Recent posts

#1

General Discussion / Multi-WAN IPv6 Prefix Deprecat...

Last post by ciaduck - Today at 12:03:11 AM

I'm having some issues with multi-wan failover using IPv6.

WAN is DHCPv6

WAN2 is set to SLAAC via LTE Modem, I'm not as concerned that this doesn't seem to work for ipv6 at the moment. I've been able to get things to work with NPT, but I think I will assign dedicated NAT addresses in the future, because NPT needs to also be updated every time the WAN prefix changes.

LAN is set to "Track Interface"

I'm using radv "Router Advertisements" in the services.
It set to "Assisted" with "Automatic" source address.
I've not set any advanced options, everything is default.

I tested my failover by unplugging the cable from my cable modem. When service was restored, the gateway monitoring functioned, and fail to LTE was fine. Once I plugged it back in, I noticed a lot of delay trying to get to test-ipv6.com

I had the same issue on my phone. I cycled the wifi connection on and off and it solved it.

I can see from a windows client that I still have the old prefix/address.

What can I do to solve this issue? I'd like to have clients properly deprecate/abandon an old address when the WAN flaps.

Here is an example output from ifconfig. The c881 is the new address, and the c800 is the old one.

Code Select Expand

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.arpa
   IPv6 Address. . . . . . . . . . . : 2601:281:c881:fb80:1a7a:5927:4cd4:e21b
   IPv6 Address. . . . . . . . . . . : 2601:281:c800:3910:3e2f:a436:d203:d072
   Temporary IPv6 Address. . . . . . : 2601:281:c800:3910:a512:d226:8873:46cb
   Temporary IPv6 Address. . . . . . : 2601:281:c881:fb80:a857:a7c4:21fe:3929
   Link-local IPv6 Address . . . . . : fe80::d1fd:217e:6ec2:961%25
   IPv4 Address. . . . . . . . . . . : 192.168.1.161
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
Should I set radv lifetimes to something more aggressive than the defaults?

#2

26.1, 26,4 Series / Re: Rules [new] vs. Rules

Last post by nero355 - May 25, 2026, 11:59:36 PM

Now my question and request to help/hints is: where should I create new firewall rules in OPNsense?

I feel like your issue does not sound like allowing the traffic you mentioned but more like making sure Static-port is applied for this Client after Enabling Hybrid NAT : Am I right ?


/Just checking...

#3

26.1, 26,4 Series / Re: issue with update with pkg...

Last post by nero355 - May 25, 2026, 11:52:25 PM

Nothing applies to this user!

As we say here : "Did not know you would get mad!"

LOL! :P

#4

Hardware and Performance / Re: TOPTON Mini PC Running OPN...

Last post by nero355 - May 25, 2026, 11:48:19 PM

the issue is that the power connector and data connector are so close together they cant be both in at the same time.

And it's not one of those connector combinations that need a special cable when you want to actually use them ?

I think my TopTon has the same one that one of my older AsRock motherboards use :)

#5

Hardware and Performance / Re: DEC750 NVMe thermal pad?

Last post by nero355 - May 25, 2026, 11:44:11 PM

PS: yes, that is two layers of masking tape on the DEC750 power LED, it is just waaayyyy too bright.

There is a simple solution for bright LEDs used by PC cases/Servers/etc. => https://sleepbetterco.com/blackout-stickers/ :)

You can find these pretty much anywhere and from different brands so check your favorite eBay/Amazon/AliExpress-like website and order some :P

#6

Hardware and Performance / Re: CPU Recommendations?

Last post by nero355 - May 25, 2026, 11:38:10 PM

I obviously won't have 10G service from my ISP, but I'd like to upgrade my local networks to 10G.  Do I absolutely need that, no.  But we do stream a lot of movies from our local NAS servers and sometimes across the internet from a remote NAS.  We do have a fair amount of 4K movies to stream.  We're in the PLEX eco system for all of our media.

You don't need 10 Gbps for that : Movies needing more than 120 Mbps are rare AFAIK so in theory you can stream 8 of those via 1 Gbps ;)

I don't see any WAN Connection info :
- Does your ISP perhaps use PPPoE ?
- What will be the WAN bandwidth ?

#7

General Discussion / Re: Average CPU temperature go...

Last post by nero355 - May 25, 2026, 11:32:59 PM

Another thing that is weird is that after changing the thermal paste it stays below 40 for the entire night then stays at 60 never goes down to 55.

Sounds normal to me : Seen it enough times in the past with active cooled PCs too! :)

#8

Hardware and Performance / Re: CPU Recommendations?

Last post by XrayDoc88 - May 25, 2026, 11:32:25 PM

Budget is fluid.  I have to build or buy two mini PCs so I'd like to keep each purchase less than about $700.  The actual price will depend a lot on the current pricing of RAM, which is still ridiculous.  I obviously won't have 10G service from my ISP, but I'd like to upgrade my local networks to 10G.  Do I absolutely need that, no.  But we do stream a lot of movies from our local NAS servers and sometimes across the internet from a remote NAS.  We do have a fair amount of 4K movies to stream.  We're in the PLEX eco system for all of our media.  Plus, I work remotely and want the fastest site-to-site VPN, internet download speeds, etc.

