Messages - drosophila

#1
Quote from: Patrick M. Hausen on March 30, 2026, 10:36:07 PM
It's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.
AFAICS this is a legacy concept that originated from SmoothWall, before it became IPCop, before it became IPFire. Or somesuch as I didn't follow the development closely.
They had originally "colored" the physical interfaces, which made perfect sense back in the day as there aren't too many even now. Probably the simplicity of the concept kept it around, even though with VLANs it should be updated to at least "8 bit colors". :)
#2
I'm stuck trying to react to the WAN interface getting a new IPv6 privacy extensions address. I've found the "newwanipv6" trigger but that only triggers when the main IPv6 address / prefix has changed. It does, however, not trigger when privacy extension addresses expire / new ones are generated. I need to react to both these events. A cron job would be possible but running that every minute is both wasteful and slow to react. There must be a better way, can somebody please point me in the right direction?
#3
Currently the only option is to monitor an interface (the various external services will suffer the same problem with even less means of control), but with IPv6 and its multiple IP addresses this doesn't always return the most desirable address out of those available. So it would be great if there were some options to guide it. Most likely one will only want the GUA, anyway, but there also could be another GUA from the privacy extensions, plus there might be reasons to pick an ULA (I don't see a use case for that but who knows, maybe one could use DDNS for internal use inside the DMZ or something to avoid rolling an own DNS service? People can get pretty creative :) ), and maybe even to allow use of deprecated addresses.
Anyway, the issue is that with IPv6 there is more than one address per interface, and they also appear in a random order (most often the GUAs are on top, with the non-PE one first, but occasionally the ULAs will be, or even the LLA, so one can't rely on this ordering at all), and thus there needs to be a means of control over which one gets picked. For example, on my WAN IF, I have (at minimum) five IPv6 addresses (1xLLA, 2xGUA(1 PEA), 2xULA(1 PEA)), plus two more deprecated PEAs (again, one GUA and one ULA) until they fully expire. If one could use a Dynamic IPv6 host alias as source this would reduce the ambiguity to 1 GUA and 1 ULA, and I suppose ULAs won't get picked anyway, so it would be unambiguous, but it doesn't allow the selection of this type of alias.

Thanks for considering! :)
#4
Quote from: Netlearn on March 28, 2026, 02:50:46 AM
Probably, your widget is one-column width. Try expanding it to two columns. That works for me.
That was it, thanks! The issue was that I expected it to auto-expand when moved to a wide column but it wouldn't so I assumed that it just won't. Instead, you have to manually drag the border to resize it. :) Still not great for IPv6 because the address is not entirely visible, and the most important part (the suffix) is outside the display area unless I widen it even more. Either IPv6 addresses need the entire width, or the address needs to be line-broken like the gateway watcher does. Thanks for considering! :)
#5
Quote from: Bossybear on March 02, 2026, 04:41:46 PM
In OPNsense 26.1.2_5 I now see the custom hostname to the right in the widget. This is a good solution. Please consider this closed.
What do I need to do to enable this (26.1.5)? I still only get "custom". Is this because I use the dark theme, or because mine is IPv6 with its unwieldy / long address blurting out everything else?
#6
If I define an alias for an IPv6 address (dynamic IPv6 host) and then put that into the translation target box for Outbound, the netmask only allows the IPv4 range (up to 32 bits), while it should switch to the IPv6 range. Maybe it would be necessary to assign an IP version to the aliases for this to work. The resulting rule then is invalid "2026-03-25T19:55:36 Error firewall There were error(s) loading the rules: no IP address found for Nonprivate_IPv6/32" and NAT doesn't work.

Is this a bug or am I overlooking something obvious again?
#7
Whenever my prefix changes, I get a new set of addresses: a public one and a PE one, like these
   inet6 2001:a:b:c:1:2:3:4a prefixlen 64 autoconf pltime 3600 vltime 7200
   inet6 2001:a:b:c:1:2:3:4b prefixlen 64 autoconf temporary pltime 3600 vltime 7200

When the firewall itself sends a message, it properly uses the PE generated address. However, when a NATed client reaches out, it'll be NATed to the normal address. I tried to do this with aliases (by creating a "dynamic host" alias with the MAC-derived suffix) but then I'd need to invert this in order to match the PE address (which I can't predict and thus can't create an alias for), and then somehow put this into the NAT pool.

This doesn't seem to be possible, but hopefully I'm just overlooking something, like the checkbox that says "use only temporary addresses"? ;)
#8
Quote from: Monviech (Cedrik) on February 21, 2026, 12:45:49 PM
If I need a full image I use "dd".

You can chain "dd" with a zipping tool and scp filetransfer in a single command and then set it as cron job.
As much as I love dd, isn't dd-ing (or copying in any other form) a running system a sort of desperate measure? Even the -nano images aren't immutable (it'd be really great if they were!), so at the very least the clone will generate "not properly unmounted" messages when booted. ZFS will probably also recover gracefully, but still...
#9
I had read through the entire thread and it was indeed established that PE is only defined for SLAAC, not for DHCP6 (counter-intuitively at first, but of course it makes sense that an address that is assigned explicitly by central management should be used). However, the final post
https://forum.opnsense.org/index.php?msg=230300
voiced the observation that with requesting a prefix only the PE would, if enabled, also generate a proper address just like it would in the SLAAC case, but the problem might be the priority of it being used for outgoing traffic.
Be that as it may, I always get the MAC-derived address first in the list and the PE second so the picker always uses the MAC-derived one. Probably the kernel would choose the PE properly but the NAT picker doesn't. Removing the MAC-derived address obviously always works so there is no priority ambiguity. Maybe I can do something with aliases, but since the prefixes change regularly, I don't see how I could pin it down. Regularly changing prefixes are just as desirable as it is to randomize the suffix since otherwise trackers will simply track by prefix.

I'm aware that the OPNSense box normally only uses its IP for its own traffic and that a public address is helpful for inbound connectivity that also will be advertised to a DynDNS provider (I need to look into this as well for IPv6, but if it works, it would also work with PE addresses).

Anyway, I've noticed that each time a new prefix is assigned, the WAN interface gets a new set of addresses but the old one prevails, so it'll end up accumulating addresses (I assign two prefixes (one from the ISP and one ULA) so maybe that is the issue). ifconfig output lists the old ones as "deprecated" though, so they should not be used and hopefully get cleared automatically eventually. The script doesn't catch the newly assigned one, possibly it is only run at start-up, I'll need to look into this some more. Also, it needs to be made more robust in both the selection and handling of multiple matches.

And yes, I am using a VPN, but it's not always desirable to use it so I'd like working PE as "backup".

I still hope to find a way to get NAT to hit before the scope check, so I could go fully local-only on the LAN. That way, if pf goes down or forgets its rules for any reason, I will be fully closed instead of being fully open (like it would be now).
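As an added example (not code from these posts, and not part of OPNsense), here is a small POSIX sh address picker that applies the selection policy described in #3 and #9: skip link-local and deprecated addresses, prefer a GUA over a ULA, and within the GUAs prefer the temporary (privacy-extension) address over the stable MAC-derived one, falling back to the stable one only when no usable temporary address exists. The ifconfig-style input lines are constructed for the example, it assumes the flag words autoconf, temporary and deprecated appear as FreeBSD's ifconfig prints them, and the function names pick_ipv6, addr_scope and outbound_source_candidate are invented here.

```shell
#!/bin/sh
# Constructed ifconfig-style inet6 lines for a WAN interface (sample data,
# not real output): a ULA, the LLA, the stable MAC-derived GUA, an expired
# temporary GUA and the current temporary GUA, in a deliberately mixed order.
SAMPLE_IFCONFIG='    inet6 fd00:1:2:3:1:2:3:4a prefixlen 64 autoconf pltime 3600 vltime 7200
    inet6 fe80::1:2:3:4a%re1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:1:2:1:2:3:4a prefixlen 64 autoconf pltime 3600 vltime 7200
    inet6 2001:db8:1:2:dead:beef:1:2 prefixlen 64 autoconf temporary deprecated pltime 0 vltime 600
    inet6 2001:db8:1:2:aaaa:bbbb:cccc:dddd prefixlen 64 autoconf temporary pltime 3600 vltime 7200'

# addr_scope ADDRESS: classify by prefix as lla (fe80::/10), ula (fc00::/7),
# gua (2000::/3) or other.
addr_scope() {
    case "$1" in
        fe80:*|FE80:*) echo lla ;;
        f[cd]*|F[CD]*) echo ula ;;
        [23]*) echo gua ;;
        *) echo other ;;
    esac
}

# pick_ipv6 SCOPE TEMPORARY(yes|no): reads ifconfig output on stdin and prints
# the first non-deprecated address of the wanted scope whose temporary flag
# matches. Returns 1 when nothing qualifies, so callers can chain fallbacks.
pick_ipv6() {
    want_scope="$1"
    want_temp="$2"
    while read -r kw addr rest; do
        [ "$kw" = "inet6" ] || continue
        # Deprecated addresses are never a good source, whatever the scope.
        case " $rest " in *" deprecated "*) continue ;; esac
        [ "$(addr_scope "$addr")" = "$want_scope" ] || continue
        case " $rest " in
            *" temporary "*) is_temp=yes ;;
            *) is_temp=no ;;
        esac
        [ "$is_temp" = "$want_temp" ] || continue
        # Strip a %re1-style zone suffix (only present on link-local).
        echo "${addr%%"%"*}"
        return 0
    done
    return 1
}

# outbound_source_candidate IFCONFIG_OUTPUT: the address to NAT to or to
# publish via DDNS: the temporary GUA when one is usable, else the stable GUA.
outbound_source_candidate() {
    printf '%s\n' "$1" | pick_ipv6 gua yes || printf '%s\n' "$1" | pick_ipv6 gua no
}

echo "outbound candidate: $(outbound_source_candidate "$SAMPLE_IFCONFIG")"
echo "stable GUA: $(printf '%s\n' "$SAMPLE_IFCONFIG" | pick_ipv6 gua no)"
```

On a live box the sample variable would be replaced by `ifconfig re1` output; because the picker looks at the flags rather than at list position, the random ordering complained about in #3 and the accumulating deprecated addresses from #9 no longer affect which address is chosen.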
#10
I know this is necromancy but this issue has crept up for me as well, and I decided on the sledgehammer (do what you were already suggesting with removal through ifconfig). The tunables seem to be working if the interface is configured via SLAAC, but not when doing NAT. Maybe there is a way to do this less invasively, preferably through the GUI? If so please comment!

I put a script into /usr/local/etc/rc.syshook.d/start/11-removeslaacwan
#!/bin/sh
# Remove the MAC-derived (EUI-64) SLAAC address from the WAN interface so
# that only the privacy-extension address is left for outgoing traffic.
IF=re1

# Split the interface MAC address into its six octets.
MAC=$(ifconfig ${IF} | grep ether | cut -w -f 3)
MAC1=$(echo "${MAC}" | cut -d: -f 1)
MAC2=$(echo "${MAC}" | cut -d: -f 2)
MAC3=$(echo "${MAC}" | cut -d: -f 3)
MAC4=$(echo "${MAC}" | cut -d: -f 4)
MAC5=$(echo "${MAC}" | cut -d: -f 5)
MAC6=$(echo "${MAC}" | cut -d: -f 6)

# Build the EUI-64 suffix the way ifconfig prints it: flip the
# universal/local bit (0x02) of the first octet, insert ff:fe in the
# middle, and print each 16-bit group without leading zeros.
G1=$(printf "%x" $(( ((0x${MAC1} ^ 0x02) << 8) | 0x${MAC2} )))
G2=$(printf "%x" $(( (0x${MAC3} << 8) | 0xff )))
G3=$(printf "%x" $(( 0xfe00 | 0x${MAC4} )))
G4=$(printf "%x" $(( (0x${MAC5} << 8) | 0x${MAC6} )))
SLAACMAC="${G1}:${G2}:${G3}:${G4}"

# Handle every global (2000::/3) address carrying that suffix, not just one.
found=0
for ADDR in $(ifconfig ${IF} | grep "inet6 2" | grep "${SLAACMAC}" | cut -w -f 3); do
    PLEN=$(ifconfig ${IF} | grep "inet6 ${ADDR} " | cut -w -f 5)
    ifconfig ${IF} inet6 "${ADDR}" remove
    # ifconfig ${IF} inet6 "${ADDR}/${PLEN}"
    echo "Address ${ADDR}/${PLEN} handled."
    found=1
done
if [ "${found}" -eq 0 ]; then
    echo "No matching address found."
fi
The commented-out "adding back" the address may be desired since it places the address at the end of the list hoping the picker might ignore it because it finds another viable address before reaching this. It also clears the "automatic" flags, for better or worse. Might be worthwhile for inbound connectivity.

This has not been tested extensively (in fact, I just whipped it up), so it might break stuff. In my case, the gateway monitor goes red on the IPv6 gateway despite it being perfectly reachable. More testing needed.
#11
Quote from: nero355 on March 18, 2026, 04:36:19 PM
Then you should have mentioned it, but again : Not something that I would actually use and trust completely...
The reason I didn't ask for this specifically was that this tool seems to be pretty niche and possibly not up to snuff security/trust-wise. I expected something more official that I just never had heard of.
Quote from: nero355 on March 18, 2026, 04:36:19 PM
Quote
but according to pkg, it's not even in our repository (let alone that it's not advisable to manually install stuff on a curated system like OPNsense).
Actually I have not seen a lot of posts being against it so my guess is that you can do it as long as you are aware of potential conflicts when you get some kind of error during updating/upgrading in the future :)
Yes, the issue with all non-stock setups. Documentation is a must and even then there's no guarantee I'll remember to check on it. That's why I've come to avoid anything that's not at least in the official repository. :)
Quote from: nero355 on March 18, 2026, 04:36:19 PM
If you really want something to do tests with then this is a better alternative IMHO :
Quote from: Seimus on March 17, 2026, 08:12:54 PM
Not sure if this will suit your needs/usecase but I am using stress-ng. You can install it on OPN directly.
That's the kind of hint I was hoping for. :) I'll look into this since I intend to do periodic tests like I schedule periodic SMART extended tests. It really is supposed to do only light testing to catch RAM going bad over time, I had this happen to me twice already and normally you suspect the PSU if a system becomes unreliable years after it passed the initial pre-deployment tests. It doesn't have to catch the very first error.

Regarding the "testing only unused memory" sentiment: yes, anything that runs on a live system can only test the unallocated memory. It might have ways to cooperate with the paging service (which may be able to swap out / around pages of memory). My assumption is that if memory goes bad, the issue affects either an entire column or repeating rows (assuming that lines fail). Marginal cells / connections may go unnoticed for a while, but likewise they will do so if the system were to be shut down for scheduled manual memtest86+ runs every 6 months or so, especially if only one single pass is done each time.

Anyway, thanks for the hints @all! :) I'll see whether I do install the memtester tool from ports or find a way to do some lightweight testing through stress-ng through a cron job. I really want to test live and automatically. :)
#12
German - Deutsch / Re: Erweiterungen
March 17, 2026, 07:44:14 PM
At least the things that pf writes to the console also end up in dmesg (which (essentially?) just reads out /var/log/messages).
#13
Quote from: nero355 on March 17, 2026, 04:09:16 AM
That you are looking for ECC RAM + CPU and Motherboard that support it.
DEC4280 – OPNsense® Rack Security Appliance
Memory    64GB DDR4

So Deciso is just understating their hardware capabilities, even on their top-of-the-line products? ;)
Quote from: nero355 on March 17, 2026, 04:09:16 AM
Such software tool does not exist unless you run Windows from the Windows 95/98 era and use tools that were more a workaround instead of anything actually useful ;)
Like this?
https://man.freebsd.org/cgi/man.cgi?query=memtester&apropos=0&sektion=8&manpath=FreeBSD+15.0-RELEASE+and+Ports&format=html

Which actually is what I was asking about, but according to pkg, it's not even in our repository (let alone that it's not advisable to manually install stuff on a curated system like OPNsense).
#14
German - Deutsch / Re: Erweiterungen
March 17, 2026, 06:35:22 PM
Everything is OK up to here:
Quote
Child process pid=41919 terminated abnormally: Segmentation fault
Which process that is can only be found out on the console with a well-timed ps fax.
#15
Quote from: layerbreak on August 30, 2025, 01:59:38 PM
My mistake was that I had wrongly entered the same e-mail address as sender and recipient. Of course they have to be two different addresses.
At least that is no longer the case these days, or if it is, it's a problem with your particular mail provider. For years I have been successfully sending myself mails from all sorts of boxes and services...
What I could imagine, though, is that for the original sender address you would first have to enable "allow access for external programs", hidden somewhere deep in the mail account's options, for it to work.