Recent posts

#1
26.1, 26.4 Series / Re: 26.1.9 broke my DNS?
Last post by passeri - Today at 09:07:01 AM
Quote from: newsense on Today at 08:54:03 AM
Quote from: passeri on Today at 08:05:40 AM
I upgraded my internal (not edge) router to 26.1.9 this morning (AEST), promptly losing DNS resolution

Did you try a health check?

Anything unusual in unbound debug logs ?

Will try, and check. Currently it is unplugged. Tomorrow I will have time to set up to test those things without breaking internet for anyone else in the process.
#2
26.1, 26.4 Series / Re: "Inverting destinations is...
Last post by techturtle - Today at 09:04:57 AM
Quote from: Patrick M. Hausen on June 02, 2026, 08:28:30 PM
If you have an active connection which you intend to block the problem is possibly not that your aliases are not updated in a timely fashion, but that you need to flush the firewall states.

Active connections or firewall states are rather unrelated here, no need to touch anything on these. I am just asking for an immediate consistency between parent and nested child alias entries at any point in time with regards to firewall rule matching.

Quote from: techturtle on May 30, 2026, 10:48:08 AM
My case is IPset firewall alias with dnsmasq.

The flow is like:
> declare parent alias P
> declare external alias C1
> nest C1 under P (workaround for rule negation with multiple dests; not sure if it works with external)
> optionally nest more aliases C2, CX under P, e.g. for static IP whitelists

Then for each request:
> dnsmasq resolves domain
> IP is put in C1
> Firewall whitelists packets whose dest IP is in P, blocks everything else (*1)

For (*1) it is crucial that the resolved IP is immediately synchronized from C1 to P and available for the rule. IIRC, last time I checked there was only eventual consistency, and this causes packets to be blocked on the first try. The connection only worked on the second try, as by then P was synced with C1.

If C1 is not nested, it works fine. But then I can't express "block if the destination is neither in C1 nor in C2" due to the limitation with negation and multiple dests.
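The consistency problem described in the post above (an IP already present in child alias C1 but not yet in parent alias P) can be checked directly on the firewall by diffing the pf tables behind the aliases. The script below is an added example and is not part of the post or of OPNsense itself; it assumes that OPNsense materialises each alias as a pf table of the same name, so live dumps would come from `pfctl -t <alias> -T show`, and the sample dumps, the alias names P/C1/C2 and the addresses in them are constructed for the example. Entries are compared by prefix containment rather than by string equality, so a parent entry 192.0.2.0/24 counts as covering a child entry 192.0.2.50.

```python
"""Report child-alias entries that are not (yet) covered by the parent alias.

Added example, not OPNsense code. Assumption: an alias named X is backed by a
pf table named X, dumpable with `pfctl -t X -T show`. The dumps below are
constructed sample output, not captured from a real system.
"""
import ipaddress
import subprocess
from typing import Dict, Iterable, List

# Constructed sample of `pfctl -t P -T show` (parent alias P).
PARENT_DUMP = """\
   192.0.2.0/24
   203.0.113.10
"""

# Constructed samples of `pfctl -t C1 -T show` and `pfctl -t C2 -T show`.
# C1 holds IPs resolved by dnsmasq; C2 is a static whitelist nested under P.
CHILD_DUMPS: Dict[str, str] = {
    "C1": """\
   203.0.113.10
   203.0.113.11
""",
    "C2": """\
   192.0.2.50
""",
}


def parse_table(dump: str) -> List[ipaddress._BaseNetwork]:
    """Turn `pfctl -T show` output into ip_network objects (hosts become /32 or /128)."""
    nets = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # pfctl prefixes negated entries with "!"; the address itself follows it.
        nets.append(ipaddress.ip_network(line.lstrip("!"), strict=False))
    return nets


def covered(entry: ipaddress._BaseNetwork, parent: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the child entry lies inside any parent entry of the same IP version."""
    return any(entry.version == p.version and entry.subnet_of(p) for p in parent)


def missing_from_parent(parent_dump: str, child_dumps: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {child_alias: [entries not covered by the parent]} -- the stale set.

    An empty dict means parent and children are consistent at the time of the dump;
    anything listed here would be blocked by a rule that matches on P only.
    """
    parent = parse_table(parent_dump)
    stale: Dict[str, List[str]] = {}
    for name, dump in child_dumps.items():
        gaps = [str(n) for n in parse_table(dump) if not covered(n, parent)]
        if gaps:
            stale[name] = gaps
    return stale


def read_live_table(name: str) -> str:
    """Dump a real pf table; only works on the firewall itself as root (assumed table name == alias name)."""
    return subprocess.run(
        ["pfctl", "-t", name, "-T", "show"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # On a live box: missing_from_parent(read_live_table("P"), {c: read_live_table(c) for c in ("C1", "C2")})
    print(missing_from_parent(PARENT_DUMP, CHILD_DUMPS))
```

With the sample data the only stale entry is 203.0.113.11 in C1: it has been resolved into the child table but is not in P, which is exactly the window in which the first connection attempt is blocked. Running the live variant in a loop right after a DNS lookup shows how long that window is on a given system.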
#3
26.1, 26.4 Series / Re: 26.1.9 broke my DNS?
Last post by newsense - Today at 08:58:28 AM
Quote from: Mr.Goodcat on Today at 08:42:35 AM
Same issue here. Neither multiple restarts of unbound, dns-crypt and OPNsense nor a rollback to 26.1.5 (the entire VM image) fixed it.

If a rollback failed, it is more likely you experienced a brief internet outage that messed up the SSL connections in dnscrypt.
#4
26.1, 26.4 Series / Re: 26.1.9 broke my DNS?
Last post by newsense - Today at 08:54:03 AM
Quote from: passeri on Today at 08:05:40 AM
I upgraded my internal (not edge) router to 26.1.9 this morning (AEST), promptly losing DNS resolution

Did you try a health check?

Anything unusual in unbound debug logs ?
#5
26.1, 26.4 Series / Re: 26.1.9 broke my DNS?
Last post by Mr.Goodcat - Today at 08:42:35 AM
Same issue here. Neither multiple restarts of unbound, dns-crypt and OPNsense nor a rollback to 26.1.5 (the entire VM image) fixed it. Yet, pings from OPN to e.g. 8.8.8.8 worked. Didn't have the time to check beyond this, but it seems quite odd.

Update: the rollback is now back up. No idea what happened there. Will go back to the latest version later in the day and report back to nail this down.
#6
26.1, 26.4 Series / Re: [Solved] Connectivity Audi...
Last post by franco - Today at 08:31:45 AM
Nice idea, thank you. Implemented in https://github.com/opnsense/core/commit/74e76cbeaf


Cheers,
Franco
#7
26.1, 26.4 Series / Re: System: Firmware: Updates:...
Last post by franco - Today at 08:19:39 AM
No, the commit that changed the behaviour was in 26.1.8. I wrote the fix while testing 26.1.9. The fix will be part of 26.1.10.


Cheers,
Franco
#8
26.1, 26.4 Series / 26.1.9 broke my DNS?
Last post by passeri - Today at 08:05:40 AM
I upgraded my internal (not edge) router to 26.1.9 this morning (AEST), promptly losing DNS resolution although I could still ping external IP addresses. Reverting to the 26.1.8_5 snapshot did not resolve the problem. Absolutely nothing else was changed, this was a routine upgrade process. Has anyone else encountered this, such that I should report it formally?

All DNS is through Unbound on the edge. The internal router's Unbound points to the edge router.

For clarity I did not upgrade the edge router, so the other nets which do not pass through the internal router continued to behave normally. When I replaced the internal router with a switch then normal behaviour returned as expected.
#9
Quick update:

The FreeBSD fix has now been merged:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295351

and OPNsense has already shipped an updated cpu-microcode-intel package (20260512).

However, after upgrading and rebooting, my system still reports:

CPU microcode: no matching update found

The system is a Protectli VP6630 with an Intel i3-1215U running Dasharo/coreboot 0.9.0.

So the original FreeBSD issue was real and has been fixed upstream, but my specific Alder Lake R0 system still does not appear to receive a microcode update. I have added the new findings to the FreeBSD bug report for further investigation.

Will be interesting to see what the root cause turns out to be.
#10
Hi,

Did anyone find a solution to this?