"Recent posts
#1
Tutorials and FAQs / Re: IPv6 on OPNsense with Veri...
Last post by yourfriendarmando - Today at 06:45:53 AMDon't you have to set the FiOS router into bridge mode or similar in its web page?
That way the router just functions as a modem.
That way the router just functions as a modem.
#2
General Discussion / Re: DEC600 BE 24.4 — lapsed su...
Last post by patient0 - Today at 06:24:20 AMQuote from: ed3 on Today at 02:32:31 AMFinding 1 — updates blocked by lapsed subscription (403).If you buy a OPNsense appliance, you get 1 year of the Business Edition. After the year you either renew/pay the subscription or change to Community Edition. The 403 likely means that your BE subscription has run out and therefore you are not allow access to the BE repo anymore.
You can switch to the CE and back to BE later if you choose to renew the subscription.
QuoteFinding 2 — templates errors every boot, and the serial console has no login prompt.I'm can't comment on the template error. For the serial console, make sure the 'USB-based serial' box is unchecked. You can find details in the documentation:
https://docs.opnsense.org/hardware/serial_connectivity.html#serial-console-connectivity
Regarding upgrading to latest: Fastest is usually backup the configuration and reinstall if you have fallen back a bit. Otherwise if you go via the webGUI, just upgrade to whatever OPNsense is offering you, and the next and so on.
#3
General Discussion / DEC600 BE 24.4 — lapsed subscr...
Last post by ed3 - Today at 02:32:31 AMHi all,
Solo operator self-supporting a DEC600 that's run reliably for ~1 year but is now behind and has a couple of issues I've diagnosed. I'd appreciate guidance, especially on a few direct questions up front.
Unit: DEC600, Business Edition 24.4_8 (FreeBSD 13.2-p11). Running uninterrupted for about a year. I'd mistakenly assumed the subscription kept it auto-updated; I now understand updates are manual, and it simply ran 24.4 the whole time.
Finding 1 — updates blocked by lapsed subscription (403). Attempting an update returns Forbidden against the BE repo:
Finding 2 — templates errors every boot, and the serial console has no login prompt. Over the labeled CONSOLE port (micro-USB-B → Exar XR21V1410 USB-UART, 115200 8N1) I receive the complete boot output through the OPNsense banner, stable across reboots — but no login prompt and no input response after boot completes. Every boot shows:
Direct questions to help me decide between renewing BE and moving to Community Edition:
Full GUI/shell access available; happy to run diagnostics or share logs. Thanks in advance
Solo operator self-supporting a DEC600 that's run reliably for ~1 year but is now behind and has a couple of issues I've diagnosed. I'd appreciate guidance, especially on a few direct questions up front.
Unit: DEC600, Business Edition 24.4_8 (FreeBSD 13.2-p11). Running uninterrupted for about a year. I'd mistakenly assumed the subscription kept it auto-updated; I now understand updates are manual, and it simply ran 24.4 the whole time.
Finding 1 — updates blocked by lapsed subscription (403). Attempting an update returns Forbidden against the BE repo:
Code Select
https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:13:amd64/24.4/latest/meta.txz: Forbidden
... packagesite.pkg: Forbidden
... packagesite.txz: Forbidden
Unable to update repository OPNsense
Error updating repositories!The changelog lists releases up to 25.4.1 (2025-05-22), but pulling packages is clearly gated by the lapsed (~2025-06) subscription.Finding 2 — templates errors every boot, and the serial console has no login prompt. Over the labeled CONSOLE port (micro-USB-B → Exar XR21V1410 USB-UART, 115200 8N1) I receive the complete boot output through the OPNsense banner, stable across reboots — but no login prompt and no input response after boot completes. Every boot shows:
Code Select
>>> Invoking early script 'templates'
Generating configuration: ERRConsole config: vt driver enabled, Primary = Serial Console, Secondary = None, USB-based serial enabled. Web GUI over LAN works fine. My working theory is that the failed template generation prevents the serial getty (/etc/ttys) from being configured — producing output-yes / login-no.Direct questions to help me decide between renewing BE and moving to Community Edition:
- Is A causing B? Is the templates: ERR (and the resulting absence of a serial-console login) a side-effect of the lapsed subscription making the update repository unreachable (the 403s above)? I'm trying to confirm whether the broken repo is what's breaking template generation, rather than assuming a cause.
