Recent posts

#1
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by meyergru - Today at 08:14:35 AM
My problem seems unrelated as of now, probably just a glitch. At least it never turned up again.
#2
General Discussion / Certificate update
Last post by stanps - Today at 06:02:04 AM
First off, bravo on v26!

Anyhoo, with my cert expiring in a couple weeks, I went ahead and created a new one.  I got it assigned in System > Settings > Administration, but when I went to delete the old cert, I was presented with a message I've attached to this post.

I did install ntopng at one time, but it has been uninstalled for a few months. Is there some manual cleanup that needs to be done? And if so, can someone point me in the right direction?

I have updated to 26.1_4amd64.

Thanks in advance,
S
#3
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by Patrick M. Hausen - Today at 05:09:41 AM
This is in no way related to the topic of this thread. Better open a new one with a matching topic line.
#4
26.1 Series / Re: MiniUPNPD
Last post by epyon9283 - Today at 03:58:13 AM
Looks good. Working for me too :)

Thanks!!
#5
26.1 Series / Lost my IPv6 prefix
Last post by robled - Today at 02:19:59 AM
After upgrading to 26.1 I lost my IPv6 prefix. My ISP is Google Fiber, and they generally do IPv6 the right way, with DHCPv6 PD, and give out a /56 prefix. Worked fine with previous OPNsense versions. With tcpdump I can see some DHCPv6 activity:

16:46:46.740180 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:46:46.742118 IP6 fe80::1.547 > fe80::3eec:efff:fe27:ea7e.546: dhcp6 advertise
16:46:47.740534 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 request
16:46:47.742462 IP6 fe80::1.547 > fe80::3eec:efff:fe27:ea7e.546: dhcp6 reply
16:46:57.892093 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:46:58.970018 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:01.022492 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:04.989532 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:13.057771 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:28.683178 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:48:01.233762 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit

I know there are a lot of changes with regards to IPv6 in this release. I began clicking around with the new options, trying out various permutations, like Identity Association and Track Interface (legacy). But it seems that things never progress that far, because my WAN interface never seems to get an IPv6 address or a prefix to delegate to the LAN interfaces. I did convert my firewall rules to the new format and deleted the legacy rules. Just to see if the new firewall config was causing issues I added a rule to allow inbound UDP 546 with no effect.

I'm posting some screenshots of my current config.  Will be happy to provide more info and file a bug report if necessary once I learn more about what's going on.  Thank you.
#6
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by Patate - Today at 02:09:02 AM
Hello, I also have these errors:

/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/WAN_DHCP-quality.rrd' --step 0 DS:'loss:GAUGE:120:0:2500000000' DS:'delay:GAUGE:120:0:2500000000' DS:'stddev:GAUGE:120:0:2500000000' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"

I think it's within netflowd, but not sure

Reporting: Health --> Not working (No graph, but it's on)

What I have done

- reinstall rrdtool + reboot
- Firmware Audit (health) = no error
- Toggle rrd on/off/repair, etc...

OPNsense 26.1_4-amd64

Thx

Pat
#7
26.1 Series / Re: MiniUPNPD
Last post by burre90 - Today at 01:54:09 AM
Quote from: franco on January 30, 2026, 11:18:37 PM
I think I found it. Looks like a feature removal gone wrong:

# opnsense-patch https://github.com/opnsense/core/commit/311184daa8
# /usr/local/etc/rc.filter_configure

It should bring back the required anchors.


Cheers,
Franco


Appears to be working for me now :)


#8
Quote from: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound.  I'm running OPNsense 25.7.11_9-amd64  with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem URLs posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx


#9
25.7, 25.10 Series / Re: DuckDB-related DNS/DHCP ou...
Last post by mawa2559 - Today at 12:56:10 AM
Well, a few days later and I'm really spinning my wheels.

With hostwatch disabled things were more stable for about 48 hours but the problems returned, only slightly different. DNS gets spotty but DHCP no longer drops out, however opnsense's IPv4 address becomes unreachable and unable to be pinged by any devices on the network. I can still log in to the webgui and am not seeing any helpful messages in any logs I can find.

For now, I've rolled DNS and DHCP over to a pihole docker container I was using previously - this has made things MUCH more stable, however the IPv4 address of opnsense still becomes unpingable 1-2x per day for seemingly no reason, continuing to cause network dropouts. Before the IPv4 address becomes unreachable, I can see https GET requests for URLs on the public internet start timing out intermittently. I'm going to try and get more metrics from opnsense using an additional node exporter but at this point I'm planning to get it off the network if I can't identify the cause and fix it soon.
#10
26.1 Series / Re: Suricata - Divert (IPS)
Last post by xpendable - Today at 12:22:19 AM
That's true, my OPNsense runs as a VM on XCP-ng, however I use SR-IOV with Intel X710 NICs. So never had an issue with using Netmap, but using the Divert method is way more efficient on memory usage. I have 16GB of memory allocated and before the memory would typically sit at 40-50% usage. I just checked and it's now down to about 10%. Will probably reduce the memory allocation in the near future as the system obviously doesn't need it anymore.