Messages

[----HERE ARE THE KEY FACTORS and THE WORKAROUNDS TO AVOID THE BUG THAT I HAVE FOUND----]

I want to provide an update to the problem from my initial post above.  I will do so in my best effort as to not invoke the compulsion of people who are experts at thinking they are experts.

I hope that this helps someone in the future who may come across this post while searching for answers to the same problem if still unresolved.

The problem still is apparent with a fresh install as of version 26.1.2 of OPNsense.  HOWEVER, upon further research and some great help from a Youtube content creator, who provided some excellent perspective on this that I could not acquire elsewhere, the issue persists with the integration of dnsmasq DHCP.  More specifically how a user goes thru the initial IP range and DHCP setup process.

To see a thread that another user found of the same replicatable issues, check this link out--> https://github.com/opnsense/core/issues/9578

I can repeatedly and consistently create this error, as others are showing they can as well.

----HERE ARE THE KEY FACTORS and THE WORKAROUNDS TO AVOID THE BUG THAT I HAVE FOUND----
A) This is most prevalent with hardware where there are multiple LAN ports.  This problem does not persists with single LAN/WAN port systems
B) What is show in the CLI and validated once you complete the steps DOES NOT actually get completed in setup and use by OPNsense UNTIL you go thru and complete (sometimes even redoing steps) in the GUI.
C) You MUST go thru the GUI to validate that EVERYTHING that you initially setup in the CLI is consistently provisioned as it should be in the OPNsense entire "ecosystem" as the first steps before proceeding further with any setup.  You can do this before or after using the wizard if you choose.  However, You cannot proceed under the assumption that everything that you entered via the CLI is integrated and/or functioning properly until you validate it in the GUI.

----Here is what did to work around the current issues with IP range and DHCP network assignment to ports that persist.  Specifically the ones that were causing the issues I found----

1) Go thru the initial setup process, and if using the CLI, setup all of your LAN ports with the IP addresses, DHCP and ranges provisioned.  WRITE DOWN OR LOG EXACTLY EVERY IP ADDRESS AND RANGE DETAIL FOR EVERY PORT.  YOU MAY NEED THIS AGAIN ONCE INSIDE THE GUI.
2) Use that one network that you setup as the LAN management network moving forward, even after creating other LAN networks.  Moving this port after initial creation causes issues where some system components like dnsmasq DHCP to not entirely release the initial port and use the new port chose instead.  This is an issue that I could only replicate at random, but it was repeatable even though irregular with the same result.
3)Once you have completed your initial CLI setup, and are in the GUI, go to dnsmasq DHCP and verify that your ranges are showing for each port as they should.  Likely they will not be. TO RESOLVE THIS....
4)Edit the initial LAN Management port in that list.  All you will have to do is select the address information that you have provided the port, along with the range.  There is no need to update with new information, or a different IP range.  Once you select the original information that you have provided and then apply and exit that window, one of two things will happen.
A) All of your other ranges, along with the missing LAN ports will show up in that same list with the proper IP and DHCP range information that yo uprovided.
B) You may only see the LAN port and IP address/range information still listed

If option A happened then....
1) Go thru and validate that every LAN port, IP address for that port and DHCP range is what it should be.  You again will likely not have to re-enter information, but simply select was is now showing up.  By doing so this is actually validating in the system what should have been validated when you created it in the CLI.
2) Once finished with doing this for every LAN port IP address/range, make sure to apply in the primary dnsmasq DHCP window

If option B happened then....
1) Go thru and build out every LAN port, IP address/dhcp range that you wrote down and used in the CLI initially upon setup before entering the GUI.
2) After setting all of them up to reflect the values that you created in the CLI, make sure to click apply in the primary dnsmasq DHCP window where all ports and IP ranges are listed.

From what I have found up until present (April 2026)...This problem persists only if you are going thru the CLI for initial setup.  If using the GUI, and wizard which is easier on a single LAN and single WAN port system it is not a replicatable error.

I hope this info helps someone in the future with working around a very frustrating problem that caused months of frustration for me before I found it.

   I hope that the C-Suite executives, PR and marketing team for both OPNsense and Deciso read this thread.  The reason being that while the intention of me creating this thread never was what it turned into, it clearly exposes serious public perception concerns about the OPNsense brand and Deciso's perecption to the world over repeated issues that are rampant throughout this forum.  While exposing this was never my intention with starting this thread, it is obvious that my own troubleshooting concerns pale in comparison to a reoccurring, and greater problem on these forums that should be addressed.

