Recent posts

#1
26.1 Series / Lost my IPv6 prefix
Last post by robled - Today at 02:19:59 AM
After upgrading to 26.1 I lost my IPv6 prefix.  My ISP is Google Fiber, and they generally do IPv6 the right way, with DHCPv6 PD, and give out a /56 prefix.  Worked fine with previous OPNsense versions.  With tcpdump I can see some DHCPv6 activity:

16:46:46.740180 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:46:46.742118 IP6 fe80::1.547 > fe80::3eec:efff:fe27:ea7e.546: dhcp6 advertise
16:46:47.740534 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 request
16:46:47.742462 IP6 fe80::1.547 > fe80::3eec:efff:fe27:ea7e.546: dhcp6 reply
16:46:57.892093 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:46:58.970018 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:01.022492 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:04.989532 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:13.057771 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:47:28.683178 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit
16:48:01.233762 IP6 fe80::3eec:efff:fe27:ea7e.546 > ff02::1:2.547: dhcp6 solicit

I know there are a lot of changes with regards to IPv6 in this release.  I began clicking around with the new options, trying out various permutations, like Identity Association and Track Interface (legacy).  But it seems that things never progress that far, because my WAN interface never seems to get an IPv6 address or a prefix to delegate to the LAN interfaces.  I did convert my firewall rules to the new format and deleted the legacy rules.  Just to see if the new firewall config was causing issues I added a rule to allow inbound UDP 546 with no effect.

I'm posting some screenshots of my current config.  Will be happy to provide more info and file a bug report if necessary once I learn more about what's going on.  Thank you.
#2
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by Patate - Today at 02:09:02 AM
Hello, I also have these errors;

/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/WAN_DHCP-quality.rrd' --step 0 DS:'loss:GAUGE:120:0:2500000000' DS:'delay:GAUGE:120:0:2500000000' DS:'stddev:GAUGE:120:0:2500000000' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"

I think it's within netflowd, but not sure

Reporting: Health --> Not working (No graph, but it's on)

What I have done

- reinstall rrdtool + reboot
- Firmware Audit (health) = no error
- Toggle rrd on/off/repair, etc...

OPNsense 26.1_4-amd64

Thx

Pat
#3
26.1 Series / Re: MiniUPNPD
Last post by burre90 - Today at 01:54:09 AM
Quote from: franco on January 30, 2026, 11:18:37 PM
I think I found it.  Looks like a feature removal gone wrong:

# opnsense-patch https://github.com/opnsense/core/commit/311184daa8
# /usr/local/etc/rc.filter_configure

It should bring back the required anchors.


Cheers,
Franco


Appears to be working for me now :)


#4
Quote from: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound.  I'm running OPNsense 25.7.11_9-amd64  with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem URLs posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx


#5
25.7, 25.10 Series / Re: DuckDB-related DNS/DHCP ou...
Last post by mawa2559 - Today at 12:56:10 AM
Well, a few days later and I'm really spinning my wheels.

With hostwatch disabled things were more stable for about 48 hours but the problems returned, only slightly different. DNS gets spotty but DHCP no longer drops out, however opnsense's IPv4 address becomes unreachable and unable to be pinged by any devices on the network. I can still log in to the webgui and am not seeing any helpful messages in any logs I can find.

For now, I've rolled DNS and DHCP over to a pihole docker container I was using previously - this has made things MUCH more stable, however the IPv4 address of opnsense still becomes unpingable 1-2x per day for seemingly no reason, continuing to cause network dropouts. Before the IPv4 address becomes unreachable, I can see https GET requests for URLs on the public internet start timing out intermittently. I'm going to try and get more metrics from opnsense using an additional node exporter but at this point I'm planning to get it off the network if I can't identify the cause and fix it soon.
#6
26.1 Series / Re: Suricata - Divert (IPS)
Last post by xpendable - Today at 12:22:19 AM
That's true, my OPNsense runs as a VM on XCP-ng, however I use SR-IOV with Intel X710 NICs. So never had an issue with using Netmap, but using the Divert method is way more efficient on memory usage. I have 16GB of memory allocated and before the memory would typically sit at 40-50% usage. I just checked and it's now down to about 10%. Will probably reduce the memory allocation in the near future as the system obviously doesn't need it anymore.
#7
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
Last post by ligand - Today at 12:03:35 AM
Here are the log files I sent Simon

https://drive.google.com/file/d/1N16fclaKNR6PaC3_f82hPn-mGaoRsuzI/view?usp=sharing

I couldn't post them directly here.
#8
26.1 Series / Re: RTSP proxy does not work a...
Last post by JGeek00 - January 30, 2026, 11:57:43 PM
It's not. It was originally developed by someone else but I ended up taking that code, applying some fixes and installing manually on my machine. It has been doing its job since then. After upgrading from 25.7.11 to 26.1 it still worked in terms of not crashing, but it wasn't doing its job because it can no longer capture the requests that the tv box sends to the RTSP server. I never submitted the plugin to the plugins repo because I think the code quality is not good enough to be used by someone else (I'm not a python dev, I fixed it just enough for it to work), but it was doing its job for me. I started using it with OPNsense 24 and it never failed or crashed. And as far as I know there's no "compatibility mode" for the firewall on 26.1 that would allow me to continue using the plugin. Also on that plugins list I see that igmp-proxy is no longer maintained (I also use it). I'm a bit concerned that some future update will include a breaking change that will cause also igmp-proxy to stop working.
#9
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
Last post by ligand - January 30, 2026, 11:57:24 PM
Yup.  I restarted dnsmasq after the update. 




#10
26.1 Series / Re: 26.1 is out!!!
Last post by nero355 - January 30, 2026, 11:32:49 PM
Quote from: OPNenthu on January 30, 2026, 05:42:54 PM
UPDATE: to close the loop, I was able to bring the bridge interface down with 'nmcli conn down br0', but the inverse 'nmcli conn up br0' returned success and never actually brought it up.
I followed up with 'nmcli device up br0' and this timed out (failed).

I then used the GUI toggle switch for the parent interface (which was already up in 'ip a' but showed as down in the GUI) and it brought it back up.
However the same toggle switch does not bring the br0 interface down :P

So it's quite an inconsistent mess.  Probably either a Mint / Ubuntu bug, or my configuration is just too complex or I set it up incorrectly.
There are a couple more nmcli options I see mentioned in the man page: Maybe try those too?

Another option is nmtui which might help.

And if you are in for an adventure you could try configuring networking via SystemD and remove NetworkManager completely like I did last year :)