"Recent posts
#1
Tutorials and FAQs / Re: OPNsense HA (CARP) with IP...
Last post by Monviech (Cedrik) - Today at 08:48:29 PMThats the difference between PD and an ndp proxy.
An ndp proxy works without DHCPv6, there wont be tracked interfaces or your /58 prefix.
There will only be a single /64 prefix, the one your OPNsenes will both get via SLAAC from the Fritzbox.
Then this /64 will be propagated to all vlans behind the OPNsense, the proxy supports firewall aliases to split the same /64 into different security zones. There is no classic subnetting here (logical different prefixes per vlan), but firewall rules that target individual hosts in groups that have been dynamically learned by the proxy.
That is also wy HA will work seamlessly, all devices will always have the exact same prefix and the same address, regardless if there are multiple OPNsense, since the Fritzbox will remain the Router Identity since it owns that /64 network. What happens when you delegate a prefix, is that the router identity changes to the router that received that prefix. And in your case you end up with multiple router identities and prefixes flap bacause of this. DHCPv6 assumes the next router to be a single logical instance, not multiple different ones.
If you want this or not depends on your personal preferences, this is pretty novel, a concept like this (for HA) did not really exist just a few months ago.
Reading the man pages is a good idea, I wrote them :)
An ndp proxy works without DHCPv6, there wont be tracked interfaces or your /58 prefix.
There will only be a single /64 prefix, the one your OPNsenes will both get via SLAAC from the Fritzbox.
Then this /64 will be propagated to all vlans behind the OPNsense, the proxy supports firewall aliases to split the same /64 into different security zones. There is no classic subnetting here (logical different prefixes per vlan), but firewall rules that target individual hosts in groups that have been dynamically learned by the proxy.
That is also wy HA will work seamlessly, all devices will always have the exact same prefix and the same address, regardless if there are multiple OPNsense, since the Fritzbox will remain the Router Identity since it owns that /64 network. What happens when you delegate a prefix, is that the router identity changes to the router that received that prefix. And in your case you end up with multiple router identities and prefixes flap bacause of this. DHCPv6 assumes the next router to be a single logical instance, not multiple different ones.
If you want this or not depends on your personal preferences, this is pretty novel, a concept like this (for HA) did not really exist just a few months ago.
Reading the man pages is a good idea, I wrote them :)
#2
26.1, 26,4 Series / Re: Having SSL for all home ne...
Last post by bookie56 - Today at 08:04:00 PMHi nero355!
I definitely like Palemoon but there is a fly in the ointment....there is no support for Bitwarden.....
Have you any other suggestions that are supported in Palemoon?
bookie56
I definitely like Palemoon but there is a fly in the ointment....there is no support for Bitwarden.....
Have you any other suggestions that are supported in Palemoon?
bookie56
#3
26.1, 26,4 Series / Re: WAAgent Linux broken after...
Last post by tunnebr - Today at 07:41:20 PMYes, that is indeed strange. My guess is that the agent was fixed in the Azure Marketplace image at some point in the past, and by chance it managed to survive the latest updates.
Is there a contact point at Deciso that we can reach out to? Does anyone have any experience with this?
Is there a contact point at Deciso that we can reach out to? Does anyone have any experience with this?
#4
Tutorials and FAQs / Re: OPNsense HA (CARP) with IP...
Last post by opn_mndr12101 - Today at 07:37:38 PMQuote from: Monviech (Cedrik) on April 19, 2026, 07:07:30 PMThe magic in a HA environment is that both OPNsense learn the same on link /64 prefix from the RAs sent by the Fritzbox...
I'm not getting it: Shouldn't I the get the /58 prefix at the OPNsense and slice it up into /64 there? Reading the documentation, I do not see, how these parts (Track Interface vs. ndp-proxy) fit together. This is more a question, if I really want this, not how to do it, I love reading man pages :-)
#5
Hardware and Performance / Re: N150 Mini PC, RTL8153, AX8...
Last post by dogshome - Today at 07:35:00 PMThanks for the rapid feedback. I saw several warnings about this online. However, I had the hardware laying about (apart from the 8256) which didn't stand me for much money.
Getting a dual NIC X64 PC etc with a half decent CPU in it would be a bigger investment. I have some DDR 3 laying about somewhere though, which would help a lot these days.
If it all goes die-down (geddit) or otherwise, I'll feed back.
