Recent posts

#1
26.1, 26.4 Series / Re: Unable to get IPv6 Traffic...
Last post by space_cadet - Today at 02:23:33 AM
Hey, sorry to hear your IPv6 settings are still not working.

1. My RA settings are blank. WireGuard assigns the IPv6 addresses, and I'm using Dnsmasq for DHCPv6 address assignment on my LAN.
2. NAT Outbound is set to Automatic Outbound NAT Rule Generation.
3. NAT NPTv6 is also blank.

What settings do you have set up for your WireGuard Server Instance? I know you have requested a /56 prefix from your ISP, but are you sure it's honoring it? When I tried to use a /56 the ISP kicked me back to a /64. The lowest it would let me go was a /60. See my last post regarding the Interface > Overview, to ensure your ISP is honoring the /56 prefix.

I also see you have 2a01:xxxx:xxxx:xx03::9001 listed as your DNS. When you entered this into your tunnel address, did you list it as 2a01:xxxx:xxxx:xx03::9001/64? This is just like setting the subnet mask for IPv4.
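The two things the reply above asks the poster to verify (is the ISP really handing out the requested /56, and was the tunnel address entered with its /64 mask) can be checked mechanically. The script below is an added example, not code from the thread or from OPNsense: you paste in the prefix the WAN actually received (as shown under Interfaces > Overview) and the addresses configured on LAN and tunnel interfaces, and it reports whether the delegation is as requested, how many /64 subnets it yields, and which addresses lack a /64 mask or fall outside the delegation. All prefixes and addresses below are constructed documentation values, not the poster's real ones.

```python
"""Sanity-check an IPv6 prefix delegation against the addresses configured on it.

Added example, not from the forum thread. The delegated prefix and the
interface addresses are constructed 2001:db8::/32 documentation values.
"""
import ipaddress


def check_delegation(requested_len, delegated_prefix, addresses):
    """Compare what the ISP delegated with what was requested and configured.

    requested_len    -- prefix length asked for in the DHCPv6 client (e.g. 56)
    delegated_prefix -- prefix actually received, e.g. "2001:db8:1234:ff00::/56"
    addresses        -- interface/tunnel addresses as typed into the GUI
    Returns a dict with 'honored', 'delegated_len', 'subnets_64' and 'problems'.
    """
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=True)
    report = {
        # a shorter prefix (smaller number) is at least as much as was asked for
        "honored": delegated.prefixlen <= requested_len,
        "delegated_len": delegated.prefixlen,
        # number of /64 subnets the delegation can be carved into
        "subnets_64": 2 ** (64 - delegated.prefixlen) if delegated.prefixlen <= 64 else 0,
        "problems": [],
    }
    for text in addresses:
        try:
            iface = ipaddress.IPv6Interface(text)
        except ValueError:
            report["problems"].append(f"{text}: not a valid IPv6 address/prefix")
            continue
        if "/" not in text:
            # IPv6Interface silently assumes /128; in the GUI that means the
            # on-link prefix is missing, the IPv6 equivalent of no subnet mask
            report["problems"].append(f"{text}: no prefix length given, expected /64")
        elif iface.network.prefixlen != 64:
            report["problems"].append(
                f"{text}: prefix length /{iface.network.prefixlen}, expected /64")
        if iface.ip not in delegated:
            report["problems"].append(f"{text}: outside delegated {delegated}")
    return report


if __name__ == "__main__":
    # Constructed sample: asked for a /56, ISP honored it, one tunnel address
    # entered without a mask and one LAN address from a different prefix.
    sample = check_delegation(
        56,
        "2001:db8:1234:ff00::/56",
        ["2001:db8:1234:ff03::9001/64",
         "2001:db8:1234:ff03::9001",
         "2001:db8:abcd:3::1/64"],
    )
    print("delegation honored:", sample["honored"],
          f"(/{sample['delegated_len']}, {sample['subnets_64']} x /64)")
    for problem in sample["problems"]:
        print("  -", problem)

    # Constructed sample of the failure the reply describes: ISP fell back to a /64.
    fallback = check_delegation(56, "2001:db8:1234:ff03::/64",
                                ["2001:db8:1234:ff03::9001/64"])
    print("delegation honored:", fallback["honored"],
          f"(/{fallback['delegated_len']}, {fallback['subnets_64']} x /64)")
```

If "honored" comes back False with a /64, only a single on-link subnet exists and every interface that should get its own /64 (LAN, WireGuard tunnel) will collide, which matches the symptom of IPv6 working on one segment and not another.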
#2
The OS names change when the hardware does.

Switch from 1G to 10G by adding a new 10G NIC? Simply reassign the logical interface to the new device - done. IP configuration, DHCP, firewall rules, NAT, ... all will just follow with a single click.
#3
26.1, 26.4 Series / DEC840 gets stuck on boot if a...
Last post by feld - Today at 12:07:55 AM
OPNsense 26.1.8_5-amd64

I have Quantum Fiber for my internet service and my CPE equipment is a C5500XK. Unfortunately I don't have a GPON SFP that will let me bypass this equipment at this time.

I have a 10GBASE-T SFP+ 30m https://www.fs.com/products/111919.html

If I attempt to boot my DEC840 with this physical link up it gets stuck and fails to complete booting. I have tried replacing this SFP as I have many on hand, but they all produce the same behavior. Changing this out for a 1G transceiver works fine and it boots noticeably faster than with the 10G.

I am attaching the boot log captured over serial console at boot via script+screen. I had to clean this up a bit as it had all the terminal control characters and color sequences littered throughout but I think it's fully intact.

What I have observed is that there are some additional i2c devices detected when the 10G module is used, and it seems to fail to configure/communicate with the SFP based on the timeouts it displays in the boot log.

If I boot the firewall without the physical link up (unplug ethernet), and then plug in after fully booted it works fine -- or at least I don't notice any issues with the link or its stability.


edit: I want to mention that this hardware configuration worked fine for a couple years, but I can't be certain when this problem started happening. I believe it started somewhere within the 25.x series.
#4
26.1, 26.4 Series / Re: [26.1] NAT reflection not ...
Last post by Kinerg - May 14, 2026, 11:56:52 PM
Quote from: nero355 on May 14, 2026, 03:45:22 PM
    If possible you should avoid Reverse NAT a.k.a. NAT Loopback anyway, so maybe a good moment to consider moving away from it ?!
Why? Genuine question.
#5
General Discussion / What is the Purpose of 'opt' I...
Last post by Al Muckart - May 14, 2026, 11:56:18 PM
I've been configuring multiple firewalls that need to be identical recently and I got curious.

What is the purpose of abstracting OS interfaces to OPNsense's 'optN' interfaces, vs. using the OS names directly?

Thanks.


#6
Tutorials and FAQs / Re: HOWTO - Redirect all DNS R...
Last post by yourfriendarmando - May 14, 2026, 11:40:12 PM
Here is an excerpt of my configurations, related to DNS and NTP redirection:

DNS and NTP redirection

Goals to solve with this solution:
- Provide local DNS services to clients.
- Redirect client attempts to circumvent local DNS, back to local DNS services
- Force clients to only use DNS UDP port 53 via their IPv4 address
- Block attempts to use DNS over TLS (port 853)
- Block clients, to as great an extent as possible, from accessing servers known to host DNS services via any protocol.

Pre-Requisites:

Firewall :: Categories (Optional step, including Categories used below)

Automatic: [ ] Unchecked

Name             # Color
0Frequent        0084ff
ASN              e7bc98
Danger           ff0000
Danger0          ff7f7f
Danger2          fa6400
Danger3          ffeb00
Danger4          ee00ee
Excep            808080
Firewall         ffffff
Host             84542a
Ingres           00ff00
Ingres0          80ff80
Ingres2          00bf00
Local            00ffff
Net              b37e52
Port             c990dd

Firewall :: Groups (Firewall Interface Groups)

Name        Members                           Description
    My Example:
LANs        <All Local except WANs>           
LANs        ex: OoB, LAN, GST, MGT, IoT, NVR  All Local networks, excluding virtual interfaces like OpenVPN, and WANs
    Policy Approach Example:
DNScli      LAN, GST, ...                     Interface networks you want to force local DNS

Firewall :: Aliases

Name:        danger_port
Type:        Port(s)
Categories:  Danger0, Port
Content:     853
Description: Block Dangerous Egress Ports
Notes:       This is part of a list of Ports I consider dangerous to access on the Internet.
             If you want more ports, or have your own, let's share

Name:        excep_local_nets_net
Type:        Network(s)
Categories:  Excep, Local
Content:     !10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16,!127.0.0.0/8,!::1/128,!127.0.0.1/32,!fc00::/7
Description: Local Default Networks Exclusion
Notes:       This list of networks is used to clean up external Block Lists.
             It is possible to receive a list with local CIDR blocks,
             and be remotely hosed from your own local networks.

Name:        danger_symm_url_aRaw
Type:        URL (IPs)
Categories:  Danger2
Content:     https://raw.githubusercontent.com/crypt0rr/public-doh-servers/refs/heads/main/ipv4.list
             https://raw.githubusercontent.com/crypt0rr/public-doh-servers/refs/heads/main/ipv6.list
             https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.txt
             https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.txt
             https://raw.githubusercontent.com/oneoffdallas/dohservers/refs/heads/master/iplist.txt
             https://raw.githubusercontent.com/oneoffdallas/dohservers/refs/heads/master/ipv6list.txt
Description: Block Symmetric URLs raw
Notes:       This is part of a list of URLs to Block lists of IP addresses.
             These IP addresses must not be accessed, and should not be accessing you.
             If you want more ports, or have your own, let's share

Name:        danger_symm_url_aGrp
Type:        Network group
Categories:  Danger2
Content:     excep_local_nets_net,danger_symm_url_aRaw
Description: Block Symmetric URL Group
Notes:       Fuses the two above lists to sanitize the input of the external block lists.
             The WANs rules to use this alias, are not discussed in this tutorial.

Name:        fw_port_svc_rdr
Type:        Port(s)
Categories:  Firewall, Port
Content:     53,123
Description: Firewall Redirect Egress Ports DNS NTP
Notes:       Confines a client from accessing a DNS or NTP server,
             A NAT rule will loop a request back to the Firewall or whatever destination you choose.

Firewall :: NAT :: Destination NAT

Description: Fwd DNS NTP to FW
Interface:   LANs, OpenVPN (Or other Interfaces, or Firewall Interface Groups you created)
Version:     IPv4          (Do NOT specify IPv6, that way it is easier to know who accesses services)
Protocol:    TCP/UDP
Source ::
  Invert Source:  [X]
  Source Address: This Firewall
  Source Port:    any
Destination ::
  Invert Destination:  [X]
  Destination Address: This Firewall
  Destination Port:    [ fw_port_svc_rdr       v ]
  Pool Options:   Default
Options ::
  No RDR (NOT):   [ ]
  Log:            [ ]
  No XMLRPC Sync: [ ]
  NAT Reflection: [ Disable   v ]
  Set Tag:        [             ]
  Match Tag:      [             ]
  Firewall rule:  [ Manual    v ]

Description: Fwd NTP6 to FW
Interface:   LANs, OpenVPN (Or other Interfaces, or Firewall Interface Groups you created)
Version:     IPv6          (Do NOT specify IPv4, that is handled above)
Protocol:    TCP/UDP
Source ::
  Invert Source:  [X]
  Source Address: This Firewall
  Source Port:    any
Destination ::
  Invert Destination:  [X]
  Destination Address: This Firewall
  Destination Port:    [ Single port or range  v ]
                       [ 123                     ]
  Pool Options:   Default
Options ::
  No RDR (NOT):   [ ]
  Log:            [ ]
  No XMLRPC Sync: [ ]
  NAT Reflection: [ Disable   v ]
  Set Tag:        [             ]
  Match Tag:      [             ]
  Firewall rule:  [ Manual    v ]


:::::: So far, this will cover redirecting services 53 and 123, now we block circumvention ::::::

Firewall :: Rules [New] or classic, same concept

Act Dis Ifaces Ver Proto Source           SPrt Destination           DstPort     Log Description          Categories
Prm [ ] *      4,6 Any    This Firewall   *     any                              [ ] FW Prm Anything      Ingres,Firewall
  Notes: Prevent your firewall from blocking access to external resources
Blk [ ] *      4,6 TC/UD  local_link      *     any                  53 (DNS)    [X] Blk Link Local DNS   Danger0,Local,Port
  Notes: Prevent link local addresses in both IPv4 and v6 from accessing DNS anonymously
Blk [ ] *      4,6 Any    local_link      *    !This Firewall                    [X] Blk Link Local Final Danger0,Local,Net
  Notes: Block remaining link local access that was not blocked from Default rules
Blk [ ] *       6  TC/UD  local_net_aGrp  *     any                  53 (DNS)    [X] Blk Local DNS6       Danger0,Local,Port
  Notes: Completely block clients with a Unicast IPv6 address, from accessing DNS anywhere.
         Clients can lookup AAAA records via v4 address.
Blk [ ] *      4,6 TC/UD  local_net_aGrp  *    !local_net_aGrp       danger_port [X] Blk Egr Danger Ports Danger0,Local,Port
  Notes: Block Dangerous ports, or at least port 853 for everyone except the firewall.
Prm [ ] *      4,6 Any    Excep network   *     excep_egr_url_aGrp               [X] Prm Egr Excep URL    Danger2,Excep
  Notes: The exception rule allows a trusted device to by-pass the block rule below, it is not discussed in this tutorial.
Blk [ ] *      4,6 Any    *               *     danger_symm_url_aGrp             [X] Blk Egr Danger URL   Danger2
  Notes: Block clients from accessing IP address lists known to serve DNS via any UDP, DNS over HTTPs, DNS over TLS, etc.


Please set a CRON rule to refresh your Aliases and DNS block lists.

Please feel free to ask questions
It is probably not 100% fool-proof,
I'm always open to improvement

Sources:
- This tutorial thread https://forum.opnsense.org/index.php?topic=9245.0
- https://github.com/dibdot/DoH-IP-blocklists
- https://github.com/oneoffdallas/dohservers/tree/master
- https://github.com/crypt0rr/public-doh-servers/tree/main
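The tutorial above guards against a poisoned or sloppy upstream blocklist by fusing the negated local ranges in excep_local_nets_net with the raw URL aliases in a network group, so that a list containing 10.0.0.0/8 or 192.168.1.0/24 cannot cut the LAN off from itself. The script below is an added example, not part of the post and not OPNsense code: it performs the same sanitization before the list ever reaches the firewall, which is useful if you mirror the lists on an internal web server and point the URL (IPs) alias at that copy instead of at GitHub. It parses raw list lines (one IP or CIDR per line, `#` comments allowed), drops any entry that overlaps a private, loopback, link-local or ULA range, collapses the rest, and reports what was removed. The list contents below are constructed sample lines, not the real files from the URLs in the post; link-local ranges (169.254.0.0/16, fe80::/10) are excluded here as well, which is an addition to the tutorial's exclusion list.

```python
"""Sanitize DoH/DNS-server blocklists before loading them into a firewall alias.

Added example, not from the forum post. Drops entries that overlap local
address space so a poisoned upstream list cannot blackhole your own LAN.
"""
import ipaddress

# Ranges to never block: the tutorial's excep_local_nets_net entries, plus
# link-local v4/v6 (added here as an assumption; the post does not list them).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample in the shape of the upstream lists (one entry per line,
# '#' comments). The last four lines simulate poisoned or junk entries.
SAMPLE_LIST = """\
# public DoH resolvers (constructed sample, not the real upstream file)
1.1.1.1
1.0.0.1
8.8.8.8
8.8.4.4
9.9.9.9
2606:4700:4700::1111
2001:4860:4860::8888
10.0.0.53          # poisoned: would block the LAN resolver
192.168.1.0/24     # poisoned: whole LAN
fe80::1            # link-local
not-an-ip
"""


def parse_entries(lines):
    """Yield ip_network objects from raw list lines; skip comments, blanks, junk."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets "10.1.2.3/8"-style sloppy entries through as
            # their containing network rather than raising
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # hostnames or garbage have no place in an IP alias: drop, never guess
            continue


def is_local(net):
    """True if the entry touches any local range (same address family only)."""
    return any(net.version == r.version and net.overlaps(r) for r in LOCAL_RANGES)


def sanitize(lines):
    """Return (kept, dropped) as CIDR strings; kept is deduplicated and collapsed."""
    kept, dropped = [], []
    for net in parse_entries(lines):
        (dropped if is_local(net) else kept).append(net)
    # collapse_addresses requires a single address family per call
    v4 = ipaddress.collapse_addresses(n for n in kept if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in kept if n.version == 6)
    return [str(n) for n in (*v4, *v6)], [str(n) for n in dropped]


if __name__ == "__main__":
    kept, dropped = sanitize(SAMPLE_LIST.splitlines())
    # kept lines are what you would serve to the URL (IPs) alias
    print("\n".join(kept))
    # dropped lines are worth logging: a real list containing these is suspect
    for entry in dropped:
        print(f"# dropped local entry: {entry}")
```

Run it over each downloaded file from the cron job that refreshes the lists and write the kept lines to the file the alias fetches; anything reported as dropped is a signal to inspect the upstream list before trusting its next update.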
#7
General Discussion / Re: Update not working after c...
Last post by UiD - May 14, 2026, 10:54:26 PM
:( I thought the problem was solved but after rebooting it's the case again.

Very strange, if I select 1.1.1.1 I access the System: Firmware: Status menu without problems but I am blocked from downloading.
And if I select my DNS it takes time, I get an hourglass.
There must be a subtlety somewhere?


#8
Web Proxy Filtering and Caching / Re: Nginx CVE-2026-42945
Last post by wirehire - May 14, 2026, 10:05:03 PM
Thanks, I looked and found nothing. But zero trust on me, so I wait for the patch, and closed the front.

I thought the packages come directly from FreeBSD, so a pkg update nginx worked. So thanks for the insight!

#9
General Discussion / Re: Accessibility compliance f...
Last post by Greg_E - May 14, 2026, 09:40:18 PM
Looks like the service I just paid for may not have been required to conform.

I have one tool that will probably never comply, and a website that needs a MAJOR rework. I'll have to look into the latest version of Wordpress and make someone in my department learn it and build it. That said, if we get rid of the tool, we can dump the website too. More work off my plate would be nice.
#10
Hardware and Performance / Re: cpu-microcode-intel: no ma...
Last post by meyergru - May 14, 2026, 09:32:53 PM
That will probably not cut it, as I already said: For the boot phase, the intel-ucode.bin is used. Only for the user-space (later phase) does cpucontrol use the single files. Therefore, I am unsure what procedure could be used. If you wanted to be safe, I would use the 300000 byte file from Linux and name it .80, plus I would copy the Linux intel-ucode.bin.

AFAIU, the tools will extract whatever they need from the files, so strictly speaking, you do not need the single files, but that I do not know for sure, so I would not risk breaking anything going forward and would leave it to the experts. The best way to proceed is probably to wait for FreeBSD to fix it - if there already is a bug report, then fine.