   I have given this a few days in hopes for a better response from other experts on these forums.  I had hopes that the side trails that this thread has gone off into would be brought back on course to provide some further points to consider in my troubleshooting efforts.  Specifically a response focused on answering questions, or at least providing direction to helpful resources that I may have missed or that I may be unaware of.

   It is obvious that this has not transpired.

   So let me address these points of concern, starting with a few of the comments in your responses @meyergru up to this point.

   First, I want to make perfectly clear that no where in this post I am trying to attack OPNsense, nor did I intend to come across as blaming OPNsense software for the issues that I was having.  I spent many, many hours combing thru posts both on this forum and elsewhere, and have found a very infrequent issue that a few continue to have.

   In no way did I mean to come across by posting very detailed responses, as expecting you @meyergru, or anyone else, to fix this issue for me.  If that was how it was perceived, then my sincere apologies.

   Whether this problem is being logged or not, it is obvious that it persists, even though infrequent.  I could not find a running forum thread, or page that is a continuously building list of known hardware issues that OPNsense, and/or it's plug-ins are incompatible with.  Is there one?  If so, and I missed it in all of my browsing that is my mistake, and I would appreciate simply a link to direct me to read thru that information.

   I know how much reading through details in others posts has helped me personally, and have been expressed in replies of gratitude by others long after the post or thread was initially created.  Not only here, but elsewhere in the past where people are bold, and honest enough to share their mistakes, and the details for their troubleshooting of issues up to that point.  If there is anything we as humans learn from it is from ours and OTHERS mistakes IF we choose to value the lessons they provide.  Creating and cultivating a culture where that is welcomed is one of the most critical points of a brand's success or failure.  You can have the greatest product in the world, but if you do not include even the person with the most basic understanding of it, success is impeded.

   As a result I took the additional time and posted those details above.  I did so in hopes that providing them might give someone reason to point me in the direction of other resources, lists, or even other forum threads that would help myself and future viewers out.  Hope that taking my time to do so would eliminate additional response time for you as "Hero Members," "Sr. Members," and"Administrators," and other high level users of the forums.  I posted to help others that may make a common mistake that I innocently missed in the setup process with my slip-up with Layer2 network conflicts, and trusting the labeling of networking ports on my own  hardware.

   That obviously did not happen, nor was taken as a value in that sense.  My post further was seen as an opportunity to provide yet another condescending rant.  One, not just attacking myself, but everyone that you would include as "non-experts,"  and went as far as venting about those who post "all kids of external internet guides and/or videos." by you @meyergru

   @meyergru you mentioned that you, "often say that OPNsense is not your average consumer router where point-and click just works.  It is a professional tool that should be operated by experts."

   My question to you is, where does one start outside off to be that "network expert?"  How does one learn if not by trial and error to become familiar with and knowledgable of the way OPNsense works?  How does one become that "expert" who knows how to use OPNsense, if making the same mistakes as others is not permitted?  I again could be wrong, but I cannot see where a person just does not one day wake up and become an "expert" at OPNsense. 

   It is rather by one, regardless of their network experience takes on the challenge to learn.  Learn by trial and error, and asking questions, searching for knowledge from experienced users, and content.  For OPNsense, there is no other way offered.  There is no certification program, official classes, or programs to sit down and learn OPNsense in an officially sanctioned learning environment.

   That does not make OPNsense bad in any way, but at the same time it needs to be understood that people are then forced to learn the system on their own thru online communities, forums, and video examples that they can compare and contrast their setup to.  Humans instinctively learn more by human interaction and engagement in some modern form of the age-old form of apprenticeship.  Whether that be following an "external internet guide," walking them thru the process, or engaging in conversations like was intended when I started this thread.

   To say that the OPNsense system "should be operated by experts," completely sequesters OPNsense to being inhibited to growth, adaptation, and opportunity for use by up-and-coming users.  Users that would eventually be loyal enthusiasts who encourage their own companies and organizations to purchase enterprise licensing for OPNsense that they have spent time becoming familiar with.

   Let me put this another way for you to consider that likely has not been though of.  Ask yourself these questions- WHO is posting?  Is how I am answering encouraging them to engage FURTHER with the brand of OPNsense to make it a success for Deciso?  Or is what I am saying, or how I am responding leaving such a bad experience that this person will forever reject OPNsense, or anything to do with anything from Deciso?

