Recent posts

#1
26.1 Series / ReflectionException trying to ...
Last post by ltcptgeneral - Today at 09:23:23 AM
I've managed to successfully migrate the FW rules to the new interface, but Opnsense throws the following error if I try to do step 5 (deleting the legacy rules):

[28-Feb-2026 00:05:49 America/Los_Angeles] ReflectionException: Class "OPNsense\" does not exist in /usr/local/opnsense/mvc/app/library/OPNsense/Core/ConfigMaintenance.php:62
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Core/ConfigMaintenance.php(62): ReflectionClass->__construct('OPNsense\\')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Core/ConfigMaintenance.php(42): OPNsense\Core\ConfigMaintenance->loadModels()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/MigrationController.php(48): OPNsense\Core\ConfigMaintenance->__construct()
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\MigrationController->flushAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/m...', Array)
#7 {main}

This happens with or without legacy rules. There also seems to be ghost floating rules (which don't actually exist in the legacy floating rules list).
#2
26.1 Series / Re: communications error to 19...
Last post by patient0 - Today at 08:10:15 AM
Since the error is sporadic, it's quite hard to know. But check the DNS resolver logs on OPNsense for the exact time you had the error.

I wouldn't think it has anything to do with IPv6 since the error is ";; communications error to 192.168.3.1#53: timed out" which shows that your machine was querying using IPv4.

Do you get a result back despite the error?

And what are you using as a DNS resolver on OPNsense? And the OPNsense has got the IP 192.168.3.1?
#3
26.1 Series / Re: Unbound Query Forwarding ....
Last post by Netlearn - Today at 05:42:43 AM
Just an update with some more information.

I have found an issue from 2024 and a currently open issue about this.

My setup also involves VPNs and queries to other Unbounds on OPNsense, which introduces more complexity and perhaps some differences.
#4
General Discussion / Re: Feature request: Option to...
Last post by Netlearn - Today at 05:28:41 AM
As @Patrick suggests in this thread, leaving a subnet with an empty list of pools has the desired effect: the server does not assign an IP to clients without a reservation.

Closing the issue on Github.

#5
26.1 Series / Re: VoIP outbound calls not wo...
Last post by lmoore - Today at 03:01:08 AM
Now for the final image.
#6
26.1 Series / Re: VoIP outbound calls not wo...
Last post by lmoore - Today at 03:00:35 AM
The remaining images -1.
#7
26.1 Series / Re: VoIP outbound calls not wo...
Last post by lmoore - Today at 02:58:24 AM
I've found this document for Vodafone Germany, which may help.

https://www.vodafone.de/media/downloads/pdf/Vodafone-Kabel-Deutschland-GmbH-Telephony-Interface-Specific.pdf

In my environment I have a separate VLAN for VoIP. The way I've written my rules is to only allow connections from this VLAN to the SIP_Providers alias. In my SIP_Providers alias I have included the ITSP's SIP & RTP server addresses.

With the traffic originating from my network, the rules match the DSCP field and then tags it. This is applied to SIP, RTP voice & RTP video.

The VoIP Outbound NAT rule simply matches these tagged packets.

The outgoing firewall rule simply matches the tagged packets. This removes the need to create rules using RTP ranges, as these will differ between providers.

The screen shots may help to illustrate this.

The QoS settings for the N670IP Pro are on page 55 of the English manual. You could look up the settings on your Fritzbox and replicate them on the N670IP Pro. I doubt this will be the reason your outbound calls are failing.

You may need to reference this site when working out what you need to set for the DSCP/TOS field - https://tucny.com/Home/dscp-tos
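As an added helper for working out the DSCP/TOS values the post refers to (this is not code from the post or from OPNsense; the packets it builds are constructed inline and the addresses are placeholders), the following translates DSCP names such as EF, AF41 and CS3 to code points and to the TOS byte, and reads the DSCP back out of a raw IPv4 header so a capture can be checked against what the rule matches:

```python
"""DSCP/TOS helper for building VoIP match rules.

Added example, not code from the OPNsense project or the original post.
Translates DSCP names (EF, AF41, CS3, ...) to code points and to the TOS
byte, and reads the DSCP back out of a raw IPv4 header so a capture can be
checked against the rule. Sample packets below are constructed inline.
"""
import socket
import struct

EF = 46  # Expedited Forwarding (RFC 3246): the usual RTP voice marking


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the upper 6 bits of the 8-bit TOS/Traffic Class byte;
    the low 2 bits are ECN, so EF (46) becomes TOS 0xB8 (184)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Drop the 2 ECN bits of a TOS byte to recover the DSCP code point."""
    return (tos & 0xFF) >> 2


def dscp_name(dscp: int) -> str:
    """Standard name for a code point: EF, CSn, AFxy; otherwise 'DSCPnn'."""
    if dscp == EF:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"                     # class selectors CS0..CS7
    if 1 <= cls <= 4 and rem in (2, 4, 6):    # AF = 8*class + 2*drop precedence
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp}"


def parse_dscp_name(name: str) -> int:
    """Inverse of dscp_name(); accepts case-insensitive names such as 'af41'."""
    n = name.strip().upper()
    if n == "EF":
        return EF
    if n == "BE":
        return 0
    if n.startswith("CS") and n[2:].isdigit() and 0 <= int(n[2:]) <= 7:
        return int(n[2:]) * 8
    if n.startswith("AF") and len(n) == 4 and n[2:].isdigit():
        cls, dp = int(n[2]), int(n[3])
        if 1 <= cls <= 4 and 1 <= dp <= 3:
            return 8 * cls + 2 * dp
    if n.startswith("DSCP") and n[4:].isdigit() and 0 <= int(n[4:]) <= 63:
        return int(n[4:])
    raise ValueError(f"unknown DSCP name: {name}")


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp: int, src: str, dst: str,
                      proto: int = 17, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header carrying the given DSCP (checksum filled in)."""
    fields = [0x45, dscp_to_tos(dscp), 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def ipv4_dscp(packet: bytes) -> int:
    """Read the DSCP from the second byte of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos_to_dscp(packet[1])


if __name__ == "__main__":
    # Constructed RTP-like packet from a VoIP VLAN host to a placeholder ITSP address.
    pkt = build_ipv4_header(EF, "192.168.50.10", "203.0.113.5")
    print(dscp_name(ipv4_dscp(pkt)), hex(pkt[1]))
```

The point to keep in mind when comparing the rule editor's DSCP value with a capture or with the phone's QoS settings: the DSCP code point and the TOS byte differ by a factor of four (EF is 46 as DSCP but 0xB8/184 as a TOS byte), which is exactly the confusion the linked tucny.com table resolves.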
#8
Virtual private networks / Re: Gateway priority and statu...
Last post by kfm - Today at 01:59:35 AM
I can confirm this issue.  Is there any progress or better workarounds?


ISSUE
--------------------------

In my situation, I define multiple non-upstream gateways with different priorities in Gateways -> Configuration:

GW100 192.168.1.100 upstream=no priority=100 monitor=10.0.0.100
GW101 192.168.1.101 upstream=no priority=101 monitor=10.0.0.101

...and then I add the same route for each gateway in Routes -> Configuration:

10.0.0.0/8 via 192.168.2.100
10.0.0.0/8 via 192.168.2.101

The expectation is that the system routing table will populate with a route for whichever gateway is up with the highest priority (in this case, it would be GW100).  Instead, OPNsense seems to randomly select which gateway will get the route in the system table, regardless even of whether the gateway is up or down.

This issue seems to only apply to non-default gateways.  Default gateways seem to handle this correctly.




WORKAROUNDS
--------------------------

1. Like zubrick said, you can manually create more precise routes for the preferred gateway to force OPNsense to put both routes in the system table.  However, if the preferred gateway goes down, OPNsense doesn't update the routing table to remove the applicable route(s).  Rather, you have to manually disable the preferred gateway to remove the route, which is not optimal.

2. Can't use gateway groups in NAT rules because the traffic is not being NATted.

3. Can't use gateway groups in Routes -> Configuration, because OPNsense does not allow groups to be the target of route rules.

4. Can create a gateway group and then create firewall rules for all interfaces that force the gateway for traffic going to 10.0.0.0/8, but this would mean duplicating every firewall accept rule (one for local traffic, one for remote traffic).  I'm not sure if maybe there is a smarter way to do this with non-quick rules or marking?

5. Maybe some kind of monit scripting that can watch the gateway status and add/remove routes as needed?  I couldn't find much documentation on it.

None of these options are great.




PREFERRED RESOLUTION
--------------------------

The two easiest ways to solve this from a user's perspective would be

(1) allow gateway groups as targets for static route configuration or

(2) have an option to treat down gateways as disabled for purposes of system routing table generation.
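As an added illustration of what the scripted workaround (item 5 above) would have to do, and not code from the post or from OPNsense itself: the decision logic that picks the highest-priority gateway that is currently up and emits the FreeBSD route(8) command needed to bring the system table in line. The gateway list is constructed to mirror the post's layout; the names, addresses and the `up` flag are assumptions, not values read from anyone's system, and how the monitor state is obtained is left to the caller.

```python
"""Route reconciliation for prioritised non-default gateways.

Added example, not part of the original post or of OPNsense: the decision
logic a monit/cron script for workaround 5 would need. Given the gateways
configured for a destination, their priorities and current monitor state,
it chooses the highest-priority gateway that is up and returns the FreeBSD
route(8) command that brings the system table in line. The gateway list
below is constructed; names, addresses and the `up` flag are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    address: str
    priority: int   # lower number wins, as in Gateways -> Configuration
    up: bool        # whatever the gateway monitor reported for the monitor IP


def select_gateway(gateways: list[Gateway]) -> Optional[Gateway]:
    """Highest-priority (lowest number) gateway whose monitor reports up;
    ties broken by name so the result is deterministic."""
    candidates = [gw for gw in gateways if gw.up]
    if not candidates:
        return None
    return min(candidates, key=lambda gw: (gw.priority, gw.name))


def reconcile(destination: str, gateways: list[Gateway],
              installed_via: Optional[str]) -> list[str]:
    """Commands needed to move the route for `destination` from the gateway
    currently in the system table (installed_via, None if absent) to the
    one select_gateway() picks. Returns [] when nothing has to change.
    Commands are returned, not executed, so the caller decides how to run them."""
    wanted = select_gateway(gateways)
    if wanted is None:
        # Every gateway is down: leave no stale route behind.
        return [f"route delete -net {destination}"] if installed_via else []
    if installed_via is None:
        return [f"route add -net {destination} {wanted.address}"]
    if installed_via != wanted.address:
        return [f"route change -net {destination} {wanted.address}"]
    return []


# Constructed state mirroring the post's layout: GW100 is preferred but down.
GATEWAYS = [
    Gateway("GW100", "192.168.1.100", 100, up=False),
    Gateway("GW101", "192.168.1.101", 101, up=True),
]

if __name__ == "__main__":
    for cmd in reconcile("10.0.0.0/8", GATEWAYS, installed_via="192.168.1.100"):
        print(cmd)
```

Two caveats if this is run from monit or cron: failover latency is bounded by the polling interval plus the monitor's own detection time, and a route installed by an external script can be overwritten whenever OPNsense reapplies its own routing configuration, so the script has to be idempotent and run again after such reloads.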
#9
26.1 Series / Re: Kea DHCPv4 How to remove d...
Last post by Netlearn - Today at 01:53:44 AM
I haven't tried, but it's not an easy workaround for a medium network, because one would have to connect the new machine to the "no-leases" VLAN and then to the device's destination VLAN, which is not always feasible. Plus the existence of that "no-leases" VLAN in all the infrastructure (wired and wireless).

Maybe your advice could do the trick for a small network, but I think most OPNsense users tend to have medium-sized or larger networks.

I proposed the new web feature because I think I'm not alone in this situation, it's a supported Kea feature, and it improves alignment with ISC, which is now a plugin and mostly deprecated.

[EDIT]

Your advice works perfectly.

What I didn't know was that subnets can be created with an empty list of pools, so I didn't understand your approach at first. As far as I can remember, that couldn't be done in ISC, so I had all my subnets with, at least, a little pool. Following your advice, I tried to delete the pool from some of the subnets (those that I want to function with reserves only). It does what it is supposed to do and no lease is given.

Maybe that should be documented, especially for people migrating from ISC.

Closing the issue I opened...
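As an added illustration of the reservations-only subnet described in this post and in the "Feature request: Option to..." post above (constructed example, not the poster's configuration and not the file OPNsense generates), this is what the equivalent Kea DHCPv4 JSON looks like: the subnet keeps its options and reservations but carries an empty `pools` list, so a client without a matching reservation gets no lease. The interface name, subnet and MAC addresses are placeholders.

```json
{
  "Dhcp4": {
    "interfaces-config": { "interfaces": [ "vlan10" ] },
    "lease-database": { "type": "memfile", "persist": true },
    "subnet4": [
      {
        "id": 10,
        "subnet": "192.168.10.0/24",
        "pools": [],
        "option-data": [
          { "name": "routers", "data": "192.168.10.1" },
          { "name": "domain-name-servers", "data": "192.168.10.1" }
        ],
        "reservations": [
          { "hw-address": "02:00:00:00:00:10", "ip-address": "192.168.10.50" },
          { "hw-address": "02:00:00:00:00:11", "ip-address": "192.168.10.51" }
        ]
      }
    ]
  }
}
```

The contrast with ISC is the point: there the subnet needed a range statement, here the pool list may be empty and only hosts in `reservations` are served.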
#10
26.1 Series / Re: Unbound Query Forwarding ....
Last post by Netlearn - Today at 01:42:31 AM
Thanks for help.

I went to the section to be sure, and it's already disabled in all five Unbounds.

The other option to register reservations ("Register DHCP Static Mappings") is selected, as I need it to declare all the needed hosts.  Not sure if it interferes with query forwarding, given that I'm not using ISC and all of them have migrated to Kea and I've uninstalled the plugin.