- Would switching to Community Edition restore console access? If the template error stems from the unit being unable to reach its subscription-gated repo, would migrating this DEC600 to the free Community Edition repo — which it can reach — fix template generation and bring back the serial console login?
- Is the migration reversible? If I move this DEC600 from Business Edition to Community Edition now, can I later switch it back to Business Edition with a new/renewed subscription? I'd like to know whether CE is a one-way door before committing.
- Diagnosing the template error directly: how can I find which template is failing (a way to run template generation manually with verbose output)?
- Update sequence / safety: what's the recommended path to get current from 24.4, and I'd want a working serial console as a fallback before any major upgrade or BE→CE switch — so should I resolve the console/template issue first, then update?
Full GUI/shell access available; happy to run diagnostics or share logs. Thanks in advance
Code Select
[shutdown of prior boot]
Waiting for system process `vnlru' to stop... done
Waiting for `syncer'... Syncing disks... done
Uptime: 6m55s ; uhub detached
coreboot-v4.16.5-Deciso ... CPU: AMD GX-420MC SOC ... 4 CPUs initialized
SeaBIOS rel-1.16.0
/boot/config: -S115200 -h
Consoles: serial port
FreeBSD/x86 bootstrap loader
[ OPNsense loader menu ... 24.4 "Savvy Shark" ]
Loading kernel + modules (carp, pflog, pf, zfs, if_bridge, if_lagg, if_gre, ...)
KDB: backend ddb
---<<BOOT>>---
FreeBSD 13.2-RELEASE-p11 stable/24.1 SMP amd64
CPU: AMD GX-420MC SOC (1597 MHz) ; ~8944 MB real / ~7874 MB avail ; 4 CPUs
nvme0 / nvd0: <TS256GMTE110S> 244198MB
igc0: I225-V MAC [REDACTED]
igc1: I225-V MAC [REDACTED]
igc2: I225-V MAC [REDACTED]
igc3: I225-V MAC [REDACTED]
ahci0: AMD Hudson-2 SATA ; ehci0: AMD FCH USB 2.0 ; usbus0 480Mbps
uart0: console (115200,n,8,1) port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
ZFS v5 / pool 5000
ugen0.2: <vendor 0x0438 product 0x7900> (internal USB hub)
Trying to mount root from zfs:zroot/ROOT/default
Setting hostuuid: [REDACTED] ; hostid: [REDACTED]
>>> Invoking early script 'configd' -> Starting configd.
>>> Invoking early script 'templates'
Generating configuration: ERR <-- THE ISSUE
>>> Invoking early script 'backup' ... carp: OK
Launching init system...done.
igc0/igc1: link UP
Setting timezone: [REDACTED]
Setting hostname: [REDACTED]
Configuring firewall / VLAN / interfaces ...done. [interface list redacted]
Starting web GUI...done.
Starting DHCPv4/DHCPv6, Unbound DNS, NTP, suricata, cron ...done.
Root file system: zroot/ROOT/default
[date redacted]
*** [HOSTNAME REDACTED]: OPNsense 24.4_8 ***
[interface -> IP table REDACTED]
HTTPS: SHA256 [REDACTED] #4
General Discussion / Re: Packet received by interfa...
Last post by lmoore - Today at 01:38:20 AMQuote from: Somnolus on May 30, 2026, 09:42:48 PMThe packet in question is under interface 2 and it repeats 4 times
The node at 192.168.4.27 is broadcasting the reply. For the packet to flow through pf in OPNsense, it would need to be forwarded to MAC address a8:b8:e0:04:91:1b.
#5
Tutorials and FAQs / Re: IPv6 on OPNsense with Veri...