   That person posting could be a kid from a small-school or non-profit where he/she may be the only one who understands networking in their organization, or that their organization can afford.  The decision makers of that same organization trust them, and are looking to them to not only learn, but figure out if OPNsense is the right solution before purchasing an enterprise level license.  Is that person shunned from using OPNsense because they're making mistakes while not qualifying as a "expert," yet willing to learn.  Based on your perspective they SHOULD NOT EVEN CONSIDER attempting to learn OPNsense because they do not qualify to be an "expert."

   Maybe that person posting the question that you hated answering because it was THE SAME QUESTION OR PROBLEM for the 4,551st time is a Dad who is making a home lab and wants to learn OPNsense.  However, for his day job though he is the C-Suite decision maker of his business or franchise.  A person where once he could get OPNsense to work, he was going to recommend that his small or medium size company  purchase across all of their properties multiple enterprise licenses.  Are you going to tell him that he should not consider operating OPNsense either because he is not qualified to be an "expert" according to your qualifications?

   For me, I openly admit that I was making this a Homelab exercise.  However, I have three non-profits that I work with which need scalable solutions that I was considering recommending OPNsense for.  That is, once I could get it to work since they would likely be calling me for any issues.  For my day job, I work in the live-event industry and travel globally.  I am needing to create 4 travel/temporary network solutions that I am going to be implementing for large scale trade shows, conventions, and tours by the end of Q3 of this year whereby I need a firewall solution.  I was considering OPNsense since I THOUGHT it would be great at an enterprise leve.  However I needed to figure it out on a personal/consumer level first before recommendations and purchases since likely I would be the one called when issues happened.

   All of you that have the title under your name of "Hero Member," "Sr. Member," "Administrator," and others are perceived by those that read your responses, and see your names on these forums as those that KNOW and ARE the "network experts."  We look up to, and value your perspective, feedback, and any guidance.  Even if that guidance is in providing direction to a post we may not have read, simply because it was missed in our searches.  The point of connection with YOUR responses, and by YOU taking the time to answer matters  more than you realize.  Not just for us, but for the PERCEPTION that we have of the greater brand of Deciso and OPNsense.  To those of us that are not, "Hero Members," "Administrators, "Sr. Members," or others in those realms, you REPRESENT the brand to the WORLD whether you are on here voluntarily, or paid to do so.  Your response is perceived as the brand's response to US that may be potential users.  Your response is also amplified in the perception of the brand by those tens if not hundreds of thousands of users, and potential buyers that may search and land on your response, but never post.

   If all of you "Hero Members," "Administrators, "Sr. Members," and others that consistently leave threads without solutions, or berate those who may have asked a question for the 10,723rd time, are you leaving them in a way that you would find motivating to continue engaging with the software and brand if the tables were flipped?  If you were just a beginning user, would you continue to find the engagement that a "Hero Member," "Administrator, "Sr. Member," or other high ranking user on these forums posted as a response to you one that would leave you motivated and encouraged to continue to pursue the right answer?  Or would it give you cause to move on to another solution of software all together? 

   As for your statement @meyergru that, "this forum is not an official Decisio support forum, but mostly used by hobbyists," that is a marketing and branding serious concern that may not be yours but one that Deciso and OPNsense needs to address.  The PRIMARY domain of this forum is opnsense.org.  The forum is also linked on the official main page/site of OPNsense and such is subsequently perceived as THE OFFICIAL resource for anyone looking to connect with others.  There is no statement anywhere requiring someone to be a networking "expert" before posting on these forums which leads to the CLEAR misunderstanding that ANYONE is welcome to post their issues or concerns relating to OPNsense.  Posting with an assumption that any response IS TO BE CONSIDERED from any "Hero Member," "Administrator, "Sr. Member," or other high ranking user AS from OPNsense.  If this was not an "official forum," then there should be explicit visual and verbal details providing that information to first-time viewers, and regular users alike.

   That said, all other context, graphics, branding, etc. leads to a complete disagreement with that statement that this is NOT an "official Deciso support forum."

   So when a person follows that link that you provided as a "Hero Member," "Administrator, "Sr. Member," or other high ranking user, It doesn't take a "networking expert" to view posts that applaud the "old article" that you lauded in your READ THIS FIRST forum thread to see something seriously wrong.  Anyone reading that  linked article will quickly realize in NO WAY could that old article be construed to be helpful to users.  That is nothing but a condescending, verbal, jerk-off piece intended to do nothing but intentionally berate anyone else whom the author sees as inferior on their knowledge to themselves.  It is written by an individual, while possibly a "network expert," who clearly has psychological issues, and is completely deprived of any character that allows him to even care about the value of others who might read that piece.

