Recent posts

#1
Turkish - Türkçe / Re: Türkçe Çeviri Hk.
Last post by eXcitinG - Today at 02:59:31 AM
evet bende pfsense kullanmıştım daha önce şuan mikrotik kullanıyoruz ama opnsense nin çıktığını duyunca merak ettim araştırdığım kadarıyla şuan pfsense den daha iyi durumda pfsense komple ticari ye kaymış durumda orayı daha stabil yapıyorlar ücretsiz versiyon ile çok ilgilenmiyorlar ve opnsense daha çok özelleştirilebiliyor galiba
#2
General Discussion / Unbound DNS Leaking Public IP ...
Last post by opnsense1 - Today at 02:52:33 AM
According to this longstanding bug, you have to either choose using your VPN's DNS and not having options for local overrides or use Unbound's recursive DNS resolution and leak your public IP address. I was wondering if any recent developments might have made a best of both worlds where I can use Unbound for recursive DNS and have its requests routed through my Wireguard VPN so that my public IP isn't leaked.

I have successfully gotten Dnsmasq to use the upstream DNS providers I choose but the moment I forward the requests to Unbound, my public IP is leaked. Setting firewall rules and setting the `Outgoing Network Interfaces` to be my VPN interface does not help.
#3
General Discussion / AT&T Fiber full bypass on OPNs...
Last post by grevelle - Today at 02:52:02 AM
Sharing a few OPNsense 26.x-specific notes after doing a BGW210 full bypass (wpa_supplicant EAP-TLS on the WAN, no netgraph / no Auth Bridge). The EAP path from this thread and the usual cert + MAC spoof + PCP 1 setup still applies. What burned time was IPv6 coming back cleanly after a cold reboot.

1) Put the AT&T DUID where dhcp6c actually reads it

On current OPNsense, set the DUID-EN under:

Interfaces → Settings → DHCP Unique Identifier

That maps to OPNsense/Interfaces/settings/dhcp6_duid and should also be present in /var/db/dhcp6c_duid and /conf/dhcp6c_duid.

Do not rely on system.ipv6duid alone. In our case dhcp6c ignored that and fell back to a DUID-LLT derived from the real NIC MAC, so DHCPv6 Solicits never got Replies after reboot even though EAP and IPv4 were fine.

Quick check:

php -r 'require_once "util.inc"; echo dhcp6c_duid_read(),"\n";'
Confirm that prints your AT&T DUID-EN, not a link-layer DUID.

2) VLAN priority field names must be exact

For AT&T you want PCP Background (1) on both DHCP and DHCPv6.

In config the keys are:
  • dhcpvlanprio = 1
  • dhcp6vlanprio = 1

GUI: WAN → Use VLAN priority → Background (1) for IPv4 and IPv6.

Wrong names such as dhcpvlanpriority / dhcp6vlanpriority do nothing. Everything looks configured, but AT&T never answers.

Verify IPv6 PCP is in pf:

pfctl -sr | grep "dhcpv6-server set ( prio 1 )"
3) Leave "Request only an IPv6 prefix" truly unset

If you want IA_NA + IA_PD (WAN GUA + PD), do not leave an empty dhcp6prefixonly value in the config. An empty string still counts as set in the PHP generator and can suppress IA_NA. Use basic DHCPv6 with PD size 60 and Send IPv6 prefix hint, prefix-only unchecked.

Generated /var/etc/dhcp6c.conf should include both send ia-na and send ia-pd, plus prefix ::/60 and sla-len 4 for a /60.

4) Boot race: DHCP/DHCPv6 can run before EAP is Authorized

On cold boot, dhcp6c can Solicit before wpa_supplicant finishes EAP-TLS. We kept the usual early/04-wpa hook (OPENSSL_CONF + wpa_supplicant on the WAN NIC, MAC spoof), and added a short background wait for EAP state=SUCCESS, then:

configctl interface reconfigure wan
That fixed IPv6 not returning after reboot while IPv4/EAP looked fine.

Also: while staging behind the BGW LAN, leave the early hook non-executable (chmod 644). On ONT cutover, chmod +x.

5) Judge IPv6 by the LAN GUA, not WAN IA_NA pings

AT&T often will not answer ICMP from the WAN IA_NA. If you have a PD and a LAN 2600:... GUA that can ping6 out (source the LAN GUA), you are good.

