Recent posts

#1
26.1, 26.4 Series / Re: Destination NAT and Firewa...
Last post by Yudre - Today at 05:44:33 AM
Quote from: keeka on January 23, 2026, 05:17:58 PM
One rule performs the NAT and the second permits the resulting traffic. With the previous system, it was a NAT port forward rule and a (potentially auto-managed) firewall rule.

I have not tried 26.1RC yet. But I have a feeling, with the way I've set up NAT and FW under 25.7, a straightforward migration will not be possible. For example, the change in the priority of floating rules on single interfaces and the lack of auto/associated firewall rules for port forwards.


I've looked into this rule; it can disable the device if activated incorrectly.
#2
Tutorials and FAQs / Re: [How-To] NPTv6 with dynami...
Last post by Maurice - Today at 04:34:12 AM
For eight /64 ULA subnets, you'll need a /61 NPT rule. That's half of the /60 you get from your ISP, so not a problem.

Loopback interface prefix ID: 8
NPT internal IPv6 prefix: fd5a:xxxx:xxxx:1000::/61

This translates ULA prefixes fd5a:xxxx:xxxx:1000::/64 .. fd5a:xxxx:xxxx:1007::/64 to GUA prefixes with IDs 8 .. f.
GUA prefixes with IDs 0 .. 7 remain available for other purposes.

Cheers
Maurice
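
The prefix arithmetic behind the /61 rule above, as an added example (constructed here, not code from the thread or from OPNsense). The post's "xxxx" is filled with made-up hex, the ISP /60 uses the 2001:db8::/32 documentation range, and `external_prefix`, `translate` and `subnet_map` are names chosen for this example. Only the prefix swap is modelled; real NPTv6 (RFC 6296) also rewrites one 16-bit word so that transport checksums stay valid.

```python
import ipaddress

# Added example, constructed values: not from the thread or from OPNsense.
INTERNAL = ipaddress.IPv6Network("fd5a:1234:5678:1000::/61")  # ULA /64s :1000 .. :1007
ISP_DELEGATION = ipaddress.IPv6Network("2001:db8:abcd::/60")   # constructed ISP /60
PREFIX_ID = 8                                                  # "Loopback interface prefix ID: 8"


def external_prefix(delegation, prefix_id, length):
    """Return the external /`length` that starts at /64 number `prefix_id` of `delegation`.

    Prefix IDs number the /64s of the delegation, so ID 8 of a /60 is its ninth
    /64 (:8::/64); a /61 anchored there spans IDs 8 .. f. strict=True makes
    ipaddress raise ValueError if the chosen ID is not aligned to the length.
    """
    start = list(delegation.subnets(new_prefix=64))[prefix_id].network_address
    return ipaddress.IPv6Network((start, length), strict=True)


def translate(address, src, dst):
    """Swap the `src` prefix of `address` for `dst`; both prefixes must be equal length.

    Works in either direction (ULA -> GUA or GUA -> ULA), which is what makes
    the mapping usable for inbound as well as outbound traffic.
    """
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPTv6 maps prefixes of equal length")
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask))


def subnet_map(internal, external):
    """Pair each internal /64 with the external /64 it is translated to."""
    return [(str(i), str(e)) for i, e in zip(internal.subnets(new_prefix=64),
                                               external.subnets(new_prefix=64))]


if __name__ == "__main__":
    ext = external_prefix(ISP_DELEGATION, PREFIX_ID, INTERNAL.prefixlen)
    for ula, gua in subnet_map(INTERNAL, ext):
        print(f"{ula:32} -> {gua}")
    print(translate("fd5a:1234:5678:1003::1", INTERNAL, ext))
```

Running it lists the eight ULA /64s next to GUA prefix IDs 8 .. f and leaves IDs 0 .. 7 untouched; asking for a /61 at a prefix ID that is not /61-aligned (3, for instance) raises instead of silently producing an overlapping rule.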
#3
General Discussion / Re: What is The Purpose of Set...
Last post by Al Muckart - Today at 03:56:26 AM
Quote from: Patrick M. Hausen on March 26, 2026, 08:42:52 AM
Why don't you set it to 0, then? You can add arbitrary tunables from the UI.

I do now. I don't think I should have had to deal with firewalls going offline and requiring remote hands to diagnose the issue and reboot to figure out I needed to do that though.
#4
General Discussion / Re: What is The Purpose of Set...
Last post by Al Muckart - Today at 03:54:31 AM
Quote from: BrandyWine on March 28, 2026, 12:38:00 AM
Requires onsite visit? Do you mean to be able to do "reboot" from the console, or recycle the power?
If that's the type of remote location it is, then maybe some form of out-of-band console access should be there?

Or, set that option to 0, and still evaluate OOB access.

Yes, it requires someone to be on-site to do a reboot from the console.

It's fine to have this feature available in the event that someone is experiencing persistent problems and needs debug information but there's no way it should be the default on a production firewall. The FreeBSD handbook even says this outright.
#5
General Discussion / Multi-Site DNS with same domai...
Last post by vladnik - Today at 02:23:13 AM
Hi all,

maybe some of the more experienced folks can give me some pointers...

What I have:
- 2 sites (soon to be 3) running OPNsense 26.1.7 with dnsmasq as DHCP and DNS server, no Unbound
- static DHCP/DNS entries configured in dnsmasq on both sites
- dnsmasq is configured to not be authoritative for the DNS domain example.com, and forward queries for example.com to the other sites' dnsmasq
  this works for resolving hostnames, but causes a loop in DNS query resolution which causes timeouts and slow resolution speed

The problem:
- nslookup looks like this (example from a client in site 1) and name resolution for internal services is slow in general
# nslookup server01
Server: opnsense01
Address: 10.10.10.254

DNS request timed out.
timeout was 2 seconds.

Name: server01.example.com
Address: 10.10.10.235

What I want:
- multiple sites using the same DNS domain (example.com) for internal hosts
- forward and reverse lookups of DHCP static and dynamic leases in DNS across sites
  (i.e. nslookup server01(.example.com) from site1 lan and site2 lan, as well as nslookup <IP-Address> from site1 and site2 lan)
- no duplication of records (i.e. if I have a DNS record in site1 setup, I don't have to add it to site2 as well)
- ideally, a 'single source of truth' (currently dnsmasq) for DHCP and DNS per site

Here is my sanitized dnsmasq.conf from site1. site2 looks similar.
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
rebind-localhost-ok
stop-dns-rebind
port=53
dhcp-fqdn
domain=example.com
dhcp-authoritative
# Never forward addresses in the non-routed address spaces.
bogus-priv
server=/example.com/10.20.20.254
rebind-domain-ok=/example.com/
# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases
dns-forward-max=5000
cache-size=10000
local-ttl=1
conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf
dhcp-range=tag:igc0,10.10.10.120,10.10.10.189,255.255.255.0,86400
domain=example.com,10.10.10.120,10.10.10.189
dhcp-host=aa:bb:cc:dd:ee:ff,10.10.10.190,device-xx
...
# default IPv4 DNS mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0
# default IPv6 DNS mapped to this server (::)
dhcp-option=option6:23,[::]
no-ident
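
A toy model of the two-site forwarding the post describes, as an added example (constructed here; it is neither dnsmasq nor OPNsense code). Each site answers from its own host list, like addn-hosts, and forwards every other example.com name to its peer, like `server=/example.com/<other site>`. Site 1's entries reuse the addresses visible in the nslookup output above; site 2's addresses, the `Site`, `lookup` and `ForwardingLoop` names, and the hop budget that stands in for the client's timeout are all assumptions of this example.

```python
from dataclasses import dataclass

# Added example, constructed: models the forwarding loop, not real dnsmasq behaviour.
DOMAIN = "example.com"


class ForwardingLoop(Exception):
    """Raised when a query has been forwarded past the hop budget without an answer."""


@dataclass
class Site:
    name: str
    hosts: dict                 # fqdn -> IPv4, the site's addn-hosts content
    peer: "Site | None" = None  # the dnsmasq this site forwards example.com to

    def resolve(self, qname, hops=1, max_hops=8):
        """Answer locally or forward to the peer; `hops` counts resolvers consulted."""
        if qname in self.hosts:
            return self.hosts[qname], hops
        if self.peer is None:
            return None, hops                      # nobody to ask: plain NXDOMAIN
        if hops >= max_hops:
            raise ForwardingLoop(f"{qname}: no answer after {hops} resolvers")
        return self.peer.resolve(qname, hops + 1, max_hops)


def lookup(site, name, max_hops=8):
    """Client-side view: qualify a bare name the way domain= does, then query `site`."""
    fqdn = name.lower().rstrip(".")
    if not fqdn.endswith("." + DOMAIN):
        fqdn = f"{fqdn}.{DOMAIN}"
    try:
        address, hops = site.resolve(fqdn, max_hops=max_hops)
        return {"name": fqdn, "address": address, "resolvers": hops, "looped": False}
    except ForwardingLoop:
        # In the real setup this is where the client reports "DNS request timed out".
        return {"name": fqdn, "address": None, "resolvers": max_hops, "looped": True}


# Constructed host lists; site1 uses the addresses from the post, site2 is made up.
SITE1 = Site("opnsense01", {"opnsense01.example.com": "10.10.10.254",
                            "server01.example.com": "10.10.10.235"})
SITE2 = Site("opnsense02", {"opnsense02.example.com": "10.20.20.254",
                            "server02.example.com": "10.20.20.235"})
SITE1.peer, SITE2.peer = SITE2, SITE1   # each site's server=/example.com/ points at the other

if __name__ == "__main__":
    for q in ("server01", "server02", "printer99"):
        print(lookup(SITE1, q))
```

Names that exist at either site come back after one or two resolvers; a name that neither site knows never gets a negative answer, because each site hands it to the other, and only the hop budget (the client's timeout in real life) ends the exchange. The model deliberately leaves out caching and the 2-second retry timing, so it shows why the configuration has no way to say "no" for the shared domain, not the exact delays the post measures.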

#6
General Discussion / Pls Help: I can access webgui ...
Last post by glau - May 03, 2026, 11:49:03 PM
Hello,
pls find hereafter a picture of my configuration. I try to connect to webgui on https, but I am always switched on http.
I do not understand why...
Thanks for your kind help.
Regards,
GL

#7
Tutorials and FAQs / Re: [How-To] NPTv6 with dynami...
Last post by OPNenthu - May 03, 2026, 11:48:24 PM
Hi @Maurice,

I want to implement your approach but I only get a /60 from my ISP.  Is there a clean way I could use a larger internal NPTv6 prefix than the /64 I currently have?  I'm not certain but it might help with an issue I just noticed.

I have a UniFi OS controller on LAN at the fd5a:...:1000:...:f30 address.
I have a web client (trusted PC) on CLEAR at the fd5a:...:1003:...6ac2 address.

When I access the UniFi controller those two pass lots of UDP packets but at some point the UniFi host picks up the external prefix (2601:...:316f/64) and starts trying to send traffic to my web client on the translated GUA prefix.


This is the only case I've seen so far where this happens.  I put an "out" block rule on the tracking interface (lo1) to try and prevent leaks to WAN though I'm not certain that's effective. This would be difficult to filter on the LAN interface itself.

Maybe has to do with the /64 -> /64 translation?
#8
26.1, 26.4 Series / Re: Update to latest free vers...
Last post by senseOPN - May 03, 2026, 11:41:21 PM
Quote from: Patrick M. Hausen on May 03, 2026, 11:19:00 PM
Boot the older version, uninstall the os-microcode plugin, redo the update.

That did it, great many thanks!

I also compared /conf/backup from the older snapshot and the original (now bad) snapshot, and as it seems there was no new config - I did not lose any changes, luckily!

#9
26.1, 26.4 Series / Re: Update to latest free vers...
Last post by Patrick M. Hausen - May 03, 2026, 11:19:00 PM
Boot the older version, uninstall the os-microcode plugin, redo the update.
#10
26.1, 26.4 Series / Re: Update to latest free vers...
Last post by senseOPN - May 03, 2026, 11:04:50 PM
Quote from: Patrick M. Hausen on May 03, 2026, 10:52:18 PM
- power cycle with keyboard and monitor attached
- abort the boot process and escape to the boot loader prompt
- disable the loading of the microcode update

This should get you going with a search engine, possibly AI, or search function of this forum - I don't have the time to research the details of each step just right now, sorry.

HTH,
Patrick


OK, thanks already!

I managed to select another snapshot and could boot it, create a new copy from it and then retry the update - the same happened again!
So indeed, something is wrong for my Protectli firewall.

I will seek out disabling the microcode update but at least am running from an older snapshot again!