Messages - TheSHAD0W

#1
26.1, 26,4 Series / Re: picky DHCP on WAN
June 19, 2026, 03:16:42 AM
The dhclient.leases.igb2 looks as expected. I was looking at packets through tcpdump and did not see any request packets at all at the 1800 second mark, none until it was nearly expired.
#2
26.1, 26,4 Series / Re: picky DHCP on WAN
June 17, 2026, 05:16:07 PM
Quote from: dseven on June 16, 2026, 10:03:49 AM
DHCP lease renewal is normally (per standard) attempted when half of the lease time remains. That's very well established, and generally stable.

I haven't been seeing opnsense do that though. It seems to wait until the 85% mark before attempting renewal.

Quote from: dseven on June 16, 2026, 10:03:49 AM
There was a similar-ish sounding case recently, where the OP was convinced that DHCP wasn't doing what it's supposed to, but it actually turned out to be an issue with the ISP's hardware upstream: https://forum.opnsense.org/index.php?topic=51994.0

Thanks for the reference. I'm pretty sure my ISP's hardware *is* an issue, yes. Thing is, as I said, other devices and OSes are able to do a much better job at connecting and keeping the lease up, and there's no reason for opnsense to be more fragile.
#3
26.1, 26,4 Series / Re: picky DHCP on WAN
June 15, 2026, 07:03:22 PM
No change in behavior after upgrade to 26.1.10.
#4
26.1, 26,4 Series / Re: picky DHCP on WAN
June 11, 2026, 10:18:52 PM
Also for reference: Here are the settings gemini recommended:
Quote:
root@router:/var/etc # cat dhclient.igb2.conf
interface "igb2" {
  # timing values
  backoff-cutoff 10;
  initial-interval 10;
  reboot 30;
  retry 5;
  select-timeout 1;
  timeout 60;
  # custom options
  require dhcp-server-identifier;
  always-broadcast true;
  supersede dhcp-max-message-size 576;
  supersede dhcp-parameter-request-list 1,28,2,121,3,15,6,12,119,26,57;
  # standard settings
  script "/usr/local/opnsense/scripts/interfaces/dhclient-script";
  supersede interface-mtu 0;
}

Also got a *very* delayed DHCP ACK while testing these settings, which was interesting.
#5
26.1, 26,4 Series / picky DHCP on WAN
June 11, 2026, 09:44:28 PM
I've been having issues with connecting to my DSL provider's service on opnsense. It will occasionally connect but not for longer than a few hours and it may take hours to reconnect. I've tested with kali, mint and win10 and all three are able to connect, though it does seem to take a bit longer than it ought to. Some options taken from the gemini llm improved the situation a bit but not acceptably; the connection would still tend to drop after a while. (It also seems the router doesn't attempt to renew the lease until right at the very end of the lease term.) It looks to me like the provider is dropping most of the packets it receives from opnsense, but is more permissive from other sources. I've replaced the ethernet adapter too. (Both are intel i350 type.)

Quote:
root@router:/var/etc # cat /var/etc/dhclient.igb2.conf
interface "igb2" {
  timeout 60;
  retry 15;
  select-timeout 0;
  initial-interval 1;
  script "/usr/local/opnsense/scripts/interfaces/dhclient-script";
  supersede interface-mtu 0;
}

Quote:
Flags   up, broadcast, running, promisc, simplex, multicast, lower_up
Capabilities   rxcsum, txcsum, vlan_mtu, vlan_hwtagging, jumbo_mtu, vlan_hwcsum, tso4, tso6, lro, wol_ucast, wol_mcast, wol_magic, vlan_hwfilter, vlan_hwtso, netmap, rxcsum_ipv6, txcsum_ipv6, hwstats, mextpg
Options   vlan_mtu, vlan_hwtagging, jumbo_mtu, vlan_hwcsum, wol_magic, vlan_hwfilter, vlan_hwtso, hwstats, mextpg
MAC Address   80:61:5f:08:00:74 - Beijing Sinead Technology Co. Ltd.
Supported Media   autoselect, 1000baseT, 1000baseT full-duplex, 100baseTX full-duplex, 100baseTX, 10baseT/UTP full-duplex, 10baseT/UTP
Physical   true
Device   igb2
mtu   1500
macaddr_hw   80:61:5f:08:00:74
Media   100baseTX <full-duplex>
Media (Raw)   Ethernet autoselect (100baseTX <full-duplex>)
Status   up
nd6   flags: performnud, ifdisabled, auto_linklocal
Identifier   opt7
Description   WANdsl
Enabled   true
Link Type   dhcp
addr4   
addr6   
VLAN Tag   
Gateways   
Driver   igb2
Index   7
Promiscuous Listeners   1
Send Queue Length   0
Send Queue Max Length   50
Send Queue Drops   0
Type   Ethernet
Address Length   6
Header Length   18
Link State   2
vhid   0
Data Length   152
Metric   0
Line Rate   100.00 Mbit/s
Packets Received   3320
Input Errors   0
Packets Transmitted   90121
Output Errors   0
Collisions   0
Bytes Received   318664
Bytes Transmitted   10446593
Multicasts Received   426
Multicasts Transmitted   0
Input Queue Drops   0
Packets for Unknown Protocol   0
Hardware Offload Capabilities   0x0
Uptime at Attach or Statistics Reset   1

Example of a successful handshake:
Quote:
13:59:59.313540 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0x29715326, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:00:12.315311 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0x29715326, secs 13, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:00:28.356093 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0x29715326, secs 29, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:00:38.407528 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0x29715326, secs 39, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:00:51.408343 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0x29715326, secs 52, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:01:01.459540 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0xddf175e3, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:01:01.654312 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 355: (tos 0xc0, ttl 30, id 48761, offset 0, flags [none], proto UDP (17), length 341)
    104.193.102.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 313, xid 0xddf175e3, Flags [none] (0x0000)
     Your-IP 104.193.102.85
     Gateway-IP 104.193.102.1
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Offer
       Subnet-Mask (1), length 4: 255.255.255.0
       Default-Gateway (3), length 4: 104.193.102.1
       Domain-Name-Server (6), length 12: 199.27.156.34,199.27.156.35,167.254.227.7
       Hostname (12), length 6: "router"
       Domain-Name (15), length 12: "dellcity.com"
       Lease-Time (51), length 4: 3600
       Server-ID (54), length 4: 199.27.156.55
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
14:01:02.669840 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0xddf175e3, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Request
       Server-ID (54), length 4: 199.27.156.55
       Requested-IP (50), length 4: 104.193.102.85
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:01:11.679729 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 80:61:5f:08:00:74, length 300, xid 0xddf175e3, Flags [none] (0x0000)
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Request
       Server-ID (54), length 4: 199.27.156.55
       Requested-IP (50), length 4: 104.193.102.85
       Client-ID (61), length 7: ether 80:61:5f:08:00:74
       Hostname (12), length 6: "router"
       Parameter-Request (55), length 10:
         Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
         Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
         Unknown (119), MTU (26)
14:01:11.866296 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 355: (tos 0xc0, ttl 30, id 56185, offset 0, flags [none], proto UDP (17), length 341)
    104.193.102.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 313, xid 0xddf175e3, Flags [none] (0x0000)
     Your-IP 104.193.102.85
     Gateway-IP 104.193.102.1
     Client-Ethernet-Address 80:61:5f:08:00:74
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: ACK
       Subnet-Mask (1), length 4: 255.255.255.0
       Default-Gateway (3), length 4: 104.193.102.1
       Domain-Name-Server (6), length 12: 199.27.156.34,199.27.156.35,167.254.227.7
       Hostname (12), length 6: "router"
       Domain-Name (15), length 12: "dellcity.com"
       Lease-Time (51), length 4: 3600
       Server-ID (54), length 4: 199.27.156.55
       Client-ID (61), length 7: ether 80:61:5f:08:00:74

Example of handshake from other device:
Quote:
13:06:35.855113 08:8f:c3:6d:33:fd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 333: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 319)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 08:8f:c3:6d:33:fd, length 291, xid 0xa3745acd, secs 1, Flags [none] (0x0000)
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
       Parameter-Request (55), length 17:
         Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
         Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
         Default-Gateway (3), Static-Route (33), YD (40), YS (41)
         NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
         RP (17)
       MSZ (57), length 2: 576
       Requested-IP (50), length 4: 104.193.102.50
       Hostname (12), length 7: "misaka4"
13:06:38.612918 08:8f:c3:6d:33:fd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 333: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 319)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 08:8f:c3:6d:33:fd, length 291, xid 0x843f0ebf, secs 2, Flags [none] (0x0000)
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Discover
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
       Parameter-Request (55), length 17:
         Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
         Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
         Default-Gateway (3), Static-Route (33), YD (40), YS (41)
         NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
         RP (17)
       MSZ (57), length 2: 576
       Requested-IP (50), length 4: 104.193.102.50
       Hostname (12), length 7: "misaka4"
13:06:38.751299 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 356: (tos 0xc0, ttl 30, id 26121, offset 0, flags [none], proto UDP (17), length 342)
    104.193.102.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 314, xid 0x843f0ebf, Flags [none] (0x0000)
     Your-IP 104.193.102.50
     Gateway-IP 104.193.102.1
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Offer
       Subnet-Mask (1), length 4: 255.255.255.0
       Default-Gateway (3), length 4: 104.193.102.1
       Domain-Name-Server (6), length 12: 199.27.156.34,199.27.156.35,167.254.227.7
       Hostname (12), length 7: "misaka4"
       Domain-Name (15), length 12: "dellcity.com"
       Lease-Time (51), length 4: 3600
       Server-ID (54), length 4: 199.27.156.55
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
13:06:38.751530 08:8f:c3:6d:33:fd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 325)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 08:8f:c3:6d:33:fd, length 297, xid 0x843f0ebf, secs 2, Flags [none] (0x0000)
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Request
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
       Parameter-Request (55), length 17:
         Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
         Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
         Default-Gateway (3), Static-Route (33), YD (40), YS (41)
         NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
         RP (17)
       MSZ (57), length 2: 576
       Requested-IP (50), length 4: 104.193.102.50
       Server-ID (54), length 4: 199.27.156.55
       Hostname (12), length 7: "misaka4"
13:06:43.051749 08:8f:c3:6d:33:fd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 325)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 08:8f:c3:6d:33:fd, length 297, xid 0x843f0ebf, secs 2, Flags [none] (0x0000)
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Request
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
       Parameter-Request (55), length 17:
         Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
         Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
         Default-Gateway (3), Static-Route (33), YD (40), YS (41)
         NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
         RP (17)
       MSZ (57), length 2: 576
       Requested-IP (50), length 4: 104.193.102.50
       Server-ID (54), length 4: 199.27.156.55
       Hostname (12), length 7: "misaka4"
13:06:47.497671 08:8f:c3:6d:33:fd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 325)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 08:8f:c3:6d:33:fd, length 297, xid 0x843f0ebf, secs 2, Flags [none] (0x0000)
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: Request
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
       Parameter-Request (55), length 17:
         Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
         Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
         Default-Gateway (3), Static-Route (33), YD (40), YS (41)
         NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
         RP (17)
       MSZ (57), length 2: 576
       Requested-IP (50), length 4: 104.193.102.50
       Server-ID (54), length 4: 199.27.156.55
       Hostname (12), length 7: "misaka4"
13:06:47.691162 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 356: (tos 0xc0, ttl 30, id 32265, offset 0, flags [none], proto UDP (17), length 342)
    104.193.102.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 314, xid 0x843f0ebf, Flags [none] (0x0000)
     Your-IP 104.193.102.50
     Gateway-IP 104.193.102.1
     Client-Ethernet-Address 08:8f:c3:6d:33:fd
     Vendor-rfc1048 Extensions
       Magic Cookie 0x63825363
       DHCP-Message (53), length 1: ACK
       Subnet-Mask (1), length 4: 255.255.255.0
       Default-Gateway (3), length 4: 104.193.102.1
       Domain-Name-Server (6), length 12: 199.27.156.34,199.27.156.35,167.254.227.7
       Hostname (12), length 7: "misaka4"
       Domain-Name (15), length 12: "dellcity.com"
       Lease-Time (51), length 4: 3600
       Server-ID (54), length 4: 199.27.156.55
       Client-ID (61), length 7: ether 08:8f:c3:6d:33:fd
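
The timing in a capture like the ones above can be pulled out mechanically rather than read by eye. The following is an added example, not part of the original post: it parses `tcpdump -v` DHCP output, counts retransmissions and abandoned transaction IDs before the ACK, and compares the first renewal attempt with the RFC 2131 default T1 (0.5 of the lease) and T2 (0.875). It assumes the capture stays within one day; the last sample record is constructed.

```python
import re
from datetime import datetime

# Records 1-6 are trimmed from the capture in the post (unused option lines
# dropped). Record 7 is CONSTRUCTED: a renewal Request 3060 s after the ACK.
CAPTURE = """\
13:59:59.313540 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:61:5f:08:00:74, xid 0x29715326
       DHCP-Message (53), length 1: Discover
14:01:01.459540 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:61:5f:08:00:74, xid 0xddf175e3
       DHCP-Message (53), length 1: Discover
14:01:01.654312 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 355:
    104.193.102.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 313, xid 0xddf175e3
       DHCP-Message (53), length 1: Offer
14:01:02.669840 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:61:5f:08:00:74, xid 0xddf175e3
       DHCP-Message (53), length 1: Request
14:01:11.679729 80:61:5f:08:00:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:61:5f:08:00:74, xid 0xddf175e3
       DHCP-Message (53), length 1: Request
14:01:11.866296 08:96:ad:5a:db:c1 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 355:
    104.193.102.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 313, xid 0xddf175e3
       DHCP-Message (53), length 1: ACK
       Lease-Time (51), length 4: 3600
14:52:11.866296 80:61:5f:08:00:74 > 08:96:ad:5a:db:c1, ethertype IPv4 (0x0800), length 342:
    104.193.102.85.68 > 199.27.156.55.67: BOOTP/DHCP, Request from 80:61:5f:08:00:74, xid 0x0c0ffee1
       DHCP-Message (53), length 1: Request
"""

TS = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ")  # unindented line = new packet
FIELDS = {
    "xid": re.compile(r"xid (0x[0-9a-f]+)"),
    "type": re.compile(r"DHCP-Message \(53\), length 1: (\w+)"),
    "lease": re.compile(r"Lease-Time \(51\), length 4: (\d+)"),
}
T1_FACTOR, T2_FACTOR = 0.5, 0.875  # RFC 2131 default renewal / rebinding points


def parse(text):
    """Turn tcpdump -v DHCP output into one dict per packet."""
    records = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            records.append({"t": datetime.strptime(m.group(1), "%H:%M:%S.%f")})
            continue
        for key, rx in FIELDS.items():
            found = rx.search(line)
            if found and records:
                records[-1][key] = found.group(1)
    return records


def analyze(records):
    """Summarise the first completed handshake and the first renewal attempt."""
    ack = next((r for r in records if r.get("type") == "ACK" and "lease" in r), None)
    if ack is None:
        return None  # no lease was ever acknowledged in this capture
    lease = int(ack["lease"])
    since_ack = lambda r: (r["t"] - ack["t"]).total_seconds()
    before = [r for r in records if r["t"] <= ack["t"]]
    renewals = [r for r in records if r["t"] > ack["t"] and r.get("type") == "Request"]
    renew_at = since_ack(renewals[0]) if renewals else None
    return {
        "discovers": sum(r.get("type") == "Discover" for r in before),
        "abandoned_xids": len({r["xid"] for r in before if "xid" in r} - {ack["xid"]}),
        "requests_before_ack": sum(
            r.get("type") == "Request" and r.get("xid") == ack["xid"] for r in before),
        "first_discover_to_ack_s": round(-since_ack(before[0]), 3),
        "t1_s": lease * T1_FACTOR,
        "t2_s": lease * T2_FACTOR,
        "renew_attempt_s": renew_at,
        "renew_fraction": None if renew_at is None else renew_at / lease,
    }


if __name__ == "__main__":
    for key, value in analyze(parse(CAPTURE)).items():
        print(f"{key:26} {value}")
```

A `renew_fraction` above 0.5 with no Request between `t1_s` and `t2_s` means the client skipped or delayed its T1 renewal; no Request before lease expiry means it never tried.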
#6
This may be related to an issue with upgraded setups and multi-WAN in general. https://github.com/opnsense/core/issues/9702
There may be a setting hiding in the config somewhere that's causing the issue; multi-WAN with a fresh install appears to work properly. Don't know if you want to start over and reconfigure everything.
#7
You're probably going to need a reinstall. If there's no direct 26.1.3 image, an upgrade from the latest version available should hopefully not go the same way.

Stupid question, did you try re-running the update process?
#8
Another suggestion to try, if you don't want to migrate from dnsmasq to kea - set a machine with a static ip and disable dnsmasq, then try to start unbound. If it succeeds you know something in dnsmasq is blocking it.
#9
I'd suggest migrating your dhcp handling to kea and disabling dnsmasq entirely and seeing if that fixes your issue. Depends on how much work it'd take.
#10
26.1, 26,4 Series / Re: Enable SSH at Console
February 25, 2026, 10:51:32 PM
Grok's link expires after a while; going to paste it here so it's preserved for future reference...

Quote:
**To enable SSH on OPNsense when you've lost WebUI access, use the built-in console menu (available via physical VGA/keyboard, serial, or VM console).** This works because SSH configuration lives in `/conf/config.xml` (the central config file), and the console gives you shell access to edit it directly. No internet or WebUI is required.

### Step-by-Step Instructions

1. **Access the console** 
  - Connect a monitor + keyboard (VGA) or serial cable. 
  - In a VM (e.g., Proxmox/ESXi), open the VM console. 
  - Power on or reboot if needed. Log in as **root** with your root password (default is usually `opnsense` on fresh installs, or whatever you set).

2. **Enter the OPNsense menu** 
  You'll see a numbered list (something like): 
  ```
  1) Assign Interfaces
  2) Set interface(s) IP address
  ...
  8) Shell
  5) Reboot system
  ...
  ```
  **Choose `8) Shell`** (this drops you to a FreeBSD root shell).

3. **(Optional but recommended) Verify current state** 
  ```
  ssh localhost
  ``` 
  or 
  ```
  ps aux | grep sshd
  ``` 
  If nothing is listening on port 22, SSH is disabled.

4. **Edit the config to enable SSH** 
  ```
  vi /conf/config.xml
  ``` 
  (vi is built-in; press `i` to insert/edit, Esc to exit insert mode, then `:wq` to save & quit. If you prefer nano: `pkg install nano` first.)

  - Press `/` then type `system` and Enter to jump to the `<system>` section. 
  - Inside the `<system>` ... `</system>` block, **add or edit** the `<ssh>` subsection so it looks like this (place it near the end of the `<system>` block, before `</system>`):

    ```xml
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>  <!-- allows root login (recommended for recovery) -->
      <passwordauth>1</passwordauth>        <!-- allows password login -->
      <!-- Optional: restrict to LAN only -->
      <!-- <interfaces>lan</interfaces> -->
    </ssh>
    ```

    - If a `<ssh>` block already exists, just change `<enabled>0</enabled>` (or missing) to `1` and add the other lines as needed. 
    - Values like `1` (or sometimes `enabled`) both work; `1` is standard.

5. **Apply the changes** (no reboot needed in most cases) 
  ```
  /usr/local/etc/rc.sshd restart
  ``` 
  or 
  ```
  configctl sshd restart
  ``` 
  (If neither works: `pkill sshd; /usr/local/sbin/sshd`)

  You can also just reboot from the menu (exit shell with `exit`, then choose `5) Reboot system`).

6. **Test SSH** 
  From another machine on the same LAN: 
  ```
  ssh root@YOUR-OPNSENSE-LAN-IP
  ``` 
  (e.g., `ssh root@192.168.1.1`). It should connect and drop you straight into the OPNsense menu.

### Extra Tips & Common Fixes
- **If you also lost WebUI access** (same root cause): 
  In the same `/conf/config.xml` edit, look for the `<webgui>` section and make sure it has `<enabled>1</enabled>` and no overly restrictive `<listenaddr>` or `<interfaces>`. 
  Or simpler: from the console menu, choose **2) Set interface(s) IP address** → it often offers to "restore web GUI defaults" (switches back to HTTPS on all interfaces).

- **Firewall rules**: 
  Once SSH is enabled in config, the built-in **anti-lockout rule** (on LAN) automatically allows port 22 to the firewall itself. You don't need to add a manual rule for LAN access.

- **Security notes** 
  - Only enable root login temporarily if needed. 
  - For production, create an admin user in the admins/wheel group, add your SSH key under **System > Access > Users**, then disable password/root login later (when WebUI is back). 
  - Restrict listen interfaces to LAN only in the `<ssh>` block if desired.

- **Backup first** (good practice): 
  Before editing: 
  ```
  cp /conf/config.xml /conf/config.xml.bak
  ```

This method is the standard recovery path documented across OPNsense forums, GitHub issues, and troubleshooting guides. Once SSH is up, you can fix the original WebUI issue from the shell or re-enable the GUI properly.

If you run into any error (e.g., XML syntax), paste the exact error here and I can help debug the config snippet. Good luck!
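
Once recovery is done, the settings suggested in the quoted text (root login plus password authentication, no interface restriction) are worth checking for so they do not stay in place. The following is an added example, not part of the original post or of OPNsense: it audits the `<ssh>` block using the element names given in the quote, and assumes an `<opnsense>` root element and a constructed sample config.

```python
import xml.etree.ElementTree as ET

# CONSTRUCTED config fragment; element names are the ones in the quoted
# instructions, the <opnsense> root element is an assumption.
RECOVERY_CONFIG = """\
<opnsense>
  <system>
    <hostname>router</hostname>
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>
      <passwordauth>1</passwordauth>
    </ssh>
  </system>
</opnsense>
"""

# CONSTRUCTED hardened variant: key-only logins, no root, LAN only.
HARDENED_CONFIG = (
    RECOVERY_CONFIG
    .replace("<permitrootlogin>1", "<permitrootlogin>0")
    .replace("<passwordauth>1", "<passwordauth>0")
    .replace("</ssh>", "  <interfaces>lan</interfaces>\n    </ssh>")
)

ON = {"1", "enabled"}  # the quoted text says both spellings are accepted


def audit_ssh(config_xml):
    """Return findings for the <system><ssh> block; empty list means clean."""
    ssh = ET.fromstring(config_xml).find("system/ssh")
    if ssh is None or (ssh.findtext("enabled") or "").strip() not in ON:
        return []  # SSH is off, nothing is exposed

    def is_on(name):
        return (ssh.findtext(name) or "").strip() in ON

    findings = []
    if is_on("permitrootlogin"):
        findings.append("root login permitted")
    if is_on("passwordauth"):
        findings.append("password authentication enabled")
    if is_on("permitrootlogin") and is_on("passwordauth"):
        findings.append("root reachable by password: brute-force exposure")
    if not (ssh.findtext("interfaces") or "").strip():
        findings.append("no <interfaces> restriction: sshd not limited to LAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("recovery", RECOVERY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ssh(cfg) or "ok")
```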
#11
This is apparently an issue with upgrading to the new opnsense version. You can try changing the destination NAT entries to "register rule" and deleting any old rules you had regarding the forwarding. I tested this as working with a fresh install but still haven't gotten my old setup working properly. More info at https://github.com/opnsense/core/issues/9702
#12
26.1, 26,4 Series / Re: Creating a custom WAN interface
February 25, 2026, 12:16:48 AM
First off, turn off DHCP on it. Select it under the Interfaces menu and give it the IPv4/v6 settings it needs. Then under settings/gateways add it as a gateway.

Edit: I should mention you can rename it too.
#13
Wifi was broken in general for the 26.1 release. I'm surprised it was working for you. Try the latest update. You may need to delete and reinstall the wifi.
#14
Note that a quick test using the "Register Rule" method on 26.1.2 was not successful; I'll dig further later...
#15
I should also mention that my setup is rather complex and that would complicate picking out the issue. I could maybe set up a test rig but then there's still so much that needs to be passed around.

If you really need it, I can set up said test rig, but it would be best if we could communicate more directly.