Stack that worked here (high level)

  • OPNsense 26.7, Intel igb WAN/LAN
  • Full bypass: ONT → OPNsense WAN (BGW cold spare)
  • wpa_supplicant EAP-TLS + OpenSSL SECLEVEL=0 / unsafe renegotiation (as in this thread)
  • Spoof RG WAN MAC on WAN
  • Disable hardware VLAN filtering
  • DHCP + DHCPv6 with PCP 1, DUID-EN, PD /60, LAN track interface prefix ID 0

Huge thanks to everyone who posted the SECLEVEL=0 / early-hook pattern on another thread; hope the DUID + vlanprio naming notes save someone a reboot loop.
#4
26.7 Series / Re: 26.7 continually reboots
Last post by RAL9005 - Today at 01:29:06 AM
Quote from: nero355 on July 17, 2026, 02:18:16 PMI would start with the Kernel TLS tweak mentioned in other threads and see if it helps.

Could you please point me to the mentioned Kernel TLS tweak? I also get frequent reboots due to a kernel panic on my Topton N6005 box after the 26.7 upgrade:

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x0
panic: page fault

memmove_erms()
bpf_zerocopy_append_mbuf()
catchpacket()
bpf_mtap2()
ether_bpf_mtap_if()
lagg_transmit_ethernet() → vlan_transmit() → ether_output_frame()
ng_apply_item() → ng_snd_item() → ng_ether_output() → ether_output()
ip_output() → tcp_default_output() → tcp_usr_ready()
ktls_encrypt() → ktls_work_thread()

I've currently disabled net.bpf.zerocopy using a tunable (net.bpf.zerocopy_enable=0) and it actually seems to work for me, but maybe there is more elegant solution that I'm missing. Thanks!
#5
26.7 Series / Re: Suggestions for GUI state ...
Last post by (MARLOO) - Today at 01:19:54 AM
Quote from: Monju0525 on July 18, 2026, 11:53:08 PMI would the service widget state to look like the Wireguard connection  red for down and green for up.


agree +1
#6
26.7 Series / Re: Call for testers - new CPU...
Last post by (MARLOO) - Today at 12:51:17 AM
@OPNenthu

Agreed, the NVM version itself probably doesn't directly "cause" the microcode issue. I mentioned it mainly because my boot hangs started right after I updated the i226 firmware, so I was trying to see if there was any pattern.

The reason I updated the i226‑V NVM to 2.32 back then was that the interfaces were flapping a lot. After the firmware update, the flapping completely disappeared. I documented that here:
https://forum.opnsense.org/index.php?topic=48695.195

The fact that you're on 2.13 and I was on 2.32, yet both of us hit boot hangs with the microcode plugin, actually supports your point: it's likely not about the NIC firmware, but about how early microcode loading interacts with the N5105 platform and/or specific BIOS images.

On my box, the practical workaround for now is to keep the microcode plugin removed and wait until the "late load" fix is officially rolled out. If you're okay with a bit more testing, your setup is probably perfect to help validate the fix across different N5105 boxes.
#7
26.7 Series / Re: Call for testers - new CPU...
Last post by OPNenthu - Today at 12:40:21 AM
@(MARLOO) I have no clue how or why the NVM version would impact this, but mine is on the original 2.13 that shipped with the mini pc.  Also, there may be differences in behavior across vendors and BIOS images, which was part of my question... so I am hesitant to assume that all N5105 boxes behave the same.  I'm not sure though.
#8
26.7 Series / Re: Call for testers - new CPU...
Last post by (MARLOO) - Today at 12:36:51 AM
@OPNenthu

Thanks for sharing your logs and screenshots, it's really helpful to see that on very similar hardware (N5105, 4× i226‑V) both the bootloader update and the "late load" steps still result in a boot hang.

Just to connect the dots: my original issue appeared after updating the i226‑V NVM firmware to 2.32 on 26.1.4. With the microcode plugin installed, the box would hang at boot when both WAN and LAN were linked. Removing the microcode plugin fixed it.

Out of curiosity, which NVM/firmware version are your i226‑V NICs currently running?
You can check with:

bash
dmesg | grep -i igc
and look for lines like "EEPROM Vx.xx‑x"
#9
26.7 Series / Re: [Solved] OPNsense 27 upgra...
Last post by cookiemonster - Today at 12:27:46 AM
All good
#10
26.7 Series / Re: OPNsense 27 upgrade – warn...
Last post by (MARLOO) - Today at 12:24:26 AM
Thanks for the confirmation.

zpool status shows exactly that message:

pool: zroot
state: ONLINE
status: Some supported and requested features are not enabled on the pool.
errors: No known data errors


I have no need for the new features, so I will leave the pool as-is and not run zpool upgrade