Recent posts

#1
26.1, 26,4 Series / Synchronize and Reconfigure Al...
Last post by cornelius - Today at 07:05:12 PM
Hi everyone,

First off, a huge thank you to the developers and community for the incredible work on OPNsense. I switched from pfSense years ago and never looked back!

I have a small quality-of-life UI/UX feature request regarding the High Availability (HA) sync page (System > High Availability > Status).

When configuring or troubleshooting a cluster for the first time, finding the "Synchronize and reconfigure all" action can be a bit of a hide-and-seek exercise. Because it currently renders as standard text with a small inline refresh icon next to it, it easily blends into the section header style and doesn't immediately stand out as an actionable, high-priority button.

I've attached a screenshot to reference the current layout.

The Suggestion:

Would it be possible to style this action to look more like a standard Bootstrap button (e.g., adding a button outline or a subtle background fill)? Making it physically larger or giving it a clear button boundary would greatly improve accessibility and ease of access for admins managing high-availability states.

Curious to hear if other admins or developers agree that a little more visual prominence here would be helpful!


Thanks again for your time and dedication to the project.


Much appreciated,

Corey
#2
Did you check if the firewall state table gets exhausted? If so, increase Firewall ➔ Settings ➔ Advanced: Max States
#3
26.1, 26,4 Series / Problem with Firewall Live Vie...
Last post by mooh - Today at 06:45:55 PM
Turning off the logging of a firewall rule, the Live View still shows events caused by it but leaves the Label field empty. Additionally, when clicking on the i button of that event, followed by clicking the rid, the rule isn't found. The browser will open an empty new frame/window and close it immediately instead of showing the relevant rule editing dialog. It looks like the association between log file entry and firewall rule only exists while logging is turned on. I hope this is only a cosmetic error.
#4
26.1, 26,4 Series / Re: Problem with shutdown/rebo...
Last post by nero355 - Today at 05:32:47 PM
Quote from: cookiemonster on Today at 03:25:38 PM
https://forum.opnsense.org/index.php?topic=52191.msg269089;topicseen#msg269089
Double post or similar but separate problem?
This issue is related to that issue as he mentions there two or three times ;)
#5
I am having sort of an issue with Unbound taking a long time to respond to a query when I turn on qBittorrent.
I tried tweaking Unbound but it hasn't made that much of a difference.

The network is fine, ping is fine, speedtest is fine, qBittorrent has speed limits; it's really just Unbound taking a long time to respond to a query.
A dig command with @ my router sometimes results in a timeout.

Does anyone have any advice on how to deal with this?
#6
26.1, 26,4 Series / PF/Alias list update oddity
Last post by jonny5 - Today at 04:58:01 PM
Already feeling bad about making this post, but if someone else has this happen, I hope you find this and we can figure it out together.

My OPNsense upgraded to 26.1.10 w/no issue, and I have CrowdSec installed and the Firewall Blocker feature enabled (this means there are two PF/Alias lists that CrowdSec manages updates for).

Instead of configuring my Firewall to use the "CrowdSec managed lists" aliases, I have made a new alias/list where I included the CrowdSec lists (IPv4 and IPv6), SpamHaus list, and a personally kept list as my combined blocklist. This is my blocklist for Inbound and Outbound traffic - works great!

Some time ago, I realized I could have "Uptime Kuma" check an alias/list via API to see how recently it has been updated and let me know if it starts aging too much. After a while I found that the 25 minute marker was good for watching this combined blocklist that I had created - more or less, it near always updates within 25 minutes.

For those wondering, it is a JSON check:
URL: https://opnsense.domain.tld/api/firewall/alias/getItem/<UUIDOfList>
Check: (($millis() - $toMillis(alias.last_updated)) / 60000)

Here is the issue:
Yesterday there was an alert that my combined blocklist hadn't updated, and it was getting into its 4th hour. After restarting the PF service, restarting the CrowdSec Firewall Blocker, and trying to modify my combined blocklist (basically open to edit and hit save) in the Alias list, my combined blocklist would never update. The CrowdSec managed lists were updating (even though you cannot see an edit date, you can tell their count had gone down as it didn't add up to the total sum of my combined blocklist), but my combined blocklist held its aging modify/update time and high count.

Once I restarted OPNsense, things returned to normal, and the next day they continue to do so. No idea what happened there, but I would recommend you watch your lists and make sure you track the last update date in case they get locked too. If it happens again (this has only happened once so far), I hope to be able to do more to figure out what the hang-up is - would love ideas to check!
#7
26.1, 26,4 Series / os-kea-ubnd-ddns v0.98 — Kea D...
Last post by tkreagan - Today at 04:56:44 PM
Hi all,

os-kea-ubnd-ddns is an OPNsense plugin that keeps Kea DHCP and Unbound in sync, automatically and close to real-time.
GitHub: https://github.com/tkreagan/os-kea-ubnd-ddns
Latest release (v0.98 .pkg): https://github.com/tkreagan/os-kea-ubnd-ddns/releases/latest
It lives under Services → Kea Unbound DDNS once installed.

Background
I've been running OPNsense with Kea DHCP since the ISC DHCP sunset and hit the same problem a lot of people have: Kea has no built-in equivalent to the automatic DNS registration that ISC DHCP used to provide. I know static reservation mapping was added to Unbound in the standard plugin, but it doesn't handle dynamic leases and the other workarounds felt fragile. So I wrote a plugin to fix it properly.
I know some people have used dnsmasq — it's a fine combined DHCP+DNS server — but it works by being both things at once, and that's exactly why it can't help here. Kea and Unbound are separate services with no shared state, and dnsmasq can't bridge two services it doesn't own.

How it works
The best mechanism Kea provides is kea-dhcp-ddns (D2), which sends RFC 2136 DNS UPDATE packets when leases change. Standard Unbound doesn't speak RFC 2136. This plugin closes that gap: it's a stub listener on 127.0.0.1:53535 that receives D2's DNS UPDATE packets and translates them immediately into unbound-control local_data and local_data_remove calls. A, AAAA, and PTR records are handled automatically, and DNS updates happen as soon as the lease is registered.
The resident daemon also watches the Kea and Unbound pidfiles. If either service restarts and flushes its state, the daemon automatically runs a full reconcile from Kea — no manual intervention needed.

Beyond the live path, the plugin has scheduled cron jobs for syncing and cleaning anything that drifted between live updates and the next cron tick (due to how DHCP and Kea work, some things can't easily be handled in real time). If you want closer to real-time performance, there is a secondary log watcher daemon that tails the Kea log for release events and SERVFAILs, triggering targeted DNS cleanup without waiting for the next cron run.


Hostname collision handling
When two devices claim the same hostname, you choose the behavior: last wins (default — the new lease wins), allow (both IPs coexist, useful for dual-stack), first wins (first registrant holds the name), or none (evict all records for the name until the next sync resolves who owns it — prefer a brief gap over a wrong answer). OPNsense Host Overrides and "Register DHCP Static Mappings" entries are never touched by any path.


Magic hostnames
This is the feature I'm most pleased with. On most networks you'll eventually get collisions that aren't easily managed — accidents, IoT devices with hard-coded names, devices with MAC address randomization (iOS, Android, modern Windows).
When Magic hostnames is enabled, every device involved in a collision gets a stable, per-MAC parallel FQDN alongside whatever the collision policy does to the bare name:

laptop.home.lan          → 192.168.1.42  (last_wins: the current registrant)
laptop-mAABBCC.home.lan  → 192.168.1.42  (magic FQDN for that MAC)
laptop-mDDEEFF.home.lan  → 192.168.1.75  (the displaced device still has a name)
The magic FQDNs are written regardless of collision policy and are never displaced by subsequent collisions. You always have a stable name to reach any device in a collision group, even when the bare hostname is bouncing between registrants.

There's also an optional LAA tag that inserts -laa- into the suffix for MACs with the locally-administered bit set (the kind iOS and Android randomize), so you can see at a glance that the suffix encodes a throwaway MAC that may change.


Is it ready to use?
Yes. v0.98 runs on my main OPNsense box and has since shortly after the Kea migration. The feature set is complete — all four collision policies, magic hostnames, the log watcher, a Lease Audit tab that shows exactly what's registered and what the plugin thinks about each record, and a Kea Config Check tab that validates your subnet DDNS settings and can configure them for you automatically.
The 0.98 version label is honest: I've tested this extensively and the plugin is designed to be safe — it only ever writes to Unbound's runtime in-memory zone via unbound-control and never touches Unbound's config files or Host Overrides. I'm treating the next phase of broader testing and the community plugin review process as the gate to 1.0.


What's next
I'm still actively developing this - working through a few things on the edge and I have a couple more ideas I want to develop - so I am happy to take feedback and suggestions. Most importantly, installation is currently manual (download the .pkg from the release page). My goal is to get 1.0 submitted as an OPNsense community plugin once 26.7 releases and things settle — 26.7.1 or so, when there's bandwidth to review it. The plugin is fairly self-contained and shouldn't be impacted by the 26.7 changes, but I'd rather not put in a PR during a release crunch.

Happy to answer questions — would love to hear how it works on other setups.
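The translation step in "How it works" above, as an added example that is mine and not the plugin's code: the Update section of an RFC 2136 DNS UPDATE (what kea-dhcp-ddns/D2 sends) is parsed and turned into unbound-control local_data / local_data_remove commands. The sample message is constructed, and mapping every delete RR to local_data_remove (which drops all data for the name) is a simplification I chose, not necessarily what the plugin does.

```python
import ipaddress
import struct
# Added example, not the plugin's code: translate the Update section of an RFC 2136
# DNS UPDATE (what kea-dhcp-ddns/D2 sends) into unbound-control commands.
TYPES = {1: "A", 28: "AAAA", 12: "PTR", 6: "SOA", 255: "ANY"}

def read_name(msg, off):
    # Decode a wire-format name at off, following compression pointers.
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:                       # pointer: note where to resume
            end = end or off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def rdata_text(msg, rtype, off):
    if rtype == 1:  return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == 28: return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype == 12: return read_name(msg, off)[0]   # PTR target may be compressed
    raise ValueError(f"unsupported rtype {rtype}")

def update_to_unbound(msg):
    # Return the unbound-control commands for one UPDATE message.
    _, flags, zo, pr, up, _ = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != 5: raise ValueError("not a DNS UPDATE (opcode 5)")
    off = 12
    for _ in range(zo):                             # Zone section: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(pr):                             # Prerequisite RRs: skip over
        n = read_name(msg, off)[1]
        off = n + 10 + struct.unpack("!H", msg[n + 8:n + 10])[0]
    cmds = []
    for _ in range(up):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rclass == 1:                             # class IN: add RR to the local zone
            cmds.append(f"local_data {name} {ttl} IN {TYPES[rtype]} "
                        f"{rdata_text(msg, rtype, off)}")
        else:                                       # class ANY/NONE: drop the name's data
            cmds.append(f"local_data_remove {name}")
        off += rdlen
    return cmds

# Constructed sample (not a capture): zone home.lan; add laptop A + PTR, delete old.home.lan
SAMPLE = bytes.fromhex(
    "1234 2800 0001 0000 0003 0000  04 686f6d65 03 6c616e 00 0006 0001"
    "06 6c6170746f70 c00c 0001 0001 00000e10 0004 c0a8012a"
    "02 3432 01 31 03 313638 03 313932 07 696e2d61646472 04 61727061 00"
    "000c 0001 00000e10 0002 c01a  03 6f6c64 c00c 00ff 00ff 00000000 0000")
```

Each returned string is one line to feed to unbound-control; the PTR rdata in the sample is a compression pointer, which is why read_name follows pointers.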
#8
Hardware and Performance / Re: Inseego MiFi Pro M4 as WAN...
Last post by Greg_E - Today at 04:49:28 PM
Supposed to arrive today. I've been reading and it looks like the IPPT (IP passthrough) on the Ethernet port is what I want. I'll have to pick up another 12V 2A PoE power splitter to power this thing when it gets to my lab, then figure out how I'm going to connect everything. Probably going to need a PoE injector to go with this.

It does say you can do IPPT with USB tethering, so that might be an answer too, I have a few active extenders and my plan tops out at about 100mbps anyway. There will be much messing around before I find the final solution. Need to go back to the OPNsense docs and see what kind of options I can set for WAN and backup WAN with USB.
#9
Zenarmor (Sensei) / Re: Zenarmor performance expec...
Last post by Greg_E - Today at 04:42:25 PM
In general, flow control is your friend; even for audio/video over Ethernet we run this.
#10
Zenarmor (Sensei) / Re: updating to 2.6 checking f...
Last post by Greg_E - Today at 04:40:44 PM
Glad I always seem to be behind by a lot of days.