Recent posts

#1
General Discussion / Re: Support AmneziaWG
Last post by OPNenthu - Today at 03:11:33 AM
Quote from: Lucid1010 on April 12, 2026, 06:21:10 PM
Admins and developers who don't prioritize privacy or censorship resistance may not find this significant.

Tools have a place, but resistance is a political process. It doesn't matter how many evasive tools you have; nothing changes until a critical voting mass of countrymen and women decide that they've been had and they take out the garbage at the polls.
#2
26.1 Series / Kea DHCP log /leases question....
Last post by Ed V. - Today at 02:44:10 AM
Part of digging into the new DDNS options (and my subsequent GitHub request for a "manual" flag) led to reviewing logs.

I notice that in the latest 26.1.6 release of Kea, the location where the WebUI searches for lease information has changed.

It used to be that the "standard" was to send tagged logs ("kea-dhcp4" or "kea-dhcp6") to "syslog".

With the update from 26.1.5 to 26.1.6, the "leases" screens show "No results found", even though the CSV files are present in /var/db/kea.

The built-in ".sample" files now have the log output set as "kea-dhcp4.log" or "kea-dhcp6.log" versus "syslog", so I switched over and restarted the daemons.

Leases were being posted in "syslog" and are now being posted in "kea-dhcp4" or "6" log, but the WebUI still shows "No results found".

Where should the daemons be logging in this release?

Is there a custom location for leases information with the latest update?  If so, where should I post lease data?

Thank you.

#3
26.1 Series / Re: Kea DDNS in practice...
Last post by Ed V. - Today at 02:38:14 AM
Quote from: sopex8260 on April 12, 2026, 02:55:14 AM
Quote from: Ed V. on April 10, 2026, 08:59:52 PM
Update to v26.1.6 didn't add any new options/fields in the Kea DDNS or DHCP tabs.

https://github.com/opnsense/ports/issues/265 filed at GitHub to request the "Manual" flag.

Thank you!

Under each subnet's settings there are the DDNS options.

If you're using the WebUI, you are 100% correct.

Unfortunately, I'm weird and roll my own config file manually - which removes the option from the WebUI.
#4
General Discussion / Re: Configuration Advice?
Last post by drosophila - Today at 02:35:24 AM
Don't smart switches provide the option of restricting the configuration access to a specified port only anymore? At least HP had that over a decade back.
#5
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by vimage22 - Today at 02:31:47 AM
I hope this does not add more confusion, but I do not think this is a completely simple issue as I think pseudonym3k has shown many valid points. It is a little complex. I do not understand every aspect of DNS, in relation to Kea, Unbound and DNSmasq, but trying to learn. But I do understand DNS, especially from a ms perspective. There is yet a fourth variable of "System: Settings: General:  DNS servers". And there is the complexity of disabling ISC correctly. So you are dealing with at least 4 variables, and one must decide on the strategy to use.

Personally, I started down the road of migrating from ISC to DNSmasq. But very quickly decided I did not like the combination of DHCP and DNS (not recursive) within DNSmasq. I do like that Kea = DHCP and Unbound (recursive) = DNS. In my mind, very simple and effective. [BTW, "System: Settings: General:  DNS servers" is blank. I use Cloudflare DoT, within Unbound, NOT my ISP DNS].

I guess I can only describe how my setup has met my requirements, and then see if it matches another user.
"Services: Dynamic DNS" = dynamic wan ip resolution, if the ISP changes my wan ip.
"Services: Unbound DNS: DNS over TLS" = security (without pi-hole, ad-guard, etc.)
"Services: Kea DHCP: Kea DHCPv4 AND v6" = Add static reservation for local hostname resolution does work (AFTER a restart of Unbound)

But there is this issue of MY statement of "AFTER a restart of Unbound" is in conflict with pseudonym3k comment "all sites are immediately found by DNS name again".
When I went through this exercise, one had to be very precise in terms of what was disabled or enabled and what service was restarted, and when. For example, if I did not restart Unbound at the right moment, local hostname resolution would fail. If I had to go through a fresh install again, I think I could do it, but no guarantees I could get it right on the first try.

So again, if you actually take 7 variables into account and decide on a plan, although complex, the end result is rewarding.
ISC - disabled? correctly?
"Services: Dynamic DNS"
"System: Settings: General:  DNS servers" - blank?
Kea versus DNSmasq (one or the other, not both) (If DNSmasq, is port forward set correctly to 5353?)
Unbound - all settings.
"Services: Router Advertisements" (IPv6)
(someone may argue the order of this list, which would be welcome)

I think pseudonym3k brought up a real world experience. Again, hope this helps and does not add more confusion.

One afterthought. Please do not use a common address of 192.168.1.0/24 for your LAN. Needs to be more unique, in my opinion. Not implying this has anything to do with the topic, just a suggestion.


#6
Thanks, this now finally got not only the parameter passing working (with both type script and script_output; stream_output still returns errors, but no output is generated anyway, so type script suffices)!

Also the translation works like a charm! :)

In case anyone ever wants to do the same, this is the php wrapper that calls the script on behalf of the action file:
#!/usr/local/bin/php
<?php
/* OPNsense legacy includes: get_real_interface() lives in interfaces.inc */
require_once("interfaces.inc");
require_once("config.inc");
require_once("util.inc");

$param_error = 0;
/* Default to WAN interface if none given */
$default_if = 'wan';
$param_if = isset($argv[1]) ? $argv[1] : $default_if;

/* Resolve the logical name (e.g. "wan", "opt1") to the real device name */
$system_if = get_real_interface($param_if);
if (empty($system_if)) {
    /* Unknown interface argument: fall back to WAN and remember the error */
    $system_if = get_real_interface($default_if);
    $param_error = 1;
}

if (!empty($system_if)) {
    /* shell_safe() takes a format string plus a separate, quoted argument list,
       so the interface name is never interpolated into the command string */
    $result = OPNsense\Core\Shell::shell_safe('/root/priorizeprivacy.sh %s', [$system_if]);
} else {
    $result = -1;
}

/* Note: a top-level return ends the script but does not set the process exit
   status (that is always 0); use exit() instead if the caller checks it. */
if (isset($argv[1])) {
    return $param_error ? 2 : $result;
} else {
    return 1;
}

Thanks a lot for the helpful info and the examples!
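As an added illustration (not part of the original post or of OPNsense itself), this is the shape of the configd action file that would invoke a wrapper like the one above with an interface argument. The file name, section name and script path are assumptions; only the key names are configd's own:

```ini
# /usr/local/opnsense/service/conf/actions.d/actions_priorizeprivacy.conf
# (assumed file name; configd only loads files named actions_*.conf)
[run]
# assumed location of the PHP wrapper from the post above
command:/usr/local/opnsense/scripts/priorizeprivacy.php
# one positional parameter, handed to the wrapper as $argv[1]
parameters:%s
# script_output returns whatever the wrapper prints;
# type:script instead reports only OK / Error from the exit status
type:script_output
message:running priorizeprivacy on interface %s
description:Run priorizeprivacy.sh on the given interface
```

After `service configd restart`, `configctl priorizeprivacy run wan` runs the wrapper with `wan` as its first argument (the first word of the configctl command comes from the file name, the second from the section). Because the wrapper ends with a top-level `return`, its exit status is always 0, which is why `type:script` will always report OK regardless of the parameter error; with `type:script_output` the caller sees only what the wrapper echoes, so anything worth reporting has to be printed.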
#7
26.1 Series / Re: DNS Confusion
Last post by Booth - Today at 12:59:32 AM
Quote from: disorganise on April 12, 2026, 02:45:09 PM
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.

As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.

Is Unbound enabled in Services => Unbound DNS => General => Enable Unbound?
If so then Services => Unbound DNS => Query Forwarding should tell you what upstream DNS servers it's using, and whether these are the system DNS servers from System => Settings => General or not.

If Unbound isn't enabled then you're probably using Dnsmasq. Is Services => Dnsmasq DNS and DHCP => General => "Do not forward to system defined DNS servers" selected? If it is, it should be using the servers from System => Settings => General, or if not the servers from Services => Dnsmasq DNS and DHCP => Domains.

Do the log files for Unbound or Dnsmasq show any errors?

On the windows host, when getting its IP Configuration automatically from DHCP, what does "ipconfig /all" in a command prompt show? Has it picked up its DNS configuration from your OPNsense? Also it might be worth using "nslookup" to check DNS from the command line as browsers can sometimes try using their own DNS over HTTPS configuration.

Quote: 2nd confusion:
Probably better to stick to one problem at a time for now :) Well worth trying to work out how your DNS is currently configured before getting the sites to query each other. Your plan for a forward from one site to the other sounds right though.
#8
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by pseudonym3k - Today at 12:42:48 AM
Quote from: Patrick M. Hausen on Today at 12:39:38 AM
think there is much valuable information for other/new users in this thread that should not be deleted.
If all the noise could be deleted, I'd agree. But it's a mess of misunderstandings.
#9
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by Patrick M. Hausen - Today at 12:39:38 AM
I think there is much valuable information for other/new users in this thread that should not be deleted.

All the best,
Patrick
#10
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by pseudonym3k - Today at 12:34:29 AM
Quote from: Patrick M. Hausen on Today at 12:31:13 AM
I only joined in late
And help would be appreciated, if it were needed. But it wasn't. My question was already answered with the first comment and I was done. Now I've spent all my time counteracting misunderstandings when none of it was necessary. I wonder if the mods can just delete this entire thread.