Messages - lmoore

#1
Quote from: wincent on June 26, 2026, 03:59:25 AM
Is it possible that you have set up another rule without a label to log records?

This happens when you disable logging of a rule. If I remember correctly, I observed this on 25.7 too.
#2
Quote from: allddd on June 22, 2026, 06:32:52 PM
/conf/config.xml has descriptions of rules you've added manually, but default rules aren't there. The rules in there are also referenced by a uuid, not by the rule id from the log. I don't know of any other place that has the rule id and the description (of all rules).

Before posting the other day, I searched my firewall for another file containing the rule UUID and Description fields. The only other file I located on the system which contains the information, and is current, is /tmp/rules.debug. The GUI Live View is obtaining the information from somewhere.

Unless someone can advise where Live View obtains the information, perhaps a database reference file could be created from either /tmp/rules.debug or the API and used instead, regenerating it when the time-stamp changes.

On a side note, last Saturday I added a new VLAN interface to my system, enabled a DHCP server on it and then added it to an existing Firewall Group. Later in the day I noticed some unexpected entries in Live View where a rule logged the allowed connection and then another line was logged immediately after, referencing an unrelated block rule. These entries also appeared in opnsense-filterlog. To overcome the problem, OPNsense was rebooted.
#3
What you are asking can be achieved.

Which version of OPNsense are you running?

Your block rule appears fine but could be refined by using a negated RFC-1918 network alias as the destination. If you enable logging of this rule you will see when it is used.

You may have other rules which are affecting the flow of traffic into this interface.
Please provide more information about your setup, including other rules you have for this interface as well as any floating rules applied to it.

Rules for WireGuard will need to be created to access the "mediaserver" network or just the server's IP addresses, either for your existing WireGuard instance or with a new instance which only has access to that network, if you prefer.

You may want to include IPv4 Null Routes in OPNsense - see https://forum.opnsense.org/index.php?topic=50678.msg259031#msg259031
#4
26.1, 26,4 Series / Re: Wake on Lan
June 20, 2026, 02:25:09 AM
WOL is still working with 26.1.10.

Set up a packet capture in Interfaces -> Diagnostics -> Packet Capture like in the image I've included, setting the interface per your device WOL configuration and then click Start.



Send the WOL then go back to Interfaces -> Diagnostics -> Packet Capture and click on the Jobs tab.

Click on one of the options under Commands to view the capture. You should see the 2 captured packets.
#5
There isn't enough information about what the WAN port would be connected to.

It could be a port on an infrastructure switch requiring authentication, we don't know.

Perhaps wpa_supplicant could be used, but I don't know if one of the EAP methods supports the Certificate Authentication Greg is mentioning.

This package is already installed in my OPNsense. I don't use it and I don't know if it's included in a default install.

Looking at the sample configuration file (/usr/local/etc/wpa_supplicant.conf.sample) under the "AP scanning/selection" section, the value of 0 is described as:
Quote:
# AP scanning/selection
.
.
.
# 0: This mode must only be used when using wired Ethernet drivers
#    (including MACsec).

I don't know how this would be configured in OPNsense, however, this site has a configuration for a wired device - https://skybert.net/linux/wired-network-with-8021x-authentication/
#6
26.1, 26,4 Series / Re: picky DHCP on WAN
June 19, 2026, 06:54:51 AM
Quote from: TheSHAD0W on June 19, 2026, 03:16:42 AM
I was looking at packets through tcpdump and did not see any request packets at all at the 1800 second mark, none until it was nearly expired.

That is odd as it is the DHCP client which performs the renewal and the lease time you received from the DHCP server was 3600 seconds.

With the other OSes you tested, did they drop or fail to renew their connections after a period of time too?

If your DHCP client isn't attempting to renew at around the 50% mark, OPNsense is somehow using a different lease renew time, and based upon 85% of 3600, this would be a setting of around 3060 seconds, or 51 minutes.

What happens if you adjust your DHCP settings so the subsequent DHCP Discover request goes at 6 seconds after the first?

Can you verify you are not blocking connections to the IP address listed in the Server-ID field, i.e. 199.27.156.55?
I don't see any Server-IP fields in the captures you've shown.


Yesterday I cleared the DHCP lease file and re-applied settings to the WAN interface.

With the settings I use, the second DHCP Discover goes out 6 seconds later and promptly receives the request.

I also kicked off tcpdump to watch the DHCP lease renewals, and they are happening at the 50% mark, i.e., 1800 seconds.

My captures reveal two DHCP servers, most probably Relays, responding to the initial DHCP Discover request. After that it is renewing with the DHCP server defined in the Server-ID field.

This is my capture command - via SSH: tcpdump -pvni re0 'proto udp and port (67 or 68)'

For those who may be wondering, I've been using the Realtek NIC in a Draytek VigorNIC 132 modem with OPNsense and without issues ever since January 2021. Initially for many, many months without the Realtek kernel module. It was after reading many messages advising installing the non-FreeBSD driver that I installed it.

DHCP Server 1 = a.a.a.a
DHCP Server 2 = b.b.b.b
Server-IP 1 = c.c.c.c
Server-IP 2 = d.d.d.d
Server-ID = e.e.e.e
My IP address = f.f.f.f
Default Gateway = g.g.g.g


tcpdump: listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:52:16.481293 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:16.481345 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:22.496067 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, secs 6, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:22.496162 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, secs 6, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:27.818108 IP (tos 0x0, ttl 255, id 39865, offset 0, flags [none], proto UDP (17), length 328)
    a.a.a.a.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, secs 6, Flags [none]
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
12:52:27.818907 IP (tos 0x0, ttl 255, id 39867, offset 0, flags [none], proto UDP (17), length 328)
    b.b.b.b.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, secs 6, Flags [none]
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
12:52:28.076789 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, secs 6, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: f.f.f.f
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:28.076883 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, secs 6, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: f.f.f.f
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
12:52:28.109575 IP (tos 0x0, ttl 255, id 39876, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, secs 6, Flags [none]
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
12:52:28.147722 IP (tos 0x0, ttl 255, id 39877, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, secs 6, Flags [none]
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g


tcpdump: listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:22:28.148922 IP (tos 0x10, ttl 128, id 37964, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
19:22:28.149004 IP (tos 0x10, ttl 128, id 37964, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
19:22:28.171188 IP (tos 0x0, ttl 255, id 62899, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
19:22:28.219356 IP (tos 0x0, ttl 255, id 62900, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
19:52:28.201780 IP (tos 0x10, ttl 128, id 4220, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
19:52:28.201865 IP (tos 0x10, ttl 128, id 4220, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
19:52:28.223429 IP (tos 0x0, ttl 255, id 19271, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
19:52:28.272798 IP (tos 0x0, ttl 255, id 19273, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
20:22:28.266868 IP (tos 0x10, ttl 128, id 65065, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
20:22:28.266990 IP (tos 0x10, ttl 128, id 65065, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
20:22:28.289581 IP (tos 0x0, ttl 255, id 41167, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
20:22:28.337901 IP (tos 0x0, ttl 255, id 41169, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
20:52:28.363349 IP (tos 0x10, ttl 128, id 61856, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
20:52:28.363427 IP (tos 0x10, ttl 128, id 61856, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
20:52:28.385334 IP (tos 0x0, ttl 255, id 63034, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
20:52:28.433614 IP (tos 0x0, ttl 255, id 63035, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
21:22:28.526671 IP (tos 0x10, ttl 128, id 47860, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
21:22:28.526779 IP (tos 0x10, ttl 128, id 47860, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
21:22:28.549280 IP (tos 0x0, ttl 255, id 19392, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
21:22:28.597992 IP (tos 0x0, ttl 255, id 19394, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
21:52:28.603988 IP (tos 0x10, ttl 128, id 227, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
21:52:28.604092 IP (tos 0x10, ttl 128, id 227, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
21:52:28.625739 IP (tos 0x0, ttl 255, id 41260, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
21:52:28.674379 IP (tos 0x0, ttl 255, id 41261, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
22:22:28.750381 IP (tos 0x10, ttl 128, id 28758, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
22:22:28.750493 IP (tos 0x10, ttl 128, id 28758, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
22:22:28.987440 IP (tos 0x0, ttl 255, id 63083, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
22:22:29.034725 IP (tos 0x0, ttl 255, id 63085, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
22:52:28.020620 IP (tos 0x10, ttl 128, id 63357, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
22:52:28.020665 IP (tos 0x10, ttl 128, id 63357, offset 0, flags [none], proto UDP (17), length 328)
    f.f.f.f.68 > e.e.e.e.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
22:52:28.167766 IP (tos 0x0, ttl 255, id 19369, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP c.c.c.c
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
22:52:28.220303 IP (tos 0x0, ttl 255, id 19370, offset 0, flags [none], proto UDP (17), length 328)
    e.e.e.e.67 > f.f.f.f.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb9c33b02, Flags [none]
          Client-IP f.f.f.f
          Your-IP f.f.f.f
          Server-IP d.d.d.d
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: e.e.e.e
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.224.0
            Default-Gateway (3), length 4: g.g.g.g
#7
@allddd Thank you for this utility. It certainly makes viewing the logs easier.

One feature I would find helpful is the inclusion of the rule descriptions, ideally in the main view or at least in the details view, and also when the '-j' option is used.

#8
26.1, 26.4 Series / Re: picky DHCP on WAN
June 18, 2026, 04:20:55 AM
Quote from: TheSHAD0W on June 17, 2026, 05:16:07 PM
Thing is, as I said, other devices and OSes are able to do a much better job at connecting and keeping the lease up, and there's no reason for opnsense to be more fragile.

Looking at the requests, the notable differences are:

  • OPNsense TOS field is set to 0x10 whereas in the other it is 0x0
  • The initial time interval for OPNsense re-transmission is 13 seconds, whereas the other is 3 seconds

I have experienced similar issues a long time ago but I think they were ISP related and may have been when the connection to the primary server failed, hence it was directed to their back-up system.

I have a minimal DHCP client configuration on my firewall and rely on internal DNS servers.
This is my dhclient configuration file.
interface "re0" {
  # timing values
  # custom options
  request subnet-mask, routers;
  require subnet-mask, routers;
  send dhcp-lease-time 3600;
  # standard settings
  script "/usr/local/opnsense/scripts/interfaces/dhclient-script";
  supersede interface-mtu 0;
}

Looking at the DHCP request to my ISP on OPNsense 26.1.10, the first two requests go within the same second and the response is immediate.

Quote
tcpdump: listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:41.409243 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: aaa.bbb.ccc.ddd
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
09:03:41.409292 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: aaa.bbb.ccc.ddd
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
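To compare client behaviour from captures like the one above (and the one in the previous post) without reading them by hand, here is an added Python example; it is not part of the original post. It parses tcpdump's verbose BOOTP/DHCP output and reports, per transaction id (xid), the IP TOS byte on client-originated packets, the interval between successive Requests sharing an xid (the re-transmission timing discussed above) and the time from the first Request to the first ACK. The capture it parses is a constructed sample in the same format, using documentation addresses, with a second Request 13 seconds after the first to mimic the interval noted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on tcpdump -vvv output (not a real capture from the post).
SAMPLE_CAPTURE = """\
09:03:41.409243 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: 203.0.113.10
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
09:03:54.409301 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Vendor-rfc1048 Extensions
            DHCP-Message (53), length 1: Request
09:03:54.560000 IP (tos 0x0, ttl 255, id 19369, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.1.67 > 203.0.113.10.68: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xa7f96e94, Flags [none]
          Your-IP 203.0.113.10
          Vendor-rfc1048 Extensions
            DHCP-Message (53), length 1: ACK
            Lease-Time (51), length 4: 3600
"""

# Packet header line: timestamp plus the IP TOS byte and TTL.
PKT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP \(tos (0x[0-9a-fA-F]+), ttl (\d+),")
# BOOTP summary line: src.port > dst.port, Request/Reply, transaction id.
BOOTP_RE = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): BOOTP/DHCP, (Request|Reply).*?xid (0x[0-9a-fA-F]+)")
# DHCP option lines such as "DHCP-Message (53), length 1: ACK".
OPT_RE = re.compile(r"^\s+([\w-]+) \((\d+)\), length \d+:(.*)$")
# Fixed BOOTP fields such as "Your-IP 203.0.113.10".
FIELD_RE = re.compile(r"^\s+(Client-IP|Your-IP|Server-IP|Client-Ethernet-Address) (\S+)$")


def parse_capture(text):
    """Return one dict per packet: time (seconds since midnight), tos, ttl, src/dst, op, xid, options, fields."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            secs = ts.hour * 3600 + ts.minute * 60 + ts.second + ts.microsecond / 1e6
            cur = {"time": secs, "tos": int(m.group(2), 16), "ttl": int(m.group(3)),
                   "options": {}, "fields": {}}
            packets.append(cur)
            continue
        if cur is None:
            continue
        m = BOOTP_RE.match(line)
        if m:
            cur.update(src=m.group(1), sport=int(m.group(2)), dst=m.group(3),
                       dport=int(m.group(4)), op=m.group(5), xid=m.group(6))
            continue
        m = OPT_RE.match(line)
        if m:
            cur["options"][m.group(1)] = m.group(3).strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m.group(1)] = m.group(2)
    return packets


def dhcp_transactions(packets):
    """Group packets by xid into client Requests and server Replies, in capture order."""
    by_xid = defaultdict(lambda: {"requests": [], "replies": []})
    for p in packets:
        if "xid" in p:
            by_xid[p["xid"]]["requests" if p["op"] == "Request" else "replies"].append(p)
    return dict(by_xid)


def retransmission_intervals(packets):
    """Seconds between successive Requests that share an xid (0.0 means a duplicate within the same instant)."""
    return {xid: [round(b["time"] - a["time"], 3) for a, b in zip(t["requests"], t["requests"][1:])]
            for xid, t in dhcp_transactions(packets).items()}


def time_to_ack(packets):
    """Seconds from the first Request to the first ACK for each xid, or None when no ACK was captured."""
    out = {}
    for xid, t in dhcp_transactions(packets).items():
        acks = [r for r in t["replies"] if r["options"].get("DHCP-Message") == "ACK"]
        out[xid] = round(acks[0]["time"] - t["requests"][0]["time"], 3) if t["requests"] and acks else None
    return out


def client_tos_values(packets):
    """Distinct IP TOS bytes on client-originated DHCP packets (source port 68)."""
    return sorted({p["tos"] for p in packets if p.get("sport") == 68})


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("client TOS values:", [hex(t) for t in client_tos_values(pkts)])
    print("re-transmission intervals:", retransmission_intervals(pkts))
    print("time to ACK:", time_to_ack(pkts))
```

Feed it a real capture with `parse_capture(open("dhcp.txt").read())` where the file holds `tcpdump -vvv -n -i re0 port 67 or port 68` output; two Requests with the same xid only microseconds apart, as in the captures above, show up as a 0.0 interval, which distinguishes a duplicate frame from a genuine re-transmission.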
#9
I hit this problem too when I first set up my OPNsense firewall whilst configuring VoIP rules. The settings relate to the PCP of a VLAN interface - see Advanced in https://docs.opnsense.org/manual/firewall.html#id3

Quote from: xtom42x on June 17, 2026, 03:50:24 PM
the thing is I imported the firewall settings from an older "silbling" OPNsense where these settings worked (let traffic pass)

so the settings that worked before stopped working silently (was a hell to figure out the reason). Don't think that's how it should be (esp. if you use these options for what they are intended to do)

Perhaps the reason the rules worked on the "sibling" could be due to the interface being a VLAN, whereas on this one it isn't.
#10
Quote from: garroz on June 15, 2026, 04:52:56 PM
OPNsense configuration

Phase 2

ESP: AES128-SHA256
PFS Group: 5 (also tested with 14)
Local TS: 10.202.159.192/26
Remote TS: 10.200.0.0/14

Doing some further reading, I came across this example, though it is for a dialup client configuration - https://github.com/B4b4u/Guide-FortiGate-IPsec-VPN-Configuration-for-Linux-Clients#2-linux-configuration-debian-with-strongswan

Perhaps you could try in OPNsense with only one Phase 2 configuration, being:

ESP: AES128-SHA256
PFS Group: 14
Local TS: 0.0.0.0/0
Remote TS: 0.0.0.0/0
#11
When configuring the FortiGate with IPSEC in Policy Based mode, you require separate P2s for each subnet, which works fine when FortiGates are at each end.

FortiNet introduced IPSEC interface mode quite a long time ago. The advantage is that you only have one P2 configuration and you control network access via FortiGate's standard interface policies.

My advice is to convert the FortiGate Policy based IPSEC configurations to Interface based configurations and set up appropriate Interface policies. The changes should be made using the CLI, either via SSH or the CLI in their Web GUI.

As you appear to be using NAT-T for IPSEC, your last resort would be to download and install FortiClient VPN Only edition (free version) on a supported platform and configure IPSEC there.

[Update] When using interface based IPSEC on the FortiGate, you will also need to include static routes to the remote networks. From memory, you can create a firewall address group for each subnet and include these individual members in another firewall address group.

Reading some docs online, FortiNet also advises creating a blackhole route to the remote subnets. This is to prevent the network traffic leaking to the Internet in the event of the VPN tunnel being down.
#12
Quote from: Nullman on June 03, 2026, 08:22:11 PM
You are probably dealing with either faulty memory, faulty motherboard, or faulty power supply.

For a hardware related issue this sums it up, though overheating should also be considered, as mentioned earlier regarding fans.

Run sudo sysctl -a | grep 'temperature' to obtain temperature sensor information.

Power supply faults can create strange and bewildering problems.

Memory exercising should be run for many hours with many passes.

Logging the serial console output to a file via your terminal program is a good idea.

Good luck.
#13
Another option would be to configure the modem with a static IP address before it is connected to the WAN port.

With the right configuration in OPNsense, you can access the modem even when the WAN interface cannot obtain an IP address via DHCP from your ISP.
#14
Start by enabling logging for your rule Prevent VPN traffic exiting WAN, just in case it's getting caught there.

- Do you have a rule to allow traffic out of your WAN interface?
- In Firewall -> Settings -> Advanced, verify logging of Default block is enabled.
- Do you have rules for the new interface?
- Check that the incoming rule on the new interface is allowing connections from subnet 192.168.2.0/24 to the Internet.
- As you are using IPv4, check your Source NAT rule is correctly configured.
#15
Quote from: Q-Feeds on June 02, 2026, 07:24:57 PM
can someone with these problems share the output of this command?

/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs

Since updating to OPNsense 26.1.9, the Events tab now shows events.

I've included a sanitised partial extract from the command.