"Recent posts
#1
25.7, 25.10 Series / Re: choose shell for item 8 in...
Last post by tessus - Today at 01:35:08 AMSpawning bash from .cshrc is a rather nasty hack, I'd rather avoid. But that's just me.
The issue is I do not know which files are overwritten when packages are updated, otherwise I'd just update the /usr/local/sbin/opnsense-shell locally. But it is part of the opnsense package, so I think the file is overwritten during every upgrade.
My idea to use an optional file with a CMD_SHELL var in /etc/ or /etc/defaults/ seems the most logical solution that adheres to Unix philosophy. But maybe I am wrong.
I don't really want to discuss this on this forum, since it doesn't understand markup. It's way easier to do that in a PR.
I only needed to know the repo, because I wanted to avoid searching for it on gh, which I have done now. So this topic is now obsolete.
The issue is I do not know which files are overwritten when packages are updated, otherwise I'd just update the /usr/local/sbin/opnsense-shell locally. But it is part of the opnsense package, so I think the file is overwritten during every upgrade.
My idea to use an optional file with a CMD_SHELL var in /etc/ or /etc/defaults/ seems the most logical solution that adheres to Unix philosophy. But maybe I am wrong.
I don't really want to discuss this on this forum, since it doesn't understand markup. It's way easier to do that in a PR.
I only needed to know the repo, because I wanted to avoid searching for it on gh, which I have done now. So this topic is now obsolete.
#2
25.7, 25.10 Series / Dynamic *.home.arpa DNS with U...
Last post by kss - Today at 01:19:20 AMApologies if this is not very clear --
I am running the current stable version of OPNsense and use dnsmasq for DHCP and Unbound for all DNS. My current setup uses internal domains such as 1.mydomain.com, 2.mydomain.com, etc., with DNS queries forwarded over WireGuard, and this works reliably for both short-name and FQDN resolution across the sites.
What is the correct way to configure Unbound and dnsmasq so that DHCP clients automatically create and retain dynamic DNS records under *.home.arpa, including handling of hostname changes and lease renewals, without relying on static host overrides?
I'm trying to determine whether an equivalent configuration is supported or achievable for *.home.arpa, and if so, how I should go about it. Thanks.
I am running the current stable version of OPNsense and use dnsmasq for DHCP and Unbound for all DNS. My current setup uses internal domains such as 1.mydomain.com, 2.mydomain.com, etc., with DNS queries forwarded over WireGuard, and this works reliably for both short-name and FQDN resolution across the sites.
What is the correct way to configure Unbound and dnsmasq so that DHCP clients automatically create and retain dynamic DNS records under *.home.arpa, including handling of hostname changes and lease renewals, without relying on static host overrides?
I'm trying to determine whether an equivalent configuration is supported or achievable for *.home.arpa, and if so, how I should go about it. Thanks.
#3
25.7, 25.10 Series / Re: After upgrading to 25.7.9,...
Last post by kwo1 - Today at 12:39:57 AMHi, I'm still looking for guidance with this.
I performed the upgrade again. Predictably, after the upgrade, I cannot login to the web GUI (site cannot be reached) and ssh attempts return a "connection closed by remote host" msg. These were both working prior to the upgrade. I _CAN_ ping the IP successfully though.
I connected to the console. Looking at /var/log/lighttpd/latest.log, I don't see any suspicious events that correspond to my attempts to access the web GUI. I don't even know if this is the right log to look at.
Google said to check lighttpd. At the console, I ran "service lighttpd status" which said lighttpd is not running.
I then ran 'service lighttpd start', which returned a msg lighttpd could not be started, and to set lighttpd_enable to yes inside /etc/rc.conf, or use onestart instead of start.
I instead ran 'service lighttpd onestart' which seemed to start lighttpd. I still can't access the web GUI though.
Again, please, can someone help direct me how else to troubleshoot this?
Thank you
I performed the upgrade again. Predictably, after the upgrade, I cannot login to the web GUI (site cannot be reached) and ssh attempts return a "connection closed by remote host" msg. These were both working prior to the upgrade. I _CAN_ ping the IP successfully though.