   For anyone that promotes, applauds, and thinks as you mentioned @meyergru in that forum thread, which you posted, that the writer of that condescending piece should be given accolades, I genuinely feel sorry.  Not only for the author of the piece but for both of you as human beings.  It is clear that there is a massive lack of human decency for anyone who provides that old article accolades.  That is the furthest piece of content from providing helpful guidance to anyone.

   Furthermore that someone who is a , "Hero Member," "Administrator, "Sr. Member," or other high ranking user who sees any value in providing that as a reference on a forum, and one that represents the brand of Deciso's software OPNsense, is cause for any public-relations and marketing team to find cause for dismissal as a result of promotion of content like that.  It not only is damaging to the brand, but creates the unspoken perception that NO ONE is welcomed to post their issues or concerns on this forum unless they are considered an "expert" by the "Hero Member," "Administrator, "Sr. Member," or other high ranking users.

   I get it, the forums are free, and voluntary.  You as "Hero Members," "Administrators, "Sr. Members," and others high level users, cannot hide behind that excuse though.  That leaves no excuse for the tirades and rants about why OPNsense is only for networking "experts" and not for anyone else.  If that was the case, then let me ask you again, at what point would you endorse someone just wanting to learn?  How would they go about making mistakes while learning without getting berated, and looked down upon by engaging in this forum community?  How would they find helpful answers and responses if they do not have your experience, and expertise, or if they missed reading that one thread, or post you have shared thousands of times?

   With the responses that many, including myself, have received frequently on these forums, if you were in our shoes, ask yourself these questions.  Would YOU walk away from the experience on these forums wanting to purchase a license for your small organization, or startup company?  With the lack of positive engagement, even if you made a mistake like tens of thousands before you, yet were berated for asking an honest question, would you recommend to a board of directors, and financial decision makers their need to make a financial purchase to integrate and use an enterprise version of OPNsense?

   It doesn't take a "networking expert" to realize the answer is NO.

   As for the "external internet guides and/or videos," that you "urge everyone to refrain from using," because, "they are often outdated or too unspecific."  Let me provide perspective that may not have been considered by you or others integral in the public relations and marketing management for Decisio and OPNsense. 

   Organizations like Decisio and OPNsense are missing a great opportunity to connect with their audiences by isolating their only connection point to these forums on their brand's domain, or their reddit forums that they moderate.  That may be for budgetary purposes, or other decisions.  I get it.  While that is a problem that should eventually be resolved, berating other like YouTubers that cover OPNsense has no purpose but to DEGRADE the PERCEPTION of OPNsense to the rest of the world.

   Instead of creating problems, those Youtubers posting content about OPNsense are doing one thing that the teams with Deciso and OPNsense are not-  THEY ARE FILLING A VOID.

   The platform used second to Google on a global scale, for ANY search criteria, is YouTube.  Contrary to what others might think, YouTube is where people go to search and LEARN about a topic first.  Viewers find greater value in connecting thru posting comments there.  Add to that the YouTubers curating those channels are happy to respond to their viewers in a positive manner.  This in turn creates a positive and encouraging environment to foster learning.  That INCLUDES even answering the most basic or rudimentary questions without providing a condescending response.

   These content developers take the time to do so because THEY VALUE THE PERCEPTION OF THEIR BRAND.  Connecting with, or politely answering that one person's most basic question, one that clearly would be considered "dumb or stupid" on this forum, IS MORE VALUABLE TO THEM, and they know it.  That one answer or comment reply is likely to lead to word of mouth advertisement that the content developer could never pay for, yet will grow their viewership base.

   Even the most basic YouTuber's channel posting content about OPNsense, that would qualify for your berating, are doing MORE for the brand of OPNsense, THAN ALL of the "Hero Members," "Administrators, "Sr. Members," and others high level users, on this forum COMBINED!  THEY ARE PROMOTING THE BRAND, NOT MAKING THE BRAND EXCLUSIVE for "expert users."   These "external internet guides," as you called them, are FILLING A VOID that these forums at the OPNsense brand's domain, fail miserably at.

   Instead of going on rants about how external content is "often outdated or too unspecific," Deciso, and those managing OPNsense would make HUGE STRIDES for brand growth if they looked for ways to make these YouTubers their own BRAND AMBASSADORS.  As the YouTubers notoriety grows with their increase of their own subscriber base, positive user interaction, and value perceived as a consistent resource, it would reflect positively on Deciso and OPNsense by identifying with their brand.  In return this would amplify the value for people to learn and embrace OPNsense.  It would create an environment where users, regardless of their network expertise, FEEL WELCOMED to post their questions or issues, and where they would be answered providing the future user and purchaser or OPNsense with a reason to make a financial investment in the brand. 

