"Recent posts
#1
26.1 Series / Re: [SOLVED] Static IPv6 addre...
Last post by Maurice - Today at 01:32:11 AMA stable-privacy interface identifier (RFC 7217) is only stable as long as the prefix is stable, but then you wouldn't need dynamic DNS.
If your prefix is dynamic, you indeed have to use EUI-64 or a token (which most devices still do).
ISC DHCPv6 allows static mappings without an address range for dynamic leases. RA flags are configured independently (in radvd).
Kea does not (yet) support dynamic prefixes, so that's probably not an option.
Not sure about dnsmasq.
If your prefix is dynamic, you indeed have to use EUI-64 or a token (which most devices still do).
ISC DHCPv6 allows static mappings without an address range for dynamic leases. RA flags are configured independently (in radvd).
Kea does not (yet) support dynamic prefixes, so that's probably not an option.
Not sure about dnsmasq.
#2
26.1 Series / Shaper on 26.1.2 - Removed Pip...
Last post by Timotei79 - Today at 01:06:20 AMHi,
Bit of an odd one, checking with ISP, but current upstream seems to be limited in terms of speed.
I had setup shaper on upload, then removed it all, but the Shaper status still shows Pipes/Queues still in place?
Is there a way to remove the remaining entities to rule out affecting my upload speed?
Bit of an odd one, checking with ISP, but current upstream seems to be limited in terms of speed.
I had setup shaper on upload, then removed it all, but the Shaper status still shows Pipes/Queues still in place?
Is there a way to remove the remaining entities to rule out affecting my upload speed?
#3
26.1 Series / Re: How to have two DNS server...
Last post by Maurice - Today at 12:49:51 AMQuote from: nero355 on February 15, 2026, 11:30:26 PMPlease share your setup configuration with us :)Just normal "bind service to loopback interface" stuff. :)
- Interfaces: Devices: Loopback, add two interfaces ('Loopback_Unbound', 'Loopback_BIND').
- Interfaces: Assignments, assign the interfaces and configure them with static /32 / /128 IP addresses (should not be within subnets used elsewhere).
- Services: Unbound DNS: General, set 'Network Interfaces' to 'Loopback_Unbound'.
- Services: BIND: Configuration, enter the IP addresses of 'Loopback_BIND' as 'Listen IPs' / 'Listen IPv6'.
- Now you can advertise the 'Loopback_Unbound' addresses to some clients and the 'Loopback_BIND' addresses to others, using a method of your choice (DNS servers setting in Kea / ISC / radvd / Dnsmasq).
Should work for any service which allows binding to specific interfaces or IP addresses. I do the same for e. g. the Web UI and downstream DNS-over-HTTPS (both on port 443).
Cheers
Maurice
#4
26.1 Series / Re: How to have two DNS server...
Last post by yarn - Today at 12:49:14 AMQuote from: Maurice on February 15, 2026, 09:34:47 PMit works for me for running both Unbound and BIND on port 53 (but different IP addresses).Yes I'd like to know as well! The GUI for unbound only lets me select interfaces which seems to take up all IPs despite the "Deny service binding" setting.
#5
General Discussion / Re: Teams & Gmeet issue - Free...
Last post by OPNenthu - Today at 12:47:54 AMPerhaps :) I read it as "You can accept the baseline so that we don't have to troubleshoot your network."
I sooner suspect problems with either IPv6 fragmentation or UDP packet drops, tbh. It's been a theme and the FreeBSD kernel is getting mucked with to make pf play well with pfil() hooks requiring the entire packet which is a problem under IPv6. Or something like that.
I'm only halfway through this explanation: https://www.youtube.com/watch?v=JtSg6ylDALo
Also need to re-read this: https://github.com/opnsense/src/issues/254
I sooner suspect problems with either IPv6 fragmentation or UDP packet drops, tbh. It's been a theme and the FreeBSD kernel is getting mucked with to make pf play well with pfil() hooks requiring the entire packet which is a problem under IPv6. Or something like that.
I'm only halfway through this explanation: https://www.youtube.com/watch?v=JtSg6ylDALo
Also need to re-read this: https://github.com/opnsense/src/issues/254
#6
General Discussion / Re: DynDNS client for deSEC.io
Last post by JamesFrisch - Today at 12:40:43 AMQuote from: skywalker007 on February 15, 2026, 06:14:21 PMI looked at your script quickly and my observation is that it is completely decoupled from OPNsense logic to update the IPs when the WAN connection gets established. Why would I schedule a script with cron?