I connected to the console. Looking at /var/log/lighttpd/latest.log, I don't see any suspicious events that correspond to my attempts to access the web GUI. I don't even know if this is the right log to look at.
Google said to check lighttpd. At the console, I ran "service lighttpd status" which said lighttpd is not running.
I then ran 'service lighttpd start', which returned a msg lighttpd could not be started, and to set lighttpd_enable to yes inside /etc/rc.conf, or use onestart instead of start.
I instead ran 'service lighttpd onestart' which seemed to start lighttpd. I still can't access the web GUI though.
Again, please, can someone help direct me how else to troubleshoot this?
Thank you
#4
25.7, 25.10 Series / Re: Unbound to forward .home d...
Last post by nero355 - Today at 12:18:01 AMQuote from: tuxlemmi on January 09, 2026, 07:05:40 AMIt was not my intention to start a fundamental discussion about the .home domain.IMHO another case of using a wrong configuration for years and when the software you have been using all that time finally makes some adjustments to avoid people using such wrong configurations then they all start yelling : "But it has worked like this for years!!!111oneoneone"
A customer has such a domain which wasn't a problem for the last 5 years as unbound forwarded the domain correctly to the customers dns-server (Win).
But since the last update it doesn't.
LOL! ^_^
#5
25.7, 25.10 Series / Re: os-acme-client 4.11 on Bus...
Last post by greY - January 09, 2026, 11:35:59 PMThanks Franco!
I followed your suggestion and the upgrade itself worked fine (installed the CE packages via pkg add -f and the ACME client is now on the newer version).
However, the DNS-01 flow still fails and the logs show that acme.sh is still using the old Hetzner DNS API endpoint:
it calls https://dns.hetzner.com/api/v1/zones?...
resulting in Error adding TXT record ... Invalid domain
From what I can see, the upstream acme.sh implementation for Hetzner Cloud DNS uses the new Cloud API (https://api.hetzner.cloud/v1/...) in dns_hetznercloud.sh, e.g.: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_hetznercloud.sh
So it looks like the plugin update did not bring in the expected dns_hetznercloud behavior (or the OPNsense-packaged acme.sh dnsapi scripts differ from upstream / are not updated accordingly).
I followed your suggestion and the upgrade itself worked fine (installed the CE packages via pkg add -f and the ACME client is now on the newer version).
However, the DNS-01 flow still fails and the logs show that acme.sh is still using the old Hetzner DNS API endpoint:
it calls https://dns.hetzner.com/api/v1/zones?...
resulting in Error adding TXT record ... Invalid domain
From what I can see, the upstream acme.sh implementation for Hetzner Cloud DNS uses the new Cloud API (https://api.hetzner.cloud/v1/...) in dns_hetznercloud.sh, e.g.: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_hetznercloud.sh
So it looks like the plugin update did not bring in the expected dns_hetznercloud behavior (or the OPNsense-packaged acme.sh dnsapi scripts differ from upstream / are not updated accordingly).
#6
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
Last post by ligand - January 09, 2026, 11:15:03 PMI just had another outage... so I switched to a combination of unbound and kea.
#7
25.7, 25.10 Series / Re: choose shell for item 8 in...
Last post by Patrick M. Hausen - January 09, 2026, 10:40:38 PMHow about adding to root's .cshrc something like e.g.
Code Select
test -x /usr/local/bin/bash && exec /usr/local/bin/bash -l
#8
25.7, 25.10 Series / Re: choose shell for item 8 in...
Last post by tessus - January 09, 2026, 10:18:47 PMYes, this is a very nice idea. However, I am great with backend and scripts, but suck at anything with UI and/or frontend.
To answer your question: I don't know how to do that.
To answer your question: I don't know how to do that.
#9
German - Deutsch / Re: Firewallregeln lassen sich...
Last post by Pelikan Netzwerk - January 09, 2026, 10:07:49 PMAlso zur fehlenden Kopiermöglichkeit darf ich mitteilen, dass ich mit Edge, Edge im abgesicherten Modus, und Firefox auf die Firewall verbunden habe. In allen drei Fällen blieb es dabei, dass die Kopieroption nicht gezeigt wurde.