Last post by gadgetguy - May 30, 2026, 11:35:42 PMQuote from: daemonhorn on March 22, 2026, 03:25:57 PMWhile OPNsense has the necessary dhcp6c code path to allow your FiOS WAN interface IPv6 configuration to have both a link local (fe80:: prefix) and a global IPv6 address, it will not configure it that way by default (as of OPNsense 26.1.4 in March 2026).
You will need to also configure a custom dhcp6c client configuration file in [Interfaces->WAN->DHCPv6 Client Configuration, then select Override Configuration Mode]
Thanks for this. It has gotten me closer to getting a global address from FiOS, but I still don't receive it. The only log entry that appears to be related is a series of these which I had not seen before:
Sending Solicit on igb0
They have been occuring at ever increasing intervals (20 secs, 30 secs, 1 min., 5 min., etc.)
Any hints as to what might be going on or where to check for more details?
#6
Virtual private networks / Policy routing with WireGuard ...
Last post by Hexodark - May 30, 2026, 11:09:07 PMHi,
I've been struggling with a persistent policy routing issue on OPNsense 26.1 using WireGuard and I'm hoping someone has found a reliable solution.
Setup:
OPNsense 26.1 on a mini PC
WireGuard ProtonVPN France (wg0) with gateway GW_fr
Two LAN firewall rules routing specific aliases (domains + IPs) through GW_fr
NAT outbound configured for wg0
Gateway monitoring enabled with 8.8.8.8 as monitor IP
Gateway shows Online consistently
Problem:
Traffic randomly stops going through WireGuard and falls back to WAN, without any changes made. The WireGuard tunnel stays connected (wg show shows recent handshake), the gateway stays Online, but the traffic exits through WAN instead of wg0.
Running configctl filter reload && configctl filter sync fixes it temporarily, but it comes back after some time.
Important detail:
This happens without any IP changes or configuration changes. The tunnel is up, the gateway is online, but the routing just stops working randomly. This suggests it's purely a state table issue — existing states are somehow using the wrong gateway.
What I've tried:
Enabled "Kill states when down" on gateway
Added cron script every 5 minutes to detect and reload rules
Cleared state table manually (fixes it temporarily)
Questions:
Is there a way to force OPNsense to always re-evaluate the gateway for new connections even when a state exists?
Is there a known fix for this in 26.1?
Would OpenVPN be more stable than WireGuard for policy routing?
Any help appreciated. Thanks!
I've been struggling with a persistent policy routing issue on OPNsense 26.1 using WireGuard and I'm hoping someone has found a reliable solution.
Setup:
OPNsense 26.1 on a mini PC
WireGuard ProtonVPN France (wg0) with gateway GW_fr
Two LAN firewall rules routing specific aliases (domains + IPs) through GW_fr
NAT outbound configured for wg0
Gateway monitoring enabled with 8.8.8.8 as monitor IP
Gateway shows Online consistently
Problem:
Traffic randomly stops going through WireGuard and falls back to WAN, without any changes made. The WireGuard tunnel stays connected (wg show shows recent handshake), the gateway stays Online, but the traffic exits through WAN instead of wg0.
Running configctl filter reload && configctl filter sync fixes it temporarily, but it comes back after some time.
Important detail:
This happens without any IP changes or configuration changes. The tunnel is up, the gateway is online, but the routing just stops working randomly. This suggests it's purely a state table issue — existing states are somehow using the wrong gateway.
What I've tried:
Enabled "Kill states when down" on gateway
Added cron script every 5 minutes to detect and reload rules
Cleared state table manually (fixes it temporarily)
Questions:
Is there a way to force OPNsense to always re-evaluate the gateway for new connections even when a state exists?
Is there a known fix for this in 26.1?
Would OpenVPN be more stable than WireGuard for policy routing?
Any help appreciated. Thanks!
#7
26.1, 26,4 Series / Re: Intermittent upload collap...
Last post by dare - May 30, 2026, 10:04:57 PMHello and sorry for double posting.
so I've heard back from protectli support and they say no one else has this problem and that they have actually tested it and they cannot reproduce the problem.
