Recent posts

#2
26.1 Series / Re: PPPOE Frequent Disconnecti...
Last post by nicholaswkc - Today at 04:08:04 AM
Which interface should I assign in Interfaces->Devices->Point-to-Point: em0 or em0_vlan621? I tried both em0 and em0_vlan621, and neither was able to get an external IP address.
#3
General Discussion / Re: NAT Outbound rules, static...
Last post by noahharold - Today at 03:51:46 AM
Quote from: Forceflow on December 21, 2024, 01:04:06 PM
Hey quordle

I'm trying to replace my old trusty Edgemax Edgerouter ERP-5 (because Unifi does not care about these Edgerouters any more, it seems) with a new shiny OPNSense device from Protectli. It's going well, but I've got one thing that puzzles me. First, my network topology:

(internet) -> ISP modem/router (192.168.0.1) -> OPNsense with static WAN IP (192.168.0.220) -> My LAN and all my devices (192.168.1.x)

  • I'm stuck with that ISP modem/router that I cannot put into bridge mode. The only thing I can do is DMZ to a fixed IP (192.168.0.220). I've made my peace with this double NAT, it's the way it is - this is not the issue at hand. Don't worry, I've disabled the standard blocking of traffic from RFC1918 networks, otherwise the setup wouldn't work :)
  • I've managed to replicate almost all functionality from the Edgerouter I want: static leases, port forwards, DNS redirect to Pihole, et cetera. Devices can contact the internet and each other.

There is just one thing that's bugging me: I'm an avid gamer, and when I use my Edgerouter, all my consoles / PC games report NAT type 2 (moderate). When I use my new OPNSense box, that reverts to NAT type 3 (strict).

The initial reaction would be: just start configuring UPNP, but here's the thing: on my Edgerouter I could get to NAT Type 2 without having to resort to UPNP (simply not configured), and I'd like to replicate that exact behavior. I want a baseline to start from that is identical to what I had :).

I figured out it probably has something to do with outbound NAT rules, and the port selection. OPNSense, by default, randomizes the outbound port during the translation, for security reasons, if I am correct. I think my Edgerouter, by default, uses static port mapping for outbound NAT (no randomization) for EVERY LAN CLIENT, and that makes everything "just work" to get to NAT Type 2.

In order to replicate this behavior in OPNSense, I've set Outbound NAT to Hybrid mode, copied the default auto-generated outbound rule to this section and just enabled the static port setting. For all traffic and clients, because most of the clients on my network use some online game functionality (laptops, consoles, ...). This change does indeed result in all consoles and game PCs reporting NAT Type 2 / Moderate behavior. Hurray.

Here are my questions:
  • Do you think I've diagnosed the problem correctly and that is indeed the default Edgerouter behavior, and that I replicated this correctly? I know UPNP is the "correct" way of solving this, but I don't want to get into more configuration hell, and I was fine with the way the Edgerouter did it.
  • Is there any downside to doing this? I know theoretically I can have issues when ports collide, let's say two XBOXes on my network try to connect to the same game server using the exact same port, and it is unclear for whom the returning packet is meant. I've got to stress that I did not encounter any of those issues in doing it like this for 5 years on that Edgerouter, so this might be a non-issue.

Thank you for reading this, and happy holidays to you all.


It sounds like you've diagnosed the NAT issue correctly. Using static port mapping in OPNSense is a valid approach to replicate the Edgerouter's behavior without UPNP. While there is a potential risk of port collisions, if you've managed fine for years without issues, it should be okay. Just keep an eye on your network performance.
#4
25.7, 25.10 Series / Cant Login, even after passwor...
Last post by leafy - Today at 03:09:13 AM
I'm stuck with my router right now. It's been running flawlessly for months, but I need to set a new static IP and I couldn't log into the web interface: wrong password. I couldn't remember if I set up TOTP, but the fact that I have something in my authenticator app that is called "router" makes me believe I did. I reset the password with single-user sign-in on the boot menu, and I still couldn't log in to the web GUI. I tried that password right on the console and I still couldn't log in. I even tried resetting the password to a single letter, and tried logging in with the authenticator code before and after the letter directly on the console, still with no luck. I'm at a loss here as to what my next steps should be before I decide to just nuke the whole install and start fresh.
#5
26.1 Series / Re: Telemetry widget fails to ...
Last post by UserRory - Today at 02:43:14 AM
Had some time to test more - as nice as 26.1 is it is just a bit too early for me.