Getting a dual NIC X64 PC etc with a half decent CPU in it would be a bigger investment. I have some DDR 3 laying about somewhere though, which would help a lot these days.
If it all goes die-down (geddit) or otherwise, I'll feed back.
#6
Hardware and Performance / Re: N150 Mini PC, RTL8153, AX8...
Last post by nero355 - Today at 07:25:30 PMThank you for testing and reporting your findings but IMHO any kind of USB Networking on your OPNsense is simply wrong and not something you want to use for a long time : Any kind of (temporary) High CPU LOAD = The whole USB Bus starts tripping!
But you can keep them and use them in case any of your Clients suddenly has a NIC gone bad/defect :)
But you can keep them and use them in case any of your Clients suddenly has a NIC gone bad/defect :)
#7
26.1, 26,4 Series / Re: Having SSL for all home ne...
Last post by nero355 - Today at 07:20:48 PMQuote from: bookie56 on Today at 06:21:11 PMYes, everything that is on tha lan....which in my case covers four ports...I like your suggestion and definitely will look into Palemoon..I agree with protecting my privacy which as we all know Microsoft never will, Chrome is as bad....I think it's the easiest way to just browse to your devices in the future without annoying warnings/errors/pop-ups but just keep in mind one thing :
Sometimes you might encounter compatibility issues with certain webGUI choices because of the simpel fact that webdeveloping standards are a mess and almost everyone seems to go for "Internet Explorer 6.0 v2.0" a.k.a. Google Chrome/Chromium sadly...
So some webGUI elements/buttons/checkboxes/etc. might be missing or shown different here and there sometimes!
For example : https://forum.opnsense.org/index.php?topic=51087.msg261425#msg261425
#8
General Discussion / Re: How do IPv6 Router Adverti...
Last post by nero355 - Today at 07:13:02 PMQuote from: mooh on Today at 03:44:07 PMMaybe a quick intro to Matter over Thread will help.Thank you for the above, because I could have sworn reading the same thing about these devices in the past!
All devices - including the border-router - added to that network use IPv6 link-local addresses to communicate.
Although the border-router is called a router, it actually does the forwarding on the application layer, not layer 3.
That's how communication with Matter over Thread IPv6 devices works just fine, even if the border-router is connected to an IPv4 ethernet connection only.
So it's like I thought :
Dump them all in your IoT VLAN and let them have fun there!
No special IPv6 stuff needed :)
#9
Hardware and Performance / N150 Mini PC, RTL8153, AX88179...
Last post by dogshome - Today at 07:13:01 PMHi All, These are the results I've had with the USB3 Ethernet adaptors listed in the title. N150 Acemagic Vista V1. I used the appropriate RTL and AX plug-ins.
RTL8153. Reaches virtually the available ~900Mbps download and upload available on my fibre. crashes occasionally under load. Fail!
AX88179. Limited to 250Mbps, but reliable. Fail!
RTL8256BG. Reaches the available bandwidth. Seems reliable depite my attempts to break it with speed test, Teams etc. Win!
With various packages like a blocklist in Unbound, Crowdsec and Intrusion Protection turned on, the most CPU useage I see is 20%. Memory, far less than 1G. My reason for switching from my recent TP-Link AX73 device is mainly because their firewall setting is now an android-controlled paid app. So I have that set up as an AP with an RE705 extender located in the other end of the house. That gives me reliable +-800Mbps over wifi(6) tapped into the extenders Gigabit port.
I hope this is of use to others.
RTL8153. Reaches virtually the available ~900Mbps download and upload available on my fibre. crashes occasionally under load. Fail!
AX88179. Limited to 250Mbps, but reliable. Fail!
RTL8256BG. Reaches the available bandwidth. Seems reliable depite my attempts to break it with speed test, Teams etc. Win!
With various packages like a blocklist in Unbound, Crowdsec and Intrusion Protection turned on, the most CPU useage I see is 20%. Memory, far less than 1G. My reason for switching from my recent TP-Link AX73 device is mainly because their firewall setting is now an android-controlled paid app. So I have that set up as an AP with an RE705 extender located in the other end of the house. That gives me reliable +-800Mbps over wifi(6) tapped into the extenders Gigabit port.
I hope this is of use to others.
#10
26.1, 26,4 Series / Re: Enforcing DNS through OPNs...
Last post by TarteTatin - Today at 07:08:22 PMHey nero355,
You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.
Thanks to you, I had a better look at it!
You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.
Thanks to you, I had a better look at it!
