Recent posts

#1
Have the domain name point to your external IP address and use a reverse proxy like Caddy for access and TLS/SSL termination. Works from the inside (LAN) just as well.

If it's not HTTP or HTTPS but some other service, still have the DNS point to the external address only and use NAT reflection for your internal clients.

Split-DNS, while originally a good idea, leads to a very complicated setup for services that are supposed to be both public and private. Just settle with a single IP address for all.
#2
26.1 Series / Identity Association IPv6 mode...
Last post by tgurr - January 29, 2026, 11:50:48 PM
Quote: To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups. Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

I'm trying to figure out what I have to change in my setup related to the statements above. When it was first mentioned that ISC-DHCP will be deprecated I already moved my stuff over to using "Dnsmasq DNS & DHCP", like the DHCP ranges for my home and guest VLANs as well as the reservations / host overrides. So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin; so far so good, things still appear to work as intended. However, when trying to change the "IPv6 Configuration Type" in either my home or guest VLAN/interface from "Track Interface (legacy)" to the new "Identity association" and trying to save the changes I get an error message:

Quote: The following input errors were detected:

The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.

which makes me wonder what the actual problem is, since "Track Interface (legacy)" works without any issue. Is it because I use "Dnsmasq DNS & DHCP"? I can't seem to find an option to do what I'm instructed to by "disable the DHCPv6 Server service on this interface first", like only using Dnsmasq DNS & DHCP for IPv4, as there was for ISC-DHCP and probably also is for Kea with its two separate Kea DHCPv4 & Kea DHCPv6 services to enable/disable. But that would somehow contradict the statement of

Quote: [...] to allow better interoperability with Kea and Dnsmasq setups


On another more or less unrelated note, some parts of the release notes are harder to read/understand for me than they maybe could be, for example:

Quote: One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

"the upstream software": which one? Supposedly Dnsmasq? Why not call it by its name?
"Use another DHCPv6 server in this case": when Dnsmasq doesn't work in this case and Kea is the new alternative to the now deprecated ISC-DHCP, why not just write "Use Kea DHCPv6" in this case? Or doesn't Kea work here as well, or are there too many other alternatives to mention them?

And another thing I was kind of scared about: because the talk is all about DHCP and IPv6, I was afraid that removing the ISC plugin would also remove the option for the WAN interface to select "DHCPv6" in its "IPv6 Configuration Type" option, so a small mention that it doesn't touch that part and/or that they're completely unrelated and this option will stay would've probably been reassuring as well.
#3
26.1 Series / Re: Let's talk firewall rule o...
Last post by Seimus - January 29, 2026, 11:46:16 PM
Indeed the sequence order in the groups sets the order of those group rules when inherited into an Interface.

And you are right, it's not mentioned in the docs, just slightly hinted at in
https://docs.opnsense.org/manual/how-tos/security-zones.html#setup-interface-groups

I have several groups created, because I look at them as policies, and policies are inherited into Interfaces (I look at them as Zones). So when you do groups it's necessary to consider the sequence order because of

Quote: groups use 300000
This means 300000 + the sequence number in groups

https://docs.opnsense.org/manual/how-tos/security-zones.html#setup-interface-groups

At least that was my interpretation when doing the design.

Regards,
S.
#4
25.7, 25.10 Series / Using the same FQDN both inter...
Last post by adv - January 29, 2026, 11:34:22 PM
I have a domain name, example.com.  I want to use it both on my LAN and on the Internet to access my OPNsense router.  I read a few how-to articles and set it up but it is not working.  Tried a few things but failed.  I need some help.

1. External access question: example.com is pointing to public static IP of OPNsense router.  Let's Encrypt example.com certificate is installed on router and also includes an alternate name of example.dyndns.org.  I have example.dyndns.org listed in "Alternate Hostnames" under System > Settings > Administration and it works fine to access the router. But example.com gives me "A potential DNS Rebind attack has been detected." error.  I have example.com listed as the Domain under System > Settings > General so shouldn't it work?  Plus, we have the certificate for it.  Am I missing something?

2. Internal access question: We have 4 VLANs, vl10, vl20, vl30, and vl40 using Dnsmasq for DHCP and DNS over TLS in Unbound in the standard configuration (I think) that is described in the OPNsense Manual here:
https://docs.opnsense.org/manual/dnsmasq.html#

We have query forwarding setup in Unbound for 4 zones with:
-Domain = vl10.example.com, vl20.example.com, etc
-Server IP = 127.0.0.1
-Server Port = 53053
Plus, reverse of:
-Domain = 168.192.in-addr.arpa
-Server IP = 127.0.0.1
-Server Port = 53053

Dnsmasq has 4 Ranges set to:
-Interface = vl10, vl20, etc.
-IPs = 192.168.10.2 to 192.168.10.255, 192.168.20.2 to 192.168.20.255, etc.
-Domain = vl10.example.com, vl20.example.com, etc.

My clients are getting DHCP leases on vl10 just fine.  Problem is that a client then cannot ping itself via client1.vl10.example.com.  Error says it could not be found.  But clients CAN ping themselves via their IP addresses.  Also, the log in Unbound is set to Level 2 but it is empty.

The example in the Manual that I followed is for setting up using a different private internal domain name; lan.internal and there was a short note that if a public domain name was to be used instead then we could create a zone that is not used on the Internet, like lan.internal.example.com.  I used vl10.example.com so is that a problem?  Must the ".internal" be included?

Also, until a few days ago before I had the query forwarding setup I had xxx.internal entered as the Domain under System > Settings > General and all clients on the VLAN were seeing each other.  Now they cannot see each other.  Not sure if that is of help in diagnosing.

Anyone see any other possible solutions to get the resolution and/or VLANs to work?


#5
26.1 Series / Re: Let's talk firewall rule o...
Last post by meyergru - January 29, 2026, 11:18:22 PM
Quote from: Patrick M. Hausen on January 29, 2026, 10:17:52 PM: *phew* What a rabbit hole :-)

I wonder what percentage of people can still follow what we are talking about here... ;-)

Yet, I had only the typical "Block RESTRICTED to local networks" and "Allow any to internet" rules in the RESTRICTED group, which I switched out for explicit interface rules at some point. Unless you have a large number of VLANs, it seemed more explicit that way to me.
#6
German - Deutsch / Re: "Sicheres" betreiben eines...
Last post by phil435345 - January 29, 2026, 10:35:16 PM
All clear, now I know. Thanks again for all the input, it's really worth its weight in gold! :)
#7
25.7, 25.10 Series / Re: Dnsmasq stops occasionally
Last post by franco - January 29, 2026, 10:33:49 PM
How about testing Dnsmasq 2.92 instead?

# opnsense-revert -z dnsmasq

if this is no workie you can go back to the latest with

# opnsense-revert dnsmasq


Cheers,
Franco
#8
25.7, 25.10 Series / Re: Dnsmasq stops occasionally
Last post by ligand - January 29, 2026, 10:32:20 PM
I sent Simon the information.  And for fun I asked Claude to take a stab... Below is its analysis:

Analysis Complete

Your dnsmasq memory issue is caused by unbounded DHCP lease tracking combined with a high volume of client activity. Here's what's happening:

The Problem

Over 16.6 hours, your dnsmasq process grew from 9.8 MB to 208 MB (a 2,017% increase). This steady growth at ~11.9 MB/hour is driven by:
355 unique MAC addresses generating continuous DHCP traffic, with dnsmasq storing lease history for:

- Both IPv4 and IPv6 addresses (dual-stack)
- Lease renewals and hostname resolution attempts
- 123 IP addresses being reused across multiple MACs

The cache is configured at size 10000, but dnsmasq doesn't automatically expire old DHCP lease data from memory, causing indefinite accumulation.

Key Contributors

- High client volume: 355 unique devices is substantial for a home network
- Peak activity spikes: 103-114 unique MACs active at 6 AM
- Hostname conflict: Your mac-mini-server generates 740 warnings/day due to IPv6 address mismatch (DHCP trying to assign ::1863 while static entry uses ::bbc2)

Recommended Fix Priority

Immediate (today):
1. Restart dnsmasq to clear memory
2. Fix the mac-mini-server IPv6 conflict in your static host entries

Short-term (this week):
3. Monitor memory post-restart to confirm the pattern repeats
4. Enable dhcp-leasefile to persist leases to disk instead of RAM

Long-term:
5. Set up weekly automated dnsmasq restart via cron
6. Review your 355 MAC addresses - are they all legitimate/active devices?
7. Consider reducing cache-size if you don't need 10000 DNS entries
8. If the issue persists, consider dedicated DHCP server software
This is a known behavior with dnsmasq under high DHCP load rather than a bug - it simply needs periodic restarts or better lease file management.
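As an added example (not part of the thread and not dnsmasq's own code), a small Python parser that derives the kind of figures quoted in the analysis above (unique MACs, IPs handed to more than one MAC, busiest hour) from dnsmasq's syslog DHCPACK lines. The log lines, interface name and hostnames are constructed sample data, not from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq DHCP syslog lines (dnsmasq-dhcp DHCPACK /
# DHCPDISCOVER format); not taken from the thread.
SAMPLE_LOG = """\
Jan 29 06:00:01 fw dnsmasq-dhcp[1234]: DHCPACK(igb1) 192.168.1.19 aa:bb:cc:00:00:01 nas
Jan 29 06:00:05 fw dnsmasq-dhcp[1234]: DHCPACK(igb1) 192.168.1.20 aa:bb:cc:00:00:02 phone
Jan 29 06:01:10 fw dnsmasq-dhcp[1234]: DHCPACK(igb1) 192.168.1.21 aa:bb:cc:00:00:03 laptop
Jan 29 07:30:00 fw dnsmasq-dhcp[1234]: DHCPACK(igb1) 192.168.1.20 aa:bb:cc:00:00:04 tablet
Jan 29 07:45:00 fw dnsmasq-dhcp[1234]: DHCPACK(igb1) 192.168.1.19 aa:bb:cc:00:00:01 nas
Jan 29 07:50:00 fw dnsmasq-dhcp[1234]: DHCPDISCOVER(igb1) aa:bb:cc:00:00:05
"""

# Only DHCPACK lines carry a committed lease (IP + MAC); other message types are skipped.
ACK_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


def parse_acks(text):
    """Yield (hour, ip, mac, hostname-or-None) for every DHCPACK line."""
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            yield int(m["hour"]), m["ip"], m["mac"], m["host"]


def summarize(text):
    """Count unique clients, IPs leased to several MACs, and the busiest hour."""
    macs = set()
    ip_to_macs = defaultdict(set)
    macs_per_hour = defaultdict(set)
    for hour, ip, mac, _host in parse_acks(text):
        macs.add(mac)
        ip_to_macs[ip].add(mac)
        macs_per_hour[hour].add(mac)
    # An IP seen with more than one MAC means the lease was reused (or a conflict).
    reused = {ip: sorted(ms) for ip, ms in ip_to_macs.items() if len(ms) > 1}
    peak_hour, peak = max(((h, len(s)) for h, s in macs_per_hour.items()),
                          key=lambda t: t[1], default=(None, 0))
    return {"unique_macs": len(macs), "reused_ips": reused,
            "peak_hour": peak_hour, "peak_active": peak}
```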
#9
26.1 Series / Re: MiniUPNPD
Last post by Marius_ - January 29, 2026, 10:18:02 PM
Hi,

It worked perfectly fine on 25.7.11 before upgrade... :)

I got the same errors... After upgrade.

2026-01-29T22:10:40 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T22:10:40 Error miniupnpd Failed to add NAT-PMP 28159 TCP->192.168.1.19:32400 'NAT-PMP 28159 TCP'
2026-01-29T22:10:40 Error miniupnpd ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
2026-01-29T22:10:40 Error miniupnpd pfctl_get_rules_info: Invalid argument

#10
26.1 Series / Re: Let's talk firewall rule o...
Last post by Patrick M. Hausen - January 29, 2026, 10:17:52 PM
Quote from: meyergru on January 29, 2026, 10:14:21 PM: Look under Firewall: Groups, the interface group have an assigned "sequence" which I believe to determine the order.

I never noticed this exists. Bummer! Thanks!

They are both set to 0 - so it's alphabetical or order of creation or whatever, but at least now I know how to force a specific order.

EDIT:

I could not find that in the docs - lowest number wins. All automatic groups (IPsec, OpenVPN, WireGuard) are set to 10 by default, all user created ones to 0.

If I set "Internal" to 1 and "Restricted" to 2, outbound SMTP is still blocked, if I change "Internal" to 3, it's allowed.

*phew* What a rabbit hole :-)