"Recent posts
#1
26.1, 26,4 Series / Re: Problem with IPv6 traffic ...
Last post by riverchu2023 - Today at 04:30:23 AMHi, I think I'm running into the same issue after upgrading to 26.1.7_1.
My setup uses a Loopback interface to bind the delegated IPv6 prefix from WAN, and my LAN interfaces use ULA addresses. I also have NPTv6 configured to translate the prefix on the WAN side.
After the upgrade, I noticed that some devices, mainly iPhones and Chromecast, are having trouble with IPv6 connectivity. Windows devices seem to be working fine. I also noticed outbound traffic showing up on the Loopback interface, which I had not seen before the upgrade.
After downgrading the kernel to 26.1.6, IPv6 connectivity returned to normal, and the Loopback interface no longer shows traffic.
My setup uses a Loopback interface to bind the delegated IPv6 prefix from WAN, and my LAN interfaces use ULA addresses. I also have NPTv6 configured to translate the prefix on the WAN side.
After the upgrade, I noticed that some devices, mainly iPhones and Chromecast, are having trouble with IPv6 connectivity. Windows devices seem to be working fine. I also noticed outbound traffic showing up on the Loopback interface, which I had not seen before the upgrade.
After downgrading the kernel to 26.1.6, IPv6 connectivity returned to normal, and the Loopback interface no longer shows traffic.
#2
26.1, 26,4 Series / Re: Factory reset, but retain ...
Last post by OPNsense4ever - Today at 03:45:35 AMQuote from: chemlud on April 30, 2026, 09:38:49 AMHow about "restoring" a custom config.xml with serial console enabled and other parts of the .xmp reset to your favourite state and reboot?
I think this is the right idea. I'm going to put this old firewall together with a new firewall in a CARP cluster. If I backup the config from the new firewall, edit the IPs, restore on the old firewall, that should work, right?
#3
General Discussion / Re: stop my ISP from eves drop...
Last post by BrandyWine - Today at 02:40:28 AMYou want to hide all app level stuff, then use a vpn service.
Even with all your traffic encrypted the ISP can see see routed IP. Using special techniques, traffic patterns become indicators, like part of a c2/botnet.
There are other more advanced techniques to be had, like chopping up your data stream and sending those chunks out via random VPN's, to be combined some place else before making last dash to target.
Even with all your traffic encrypted the ISP can see see routed IP. Using special techniques, traffic patterns become indicators, like part of a c2/botnet.
There are other more advanced techniques to be had, like chopping up your data stream and sending those chunks out via random VPN's, to be combined some place else before making last dash to target.
#4
26.1, 26,4 Series / Dnsmasq DHCP on new guest inte...
Last post by bernieo - Today at 12:59:31 AMDnsmasq DHCP on new guest interface receives Discover but sends no Offer until a manual dnsmasq override is added
## Summary
I ran into what looks like a Dnsmasq/OPNsense edge case while adding a new guest Wi-Fi interface.
A new guest subnet/interface was created and DHCP was enabled in the OPNsense GUI. The network path itself was confirmed working:
* client DHCP Discover packets reached the correct guest interface
* `dnsmasq` was running and listening on UDP 67
* the generated `dnsmasq.conf` already contained a DHCP range for the new interface
Despite that, no `DHCPOFFER` or `DHCPACK` was sent.
The issue was only resolved after adding a manual override file under:
```text id="y967c9"
/usr/local/etc/dnsmasq.conf.d/
```
with an explicit interface-scoped DHCP definition for the guest interface, then restarting `dnsmasq`.
After that, DHCP immediately worked and guest clients could:
* obtain leases
* resolve DNS
* access the internet
* remain isolated from internal RFC1918 networks
## What makes this look like a bug / edge case
Before the workaround:
* DHCP Discover packets were definitely arriving on the intended guest interface
* the interface was up and addressed correctly
* the generated `dnsmasq.conf` already had a DHCP range for that interface
* but `dnsmasq` never sent an Offer
After adding an explicit manual override for that interface:
* `DHCPOFFER`
* `DHCPREQUEST`
* `DHCPACK`
all appeared immediately.