   I want to share a few examples that have helped me in my journey with learning OPNsense on YouTube.  They are ones that provided details, often visually, that I could not find specific answers to my questions for in the official documentation, tutorials, and certainly on this official forum.  I do so in hopes of providing some examples where Deciso and OPNsense could consider collaborating with these content developers that would help amplify the positive engagement of Deciso's brand OPNsense that is desperately lacking in these forums.  For the record I know none of them personally, nor have any reason to mention them outside of how helpful their content, or personal feedback in a timely response in one case, has been to me.

   Thank you "Sherridan Computers" (https://www.youtube.com/@sheridans)- Thank you for taking the time to provided perspectives and advice on immediately upgrading to the next version of OPNsense.  Thank you for the detailed walk-thru of how to properly setup a VPN, and what you should be looking for to qualify a proper setup as the VPN connection is built out in OPNsense.  You taking the time to provide screen captures helped to provide details that were not completely clear to understand in the official documentation

   Thank you "What's New With Andrew" (https://www.youtube.com/@Whats.New.Andrew)- Thank you for your detailed walk-thrus that were simplistic to understand and get the basics up and going for an OPNsense setup.

   Thank you "HomeNetworkGuy" (https://www.youtube.com/@homenetworkguy)- Thank you for providing critical considerations that no one else covered as to why migrating to either DNSMasq /DHCP or Kea both have their advantages, and disadvantages depending on your current setup, and scalability needs for users systems.

   Thank you "Apalrd's Adventures" (https://www.youtube.com/@apalrdsadventures)- Thank yo for taking the time to provide a refresher course of the dynamics of the different network layers that are critical to understanding IPv4 and IPv6 network setups.  For those of us that do not live in a world of network address assignments daily, your detailed explanations and simple visual diagrams were helpful.

   The visuals that all of you provided in each an every step of the setups and tutorials all are helpful to any viewer who is looking to validate whether or not they are taking the right steps to set up their own OPNsense setup properly.

   Additionally all of the time that these, and other YouTube content developers take to stay current with GUI versions and updates that are made to the OPNsense system, help to eliminate the confusion for viewers.  Confusion that exists persistently throughout the official documentation and tutorials that I took hours and days to read thru.  The official content simply is not updated fast enough, sometimes does not provide that visual detail that's needed for the viewer that has changed in an updated version of the software.  You all provide helpful, and relevant information to how to properly setup, modify or adjust systems based on current versions of OPNsense.

   In speaking with anyone outside of this forum, anyone whom I have talked to hates, and the word was HATES, coming here to the official forums.  These forums have curated a reputation for being a place where people, regardless of their experience or not, are either ignored, berated, or at best looked down upon in a condescending manner if you are not a "Hero Members," "Administrators, "Sr. Members," and others high level users; or at the least considered a "networking expert."

   That is so sad, because the "Hero Members," "Administrators, "Sr. Members," and others high level users, are the ones in the end that are damning the success of what potentially could be a great community surrounding, and growing the market space, and enterprise license orders, of a fantastic piece of software.

   While I hope that taking the time to present this information will help, my suspicion is high that I do not think any of this will change any time soon.  Even though I and many others I am sure looking for a positive engagement in these forums would hope that it would.  OPNsense is a fantastic product that is ultimately being curtailed from success by its own "network experts."

   Since it was misconstrued by you @meyergru that I somehow wanted someone "take me by the hand and  [to be] guided through the process."  That never was the case.  You initially responded to my posting that started this thread, which I am grateful for @meyergru.  To which I provided my mistakes, and how I resolved them thanks to what you had mentioned in your initial response.

   Consequently though, me posting those solutions I found in resolving my mistakes were then berated, and not seen for the value it could provide others who may read this hundreds, or thousands of times after who may have similar problems or have created the same errors.

   Value in honesty and detailing mistakes to provide steps to solutions, is obviously not cultivated or valued here on these official forums.  That in and of itself is what has impacted my perception of considering OPNsense not just for personal learning and use, but for commercial opportunities whereby I influence, or make decisions for in the future.

