Recent posts

#1
26.1, 26.4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 10:58:18 AM
OK, for some reason the <opt> entries under xml:/opnsense/interfaces were deleted. It seems it happened 4 weeks ago, but can it happen without user intervention? I don't see anything in the logs?

The plot thickens.
#2
General Discussion / losing internet connection aft...
Last post by Djazeiry - Today at 10:43:23 AM
Hello guys, I'm new to OPNsense and advanced networking. Where I am, I started by using OPNsense after installing it on a physical machine and made it my DHCP server. Everything works fine for a few days and then suddenly I lose the internet connection on the network. My network structure is explained in the attached image. My firewall configuration is the default; I didn't touch anything.

Network structure: (attachment not available)

#3
26.1, 26.4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 10:38:23 AM
Looking at the configuration, some interface definitions live under
```
<opnsense>
  <interfaces>
    <wan>
...
    </wan>
    <lan>
...
```
But I don't see the VLAN interfaces <vlanif> mapping to <optX>. Where should this happen?

#4
Hardware and Performance / Re: Adapts to Marvell AQC113C-...
Last post by Seimus - Today at 10:36:10 AM
We also have an official kmod on OPNsense.
It's in the repository and can be installed via the CLI. You don't need to compile the driver yourself.

https://forum.opnsense.org/index.php?topic=51767.0

Regards,
S.
#5
26.1, 26.4 Series / Unbound not able to retrieve I...
Last post by Taomyn - Today at 10:34:19 AM
I use Unbound as my DNS forwarder, but I've been noticing a lot of failed IPv6 DNS lookups over the past few weeks. I don't use IPv6 externally on my WAN; as far as I can tell it's enabled on many of my internal devices, but I tend to stick with IPv4. Unbound is set to forward requests to Quad9 at 9.9.9.10 using TLS.

When I try to test things against my Unbound I get this:

```
root@MOE:~# kdig @192.168.1.1 AAAA one.one.one.one
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 15362
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; one.one.one.one.            IN      AAAA

;; Received 44 B
;; Time 2026-05-14 10:17:04 CEST
;; From 192.168.1.1@53(UDP) in 14.6 ms
```


If I try directly against Quad9 I get:

```
root@MOE:~# kdig @9.9.9.10 +tls AAAA one.one.one.one
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56075
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; one.one.one.one.            IN      AAAA

;; ANSWER SECTION:
one.one.one.one.        43200  IN      AAAA    2606:4700:4700::1111
one.one.one.one.        43200  IN      AAAA    2606:4700:4700::1001

;; Received 100 B
;; Time 2026-05-14 10:17:09 CEST
;; From 9.9.9.10@853(TLS) in 27.1 ms
```


I don't see any errors in the Unbound log for such queries. This I did on OPNsense itself:

```
drill AAAA one.one.one.one @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63287
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; one.one.one.one.     IN      AAAA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 114 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May 14 09:56:57 2026
;; MSG SIZE  rcvd: 33
```

```
2026-05-14T09:56:57 Informational unbound[63620:1] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.113617 0 33
2026-05-14T09:56:57 Informational unbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57 Informational unbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57 Informational unbound[63620:1] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:56:57 Informational unbound[63620:1] query: 127.0.0.1 one.one.one.one. AAAA IN
2026-05-14T09:48:17 Informational unbound[25115:0] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.035965 0 33
2026-05-14T09:48:17 Informational unbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17 Informational unbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17 Informational unbound[25115:0] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:48:17 Informational unbound[25115:0] query: 127.0.0.1 one.one.one.one. AAAA IN
```


And my DNS-over-TLS forwarding config is:

```
Domain:
 Server IP: 9.9.9.10
 Server Port: 853
 Forward first: Disabled
 Verify CN: dns10.quad9.net
 Description: No Malware blocking, no DNSSEC validation
```

Any idea what else I can check, especially commands to test on OPNsense itself? I cannot work out a way to check TLS lookups on the command line, although I was able to see that traffic on port 853 was going out.

I just updated to 26.1.8_5 and it hasn't helped.
#6
Hi @Franco,

I may have found a microcode packaging/split-file issue on OPNsense.

System:

Protectli VP6630
Intel Core i3-1215U, Alder Lake R0
coreboot 0.9.0

Installed packages:

cpu-microcode-intel-20260227
os-cpu-microcode-intel-1.1

Current microcode after boot:

```
x86info -a | grep -i micro
Microcode version: 0x0000000000000432
```

Boot message:

```
dmesg | grep -i micro
[1] CPU microcode: no matching update found
```

The package only provides this split file for CPUID 06-9a-04:

```
/usr/local/share/cpucontrol/06-9a-04.40
```

But for Intel Core Gen12 / Alder Lake R0 I would expect platform 06-9a-04/80, not /40.

Full relevant output:

```
pkg info -x microcode
cpu-microcode-intel-20260227
os-cpu-microcode-intel-1.1

pkg info -l cpu-microcode-intel | grep -E 'intel-ucode|06-9a-04|microcode'
cpu-microcode-intel-20260227:
        /boot/firmware/intel-ucode.bin
        /usr/local/share/cpucontrol/06-9a-04.40

find /usr/local/share/cpucontrol /boot/firmware -iname '*06-9a-04*' -o -iname '*intel*ucode*'
/usr/local/share/cpucontrol/06-9a-04.40
/boot/firmware/intel-ucode.bin
```

Is it possible that the split microcode file 06-9a-04.80 is missing from the package, so the Intel microcode plugin cannot update this CPU and keeps the firmware-provided 0x432?

Thanks!


FB
#7
26.1, 26.4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 09:24:50 AM
Also applies in 26.1.8_5
#8
26.1, 26.4 Series / catch-22 with OPNsense 26.1.7_...
Last post by euclid - Today at 09:19:47 AM
Hi,

I updated OPNsense to 26.1.7, and after the update I see a few issues with how the *soft interfaces* (/interfaces_assign.php) are started.

The host has 2 physical interfaces, plus some VLAN and WireGuard interfaces.

I have an interface that is using the [legacy] ISC DHCPv4 (OPT1). Because of that, it is not registered in the UI. Then all the consecutive interfaces OPT2, OPT3, ... do not appear, because I assume the process that starts the soft interfaces at boot stops immediately on the first error [I consider this bug #1: because one interface failed, the following interfaces are not even registered]. There is additionally a bug #1.1, because all the interfaces were marked as enabled and that prevents interface removal.

Now, because I don't have these soft interfaces, my [legacy] ISC DHCPv4 does not show me the configured interfaces to move the DHCP configuration to, so I cannot really solve this unless I touch the system [I consider this bug #2: this is the catch-22].

In general, the user ergonomics of the transition of deprecating DHCPv4 and moving some of its parts (for better or worse) into the interface UI is not well thought out, and I consider this bug #3. The user interface experience is lacking.

Because the interfaces didn't start as expected, my gateways did random things; I had a system where some things worked, but without me having any possibility to modify it from the UI.

I've been using OPNsense for 6 years. This release must have been the least quality-assured release I remember.
#9
Tutorials and FAQs / Re: Technitium DNS Server on O...
Last post by jaykumar2005 - Today at 09:17:55 AM
Will the Technitium installation survive an OPNsense major upgrade?
#10
Just a quick response, it now works again without any changes on my side.