Recent posts

#1
Virtual private networks / Re: Gateway priority and statu...
Last post by kfm - Today at 01:59:35 AM
I can confirm this issue.  Is there any progress, or are there better workarounds?


ISSUE
--------------------------

In my situation, I define multiple non-upstream gateways with different priorities in Gateways -> Configuration:

GW100 192.168.1.100 upstream=no priority=100 monitor=10.0.0.100
GW101 192.168.1.101 upstream=no priority=101 monitor=10.0.0.101

...and then I add the same route for each gateway in Routes -> Configuration:

10.0.0.0/8 via 192.168.2.100
10.0.0.0/8 via 192.168.2.101

The expectation is that the system routing table will populate with a route for whichever gateway is up with the highest priority (in this case, it would be GW100).  Instead, OPNsense seems to randomly select which gateway will get the route in the system table, regardless even of whether the gateway is up or down.

This issue seems to only apply to non-default gateways.  Default gateways seem to handle this correctly.




WORKAROUNDS
--------------------------

1. Like zubrick said, you can manually create more precise routes for the preferred gateway to force OPNsense to put both routes in the system table.  However, if the preferred gateway goes down, OPNsense doesn't update the routing table to remove the applicable route(s).  Rather, you have to manually disable the preferred gateway to remove the route, which is not optimal.

2. Can't use gateway groups in NAT rules because the traffic is not being NATted.

3. Can't use gateway groups in Routes -> Configuration, because OPNsense does not allow groups to be the target of route rules.

4. Can create a gateway group and then create firewall rules for all interfaces that force the gateway for traffic going to 10.0.0.0/8, but this would mean duplicating every firewall accept rule (one for local traffic, one for remote traffic).  I'm not sure if maybe there is a smarter way to do this with non-quick rules or marking?

5. Maybe some kind of monit scripting that can watch the gateway status and add/remove routes as needed?  I couldn't find much documentation on it.

None of these options are great.




PREFERRED RESOLUTION
--------------------------

The two easiest ways to solve this from a user's perspective would be

(1) allow gateway groups as targets for static route configuration or

(2) have an option to treat down gateways as disabled for purposes of system routing table generation.
#2
26.1 Series / Re: Kea DHCPv4 How to remove d...
Last post by Netlearn - Today at 01:53:44 AM
I haven't tried, but it's not an easy workaround for a medium network, because one would have to connect the new machine to the "no-leases" VLAN and then to the device's destination VLAN, which is not always feasible. Plus the existence of that "no-leases" VLAN in all the infrastructure (wired and wireless).

Maybe your advice could do the trick for a small network, but I think most OPNsense users tend to come from medium to large network sizes.

I proposed the new web feature because I think I'm not alone in this situation, it's a supported Kea feature, and it improves alignment with ISC, which is now a plugin and mostly deprecated.
#3
26.1 Series / Re: Unbound Query Forwarding ....
Last post by Netlearn - Today at 01:42:31 AM
Thanks for help.

I went to the section to be sure, and it's already disabled in all five Unbounds.

The other option to register reservations ("Register DHCP Static Mappings") is selected, as I need it to declare all the needed hosts.  Not sure if it interferes with query forwardings, as long as I'm not using ISC and all of them migrated to Kea and uninstalled the plugin.
#4
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by OPNenthu - February 27, 2026, 11:43:57 PM
Quote from: klinebau on February 24, 2026, 08:36:56 PM
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

My issue with the Linux hosts might be that some of them are using the "stable privacy" mode rather than "EUI64," so I guess Dnsmasq has no way to know that and guess the stable GUA address.  Therefore it can't ping it for confirmation.

My Android clients are a bit different.  They have a privacy mode which uses a randomized MAC for each network, but they do generate an EUI64 address based on that randomized MAC.  So those get registered.

I guess the only way to simulate that on a desktop is to spoof the interface MAC and change the mode back to "EUI64," maybe.
#5
General Discussion / Re: Wildcards in domain names:...
Last post by Greg_E - February 27, 2026, 10:58:19 PM
I've generally found that blocking anything related to outlook.com will break stuff your users need. We are a Microsoft plant so this could break way too many things for me to even try. There are only a few Microsoft related things I can block (a couple of trackers) without getting problems in applications I actually need.
#6
26.1 Series / communications error to 192.16...
Last post by olluz - February 27, 2026, 10:53:27 PM
Hi there,

what am I doing wrong if I get this error sporadically:

host 217.160.0.94
;; communications error to 192.168.3.1#53: timed out
94.0.160.217.in-addr.arpa domain name pointer 217-160-0-94.elastic-ssl.ui-r.com.

I've read somewhere that it might be related to IPv6 being enabled.

With host -4 217.160.0.94 I haven't encountered the timeout so far.

Any idea how to solve this without disabling IPv6? Or rather, what did I do wrong to encounter the error in the first place?

Any help is appreciated.

Thanks in advance.
#7
26.1 Series / Re: Upgrade Failed, signature ...
Last post by random1104 - February 27, 2026, 10:33:43 PM
I'm still experiencing the same error.
#8
26.1 Series / OpenVPN client can't get to lo...
Last post by skullitor13 - February 27, 2026, 10:28:37 PM
So this is a weird one and I can't figure out where to even look at why this is an issue.

I have an OpenVPN server running and my client can connect, and can get to the internet just fine.  I just can't access stuff on my 192.168.1.0/24 network (OpenVPN is using 192.168.2.0/24).

This used to work just fine, but I migrated to the new firewall rules.  The weirdest thing is I can ping from devices on both networks to each other, but when I actually try to get to a server it just spins and does not connect.

I don't see anything getting blocked in the live view of the firewall, but I do see pass messages for my device to the server in there.
#9
26.1 Series / Re: VoIP outbound calls not wo...
Last post by olmo1501 - February 27, 2026, 10:19:10 PM
Did you create the Outbound Rule for specific ports? If so, check if they still match. RTP ports may be different between a Fritzbox and a Gigaset device.
#10
Virtual private networks / Re: ipsec problem
Last post by user.42 - February 27, 2026, 10:11:03 PM
Premise: firewall rules and port forwarding are correct.

A Windows client with a strongSwan server is odd because of Windows.

Hint: https://docs.strongswan.org/docs/latest/interop/windowsClients.html

It might be a good idea to test the setup with Linux + strongSwan or Android + the strongSwan app.