[Strict NAT]

#9

General Discussion / Re: P2P gaming between two com...

Last post by nero355 - May 25, 2026, 11:26:32 PM

In our setup, our ISP's provided router gives out private addresses (10.0.0.x), so that's what OPNSense's WAN interface gets.

I can say though that if one of us connects directly to the ISP router (bypassing OPNSense), we're able to play together successfully.
Obviously that's not ideal.

Does your network have Managed Switches that can handle VLAN Tagging ?

If so, then just create a VLAN in which you connect the ISP Router as a Untagged Device and forward it also Untagged to the LAN Ports of the two Gaming PC's and you are DONE! :)

This is the same situation as the previous wifi router, which worked fine, so I know this is possible without changing the ISP router. I'm still fairly new getting into the nuts and bolts of NAT (and UPnP), so I'm not really sure how to troubleshoot this.

You only need UPNP if you want to have Automatic Port Forwards for your Clients so their NAT Status is OPEN instead of Moderate or Strict.

- Default OPNsense configuration = Strict NAT
The Client Port and WAN Port are different in this case : LAN Port 34976 becomes WAN Port 54298 for example for one Client.

- When you configure Outbound NAT (In the future Source NAT) to Hybrid and create a Static-port NAT Rule with an Alias that contains all your Clients that require 1:1 Port Mapping during NAT = Moderate NAT
The Client Port and WAN Port are the same in this case : LAN Port 34976 stays WAN Port 34976 for example for one Client.

- When you Enable UPNP or create Port Forwards (Destination NAT Rules) then you open your network to anyone connecting from the Internet to it either temporary (UPNP) or permanently (Port Forward) and expose services and hosts on your LAN this way = OPEN NAT
The Client Port and WAN Port are the same in this case : LAN Port 34976 stays WAN Port 34976 for example for one Client.
And added to that is the fact that ANYONE can connect to them at any time instead of only when you initiate the connection !!



Now to get to the silly Gaming P2P stuff for any game that needs it :

IMHO you should keep things at Moderate NAT since this will connect you with more than enough fellow gamers out there.

To give you an idea of what is possible :
- OPEN NAT can connect to EVERYONE.
- Moderate NAT can connect to OPEN NAT.
- Moderate NAT can connect to Moderate NAT.
- Moderate NAT can NOT connect to Strict NAT.
- Strict NAT can ONLY connect to OPEN NAT.



I hope this cleared up some stuff for you when it comes to NAT behaviour and Games that use P2P Networking instead of Dedicated Servers like they should ;)

#10

26.1, 26,4 Series / I'm having problems with IPv6 ...

Last post by PoMpIs - May 25, 2026, 11:17:56 PM

Hello, 😊

I have a problem related to LAN link state events in OPNsense 26.1.8_5.

Environment:

* OPNsense 26.1.8_5-amd64
* FreeBSD 14.3-RELEASE-p12
* PPPoE WAN
* Digi Spain FTTH
* DHCPv6 PD (/56)
* Identity Association mode (not legacy Track Interface)
* KEA only for IPv4
* Classic RADVD RA

What works:

* WAN receives IPv6 correctly
* PD /56 delegated correctly
* LAN gets /64 correctly
* IPv6 routing works perfectly

The issue:
A simple physical LINK DOWN event on a LAN interface consistently breaks dhcp6c.

Reproduction is extremely reliable:

* OPNsense directly connected to a PC on a LAN interface ( OpnSense is the network core; everything connects to it. I don't use switches. OpnSense has a Mellanox X4 LX, a 4-port i226v, and an Intel X550 T2. And each PC is a separate LAN )

* Turn the PC OFF
* LAN link goes DOWN
* Immediately dhcp6c restarts and enters SOLICIT loops

Typical logs:

duplicated interface: pppoe0
remove a site prefix ...
remove an IA: PD-17
restarting
Sending Solicit on pppoe0
```

I also repeatedly observed:

* `/var/etc/radvd.conf` losing all `prefix .../64` entries
* only DNSSL remaining
* IA_PD disappearing temporarily
* IPv6 connectivity dying completely

Very important finding:
If I insert a dumb unmanaged Ethernet switch between OPNsense and the PC:

OPNsense <-> switch <-> PC

the problem disappears completely.

I can:

* turn the PC off/on repeatedly
* reboot the PC
* flap the client NIC
* and IPv6 remains stable forever

This strongly suggests the trigger is specifically the physical LAN interface link-state transition reaching OPNsense.

Additional things tested:

* Identity Association vs Track Interface
* Rapid Commit disabled
* Prefix Hint enabled/disabled
* Prevent Release enabled
* Shutdown Advertisement OFF
* Different prefix IDs
* Different MTUs

None solved the core issue.

In my case, after a LAN link event triggers dhcp6c into SOLICIT state, the delegated prefix gets cleared immediately and the whole IPv6 stack starts collapsing/rebuilding.

This issue seems extremely similar to older reports from 2023/2024 mentioning:

* LAN link-state events
* disappearing IA_PD
* duplicated interface: pppoe0
* recovery after manual interface reload
* radvd.conf losing prefixes

I don't know what else to do.

Thanks for all the ongoing IPv6 work.