Messages - No999

#1
Seems like it was my IPv6 ULA address in the listen address causing the issue:

[2026-06-03 18:30:32] [FATAL] listen udp [fdee:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:15353: bind: can't assign requested address
[2026-06-03 18:30:32] [NOTICE] Now listening to 127.0.0.1:15353 [TCP]
[2026-06-03 18:30:32] [NOTICE] Now listening to 127.0.0.1:15353 [UDP]

Just changed the listen address from the ULA to [::1]:15353, and in the Unbound query forward too.
#2
I've added two more cron jobs that might serve as a workaround. I didn't see any errors in the logs, so my idea is to have these additional tasks run shortly after the system reboot:

4:00 AM System reboot
4:10 AM dnscrypt-proxy restart
4:15 AM unbound restart

Hopefully, staggering these restarts will ensure the services come up cleanly. I'll monitor and see if this resolves the issues.
#3
Hi everyone,

I have a question regarding the IDS configuration in OPNsense when using IPv6 with dynamic prefix delegation from the ISP.

Under:

Services → Intrusion Detection → Administration

there is the setting:

Home networks

Current default value:

192.168.0.0/16
10.0.0.0/8
172.16.0.0/12

The hint says:

"Networks to interpret as local"

For IPv4 this is straightforward, but I am unsure how this should properly be configured for IPv6 when the ISP delegated prefix changes dynamically.

Example:

LAN currently receives a delegated /64
Prefix may change after reconnect/reboot

Questions:

Should the current delegated IPv6 LAN subnet be manually added here?
Is there a recommended way to handle dynamic IPv6 prefixes?
Can interface macros/variables like $LAN_NET be used in this field?
What is the recommended best practice for IDS Home Networks with IPv6 PD?

I would appreciate clarification on the intended/recommended configuration.

Thanks!
#4
Hi everyone,

I recently configured a cron job to reboot my OPNsense firewall every 3 days.

After this morning's reboot, I noticed I had no internet connectivity. The DNSCrypt service had a red icon and wasn't running. I had to manually start DNSCrypt and then restart Unbound to restore DNS resolution.

I suspect the issue may have been related to IP assignment: the firewall might not have received an IPv6 address (or even an IPv4 address) immediately after reboot, which could have caused DNSCrypt to fail or exit. However, I couldn't find any logs indicating the process was killed or why it didn't start automatically.

My setup:

Destination NAT redirecting all LAN DNS traffic to Unbound
Unbound configured to forward queries to DNSCrypt

Questions:

Should DNSCrypt normally start automatically after reboot?
Is additional configuration needed to ensure the proper startup order?
Could this have been a one-time startup failure?
Is there a recommended way to ensure Unbound waits for DNSCrypt before starting?

Any tips or troubleshooting suggestions would be greatly appreciated.

Note: I've attached the relevant logs for reference. For some reason, the attachments are only visible when you are logged in. The reboot occurred at 4:00 AM, and I manually fixed the issue by restarting DNSCrypt and Unbound around 8:20 AM.

Service start order:

DNSCrypt starts at 04:01:23
Unbound starts at 04:01:24
Then Unbound starts again at 04:01:41

DNSCrypt wasn't fully ready when Unbound started:
Unbound depends on DNSCrypt upstream
Large DNSBL list load:
DNSBL module has 968,522 entries.
#5
Thanks a lot for the help really appreciate the time and guidance. That solved my issue.
#6
Would it be possible to use the alias "This Firewall" as the redirect target instead of the ULA address? I guess not, since it's also a set of addresses and not a single address. My issue is that I think it behaves dynamically, meaning its value may depend on where it is used.
#7
I'm having a dynamic prefix. I'll try to fix it with a ULA instead.

Good point as well about DNS only needing one protocol.
#8
Seems like I just had to set 127.0.0.1 for IPv4 and ::1 for IPv6 instead of Loopback Network ...
#9
Hi everyone,

I'm trying to force all DNS traffic through my Unbound resolver on OPNsense for both IPv4 and IPv6. Here's what I have configured:

Two Destination NAT rules, one IPv4 and one IPv6 (Redirect DNS 53 to Unbound)

Sequence: 100
Description: Reroute Port 53
Interface: LAN
Version: IPv4
Protocol: TCP/UDP

Source:

(Advanced) Invert Destination: ✔ checked

Destination:

Destination Address: LAN address
Destination Port: 53 (single port)

Translation:

Redirect Target IP: Loopback network
Redirect Target Port: 53 (single port)
Pool Options: Default

Options:

No RDR (NOT): unchecked
Log: unchecked
No XMLRPC Sync: unchecked
NAT Reflection: Disabled
Set Tag / Match Tag: empty
Firewall Rule: Pass

LAN Firewall Rule (Block Outgoing DNS 53)

Quick: ✔ checked
Action: Block
Interface: LAN
Protocol: TCP/UDP
Direction: Out
Version: IPv4+IPv6
Source: Any
Destination: Any
Destination Port: 53


Destination NAT rule: Redirect all port 53 traffic (TCP/UDP) from LAN to Unbound (loopback).
LAN firewall rule: Block all outgoing port 53 (to force clients to use Unbound).

The problem:

With these three rules enabled, my Chromecast cannot connect to Wi-Fi.
If I disable both rules, including the LAN block rule, Chromecast works fine.
I also tried setting Google DNS (8.8.8.8 / 8.8.4.4) in Unbound with no block rules, but it still doesn't work.

I'm not sure why blocking port 53 + NAT is breaking Chromecast.
#10
Hello everyone,

I'm encountering an issue with my OPNsense setup. During the execution of the script sensor_info.py located at /usr/local/opnsense/scripts/etpro_telemetry/, I am getting the following error:

Error
configd.py

[9012173e-136c-437f-a308-a85a12274648] Script action failed with Command '/usr/local/opnsense/scripts/etpro_telemetry/sensor_info.py ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/etpro_telemetry/sensor_info.py ' returned non-zero exit status 1.

Has anyone else encountered this issue or can point me in the right direction to resolve it?
#11
Type: opnsense-business
Version: 25.10_2
Architecture: amd64
Commit: 89445f333
Repositories: OPNsense (Priority: 11)
Updated on: Thu Oct 23 18:59:03 CEST 2025

Hi,

I'm encountering an error in OPNsense related to Suricata, and I'm unsure where to report it or how to resolve it.
The error message I'm seeing is as follows:

 [109203] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE TA399/Sidewinder StealerBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MoFA/"; startswith; fast_pattern; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R"; http.header_names; content:!"|0d 0a|user-agent|0d 0a|"; nocase; reference:md5,b55f692ccc11496e2772705060f3d9d2; classtype:trojan-activity; sid:2864929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_10_17, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag TA399, updated_at 2025_10_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name exfiltration_over_C2_channel;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules at line 6545


also this error was logged too:

suricata
[109203] <Error> -- pcre2 compile of "/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R" failed at offset 35: digits missing after \x or in \x{} or \o{} or \N{U+}

This seems to be related to an issue with the parsing of a signature in the "emerging-malware.rules" file, specifically around the "Sidewinder StealerBot" CnC checkin detection.

Could anyone suggest where I should report this issue or if there's a specific fix I should apply? Is this a known problem with Suricata's signature parsing or OPNsense's Suricata implementation?

Thanks in advance for any help!
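Added example, not from the thread and not OPNsense or Suricata code: a small Python lint that pulls every pcre:"..." option out of a rule file and tries to compile the pattern body, so a signature that will fail to load can be found by sid and line number before Suricata is restarted. It uses Python's re module rather than pcre2, so it is an approximation: the \x escape rule matches (both engines require hex digits after \x, which is exactly the error quoted above), but PCRE-only syntax can produce false positives, and Suricata's own modifiers such as R or U are simply ignored. The rule lines are constructed samples, not a copy of the ET Pro rule set.

```python
import re

# Extracts the quoted value of a pcre option; backslash-escaped quotes are allowed inside.
PCRE_OPT = re.compile(r'pcre:\s*"((?:[^"\\]|\\.)*)"')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')

# Flag letters Python's re shares with PCRE. Suricata-specific modifiers
# (R, U, I, P, Q, H, D, M, C, S, Y, B, O, V, W) are ignored by this lint.
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Constructed sample rules (hypothetical sids in the local range); the second one
# carries the same kind of broken escape (\xw) as the error message in the post.
SAMPLE_RULES = r"""
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST good pcre"; flow:established,to_server; http.uri; content:"/x/"; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d)?/R"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST bad escape"; flow:established,to_server; http.uri; content:"/y/"; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*\xw\x3d)?/R"; sid:1000002; rev:1;)
# comment lines are skipped
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST negated pcre"; http.uri; pcre:"!/login/i"; sid:1000003; rev:1;)
alert dns any any -> any 53 (msg:"TEST no pcre at all"; sid:1000004; rev:1;)
"""


def split_pcre(option_value):
    """Turn '/body/flags' or '!/body/flags' into (negated, body, flags)."""
    negated = option_value.startswith("!")
    value = option_value[1:] if negated else option_value
    start, end = value.find("/"), value.rfind("/")
    if start != 0 or end <= start:
        raise ValueError("pcre option is not delimited by '/'")
    return negated, value[start + 1:end], value[end + 1:]


def lint_rules(rule_text):
    """Return one finding per pcre option that fails to compile: line, sid, pcre, error."""
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_OPT.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for match in PCRE_OPT.finditer(line):
            try:
                _, body, flags = split_pcre(match.group(1))
                py_flags = 0
                for flag in flags:
                    py_flags |= FLAG_MAP.get(flag, 0)
                re.compile(body, py_flags)
            except (ValueError, re.error) as exc:
                findings.append({"line": lineno, "sid": sid,
                                 "pcre": match.group(1), "error": str(exc)})
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(f"line {finding['line']} sid {finding['sid']}: {finding['error']}")
        print(f"    pcre: {finding['pcre']}")
```

Pointed at a real file (for example the emerging-malware.rules path from the post) with `lint_rules(open(path).read())`, the output lists the sid to quote in a bug report or to disable in the IDS policy until the upstream rule is corrected.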
#12
Nope, it's not working with a redirect rule.

OPNsense is using the chrony plugin.

My client, which is running Ubuntu 25.10, is using Chrony with NTS by default.

If the 123/UDP redirect rule is active and my LAN client uses Chrony with NTS (Network Time Security), it won't work.

If the 123/UDP redirect rule is active and my LAN client uses Chrony without NTS, it works.

If the 123/UDP redirect rule is inactive and my LAN client uses Chrony with NTS, it works.


My setup:

internet -> modem -> opnsense firewall -> router -> network devices

Output of my LAN client with Chrony and NTS and the 123/UDP redirect rule active:
ubuntu@ubuntu:~$ sudo chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000001 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 2.169 ppm fast
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
ubuntu@ubuntu:~$ sudo systemctl status chronyd
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-19 14:10:23 CEST; 18min ago
 Invocation: 8fc8127e9e5749de904bac3d8035352c
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
   Main PID: 9258 (chronyd-starter)
      Tasks: 3 (limit: 75408)
     Memory: 6.1M (peak: 7.3M)
        CPU: 221ms
     CGroup: /system.slice/chrony.service
             ├─9258 /bin/sh /usr/lib/systemd/scripts/chronyd-starter.sh -n -F 1
             ├─9270 /usr/sbin/chronyd -n -F 1
             └─9271 /usr/sbin/chronyd -n -F 1

Oct 19 14:10:23 ubuntu chronyd[9270]: Frequency 2.169 +/- 1.737 ppm read from /var/lib/chrony/chrony.drift
Oct 19 14:10:23 ubuntu chronyd[9270]: Loaded seccomp filter (level 1)
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 1.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added source 192.168.178.1
Oct 19 14:10:23 ubuntu systemd[1]: Started chrony.service - chrony, an NTP client/server.
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 2.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 3.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 4.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool ntp-bootstrap.ubuntu.com
Oct 19 14:10:39 ubuntu chronyd[9270]: Can't synchronise: no selectable sources (11 unreachable sources)
#13
Hi everyone,

I'm trying to set up my network in a way that forces all NTP (Network Time Protocol) traffic to go through my OPNsense firewall so it can handle time synchronization via Chrony. Here's what I have so far:

I have Chrony installed and running on my OPNsense firewall.

Some of my devices on the network use Chrony as their NTP client with NTS.

I want to redirect all outgoing NTP requests from these devices to OPNsense, essentially forcing them to sync time through OPNsense.

I'm considering using NAT redirection and firewall rules similar to how DNS requests are handled, but I'm not sure if NTP traffic can be redirected in the same way.

Specifically, I have a few questions:

1. Is it possible to redirect NTP traffic (UDP port 123) to OPNsense using firewall rules and NAT?

2. Can OPNsense act as the sole time server for all devices in my network, and how would I set that up?

3. Since some of my devices use Chrony with NTS, will OPNsense be able to handle these requests, or do I need additional configuration?

Ideally, I'd like to accomplish this with something similar to the way DNS redirection works using firewall rules and NAT redirection to force all NTP traffic to go through OPNsense.
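Added example for the NTS question in this post and the result reported in the post above (#12); it is not from the thread and not chrony or OPNsense code. With NTS, the client first talks to the NTS-KE server over TLS on TCP port 4460 and receives cookies plus the address of the NTP server to use; every NTP request it then sends on UDP 123 carries NTS extension fields (Unique Identifier, Cookie, Cookie Placeholders, Authenticator). A reply is only accepted if it echoes the Unique Identifier and carries an Authenticator that verifies under the key negotiated in NTS-KE. A redirect rule that sends those UDP 123 packets to a different server therefore produces replies the client throws away, which is what "no selectable sources" in the chronyc output above looks like. The block below builds such a request from constructed bytes (the AEAD nonce and tag are placeholder bytes, because the real values need the NTS-KE keys, which the example does not model) and checks a plain reply and an NTS reply against the two structural checks a client can make without the key.

```python
import os
import struct

# NTS extension field types from RFC 8915.
NTS_UNIQUE_ID = 0x0104
NTS_COOKIE = 0x0204
NTS_COOKIE_PLACEHOLDER = 0x0304
NTS_AUTHENTICATOR = 0x0404

HEADER_LEN = 48  # NTPv4 header without extension fields


def ntp_header(mode, vn=4):
    """48-byte NTPv4 header: LI=0, version, mode; all other fields zeroed (constructed)."""
    first_byte = (0 << 6) | (vn << 3) | mode
    return struct.pack("!BBbb", first_byte, 0, 0, 0) + bytes(44)


def extension_field(ef_type, value):
    """Type (2) + total length (2) + value, padded to a multiple of 4 and at least 16 bytes."""
    body_len = 4 + len(value)
    padded = max(16, (body_len + 3) // 4 * 4)
    return struct.pack("!HH", ef_type, padded) + value + bytes(padded - body_len)


def parse_extension_fields(packet):
    """Return [(type, value_with_padding), ...]. Legacy trailing MACs (RFC 7822) are not handled."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short NTP packet")
    fields, offset = [], HEADER_LEN
    while len(packet) - offset >= 4:
        ef_type, ef_len = struct.unpack_from("!HH", packet, offset)
        if ef_len < 4 or ef_len % 4 or offset + ef_len > len(packet):
            raise ValueError(f"malformed extension field at offset {offset}")
        fields.append((ef_type, packet[offset + 4:offset + ef_len]))
        offset += ef_len
    return fields


def build_nts_request(cookie, spare_cookies=0, uid=None):
    """Mode-3 request as an NTS client sends it after NTS-KE: UID, one cookie from the
    NTS-KE server, placeholders asking for fresh cookies, then an Authenticator EF.
    Nonce and tag are placeholder bytes here (no C2S key is modelled)."""
    uid = os.urandom(32) if uid is None else uid
    packet = ntp_header(mode=3)
    packet += extension_field(NTS_UNIQUE_ID, uid)
    packet += extension_field(NTS_COOKIE, cookie)
    for _ in range(spare_cookies):
        packet += extension_field(NTS_COOKIE_PLACEHOLDER, bytes(len(cookie)))
    nonce, tag = os.urandom(16), os.urandom(16)
    authenticator = struct.pack("!HH", len(nonce), len(tag)) + nonce + tag
    packet += extension_field(NTS_AUTHENTICATOR, authenticator)
    return packet, uid


def is_nts_request(packet):
    types = {ef_type for ef_type, _ in parse_extension_fields(packet)}
    return NTS_UNIQUE_ID in types and NTS_COOKIE in types and NTS_AUTHENTICATOR in types


def plain_server_response(request):
    """What a server that never took part in the client's NTS-KE session sends back:
    a mode-4 reply without any NTS fields, since it cannot mint a valid Authenticator."""
    return ntp_header(mode=4)


def nts_server_response(request):
    """Reply from the server that issued the cookie: echoes the UID and adds an Authenticator.
    Nonce and tag are placeholder bytes (no S2C key is modelled)."""
    uid = dict(parse_extension_fields(request))[NTS_UNIQUE_ID]
    nonce, tag = os.urandom(16), os.urandom(16)
    authenticator = struct.pack("!HH", len(nonce), len(tag)) + nonce + tag
    return (ntp_header(mode=4) + extension_field(NTS_UNIQUE_ID, uid)
            + extension_field(NTS_AUTHENTICATOR, authenticator))


def response_acceptable(request, response):
    """The checks a client can make before AEAD verification (RFC 8915 client processing):
    the reply must echo the request's Unique Identifier and carry an Authenticator EF.
    A real client additionally verifies the tag with the S2C key, which is not modelled."""
    req = dict(parse_extension_fields(request))
    resp = dict(parse_extension_fields(response))
    if NTS_UNIQUE_ID not in req:
        return True  # plain NTP request: any well-formed reply is a candidate
    return resp.get(NTS_UNIQUE_ID) == req[NTS_UNIQUE_ID] and NTS_AUTHENTICATOR in resp


if __name__ == "__main__":
    cookie = bytes(range(100))  # constructed stand-in for an NTS-KE-issued cookie
    request, _ = build_nts_request(cookie, spare_cookies=2)
    print("NTS request:", is_nts_request(request), "bytes:", len(request))
    print("redirected plain reply accepted:", response_acceptable(request, plain_server_response(request)))
    print("reply from NTS server accepted: ", response_acceptable(request, nts_server_response(request)))
```

The practical consequence for the redirect setup in this post is that UDP 123 can only be transparently redirected for clients that use plain NTP; an NTS client has to be pointed at the firewall's chrony explicitly (as an NTS server it would need its own certificate and the `nts` option on the client side), or exempted from the redirect.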
#14
Also, my root user name is not root; I was able to modify the username when setting up my system.