Just triggering the script, when there was an WAN IP change detected, is of course also a good idea.
On the other hand, I see a by default 60 second interval in the webGUI. Again, I am not a coder and have not checked what it is actually doing every 60s.
Just to clarify, my script does NOT run an update request every 5min with cron. It does a DNS request & a curl request. That is very, very lightweight. And a little bit more fail save. I could imagine some edge cases, where OPNsense thinks it has a working WAN IP, but in reality there is for whatever reason a connection issue.
#7
General Discussion / Re: Teams & Gmeet issue - Free...
Last post by connervt - Today at 12:29:53 AMQuote from: OPNenthu on February 15, 2026, 11:31:23 PMSaw a note under the section "Technologies that aren't recommended with Microsoft Teams":QuotePacket shapers. Any kind of packet snipper, packet inspection, or packet shaper devices aren't recommended for Teams media traffic and may degrade quality significantly.
Interesting.
You could also read that as Microsoft saying "Don't do anything that prevents us from having complete control of your system..."
#8
General Discussion / IPV6 tunnel with route64
Last post by Swtrse - February 15, 2026, 11:44:20 PMHello,
I'm at my wit's end, and Copilot is just sending me around in circles. ^^
I have a PPPoE setup. My "Stone Age" provider (A1) doesn't offer IPv6 on my connection, so I set up a GIF tunnel with route64.
My problem
After rebooting the firewall, IPv6 works for ~120 seconds, then I only get timeouts.
What Copilot suggested and I implemented (without success):
Gateway monitoring disabled
Static route set to the end address of Route64. (Because I'm not using the actual tunnel address, but the also routed /56 subnet.)
An allow-all rule on the interface for the GIF tunnel
Checked the rule on the WAN interface for Protocol 41 ["Reply to" disabled] and set [Status Type] to "No State."
MTU settings and MSS as well.
As soon as my pings only throw timeouts. I don't see anything even in the packet capture.
I'm at my wit's end, and Copilot is just sending me around in circles. ^^
I have a PPPoE setup. My "Stone Age" provider (A1) doesn't offer IPv6 on my connection, so I set up a GIF tunnel with route64.
My problem
After rebooting the firewall, IPv6 works for ~120 seconds, then I only get timeouts.
What Copilot suggested and I implemented (without success):
Gateway monitoring disabled
Static route set to the end address of Route64. (Because I'm not using the actual tunnel address, but the also routed /56 subnet.)
An allow-all rule on the interface for the GIF tunnel
Checked the rule on the WAN interface for Protocol 41 ["Reply to" disabled] and set [Status Type] to "No State."
MTU settings and MSS as well.
As soon as my pings only throw timeouts. I don't see anything even in the packet capture.
#9
Development and Code Review / OPNsense - Topology map & cli...
Last post by flaviuvlaicu - February 15, 2026, 11:37:21 PMHi all,
I was bored over the weekend and I know that a lot of people requested in the past to have some sort of topology map and clients overview. I made this feature as a package to install. I still got some things to work at it but it's functional. Share your thoughts about how it looks and idea and also if there is anyone who would like to contribute further or test.
I was bored over the weekend and I know that a lot of people requested in the past to have some sort of topology map and clients overview. I made this feature as a package to install. I still got some things to work at it but it's functional. Share your thoughts about how it looks and idea and also if there is anyone who would like to contribute further or test.
#10
General Discussion / Re: Teams & Gmeet issue - Free...
Last post by OPNenthu - February 15, 2026, 11:31:23 PMYou are seeing the same even without shaping?
I was skimming through this: https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows
Saw a note under the section "Technologies that aren't recommended with Microsoft Teams":
Interesting.
There are also several issues on the OPNsense GH related to fragmentation (some closed, some not) so maybe this is rearing its ugly head again. A little out of my depth, though.
I was skimming through this: https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows
Saw a note under the section "Technologies that aren't recommended with Microsoft Teams":
QuotePacket shapers. Any kind of packet snipper, packet inspection, or packet shaper devices aren't recommended for Teams media traffic and may degrade quality significantly.
Interesting.
There are also several issues on the OPNsense GH related to fragmentation (some closed, some not) so maybe this is rearing its ugly head again. A little out of my depth, though.
