Recent posts

#1
Dutch - Nederlands / Re: Nederlandse Vertaling
Last post by MartinScorp - Today at 02:35:56 PM
For everyone who wants to help translate OPNsense into Dutch:

Here you can create an account and tick the box next to Dutch

then click "Join Translation"

I can then add you and you can help where possible.
Very simple: you are shown fields with existing texts, with fields next to them where you can type in the Dutch translation.
You can also use an English-to-Dutch translator on the internet, but do check whether, to your feeling/knowledge, the result matches what needs to be translated.

You don't have to do everything, every little bit helps... it's a lot, so

Thanks in advance, and this way we'll get a Dutch OPNsense ;-)
#2
25.7, 25.10 Series / Re: igb VLAN on WAN not workin...
Last post by gravlys - Today at 02:34:07 PM
Thanks for the suggestion.
We already have a well-known French forum about the required configuration for almost all French providers (in my case, see https://lafibre.info/remplacer-bbox/). But this is not the issue here, as I'm correctly getting IPv4 and IPv6 addresses from my provider ... but only when I run a tcpdump on my WAN interface.
#3
26.1 Series / Re: Can Unbound DNSSEC be used...
Last post by Ben S - Today at 02:26:47 PM
I do a similar thing, using Unbound as the resolver, forwarding my local domain to Dnsmasq and it seems fine.

Do you have DNSSEC validation turned on in Dnsmasq?  I don't in my setup, only in Unbound.  I don't have DNSSEC hardening turned on but I notice you've tried that both ways anyway.

Another thing I notice which may not be relevant is that Dnsmasq seems to be trying to forward the query, given the response mentions NXDOMAIN with a reference to root-servers.net.  In my setup I have enabled 'Do not forward to system defined DNS servers' in Dnsmasq settings.  It may not help but since you're using Dnsmasq just to serve local domains, and Unbound should be the recursive resolver, it makes sense to me to never allow Dnsmasq to do any forwarding.  If nothing else it may make it easier to diagnose what's going on since you'll know any answer from Dnsmasq is _only_ from Dnsmasq.

I notice another potential problem in your tests: doing some similar tests myself, I noticed that the port specifier must be first.

This will use the specified port:
drill -p PORT @127.0.0.1 NAME
This will not, the port seems to just be silently ignored:
drill @127.0.0.1 -p PORT NAME
(I normally use dig instead, where the order doesn't seem to matter as much.)

So what you're seeing probably is Unbound behaviour changing, rather than Dnsmasq.  The fact you don't see 'aa' (authoritative answer) in the flags response is a clue that you're going via a recursive resolver and not hitting Dnsmasq directly.

tl;dr I don't know why it doesn't work, sorry!  But maybe you can at least change your drill command and be sure Dnsmasq isn't changing here.
#4
General Discussion / Re: ddclient and deSEC
Last post by JamesFrisch - Today at 02:05:11 PM
Haha, this was more directed at @meyergru to explain why there is even a need for a better implementation, but sure, take a look.

#5
General Discussion / Re: ddclient and deSEC
Last post by skywalker007 - Today at 01:59:41 PM
Quote: These workarounds are exactly what I mean and what my script handles better.

Uh - I missed your post. I'll have a look at your script. Thanks!
#6
General Discussion / Re: ddclient and deSEC
Last post by JamesFrisch - Today at 01:55:22 PM
Quote from: meyergru on February 13, 2026, 10:56:38 PM
Are you aware that ddclient is on its way out as discussed here and that it has long been superseded by the native backend for os-ddclient?

This native backend already supports deSEC.

Yeah, but not in a great way. See my response here: https://forum.opnsense.org/index.php?topic=50903.new#new

Quote from: skywalker007 on Today at 11:15:56 AM
I have just implemented it using the custom method which works well.
Documented here:
https://forum.opnsense.org/index.php?topic=50907.0

These workarounds are exactly what I mean and what my script handles better.
#7
General Discussion / Re: DynDNS client for deSEC.io
Last post by JamesFrisch - Today at 01:47:03 PM
Yes I am aware.

However, there are some quirks and features specifically tuned to deSEC.io.
I don't deny that it is a one trick pony. Because of that it has some advantages.
Disclaimer: I have not taken a deep look at the updater logic of os-ddclient, so some things might also apply to os-ddclient.

- deSEC is a non-profit with limited resources. In the past the servers were overloaded, because everyone is doing their update at exactly every hour. My script adds a random delay of up to 5min, so not all come at the same time.

- My script uses deSEC DNS server. That might help prevent an unnecessary update request, when the DNS was updated but not yet propagated to something like Akamai.

- My script only issues an update request when the IP actually has changed. Probably also true for os-ddclient.

- My script makes use of the slightly special update logic from deSEC. There are multiple options for deSEC:

A: You don't specify an IP at all in the update request. That is the default and what os-ddclient is using. deSEC server will try to detect your IP. This will also overwrite all manual records done in the deSEC webGUI. Logic behind that is, that if you lose for whatever reason, you should also lose the DNS there. But of course this sometimes confuses users.

