Recent posts

#1
Tutorials and FAQs / Re: [HOWTO] Configure IPv6 in ...
Last post by OPNenthu - Today at 12:14:43 PM
Quote from: Taunt9930 on April 18, 2026, 09:27:48 AM
Is there a latest and greatest summary of optimum setup steps that include the most recent changes to interface tracking that I can follow?

The tracking change isn't as dramatic as it might first seem.  I think the legacy mode ("Track interface") remains the same and they added "Identity Association" as a modern alternative now that ISC-DHCP is deprecated.  The manual explains it well:

https://docs.opnsense.org/manual/interfaces.html

Quote: Identity Association offers similar functionality like Track Interface (legacy), but without automatic ISC-DHCPv6 and Radvd configuration. It is intended for pure RA and DHCPv6 configuration using Dnsmasq or Kea/Radvd.

So, just change the mode to "Identity Association" and then double-check that Radvd (Services->Router Advertisements) is disabled on all your VLANs if you're using Dnsmasq.  I think that's about it.

Else the recommended IPv6 setup as laid out by @meyergru remains the same, AFAIK.
#2
German - Deutsch / Magic ping problem with OpenSen...
Last post by mrv - Today at 11:33:05 AM
Hello everyone,
I have a strange problem with my setup here.

Background details on the setup
Site 1 - OPNsense FW
Site 2 - OPNsense FW

An OpenVPN server runs at site 1.
Between site 1 and site 2 there is an IPsec tunnel with the OpenVPN private IP in P2.
So far that all works.

Now the problem:
I am connected to site 1 via OpenVPN.
I try to ping a system at site 2 -> timeout.
But if I ping the private IP of the OpenVPN client from site 2, I can then also ping systems at site 2 from the OpenVPN client.

If I reconnect OpenVPN and get a new private IP, it stops working again.

I see bytes out in the tunnel at site 1, but no bytes in at site 2.
As soon as I ping the private IP again from a system at site 2, the packets get through.


So I basically always need a magic ping from site 2 to the private IP for packets to get through.


Thanks and regards,
Mrv
#3
26.1, 26.4 Series / Enforcing DNS through OPNsense...
Last post by TarteTatin - Today at 11:03:21 AM
Hi,

I set up DNS enforcement on my OPNsense home network to force all devices through my local Unbound resolver (with blocklists), regardless of their configured DNS server.

Setup:
  • LAN firewall rules: pass DNS to OPNsense, block DNS to anywhere else, block DoT (port 853)
  • Destination NAT rule redirecting all port 53 traffic to OPNsense (self)

Problem:
Computers, VMs and Docker containers already using OPNsense as their DNS server started experiencing intermittent timeouts. The NAT redirect was intercepting their queries (already correctly destined for OPNsense) and creating a redirect loop.

Fix:
Added a "no redirect" NAT rule, matching DNS traffic already destined for OPNsense, before the destination NAT rule redirecting all port 53 traffic to OPNsense.

Final NAT order:
  • No redirection for DNS already targeting OPNsense
  • Redirect everything else to OPNsense
#4
General Discussion / Re: No IP from DuckDNS and Ded...
Last post by OPNenthu - Today at 11:01:53 AM
Quote from: Cobra on Today at 10:22:07 AM
IPv6, instead, always changes at midnight and, I think, even during the day.

Yeah, it's interesting to compare what different residential ISPs do w.r.t. dynamic IPv6.  I have experience with two here: Comcast and Verizon.  They are very different.  In both cases with DHCPv6-PD in OPNsense, the former one uses long-lived prefixes that rarely change (you could be forgiven for thinking it's static) and the latter changes them almost every time you look!  There are annoying tradeoffs either way.

The problem with the long-lived prefix is that SLAAC clients, especially those with privacy extensions, break whenever the modem reboots and causes a prefix deprecation for the same prefix that is going to be used again.  It doesn't sound too problematic until you realize that Comcast reboots frequently (it feels like weekly, at least).

The problem with the short-lived ones is just that your clients accumulate all the prefixes and if they're using privacy extensions you could imagine dozens of deprecated addresses in 'ip a' or 'ifconfig' output :P  But the network heals quickly / doesn't break.  (Side note: I bet these are probably the users that complain the most about all of the addresses appearing in Hostwatch / Automatic Discovery.)

I digress.

Quote from: Cobra on Today at 10:22:07 AM
I created two accounts on DuckDNS and Dedyn.io.

Why both?

I use DuckDNS and it does work with the os-ddclient plugin.  I use the native backend in General Settings with interval=300.

