Recent posts

#1
26.1 Series / Re: Can the GUI levels stay ex...
Last post by nero355 - March 20, 2026, 11:58:49 PM
Quote from: tcm1010 on March 20, 2026, 05:05:12 PM
Thanks nero355 for pointing those out.
You are welcome! :)

Quote:
I did a lot of searching before posting and did not come across those threads (probably because I used "GUI" as one of the search criteria).
No worries! Stuff happens! ;)

Quote:
Shall I mark this thread [SOLVED]...or [REDUNDANT]? :-)
I would wait for a reply from one of the developers of OPNsense.
#2
Virtual private networks / Re: Wireguard VPN on mobile wh...
Last post by kermitxyz - March 20, 2026, 10:52:11 PM
The endpoint is for example "vpn.domain" which resolves to the Static IP of the OPNSense WAN interface.

I think the issue is that from external networks this resolves to say 80.12.15.40 but inside the LAN this doesn't work as it's the IP of the external OPNSense interface.

I think I might need "split DNS"?  I have created an override in Unbound DNS so from inside the LAN "vpn.domain" resolves to the LAN IP of the OPNSense router.

But services still don't work...?

#3
26.1 Series / Re: cloudflare blocklist
Last post by stanps - March 20, 2026, 10:29:59 PM
If I'm not mistaken you could also use their family DNS servers that [attempt to] block porn and malware. 1.1.1.3 & 1.0.0.3
#4
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by stauf - March 20, 2026, 10:10:58 PM
Interesting, thank you.  Someone was saying that Automatic Discovery sends out pings but I guess that is not the case.  The documentation I can find on it shows that it just listens for ARP and NDP messages.  Feels like there must be some defect(s) in the Automatic Discovery.  If all it does is listen for ARPs and update its cache if there are devices on the network changing their IP -> MAC mappings, or devices with static entries not using OpnSense to get an IP address, then they would need to send out ARP requests to populate their own ARP cache if they want to talk with other devices on the network.  I can't think of anything (other than malicious/malformed ARPs, which I am certainly not sending...at least not intentionally, on my network) that would explain why OpnSense would populate entries in its DHCP table when there is no device on the network that is sending those ARPs.

It might be a nice feature to add a tag to any KeaDHCP MAC->IP entries in the csv files.  Basically, how was this entry learned?  There is already a "Lease Type" column that says it is either static or dynamic.  Might be nice to have an "automatic" maybe?

As I have Proxmox and multiple hosts on individual ethernet interfaces, there could be multiple IP/MAC combinations on the same interface, but from an OpnSense point of view, that should not matter at all.

I don't have v6 configured on OpnSense so I assume, even if Automatic Discovery is on, any rogue v6 NDP packets on my network would just get dropped?  I suppose in my case, it's a moot point as there are no entries in the KeaDHCPv6 table.

When Automatic Discovery is enabled and it sees ARPs and keeps track, what is the next step?  Does it just populate the KeaDHCP cache?  Does it create a table somewhere else?
#5
26.1 Series / Re: OPNSense setting wrong add...
Last post by Monviech (Cedrik) - March 20, 2026, 10:02:17 PM
Same happened to me, thanks for posting about this.

I chose akamai now and things work again.
#6
26.1 Series / apcupsd LCK.. file
Last post by ohioyj - March 20, 2026, 09:35:32 PM
Unfortunately I'm not sure at what point this started, but at some point apcupsd stopped functioning properly. I believe it to be relatively recently. It works perfectly fine, but at some point I end up with a "LCK.." file in /var/spool/lock. If I delete this file I can restart the apcupsd and everything functions normally again.

Is this a known issue, or is there something I can do to prevent this?

I'm running:
OPNsense 26.1.4-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
#7
Virtual private networks / Re: Wireguard Selective Routin...
Last post by FredFresh - March 20, 2026, 09:21:22 PM
Did you set the vpn gateway to a higher priority than the wan gateway?
#8
26.1 Series / Re: cloudflare blocklist
Last post by FredFresh - March 20, 2026, 09:19:30 PM
https://developers.cloudflare.com/waf/tools/lists/managed-lists/

The use of the lists requires an enterprise plan.
#9
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by Monviech (Cedrik) - March 20, 2026, 09:06:24 PM
Just to quote myself again:

The daemon is completely passive, it does ***NOT*** probe actively for devices with icmp.
#10
26.1 Series / Re: OPNSense setting wrong add...
Last post by Flachzange - March 20, 2026, 08:19:00 PM
Oh, thanks it's not only me...

This has been driving me crazy for a week or so. Without updated DNS I am locked out of my home network. In my case, I regularly update
- IPv4 of sub1.domain.com
- IPv6 of sub1.domain.com
- IPv4 of sub2.domain.com

I thought it was somehow related to having three entries and tried to isolate it to one of them, but no success.

The weird part is:

- sometimes it works
- OPNsense even adopts the wrong IP, i.e. cloudflare is confirming 104.18.0.0 back to OPNsense. But only once the correct one was updated to cloudflare.

I updated the IP once via the API call directly (outside OPNsense); that seems to have worked, but maybe it was just coincidence.

Edit: Understood, the "check ip method" used cloudflare to determine the ip address and that thing is broken