Recent posts

#1
25.7, 25.10 Series / Hostwatch features / improveme...
Last post by psharkauburn - Today at 08:37:58 PM
Not sure if this is the right place in the forum to put this, so move if needed (and/or I'll take constructive criticism for future posts). Coming from a consumer-based router (asus merlin) I definitely appreciate the new addition, I know it has/had some bugs and I'm sure it'll improve. Just saw it today when I noticed an update, wanted to make a couple quick notes for improvements along with some questions:

  • Should be a flow from discovery -> static assignment
  • Remove IP address requirement from static assignment
  • Should be some control over discovery staleness trimming/garbage collection
  • Should be some additional fields shown/tracked on discovery + static assignment

Discovery -> Static flow: Nothing crazy here, just expecting a command available on the DiscoveredHosts row detail for 'Create Static Entry' that would pre-fill the static entry form with the values from the DiscoveredHosts row detail. Pretty similar to a normal DHCP flow in DNSMASQ from looking at dynamic lease table and turning a dynamic entry -> create static entry via [add reservation] command.

Remove IP Requirement from Static Mapping -> I know I have plenty of IOT type devices like light bulbs that I don't do static DHCP for, and their OUI org names can be fun to sleuth out (sarcasm). I DO very much want to be able to label them meaningfully (garage exterior light, front porch light, etc...) based just on MAC while keeping them dynamic on IP (maybe playing with setting up VLAN for them, etc...). Occasional use old tablets/phones are in the same boat for me. Plenty of old devices I very occasionally turn on for some reason (or the kids) and love knowing what the device actually is but definitely don't want to waste an IP assignment for it.

Staleness trimming -> My assumption is that the DiscoveredHosts table is meant to serve as a 'devices currently on the network' in some sort of loose interpretation (like recently on the network). I'd expect devices to fall off this list from some concept of last seen versus a staleness threshold (1 min, 10 min, 1 hour, etc...). Just looking for this threshold to be stated / configurable at least on a global level, I can see usefulness in a per host setting also from the static table.

Additional fields/GUI stuff -> On the DiscoveredHosts table a [Last Seen] is VERY useful, especially if we don't know the staleness trimming default. I've had systems that may not trim the discovery table but will change font color/weight/etc... to indicate a stale entry that hasn't been seen in a while (I think FING does this for example). Bringing static [description] over to DiscoveredHosts seems really natural; if I've gone to the trouble to do the static mapping I want the friendly name showing on the DiscoveredHosts table to show what's currently on the network. Taking this out a step further, may want to consider a distinct field for [FriendlyName] (or [HostName]) on the static table so description can be used for its intended purpose (longer description of something) but a shorter helpful name can be used throughout reporting / firewall stuff / etc... May want to bring the [Last Seen] field to the static table, give an easy way to potentially help folks trim out old entries from their system that may not be used anymore.

Question side - curious about interplay with DNSMASQ DHCP static mappings for example. I was about to go thru the process in DNSMASQ [Hosts] to do most of this mapping between hardware MAC -> friendly device hostname/description. It looks like the [Hosts] table has concepts like tagging so I can add useful logical groups like 'Light Bulbs/Switches/TVs' etc... and doesn't require a fixed IP address assignment. Just wanting to kinda get validation I'm interpreting this right, I haven't moved forward and done the work yet to implement. The next logical question then becomes, what is the best place to do this sort of mapping; DHCP [Hosts] or Neighbor [Static] ? It seems like DHCP [Hosts] does all of what I want and doesn't require any changes, but surfacing that data thru to Neighbor [DiscoveredHosts] would be EXTREMELY beneficial. Just looking for guidance before going down some path trying to map out 100-200 devices in one area and then being told HostWatch is the new/future best practice, and need to redo it.
#2
25.7, 25.10 Series / Re: After updating Opnsense fr...
Last post by wide - Today at 08:27:54 PM
I managed to update to version 25.7.11_2 by using opnsense-shell and then restarting all the services from the shell also.
System remains stable. No excessive disk writes, normal memory consumption and regular CPU load.

But still immediately after I open the WebGUI the system goes haywire. Tens and then hundreds of PHP processes spawn and system runs out of memory.