Bei einer neuen Regel hast Du absolut Recht. Sobald ich hier das entsprechende Protokoll wähle, können auch die Ports ausgewählt werden. Super! Hierfür besten Dank.
Zu dem ersten Fehler, dem, dass keine Regeln kopiert werden können, wohin adressiere ich den jetzt? Schon merkwürdig, dass es da wieder nur mich erwischt hat. :-(
Bei einer neuen Regel hast Du absolut Recht. Sobald ich hier das entsprechende Protokoll wähle, können auch die Ports ausgewählt werden. Super! Hierfür besten Dank.
Zu dem ersten Fehler, dem, dass keine Regeln kopiert werden können, wohin adressiere ich den jetzt? Schon merkwürdig, dass es da wieder nur mich erwischt hat. :-(
#10
General Discussion / Proxmox PCI Passthrough & re-e...
Last post by rs_taylor - January 09, 2026, 09:33:10 PMHi,
I have a small x4 2.5gb port Mini PC bought to play around with OPNSense 25.7.10 and Proxmox 9.1.4.
I setup Proxmox and used PCI passthrough to pass 3 NIC to OPNSense VM and setup OPNSense from there.
Those ports comes through as IGC0,1,2 and i assign to WAN(1)/LAN(2) (never found a use for 0), it all works great for a year or so.
My problem is that i've now decided i only really need 2 ports and want to stop passing 1 port (The unassigned IGC0 in OPNSense).
I identified which PCI device that related to and thought i could just Stop OPNSense and tell Proxmox not to send the NIC anymore but it wasn't so simply.
What i found was the my OPNSense simply says LAN = IGC1 and WAN is IGC2 and if i stop sending IGC0 from Proxmox when FressBSD/OPNSense reboots it simply enumerates that IGCx's as it finds, only finding x2 now.
This meant that the IGCx's are not the NIC they had been (the new IGC0 became what was IGC1 and the new IGC1 became what was IGC2, and there is no longer and IGC2).
Really screwing up OPNSense.
Do i have to just spend time getting OPNSense working after switching or is there some way to link/lock the Interfaces to a MAC or fix the IGCx's numbering?
Once I found out what was going on i rolled back to the Orginal x3 NIC Passthrough, but would prefer to find a way to pass only x2 NICs.
It also seems odd that it 1 rebooted OPNSense 1 day and FreeBSD decided to put the IGC's in a different order it would screw things up again.
What am i missing?
I have a small x4 2.5gb port Mini PC bought to play around with OPNSense 25.7.10 and Proxmox 9.1.4.
I setup Proxmox and used PCI passthrough to pass 3 NIC to OPNSense VM and setup OPNSense from there.
Those ports comes through as IGC0,1,2 and i assign to WAN(1)/LAN(2) (never found a use for 0), it all works great for a year or so.
My problem is that i've now decided i only really need 2 ports and want to stop passing 1 port (The unassigned IGC0 in OPNSense).
I identified which PCI device that related to and thought i could just Stop OPNSense and tell Proxmox not to send the NIC anymore but it wasn't so simply.
What i found was the my OPNSense simply says LAN = IGC1 and WAN is IGC2 and if i stop sending IGC0 from Proxmox when FressBSD/OPNSense reboots it simply enumerates that IGCx's as it finds, only finding x2 now.
This meant that the IGCx's are not the NIC they had been (the new IGC0 became what was IGC1 and the new IGC1 became what was IGC2, and there is no longer and IGC2).
Really screwing up OPNSense.
Do i have to just spend time getting OPNSense working after switching or is there some way to link/lock the Interfaces to a MAC or fix the IGCx's numbering?
Once I found out what was going on i rolled back to the Orginal x3 NIC Passthrough, but would prefer to find a way to pass only x2 NICs.
It also seems odd that it 1 rebooted OPNSense 1 day and FreeBSD decided to put the IGC's in a different order it would screw things up again.
What am i missing?
