Recent posts

#1
Zenarmor (Sensei) / Re: WebGui - Zenarmor item sti...
Last post by Tobanja - Today at 11:18:47 AM
Quote from: almodovaris on August 23, 2023, 01:15:03 AM
Use:

find / -iname "*sensei*"
find / -iname "*zenarmor*"

and rm -fr accordingly.

Then reboot.

This solved it for me. Unfortunately, the problem still exists and requires this manual clean-up. (Sorry for the necrobump.) I guess a solution would be to simply reinstall the plugin, and then remove it the "proper" way from the Zenarmor settings.
#2
26.1, 26.4 Series / Re: Unbound TCP drops every 7....
Last post by lmoore - Today at 10:52:14 AM
Quote from: Decaffinated_Duck on Today at 12:53:09 AM
Thanks, I've taken Unbound out of the system for now while I get to the bottom of my issue, but if DHCPRenew are non interrupting then this may not have any connection to OP's issue & don't want to hijack their thread

I neither use AdGuard nor Pi-hole, just Unbound with 4 x block lists & Q-Feeds Connect (Community licence) for IP and domain protection.

In Unbound, only one of my block lists seems to get hits for domains to block.
#3
26.1, 26.4 Series / Re: Upgrade went wrong
Last post by davidgildea - Today at 10:40:39 AM
Quote from: franco on May 22, 2026, 05:48:58 PM
Orphaned means it couldn't load the remote repository for whatever reason. The check for update log would be much more conclusive.


Cheers,
Franco

Thanks Franco, I am pretty new to Opnsense so appreciate the help. I will have a look at that log
#4
You have checked "Request prefix only" which only asks for IA_PD.

If you also want an IA_NA address on WAN, uncheck that.

IPv6 routing uses link local addresses per default (fe80...). It does not require global unicast addresses for routing most of the time (2001...)

Using prefix delegation (IA_PD) and high availability is not going to work reliably, as the clients have a real identity. You would need some sort of NAT66 and ULAs (unique local addresses fd00...) just like with IPv4 HA (RFC1918 addresses and NAT44)

It only works if you have a static prefix and your provider routes your prefix to an address you configured as CARP on WAN.

https://docs.opnsense.org/manual/how-tos/carp.html#configuring-carp-for-ipv6

A different way could also be to use an NDP proxy that masks the client identity for you by pretending it is the only client, but that wont work with prefix delegation.

https://docs.opnsense.org/manual/ndp-proxy-go.html#high-availability


#5
26.1, 26.4 Series / IPV6 with Orange Belgium - wro...
Last post by jbernardo - Today at 08:58:23 AM
Hello,
I found out that I can get IPV6 with Orange Belgium - if I set their router to bridge mode and let my router (in this case opnsense) handle it. Seems that Orange.BE has DHCPV6-PD, and in my case with a /56 delegation size.
I set it up, can see from /tmp/vtnet0_prefixv6 that it is assigning a 2a01:xxxx:xxxx:xxxx::/56 prefix, so I configure the WAN DHCPV6 as in the "WAN DHCPV6 settings" image.
However, opnsense is using, for the WAN, a different prefix and delegation size, as you can see on the "Interfaces overview censored" image. It is pushing the "correct" prefix to the LAN, but with an incorrect delegation size.
What am I missing here, why is opnsense insisting on this fe80:/64?

And checking from the shell, default IPV6 routing is also going to this wrong prefix and ping v6 doesn't work.
# netstat -nr6 | grep default
default                           fe80::1%vtnet0                UG           vtnet0

I am using this script for carp on a single wan ip, as Orange will only assign one ip to a single mac address behind the bridge. I have cloned the mac between both opnsense instances and carp works. I don't see anything on that script that could interfere with DHCPV6, but have included that info for completeness.
#6
General Discussion / Re: Postfix message_size_limit
Last post by JeanMitchell - Today at 07:28:43 AM
Yeah, this confused me the first time I noticed it too. It's basically one of those old "computer storage math" leftovers where vendors mixed binary and decimal calculations together. Postfix inherited that convention years ago, so 51,200,000 bytes ended up being treated as the practical "50 MB" default even though it's technically neither pure MiB nor pure MB.

Not the cleanest convention, but pretty common in older software and storage-related tooling.
#7
General Discussion / P2P gaming between two compute...
Last post by fornax - Today at 06:59:27 AM
Hi all. I recently replaced my basic home wifi router with an OPNSense box. Things went mostly smoothly, but I quickly found out that certain online multiplayer games that use a P2P model (particularly GTA Online) were not happy. After a bit of research, I made a static port NAT rule for our two gaming computers and set up os-upnp, and that seemed to work. Both are able to play online simultaneously with other players, but the one thing we can't do is actually play together. When either of us attempts to join the other, it fails with a generic "Unable to connect to session".

In our setup, our ISP's provided router gives out private addresses (10.0.0.x), so that's what OPNSense's WAN interface gets. This is the same situation as the previous wifi router, which worked fine, so I know this is possible without changing the ISP router. I'm still fairly new getting into the nuts and bolts of NAT (and UPnP), so I'm not really sure how to troubleshoot this. I can say though that if one of us connects directly to the ISP router (bypassing OPNSense), we're able to play together successfully. Obviously that's not ideal.

The first of the two things I've changed is switching Outbound NAT to Hybrid and adding a rule for each machine:
Interface: WAN
Source: 192.168.1.x/32
NAT Address: WAN address
Static Port: Yes

The second thing was installing and configuring os-upnp (miniupnpd). Here's /var/etc/miniupnpd.conf. Note that the ext_allow_private_ipv4 line was added manually (and the service restarted) since it's not available in the UI. I think this was the last change that made online play work initially.

ext_ifname=igc1
ext_allow_private_ipv4=yes
http_port=2189
listening_ip=vlan06
ext_perform_stun=allow-filtered
ext_stun_host=stun.l.google.com
ext_stun_port=19302
secure_mode=yes
pcp_allow_thirdparty=no
ipv6_disable=yes
presentation_url=https://192.168.1.1/
friendly_name=OPNsense UPnP IGD & PCP
uuid=<uuid>
serial=60732055
model_number=26.1.8_5
allow 1024-65535 192.168.1.<x>/32 1024-65535
allow 1024-65535 192.168.1.<y>/32 1024-65535
deny 1-65535 0.0.0.0/0 1-65535
enable_upnp=yes
enable_pcp_pmp=yes
force_igd_desc_v1=yes
lease_file=/var/run/miniupnpd.leases
lease_file6=/var/run/miniupnpd.leases-ipv6

I haven't manually added any firewall rules for this. The only rules outside of the built-in rules for this internal interface are to drop IPv6, allow full access to the internet, and allow DNS, DHCP, and NTP to the OPNSense interface. If anyone can point me in a direction, it would be greatly appreciated.
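The miniupnpd.conf above ends in a short allow/deny ACL, and the easiest way to confirm that the UPnP exposure is limited to the two gaming hosts is to evaluate that ACL offline. The following is an added example, not code from the poster or from the os-upnp plugin: it parses the permission lines out of a constructed config modelled on the one above (with made-up host addresses 192.168.1.10 and .11 in place of the redacted ones), decides whether a given mapping request would be allowed, and flags common weak ACLs. It assumes miniupnpd's documented rule format, `allow|deny ext_port[-range] ip/mask int_port[-range]`, and that the first matching rule wins, with no match treated as deny here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the miniupnpd.conf posted above (host
# addresses are made up; key=value options are kept to show they are skipped).
SAMPLE_CONF = """\
ext_ifname=igc1
ext_allow_private_ipv4=yes
secure_mode=yes
allow 1024-65535 192.168.1.10/32 1024-65535
allow 1024-65535 192.168.1.11/32 1024-65535
deny 1-65535 0.0.0.0/0 1-65535
enable_upnp=yes
"""

# allow|deny <ext_port>[-<ext_port>] <ip>/<mask> <int_port>[-<int_port>]
_RULE_RE = re.compile(
    r"^(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?\s*$"
)


@dataclass
class Rule:
    action: str
    ext_lo: int
    ext_hi: int
    network: ipaddress.IPv4Network
    int_lo: int
    int_hi: int

    def matches(self, ext_port, int_ip, int_port):
        return (self.ext_lo <= ext_port <= self.ext_hi
                and int_ip in self.network
                and self.int_lo <= int_port <= self.int_hi)


def parse_rules(conf_text):
    """Extract the ACL rules, in file order, ignoring option lines and comments."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue  # key=value settings are not permission rules
        action, elo, ehi, cidr, ilo, ihi = m.groups()
        rules.append(Rule(action, int(elo), int(ehi or elo),
                          ipaddress.ip_network(cidr, strict=False),
                          int(ilo), int(ihi or ilo)))
    return rules


def evaluate(rules, ext_port, int_ip, int_port):
    """Return 'allow' or 'deny' for a mapping request ext_port -> int_ip:int_port.

    Assumption: the first matching rule decides; no match is treated as deny.
    """
    ip = ipaddress.ip_address(int_ip)
    for rule in rules:
        if rule.matches(ext_port, ip, int_port):
            return rule.action
    return "deny"


def audit(rules):
    """Flag ACL shapes that hand out more exposure than a gaming setup needs."""
    findings = []
    if not rules or rules[-1].action != "deny" or rules[-1].network.prefixlen != 0:
        findings.append("no catch-all deny as the last rule")
    for i, rule in enumerate(rules, start=1):
        if rule.action == "allow" and rule.network.prefixlen == 0:
            findings.append(f"rule {i} allows any internal host")
        if rule.action == "allow" and rule.ext_lo < 1024:
            findings.append(f"rule {i} allows privileged external ports")
    return findings


if __name__ == "__main__":
    acl = parse_rules(SAMPLE_CONF)
    for req in [(6672, "192.168.1.10", 6672), (6672, "192.168.1.50", 6672)]:
        print(req, "->", evaluate(acl, *req))
    print("findings:", audit(acl) or "none")
```

Running it against the sample shows a request from one of the two listed hosts being allowed and one from any other LAN host being denied by the trailing catch-all, which is the intended shape; a config missing that final deny, or allowing 0.0.0.0/0, shows up in the audit output.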
#8
26.1, 26.4 Series / Captive Portal access to firew...
Last post by JamesL - Today at 01:46:30 AM
OpnSense 26.1 on Dell Precision 3420 Core i5 7th Gen, 12GB Ram.
Our guest network firewall rules include a daily schedule to prevent parking lot use after hours.
The captive portal JavaScript includes a copy of the current schedule, but it will be easier to maintain if the firewall could be queried to get the current days values for a specified schedule.
Is this information already available or easy to make available (I didn't see it in the documentation)?
I haven't determined yet how to download the opnSense source modules, and will need to sufficiently learn the language (python?) to attempt implementing something myself.
Thanks
#9
Thanks, I've taken Unbound out of the system for now while I get to the bottom of my issue, but if DHCPRenew are non interrupting then this may not have any connection to OP's issue & don't want to hijack their thread
#10
26.1, 26.4 Series / Unbound restarting on interfac...
Last post by HerkomerKlamm - Today at 12:35:17 AM
My Unbound is restarting frequently, even every 15 seconds under heavy load. This is being caused--I believe--by my WAN interface flapping. That is a separate issue I am trying furiously to resolve, but in the meantime I am trying to get Unbound not to restart with every WAN flap.

I have seen in previous forum posts that this can be caused by having DHCP registration enabled in Unbound. I do not have it enabled. I have also seen that it can be caused by having specific interfaces specified for Unbound to listen on. I did have this set, but on seeing the recommendation to use the recommended setting of 'all' (no specific interfaces set), I configured it that way. But the problem persists.

Any other ideas why Unbound is repeatedly restarting?