Recent posts

#1
Quote from: dseven on Today at 05:54:32 PM
but do these ping failures start happening at exactly the same time as the DHCP lease renewal failures?

Just a few minutes ago I had this happen:

<13>1 2026-05-27T10:47:08-04:00 router.home.lab dhclient 25229 - [meta sequenceId="1"] dhclient-script: Reason RENEW on igc1 executing
<13>1 2026-05-27T10:47:08-04:00 router.home.lab dhclient 27148 - [meta sequenceId="2"] dhclient-script: Creating resolv.conf
<27>1 2026-05-27T11:47:08-04:00 router.home.lab dhclient 40635 - [meta sequenceId="1"] send_packet: Host is down
<27>1 2026-05-27T11:47:10-04:00 router.home.lab dhclient 40635 - [meta sequenceId="2"] send_packet: Host is down
<27>1 2026-05-27T11:47:14-04:00 router.home.lab dhclient 40635 - [meta sequenceId="3"] send_packet: Host is down
<27>1 2026-05-27T11:47:25-04:00 router.home.lab dhclient 40635 - [meta sequenceId="4"] send_packet: Host is down
<27>1 2026-05-27T11:47:57-04:00 router.home.lab dhclient 40635 - [meta sequenceId="5"] send_packet: Host is down
<27>1 2026-05-27T11:48:12-04:00 router.home.lab dhclient 40635 - [meta sequenceId="6"] send_packet: Host is down
<27>1 2026-05-27T11:48:30-04:00 router.home.lab dhclient 40635 - [meta sequenceId="7"] send_packet: Host is down
<27>1 2026-05-27T11:48:45-04:00 router.home.lab dhclient 40635 - [meta sequenceId="8"] send_packet: Host is down

I rebooted the router after that and made my EEE changes. But again, it feels EXTREMELY SUSPICIOUS that at 10:47:08 it did a RENEW, then at 11:47:08 host down messages started.

Unfortunately I didn't get a snapshot of the leases BEFORE the reboot, but here's what I see right now:

Lease #1
  renew 3 2026/5/27 15:47:08;
  rebind 3 2026/5/27 16:32:08;
  expire 3 2026/5/27 16:47:08;

Lease #2
  renew 3 2026/5/27 17:02:16;
  rebind 3 2026/5/27 17:47:16;
  expire 3 2026/5/27 18:02:16;

Again, I rebooted before the second (new) lease got assigned, hence the slight discrepancy in time shift there.

Just for clarification, the ISP is pushing 7200 for lease time, so OPNsense tries to renew it at 3600 it seems, but then I think it's failing to truly renew or something weird?
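A check for the timing coincidence described in this post, added here as an example and not code from the thread or from OPNsense: it parses the dhclient syslog lines and the lease-file timers, normalises both to UTC, and reports whether the first send_packet failure lands exactly on the lease's renew (T1) time. The sample lines are constructed in the shape of the ones above; treating the logged RENEW as the start of the lease whose timers follow is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the lines in the post (syslog stamps carry the local -04:00 offset).
SYSLOG = """\
<13>1 2026-05-27T10:47:08-04:00 router.home.lab dhclient 25229 - [meta sequenceId="1"] dhclient-script: Reason RENEW on igc1 executing
<13>1 2026-05-27T10:47:08-04:00 router.home.lab dhclient 27148 - [meta sequenceId="2"] dhclient-script: Creating resolv.conf
<27>1 2026-05-27T11:47:08-04:00 router.home.lab dhclient 40635 - [meta sequenceId="1"] send_packet: Host is down
<27>1 2026-05-27T11:47:10-04:00 router.home.lab dhclient 40635 - [meta sequenceId="2"] send_packet: Host is down
"""
# Constructed lease-file timers in dhclient.leases format (weekday date time, always UTC).
LEASE = """\
  renew 3 2026/5/27 15:47:08;
  rebind 3 2026/5/27 16:32:08;
  expire 3 2026/5/27 16:47:08;
"""
SYSLOG_RE = re.compile(r"^<\d+>1 (\S+) \S+ (\S+) \d+ - \[[^\]]*\] (.*)$")
LEASE_RE = re.compile(r"^\s*(renew|rebind|expire) \d (\d+)/(\d+)/(\d+) (\d+):(\d+):(\d+);")

def parse_syslog(text):
    """Return (utc_timestamp, message) for every dhclient line, offset normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group(2) == "dhclient":
            ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
            events.append((ts, m.group(3)))
    return events

def parse_lease(text):
    """Return {"renew": dt, "rebind": dt, "expire": dt} as aware UTC datetimes."""
    timers = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            y, mo, d, h, mi, s = (int(x) for x in m.groups()[1:])
            timers[m.group(1)] = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    return timers

def check_renewal(events, timers):
    """Assumption: the logged RENEW marks the start of the lease whose timers are given."""
    start = next(ts for ts, msg in events if "Reason RENEW" in msg)
    first_fail = next((ts for ts, msg in events if "Host is down" in msg), None)
    lease_time = int((timers["expire"] - start).total_seconds())
    t1 = int((timers["renew"] - start).total_seconds())
    fail_after = None if first_fail is None else int((first_fail - start).total_seconds())
    return {"lease_time": lease_time, "t1": t1, "first_failure_after": fail_after,
            "failed_at_t1": first_fail == timers["renew"]}
```

Running `check_renewal(parse_syslog(SYSLOG), parse_lease(LEASE))` on the sample gives lease_time 7200, t1 3600 and failed_at_t1 True, i.e. the failures start on the lease's own renew timer rather than at a random moment.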

#2
26.1, 26.4 Series / Re: WAN connectivity problems ...
Last post by dseven - Today at 05:54:32 PM
Quote from: SilentAgnostic on Today at 04:29:18 PM
I have monitoring set up in different networking tools, including Uptime Kuma and some others. I also verified via SSH on the opnsense router that I was unable to ping my first hop at the ISP, but I was able to ping my "locally assigned WAN IP"

but do these ping failures start happening at exactly the same time as the DHCP lease renewal failures?
#3
I don't think this is a NUT issue, but something more specific to the OPNsense pkg. I am running mine in net client mode with a FreeBSD host actually connected to the UPS. That FreeBSD server is running NUT installed from a local Poudriere build, version 2.8.5_1. The server is working without issue.
root@supermicro:/ # pkg info nut-2.8.5_1
nut-2.8.5_1
Name           : nut
Version        : 2.8.5_1
Installed on   : Wed May 27 06:48:15 2026 CDT
Origin         : sysutils/nut
Architecture   : FreeBSD:15:amd64
Prefix         : /usr/local
Categories     : sysutils
Licenses       : GPLv3+, GPLv2+, ART10, GPLv1+
Maintainer     : cy@FreeBSD.org
WWW            : https://www.networkupstools.org/
Comment        : Network UPS Tools
#4
26.1, 26.4 Series / Re: OPNsense 26.1.8_5 Freezes ...
Last post by xenon2008 - Today at 05:38:31 PM
Hello together,
Thank you for the numerous replies.

Quote from: BrandyWine on Today at 06:46:02 AM
What does the console say?

Unfortunately, I don't have a monitor at the location of the firewall, so I can't say for sure, and I can't access it via SSH anymore.

The device is running, the NICs are active, but there's no communication to or through the firewall. If it were "just" Suricata, I should at least get an IP address from the firewall's DHCP service, right? Because that doesn't work in this state either.

Quote from: punq on Today at 08:01:43 AM
I'm experiencing something very similar, every 2 weeks or so, it just dies. Manually assigned IP, and tried ping, no response.

I have worked through logs (with claude) and found nothing.

cpu temps look good, and memory seems stable. A reboot clears it right up.

Any advice on what to look for would be greatly appreciated. I added some screenshots of WAN/LAN traffic.


I don't want to say I'm "happy" that others are also having this problem, but it's definitely reassuring not to be the only one.

It seems to have started with the last update – I had already migrated the firewall rules before (with the last update), and as far as I know, there weren't any problems then.
Unfortunately, I didn't take a snapshot, otherwise I could go back.

Quote from: nero355 on Today at 04:15:49 PM
Quote from: xenon2008 on Today at 03:06:16 AM
At first I thought it was due to my old hardware, so I bought a brand new CWWK mini Firewall, reinstalled OPNsense, and restored the backup file.
It ran fine for a few days, but today the exact same problem happened again, just like on the old hardware.
And if you don't use the old config.xml and start from scratch with a very basic setup and use that for a while: do you experience the same issue(s)?

I honestly can't say what it's like without a backup file, and I can't even test it because I'd have to reconfigure everything manually.

But there haven't been any changes to the firewall's configuration for months, and I still have about 10 different old configuration versions. At least the last two always have the same problem.

Unfortunately, I can't say exactly how often it happens; sometimes it's after 1-2 days, or sometimes after a week. I haven't found a way to reproduce it yet.

But in my opinion, this seems to be a software problem, especially since I'm not the only one experiencing it.

Kind regards
#5
Hi Cedrik,

Thanks a lot for the detailed answer and the pointers to the source. After going through both files, all four points are now clear:

1. state — sourced directly from Kea's native lease state (lease.get("state", 0) in get_kea_leases.py), so always an integer (Kea's enum: 0=default, 1=declined, 2=expired-reclaimed, 3=released). Stable as long as Kea's own data model is.

2. is_reserved — your explanation matches the code in get_reservation_keys: any of "hwaddr", "duid", "client_id", with the array carrying one entry per matched identifier (and the subnet-id scoping comment on build_reserved_matches is a nice touch — explains exactly why client roaming doesn't false-positive).

3. Top-level interfaces — looking at LeasesController.php confirms it's the json_encode behaviour on an empty PHP array: $interfaces starts empty and only becomes associative once a record's interface resolves via the if-map. With zero matching records, it stays empty and serializes as a JSON array rather than an object. So consumers need to handle both shapes defensively (or, in our case, simply ignore the field — the per-interface map can be rebuilt from each row's if / if_descr).

4. API stability — "major redesigns done, mostly bug fixes from here" is exactly the commitment we needed. The careful subnet-id reasoning in the script reinforces that the design is being maintained thoughtfully. Good enough basis to commit to the current types on the exporter side.

I'll link this thread back at AthennaMind/opnsense-exporter#105 for the record. Thanks again for taking the time.

— Golden Garlic (garlicKim21 on GitHub)
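A consumer-side sketch of the two points above, added here as an example and not code from OPNsense or from opnsense-exporter (which is written in Go; Python is used here for brevity): it maps Kea's integer lease state to a name, flattens is_reserved, and tolerates the top-level interfaces field arriving as either an object or the empty array that json_encode emits for an empty PHP array, rebuilding the map from each row's if / if_descr instead. The sample payloads are constructed; their field names follow the thread, but the exact wire format is an assumption.

```python
import json

# Kea's lease-state enum as listed in the thread.
KEA_STATE = {0: "default", 1: "declined", 2: "expired-reclaimed", 3: "released"}

# Constructed samples: the two shapes a consumer can receive. Field names follow the
# thread (rows, interfaces, if, if_descr, state, is_reserved); the wire format is assumed.
EMPTY = json.loads('{"rows": [], "interfaces": []}')
POPULATED = json.loads("""{
  "rows": [
    {"address": "192.0.2.10", "if": "igc0", "if_descr": "LAN", "state": 0, "is_reserved": ["hwaddr"]},
    {"address": "192.0.2.11", "if": "igc0", "if_descr": "LAN", "state": 3, "is_reserved": []},
    {"address": "198.51.100.7", "if": "igc2", "if_descr": "GUEST", "state": 1, "is_reserved": ["duid", "client_id"]}
  ],
  "interfaces": {"igc0": "LAN", "igc2": "GUEST"}
}""")

def interface_map(payload):
    """Tolerate both the object and the empty-list shape; rebuild from rows when needed."""
    raw = payload.get("interfaces")
    if isinstance(raw, dict) and raw:
        return dict(raw)
    return {r["if"]: r.get("if_descr", r["if"]) for r in payload.get("rows", [])}

def normalize_rows(payload):
    """Map the integer state to its name and flatten is_reserved into a flag plus identifiers."""
    out = []
    for r in payload.get("rows", []):
        state = r.get("state", 0)
        if not isinstance(state, int):
            raise ValueError(f"unexpected state type for {r.get('address')}: {state!r}")
        reserved_by = tuple(r.get("is_reserved") or ())
        out.append({"address": r["address"], "if": r["if"],
                    "state": KEA_STATE.get(state, f"unknown({state})"),
                    "reserved": bool(reserved_by), "reserved_by": reserved_by})
    return out

def lease_counts(payload):
    """Per-(interface, state) counts, the aggregation an exporter would publish."""
    counts = {}
    for r in normalize_rows(payload):
        key = (r["if"], r["state"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```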
#6
26.1, 26.4 Series / Re: OPNsense 26.1.8_5 Freezes ...
Last post by punq - Today at 05:23:14 PM
Quote from: bestboy on Today at 10:25:51 AM
I seem to have similar issues. The firewall seems to be still up & running, but it seems to shut out everything. The issue reminds me of the "new" startup behavior with divert-to rules: all traffic is dropped until the Suricata service is up & running. But this is happening after a day of uptime and the service (probably) up. In the suricata logs I found these errors:

Error
suricata
[100216] <Error> -- thread W-8000 failed

Warning
suricata
[101690] <Warning> -- Write to ipfw divert socket failed: No buffer space available



I'm not sure what buffer space ran out. mbufs seemed to be fine when checking the health graph in reporting. I'm running with kern.ipc.nmbclusters = 1000000

Unfortunately I just upgraded the system on the weekend from the rock solid 25.7.11. I also did the rules migration and migrated Suricata to the new divert-to functionality. So many moving parts changed in just a few days.
To me the problem "feels" to be firewall related so my first mitigation attempt is to revert the divert-to changes back to netmap for now.

I'm using a Protectli FW2B on CoreBoot with an Intel Celeron J3060

I haven't enabled intrusion detection in mine. I do use MaxMind geoblock and CrowdSec.
#7
Virtual private networks / Re: SOLVED - Gateway monitorin...
Last post by keeka - Today at 05:22:19 PM
Quote from: Bob.Dig on May 19, 2026, 12:58:04 PM
Just change the first "2" to a different number (e.g. 10.3.0.2).
I'm glad this solves things for the OP. How come it is accommodated by the remote peer?
I admit I don't understand wireguard at all well despite the fact it seems to be performing admirably for me on opnsense.
#8
Hardware and Performance / Re: quad interface firewall PC...
Last post by Greg_E - Today at 05:17:26 PM
Quote from: qarkhs on May 22, 2026, 09:49:13 PM
Quote from: Greg_E on May 21, 2026, 10:35:13 PM
There's not much Supermicro anymore

Supermicro makes "Compact Edge System" units with N97 CPUs and 2x 2.5GbE. I see these selling for around $400 online but they may be using Realtek networking. The ones with 2x i226 are more like $530. Some of the GigaIPC boxes use 2x i225/i226 with N97 and are significantly cheaper. AAEON and Jetway sell similar systems, some of which have more ports. Jetway is probably the cheapest--you can find their cheapest boxes for around $300. With all of these systems you usually need to add your own memory and drive. My experience of these types of systems is limited to a GigaIPC with 2x Intel 1GbE and a J6412 CPU. I bought it from a US reseller, although I think it shipped direct from Gigabyte USA, in November 2023 for $170. After adding memory and storage it was $250. It was cheap and it's been very reliable.

See: https://www.supermicro.com/en/products/edge/compact-edge-systems

Thanks, I'm going to look through those compact edge models to see what I can see. Most of them come kitted out as an AI pc, but farther down it looks like I might be able to get something with a PCIe card slot. Not sure why I didn't locate those during my searches, but I need to get on this as money is about to expire so I need to spend it.
#9
Zenarmor (Sensei) / Re: Zenarmor performance expec...
Last post by Greg_E - Today at 05:11:46 PM
Please come back and share what you find. I have a slightly lower-end Xeon (closest to an i3 of about the same generation) and am getting around the same download on monitored interfaces. It's probably just the work that needs to be done to monitor, and the result is going to stay the same. Might be different with multithreaded performance.
#10
Zenarmor (Sensei) / Re: Provide firm date on multi...
Last post by Greg_E - Today at 05:08:22 PM
It seems like limiting the threads would be more work than it's worth. Once the code base migrates to multi-thread, it seems like it would be worth just keeping that for all versions.

It should be noted that they do offer a 50% discount for educational users (schools through higher ed). This was a few years ago and I haven't checked on it in a while.

I also think that homelab should have a special discount, but it's so hard to prove that this is really a lab and not a jerk running it in full production.