to the console and use option (4) Factory reset and start again, and I can access the UI on 192.168.1.1.

Rinse and repeat ...


Why does adding a management interface break the UI on the LAN interface?


My specific use-case needs me to shoe-horn in OPNsense as a replacement for another firewall that has a WAN interface and where the LAN interface has eight VLANs... adding a management interface was my preference to allow both the WAN and VLANs on the LAN interface to be configured without getting locked out ;-)

Where am I going wrong?


Mike