Recent posts

#1

25.7, 25.10 Series / Re: IPv4 ONLY Firewall Setup w...

Last post by Patrick M. Hausen - Today at 12:03:03 AM

What are you even talking about? There is no such thing as multiple LAN ports unless you create a LAN bridge. The procedure to do that is well documented.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

#2

Hardware and Performance / Re: Hardware sizing: Is a 345W...

Last post by pfry - April 06, 2026, 11:40:13 PM

A 180W idle is a bit high, unless you have a CRT attached to it. I'd toss out 50W as a reasonably high estimate with a sleeping LCD, which would make the difference ~90€/y, or, at $.14/kWh, ~$40. Point still taken, of course.

With a 10W firewall (Fortigate 61E), two small servers, KVM, display, and UPS, I drew ~85W. With a 45W firewall, bigger servers and two UPSs it's up near 200W, and really requires auxiliary cooling for the room in the summer (>86F/30C daytime ambient) ("summer" is ~20 days > 100F/38C; max ~113F/45C). A bit painful. But I've blown >$2000/y on Internet service for 30 years, so the pain is a bit like stubbing my toe on a land mine.

#3

Hardware and Performance / Re: DEC3920 Quick Review

Last post by OPNenthu - April 06, 2026, 11:36:45 PM

Any difference if you spoof the WAN MAC?

#4

26.1 Series / ddclient multiwan and dnsomati...

Last post by emb - April 06, 2026, 11:27:01 PM

Hi there,
I'm new in the forum but I've been using Opnsense for a long time.
I'm having some problems to use ddclient to update my wan ip on dns-o-matic service. I'm using two wan interfaces both setup as tier1 (round robin). I've configured ddclient (native mode) to update my dynamic ip address on dnsomatic service. The first interface updates without any problem but I'm getting an error on the second interface; dnsomatic tells me that "The IP Address you have supplied to DNS-O-Matic differs from the IP Address that you are coming from". So, I'm trying to update the ip related to wan2 interface but I'm using wan1 as interface (it appears as active on system gateway configuration. I've enabled the option Allow default gateway switching on system settings general.

I don't know what I'm doing wrong. Please help me.

Thanks in advance.

#5

26.1 Series / Re: Everytime I install Opnsen...

Last post by nero355 - April 06, 2026, 11:21:15 PM

However, the first link seems to be a hardware/design problem, so that one cannot be healed at all, IMHO.

The whole UDM Series were a dissaster and still have issues AFAIK...

I remember a guy having issues combining 1 Gbps and 10 Gbps speeds and also all sorts of PPPoE WAN issues that were soo bad that the poor guy simply used his old USG (One of the larger 19 inch models. Can't remember the name...) to do the PPPoE WAN part and because of that was stuck with NAT behind NAT for a long time!

#6

26.1 Series / RTT and RTTd spikes that leads...

Last post by sonic1812 - April 06, 2026, 10:05:41 PM

I am having an issue with my router that is causing spikes in RTT and RTTd. The issue is spontaneous as it will happen randomly.  Dpinger will show the RTT spike up to a high amount and that's usually when the internet will disconnect. What could the cause of this? I think it has something to do with my WAN interface settings, but I am not sure what else it could be. I have  used another router (OpenWRt) and didn't have this issue when I used it. Here is more information:
WAN Interface Settings:
1.    MTU= Blank
2.    Override MTU=Checked
3.   Block private Networks=Checked
4.   Block bogon networks=checked
5.   MSS=Blank
ISP INFO
Comcast EPON Fiber

