Recent posts

#1
25.7, 25.10 Series / Re: Dnsmasq not responding to ...
Last post by Lu - Today at 02:54:44 AM
Thanks for replying.

We're not using VLANs and everything is on the same v4 subnet and v6 prefix, so any firewall rule that blocked only the printer would have to contain address-specific parameters, right? There's nothing like that.

Further tests:
  • I gave my own PC static IPs by cloning the printer's reservation in Dnsmasq's Hosts page, one off of the printer's IPs, outside the normal DHCP offer ranges, and my PC still got replies from the OPNsense device.
  • Set the resolver address on the printer and PC to a separate server, on the LAN, running BIND9. Both received usable DNS responses.

I can't take Dnsmasq down for any extended period until I have a decent maintenance window, but everything I've seen points to it, so far.

Quote from: meyergru on January 14, 2026, 10:56:30 AM
I always create an "allow DNS on this firewall" as a floating rule.

Doesn't 'floating' allow DNS requests from the WAN side? I don't want that, it would obviate the point of having overrides for private addresses on our domain. I already have a similar rule to immediately allow all DNS on the LAN interface, as recommended by the WAN failover guide, because we have a 5G backup connection.

Can you see anything in the packet captures? They're very small.
#2
Here https://docs.opnsense.org/manual/nat.html#some-terms-explained one can read the following:

Quote
Pool options: When there are multiple IPs to choose from, this option will allow regulating which IP gets used. The default, Round Robin, will simply distribute packets to one server after the other. If you only have one **external IP**, this option has no effect.

Though it makes perfect sense for outgoing NAT, as one can have multiple external IPs to NAT from.
I'm interested in the option in the context of port forwarding, as it is in the UI for port forwarding (and I didn't test it to see what it really does).
When in the context of port forwarding, the implication is that someone or something tried to connect to (external_ip:external_port), so how does the above **external IP** square with this scenario? Internal IP makes more sense, as one can have a plethora of internal IPs to forward to.
Or am I missing something here?

If it is indeed the case, doesn't this make relayd redundant?
 
#3
25.7, 25.10 Series / Unbound reporting not working ...
Last post by wallaby501 - Today at 02:19:07 AM
I could be wrong because I honestly did not know of this before this version but it's not working for me. I'm unsure if it's specific to this version or not.

I made sure I have no errors in the new blocklist features and I've reloaded it since then but have NOT rebooted yet.

I see "Cannot read properties of undefined (reading 'total')" in the dev tools on the page. I have let it go a couple hours since fixing the issues with dnsbl of unbound.

One thing I will note is that I store /var/log in RAM to avoid excessive writes to my NVME. Will that at all affect the operation of the reporting? In Services-Unbound-Logging I see all the logs clearly. In Reporting-Unbound DNS I have nothing on Overview nor anything in the Details tab. I've enabled/disabled it and cleared the stats for it but no change over several hours.

Not a huge deal, I would just prefer to have some nicer tools to look at what is going on vs. parsing through logs on Loki.
#4
General Discussion / Re: Wireless Access Points
Last post by passeri - Today at 01:48:41 AM
Mikrotik offers WiFi6 devices such as the wAP and cAP, but not mesh as plug and play. On the other hand, they give you absolute control of every other aspect of operation, including nigh-endless VLANs or virtual radios. Do you have ethernet between the levels?
#5
General Discussion / Re: Wireless Access Points
Last post by nero355 - Today at 12:17:01 AM
Quote from: Stormscape on January 15, 2026, 08:32:06 AM
Personally I use TP Link's Omada APs.

They're quite good and can do fast roaming and mesh very easily, if you set up the Controller, which can run on any Windows/Linux machine, or you can use a dedicated hardware controller.

IMHO stuff like TP-Link Omada and Ubiquiti UniFi can become very annoying if there is something wrong with the Controller:
You can access them via SSH or some sort of CLI anyway, but any changes can't be saved and are lost after the next reboot... -_-

And when you host the Controller yourself, the MongoDB dependency is also extremely annoying, because you need to check which version you will need to run and which CPU instructions are mandatory for that specific version!!

I love my UniFi In-Wall units, but the next time I need to buy something I would rather have a situation in which every switch or access point has its own webGUI and SSH access :)
#6
25.7, 25.10 Series / Re: 25.7.11 Upgrade Issue
Last post by Max_G - January 15, 2026, 11:34:32 PM
Ah nice! Thanks for the quick fix.

I'll try the update again in a bit.
#7
25.7, 25.10 Series / openvpn client will not connec...
Last post by richaras - January 15, 2026, 11:26:34 PM
I use the PIA client in OpenVPN. After upgrading today to 25.7.11, my connection status says "resolve".

The log files say

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Google says to add "remote-cert-tls server" to the configuration file. The options in the client settings no longer contain the remote-cert-tls server option to select it.

I tried to edit the .conf file directly on the console, but my changes are removed when I restart the service?

It was working fine in 25.7.10...?
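The OpenVPN warning quoted in this post is emitted when the client config carries no directive that verifies the server certificate. As an added example (not from the post, and not OPNsense or OpenVPN code), here is a small Python checker that parses an OpenVPN client config, skipping comments and inline <ca>...</ca> style blocks, and reports whether a verification directive is present; it can also append "remote-cert-tls server" to a config that lacks one. The sample config and its certificate placeholder are constructed, and the list of qualifying directives (remote-cert-tls, verify-x509-name, remote-cert-eku) is my reading of the OpenVPN manual, so treat it as an assumption rather than the authoritative check OpenVPN performs.

```python
import re

# Directives that, per the OpenVPN manual (assumption, see lead-in), enable
# server certificate verification and therefore silence the
# "No server certificate verification method has been enabled" warning.
VERIFY_DIRECTIVES = ("remote-cert-tls", "verify-x509-name", "remote-cert-eku")


def parse_directives(config_text):
    """Return a list of (name, args) for each active directive.

    Skips blank lines, comment lines (# or ;) and the contents of inline
    <tag>...</tag> blocks such as <ca> or <tls-auth>, so that text inside a
    PEM blob or a commented-out line is never mistaken for a directive.
    """
    directives = []
    block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        opener = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opener:
            block = opener.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def server_verification(config_text):
    """Return (name, args) of the first verification directive, or None."""
    for name, args in parse_directives(config_text):
        if name in VERIFY_DIRECTIVES:
            return name, args
    return None


def add_remote_cert_tls(config_text):
    """Append 'remote-cert-tls server' when no verification directive exists.

    The returned text is unchanged if verification is already configured.
    """
    if server_verification(config_text) is not None:
        return config_text
    return config_text.rstrip("\n") + "\nremote-cert-tls server\n"


# Constructed sample client config; the endpoint and the certificate body are
# placeholders, not a real provider's values.
CONSTRUCTED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
auth sha1
tls-client
# remote-cert-tls server   <- commented out, must not count
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
</ca>
verb 1
"""

if __name__ == "__main__":
    found = server_verification(CONSTRUCTED_CONFIG)
    print("verification directive:", found)
    print(add_remote_cert_tls(CONSTRUCTED_CONFIG))
```

Run it against the .conf OPNsense generates to confirm whether a verification directive made it into the file. As the poster observed, edits to the generated file do not survive a service restart, so the checker is a diagnostic; the directive has to come from wherever the GUI writes the client configuration. Note also that "remote-cert-tls server" only succeeds if the server's certificate actually carries the TLS Web Server Authentication extended key usage, so a provider whose certificates lack it would fail to connect once the option is enabled.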
#8
25.7, 25.10 Series / Re: 25.7.11 Upgrade Issue
Last post by franco - January 15, 2026, 11:01:43 PM
Thanks, this was very recently reported and already hotfixed: https://github.com/opnsense/core/issues/9618


Cheers,
Franco
#9
Announcements / Re: OPNsense 25.7.11 released
Last post by franco - January 15, 2026, 10:59:25 PM
A hotfix release was issued as 25.7.11_1:

o system: fix vsprintf() error on stray % invoke
#10
General Discussion / Re: QEMU NAT with Opnsense
Last post by viragomann - January 15, 2026, 10:57:32 PM
It's not clear how you set up your virtual network.

Do you run OPNsense with a single NIC?

Quote from: August8828 on January 14, 2026, 07:33:07 PM
For NAT, I got assigned the 192.168.122.0/24 network. I can ping it from my Linux host.
What?
OPNsense, the virtual router or any other IP?

Quote from: August8828 on January 14, 2026, 07:33:07 PM
Unfortunately, when creating either a Linux or Windows VM
To what?
To the OPNsense WAN, LAN???

Quote from: August8828 on January 14, 2026, 07:33:07 PM
Regarding the routing table,
Which device?

Quote from: August8828 on January 14, 2026, 07:33:07 PM
Do you have an idea why this is not working?
Give more details.