Recent posts

#1
25.7, 25.10 Series / DNS issues since upgrade to 25...
Last post by sdsfgd - Today at 12:14:02 AM
Upgraded from 25.7.9_7 to 25.7.10 and since then I am having what I believe to be DNS issues, but I am not really sure how to debug them.

In the system settings, I have 149.112.112.112 and 9.9.9.9 as the DNS servers.

Then my interfaces are as follows:

- LAN (ax0) -> v4: 10.0.1.1/24
- VLAN10_MANAGE (vlan01) -> v4: 10.0.10.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive - DNS in pi-hole is Proton DNS)
- VLAN20_VPN (vlan02) -> v4: 10.0.20.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive)
- VLAN30_CLEARNET (vlan03) -> v4: 10.0.30.1/24 -> DNS: 10.0.10.24 (Pi-hole light - DNS in pi-hole is Quad9)
- VLAN40_GUEST (vlan04) -> v4: 10.0.40.1/24 -> DNS: 1.1.1.1, 1.0.0.1
- VLAN50_IOT (vlan05) -> v4: 10.0.50.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive)
- VLAN60_BLOCKED (vlan06) -> v4: 10.0.60.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive)
- VLAN80_EXPOSED (vlan08) -> v4: 10.0.80.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive)
- VLAN90_INTERNAL (vlan09) -> v4: 10.0.90.1/24 -> DNS: 10.0.10.25 (Pi-hole aggressive)
- VPN0 (wg1) -> v4: 10.2.0.2/32
- VPN1 (wg2) -> v4: 10.3.0.2/32
- WAN (ax1) -> v4/DHCP4: 192.168.1.94/24

The networks that do not go through WireGuard (ProtonVPN) no longer work: LAN, CLEARNET, and GUEST. The other VLANs go through the VPN, but I do get the sense they are slow.

OPNsense no longer connects to the internet either. If I do a connectivity audit, it hangs for 1 hour+ with no result:

```text
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7.10 (amd64) at Sat Dec 20 23:22:00 CET 2025
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
```


If I check the following in the system settings:

- Allow DNS server list to be overridden by DHCP/PPP on WAN
- Do not use the local DNS service as a nameserver for this system

and run the connectivity audit, it is much faster, I get the results below, and it seems that at least OPNsense has internet access again:


```text
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.10 (amd64) at Sat Dec 20 23:15:49 CET 2025
Checking connectivity for host: mirror-opnsense.serverbase.ch -> 212.237.209.20
PING 212.237.209.20 (212.237.209.20): 1500 data bytes

--- 212.237.209.20 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://mirror-opnsense.serverbase.ch/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror-opnsense.serverbase.ch -> 2a03:da40:2::20
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://mirror-opnsense.serverbase.ch/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: mirror-opnsense.serverbase.ch
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R12
verify return:1
depth=0 CN = mirror-opnsense.serverbase.ch
verify return:1
DONE
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
```


I do not have Unbound or Dnsmasq enabled.
I am also seeing network time errors like this in the logs: `Error ntpd - error resolving pool 0.ch.pool.ntp.org: Address family for hostname not supported (1)`.
I also tried downgrading OPNsense and the kernel to 25.7.8, but the results did not change, which makes me think a package update is responsible.
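An added diagnostic example (not from the post or from the OPNsense project): a stdlib-only probe that sends A and AAAA queries directly to each resolver the post lists and tells apart a resolver that never answers (timeout or unreachable) from one that answers with an error code. The resolver grouping and the `0.ch.pool.ntp.org` name come from the post; the function names and the fixed transaction id are my own choices.

```python
import socket
import struct

RESOLVERS = {  # resolver groups as listed in the post (constructed mapping)
    "system (Quad9)": ["149.112.112.112", "9.9.9.9"],
    "Pi-hole aggressive": ["10.0.10.25"],
    "Pi-hole light": ["10.0.10.24"],
    "guest (Cloudflare)": ["1.1.1.1", "1.0.0.1"],
}
QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id; acceptable for a one-shot diagnostic

def build_query(name, qtype):
    """Minimal UDP DNS query: header with RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Return (rcode name, answer count); a header-only parse is enough to diagnose."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe(server, name, qtype, timeout=2.0):
    """Distinguish 'no answer at all' from 'answered with an error' for one resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
        except OSError as e:  # e.g. ICMP unreachable surfaced on the UDP socket
            return "UNREACHABLE (%s)" % e.strerror
    rcode, ancount = parse_response(data)
    return "%s, %d answers" % (rcode, ancount)

if __name__ == "__main__":
    for group, servers in RESOLVERS.items():
        for srv in servers:
            for qt, code in QTYPES.items():
                print("%-20s %-16s %-4s %s" % (group, srv, qt, probe(srv, "0.ch.pool.ntp.org", code)))
```

Run it on the firewall itself and on a client in one of the failing VLANs; a TIMEOUT from every group points at forwarding or gateway state, while SERVFAIL only for AAAA matches the address-family error ntpd logs.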
#2
German - Deutsch / Re: IPv6 am PON-Anschluss von ...
Last post by Maurice - December 20, 2025, 11:22:49 PM
No /56, or no prefix delegation at all? What does the DHCPv6 log say?

SLAAC only on a fibre connection would be very unusual.
#3
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by Maurice - December 20, 2025, 11:16:49 PM
With NPT the internal prefix has to be static. That would only be possible if the Telekom connection is a business connection.
And NPT does not solve the problem that individual hosts on the LAN can only be identified via MAC aliases or by using DHCPv6 reservations. Both have drawbacks.

The solution with separate LANs, on the other hand, is reliable, easy to set up, and works without IPv6 NAT or other tricks.
#4
25.7, 25.10 Series / Hosts imported into Dnsmasq no...
Last post by nray - December 20, 2025, 09:48:46 PM
I set up Dnsmasq a month ago and used the "Import csv" feature to set up most of the host reservations. The DHCP lease reservations function as expected, except the Dnsmasq user interface doesn't recognize the lease type as "static" as it should and thinks they are "dynamic".

That means that on the Leases page, next to each of those hosts imported from the csv, instead of the magnifying glass "Find Reservation" there is the + "Add Reservation", even though there is a functioning reservation. Hosts I have set up individually using the "Add" button do not have this issue.

Is this a known issue, and is there a fix?
#5
Virtual private networks / Re: os-softether-devel (miscon...
Last post by mcedars - December 20, 2025, 09:35:20 PM
Same here, we use it in production and as per the above I offered to contribute documentation for it. It's been very stable for us, for many years, on many different systems and in multiple use cases.

All that users need to grasp is that it behaves like its own IP stack side-by-side to the OS, and once you wrap your head around that everything falls into place. Most of the trouble people have is when it tries to compete with OPNsense itself for the same addresses etc.

I wish there was a way to get it installable again, either from the main repo or from the mimugmail repo. Please!! :-)

Quote from: fhloston on December 18, 2025, 04:24:33 PM
Quote from: franco on August 29, 2025, 12:30:19 PM
In discussion with Michael we're going to remove it in 25.7.3 -- it was never released officially and feedback was very low and inconclusive over the years. Better VPN alternatives exist these days.

Oh what a pity... just noticed on a new install that this is not installable anymore.
 
I contributed the patch to have it follow carp state. I am using this on roughly 40 HA pairs to connect remote offices with datacenter backends. We explicitly migrated to softether from openvpn because in the dual HA configuration this works very well, the active tunnel endpoint on each side just follows CARP master.

Usually if there is no feedback, it just works [tm].

I would obviously be interested in a) being able to install it again and b) receiving updates for it.
#6
German - Deutsch / Re: IPv6 am PON-Anschluss von ...
Last post by mbr89 - December 20, 2025, 09:00:24 PM
I'm not getting a /56 prefix ... quite an outrage

https://www.ripe.net/publications/docs/ripe-690/

4.2.3. Prefixes, longer than /56

It is strongly discouraged to assign prefixes longer than /56 unless there are very strong and unsolvable technical reasons for doing this.

They obviously don't give a damn about that.
#7
German - Deutsch / Re: IPv6 am PON-Anschluss von ...
Last post by mbr89 - December 20, 2025, 08:31:59 PM
Quote from: Maurice on December 20, 2025, 06:23:39 PM
Okay, the PPPoE session is up, the IPv6 default gateway is assigned, a /64 is assigned via Router Advertisement, the WAN interface address is configured via SLAAC. All normal so far.

But you have to switch back to DHCPv6 if you want a prefix delegation; that does not work via SLAAC.

There is nothing to configure on the ONT in this respect, it is a layer 2 bridge.

I'll try it this way - see attachment
#8
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by bimbar - December 20, 2025, 08:28:57 PM
My advice would be to hand the primary connection's prefix to the clients via SLAAC and Track Interface, and to do NPTv6 outbound NAT on the secondary connection.

There is otherwise no sensible solution for this, see also https://blog.ipspace.net/2010/12/small-site-multihoming-in-ipv6-mission/ . There are also various RFCs and drafts on the topic, but as far as I know no real solution other than NAT.
#9
German - Deutsch / Re: Kein Zugriff auf Weboberfl...
Last post by Patrick M. Hausen - December 20, 2025, 08:04:14 PM
Every device needs a default gateway in its own network if it is to communicate with others outside it. So yes.
#10
German - Deutsch / Re: Kein Zugriff auf Weboberfl...
Last post by juergen2025 - December 20, 2025, 07:59:54 PM
Switch: Yes, that was basically a thought experiment to check my understanding.

I think I made a fundamental error in reasoning about the gateway and wanted to verify that quickly.

Starting situation:

- PC is connected to LAN (192.168.13.0/24)
- Mini PC with Proxmox is connected to OPT2 (192.168.15.0/24)
- OPNsense has:
  - LAN: 192.168.13.1
  - OPT2: 192.168.15.1

Until now I assumed that during the Proxmox installation I had to enter the LAN IP (192.168.13.1) as the gateway, since access comes from the LAN.

I now suspect that this is wrong and that for a device connected directly to OPT2, the firewall's OPT2 IP (192.168.15.1) must always be entered as the gateway, regardless of which network it is later accessed from.

Is this assumption correct, and was that exactly the mistake why the Proxmox web interface was not reachable from the LAN?