   As a result, what I am committed to do is this-
1) I am going to print out this thread, and have already printed out the "READ FIRST," and "old article" posts.  I will this post, along with the others, immediately following this post for future personal, and referral reference for others.  Should this thread be deleted, or removed, I will have proof that the responses that I received, along with the berating and condescending rants provide proof.  Proof of the unprofessional and lack of any resemblance of desire to provide feedback, even at the voluntary level- which leads to a tainted value perception for Deciso's brand of OPNsense.

2) Should any of my client projects, any group that I volunteer with, or even friends that bring up home networking questions ever consider OPNsense, I will print this thread out and give it to them as PROOF why the toxic, lack of community, and condescending approach that those respected as "Hero Members," "Administrators, "Sr. Members," and high level users on these forums have repeatedly presented by representing OPNsense with their voluntary responses.

3) Any of my project builds in the future for commercial purposes in my areas of consulting and decision making for companies I will remember this brand experience with Deciso.  It will give me cause to think twice about any products now, or in the future, that Deciso develops.  Cause based on the reputation of the experience I personally have had on these forums with those that are presented as their brand representatives of OPNsense.

   The experience on these forums that I have seen others have had, and which I now have personally experience myself, has turned me from a potential avid supporter of OPNsense, to one who will never provide the consideration for anything relating to Deciso or OPNsense that I am involved with in the future.  I am sure I am one of many, based off of many comments outside of these forums that I have found that this resonates with.

   Before I do those things that I stated, I will give this one last challenge to the rest of you "Hero Members," "Administrators, "Sr. Members," and others high level users on this forum that post frequently.  @meyergru has clearly presented his character, and lost any credibility to value his response, but the rest of you still have an opportunity.

   My challenge is simple- CHANGE MY MIND

   Prove to anyone reading this thread, and to myself that you can actually provide value in a positive response to my questions and this thread.  Your response could be as simple as providing a link to a running list of conflicting hardware that is known NOT to be compatible with OPNsense.  Do you have one?  Did I miss it in my searching thru the official documentation or thousands threads these forums?  Where did I miss it if so?  Can you provide me a link to it without berating me for making the human mistake of missing this useful piece of content?  Something that I missed after reading thru content that I have taken days and months to go thru?  Can you do it without berating me for messing up, or failing to find it on my own?

   That would be greatly appreciated by any of you.

   While I will likely move on because of my experience here, I hope that taking the time to present these serious concerns will provide opportunity for growth and change in the organization.  Growth that the "Hero Members," "Administrators, "Sr. Members," and others high level users which the rest of us see as the "experts" who curate this forum and online community.  "Experts" that REPRESENT Deciso's brand of OPNsense, even if voluntarily.  "Experts" who represent OPNsense to the world.

   We all make mistakes.  How we help each other matters often more than resolving the error.  In maintaining that point of understanding the error often times easily is found even quicker for others.  At the least the solution often works itself out and becomes the best learning experience of all involved, and those who watch, or read about it in the future regarding what has transpired.

   I was hoping that taking the time to detail my errors and the issues that I had found consistently coming up throughout various posts for years where threads were not solved, would provide that opportunity.  It did not.  I hope that what I have experienced here changes for others in a positive manner in the future.  If not, an incredible product like OPNsense will fail like many others.  Not because of it's incredible offering and ongoing development.  It will fail because the people that represented the brand and software that was developed, or those who were responsible for curating its value to potential users and purchasers, created exclusivity instead of a welcoming community embracing anyone who was willing to take on the challenge.  The challenge of learning their software, regardless of their level of expertise.

@meyergru

Thank you for your response.  The details in it really helped, even though I still have not successfully been able to get OPNsense completely functional.

I am going to take the time to post a few errors that I found on my part, and validate why taking the step that you guided to do in eliminating Proxmox as a variable.  That helped me to find serious hardware issues I was unaware of until I went with a bm (bare metal / no other OS but OPNSense on the hardware) install.

I hope this helps in paying it forward with someone else having similar symptoms/issues.

First, at some point in the dozens, and dozens of rebuild attempts, I had created Layer-2 network conflicts by not creating networks that were on the same subnet.

Please correct me if I'm wrong @meyergru about any of this.

For those reading this in the future that may have similar problems.  You CANNOT have different IP ranges with different subnets (i.e 192.168.x.x, and 172.200.x.x, and 10.10.x.x, etc.).  Just because everything has the same CIDR declaration (i.e. /24, /16, etc.) does NOT mean that they are not going to conflict, or more importantly are IN THE SAME RANGE.

I had created my primary LAN management port IP as 192.168.100.1/24

At some point in the troubleshooting I had CHANGED all of my other optional LANs to 10.10.X.X while leaving my primary as 192.168.100.x

That was the mistake that I had made which was creating the Layer-2 network errors.

