Topics - Asperamanca

#1
Hi there,

I'm trying to find a way to diagnose a strange issue: I cannot resolve a specific domain name from my LAN, all other domain names I tested work.
Unfortunately, this is the domain of my mail provider...

manitu.de doesn't work, neither in the browser, nor via ping in the (Windows) command prompt.
All other domains I tried work.
Doesn't work on the phone, either, as long as I'm connected to my Wifi.
If I switch to mobile data only (outside my LAN), I can resolve it.
When I query a domain up/down checker service, the domain is reachable from elsewhere
When I ping the IP address, that works (so it's really a DNS issue).
When I try to ping the domain name from my OPNsense web GUI, it can be resolved. So the firewall itself somehow resolves it correctly, but the devices from within my LAN cannot.

I have a pretty simple setup, with a local network behind the firewall, and the WAN side. I use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. My last OPNsense upgrade was a few days ago. The domain worked until recently.

As an emergency measure, I have added the most important domains to my local 'hosts' file, so I can at least write e-mails.

How do I diagnose such an issue?
My first try is updating to the latest version (mine is less than a week old), but what then?
Please note that I'm an IT professional, but not in the network administration field.

#2
I have been a happy user of OPNsense for years (on a small commercial box from Deciso).
Today, when I tried updating, I got the error "The release type 'opnsense' is not available on this repository."
As recommended, I ran a health audit, which revealed some missing dependencies and package version mismatches (full log below).
The troubleshooting section on opnsense.org briefly mentions that "When mismatches are reported, you can reinstall affected packages in the Packages section of the firmware screen.", but there is no further elaboration. It's unclear to me how and why "reinstalling" the package would resolve a version mismatch, and also the missing dependency is not in the list of packages, so I don't know how to "reinstall" that.
I did not find a troubleshooting section going into further detail.

How should I proceed?

Health audit output:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.5 (amd64) at Sun Oct 26 19:09:18 CET 2025
>>> Root file system: /dev/ufs/OPNsense
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.5 has 67 dependencies to check.
Checking packages: .....................
openssh-portable-10.0.p1_2,1 version mismatch, expected 10.2.p1,1
Checking packages: ..
opnsense-25.7.5 version mismatch, expected 25.7.6
Checking packages: ...
opnsense-update-25.7.5 version mismatch, expected 25.7.5_1
Checking packages: ..............................
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: ........
suricata-7.0.12 version mismatch, expected 8.0.1
Checking packages: .
syslog-ng-4.8.2_4 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***
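The audit output above is machine-readable enough to be parsed rather than eyeballed. The following is an added example written for this page, not OPNsense code: it turns the posted log into a structured report (version mismatches with installed and expected versions, missing dependencies, missing shared libraries) and flags packages that have broken dependencies but are not part of the core consistency list. The sample lines are copied from the post; the report layout and the orphan heuristic are assumptions of this example.

```python
"""Parse OPNsense health-audit output into a structured report.

Added example for this page, not OPNsense code.  The sample lines are
copied from the post; the report layout and the orphan heuristic are
assumptions of this example.
"""
import re
from dataclasses import dataclass, field

MISMATCH_RE = re.compile(r"^(?P<pkg>\S+) version mismatch, expected (?P<expected>\S+)$")
MISSING_DEP_RE = re.compile(r"^(?P<pkg>\S+) has a missing dependency: (?P<dep>\S+)$")
MISSING_LIB_RE = re.compile(r"^(?P<pkg>\S+) is missing a required shared library: (?P<lib>\S+)$")


def split_pkg(spec: str) -> tuple[str, str]:
    """'openssh-portable-10.0.p1_2,1' -> ('openssh-portable', '10.0.p1_2,1').
    FreeBSD package specs are NAME-VERSION and the version part never contains '-'."""
    name, _, version = spec.rpartition("-")
    return name, version


@dataclass
class AuditReport:
    running: str = ""
    mismatches: dict = field(default_factory=dict)    # name -> (installed, expected)
    missing_deps: dict = field(default_factory=dict)  # pkg -> [dep, ...]
    missing_libs: dict = field(default_factory=dict)  # pkg -> [lib, ...]

    def core_behind(self) -> bool:
        """True when the 'opnsense' core package itself is older than expected,
        i.e. the box has an unfinished upgrade rather than one damaged package."""
        installed, expected = self.mismatches.get("opnsense", ("", ""))
        return bool(expected) and installed != expected


def parse_audit(text: str) -> AuditReport:
    rep = AuditReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Checking "):          # progress dots, no findings
            continue
        if line.startswith("Currently running "):
            rep.running = line.split()[3]         # "Currently running OPNsense 25.7.5 ..."
            continue
        if m := MISMATCH_RE.match(line):
            name, installed = split_pkg(m["pkg"])
            rep.mismatches[name] = (installed, m["expected"])
        elif m := MISSING_DEP_RE.match(line):
            rep.missing_deps.setdefault(m["pkg"], []).append(m["dep"])
        elif m := MISSING_LIB_RE.match(line):
            rep.missing_libs.setdefault(m["pkg"], []).append(m["lib"])
    return rep


def orphan_candidates(rep: AuditReport) -> list[str]:
    """Packages with broken dependencies that are not in the core consistency
    list; in the posted log that is a py37 leftover whose python37 runtime is
    gone.  Heuristic of this example, not an OPNsense rule."""
    broken = set(rep.missing_deps) | set(rep.missing_libs)
    return sorted(p for p in broken if p not in rep.mismatches)


# Lines copied from the post above (constructed input for offline use)
SAMPLE_AUDIT = """\
Currently running OPNsense 25.7.5 (amd64) at Sun Oct 26 19:09:18 CET 2025
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Check for core packages consistency
Core package "opnsense" at 25.7.5 has 67 dependencies to check.
Checking packages: .....................
openssh-portable-10.0.p1_2,1 version mismatch, expected 10.2.p1,1
Checking packages: ..
opnsense-25.7.5 version mismatch, expected 25.7.6
opnsense-update-25.7.5 version mismatch, expected 25.7.5_1
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
suricata-7.0.12 version mismatch, expected 8.0.1
syslog-ng-4.8.2_4 version mismatch, expected 4.10.2
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***
"""

if __name__ == "__main__":
    report = parse_audit(SAMPLE_AUDIT)
    for name, (have, want) in report.mismatches.items():
        print(f"{name}: installed {have}, expected {want}")
    print("core behind:", report.core_behind(), "orphans:", orphan_candidates(report))
```

Running it on the posted log shows the point that matters for deciding what to do: the `opnsense` core package itself is behind its expected version, so the mismatches are consistent with an update that did not complete rather than with individually corrupted packages, while `py37-markupsafe` is the only entry that belongs to neither list.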
#3
I have used an OPNsense-based firewall (ready-to-use box from Deciso) for 3 years now, and regularly updated the OPNsense version.
Today, I simply cannot reach the firewall anymore (which I also use as DHCP server), my PCs don't get valid IP addresses. Even if I manually force them into the correct subnet, I cannot reach the firewall.
I checked the troubleshooting section, but all articles there seem to assume you can reach the web UI.

What can I do?

Edit: It's a DEC 600 and I already tried a hard reboot.
#4
Hi all,
I use DHCPv4 service to assign local IP addresses.
Today, I connected a new device. It was assigned a valid IP address from the pool of dynamic addresses (i.e. those not used for static IP mappings).

The connection on the switch shows "active"
I can ping it within the network.

But it does not appear in my list of DHCP leases in the web UI.

This is important as I'd like to learn its MAC address, and assign it a permanent IP.

Where do I need to look for dynamically assigned IP addresses? I've been looking under "DHCPv4 --> Leases"
#5
So the default lease time is one day, even for statically mapped IP addresses. I understand now why my Wifi AP complains once a day that it was disconnected :)

The ugly solution is to enter a ridiculously high value (2^31 comes to mind, since I don't know whether the value is stored signed or unsigned). As an engineer, this solution is not very satisfying. Is there a default "disable maximum lease time" option?
#6
How do I enable multicast DNS within my local network?
I have not found anything about mDNS in the Unbound DNS documentation. There is documentation about a multicast DNS proxy, but all my devices are in the same VLAN, so that should not be necessary.
I already use unbound DNS with DHCP leases registered.

My symptoms are that Android and Kodi devices have issues discovering other devices in my local network, where a port scanner app can clearly show the device to be accessible. A vendor pointed me to mDNS as requirement for discovery of their sound equipment.
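Two of the questions on this page (the manitu.de name that resolves everywhere except from the LAN, and the mDNS discovery problem) come down to the same thing: looking at the actual DNS packets instead of at "ping fails". The block below is an added example written for this page, not OPNsense or Unbound code. It builds a DNS query by hand, decodes the reply including compression pointers, and reports the RCODE and the AD (authenticated data) bit, so a name can be queried once at the LAN resolver and once at an outside resolver and the two answers compared: a SERVFAIL from Unbound while the outside resolver returns NOERROR points at validation or upstream trouble on the resolver, a NXDOMAIN at the name itself. The same helpers send a service-discovery query to the mDNS group 224.0.0.251:5353; traffic between two hosts in one VLAN is switched, not routed through the firewall, so if that browse gets no replies the blocker is the access point or the clients, not a firewall rule. Resolver and interface addresses are placeholders, and the two sample packets are constructed for offline checking.

```python
"""Hand-built DNS queries: RCODE classification against a resolver, and an
mDNS service-discovery probe.  Added example, not OPNsense or Unbound code.
Addresses in docstrings are placeholders; SAMPLE_SERVFAIL and SAMPLE_NOERROR
are constructed packets, not captures."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "PTR": 12, "AAAA": 28}
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: str = "A", txid: int = 0x1234, rd: bool = True) -> bytes:
    """12-byte header plus one question; mDNS uses txid 0 and RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer: 14-bit offset into msg
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode())
        off += ln


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        elif rtype == 12:
            answers.append((name, "PTR", decode_name(msg, off - rdlen)[0], ttl))
        else:
            answers.append((name, str(rtype), rdata.hex(), ttl))
    return {"txid": txid,
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "authenticated": bool(flags & 0x0020),   # AD bit from a validating resolver
            "answers": answers}


def query(server: str, name: str, qtype: str = "A", timeout: float = 2.0) -> dict:
    """Unicast query, e.g. query("192.168.1.1", "manitu.de") at the LAN Unbound,
    then the same name at an outside resolver; compare the two rcodes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recv(4096))


def mdns_browse(iface_ip: str, timeout: float = 2.0) -> list:
    """Ask the link which services exist (_services._dns-sd._udp.local PTR);
    collect every reply until the timeout.  iface_ip selects the LAN interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
        s.settimeout(timeout)
        s.sendto(build_query("_services._dns-sd._udp.local", "PTR", txid=0, rd=False),
                 (MDNS_GROUP, MDNS_PORT))
        found = []
        try:
            while True:
                found.append(parse_response(s.recv(9000)))
        except socket.timeout:
            return found


# Constructed packets (not captures): a SERVFAIL with no answers, and a
# validated NOERROR carrying one A record pointing at a documentation address.
_QUESTION = encode_name("manitu.de") + struct.pack("!HH", 1, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                  + socket.inet_aton("203.0.113.10"))
```

Usage: `query("192.168.1.1", "manitu.de")` from a LAN host and `query("<outside resolver>", "manitu.de")` from the same host give the two rcodes to compare; `mdns_browse("192.168.1.20")` from a LAN host lists whatever answers the multicast group within two seconds.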
#7
I was testing a network connection issue, and wanted to temporarily remove a device from static IP mapping (DHCPv4).
1) The device was connected and had the static IP address
2) I removed the static mapping on firewall
3) I did "ipconfig /release" and "ipconfig /renew" on device
4) Firewall DHCP leases shows new IP address in list, but device shows old IP address
5) Rebooted device - still has old IP address
6) Restart all services on Firewall using console - finally, the device gets the new IP address

Is this a known issue with the DHCPv4 service?

EDIT: It works the other way round. If I assign a static IP address and do "ipconfig /release" and "ipconfig /renew", I immediately get the statically assigned address.
#8
General Discussion / How to analyze curious ping issue?
February 11, 2021, 10:03:46 PM
I have a wireless (Phone) and a wired device (PC) in the same VLAN.
Since they get correct IP addresses in the same subnet, I conclude that
a) they can both reach the Firewall
b) they are connected via the same interface (and thus to the same VLAN)

From the firewall I can ping both devices.

However, the PC cannot ping the phone ("destination host cannot be reached")
If I connect the PC via wireless as well, I can ping the phone.

How can I analyze this issue?
#9
I set up a configuration with a guest LAN/WIFI using a separate interface with a VLAN id. My switch has dedicated guest ports (untagged with pvid=guest vlan id), and I have a Wifi AP which has a separate SSID for the guest vlan.

In the firewall, I defined an alias for "all local IP addresses", and made a firewall rule:

  • Pass from "Guest net" to "! Local IPs"
From my understanding, that would allow guests to access any IP address outside my home network. They still can see each other because the switch doesn't block traffic (it never gets to the firewall for rule checking), but I can live with that.

What is curious: On the wired guest network, I had internet connection. On the guest Wifi I did not. Then I added a rule

  • Pass from "guest net" to "this firewall"

Suddenly, my guest wifi has internet access.

Can you make any sense of it?
Can I at least partially restrict the rule (e.g. only opening certain ports)?
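An alias of "all local IP addresses" also contains the firewall's own address on the guest interface, so a single "pass guest net to !Local IPs" rule never lets a guest reach the firewall for DNS; clients that cannot resolve names report "no internet" even though routed traffic would pass. The block below is an added example written for this page, not OPNsense's rule generator: it models first-match evaluation on one interface (OPNsense rules are "quick" by default, and no match falls through to the default block) and runs four representative packets through the rule set from the post, the broad "pass guest net to this firewall" fix, and a narrowed variant that only opens DNS. Addresses, the alias contents and the port numbers are assumptions; DHCP is left out of the model because OPNsense adds its own automatically generated rules for the DHCP service on interfaces where it is enabled.

```python
"""First-match model of interface rules for the guest-net question.
Added example for this page, not OPNsense code; addresses, alias contents
and ports are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_IPS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]  # alias "Local IPs"
GUEST_NET = ip_network("192.168.2.0/24")
THIS_FIREWALL = {ip_address("192.168.2.1"), ip_address("192.168.1.1")}  # interface addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" | "udp" | "icmp"
    dport: int = 0


@dataclass
class Rule:
    action: str                      # "pass" | "block"
    src_net: object                  # ip_network
    dst_match: object                # callable(ip_address) -> bool
    protos: tuple = ("tcp", "udp", "icmp")
    dports: tuple = ()               # empty = any port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src_net
                and self.dst_match(ip_address(p.dst))
                and p.proto in self.protos
                and (not self.dports or p.dport in self.dports))


def not_in_alias(alias):
    return lambda ip: not any(ip in net for net in alias)


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; no match means the implicit default block."""
    for r in rules:
        if r.matches(p):
            return f"{r.action}:{r.note}"
    return "block:default"


# Rule set 1: exactly what the post describes
ORIGINAL = [Rule("pass", GUEST_NET, not_in_alias(LOCAL_IPS), note="guest->!LocalIPs")]

# Rule set 2: the broad fix from the post, any port on the firewall itself
BROAD = [Rule("pass", GUEST_NET, lambda ip: ip in THIS_FIREWALL,
              note="guest->this firewall")] + ORIGINAL

# Rule set 3: narrowed to the one service guests need from the firewall
NARROW = [Rule("pass", GUEST_NET, lambda ip: ip in THIS_FIREWALL, ("udp", "tcp"), (53,),
               note="guest->fw dns")] + ORIGINAL

# Constructed test packets from a guest client
DNS_TO_FW = Packet("192.168.2.50", "192.168.2.1", "udp", 53)
WEBUI_TO_FW = Packet("192.168.2.50", "192.168.2.1", "tcp", 443)
INTERNET = Packet("192.168.2.50", "203.0.113.10", "tcp", 443)
LAN_SMB = Packet("192.168.2.50", "192.168.1.10", "tcp", 445)


def verdicts(rules) -> dict:
    probes = [("dns_to_fw", DNS_TO_FW), ("webui_to_fw", WEBUI_TO_FW),
              ("internet", INTERNET), ("lan_smb", LAN_SMB)]
    return {name: evaluate(rules, p) for name, p in probes}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("broad", BROAD), ("narrow", NARROW)):
        print(label, verdicts(rules))
```

The narrowed set is the answer to the "only certain ports" question in this model: DNS to the firewall passes, the web UI on the firewall stays blocked, and the LAN file server stays blocked under all three rule sets because the "!Local IPs" rule never matches it.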
#10
If I connect the default LAN interface to a VLAN-capable switch, will the LAN interface tag packets with (default) VLAN id 1, or send untagged packets?
In reverse, will LAN interface drop packets tagged with VLAN id 1 or accept them?
#11
I have a very simple VLAN setup

  • VLAN 1 (internal)
  • VLAN 2 (guest)

Firewall---1+2---Smart Switch---1+2---Wifi AP
                 |  |  |  |
                 1  1  1  1
                 |  |  |  |
                 PC


On the OPNsense firewall

  • I created the VLANs 1 and 2
  • I checked that the Firewall port connecting to the smart switch was assigned to LAN interface, but not to one of the VLANs (I assume that means it is trunk).
On the smart switch,

  • I set all ports intended for PCs etc. to "Member of VLAN 1 only" and "Untagged", with PVID set to 1
  • I set the ports for Firewall and (VLAN-capable WIFI AP) to "Member of VLANs 1 and 2" and "Tagged" with PVID set to 2 (force "guest" in case a non-VLAN device is connected by mistake)

As soon as I completed this setup, I could neither reach the smart switch web interface, nor the firewall (via smart switch).
I can still connect to the firewall if I connect it directly to the PC.
For the smart switch, I probably have to do a factory reset.

Can you tell me what I did wrong?
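The switch configuration in the post can be replayed through a minimal 802.1Q forwarding model to see where each frame ends up. This is an added example written for this page, not code from the OPNsense project or from any switch vendor. It classifies untagged ingress frames by the port's PVID and tagged frames by their VID, and floods a frame only to ports that are members of that VLAN, tagged or untagged according to the port's egress setting. The firewall is assumed to send untagged frames on its LAN interface, which matches the post (the port is assigned to LAN, not to a VLAN child); with PVID 2 on the switch side, those frames are classified into the guest VLAN and never reach the PC ports, while PC traffic comes back to the firewall tagged with VID 1, which an untagged LAN interface does not consume. The corrected configuration carries VLAN 1 untagged (PVID 1) and VLAN 2 tagged on the firewall and AP ports, which is what an OPNsense parent interface (LAN) plus one VLAN 2 child (guest) expects. Port names and numbers are assumptions of the model.

```python
"""Minimal 802.1Q switch model: PVID classification, membership and
tagged/untagged egress.  Added example for this page, not OPNsense or
vendor code; port names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def classify(self, vid):
        """VLAN an ingress frame belongs to, or None if the switch drops it."""
        if vid is None:                        # untagged frame -> PVID
            return self.pvid
        return vid if vid in self.tagged | self.untagged else None

    def egress(self, vlan):
        """'tagged' / 'untagged' / None for a frame of this VLAN leaving here."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


def forward(ports, ingress, vid):
    """Flood a broadcast/unknown-destination frame arriving on `ingress` with
    802.1Q tag `vid` (None = untagged).  Returns (vlan, {port: how_it_leaves})."""
    src = next(p for p in ports if p.name == ingress)
    vlan = src.classify(vid)
    if vlan is None:
        return None, {}
    out = {p.name: p.egress(vlan) for p in ports if p.name != ingress and p.egress(vlan)}
    return vlan, out


# Configuration as described in the post
AS_POSTED = [
    Port("firewall", pvid=2, tagged={1, 2}),
    Port("ap", pvid=2, tagged={1, 2}),
    Port("pc1", pvid=1, untagged={1}),
    Port("pc2", pvid=1, untagged={1}),
]

# Corrected: VLAN 1 untagged with PVID 1, VLAN 2 tagged, on the trunk ports
FIXED = [
    Port("firewall", pvid=1, tagged={2}, untagged={1}),
    Port("ap", pvid=1, tagged={2}, untagged={1}),
    Port("pc1", pvid=1, untagged={1}),
    Port("pc2", pvid=1, untagged={1}),
]

if __name__ == "__main__":
    print("posted, firewall untagged ->", forward(AS_POSTED, "firewall", None))
    print("posted, pc1 untagged      ->", forward(AS_POSTED, "pc1", None))
    print("fixed,  firewall untagged ->", forward(FIXED, "firewall", None))
    print("fixed,  firewall VID 2    ->", forward(FIXED, "firewall", 2))
```

With the posted configuration the firewall's untagged frames come out only on the AP port, tagged as VLAN 2; with the corrected one they reach every PC port untagged, and guest frames (VID 2) still go only to the AP, tagged. A tagged frame arriving on a PC access port is dropped in both configurations, which is the behaviour the "force guest" PVID was meant to provide on the trunk ports.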
#12
This question is obsolete and no longer needs to be answered.
#13
I would like to rebuild my network around an OPNsense-based firewall, and I have one configuration question. The topic has been discussed in several threads, but the answers there were mostly focused on specific configuration issues. My question is more about understanding the basic concepts.

What I need:
-) OPNsense Firewall connected to existing internet router
-) A switch connected to the firewall for cable LAN
-) An internal Wifi and a guest Wifi.
Internal Wifi has full network access, but is protected both by password and MAC address whitelisting.
Guest Wifi has internet access, and nothing else.

From what I understand so far, I can achieve this using only a single Wifi access point, provided this AP supports VLANs. Is this correct?

If so, will it work with any vendor's VLAN implementation, or are there differences to watch out for?

Do you have such a configuration running, and if so, which access point vendor do you use?