I've gone back to 25.7 in the meantime and the problem persisted, but less frequently. It was the same on a basic Asus router I tried next.
So then I had weeks of back and forth with my ISP's support, who weren't very helpful. Finally they said they have "updated my modem". The problem seems to have stopped since and I have done a clean reinstall of 26.1.
Needles to say this has been a very very weird episode and the only thing I can really say is that opnsense and protectli are not at fault. The drivers on 26.1 might be different so the ISP problem might have been more apparent on 26.1. Or something.
so I've heard back from protectli support and they say no one else has this problem and that they have actually tested it and they cannot reproduce the problem.
I've gone back to 25.7 in the meantime and the problem persisted, but less frequently. It was the same on a basic Asus router I tried next.
So then I had weeks of back and forth with my ISP's support, who weren't very helpful. Finally they said they have "updated my modem". The problem seems to have stopped since and I have done a clean reinstall of 26.1.
Needles to say this has been a very very weird episode and the only thing I can really say is that opnsense and protectli are not at fault. The drivers on 26.1 might be different so the ISP problem might have been more apparent on 26.1. Or something.
#8
General Discussion / Re: Packet received by interfa...
Last post by Somnolus - May 30, 2026, 09:42:48 PMI have 2 devices that need to establish communication between eachother. each device is on its own network, but connected to the same router. These are separate physical connections, no VLANs are involved. The machine is a intel N305 router with 6 2.5gb ports using the intel i226-v chipset. The machine is running proxmox with 5 of the 6 ports directly passed through to opnsense. Both devices are on ports directly passed through to opnsense.
Device 1 is on network 10.0.0.0/24, Device 2 is on 192.168.4.0/24. Both machines have been given static IP's via KeaDHCP.
Machine 1 is set to ip 10.0.0.55, machine 2 is assigned ip 192.168.4.27
Machine 1 is a server that handles file sharing, Machine 2 is a system that requests the files. Communication occurs over 2 ports. Port 62966 and 62967. Machine 2 broadcasts a multicast request over port 62966 that hits the router and runs through UDP-Broadcast-Relay which makes its way to machine 1. machine one than responds to machine 2 letting it know its IP and the port to use for data transfer. Everything works as it should both machines see each other just fine and all communication passes normally. the problem is when machine 2 sends a UDP packet requesting data from machine 1. That packet hits the router interface but doesn't seem to go anywhere beyond that. I've enabled firewall logging for everything including NAT rules under the advances settings. I don't have captive portal, or ipsec enabled.
I've attached packet captures that were run directly inside opnsense. The packet in question is under interface 2 and it repeats 4 times.
Device 1 is on network 10.0.0.0/24, Device 2 is on 192.168.4.0/24. Both machines have been given static IP's via KeaDHCP.
Machine 1 is set to ip 10.0.0.55, machine 2 is assigned ip 192.168.4.27
Machine 1 is a server that handles file sharing, Machine 2 is a system that requests the files. Communication occurs over 2 ports. Port 62966 and 62967. Machine 2 broadcasts a multicast request over port 62966 that hits the router and runs through UDP-Broadcast-Relay which makes its way to machine 1. machine one than responds to machine 2 letting it know its IP and the port to use for data transfer. Everything works as it should both machines see each other just fine and all communication passes normally. the problem is when machine 2 sends a UDP packet requesting data from machine 1. That packet hits the router interface but doesn't seem to go anywhere beyond that. I've enabled firewall logging for everything including NAT rules under the advances settings. I don't have captive portal, or ipsec enabled.
I've attached packet captures that were run directly inside opnsense. The packet in question is under interface 2 and it repeats 4 times.
#9
German - Deutsch / Re: "Lahmes" Internet seit Upd...
Last post by cottec - May 30, 2026, 08:38:29 PMQuote from: trixter on May 28, 2026, 08:08:14 PMVielleicht das Interface selbst mal aus dem Legacy-Mode holen?Ist das denn so falsch?
Ich scheine ja per DHCP auf dem WAN Adressen zu kriegen...
Hätte eh keine Ahnung wie ich sonst v6 einrichte um ehrlich zu sein...