Dpinger logs
2026-04-06T15:20:35-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: delay -> none RTT: 159.4 ms RTTd: 641.3 ms Loss: 0.0 %)
2026-04-06T15:20:32-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: down -> delay RTT: 446.0 ms RTTd: 1384.5 ms Loss: 0.0 %)
2026-04-06T15:19:40-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: none -> down RTT: 573.8 ms RTTd: 1665.2 ms Loss: 0.0 %)
2026-04-06T14:45:52-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: delay -> none RTT: 151.7 ms RTTd: 583.3 ms Loss: 0.0 %)
2026-04-06T14:45:49-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: down -> delay RTT: 429.6 ms RTTd: 1326.8 ms Loss: 0.0 %)
2026-04-06T14:44:12-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: delay -> down RTT: 611.4 ms RTTd: 2048.2 ms Loss: 10.0 %)
2026-04-06T14:44:06-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: none -> delay RTT: 238.4 ms RTTd: 1106.6 ms Loss: 3.0 %)
2026-04-06T13:40:31-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: delay -> none RTT: 148.7 ms RTTd: 608.8 ms Loss: 0.0 %)
2026-04-06T13:40:28-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: down -> delay RTT: 424.0 ms RTTd: 1326.9 ms Loss: 0.0 %)
2026-04-06T13:39:19-04:00NoticedpingerMONITOR: WAN_GW (Addr: 1.1.1.1 Alarm: delay -> down RTT: 515.1 ms RTTd: 887.9 ms Loss: 0.0 %)

Versions
OPNsense 26.1.5-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
Processor N100
RAM 32 GB
Hard Drive: 512 SSD

Services Turned OFF:
1.   Intrusion detection
2.   Zenarmor
3.   Squid Proxy

#7

General Discussion / Re: DNS, DoH, DoT, DoQ, DNSCry...

Last post by Mario_Rossi - April 06, 2026, 09:55:37 PM

The next step is to understand how to do and implement https inspection.

Easy: You don't. See this, point 12.

"You can't" is relative; point 12 itself states that it's difficult (not impossible) and requires resources that can only be justified within a corporate context.

At work, we have Paloalto and perform https inspection, with, of course, bypass rules that we often add.
It's definitely a very different context; we have AD and distribute certificates via policies, as well as a ton of integrations between Paloalto and the Microsoft world (Enter).

A home lab should be a place where you can experiment and gain experience without worrying about shutting down the entire company.

#8

General Discussion / Re: DNS, DoH, DoT, DoQ, DNSCry...

Last post by meyergru - April 06, 2026, 07:45:11 PM

The next step is to understand how to do and implement https inspection.

Easy: You don't. See this, point 12.

#9

German - Deutsch / Re: Telekom Business Pro Tarif...

Last post by meyergru - April 06, 2026, 07:43:21 PM

Deine Screendumps zeigen ein /56 für das LAN, das wäre falsch, es muss /64 sein. Du musst ein beliebiges /64 Präfix aus Deinem /56er Bereich wählen.

Typischerweise ist die WAN-IP übrigens /128. Geht IPv6 von der OpnSense selbst?

#10

German - Deutsch / Telekom Business Pro Tarif mit...

Last post by esoor - April 06, 2026, 07:31:41 PM

Erst einmal vorweg, bis vor zwei Wochen hatte ich Opnsense nie gehehen.

Von der Telekom habe ich folgendes zugeteilt bekommen:

IPv6 (Öffentlich/WAN):
2003:000a:117f:xxxx:0000:0000:0000:0000

IPv6 (Kundennetz/LAN):
2003:000a:113f:xxxx:0000:0000:0000:0000

Das WAN1 Interface über PPOE, VLAN. IPv4 läuft mit fester Adresse bereits prima. Bei IPv6 komme ich nicht weiter.

Im WAN1 Interface habe ich folgendes hinterlegt:

IPv6 Configuration Type: Static
IPv6 Address: 2003:a:117f:xxxx::1/64
Gateway Rules:
- Interface WAN1
- Priority: 1
- IP Address: fe80::1
- Upstream Gateway: checked
- Far Gateway: checked
- Disable Gateway Monitoring: checked

Am LAN Interface:
- IPv6 Configuration Type: Static
- 2003:a:113f:xxxx::1/64
- (keine IPv6 Gateway Rules)

Der Client am LANPORT kann keine IPv6 Adressen außen erreichen, von der Routershell gehts nicht und über interfaces -> diagnostics auch nicht.

Jemand eine Idee?