However for me, that still did not get things working.

Before I wiped and started completely clean with a bm install, I checked VLAN aware status on Proxmox for all of the Linux Bridges.  Everything was fine there.

From every sign, and from what I could derive, Proxmox was working fine.  That was not the issue though.

When I wiped the hardware and installed OPNsense natively on the hardware, all interfaces came up correctly and I assigned the interfaces as follows:

LAN1-Management- 192.168.100.1/24
WAN- DHCP (No static IP assigned) [It will acquire it from my ISP upstream]
LAN2- 192.168.115.1/24
LAN3- 192.168.116.1/24
LAN4- 192.168.117.1/24
LAN5- 192.168.118.1/24

No VLAN's at this point.  I don't want to complicate things until I get the DHCP server issue resolved.

What I found though is something that may help others.  When starting up the anti-lockout rules will allow the traffic to the GUI interface on any port.  That is both good and bad.  Bad, if you assume that all is well, and that you are connected physically to the right port.  That was the mistake I was having.

The LAN interface that I assumed was the right physical NIC port once again works with DHCP no problems. 

My clue was that the WAN was NOT acquiring an IP address upstream.

That is when I used an IP scanner (Angry IP, LAN Scan, etc.).  I manually assigned an IP address to my client machine that's networked, and of which I am using to access OPNsense.  I am again eliminating potential issues by just a single wire from the OPNsense box, directly to the client hardware NIC.  No other hardware in between.

I physically unplugged the cable, and started plugging into other ports.  At the same time I was manually changing the static IP address to be in the range, but not the same address (i.e. 192.168.115.10) as the gateway address for that interface (i.e. 192.168.115.1).

What I found in my hardware was that the actual NIC assignment on my OPNsense box is completely opposite than what it is labeled on the front of the case by the manufacturer.  It was sequentially inverted, meaning instead of ports labeled / numbered left to right, it was right to left. 

SIDE NOTE- I have heard of some hardware having ports that are randomly numbered and not sequential in their hardware placement. 

LESSON LEARNED- Check and VALIDATE your physical network ports BEFORE YOU START TROUBLESHOOTING ANYTHING ELSE!  Don't believe the labels!

So Proxmox was creating Linux Bridges correctly all along.  The problem was that I was plugging into the wrong ports, all while assuming I was plugged into and working on the correct ones.

Once I was able to determine this problem, I was able to go back and use the same IP sniffing program to see if it would find all of the host static IP addresses for the interfaces as they are assigned in OPNsense.  All of them were found where they should be, and with what network IP addresses they should have.

The problem that I have now, is the same original problem that started this forum post thread.  I cannot get the DHCP server to provide addresses for each interface.

At present, I have completely disabled the firewall in the Firewall > Settings tab.  I will re-enable, and work on rules once I can get a basic DHCP server working on each LAN.

I hope taking the time to post this information helps others that may run into the same problems.

Also, I will likely go back to a Proxmox setup later, but not until I get a functional setup of OPNsense on bm working properly.

Thank you @meyergru for bringing up the Layer-2, and the bm troubleshooting steps.  I had worked on this until my eyes were crossing and completely had not thought about the possibility of what I found, and the errors I had created.

@meyergru What would you advise at this point with regards to next steps in resolving the DHCP server issues that I'm am seeing consistently on all optional LAN ports?

FYI, I have made sure in DNSmasq that all interfaces are checked/selected instead of unchecked which leaves the drop-down menu to say "All Interfaces."

Thanks in advance for the response.

Greetings to all,

   I'm posting this 9 days away from the end of month of January 2026 when everyone is expecting version 26.1 to be released.

   Before I do, I want to make sure I mention that in no way do I intend this as a "nasty-gram" to those who very consistently, and patiently, provide great feedback on here for users from level "noob" to advanced.  Any frustration or sarcasm from me is not vented at any of you, but has just been seared into my brain with this entire experience as a result of this problem that I cannot get past.  So know that I appreciate your support, feedback, and even consideration of this persistent issue that quite a few continue to experience, and which has turned a few frustrated with no resolution to it away from OPNsense.

   Also, this post is certainly in the TL;DR category.  I get it.  I'm trying to provide details here that will hopefully be considered by the engineers/dev team that may help in finding the source of the problem which can resolve it before the next big release.

   With all of that said, here's the problem-

   I have encountered a problem which based on reading various posts on this forum, on Reddit, and posted on personal blogs, etc. seems to have been a persistent issue since version 24 of OPNsense.  To date it seems to still not be resolved.