#3
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by meyergru - Today at 08:24:55 PM
And the difference to DHCPv6-derived IPs is that SLAAC-provided IPs are pushed, i.e. they are applied immediately when the GUA prefix changes.

The only thing you do not have is "known" static IPv6s that you can reference in DNS names (because the prefix can change). Usually, you do not need them anyways, because you can always use the IPv4 for internal purposes in DNS. All of that is covered in the HOWTO I linked above.
#4
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by Patrick M. Hausen - Today at 08:08:20 PM
The IPs will be automatic but predictable and stable. Unless the clients use privacy extensions but they are free to do that with DHCP, too.

A server configured with SLAAC will always get the same GUA unless its MAC address changes.
#5
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by stanthewizzard - Today at 08:04:46 PM
Quote from: Patrick M. Hausen on Today at 07:50:19 PM
Quote from: stanthewizzard on Today at 07:44:48 PM
ISC DHCPv6 gives wan routable ipv6 from my ISP [...] to other devices

SLAAC can do that without any DHCP present at all.

Yes, but to my knowledge without fixed IPs?
#6
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by Patrick M. Hausen - Today at 07:50:19 PM
Quote from: stanthewizzard on Today at 07:44:48 PM
ISC DHCPv6 gives wan routable ipv6 from my ISP [...] to other devices

SLAAC can do that without any DHCP present at all.
#7
25.7, 25.10 Series / Re: OPNSense throwing multiple...
Last post by BigFreddy - Today at 07:48:22 PM
Quote from: Patrick M. Hausen on January 18, 2026, 11:35:58 PM
I have only ever seen these:

ahcicho 0: Timeout on slot 7 port 0
CAM Status: Command Timeout
Retrying command, 2 more tries remain

with dying devices. If I saw that in a new unit I would never put that into production before I had successfully eliminated the cause. Timeouts in the CAM subsystem must not happen. If they do, something is broken. Never ignore them.

What do you mean by "vanilla" and "backwards compatible"? Save the configuration from your current unit, fix the hardware, install the very same version, restore configuration ...

Thanks, good to know what the mentioned error codes mean, I guess you really do learn something new every day haha. Once I replace the drive, I will check dmesg again but hopefully it will be fine. I must have gotten a unit with a faulty SSD and haven't realised it, it's been running fine for a long time but it became more severe recently. Thanks for helping me with the diagnosis of the issue, it's very much appreciated.

Quote from: franco on Today at 04:05:14 AM
The firmware health audit can probably confirm?
Not sure if there is one, I already ordered a replacement so will replace and see how it goes. Hopefully the reboot will be instant compared to the current one where it takes quite a while to reboot.

This thread can be closed now, thanks all for your help.

#8
General Discussion / Re: Strange WiFi issue
Last post by suur13 - Today at 07:48:00 PM
I was able to solve my main issue with Chromecast by enabling "Allow intra-BSS communication", but connecting to BubbleUPnP still gives error that I want to connect from WAN. Yes I could allow Wan settings from Bubble, but do not want (due to security).
What does OPNSense block/filter so that connecting via its internal Wifi makes one service in LAN think that I'm trying to connect from WAN?
#9
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by stanthewizzard - Today at 07:44:48 PM
Quote from: meyergru on Today at 07:25:10 PM
Quote from: stanthewizzard on Today at 07:13:54 PM
every server inside the lan (homelab) has a static IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.

But then, why / how do you rely on ISC DHCPv6?

I can see only two things it could provide: routable IPv6 addresses, which can be handed out via SLAAC as well, and leases and/or reservations which allow using internal DNS names (which you say you do not use).

Frankly, I do not get what you are missing.


Oupsi
yes you are right
and it's on purpose (internal dns for example with no wan rights)

then ISC DHCPv6 gives wan routable ipv6 from my ISP (2 servers are banned from being contacted from the outside world) to other devices (iphones windows mac etc)
#10
25.7, 25.10 Series / CSRF Check
Last post by spetrillo - Today at 07:35:44 PM
Hello all,

Ever since I upgraded to 25.7.11 I am getting the following when I log in:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

I have rebooted OPNsense but it does not fix this. What is this about?

Thanks,
Steve