Recent posts

#1
Zenarmor (Sensei) / Re: Provide firm date on multi...
Last post by tangofan - Today at 05:11:14 AM
To my great surprise I noticed that in the roadmap multicore support is a feature for business plans only. I'm "only" subscribed to the "Home" plan, but I would have expected that this feature would also come to that plan, even if I had a thread limit. In fact, if ZA is serious about attracting homelab users to the Home edition, I would also expect a limited form of multithreading in the free plan.

Apart from this I am wondering how serious that roadmap is with a 1 to 6 months timeframe. The problem is that this feature essentially pays back some technical debt, but isn't a flashy feature. I get it that ZA is a small company that needs to pay the bills and that those "flashy features" are much better at making that happen. Thus I'm concerned that multicore support will remain on the back burner for the foreseeable future.
#2
26.1, 26,4 Series / DEC2770 Update issues.
Last post by rgradert - Today at 02:52:56 AM
root@ilhs-fw01:~ # cat /conf/config.xml | grep -i firmware -n
24:    <firmware version="1.0.1" persisted_at="1779147725.70" description="Firmware settings">
32:    </firmware>
33:    <firmware version="1.0.0">
37:    </firmware>
root@ilhs-fw01:~ # opnsense-update -V
+ [ '' ]
+ [ '' ]
+ [ '' '=' -R ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ ! -f /usr/local/etc/pkg/repos/OPNsense.conf ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ '' '=' -M ]
+ [ '' '=' -x ]
+ [ '' '=' -X ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ grep -q '^[[:space:]]*signature_type:[[:space:]]*"fingerprints"' /usr/local/etc/pkg/repos/OPNsense.conf
+ [ -n '' ]
+ [ -z '' ]
+ [ -n '' -o -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -z '' ]
+ [ -n '' -a -n '' -a -z '' ]
+ [ -n '' -a -n '' -a -z '' ]
+ [ -n '' -a -n '' -a -z '' ]
+ [ -n '' ]
+ [ '' '=' -K ]
+ [ '' '=' -B ]
+ [ '' '=' -P ]
+ [ -n '' ]
+ [ '' '=' -p -a -z '' ]
+ [ -n '' ]
+ DEVICE=''
+ [ -n '' ]
+ KERNELSET=kernel-26.1.7-amd64.txz
+ PACKAGESSET=packages-26.1.7-amd64.tar
+ TESTSSET=tests-26.1.7-amd64.txz
+ BASESET=base-26.1.7-amd64.txz
+ mirror_abi
+ local 'DIR=\2'
+ local 'OPT='
+ [ -n '' ]
+ opnsense-verify -a
+ ABI=FreeBSD:14:amd64
+ [ -n '' ]
+ sed -n 's/^[[:space:]]*url:[[:space:]]*\"\(.*\/${ABI}\/\)\([^\/]*\)\/.*/\1\2/p' /usr/local/etc/pkg/repos/OPNsense.conf
+ MIRROR='https://nl.opnsense-update.deciso.com/license/${ABI}/26.1'
+ [ -z 'https://nl.opnsense-update.deciso.com/license/${ABI}/26.1' ]
+ [ '' '!=' raw ]
+ eval 'MIRROR=https://nl.opnsense-update.deciso.com/license/${ABI}/26.1'
+ MIRROR=https://nl.opnsense-update.deciso.com/license/FreeBSD:14:amd64/26.1
+ echo https://nl.opnsense-update.deciso.com/license/FreeBSD:14:amd64/26.1
+ MIRROR=https://nl.opnsense-update.deciso.com/license/FreeBSD:14:amd64/26.1/sets
+ [ -n '' ]
+ [ -z '' ]
+ [ 26.1.7 '=' 26.1.6 -a -n '' ]
+ [ 26.1.7 '=' 26.1.6 -a -n '' ]
+ [ 26.1.7 '=' 26.4 -a -n '' ]
+ [ -z '' ]
+ echo 'Nothing to do.'
Nothing to do.
+ exit 0
root@ilhs-fw01:~ #

Within the GUI, I am all 26.4_14

If I manually update the files, I can do an update until it reverts the repo back then fails again.

I am doing the following:
ee /usr/local/etc/pkg/repos/OPNsense.conf
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://nl.opnsense-update.deciso.com/license/${ABI}/26.4/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}
pkg update -f
Essentially for both the standard and aux repos, changing the 26.4/latest to 26.4/aux etc. Obviously "license" is our business edition license.

Upon updating, they are changed back to 26.1 then the update fails.

Please advise as to what is going on here. This is preventing us from using plugins on the firewalls. We have 2x new DEC2770 waiting to be configured to replace a failing device on 24 firmware.

Thanks,
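The trace above shows opnsense-update deriving its mirror from the url: line of the repo file with a sed expression, so the release series it will use is whatever that file currently says, not what the GUI shows. The following is an added diagnostic (not from this post and not part of OPNsense) that pulls the series and signature_type out of a pkg repo file in the same way and flags a mismatch before you run an update. The two sample files are constructed to mirror the layout of the file quoted in the post; the expected series passed to repo_check is an assumption for the demo.

```shell
#!/bin/sh
# Added diagnostic, not from the original post and not OPNsense code:
# read the release series and signature settings out of a pkg(8)
# repository file such as /usr/local/etc/pkg/repos/OPNsense.conf so a
# GUI-vs-file mismatch (GUI on 26.4, file still pointing at 26.1) is
# visible before opnsense-update silently picks the wrong series.

# repo_url FILE -> prints the url: value without the quotes
repo_url() {
    sed -n 's/^[[:space:]]*url:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# repo_series FILE -> prints the path component after the literal ${ABI}/
# (e.g. 26.1 or 26.4), the same component opnsense-update extracts
repo_series() {
    repo_url "$1" | sed -n 's#.*/[$]{ABI}/\([^/]*\).*#\1#p'
}

# repo_signature_type FILE -> prints the signature_type: value
repo_signature_type() {
    sed -n 's/^[[:space:]]*signature_type:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# repo_check FILE EXPECTED_SERIES -> 0 when the file tracks EXPECTED_SERIES
# with fingerprint signing, 1 otherwise (diagnostics go to stderr)
repo_check() {
    series=$(repo_series "$1")
    sig=$(repo_signature_type "$1")
    rc=0
    if [ "$series" != "$2" ]; then
        echo "$1: tracks series '${series:-none}', expected '$2'" >&2
        rc=1
    fi
    if [ "$sig" != "fingerprints" ]; then
        echo "$1: signature_type is '${sig:-unset}', expected 'fingerprints'" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files for the demo (layout copied from the post's file;
# the second one deliberately carries the stale series and unsigned setting)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/OPNsense-26.4.conf" <<'EOF'
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://nl.opnsense-update.deciso.com/license/${ABI}/26.4/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}
EOF
cat > "$SAMPLE_DIR/OPNsense-26.1.conf" <<'EOF'
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://nl.opnsense-update.deciso.com/license/${ABI}/26.1/latest",
  signature_type: "none",
  priority: 11,
  enabled: yes
}
EOF

# Demo: check both files against the series the GUI claims (26.4, assumed)
for f in "$SAMPLE_DIR/OPNsense-26.4.conf" "$SAMPLE_DIR/OPNsense-26.1.conf"; do
    if repo_check "$f" 26.4; then
        echo "$f: OK (series $(repo_series "$f"))"
    else
        echo "$f: mismatch, correct the file and re-run 'pkg update -f'"
    fi
done
```

Run it against the real file with repo_check /usr/local/etc/pkg/repos/OPNsense.conf 26.4 right after editing and again after the next update; if the second run reports 26.1 again, something on the box is rewriting the file and the edit itself is not the problem.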

#3
Hello everyone,

I am trying to implement automatic failover between two ProtonVPN WireGuard tunnels on OPNsense, but I am hitting what seems to be unreliable behavior with WireGuard gateway groups and dpinger.

Environment:
- Latest OPNsense version
- Two ProtonVPN WireGuard tunnels
- VLAN100 traffic policy-routed through a gateway group
- Primary tunnel: CHPROTON-BKP (wg3)
- Backup tunnel: CHPROTON
- Gateway group configured with Tier1/Tier2 failover
- Both WireGuard tunnels are operational and working correctly individually

Observed behavior:
- Traffic works correctly through the primary WG tunnel
- If I manually disable the primary gateway/interface, failover works and traffic correctly moves to the backup tunnel
- However, if the primary Proton peer becomes unusable or disconnected, the WireGuard interface often still remains "UP"
- dpinger/gateway monitoring still considers the gateway healthy
- Gateway group does not fail over correctly
- Traffic blackholes until I manually disable the dead gateway/interface

Additional observations:
- Proton tunnels reuse the same local tunnel IP (10.2.0.2), which may contribute to routing/state ambiguity
- OPNsense locally-generated traffic (ping/curl from firewall itself) does not seem to follow policy-routing/gateway-group rules, making reliable local health probing difficult
- Handshake age and RX/TX counters are not reliable enough because WireGuard keepalives continue even when real Internet traffic is broken
- Packet captures confirm that route-to rules are applied and packets leave through the expected WG interface, but sessions still fail when the gateway/group logic gets stuck

What I already tested:
- Different monitor IPs
- Gateway groups with trigger levels
- State resets
- Manual route testing
- tcpdump validation on WG interfaces
- Monitoring handshake age
- curl/ping probes
- Rebooting OPNsense
- Manually disabling/enabling gateways/interfaces

At this point I am considering:
1. Keeping only one active Proton tunnel and one cold standby
2. Creating a custom watchdog script using Monit
3. Using WAN failover underneath a single WireGuard tunnel instead of multiple WG tunnels in a gateway group

My questions:
- Has anyone successfully implemented reliable automatic failover between multiple ProtonVPN WireGuard tunnels on OPNsense?
- If yes, how are you detecting tunnel failure reliably?
- Are you using gateway groups, Monit scripts, dpinger, or another method?
- Did anyone find a clean workaround for locally-generated traffic not following policy-routing rules?
- Is this considered a known limitation/bug with WireGuard + gateway groups on OPNsense?

Any feedback or working architectures would be greatly appreciated.

Thanks!
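One way to act on the observation above that handshake age and RX/TX counters keep moving while real traffic is broken is to base the watchdog on an end-to-end probe and add hysteresis so a single lost packet does not flip the gateway. The script below is an added example, not from this post and not OPNsense or Monit code: the probe command is injected as a parameter (it is assumed to succeed only when traffic actually passes through the tunnel, e.g. by being bound to a routing table that forces it out the WG interface), the state lives in a small file so Monit can call the check once per cycle, and the two hook functions are placeholders for whatever disables or re-enables the gateway in a real deployment.

```shell
#!/bin/sh
# Added example, not from the original post and not OPNsense/Monit code:
# a watchdog decision function for a WireGuard tunnel that ignores
# handshake age and byte counters (keepalives keep those moving) and
# instead trusts only an end-to-end probe, with separate thresholds for
# declaring the tunnel down and declaring it healthy again.
#
# Assumptions (hypothetical): the probe command passed to tunnel_check
# succeeds only when real traffic crosses the tunnel; on_tunnel_down and
# on_tunnel_up are where a real deployment would (re)enable the gateway.

DOWN_AFTER=${DOWN_AFTER:-3}   # consecutive probe failures before "down"
UP_AFTER=${UP_AFTER:-2}       # consecutive probe successes before "up"

# read_state STATEFILE -> sets STATUS and COUNT from "<status> <count>",
# defaulting to "up 0" when the file does not exist yet
read_state() {
    if [ -r "$1" ]; then
        read -r STATUS COUNT < "$1"
    else
        STATUS=up; COUNT=0
    fi
}

on_tunnel_down() { echo "hook: mark gateway $1 down" >&2; }  # placeholder
on_tunnel_up()   { echo "hook: mark gateway $1 up" >&2; }    # placeholder

# tunnel_check NAME STATEFILE PROBE_CMD [ARGS...] -> runs the probe, updates
# the state file, calls a hook on a transition, prints the resulting status
# and returns 0 for "up", 1 for "down"
tunnel_check() {
    name=$1; statefile=$2; shift 2
    read_state "$statefile"
    if "$@" >/dev/null 2>&1; then probe_ok=1; else probe_ok=0; fi
    case "$STATUS:$probe_ok" in
        up:1)   COUNT=0 ;;                       # healthy, reset failure streak
        up:0)   COUNT=$((COUNT + 1))
                if [ "$COUNT" -ge "$DOWN_AFTER" ]; then
                    STATUS=down; COUNT=0; on_tunnel_down "$name"
                fi ;;
        down:0) COUNT=0 ;;                       # still dead, reset success streak
        down:1) COUNT=$((COUNT + 1))
                if [ "$COUNT" -ge "$UP_AFTER" ]; then
                    STATUS=up; COUNT=0; on_tunnel_up "$name"
                fi ;;
    esac
    printf '%s %s\n' "$STATUS" "$COUNT" > "$statefile"
    echo "$STATUS"
    [ "$STATUS" = up ]
}

# Stand-alone demo with constructed probe results: three failures take the
# tunnel down, two successes bring it back
if [ -z "${NO_DEMO:-}" ]; then
    demo_state=$(mktemp)
    rm -f "$demo_state"
    for probe in false false false true true; do
        tunnel_check wg3 "$demo_state" "$probe" || true
    done
    rm -f "$demo_state"
fi
```

Called from Monit every cycle with the real probe (for example a curl against a known host, forced through the tunnel), the return code is what Monit reacts to; keeping the thresholds asymmetric avoids flapping between the two Proton tunnels when the primary is only intermittently losing packets.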
#4
General Discussion / Re: youtube going offline
Last post by OPNenthu - Today at 01:52:22 AM
I've read some threads on here (don't have the links handy) about people having connectivity issues with Microsoft sites/services that are worked around with MSS clamping.  I wonder if YT might also be impacted by some kind of MTU issue.

The other thing I can think of that might be contributing is this: https://github.com/opnsense/src/issues/254

Are you using IPv6?  Have you tried over IPv4?

This is anecdotal, but I recently changed my configuration to use NPTv6 which has the side effect that my outbound traffic is now preferring IPv4.  Since then, I do see a decrease in the instances of YT freezing or giving me connection error popups.  Maybe a nothingburger; maybe not.
#5
General Discussion / Re: youtube going offline
Last post by oriagranat9 - Today at 01:23:25 AM
I don't have any blocklist set up currently; this occurs on multiple devices (Chrome, YouTube app etc.)
#6
General Discussion / Re: youtube going offline
Last post by OPNenthu - Today at 01:20:10 AM
YT is known to be hostile toward ad blockers and certain browsers (e.g. Firefox).  I had this problem even with my old Asus router so I'm not convinced that it's a network issue on the client side, but I'm happy to be wrong about this.

The platform wants you to be friendly to their revenue stream so ideally you are using Chrome and you are not filtering ads.  Personally that's not my cuppa tea for browsing, so I just deal with the YT service disruptions and occasional loading delays.

Some things to check/try:

Is your Unbound set up with DNSBLs?  Do you see the same issue with Chrome manually set to 8.8.8.8 in DNS settings (and not redirected by OPNsense)? 
#7
26.1, 26,4 Series / Re: DS-Lite (PPPoE|DHCPv6-PD) ...
Last post by Dark-Sider - Today at 12:26:36 AM
From what I know M-Net's AFTR also works when you have a dual-stack contract.
#8
German - Deutsch / Re: "Sluggish" Internet since Upd...
Last post by meyergru - May 18, 2026, 11:14:16 PM
I wrote that in #15: check whether the MSS setting is at 1492 bytes, which is the maximum for your PPPoE.
#9
26.1, 26,4 Series / Re: DEC840 gets stuck on boot ...
Last post by feld - May 18, 2026, 10:58:54 PM
oh this went very, very badly.

I set the sysctl in the webif as you suggested and instantly it killed the entire firewall. No traffic can go through, serial console spewing out debug data at max rate. I'm guessing 115200 is still a bottleneck, this clogs up the kernel from doing anything useful. Even if I wanted to SSH from one of the igb interfaces, it wouldn't work.

Not good.

Eventually I managed to get a single user mode shell before those sysctls get applied on boot. I manually edit the config.xml to remove the sysctl entries. Reboot again.

Now I get a kernel panic every boot when it loads the driver. Removing the SFPs and leaving it powered off for a while doesn't help, every boot is a kernel panic.

Luckily I have a spare DEC 2700 I could install/restore my config onto and swap the hardware in place to get my network back online, but this DEC840 is pretty much a brick right now.

In the debugger after panic, I get this output:

db> bt
Tracing pid 0 tid 100000 td 0xffffffff81d81d60
kdb_enter() at kdb_enter+0x33/frame 0xffffffff82e6d6b0
panic() at panic+0x43/frame 0xffffffff82e6d710
trap_pfault() at trap_pfault+0x3da/frame 0xffffffff82e6d760
calltrap() at calltrap+0x8/frame 0xffffffff82e6d760
--- trap 0xc, rip = 0xffffffff810f9dc0, rsp = 0xffffffff82e6d830, rbp = 0xffffffff82e6d850 ---
xgbe_dump_dma_registers() at xgbe_dump_dma_registers+0x3c0/frame 0xffffffff82e6d850
axgbe_pci_init() at axgbe_pci_init+0xe0/frame 0xffffffff82e6d870
axgbe_if_attach_post() at axgbe_if_attach_post+0x395/frame 0xffffffff82e6d8b0
iflib_device_register() at iflib_device_register+0x2655/frame 0xffffffff82e6d9e0
iflib_device_attach() at iflib_device_attach+0xaa/frame 0xffffffff82e6da10
device_attach() at device_attach+0x43d/frame 0xffffffff82e6da60
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6da80
pci_attach() at pci_attach+0xc7/frame 0xffffffff82e6dab0
acpi_pci_attach() at acpi_pci_attach+0x15/frame 0xffffffff82e6daf0
device_attach() at device_attach+0x43d/frame 0xffffffff82e6db40
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6db60
acpi_pcib_pci_attach() at acpi_pcib_pci_attach+0x95/frame 0xffffffff82e6db90
device_attach() at device_attach+0x43d/frame 0xffffffff82e6dbe0
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6dc00
pci_attach() at pci_attach+0xc7/frame 0xffffffff82e6dc30
acpi_pci_attach() at acpi_pci_attach+0x15/frame 0xffffffff82e6dc70
device_attach() at device_attach+0x43d/frame 0xffffffff82e6dcc0
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6dce0
acpi_pcib_acpi_attach() at acpi_pcib_acpi_attach+0x42b/frame 0xffffffff82e6dd50
device_attach() at device_attach+0x43d/frame 0xffffffff82e6dda0
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6ddc0
acpi_probe_children() at acpi_probe_children+0x6f/frame 0xffffffff82e6de20
acpi_attach() at acpi_attach+0x9dc/frame 0xffffffff82e6deb0
device_attach() at device_attach+0x43d/frame 0xffffffff82e6df00
bus_generic_attach() at bus_generic_attach+0x2d/frame 0xffffffff82e6df20
device_attach() at device_attach+0x43d/frame 0xffffffff82e6df70
bus_generic_new_pass() at bus_generic_new_pass+0x109/frame 0xffffffff82e6dfa0
root_bus_configure() at root_bus_configure+0x26/frame 0xffffffff82e6dfc0
configure() at configure+0x9/frame 0xffffffff82e6dfd0
mi_startup() at mi_startup+0xb5/frame 0xffffffff82e6dff0
Attempting a full reinstall on this DEC840 now.

edit: the reinstall was successful
#10
General Discussion / youtube going offline
Last post by oriagranat9 - May 18, 2026, 10:40:10 PM
Hey folks,

I have an OPNsense router that has lately been causing me a lot of trouble. Whenever I'm browsing YouTube trying to watch videos, it takes a really long time to load and even pops up a "YouTube is offline" message.
I have diagnosed that the issue is coming from the network, as it happens to all devices (Wi-Fi and LAN). When using a cellular network on my phone or a hotspot, this doesn't happen.
My current setup is: ISP (FTTH) -> Router (SFP port - PPPoE) -> Main switch -> LAN + Wi-Fi.
I'm using Unbound on both Cloudflare and Google DNS, and Dnsmasq for DHCP. There are no VLAN definitions or anything configured to block traffic on the main LAN network.
I would really appreciate the help!