B: You specify a preserve option to not touch the corresponding IPv4 or IPv6

C: You detect the IPs yourself and hand them out in the update URL. This is what my script does.


The current implementation of os-ddclient needs two update requests, one for IPv4 and one for IPv6, both with manually added preserve option to not delete each other. So out of the box, the current implementation is not even dual stack ready. My script does this in a more elegant way. Just one update request and handing out the previously detected IP(s) and depending on what the user's goal is, with a preserve option in the update URL. Instead of making the deSEC servers detect it and leave them to decide.

Quote from: meyergru on Today at 10:00:36 AM
Yes, I know that there is a specific problem - yet I think it would be better working towards a solution in OPNsense than to use external scripts.

I wrote my script because it not only works on OPNsense, but also on macOS / Linux / FreeBSD.
But I agree and a native OPNsense implementation would be even better. However there are some issues with that.

I don't know when I have the time and motivation to do this. I am also just a user and don't really know how to program (don't worry, I still did not use any AI for this).

So I am very happy for someone else to take up the work. Or if someone is willing to help me and nudge me in the right direction from time to time. This is what happened over at deSEC, one employee took the time and helped and guided me through. But IMHO he would have been faster writing it himself :)

As a total amateur, to me it looks like there would need to be made some changes to the current implementation, to get what my script currently offers:

- adding deSEC as a check IP DNS server
- adding a secondary backup DNS server for check IP in the webGUI. Not sure how this is currently handled when a DNS server does not respond.
- adding a random delay between 1s and 5min (or a user max configurable number). Maybe that is not even needed, if the os-ddclient tool is currently not time based, but interface changes based? Don't know to be honest.
- completely overhaul the current desec-v4 and desec-v6 in the webGUI. This would be the big one *

* instead of differentiating between v4 and v6, we only need one called deSEC. That, and these checkbox options
- enableIPv4
- enableIPv6
- preserveIPv4
- preserveIPv6

The enable and preserve options are the same thing.
They are just there to make it nicer and simpler for the user. One user might think "I don't have IPv6 so no need to enable it" while the other user thinks "I have set a static IPv6 in the webGUI of deSEC, I don't want the updater to touch that so I want the preserve option".

From an update logic standpoint, they behave exactly the same.
But both options are just there to make sure there is no need to check said IP protocol and to not touch the deSEC webGUI records by using the preserve option.


#8
26.1 Series / dhclient/dhcp6c running when I...
Last post by JadElClemens - Today at 01:17:14 PM
Hey all,

I'm seeing some weird behavior with my new OPNsense CARP secondary. For background, it's a weird but not a totally unique setup - CARP on the LAN which controls the WAN interface with a hook in `/usr/local/etc/rc.syshook.d/carp` since I only have one WAN IP. My idea being to enable DHCP on the CARP Master and disable on the Backup.

My Master currently holds the WAN IP while the Backup has IPv4 and IPv6 Assignment Type "None", but the Backup is still soliciting DHCP addresses all the while. Same if the interface is not "Enabled" but is left up. Is this expected behavior?
#9
I should have mentioned that you can confirm #2 with 'ifconfig' (the line starting with 'media:' on the interface).

Also from the GUI if you go to Interfaces->Overview->[WAN/LAN]->Details and look for the same (Media) as well as Line Rate.

Sorry I don't have more helpful hints.  Hopefully someone with one of these devices has some more thoughts, or you might also e-mail Deciso support.  Will be good for us to know the outcome for future upgrade decisions.
#10
25.7, 25.10 Series / Upgrade 25.7.10 -> 25.7.11_9 s...
Last post by Bulk9958 - Today at 12:03:12 PM
Just wanted to upgrade to 26.1, so I first had to upgrade to the latest 25.7.11, but it has been stuck for 2 hours.

Update Log:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.10 (amd64) at Sat Feb 14 10:23:30 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (72 candidates): .......... done
Processing candidates (72 candidates): . done
The following 7 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
hostwatch: 1.0.6 [OPNsense]

Installed packages to be UPGRADED:
cpu-microcode-intel: 20251111 -> 20251111_1 [OPNsense]
libsodium: 1.0.19 -> 1.0.21 [OPNsense]
opnsense: 25.7.10 -> 25.7.11_9 [OPNsense]
opnsense-update: 25.7.10 -> 25.7.11 [OPNsense]
os-sensei: 2.3.1 -> 2.3.3 [SunnyValley]
suricata: 8.0.2 -> 8.0.3 [OPNsense]

