"Recent posts
#1
26.1, 26,4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 10:58:18 AMok for some reason the <opt> entries under xml:/opnsense/interfaces were deleted. it seems it happened 4 weeks ago, but can it happen without user intervention? I don't see anything in the logs?
the plot thickens
the plot thickens
#2
General Discussion / losing internet connection aft...
Last post by Djazeiry - Today at 10:43:23 AMhello guys , i'm new to opnsense and advanced networking , where i am i started by using opensens after insatlling it on a physical machine and made it as my DHCP Server , everything works fine for a few days and then suddenly i lose the internet connection on the network , my network structure is explained on the joined image , my firewall configuration is by default didn't touch anything
network structure :
You cannot view this attachment.
network structure :
You cannot view this attachment.
#3
26.1, 26,4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 10:38:23 AMlooking at the configuration some interface definitions live under
```
<opnsense>
<interfaces>
<wan>
...
</wan>
<lan>
...
```
But I don't see the vlan interfaces <vlanif> mapping to <optX>. Where should this happen?
```
<opnsense>
<interfaces>
<wan>
...
</wan>
<lan>
...
```
But I don't see the vlan interfaces <vlanif> mapping to <optX>. Where should this happen?
#4
Hardware and Performance / Re: Adapts to Marvell AQC113C-...
Last post by Seimus - Today at 10:36:10 AMWe have as well an official kmod on OPNsense.
Its in the repository and can be installed via cli. You don't need to complete the driver yourself
https://forum.opnsense.org/index.php?topic=51767.0
Regards,
S.
Its in the repository and can be installed via cli. You don't need to complete the driver yourself
https://forum.opnsense.org/index.php?topic=51767.0
Regards,
S.
#5
26.1, 26,4 Series / Unbound not able to retrieve I...
Last post by Taomyn - Today at 10:34:19 AMI use Unbound as my DNS forwarder but I've been noticing the past few weeks a lot of failed IPv6 DNS lookups - I don't use IPv6 externally on my WAN, but as far as I can tell it's enabled on many of my internal devices, but I tend to stick with IPv4. Unbound is set to forward requests to Quad9 at 9.9.9.10 using TLS
When I try to test things against my Unbound I get this:
If I try directly against Quad9 I get:
I don't see any errors on the Unbound log for such queries, this I did on OPNsense itself:
And my DNS TLS forwarding config is:
Any idea what else I can check, especially commands to test on OPNsense itself as I cannot work out a way to check TLS lookups on the command line although I was able to see that traffic on port 853 was going out.
I just updated to 26.1.8_5 and it hasn't helped
When I try to test things against my Unbound I get this:
Code Select
root@MOE:~# kdig @192.168.1.1 AAAA one.one.one.one
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 15362
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; Received 44 B
;; Time 2026-05-14 10:17:04 CEST
;; From 192.168.1.1@53(UDP) in 14.6 ms
If I try directly against Quad9 I get:
Code Select
root@MOE:~# kdig @9.9.9.10 +tls AAAA one.one.one.one
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56075
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; ANSWER SECTION:
one.one.one.one. 43200 IN AAAA 2606:4700:4700::1111
one.one.one.one. 43200 IN AAAA 2606:4700:4700::1001
;; Received 100 B
;; Time 2026-05-14 10:17:09 CEST
;; From 9.9.9.10@853(TLS) in 27.1 ms
I don't see any errors on the Unbound log for such queries, this I did on OPNsense itself:
Code Select
drill AAAA one.one.one.one @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63287
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 114 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May 14 09:56:57 2026
;; MSG SIZE rcvd: 33Code Select
2026-05-14T09:56:57Informationalunbound[63620:1] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.113617 0 33
2026-05-14T09:56:57Informationalunbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] query: 127.0.0.1 one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.035965 0 33
2026-05-14T09:48:17Informationalunbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] query: 127.0.0.1 one.one.one.one. AAAA IN
And my DNS TLS forwarding config is:
Code Select
Domain:
Server IP: 9.9.9.10
Server Port: 853
Forward first: Disabled
Verify CN: dns10.quad9.net
Description: No Malware blocking, no DNSSEC validation
Any idea what else I can check, especially commands to test on OPNsense itself as I cannot work out a way to check TLS lookups on the command line although I was able to see that traffic on port 853 was going out.
I just updated to 26.1.8_5 and it hasn't helped
#6
Hardware and Performance / cpu-microcode-intel: no matchi...
Last post by fastboot - Today at 09:37:05 AMHi @Franco,
I may have found a microcode packaging/split-file issue on OPNsense.
System:
Protectli VP6630
Intel Core i3-1215U, Alder Lake R0
coreboot 0.9.0
Installed packages:
Current microcode after boot:
Boot message:
The package only provides this split file for CPUID 06-9a-04:
but for Intel Core Gen12 / Alder Lake R0 I would expect platform 06-9a-04/80, not /40.
