
Topics - 9axqe

#1
25.7, 25.10 Series / ISC➞Kea migration lesson learned
September 11, 2025, 03:34:33 PM
Just posting this here in case it's helpful for anyone. I just spent 2 frustrating hours because of this.

I had "enable static ARP entries" enabled in the ISC settings, dynamic ARP entries were working fine, all good.

Then I disabled ISC.

First gotcha: you can't do this per interface, you have to disable ISC on all interfaces.

Second gotcha: After migrating to Kea, dynamic ARP entries became impossible, only static was possible, which basically breaks all IPv4 connectivity.

It is visible using "ifconfig <interface>": it returns "STATICARP" in the list of flags. For example:

flags=1088843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP,LOWER_UP> metric 0 mtu 1500
It took me a while to figure this out, I suspected some firewall alias not being updated for a while. Disabling the setting in the GUI under ISC IPv4 was also not sufficient, I had to enter "ifconfig <intf> -staticarp" to get rid of it. Connectivity was instantly reestablished.

Just putting this out there, for anyone researching how to migrate to ISC.

I still do not fully understand how this "enable static ARP entries" setting works and why it has a different effect if ISC is disabled.
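As an added example (not part of the original post), the check described above turned into a small POSIX shell script for FreeBSD/OPNsense: it parses the `flags=<...>` list that `ifconfig` prints, reports every interface that still carries STATICARP, and clears it with the same `ifconfig <intf> -staticarp` command the post used. The sample flag lines embedded below are constructed from the post's output; `ifconfig -l`, `ifconfig <iface>` and `-staticarp` are standard FreeBSD.

```shell
#!/bin/sh
# Added example: find and clear the STATICARP flag on FreeBSD/OPNsense
# interfaces. Not from the original post or the OPNsense project.

# staticarp_set IFCONFIG_OUTPUT
# Returns 0 when the flags=<...> list of the given ifconfig output contains
# STATICARP, 1 otherwise. Only the flag list is inspected, so any other
# output lines (inet, ether, media ...) are ignored.
staticarp_set() {
    printf '%s\n' "$1" \
        | sed -n 's/.*flags=[0-9a-fA-Fx]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -qx 'STATICARP'
}

# list_staticarp_ifaces
# Prints the name of every interface on this box that currently has
# STATICARP set (live query, so it needs a FreeBSD/OPNsense host).
list_staticarp_ifaces() {
    for ifn in $(ifconfig -l); do
        if staticarp_set "$(ifconfig "$ifn")"; then
            printf '%s\n' "$ifn"
        fi
    done
}

# clear_staticarp IFACE
# Runtime fix only, exactly as in the post: ifconfig <intf> -staticarp.
# A later interface reload may re-apply the flag if the setting that
# caused it is still active in the configuration.
clear_staticarp() {
    ifconfig "$1" -staticarp
}

# Constructed samples modelled on the post's output (not captured from a real box)
SAMPLE_STATIC='vlan0.1001: flags=1088843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP,LOWER_UP> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'
SAMPLE_NORMAL='igb3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	inet 192.168.150.1 netmask 0xffffff00 broadcast 192.168.150.255'

# Usage on a live box:  sh staticarp-check.sh --check        (list only)
#                       sh staticarp-check.sh --clear        (list and clear)
case "${1:-}" in
    --check) list_staticarp_ifaces ;;
    --clear) for i in $(list_staticarp_ifaces); do
                 printf 'clearing STATICARP on %s\n' "$i"
                 clear_staticarp "$i"
             done ;;
esac
```

With STATICARP set an interface answers only for addresses that have a static ARP entry and never learns neighbours dynamically, which is why IPv4 connectivity died for every dynamic DHCP client; running the script with `--check` after any ISC/Kea switch is a cheap way to confirm the flag is gone.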
#2
I have noticed a significant CPU consumption rise in 25.7.

I already had such an increase back with 24.7.11 (it never went back down), it's worrying me a bit in the long term, the DEC695 is now reaching 50% CPU usage on a regular basis with less than a Mbps of traffic going over it.

Just putting this out there to hear if anyone has seen a similar increase.
#3
When the server reboots, time is kept, but on a power outage (5min), it loses time.

This is problematic for me because I have DNS over HTTPS setup, and when the router boots up thinking it's 2022 instead of 2025, all TLS handshakes fail, hence no DNS. And because NTP tries to reach "de.pool.org", it needs DNS. Catch 22.

I have added a couple of IPs to my NTP servers to prevent this from happening again, but I feel the router shouldn't lose the time within 5min, some battery is empty or defective.

Is this issue expected and if not, is there a guide on how to replace the defective battery?
#4
ISC had a button that allowed this conversion, this does not seem to exist in Kea, at least not for DHCPv6.

Attempting to create a static reservation fails, because the DUID already exists (as a dynamic lease).
#5
I have a strange problem I could reproduce on TWO devices (both kindles):

Kindle is not receiving replies to its DNS lookups and hence believes it does not have internet.

tcpdump on opnsense shows DNS lookups coming in, I can see them processed by AdGuard, not blocked (NOERROR, correct A records being sent back), but:

there are absolutely no DNS replies in the tcpdump. DHCP replies are properly sent out though. I tried filtering by MAC and IP in tcpdump, same result.

And now the weird bit: in ISC DHCPv4, if I create a static DHCP lease (with static ARP entry), suddenly everything works.

Any idea what the issue can be? The dynamic DHCP IP was 192.168.1.238 while the statically assigned one is 192.168.1.131, but I don't see how that could cause anything.

Originally, because the device moved between vlans (I had them on the guest vlan originally), I thought, maybe something is broken in ARP. But the fact DHCP answers were correctly sent to 192.168.1.238 while DNS answers were not is very puzzling to me, that seems to eliminate any ARP issue, it must be something else, which I really cannot figure out.
#6
25.1, 25.4 Legacy Series / Firewall troubleshooting
July 12, 2025, 05:03:49 PM
Hello, I have a kindle device which somehow says "your kindle connected to the wi-fi network but could not reach the internet".

It is so far the first device having an internet access issue on this subnet/interface, other devices are fine. I'm running AdGuardHome on port 53, I can see some requests from the kindle, but it appears some other DNS requests are blocked:

24,,,02f4bab031b57d1e30553ce08e0ec131,vlan0.1010,match,block,in,4,0x0,,64,23848,0,DF,17,udp,60,192.168.1.238,192.168.1.1,32793,53,40

where "192.168.1.238" is the DHCP assigned IPv4 of the Kindle.

The firewall rule causing this is a little nebulous for me:

root@opn:~ # pfctl -vvsr | grep -n "^@24"
105:@24 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"

How can I determine what this label is and where this rule is coming from? The same rule (same label) also exists for IPv6, but this label doesn't show up in any other rule.

I currently don't understand how a firewall rule could block some DNS lookups but not others...
#7
I have successfully migrated from ISC DHCPv6 to Kea DHCPv6, now I would like to migrate to Kea DHCPv4.

My first test is, enabling Kea DHCPv4 for a single "test" interface and check it works as expected. But currently it's failing.

The same interface works without issue with ISC DHCPv4. I am simply disabling ISC v4 for this interface, then enabling it for Kea. Same interface IP, same DHCP IP pool.

But DHCP stops working then, DHCP requests are simply not answered (I launched wireshark on the computer to check this).

The laptop is directly wired to the igb3 interface on the DEC695. Is it not supported to have Kea DHCPv4 on one interface but ISC DHCPv4 on another?

If anyone has a pointer on what I should be checking, I would be grateful.

#8
[edited] Router advertisements were not enabled, DHCPv6 cannot work like that.


Only question left: where can I see the delegated IPv6 prefix?

This output from "netstat -rn6" is not entirely clear to me: why is it Static (S), why is it blackholed (B)?

2a02:1234:1234:8400::/56            link#5                        USB            lo0
#9
I'm struggling a bit to figure out the format.

I have configured the following fields in the CSV: subnet,ipv6,hostname,description

But I keep getting these errors for every line:

!! Duplicate entry exists
!! A value is required.
!! Address not in specified subnet

There are zero DHCPv6 reservations in Kea at the moment, hence I can't see how anything could be duplicate.

Are the column headers maybe mandatory? If yes, if someone knows the exact syntax, I'd be grateful. I can't find the documentation for this CSV import format so far.
#10
It's been two nights in a row that certificate renewal fails for the same reason: "domain validation failed (dns01)"

I have "Automation Timeout" set to 20min (1200), yet the failure happens 40s after starting the certification renewal. cronjob is set for 00:00:00 and at 00:00:41 I get the failure.

I also see in the acme logs "timeout=" with nothing behind it, as if timeout was not set.

This used to work, I have not changed the config in a while, hence I suspect something broke in a more recent version of acme.sh or opnsense.

I'm running opnsense 25.1.3.

Wondering if anyone else has this issue and if they found a solution.
#11
General Discussion / Migrating subnet
March 09, 2025, 04:31:42 PM
    A long time ago, I set up my home network to use 192.168.1.1/24. It worked well for many years, but I now find myself spending a lot of time connected over VPN to my network and recently, I have to do it from networks using the same exact subnet, which is conflicting.

    Hence, I decided I needed to move to a less common subnet (for example, 192.168.46.1/24). The likelihood of me having to connect over VPN from a network using this new subnet should be quite low.

    I am trying to build a bullet list of tasks for the migration and would appreciate feedback.

    • connect to opnsense over IPv6
    • edit firewall rules to allow 192.168.46.0/24 the same as 192.168.1.0/24
    • change subnet mask of LAN intf from 192.168.1.1/24 to 192.168.1.1/16
    • Change ISC DHCPv4 IP range to 192.168.46.200-240
    • Move static DHCP assignments to 192.168.46.10-50 range (~ 30 static assignments)
    • edit corresponding local DNS entries

      ** IPv4 IMPACT START **
    • Powercycle individual devices to force them to acquire their new DHCP IPv4
    • change DNS Server in DHCP settings to 192.168.46.1
    • change IP of LAN intf to 192.168.46.1/16
    • Edit AdGuard Home yaml config
      * remove bind to 192.168.1.1 and add bind to 192.168.46.1 (check if AdGuard cannot simply bind to 0.0.0.0)
      * reload adguard home

      ** IPv4 IMPACT END **
    • change subnet of LAN intf to 192.168.46.1/24
    • edit wireguard config (allowed IPs)



    Any feedback or suggestion welcome.
#12

I just noticed this, switched to unbound for DNS for now and will troubleshoot it today.

The UniFi plugin is marked as "missing" somehow (was definitely up and running on 25.1.1, I was on the GUI just yesterday)

I cannot find "/var/log/AdGuard.log" somehow, which makes the AdGuard troubleshooting a bit challenging at the moment...

Any pointers welcome.
#13
25.1, 25.4 Legacy Series / Router Advertisements and ULA
February 21, 2025, 07:15:04 PM
Hello,

I would like to have my devices only get IPs via DHCPv6 on the network, no autoconfiguration. (I want to know which IPv6 belongs to what device, it's a small home network.)

At the same time, I do want to use ULA as a backup: I had a couple of times the issue that my ISP Internet was down and additionally opnsense power cycled, causing the DHCPv6 acquired prefix to be forgotten by the router. I am aware that the point could be made that IPv4 is already one backup, since it's RFC1918...

Question 1: is there a way for opnsense to keep using the last known DHCPv6 acquired prefix / IP, even after a reboot? (I assume not)

Question 2: if that is not possible, is it possible to assign ULAs over DHCPv6 while using the managed mode for router advertisement?

opnsense 25.1.1 on DEC695
#14
I see the warning "kod does nothing without limited" in my NTP logs.

It seems to have been caused by this change. It seems "kod" should simply be replaced by "kod limited" in the ntpd.conf, but I am not enough of an expert on ntp to understand if that wouldn't trigger the issue that the aforementioned change fixed again.

My "/var/etc/ntpd.conf":

root@opn:~ # cat /var/etc/ntpd.conf
#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12
# Max number of associations
tos maxclock 10


# Upstream Servers
pool 3.pool.ntp.org maxpoll 9
pool de.pool.ntp.org maxpoll 9


statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict source  kod nomodify notrap
restrict default  kod nomodify notrap nopeer
restrict -6 default  kod nomodify notrap nopeer
restrict 127.0.0.1  kod nomodify notrap nopeer
restrict ::1  kod nomodify notrap nopeer
interface ignore all
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
interface listen fe80::1%lo0
interface listen 192.168.10.1
interface listen <redacted-IPv6-GUA-subnet3>::1
interface listen fe80::f690:eaff:fe00:b349%vlan0.1010
interface listen 192.168.3.1
interface listen <redacted-IPv6-GUA-subnet2>::1
interface listen 192.168.1.1
interface listen <redacted-IPv6-GUA-subnet1>::1
interface listen fe80::f690:ebff:fe00:b349%vlan0.1001
interface listen 192.168.150.1
interface listen fe80::f690:ebff:fe00:b34a%igb3
interface listen <redacted-public-IPv4>
interface listen <redacted-public-IPv6>
interface listen fe80::f690:ebff:fe00:b347%igb0
interface listen fd00:2::1
interface listen fd00:1::1
interface listen fd00:150::1

Hence, question: is that really a bug, should I attempt to raise a PR for this?
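As an added example (not part of the original post), a small POSIX shell lint for an ntpd.conf that reports every `restrict` line carrying `kod` without `limited`, which is the combination ntpd itself warns about, and prints the rewrite the post proposes (`kod` to `kod limited`) so the two versions can be diffed before deciding. The embedded configuration is a constructed subset of the one quoted above; whether the rewrite reintroduces the problem the earlier change fixed is left as the open question it is in the post.

```shell
#!/bin/sh
# Added example: lint ntpd "restrict" lines for "kod" without "limited".
# Not from the original post or the OPNsense project.

# restrict_kod_without_limited < ntpd.conf
# Prints each restrict line that has the kod flag but not the limited
# flag (ntpd logs "kod does nothing without limited" for these).
restrict_kod_without_limited() {
    awk '
        $1 == "restrict" {
            has_kod = 0; has_limited = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "kod")     has_kod = 1
                if ($i == "limited") has_limited = 1
            }
            if (has_kod && !has_limited) print
        }'
}

# suggest_fix < ntpd.conf
# Same lines with "kod" rewritten to "kod limited", i.e. the change the
# post suggests; the rest of the file is untouched so the output can be
# compared with the original line by line.
suggest_fix() {
    restrict_kod_without_limited \
        | sed 's/\([[:space:]]\)kod\([[:space:]]\)/\1kod limited\2/'
}

# Constructed sample (subset of the autogenerated file in the post, with one
# already-correct line and one line without kod added for contrast)
SAMPLE_CONF='tinker panic 0
restrict source  kod nomodify notrap
restrict default  kod nomodify notrap nopeer
restrict -6 default  kod limited nomodify notrap nopeer
restrict 127.0.0.1  nomodify notrap nopeer
interface listen 127.0.0.1'

# Usage on a live box:  sh ntp-kod-lint.sh /var/etc/ntpd.conf
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    printf 'restrict lines with kod but no limited:\n'
    restrict_kod_without_limited < "$1"
    printf '\nproposed rewrite:\n'
    suggest_fix < "$1"
fi
```

Because the file is autogenerated, editing it by hand only lasts until the next reload; the lint is meant for checking what the generator emits, which is also the evidence to attach to a bug report or PR.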
#15
25.1, 25.4 Legacy Series / [acme] Deploy hook for openwrt
February 19, 2025, 06:22:52 AM
Hello team,

I have a couple of old routers I mainly use as managed switches. Some have very limited flash and I can't squeeze the acme package in.

I could use extroot, but it's a bit of a pain, as it has to be reinstalled/reconfigured at each upgrade. So far I haven't found a way to make this relatively painless, I always end up having to manually plug/unplug something on the openwrt box (USB drive, network cable...).

Hence, I thought, maybe I can outsource this to my opnsense box.

So far, I cannot find a deploy hook for openwrt but I want to ask on this forum if anyone has a pointer maybe.

#16
I have a DEC695, I started the upgrade from 24.7.11 to 24.7.12 from the GUI, but it left the router in limbo it seems.

After 45 minutes, the router still hadn't rebooted (uptime was 3 days) and many services were down (crowdsec, acme, intrusion detection...), as if it was still doing something. I could ping and ssh, but I could not "su - root" (the error was "sorry", that's it, it looked like the password was wrong, but I copy-pasted it so it definitely was correct). Also, rebooting from the GUI had no effect. Interestingly, the dashboard was reporting "OPNsense 24.7.12-amd64".

I powercycled the DEC695 and everything seems back to normal, I can su - root again.

Just weird, I thought I'd report it here.
#17


Today I had a power outage and upon restarting my internet connection was unusable due to this chain of events:

  • Symptom: Only ping from a client on the LAN to the Internet was working, that's about it, DNS was not for example. I could ping 1.1.1.1 from any client on the LAN, as an example.
  • The local time on the opnsense router was wrong (multiple years off somehow), NTP was not synchronised.
  • NTP could not synchronise because it could not resolve DNS
  • DNS could not be resolved because AdGuard could not resolve anything public (local DNS entries, "DNS rewrites", were working).
  • the upstream server for AdGuard was Unbound and unbound was unable to resolve anything it seems, there were no DNS lookups in the packet capture of the WAN interface somehow, the request didn't even leave opnsense. I wonder if that was because time was completely wrong on the router (it was suddenly back in May 2022 somehow...).

I did a DNS lookup from the WAN intf (Interfaces > Diagnostics) and that worked fine. But DNS lookup from any client or from any service (AdGuardHome, NTP) seemed to all fail.

I added a public DNS under system > settings > general and the issue went away, once NTP had resynchronised.

I am certain this issue did not exist in the past, anyone else has observed this?

The worst part was that a lot of services (including DHCP) were very unstable, probably due to the time being totally wrong.

Does the fact that it was a power outage and not a controlled reboot have any implications? I regularly restart for updates, but a real cold power cycle I had not done in many months, maybe a year, hence the question.

In hindsight, using the local DNS service might not have been the smartest idea in terms of resilient design, but I would still like to understand if anyone can make a theory as to what happened.
#18
24.7, 24.10 Legacy Series / CPU increase since 24.7.11
December 19, 2024, 08:42:26 AM
Since yesterday's upgrade to 24.7.11_2 (on a DEC695, from 24.7.10_1), my userspace CPU consumption increased significantly, see attachment.

I tried using htop, I see flowd_aggregate.py and update_tables.py consuming a lot of CPU, but it's very jumpy, it's hard to tell if that's these two. There isn't a process constantly consuming 10-20% CPU.

My initial question: how can I filter for userspace processes in htop? I tried adding "!KERNEL" as filter in htop, but it doesn't match any process, the list becomes empty.

Any other idea to narrow down the pool of suspects?
#19
DoT (TCP 853), DoC (UDP 853) all working fine, only DoH over IPv6 is not working.

Additionally, the admin interface of AGH is not reachable over IPv6.

I checked the ports AGH is listening on using "sockstat -l | grep AdG", and I see AGH is only listening on TCP/443 on my LAN interface's IPv4 address, not on IPv6 addresses.

I unfortunately cannot say when this stopped working, I'm fairly certain that the admin interface used to be reachable over IPv6 though.

If anyone has an idea, let me know. Or if someone could take the time to check and confirm they are not seeing the same issue as me, that would be super useful as well.
#20
24.7, 24.10 Legacy Series / IPv4 vs IPv6 ratio
December 06, 2024, 01:38:19 PM
Hello,

I would like to see the ratio of traffic (in bytes) between IPv4 and IPv6 on my WAN interface (in and out).

This is pure curiosity from my side, there's no real requirement or use case.

DNS stats do not help, I noticed that very often clients make request for both A and AAAA records. Additionally, a DNS lookup does not mean much in terms of how much traffic will flow to/from that IP.

This question came up a while back, I thought I'd ask again, in case there's something new:
https://forum.opnsense.org/index.php?topic=29369.0

Extracting the information over API is also acceptable for me, I would just need some pointers as to which API calls will give me the above mentioned stats.

[edit]
Forgot to mention, I had a look at vnstat already, it does not support this. There's a feature request for it but it seems unlikely to happen:
https://github.com/vergoh/vnstat/issues/215