So it seems the GUI-generated scope existed, but was not actually sufficient for live DHCP service on that new interface.
## Workaround that fixed it
A custom dnsmasq drop-in file was added with explicit interface binding plus router/DNS options for the guest subnet, followed by:
```sh id="c8b9xw"
configctl dnsmasq restart
```
## Question
Has anyone seen this before with newly added interfaces/VLAN-backed guest networks in OPNsense using dnsmasq?
I have a fuller write-up with config excerpts and before/after packet captures if needed, but I wanted to start with a cleaner summary first in case this is already a known issue.
#5
26.1, 26,4 Series / Re: Business Edition pf CVE-20...
Last post by pfry - Today at 12:47:18 AMSomething the Fortinets had that was rather nice was "session-helper" (ALG or protocol parsing) control - you could enable specific ALGs by protocol and port. (Interestingly, I don't see SCTP in my old config template.) Killing the SCTP ALG might be of limited use, though.
#6
25.1, 25.4 Legacy Series / Re: HA Proxy no logs at all.
Last post by bimbar - Today at 12:37:34 AMSame problem here, same solution works. No idea why. On another firewall with haproxy, it works.
#7
26.1, 26,4 Series / Re: Old Rules --> New rules
Last post by torwag - April 30, 2026, 11:58:13 PMFunny, came here to ask exactly the same question. I understand that these changes require a careful and long transition time. Meanwhile, people who did the switch are facing a more cluttered interface of [new], [legacy] options (same is going on for DHCP Services). For me, it is not the aesthetic aspect but my pure stupidity, which let me start do changes in the old config, before I noticed I'm at the wrong spot.
I would love to see a possibility to mark certain entries, including those I don't use, in the particular menu bar to set them to be invisible. Potentially indicating that the current view of the menu bar is a shortened version, by a very subtle "..." sign at the end of a menu-bar. Clicking on that three dots, will extend the menu bar to its complete and full glory.
Thus, users could shorten and customize the menus for daily use, without losing the possibility to quickly access seldomly used features.
I would love to see a possibility to mark certain entries, including those I don't use, in the particular menu bar to set them to be invisible. Potentially indicating that the current view of the menu bar is a shortened version, by a very subtle "..." sign at the end of a menu-bar. Clicking on that three dots, will extend the menu bar to its complete and full glory.
Thus, users could shorten and customize the menus for daily use, without losing the possibility to quickly access seldomly used features.
#8
26.1, 26,4 Series / Re: Business Edition pf CVE-20...
Last post by muchacha_grande - April 30, 2026, 10:58:47 PMQuote from: Patrick M. Hausen on April 30, 2026, 09:06:57 PMCheck your rule set for rules that do not specify the protocol explicitly as TCP, UDP or ICMP but use "any" instead. These are susceptible to a DoS attack. You might want to replace "*" with "TCP/UDP" if applicable.
Thank you Patrick for pointing this out
#9
General Discussion / Re: NPTv6 seems to mistranslat...
Last post by OPNenthu - April 30, 2026, 10:58:19 PMDo we have a tutorial for NPTv6?
I rebooted after upgrade to the latest OPNsense and now because my WAN interface address is being translated I have lost the WG tunnel to a remote OPNsense.
You cannot view this attachment.
Apologies for the redactions but in this screenshot 2600:...:185 is the remote OPNsense and 2601:...:d2cf is my WAN IF.
For some reason it's getting translated to my LAN prefix which of course is wrong.
I rebooted after upgrade to the latest OPNsense and now because my WAN interface address is being translated I have lost the WG tunnel to a remote OPNsense.
You cannot view this attachment.
Apologies for the redactions but in this screenshot 2600:...:185 is the remote OPNsense and 2601:...:d2cf is my WAN IF.
For some reason it's getting translated to my LAN prefix which of course is wrong.
#10
Announcements / Re: OPNsense 26.1.7 released
Last post by franco - April 30, 2026, 10:14:44 PMA hotfix release was issued as 26.1.7_1:
o system: fix missing newline when generating cron jobs due to a regression
o system: fix missing newline when generating cron jobs due to a regression