Full relevant output:
Is it possible that the split microcode file 06-9a-04.80 is missing from the package, so the Intel microcode plugin cannot update this CPU and keeps the firmware-provided 0x432?
Thanks!
FB
I may have found a microcode packaging/split-file issue on OPNsense.
System:
Protectli VP6630
Intel Core i3-1215U, Alder Lake R0
coreboot 0.9.0
Installed packages:
Code Select
cpu-microcode-intel-20260227
os-cpu-microcode-intel-1.1Current microcode after boot:
Code Select
x86info -a | grep -i micro
Microcode version: 0x0000000000000432Boot message:
Code Select
dmesg | grep -i micro
[1] CPU microcode: no matching update foundThe package only provides this split file for CPUID 06-9a-04:
Code Select
/usr/local/share/cpucontrol/06-9a-04.40but for Intel Core Gen12 / Alder Lake R0 I would expect platform 06-9a-04/80, not /40.
Full relevant output:
Code Select
pkg info -x microcode
cpu-microcode-intel-20260227
os-cpu-microcode-intel-1.1
pkg info -l cpu-microcode-intel | grep -E 'intel-ucode|06-9a-04|microcode'
cpu-microcode-intel-20260227:
/boot/firmware/intel-ucode.bin
/usr/local/share/cpucontrol/06-9a-04.40
find /usr/local/share/cpucontrol /boot/firmware -iname '*06-9a-04*' -o -iname '*intel*ucode*'
/usr/local/share/cpucontrol/06-9a-04.40
/boot/firmware/intel-ucode.bin
Is it possible that the split microcode file 06-9a-04.80 is missing from the package, so the Intel microcode plugin cannot update this CPU and keeps the firmware-provided 0x432?
Thanks!
FB
#7
26.1, 26,4 Series / Re: catch-22 with OPNsense 26....
Last post by euclid - Today at 09:24:50 AMAlso applies in 26.1.8_5
#8
26.1, 26,4 Series / catch-22 with OPNsense 26.1.7_...
Last post by euclid - Today at 09:19:47 AMHi,
I updated opnsense to 26.1.7 and after the update, I see a few issues with how the *soft interfaces* (/interfaces_assign.php) are started.
Host with 2 physical interfaces, and some VLANs + wireguard interfaces.
I have an interface that is using the [legacy] ISC DHCPv4 (OPT1). because of that it is not registered in the UI. then, all the consecutive interfaces OPT2, OPT3, ... do not appear because I assume the process to start the soft interfaces at boot stops immediately on the first error [I consider this bug #1 - because one interface failed, the following interfaces are not even registered]. There is a bug #1.1 additionally, because all the interfaces were marked as enabled and prevent interface removal.
Now because I don't have these soft interfaces, my [legacy] ISC DHCPv4 does not show me the configured interfaces to move the DHCP configuration, so I cannot really solve this unless I touch the system [I consider this bug #2 - this is the catch-22]
In general the user ergonomics of the transition of deprecating DHCPv4 and move some of its parts (for better or worse) as part of the interface UI, is not well thought, and I consider this bug #3. User Interface experience lacks.
Because the interface didn't start as expected, my gateways did random things I had a system that some things work, but without me having any possibility to modify from the UI.
I've been using opnsense for 6 years. This release must have been the least quality assured release I remember.
I updated opnsense to 26.1.7 and after the update, I see a few issues with how the *soft interfaces* (/interfaces_assign.php) are started.
Host with 2 physical interfaces, and some VLANs + wireguard interfaces.
I have an interface that is using the [legacy] ISC DHCPv4 (OPT1). because of that it is not registered in the UI. then, all the consecutive interfaces OPT2, OPT3, ... do not appear because I assume the process to start the soft interfaces at boot stops immediately on the first error [I consider this bug #1 - because one interface failed, the following interfaces are not even registered]. There is a bug #1.1 additionally, because all the interfaces were marked as enabled and prevent interface removal.
Now because I don't have these soft interfaces, my [legacy] ISC DHCPv4 does not show me the configured interfaces to move the DHCP configuration, so I cannot really solve this unless I touch the system [I consider this bug #2 - this is the catch-22]
In general the user ergonomics of the transition of deprecating DHCPv4 and move some of its parts (for better or worse) as part of the interface UI, is not well thought, and I consider this bug #3. User Interface experience lacks.
Because the interface didn't start as expected, my gateways did random things I had a system that some things work, but without me having any possibility to modify from the UI.
I've been using opnsense for 6 years. This release must have been the least quality assured release I remember.
#9
Tutorials and FAQs / Re: Technitium DNS Server on O...
Last post by jaykumar2005 - Today at 09:17:55 AMWill the Technitium installation survive a OPNsense major upgrade?
#10
Q-Feeds (Threat intelligence) / Re: Invalid license after upda...
Last post by vpx23 - Today at 08:48:46 AMJust a quick response, it now works again without any changes on my side.
