Recent posts

#1
25.7, 25.10 Series / Re: BIOS halted with 0x06 Inva...
Last post by meyergru - February 25, 2026, 11:42:11 PM
I think that the 1.15 BIOS may have an Intel microcode update from September 2025, so you probably need some very recent UEFI code to fix the problems caused by that. Other than that, there are probably only the microcode updates in there that caused Dell to issue that release.

Since it may be only the UEFI code that causes problems (and not the FreeBSD kernel), you could skip the BIOS update and only use the OPNsense microcode package. That is applied after the UEFI bootloader has finished.

Another possible trick would be to use BIOS boot instead of UEFI boot - OPNsense can do both.
#2
25.7, 25.10 Series / Re: BIOS halted with 0x06 Inva...
Last post by txr13 - February 25, 2026, 11:16:13 PM
I remember looking at that thread some time ago, as it happens! :) I was referencing it because I observed during the boot sequence that the loader needed to be updated. It was a while back, but I think the thread I saw was this one (https://forum.opnsense.org/index.php?topic=46035.0) which referenced your instructions to update the bootloader. (And in fact, I also remember taking some pains to be sure I updated the bootloader on both drives, since this is a ZFS mirror.)

So I know that the bootloader has been updated since the original installation, and probably within the last 12 months. It may be worth trying to update it again and then having a go with BIOS 1.15, but I do want to just confirm that I have done this update process once before in the past, so at the very least it's not as old as it could have been!
#3
25.7, 25.10 Series / Re: BIOS halted with 0x06 Inva...
Last post by meyergru - February 25, 2026, 10:53:32 PM
I would guess that your OPNsense installation is a little older. You must know that OPNsense never upgrades the actual UEFI bootloader.

Yours may be incompatible with your current BIOS / microcodes in version 1.15.

So, once back to the running 1.14 release, you could try to manually upgrade the UEFI bootloader and then try again to upgrade your BIOS.

See this - not exactly your situation, but the instructions on how to update the boot loader probably still work. Patrick is the expert on these matters. Be careful about your specific partitioning.
#4
26.1 Series / Re: Enable SSH at Console
Last post by TheSHAD0W - February 25, 2026, 10:51:32 PM
Grok's link expires after a while; going to paste it here so it's preserved for future reference...

Quote

**To enable SSH on OPNsense when you've lost WebUI access, use the built-in console menu (available via physical VGA/keyboard, serial, or VM console).** This works because SSH configuration lives in `/conf/config.xml` (the central config file), and the console gives you shell access to edit it directly. No internet or WebUI is required.

### Step-by-Step Instructions

1. **Access the console** 
  - Connect a monitor + keyboard (VGA) or serial cable. 
  - In a VM (e.g., Proxmox/ESXi), open the VM console. 
  - Power on or reboot if needed. Log in as **root** with your root password (default is usually `opnsense` on fresh installs, or whatever you set).

2. **Enter the OPNsense menu** 
  You'll see a numbered list (something like): 
  ```
  1) Assign Interfaces
  2) Set interface(s) IP address
  ...
  8) Shell
  5) Reboot system
  ...
  ```
  **Choose `8) Shell`** (this drops you to a FreeBSD root shell).

3. **(Optional but recommended) Verify current state** 
  ```
  ssh localhost
  ``` 
  or 
  ```
  ps aux | grep sshd
  ``` 
  If nothing is listening on port 22, SSH is disabled.

4. **Edit the config to enable SSH** 
  ```
  vi /conf/config.xml
  ``` 
  (vi is built-in; press `i` to insert/edit, Esc to exit insert mode, then `:wq` to save & quit. If you prefer nano: `pkg install nano` first.)

  - Press `/` then type `system` and Enter to jump to the `<system>` section. 
  - Inside the `<system>` ... `</system>` block, **add or edit** the `<ssh>` subsection so it looks like this (place it near the end of the `<system>` block, before `</system>`):

    ```xml
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>  <!-- allows root login (recommended for recovery) -->
      <passwordauth>1</passwordauth>        <!-- allows password login -->
      <!-- Optional: restrict to LAN only -->
      <!-- <interfaces>lan</interfaces> -->
    </ssh>
    ```

    - If a `<ssh>` block already exists, just change `<enabled>0</enabled>` (or missing) to `1` and add the other lines as needed. 
    - Values like `1` (or sometimes `enabled`) both work; `1` is standard.

5. **Apply the changes** (no reboot needed in most cases) 
  ```
  /usr/local/etc/rc.sshd restart
  ``` 
  or 
  ```
  configctl sshd restart
  ``` 
  (If neither works: `pkill sshd; /usr/local/sbin/sshd`)

  You can also just reboot from the menu (exit shell with `exit`, then choose `5) Reboot system`).

6. **Test SSH** 
  From another machine on the same LAN: 
  ```
  ssh root@YOUR-OPNSENSE-LAN-IP
  ``` 
  (e.g., `ssh root@192.168.1.1`). It should connect and drop you straight into the OPNsense menu.

### Extra Tips & Common Fixes
- **If you also lost WebUI access** (same root cause): 
  In the same `/conf/config.xml` edit, look for the `<webgui>` section and make sure it has `<enabled>1</enabled>` and no overly restrictive `<listenaddr>` or `<interfaces>`. 
  Or simpler: from the console menu, choose **2) Set interface(s) IP address** → it often offers to "restore web GUI defaults" (switches back to HTTPS on all interfaces).

- **Firewall rules**: 
  Once SSH is enabled in config, the built-in **anti-lockout rule** (on LAN) automatically allows port 22 to the firewall itself. You don't need to add a manual rule for LAN access.

- **Security notes** 
  - Only enable root login temporarily if needed. 
  - For production, create an admin user in the admins/wheel group, add your SSH key under **System > Access > Users**, then disable password/root login later (when WebUI is back). 
  - Restrict listen interfaces to LAN only in the `<ssh>` block if desired.

- **Backup first** (good practice): 
  Before editing: 
  ```
  cp /conf/config.xml /conf/config.xml.bak
  ```

This method is the standard recovery path documented across OPNsense forums, GitHub issues, and troubleshooting guides. Once SSH is up, you can fix the original WebUI issue from the shell or re-enable the GUI properly.

If you run into any error (e.g., XML syntax), paste the exact error here and I can help debug the config snippet. Good luck!
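
An added example, not part of the quoted post or OPNsense's own tooling: a check that a hand-edited config still parses as XML and that reports the recovery settings from step 4 which the security notes say to turn off afterwards. The sample config is constructed, and the element names are taken from the quoted snippet as an assumption about the real schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names follow the <ssh> snippet quoted above.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>
      <passwordauth>1</passwordauth>
    </ssh>
  </system>
</opnsense>"""


def _on(node, tag):
    """True when <tag> exists under node with a non-empty value other than 0."""
    value = (node.findtext(tag) or "").strip()
    return value not in ("", "0")


def audit_ssh(config_xml):
    """Return a list of findings for the <system><ssh> block of a config string."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # A typo made in vi shows up here before any service is restarted.
        return [f"config is not well-formed XML: {exc}"]
    ssh = root.find("./system/ssh")
    if ssh is None or not _on(ssh, "enabled"):
        return ["ssh is not enabled"]
    findings = []
    if _on(ssh, "permitrootlogin"):
        findings.append("root login permitted")
    if _on(ssh, "passwordauth"):
        findings.append("password authentication permitted")
    if not _on(ssh, "interfaces"):
        findings.append("no listen-interface restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty list means SSH is enabled with root login and password authentication off and a listen interface set, which is the state the security notes describe for production.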
#5
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by allebone - February 25, 2026, 10:04:57 PM
One more question, if I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples

And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General - must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?

-P
#6
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by allebone - February 25, 2026, 09:58:25 PM
Interesting, thanks everyone. Based on the above I'm going to simply create AAAA records for servers I want to access by name and see if after 1 year any ipv6 addresses changed. If they did I will just statically assign them an ipv6 address. This is very easy to do anyway. I would probably just statically assign them going forward but want to see if they ever change out of interest.
#7
Russian - Русский / Re: Setting up Sing-box+TUN (про...
Last post by _tribal_ - February 25, 2026, 09:33:48 PM
Quote from: scorpid on February 25, 2026, 02:33:59 PM
which brings up the TUN interface itself.

That's not quite true. The tun interface is shoved into the system by a script, straight into the opnsense config.
#8
25.7, 25.10 Series / BIOS halted with 0x06 Invalid ...
Last post by txr13 - February 25, 2026, 08:53:40 PM
I'm running OPNsense 25.7.11_2 on a Dell PowerEdge R250. After updating the BIOS to version 1.15, I can no longer boot OPNsense at all.

After POST, the loader menu comes up, and OPNsense proceeds to load the various modules for ZFS, intel_uucode.bin, bridge, and others I didn't catch. On a normally-booting system, the screen is cleared, the font changes, and the actual boot sequence begins. On a system running BIOS v1.15, I get a red screen indicating the BIOS has halted because of a CPU exception 0x06 Invalid Opcode in the pre-boot UEFI environment. Registers are visible, but there is no stack trace. (From memory, it says something about there being no LBR, but I don't know what that is.)

This was the primary router for a fairly large site, so I focused on getting the system back into operation rather than deeply investigating the issue. The problem was fixed upon reverting to BIOS v1.14.

Version 1.14 (working): https://www.dell.com/support/home/en-ca/drivers/driversdetails?driverid=t3jrr&oscode=naa&productcode=poweredge-r250
Version 1.15 (failed): https://www.dell.com/support/home/en-ca/drivers/driversdetails?driverid=2yt0g&oscode=naa&productcode=poweredge-r250

The most notable change in 1.15 seems to be "Intel processor and memory reference codes in the IPU Production Release IPU 2026.1 2125.15." I freely admit that I don't know that this caused the error, but I wanted to raise this as a possibility that this may change the opcodes available to the loader in the UEFI environment.

The site in question does have a secondary router on identical hardware, so there's a possibility I can use that to gather more information if necessary / helpful.
#9
German - Deutsch / Re: Buying advice
Last post by iani - February 25, 2026, 08:32:47 PM
Thank you, Patrick. I'll go have a look around there right away.
#10
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by OPNenthu - February 25, 2026, 07:46:02 PM
Quote from: nero355 on February 25, 2026, 07:01:03 PM
This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html

Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode. Per this document:

"Also, the address is stable when the network interface hardware is replaced."