Number of packages to be installed: 1
Number of packages to be upgraded: 6

The process will require 3 MiB more space.
153 MiB to be downloaded.
[1/7] Fetching opnsense-update-25.7.11.pkg: ..... done
[2/7] Fetching hostwatch-1.0.6.pkg: .......... done
[3/7] Fetching os-sensei-2.3.3.pkg: .......... done
[4/7] Fetching suricata-8.0.3.pkg: .......... done
[5/7] Fetching libsodium-1.0.21.pkg: ......... done
[6/7] Fetching opnsense-25.7.11_9.pkg: .......... done
[7/7] Fetching cpu-microcode-intel-20251111_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/7] Upgrading cpu-microcode-intel from 20251111 to 20251111_1...
[1/7] Extracting cpu-microcode-intel-20251111_1: .......... done
[2/7] Installing hostwatch-1.0.6...
===> Creating groups
Creating group 'hostd' with gid '377'
===> Creating users
Creating user 'hostd' with uid '377'
[2/7] Extracting hostwatch-1.0.6: ..... done
[3/7] Upgrading libsodium from 1.0.19 to 1.0.21...
[3/7] Extracting libsodium-1.0.21: .......... done
[4/7] Upgrading opnsense-update from 25.7.10 to 25.7.11...
[4/7] Extracting opnsense-update-25.7.11: .......... done
[5/7] Upgrading os-sensei from 2.3.1 to 2.3.3...
[5/7] Extracting os-sensei-2.3.3: .......... done
Zenarmor service is running, saving state to resume after upgrade...
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 1
CLI crons: Success
Local path is : /usr/local/opnsense/service
total 69
-rw-r--r--  1 root wheel   32B Jun  5  2025 serial
-rw-r--r--  1 root wheel    0B Jun  5  2025 .fixed-security-categories
-rw-r-----  1 root wheel    7B Jun  5  2025 sensei_cpu_score
-rw-r-----  1 root wheel    4B Jun  5  2025 .configdone
-rw-r-----  1 root wheel   32B Jun  5  2025 token
-rw-r-----  1 root wheel  113B Jun  9  2025 overlay.conf.templ
-rw-r--r--  1 root wheel    0B Dec 27 01:27 .mustrestart
-rw-r--r--  1 root wheel  113B Jan  2 12:11 overlay.conf
-rwxr-xr-x  1 root wheel  136B Feb  2 18:51 workers.map.default
-rwxr-xr-x  1 root wheel   40B Feb  2 18:51 .buildtime
-rwxr-xr-x  1 root wheel  5.5K Feb  2 18:51 eastpect.cfg.default
-rw-r-----  1 root wheel  440B Feb  2 19:25 workers.map
-rw-r--r--  1 root wheel  6.6K Feb 13 08:23 eastpect.cfg
create link for python in virtualenv...Create link python3 to /usr/local/zenarmor/py_venv/bin/python....
Create link python3 to /usr/local/zenarmor/py_venv/bin/python3....
done
Restarting configd service...done
Activating features for Freemium Edition...
Clearing OPNsense menu cache...done
Invalidating OPNsense cache...done
Invalidating Zenarmor cache...done
Running Zenarmor post-install scripts...
Check python version
Sat Feb 14 09:24:05 UTC 2026
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 0
CLI crons: Success
Preparing Settings Db...
Backup configurations...
Configuration Migration .....
License Migration.....
Node.csv Migration.....
Certification Migration.....
Token Migration.....
Userpin Migration.....
Serial Migration.....
Userenricher Tokens Migration.....
Hostmap Cache Database migration.....
Creating user_device_cache.db...
Creating hostmap_cache.db...
Creating settings.db...
Application database base path is /usr/local/zenarmor//db/
12 web 2.0 categories added.
Prepared Default Policy
Checking Schedule Reports...
Preparing Userenrich Db...
Checking Cloud Nodes...ASAN LIBRARY CHECK....
Generating Zenarmor configuration files...done
Menu.xml template copied
StaticConfig template copied
CLI generate-static-file: OK
CLI setretireafter:
CLI setretireafter: DB Type: ES
CLI setretireafter: (Elasticsearch) 7
CLI setretireafter: Skipped:
CLI setflavor:
CLI setflavor: Warning: Not settings flavor size in eastpect.cfg
CLI settimestamp: Success
CLI migrate: Info: Report Mail Configuration Checking
CLI migrate: Info: done
CLI migrate: Info: Web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Custom web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Applications category migration ...
CLI migrate: Success
CLI migratewebcat: Success
CLI bufsysctl (ring): skipped dev.netmap.ring_num: 1024
CLI bufsysctl: skipped  mem: 8589934592 buf: 1000000
CLI setClusterUUID: Success
CLI setdefaultswap: Info: Swap Rate: 60
CLI setdefaultswap: Success
CLI fillscheduledreportchart
CLI fillscheduledreportchart: Success
CLI setlicensesize: Success: Warning: License is not premium
CLI check-fix-websites skipped
CLI check-fix... 
CLI check-fix done


Firewall is still working normally.
Nothing found, someone had also this issue.

Nothing special in /var/log/system/latest.log

What should I do?