Recent posts

#1
26.1 Series / Re: IPv6: OPNSense can ping, c...
Last post by hakuna - Today at 03:50:59 AM
Quote from: Boxer on February 12, 2026, 02:25:52 PM
Services > Router Advertisements:

    Interface: LAN
    Mode: *Unmanaged*

Thank you so much for that.
As soon as I changed that, my PC got an IPv6 so did all the clients and I can ping IPv6 IPs now without a DHCPv6 server.
IPv6 gateway does show down, I guess that is because of the PPPoE.

What matters is that it all works, I guess I am officially running dual-stack haha

Thanks a lot.
#2
26.1 Series / Re: Enable SSH at Console
Last post by kmschneider1 - Today at 03:38:57 AM
Quote from: Kinerg on February 22, 2026, 04:53:04 PM
Here's Grok's take. Can't verify if it works but it should get you started in the right direction.


This is exactly what I needed and helped me enable SSH. For anyone referencing, Grok explains how to access and update the config file and I need to do this to enable SSH. Additionally it also helped me find the error that caused all of this to begin with so that was incredibly helpful! I am frustrated that my hours of searching on this never once returned this information.
#3
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by allebone - Today at 03:12:05 AM
Quote from: meyergru on Today at 12:45:25 AM
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.

Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.


Seems like neither my Ubuntu boxes nor Windows boxes have FFFE in the addresses so guess they all use private IPs.

However they also never seem to change ever. I have had many opportunities for them to change with things down for various changes and they seem to always get the exact same address always.

Is an override in Unbound the same as setting an AAAA record? Am I right to assume the IPv6 won't change on clients?
#4
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by meyergru - Today at 12:45:25 AM
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.

Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
#5
26.1 Series / Re: Best choice for mobile VPN...
Last post by nero355 - Today at 12:29:52 AM
Quote from: Diggy on February 24, 2026, 07:00:42 PM
Of the three built-in VPN solutions, which is the best choice for mobile clients?
Just FYI :

Pretty much EVERYONE keeps telling me that the battery usage of Wireguard is superior compared to the battery usage of OpenVPN for mobile phones so that's something to consider too !!
#6
General Discussion / Re: default deny rule blocking...
Last post by pfry - Today at 12:26:36 AM
Quote from: nero355 on Today at 12:14:16 AM
Quote from: multazimd on February 24, 2026, 03:36:04 PM
Unfortunately traffic is being dropped at OPNSENSE Internal interface by default deny rule which we do not have control over.
I can tell you that the 'Default Deny Rule' is always right so IMHO that's not your problem here... [...]

It's actually a last-match rule, so you can easily override it. I actually set my own first-match default denies and use the automatic default deny as a diagnostic. If I see it matched, something's up.
#7
26.1 Series / Re: Kea DHCPv4 How to remove d...
Last post by nero355 - Today at 12:23:46 AM
Quote from: Patrick M. Hausen on February 24, 2026, 02:55:55 PM
@nero355 yet it is a common workflow to onboard a new device with a static reservation
I know : I do it too! :)

Quote: I am willing to bet every sysadmin does this. Regardless of standards and lease expiry - just power cycle the thing, done.
Windows Clients are my main issue : You REALLY need to ipconfig /release first, then reboot and hope everything goes as expected...

Everything else just respects your wishes luckily!

Quote: Therefore it would be nice if Kea on OPNsense supported deletion of leases on the server side.

As far as I read in the various discussions on Github it might be coming.
More webGUI options are always good to have, but software that respects my network is where it all should start IMHO :)
#8
26.1 Series / Re: Multi Wan broken - Vlan cu...
Last post by TheSHAD0W - Today at 12:23:30 AM
This is apparently an issue with upgrading to the new opnsense version. You can try changing the destination NAT entries to "register rule" and deleting any old rules you had regarding the forwarding. I tested this as working with a fresh install but still haven't gotten my old setup working properly. More info at https://github.com/opnsense/core/issues/9702
#9
General Discussion / Re: Errors when trying to upda...
Last post by grimelog - Today at 12:22:00 AM
Tried adding this rule with no luck.

on the lan for traffic coming in from that interface.

Source: LAN Net
Destination: any
port: 11371

with no luck. Do I need to configure port forwarding as well? I think I might need to dig through multiple menus to get this working. I tried booting from a live environment with the default settings and I can't update my pgp keys.

How would you configure a fresh system?
#10
26.1 Series / Re: [ISC vs. KEA] Is the effec...
Last post by nero355 - Today at 12:18:21 AM
Quote from: Patrick M. Hausen on February 24, 2026, 02:47:24 PM
I apologize - I wrote nonsense because I confused the "Ignore Client UIDs" and Kea's "Match client-id".
No worries, I thought so :)

Quote: I have "Match client-id" unchecked, because otherwise static assignments based on MAC address do not work.
That's how I have got it here too for a while now.