Recent posts

#1
German - Deutsch / Re: Problem with Port Forwardin...
Last post by BeTZe313 - Today at 01:35:54 PM
Quote from: Patrick M. Hausen on Today at 11:01:18 AM
No, of course not. But the idea behind using an OPNsense is to replace the provider's router. What is your OPNsense there for if you have a router?

OK, so that means I plug the cable that comes out of the wall socket directly into the WAN port of the OPNsense? And configure my Telekom DSL connection through it?
#2
26.1 Series / Re: Identity Association IPv6 ...
Last post by bazineta - Today at 01:35:54 PM
Yes, that's it. My configuration contains the following:

  <dhcpdv6>
    <opt2>
      <enable>-1</enable>
    </opt2>
    <opt1>
      <enable>-1</enable>
    </opt1>
    <lan>
      <enable>-1</enable>
    </lan>
    <opt3>
      <enable>-1</enable>
    </opt3>
  </dhcpdv6>

And that corresponds to the 'stuck' interfaces. I had migrated to dnsmasq DHCP some time ago in preparation for this release, so ISC DHCP wasn't active on the interfaces either before or after the upgrade to 26.1. Tried the legacy -> association change both with the ISC plugin installed and with it uninstalled, no change.

There's no entry for ISC DHCP in System: Configuration: Defaults on my system.

To resolve, on each affected interface, I ticked "Allow manual adjustment of DHCPv6 and Router Advertisements", hit Save, then immediately changed the type to "Identity Association", hit Save again, and only then hit Apply.

This changed nothing in the dhcpdv6 section of the system configuration, still the same keys and values present there, but it did allow the type change to take.
#3
According to current community information, the latest version is v2.36.
#4
26.1 Series / Re: gray fields in new rules
Last post by sargatka - Today at 01:19:09 PM
Thanks!
#5
26.1 Series / Re: Old rules deprecation
Last post by Seimus - Today at 01:18:16 PM
Quote from: Seimus on January 29, 2026, 06:48:34 PM
Would it be possible to have the Statistic section in a single row if I expand its section?
https://github.com/opnsense/core/issues/9674

Regards,
S.
#6
26.1 Series / Potential issue with renaming ...
Last post by EndiRabbit - Today at 01:12:23 PM
Hi,

I primarily use groups for setting policies for my configuration. In a test config running in Proxmox this morning, I tried to go back and sanitize some FW group names, changing three of them from

  • all_internal SEQ 11
  • priv_internal SEQ 9
  • iot_internal SEQ 9

to

  • GRP_all_int SEQ 11
  • GRP_priv_int SEQ 9
  • GRP_iot_int SEQ 9

After changing them in the test network and clicking [APPLY] (in the web GUI), access to the Internet went down (defined in rules in GRP_all_int). For reference, the GRP_all_int has general network rules to the Internet, and GRP_priv_int and GRP_iot_int have internal rules that are specific to the VLANs for the interfaces that make up each group. Then each interface has interface specific FW rules and a final rule to block all other undefined network traffic as a catch all.

I rebooted and reloaded the web admin interface, but no joy - couldn't access google.com. Traffic was hitting the catch all rule. Not until I rolled back in the GUI the names and clicked [APPLY] was Internet access restored. Has anyone else encountered this issue by changing FW group names in the web GUI?
#7
Quote from: ab on Today at 12:13:51 PM
Currently they just say "Reboot the machine" which I thought I had accomplished with the power button.
Glad you're back online without having to use a chip reader/writer.

That is indeed something that could be added to the documentation, yes.
#8
26.1 Series / Log to remote logserver using ...
Last post by sensuary - Today at 12:58:07 PM
Hi, I have a CA that I manage myself outside of OPNsense. I have issued a certificate for my OPNsense firewall and I would like to use that to send logs from OPNsense to my central logserver using TLS.
I can go into System, Settings, Logging, Remote and set everything up there (before that I imported the certificate to be used into the Trust store). But each time OPNsense tries to send a log to my logserver, this appears in OPNsense's local logs:
Notice syslog-ng Syslog connection broken; fd='33', server='AF_INET($REDACTED_IP)', time_reopen='60'
Error syslog-ng I/O error occurred while writing; fd='33', error='Broken pipe (32)'
Error syslog-ng SSL error while writing stream; tls_error='error:0A000086:SSL routines::certificate verify failed', location='/usr/local/etc/syslog-ng.conf.d/syslog-ng-destinations.conf:12:9'
Error syslog-ng Certificate validation failed; ...$REDACTED CERTIFICATE INFO ... error='unable to get local issuer certificate', depth='1'
Notice syslog-ng Syslog connection established; fd='33', server='AF_INET($REDACTED_IP)', local='AF_INET(0.0.0.0:0)'

As I understand it, this means that syslog-ng does not trust the certificate on the other end.
That certificate is signed by my CA, so if I upload my CA to OPNsense then syslog-ng should trust it, right?
But how do I upload my CA without giving it my key?

I tried going into Trust, Authorities and uploading my self-signed certificate. I selected "Import an existing Certificate Authority", gave it a description and pasted my public certificate into the Certificate Data field, leaving the Private key data field empty.

This does not help, it seems.

Any ideas on what I am doing wrong?
#9
26.1 Series / Re: gray fields in new rules
Last post by franco - Today at 12:58:00 PM
If you mean the grey (i), it's simply indicating the option does not have a help text. ;)


Cheers,
Franco