1) Firewall rule migration tool failed with some of my rules
2) Suricata IPS showing 1 CPU @ 100% utilization
3) Telemetry widget fails to load / sensor_info.py timeout issue (reproducible on 26.1.2 - 26.1.6)
4) Scheduled firewall rules not working (known issue)

If I have time I might try to do a clean install and restore the config to see if that behaves any better. Wondering if others had better luck vs. upgrade.
#6
General Discussion / Re: Why I am retiring from con...
Last post by passeri - Today at 01:01:17 AM
Not so great when they are building your house.
#7
German - Deutsch / Re: Multi WAN IPv6
Last post by Wired Life - Today at 12:33:22 AM
I think the main problem is differing configurations.
tiermutter, could you please also post screenshots of your gateway settings and, if applicable, your firewall rules?
I am also trying in vain to get an IPv6 failover to my Starlink working and suspect that something is missing.
#8
General Discussion / Re: Trouble understanding VLAN...
Last post by nero355 - April 14, 2026, 11:43:38 PM
Quote from: bloodyNetworker on April 14, 2026, 09:58:53 PM
I'm guessing you mean the NIC on my homeserver?
I am talking about your OPNsense Router :
- It needs at least two NICs for WAN and LAN.
- If possible let's say 4 of them like common on many Intel N100 boxes.

Quote
I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time, whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches the incoming tagged packet).
OPNsense can handle Tagged traffic : That's not the issue here.

Quote
If you meant something else, please let me know.
See above : You can't do everything with just one NIC !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household, any untagged devices will be left alone, is that right?
I have no idea what you are talking about to be honest, but I just posted how you can keep your future Advanced Accesspoint in the IoT VLAN with its Management Interface : That's all!

Quote
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Why do you think you need Mesh at all ?!

According to your network drawing there is zero need for it : Everything is connected via the wired network!

Quote
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection and whose packets need to be mapped to the IOT VLAN tag as well.
Your Printer can be connected to an Untagged Switchport or via WiFi and the Printer won't know how the rest of the network works, like any other Client ;)

9 out of 10 chance the Printer doesn't even have VLAN Tag Settings !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packages with IOT
If I got your idea wrong, please let me know!
I have no idea why you quoted that, but all in all I think you are overthinking everything : Just get some hardware you can afford and think looks reasonably good and start building and learning about your future network! :)
#9
26.1 Series / Re: glib missing dependency af...
Last post by emmitt - April 14, 2026, 11:09:16 PM
After doing a little research, I managed to fix it. Just remove the old repo and install the new one.
The error (python311) is now gone — though the update check error remains.

And another oddity: I already have version v0.107.73 installed. But the plugin changelog says

1.16

* Update to 0.107.67
#10
General Discussion / Re: Trouble understanding VLAN...
Last post by bloodyNetworker - April 14, 2026, 09:58:53 PM
Quote from: nero355 on April 14, 2026, 07:26:11 PM
Quote
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through OPNsense, which controls VLAN access through the firewall rules, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.
I'm guessing you mean the NIC on my homeserver? If that's the case: I only have one NIC and I'd like it to stay that way. This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time, whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches the incoming tagged packet).
If you meant something else, please let me know.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household, any untagged devices will be left alone, is that right?
---
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection and whose packets need to be mapped to the IOT VLAN tag as well.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packages with IOT
If I got your idea wrong, please let me know!