Recent posts

#1

26.1, 26,4 Series / Gratitious ARP from ISP causes...

Last post by basskitty - Today at 01:56:09 PM

Hello,

I changed my ISP a while ago and now got their modem in bridge mode working, so my OPNsense WAN port is bridged to the ISP.
Up to multiple times a day, my WAN connection just stops working and reloading it fixes it immediately. I've pinned this down to the ISP sending loads of gratitious ARP messages:

Code Select Expand

2026-06-08T12:31:12
Notice
kernel
<6>[1539] arp: 195.69.173.1 moved from 00:0e:00:00:01:01 to 00:0e:00:00:01:03 on ix1
2026-06-08T12:21:29
Notice
kernel
<6>[957] arp: 195.69.173.1 moved from 00:0e:00:00:01:01 to 00:0e:00:00:01:03 on ix1
2026-06-08T12:07:16
Notice
kernel
<6>[103] arp: 195.69.173.1 moved from 00:0e:00:00:01:02 to 00:0e:00:00:01:03 on ix1
2026-06-08T12:07:00
Notice
kernel
<6>[87] arp: 195.69.173.1 moved from 00:0e:00:00:01:01 to 00:0e:00:00:01:02 on ix1
Every time this happens, the WAN gateway stops responding and I need to reload, 12:25:09 is when I triggered the interface reload:

Code Select Expand

2026-06-08T12:25:11
Notice
opnsense
/usr/local/etc/rc.newwanip: ROUTING: configuring inet default gateway on wan
2026-06-08T12:25:11
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure dns (execute task : unbound_configure_do(1))
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.newwanip: ROUTING: entering configure using wan
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure dns (execute task : dnsmasq_configure_do(1))
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure dns (1)
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure dhcp (execute task : radvd_configure_dhcp(1))
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure dhcp (1)
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure ipsec (execute task : ipsec_configure_do(1,wan))
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure ipsec (1,wan)
2026-06-08T12:25:10
Notice
opnsense
/usr/local/etc/rc.newwanip: IP renewal starting (new: 195.69.173.56, old: 195.69.173.56, interface: wan, device: ix1, force: yes)
2026-06-08T12:25:09
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure monitor (execute task : dpinger_configure_do(1,[WAN_DHCP]))
2026-06-08T12:25:09
Notice
opnsense
/usr/local/etc/rc.configure_interface: plugins_configure monitor (1,[WAN_DHCP])
2026-06-08T12:25:09
Error
opnsense
/usr/local/etc/rc.configure_interface: ROUTING: refusing to set inet gateway on addressless wan(ix1)
2026-06-08T12:25:09
Warning
opnsense
/usr/local/etc/rc.configure_interface: ROUTING: refusing to set interface route on addressless wan(ix1)
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: Creating resolv.conf
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: New Routers (ix1): 195.69.173.1
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: New Broadcast Address (ix1): 195.69.173.255
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: New Subnet Mask (ix1): 255.255.255.0
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: New IP Address (ix1): 195.69.173.56
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: New Hostname (ix1): 7c5a1c846db5
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: Reason REBOOT on ix1 executing
2026-06-08T12:25:09
Notice
opnsense
/usr/local/etc/rc.configure_interface: ROUTING: entering configure using wan
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: Reason PREINIT on ix1 executing
2026-06-08T12:25:09
Critical
dhclient
exiting.
2026-06-08T12:25:09
Error
dhclient
short write: wanted 20 got 0 bytes
2026-06-08T12:25:09
Notice
dhclient
dhclient-script: Reason FAIL on ix1 executing
2026-06-08T12:25:09
Error
dhclient
My address (195.69.173.56) was deleted, dhclient exiting
2026-06-08T12:23:59
Notice
dhclient
dhclient-script: Creating resolv.conf
2026-06-08T12:23:59
Notice
dhclient
dhclient-script: New Hostname (ix1): 7c5a1c846db5
2026-06-08T12:23:59
Notice
dhclient
dhclient-script: Reason RENEW on ix1 executing
2026-06-08T12:21:29
Notice
kernel
<6>[957] arp: 195.69.173.1 moved from 00:0e:00:00:01:01 to 00:0e:00:00:01:03 on ix1
I've already tried these things:
* Enable "Skip rules when gateway is down"

* Disable reply-to on WAN rules

* Enable "Dynamic gateway policy" on the interface

* Setting a static ARP entry

* Disabling neighbor discovery on WAN

but nothing worked. Other users of the ISP have reported that they solved it by dropping/ignoring GARP announcements, but I cannot find a way to do this with OPNsense? Running version 26.1.9.

#2

Hardware and Performance / Re: Sanity check for N100 / i2...

Last post by Ozymandias - Today at 12:39:59 PM

iperf3 was done with -P 4

#3

German - Deutsch / Squid Anfragen zu unterschiedl...