   The common thread for all individuals experiencing this problem is that we need, and have built an IPv4 exclusive firewall that blocks, and does not handle IPv6 traffic for whatever the reasons that we may have.  For me it's a known security leak with some software and hardware that I am wanting to put behind the firewall that is known on IPv6, but that I can manage and block currently on IPv4.  All that is unrelated to OPNsense, but which I am needing OPNsense's capabilities to provide security and block the known traffic issues within the network and also outbound to the WAN at the firewall level.

   Here are just three of the many posts where you will find others stating similar, if not identical problems-
https://forum.opnsense.org/index.php?topic=47277.0
and
https://forum.opnsense.org/index.php?topic=47135.30
Also on Reddit here-
https://www.reddit.com/r/opnsense/comments/1dixd9y/opnsense_dhcp_server_not_assigning_ip_addresses/


    What I have found is that everyone is having a problem once they get to building out their secondary or "optional" LAN networks providing DHCP clients addresses.  This is not noticeable in the system if you use IPv6 in tandem with IPv4 for some reason.  However, an exclusive IPv4 setup brings this gremlin out.  You also do not notice this problem either if you are just using  your initial LAN  Management port.  Everything works dandy there for inexplicable reasons.

   Forget VLAN setups as well.  The problem may persist there as well, but all people experiencing this problem have simply been trying to get their LAN ports working, including myself, before proceeding to setting up VLANs.

    When you start to build out your router with other LAN (optional) ports, that is where the problem comes up for everyone.

    What I can deduce from reading through these many threads is one common point.  That is where people started having these issues is in version 24 it seems.  They all run into this  problem, especially once DNSMasq and DHCP migration from ISC became a thing. 

   A critical point to note- This was not a problem and people have stated that no issues like this were present with ISC. 

   The same problem, while inconsistent, comes up with Kea as well.  From posts that I've been reading this problem has been persistent since version 24.x.x, and it continues thru 25.7.11 (or whatever is current).

   I personally have tried using both DNS Masq / DHCP, then disabling and activating DHCP management via KEA.  The problem persists with both.

   While the is a known issue, it hasn't been solved, nor has there been a workaround to it that has been posted that I could find.  If there is one that I have missed, please do advise.

   For the sake of helping to provide some troubleshooting information here are some additional steps that I have taken to diagnose where the problem might be.

   Everyone experiencing the same issues, including myself, are experiencing this on a virtual machine environment.  For the most part, although not exclusively, it was with Proxmox; at whatever the latest version was at the time of their posting of the issue.

   One other key clue that may help out in finding the issue is something I found with a Mac.  I found that this issue would not show up in Windows and Linux when the DHCP handshake process happens, at the level of detail as I could see in real time on osX.  It doesn't show up in the other OS's only because likely the GUI doesn't provide a real-time view of the DHCP IP lease process in real-time like the GUI does in Mac osX.

   A few details / side notes that should be stated at this point-

   Keep in mind that no IP address is provisioned, but also no router and/or gateway address is provided, nor DNS addresses to the client on any secondary LAN ports.

   Also, this is with the firewall opened fully up, and allowing all traffic on all LAN's.  One default rule on each subnet to allow all traffic thru via IPv4.  No custom NAT redirection that would alter each of these individual LANs from behaving properly as well.

   The same issue persists when attempting to acquire an address from another virtual machine or container residing on any of the secondary networks as well that live on the Proxmox datacenter.  Same behavior.

   Here is what I noticed while watching this on a Mac-
   When engaging the NIC on the Mac connected to any of the optional / secondary LAN's, on ALL of them, for a brief second a router address is provided for a split second and then goes away (it goes blank as if none was ever provided).  However, the router address that is provided for that split second is NOT the IP address designated for that specific LAN, but rather the IP address of the primary / management LAN port which is assigned a completely different IP address/range, even though in the same subnet (/24).

   Just to re-emphasize, there are no NAT rules that would cause an address forward like this.  Also, this problem persists whether running with DNSMasq / DHCP or  KEA.

   I know that's a lot of info, but I am at a loss, and hoping that the solution for this problem will be caught and resolved by version 26.  I am at a standstill while waiting for it.

   I hope that taking the time to present this information will help the team provide a solution that many have been looking for, but to-date has not been presented sending many to find a firewall solution elsewhere.

   Any additional information that I can provide, please let me know and I will do my best to fill in any blanks for you.

   Thank you in advance for any insight in response.