#10
German - Deutsch / Re: Umgang mit VLAN
Last post by s.meier68 - May 30, 2026, 08:30:47 PMQuote from: meyergru on May 20, 2026, 09:02:00 PMEinen managebaren Switch beschaffen. Dort ein LAN (VLAN 1) und GAST (VLAN x) anlegen (oder eventuell weitere). OpnSense und alle APs (wichtig: VLAN-fähig) werden auf Trunk-Ports geschaltet, die Endgeräte je nach Vertrauensstellung auf VLAN 1 oder x.
Ich empfehle, wenn es KEIN Rack-Switch werden soll, den Zyxel XGS 1250-10. 8 1G Ports, 3 10G Ports und ein SFP+. Auf dem Switch lässt sich hervorragend OpenWRT installieren. (Du brauchst leider einmalig ein UART 3.3V Kabel) Dazu dann z.B. ein oder mehrere Zyxel NWA50pro (auf dem lässt sich auch OpenWRT installieren) So hast Du für die Netzwerktechnik eine Oberfläche die sich z.B. auch mit opensoho managen lässt.
Bei Mir macht die Fritzbox ebenso noch Telefonie, alles andere nicht mehr.
Quote from: meyergru on May 20, 2026, 09:02:00 PMAuf den APs werden pro VLAN jeweils SSIDs angelegt mit unterschiedlichen Passworten. Somit kann man beiUnd Du kannst z.B. auch für IoT Geräte nur ein 2.4Ghz Wlan aufspannen, Client Seperation nutzen oder andere Verschlüsselungseinstellungen....
WLAN-Clients durch Auswahl der SSID bestimmen, was sie dürfen.
ich würde statt Kea allerdings dnsmasq empfelen. Durch die DNS Integration erspart man sich einiges an Konfigurationsaufwand. Auch ipv6 ist problemlos möglich.
Quote from: meyergru on May 20, 2026, 05:49:39 PMNetzwerk-Clients, bei denen der Switch das zugewiesene VLAN ausgangsseitig entfernt und eingangsseitig hinzufügt (sogenannter "Tagged"-Port).Das ist allerdings ein untagged Port. Dieser ist bei einem vLAN-fähigen Switch trotzdem einem vLAN zugehörig.
Ein Tagged Port ist eine andere Bezeichnung für einen Trunk-Port. Das ist Herstellerabhängig wie der genannt wird.
Ein TrunkPort ist ein Tagged-Port der ein oder mehrere vLANs enthält.
Wie Du deine Endgeräte (dazu gehört die Opnsense letztendlich auch) konfigurierst, hängt davon ab wie der Port auf dem Switch konfiguriert ist. Ein kurzes Beispiel. Wenn der Port auf dem Switch untagged ist, kannst Du das mit dem Port verbundene Interface der Opnsense ganz normal wie sonst auch konfigurieren. Du musst auf dem jeweiligen Endgerät nichts beachten.
Ein mit EINEM vLAN getaggter Port auf dem Switch führt dazu dass Du auf dem Endgerät das eine vLAN konfigurieren musst. Das geht in der Opnsense, aber auch unter Linux und Windows. Macht man in der Regel so nicht, findet sich aber manchmal bei VOIP-Telefonen, dass ein einzelnes vLAN für die Netzkonfiguration vorrausgesetzt wird.
Ein Trunkport ist für alle vLANs konfiguriert, die an diesem Port ankommen und aus diesem Port ausgehend raus gehen sollen. Das wird z.B. genutzt um einem AP mehrere vLANs für mehrere SSID's bereitzustellen. Du kannst aber auch alle vLANs (die Du konfigurierst) mittels eines Trunkports an die Opnsense (oder auch ein Windows, Linux etc Device) übergeben. Dazu musst Du dann auf dem Interface der Opnsense, welches physikalisch mit dem Trunkport verbunden ist, logische vLAN-Interfaces erstellen.
Hier finde ich das auch sehr gut erklärt: https://www.thomas-krenn.com/de/wiki/VLAN_Grundlagen
