Recent posts

#1
General Discussion / Re: Support AmneziaWG
Last post by OPNenthu - Today at 03:49:14 AM
Quote from: Patrick M. Hausen on Today at 12:08:53 AM
I will never promote circumventing a company or school or uni ... firewall.

I wasn't thinking along those lines.  I think students trying to get to TikTok on school time is different than private citizens trying to access information on theirs, but unfortunately the means are the same.
#2
26.1 Series / Re: No internet with WAN using...
Last post by Yeff - Today at 03:06:22 AM
Quote from: Patrick M. Hausen on February 22, 2026, 11:30:49 PM
If you configure statically you need to also manually add the default gateway. System > Gateways. DHCP takes care of that.

I have this gateway:
Interface: WAN
Family: IPv4
IP Address: 100.100.100.1

Is that ok, should I check any other options?
#3
General Discussion / Re: Closed - How to implement ...
Last post by allan - Today at 01:38:15 AM
The following expressions include IPv4 and IPv6 addresses.

  • All Regions:
    .prefixes,.ipv6_prefixes|map(.ip_prefix//.ipv6_prefix)[]
  • GLOBAL and US regions:
    .prefixes,.ipv6_prefixes|map(select(.region=="GLOBAL" or (.region|startswith("us-")))|.ip_prefix//.ipv6_prefix)[]
#4
General Discussion / Re: Degraded printer functiona...
Last post by Lu - Today at 01:24:44 AM
Quote from: meyergru on January 14, 2026, 09:59:03 AM
I was not referring to the auto-generated rules

My mistake, I meant the automatically provided ones, not the auto-generated ones. I followed the guide for WAN failover, which said to edit those rules and assign to them a gateway. I have since added another rule after those, without a gateway:

statetype,state-policy,sequence,action,quick,interfacenot,interface,direction,ipprotocol,protocol,icmptype,icmp6type,source_net,source_not,source_port,destination_net,destination_not,destination_port,divert-to,gateway
keep,,51,pass,1,0,lan,in,inet,any,,,lan,0,,any,0,,,v4
keep,,61,pass,1,0,lan,in,inet6,any,,,lan,0,,any,0,,,v6
keep,,71,pass,1,0,lan,in,inet46,any,,,lan,0,,any,0,,,

Though this has improved the LAN stability, the Printer still misbehaves, and not in a consistent manner. Sometimes it'll work as desired, but usually stops, so I have to leave it configured with IP addresses rather than names, and accept the degradation.

I'm still inclined to believe it is at least partially caused by the router because it has other odd behaviours like near total failure of IPv6 after a random amount of uptime. Restarting the router, without changing any config, will 'fix' that.
#5
German - Deutsch / Re: IPV6 Tunnel with Route64
Last post by patient0 - Today at 12:42:35 AM
I briefly set up a SIT/GIF tunnel from an OPNsense VM; it works so far, but no PPPoE is involved.

Quote from: Swtrse on February 15, 2026, 02:46:02 AM
Static route set to the end address of Route64 (because I am not using the actual tunnel address but the /56 subnet, which is also routed)

Just to make sure we are talking about the same thing: from Route64 you received:

Our Endpoint : their IPv4 endpoint, OPNsense GIF: 'Remote Address'
Your Endpoint : your public IPv4
Our Gateway : their IPv6 tunnel IP (...::1), OPNsense GIF: 'Tunnel remote address'
Your IP-Address: your IPv6 tunnel IP (...::2), OPNsense GIF: 'Tunnel local address'

OPNsense GIF: Tunnel netmask / prefix : 64

And the static route uses 'Our Gateway' as the gateway (...::1 from above)

Can you ping ...::2 (Your IP-Address) from outside?
#6
General Discussion / Configuring Unbound DNS for Mu...
Last post by foss-johnny - Today at 12:26:46 AM
Hi all,

If I have multiple LAN subnets, and I want my clients in each subnet to be able to resolve/route to NGINX running on OPNsense, and then NGINX forwards to a server IP running in a DMZ subnet, what is the correct way to configure the DNS?

Do you set up a single Unbound DNS override entry to point to a single LAN gateway that you designate for NGINX, or do you somehow set up each LAN to have the DNS name of the server resolve to their respective LAN gateway interfaces?

#7
General Discussion / Re: Support AmneziaWG
Last post by Patrick M. Hausen - Today at 12:08:53 AM
What upstream firewalls? If they exist there is a reason. If you live in an authoritarian country you should probably use Tor. Amnezia will probably allow you to connect but it's not making you anonymous.

I will never promote circumventing a company or school or uni ... firewall.
#8
General Discussion / Re: Support AmneziaWG
Last post by OPNenthu - February 22, 2026, 11:55:41 PM
Quote from: Patrick M. Hausen on February 22, 2026, 10:35:20 PM
And why don't you just use WireGuard, if you control the firewall?

Because upstream firewalls?

Think: Empire v. Alliance. :)

https://mullvad.net/en/blog/introducing-quic-obfuscation-for-wireguard

(unless I completely misread the purpose of this tool...)

Side note: really unfortunate choice for a project logo, IMO.
#9
25.7, 25.10 Series / IPv6 LAN Rules Setup
Last post by chawk - February 22, 2026, 11:43:57 PM
Hello everyone. Looking for some insight into how some of you are blocking inter-VLAN/LAN IPv6 traffic. Since IPv6 GUAs are globally routable, the classic !RFC1918 a lot of us use for IPv4 rules won't work. I'm new to IPv6 so I may not be fully understanding this concept.

I already have an interface group that contains all of my LAN interfaces (LAN,VLANx, VLANy, etc.)
If I create a rule on VLANx's interface that is similar to the !RFC1918 setup, such as:
IPv6* Source: VLANx Port * Destination (Invert ticked) !langroup

Wouldn't this prevent any IPv6 inter-LAN/VLAN traffic? Any concerns with this setup other than having to explicitly allow traffic to dynamic IPv6 host aliases?


I gave this and a few other posts a read:
https://forum.opnsense.org/index.php?topic=28447.0
#10
26.1 Series / Re: No internet with WAN using...
Last post by Patrick M. Hausen - February 22, 2026, 11:30:49 PM
If you configure statically you need to also manually add the default gateway. System > Gateways. DHCP takes care of that.