Last post by andy66 - Today at 11:38:06 AM

Hallo,

Ich möchte ein bestimmtes Quell-Subnetz über einen anderes (nicht default) Gateway rausgehen lassen.
Ich habe eine Squid Custom ACL in

Code Select Expand

/usr/local/etc/squid/pre-auth/custom.conf angelegt.
Leider kann man dort per Design nur default WAN IP-Adressen und nicht andere Interfaces verwenden
Damit landet der Traffic immer dem default WAN Interface.
Also habe eine virtuelle WAN-IP erstellt und den Traffic auf den alternativen WAN Ausgang mittels "Routing Policy ACL" gebracht.
Ich scheitere jetzt am NAT.

Bin ich da total auf dem Holzweg?

#4

26.1, 26,4 Series / Re: 26.1 upgrade chaos, Realte...

Last post by newsense - Today at 11:26:55 AM

That's a weird issue. If old_hw works without the os-realtek driver then it should be working on 26.1

Probably best to open an issue on GitHub OPNsense/src so Franco can have a look—-especially since 15.1 is on the horizon.


I've been told at some point Realtek removed some cards from the vendor driver ( so make sure you try both with and without it)

#5

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by Monviech (Cedrik) - Today at 09:06:36 AM

@Allan

I feel like you ran into this here:
https://github.com/opnsense/plugins/pull/5102

Sounds like an external Bind server might be better, I don't know if this can be reasonably fixed in the plugin.
If your workarounds work, well, that's good though, nice job figuring this all out.

@cinergi

Keeping it simple in your setup sounds indeed like the best plan. The configuration we recommend is this:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Good choice :)

[You]

#6

Hardware and Performance / Re: Sanity check for N100 / i2...

Last post by meyergru - Today at 07:02:58 AM

So you are saying that when I measure iPerf3 speeds between OPNsense and a Client that the speed will always be lower than between two any other type of Clients on the same subnet ?!

Yes, of course, just because when OpnSense is itself involved, iperf3 runs on top of the actual routing. Well, "on the same subnet" is incorrect, of course, because OpnSense would not be involved at all if the traffic were between two clients on layer 2.

Ofcourse you will always have to measure with as much threads as possible and sometimes even raise the window size and stuff like that... :)

You may know, but the OP did not state how exactly the measurements were taken, which is why I pointed it out again. RSS will not do any good with just one connection.

#7

Hardware and Performance / Re: cpu-microcode-intel: no ma...

Last post by BrandyWine - Today at 05:36:59 AM

This is from my std install of v14.3 (not opnsense). The _1 ucode pkg is not in Quarterly yet, but it in in fact in Latest.




download from Latest.
curl -O https://pkg.freebsd.org/FreeBSD%3A14%3Aamd64/latest/All/Hashed/cpu-microcode-intel-20260512_1~a2a4a2e6e1.pkg
pkg install cpu-microcode-intel-20260512_1~a2a4a2e6e1.pkg

All fixed??

#8

Hardware and Performance / Re: cpu-microcode-intel: no ma...

Last post by BrandyWine - Today at 05:28:02 AM

A bit convoluted to follow.
_1 has a last import of "new" on June 5 2026 (https://www.freshports.org/sysutils/cpu-microcode-intel/)

There seems to be two builds for 14 latest
https://ports.freebsd.org/cgi/ports.cgi?stype=pkg&query=sysutils/cpu-microcode-intel

#9

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by allan - Today at 04:44:16 AM

OP, if you ever decide to go down this path, I suggest to first set up Monit to watch log files and run a script based on keywords. When you see journal rollforward failed, that means Bind did not load that zone file. Your static DNS assignments in addition to Kea DDNS registrations are all offline at that point. Internet through Unbound still works but no LAN devices are resolvable. You need Monit to watch for that, quickly delete those journal files and restart Bind to recover before anyone notices. Until there is a better way, that is how I have it set up. I actually match on zone not loaded as my keyword.

#10

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by cinergi - Today at 03:04:45 AM

OP here.  Thanks to all for sharing your viewpoints and experiences.

My network is small - a home network with about 40 devices total, and IPv6 dual stack.  I don't NEED Kea - I just thought it might be fun to try to set it up with dynamic DNS entries via Bind.  However, @Monviech's point not to overcomplicate is well taken.  I'm currently using dnsmasq for DHCP + local DNS, and Unbound for upstream recursive DNS queries which dnsmasq does not support (I prefer going directly to the authoritative DNS servers rather than relying on my ISP's DNS).  To switch to the solution I inquired about in my OP, I would need (1) Kea, (2) radvd for IPv6 router advertisements, (3) Unbound for recursive DNS, and (4) Bind for local DNS.  This is a more complex solution with a lot more moving parts (to use Monviech's wording).

Thus, after further consideration, and also after seeing the various issues encountered by @allan, I've decided to leave things alone for now and avoid an angry wife and daughters 😯.  So it's dnsmasq --> Unbound.

Thanks all!

-cinergi