Attaching a screenshot of my IPv4 ddclient config.  Put your DuckDNS domain name in the "Hostname(s)" field.  For IPv6 you would just clone it and change the "Check ip method" to "Interface [IPv6]". 

Once that is working, then you can move on to setting up the ACME client with the DNS-01 challenge type.  You'll need the DuckDNS API token.  There's one "gotcha" that's very important for certificate renewal to work with DuckDNS: you need to set the "DNS Sleep Time" parameter in the challenge type settings to some value (I use 120) which gives enough time for propagation.  Else it tends to fail.
#5
26.1, 26.4 Series / Having SSL for all home networ...
Last post by bookie56 - Today at 10:38:10 AM
Hi guys!
New guy on the block....and before I get shot down...I know that my question has been asked before...just that searching on the forum is not easy...

Here is the situation....
I have a home network consisting of many computers, some Windows, most Linux....
It would be nice to be able to access everything on my home network without getting "SSL certificate is not safe"...
Yes, I know how to add self-signed ones....but it means adding the certificates on all devices in my network...bit time consuming.

Is there a kind soul here that can get me up and running with that....?
I have heard good things about duckdns...but am open to advice from those that can....

I have only recently made the switch from pfSense to OPNsense.....when something is open source it should be left open source....or still provide the same quality of service to home users....which sadly is not the case with pfSense any more...

Running a business I don't always have the time to research things and a family member was horrified that I was on pfSense using a closed source product...


I do not mind putting the work in to set all this up - if someone would help me.....

My router at the moment has a four port nic and instead of vlans I have a dedicated port for company...company wifi....private...and private wifi ...

With firewall rules stopping the company network being able to talk to the private network.....

I will stop waffling on now...

Thank you!

bookie56
#6
General Discussion / No IP from DuckDNS and Dedyn.i...
Last post by Cobra - Today at 10:22:07 AM
With my internet connection I received a router that assigns me two dynamic IPs, IPv6 and IPv4.
IPv4 is quite stable because it seems to only change when the router is rebooted.
IPv6, instead, always changes at midnight and, I think, even during the day.
So, I created two accounts on DuckDNS and Dedyn.io.
There's no DDNS setting on the router.
However, no matter how hard I try in OPNsense, I can't get an IP address to assign Let's Encrypt certificates for an internal NAS.
At this point, the problem is either the ISP or a misconfigured firewall.
I also looked at guides for configuring the WAN interface with IPv6, but I'm holding off to avoid creating a mess because I know very little about IPv6.
I've now reset OPNsense to its default configuration, meaning there are no WAN or LAN rules.
OPNsense is version 26.1.6, and the only plugins installed are os-ddclient and os-isc-dhcp.
Thanks in advance for your help.
#7
Your VLANs - no. You need to change the parent interface for each of them individually. But you should not be running tagged VLANs and the untagged LAN on the same port, anyway.
#8
Disable Automatic Discovery.
Disable Automatic Discovery.
Disable Automatic Discovery.
...
#9
General Discussion / Re: How do IPv6 Router Adverti...
Last post by OPNenthu - Today at 08:27:28 AM
Quote from: barney on Today at 04:37:40 AM
isn't the idea to have separate VLANs with controlled routes between them?
Certainly, but I think some concepts are getting mixed up.  For instance, you probably have DHCP in your IPv4 networks set up so that clients get their IPs only from the "server" on their own network.  Clients in VLAN 20 don't get IPs from the DHCP pool in VLAN 30.

Similarly, you don't want a router (in this case that Dirigera hub is acting as an IPv6 router) handing out IPs from its own subnet to clients in a different subnet.  That's what would happen if the RAs crossed over.  The RA would contain the prefix of the router's network (VLAN 40) and that prefix would get configured onto the clients in VLAN 20.  That would put them effectively on the same network and bypass routing/firewalling (if it even works).

To be honest I don't know how these smart home devices work (I don't own any) but I assume that they want to be on a network together and possibly the hub is providing internet access for the connected Matter devices (?).  I'm not sure how that works - do they have IPs on the OPNsense network at all, or do they connect wirelessly only to the hub?

In either case, personally, I'd treat them all as "IoT" things and keep them in a VLAN together.  That way they would all talk to each other freely and do what they need to do, but they could not access my private network.  I would be able to access them, however, from a more privileged network using firewall rules.

Maybe I'm oversimplifying because I'm thinking of these devices as typical clients...
#10
Zenarmor (Sensei) / Re: os-sunnywalley plugin inst...
Last post by raczzoltan - Today at 08:18:01 AM
Yes