Recent posts

#1
General Discussion / Re: Unbound DNS keeps crashing...
Last post by RES217AIII - Today at 08:02:21 AM
You accidentally inverted the Source instead of the Destination, and your Floating Rule is currently filtering outbound traffic (which is still blocking Unbound from reaching the internet).

Here is how both rules need to be configured:

1. Correct Destination NAT Configuration

Interface: Select all your local Interfaces/VLANs (do NOT select WAN or WireGuard).

Protocol: TCP/UDP

Source: any (Leave this completely default, do not invert!).

Port: *

Destination / Invert: Check the [X] (Invert) box.

Destination: Select This Firewall (self).

Port: 53 (domain)

Redirect Target IP: 127.0.0.1

Redirect Target Port: 53 (domain)

Filter Rule Association: Set this to Pass

Your current rule applies to traffic where the Source is not the firewall. We want it to apply to any client whose Destination is not the firewall.


2. Correct Floating Rule Configuration

If you still want to use the Floating Rule as a fallback block for port 53, it must only block incoming traffic from clients, never outbound traffic from Unbound.

Action: Block or Reject

Quick: Checked [X] (Apply immediately)

Interface: Select your local Interfaces/VLANs (do NOT select WAN, WireGuard, or Loopback).

Direction: Change this to IN (Currently, it is set to OUT, which blocks Unbound from hitting WAN!).

Protocol: IPv4 TCP/UDP

Source: any (Do not invert!).

Port: *

Destination / Invert: Check the [X] (Invert) box.

Destination: Select This Firewall (self).

Port: 53 (DOMAIN)



By setting Source: ! This Firewall, your rule was trying to match packets where the sender wasn't the firewall. We need to match packets where the intended target (Destination) isn't the firewall.

Your Floating Rule had the <- arrow (Outbound). This meant whenever Unbound itself tried to send a DNS request out to the internet via WAN, the firewall blocked it. Changing the direction to IN ensures it only blocks clients trying to push unauthorized DNS traffic into your local interfaces.
#2
26.1, 26,4 Series / Re: How reliable is Firewall:D...
Last post by pfry - Today at 02:31:51 AM
Huh. What does the inbound state look like? I'd expect a pair like this...You cannot view this attachment.

Edit: Also, check "Firewall: Diagnostics: Statistics" -> "rules".
#3
General Discussion / Re: Unbound DNS keeps crashing...
Last post by apoorv569 - Today at 02:29:43 AM
Appreciate all the suggestions and comments. I added a source of "This Firewall" and checked the invert source for both the destination NAT and floating rule, and I still have the issue.
#4
26.1, 26,4 Series / Re: Upgrade Failed, signature ...
Last post by dfw3xam1n3r - Today at 02:13:25 AM
I was having this issue described on downloading both the 26.1.11 base and kernel. Turns out OPNsense itself couldn't route out to IPv6 even though the inside delegated prefix could route out. Oddly, performing a traceroute6 command for google.com from the CLI of OPNsense got it to come back up and then it upgraded like normal.
#5
26.1, 26,4 Series / Re: With IPv6, how to get both...
Last post by espenu - Today at 12:38:44 AM
Quote from: drosophila on July 08, 2026, 04:15:49 PMWith IPv6 you can set any number of addresses you wish, so it should be possible to add the ULAs in addition to the SLAAC GUAs. The only issue is that the GUI doesn't expose this feat (at all: even in the static configuration, it allows only exactly one IPv6 address to be set). I'm looking into disabling LLA autogeneration and instead manually assigning LLAs to match the ULAs so I can see which machine is burping in the logs without translating MACs all the time. But I need to enter two addresses for this to work though the GUI. Command line or script works of course, but it's a GUI-based system so...
You can add additional ULAs as virtual IPs on each interface.
#6
26.1, 26,4 Series / Re: With IPv6, how to get both...
Last post by espenu - Today at 12:34:12 AM
Quote from: meyergru on July 07, 2026, 10:48:28 AM
Quote from: Bob.Dig on July 07, 2026, 09:33:24 AMWhy not using good, old IPv4 for internal things?

I am also fond of that, see: https://forum.opnsense.org/index.php?topic=45822.0 for an in-depth discussion.

I get that, and technically I don't NEED IPv6 for internal communication.
It's an interesting exercise in understanding IPv6 better. As I understand it there is nothing "wrong" with my approach here, which is why it's frustrating that it almost works, but not quite.

I've finally had a chance to properly read through the thread you linked to, and there is a statement that I can't get to match with what I'm seeing from post 72:
"That is were ULA might be helpful. Then again, with dual stack, they will not be used when an IPv4 DNS entry exists."

But on my Debian machines it seems like ULA is prioritized over IPv4.
At least if I ping a host with both defined in DNS it's the ULA that's used.
#7
General Discussion / Re: [Solved] Opnsense DOSing u...
Last post by nero355 - July 11, 2026, 11:35:21 PM
Quote from: ciaduck on July 11, 2026, 08:32:57 PMsometimes unbound would die on the router, and pihole would just get SERVFAIL until I restarted the router.
That's what https://docs.pi-hole.net/guides/dns/unbound/ is for ;)

I really can't imagine a life without Pi-Hole anymore to be honest...

It just makes soo much sense to have it and it's easy to modify the way I want it to be!
#8
General Discussion / Re: Help with SSH and terminal...
Last post by nero355 - July 11, 2026, 11:30:40 PM
Quote from: ciaduck on July 11, 2026, 08:38:44 PMI ssh from powershell to opnsense
What happens when you use PuTTY instead ?!
#9
General Discussion / Re: How to set up Single NIC O...
Last post by Vectralis - July 11, 2026, 10:41:28 PM
Ok, I will back at this thread in some weeks/months
#10
26.1, 26,4 Series / Re: How reliable is Firewall:D...
Last post by DaElephant - July 11, 2026, 10:40:27 PM
It does follow the correct rules some times.
You cannot view this attachment.