Recent posts

#1
26.1 Series / TOTP + YubiKey: Local + TOTP t...
Last post by opnessense - Today at 06:12:02 AM
Hi,

I'm trying to enable TOTP 2FA for the admin user on the GUI using a YubiKey (Yubico Authenticator on Windows), but the Local + TOTP tester almost always fails with "Authentication failed." Once it worked, but every attempt after that has failed.

Environment

OPNsense version: 26.1.4

Authentication servers (GUI): Local Database and Local + TOTP

TOTP server:

Type: Local + Timebased One Time Password

Token length: 6

Time window: 2 (also tried empty)

Reverse token order: unchecked (also tested checked)

User / token

User: admin

OTP seed generated in GUI (System → Access → Users → admin → OTP seed, "Generate new secret" + Save)

Enrolled via QR code into YubiKey Authenticator on Windows

TOTP code: 6 digits

Time

Timezone: Europe/Rome

NTP enabled with pool servers

date on the firewall matches PC time (≤ 1–2 seconds drift)

Problem

admin can log in with username + password (via Local Database).

In System → Access → Tester:

Server: Local + TOTP

User: admin

Password: adminPassword + 6‑digit TOTP (also tried TOTP+password with reverse order)

Result: almost always "Authentication failed."

It did work once (tester accepted the credentials and showed a success), but all attempts before and after that were "Authentication failed."

What I already tried

Regenerated the admin OTP seed multiple times and saved.

Deleted and re‑added the account in YubiKey Authenticator using the new QR code each time.

Rebooted the firewall.

Restarted the webgui service under System → Diagnostics → Services.

Checked System Logs: I only see some lighttpd errors like php-fastcgi.socket-X: Connection refused, but nothing clearly related to TOTP or authentication failures.

Question

Are there any known issues with Local + TOTP + YubiKey on 26.1.4, or extra logs/debug options I can enable to see why the TOTP is rejected? The fact that the tester worked once and then never again makes me think of some state/bug rather than a simple time or password format issue.

Thanks.
#2
Hardware and Performance / Re: DEC3920 / DEC3940 / DEC396...
Last post by pfry - Today at 04:27:46 AM
Hm. Either the Ryzen 8840U/8845HS or the Epyc 2435. I'd guess the latter, but it's just a guess. Not likely an Intel, as it'd be hard to find a model with 8 homogeneous cores.

It has a stat for Wireguard: 4.23Gbps/410kpps, which seems low, but it's not something I've tested. "Threat Protection" is 7.93Gbps/700kpps. IPS software is not specified. Also not something I've tested.

What kind of performance are you looking for?
#3
26.1 Series / Re: Feature Request: FIDO2 / W...
Last post by opnessense - Today at 03:59:42 AM
You're right that not everyone needs this level of MFA, but not everyone can or wants to pay 100+ USD per year for BE and run an external IdP just to get modern WebAuthn on a single homelab/SMB firewall.

For many users that workaround is simply not realistic. From a technical perspective, WebAuthn/FIDO2 is today's standard for phishing‑resistant authentication and is being widely deployed via passkeys and security keys, so having it as an optional method in core (alongside passwords and TOTP) would let people who already rely on hardware‑backed auth elsewhere bring OPNsense up to the same security level, without forcing any change on those who don't need it.

Out of curiosity, sopex8260 could you elaborate a bit on why you feel hardware keys "don't make sense anymore" today, given the current push towards WebAuthn/passkeys in most major platforms?
#4
26.1 Series / Re: Just updated - hangs on bo...
Last post by nero355 - Today at 03:13:18 AM
I have read about the bootloader being too outdated to accept new versions of OPNsense when the original first install of OPNsense was done a very long time ago.

Does that perhaps apply to your situation?

If so, you can read about the update procedure here: https://forum.opnsense.org/index.php?topic=29304.0
I think this is the latest topic about the subject, but I could be wrong !!
So read it very carefully and decide what to do yourself based on the situation you are in !!
#5
General Discussion / Re: internal DNS issues
Last post by Mpegger - Today at 02:55:05 AM
Unbound should handle all external name lookups. Unbound should pass all internal lookups to DNSmasq. As suggested, do not use ISC as it will eventually be dropped. This is the setup I have come up with after gleaning over many articles, guides, and posts, over a long time trying to get my DNS resolution to work as I want it to on my network. It is a mixed IPv4/IPv6 setup that uses the typical 192.168.1.1, only a single LAN network segment (no VLANS either), as well as IPv6 GUA addresses as my ISP supplies a dynamic /56 IPv6 prefix. I also use 2 Pihole servers in my setup, but I will leave that part out to not complicate the setup. If you or anyone else wants I can include Pihole in the mix in another post.

Starting with Unbound:

General:
  Listen Port: 53
  Network Interfaces: Lan (Check all interfaces you want Unbound to listen on. Leave those you don't want it to listen to unchecked)
  Enable DNSSEC Support: (If you are going to use DNSSEC with a DNS server that supports it, check it)
  DHCP Domain Override: lan.internal (.internal is the only current top level local domain name for LAN use by ICANN, and is recognized by many modern apps to *not* be used in the WAN. You can add in whatever you want before .internal as your LAN FQDN. System > Settings > General > Domain: should also match)
  Register DHCP Static Mappings: Checked

Overrides:
  I do not use overrides as DNSmasq can take care of that for local LAN systems.

Advanced:
  Private Domains: lan.internal (Enter your domain)
  Rebind protection networks: (Add in any local LAN networks you are using that are not already entered here by default)
  Insecure Domains: lan.internal (Enter your domain if you are using DNSSEC)

Access List:
  Default Action: Allow (unless you have multiple networks being served up by different DNS daemons, leave at Allow to let Unbound respond to all network segments it's listening on, as configured earlier. There is no need for any entries when set to Allow)

Query Forwarding:
  Use System Nameservers: Unchecked (We are going to use DNSmasq for local DNS FQDN resolution)
    Add a new server entry:
      Domain: lan.internal (what you used earlier)
      Server IP: 192.168.1.1 (The LAN IP address of your Opnsense)
      Server Port: 53053 (this is the port we will use to contact DNSmasq. Do not use 5353 as often suggested. I forget the exact reason, but there's another established service out there that uses that port. You can of course use whatever port you want, just make sure it's not a commonly used port)
    Add another new server entry:
      Domain: 1.168.192.in-addr.arpa (this entry will perform reverse lookups for your LAN addresses)
      Server IP: 192.168.1.1 (same as before)
      Server Port: 53053 (same as before)


Now onto DNSmasq:
General:
  Interface: LAN (As with Unbound, check all interfaces you want Unbound to listen on. Leave those you don't want it to listen to unchecked)
  Listen Port: 53053 (same as what you used in previous settings)
  No hosts lookup: Checked
  Query DNS servers sequentially: Unchecked
  Require domain: Checked (I have it checked because I always use FQDN, but even then I can still nslookup a name without domain and receive the IP address)
  Do not forward to system defined DNS servers: Checked (since DNSmasq is used only for Local LAN lookups, we check this)
  Do not forward private reverse lookups: Checked (same as above)
  DHCP FQDN: Checked (this will register system names obtained through DHCP requests)
  DHCP default domain: lan.internal (enter your LAN FQDN)
  DHCP local domain: Checked
  DHCP authoritative: Checked
  DHCP register firewall rules: Checked (I don't fully understand what rules are added or needed, so I leave it checked)
  Router advertisements: Checked (because I do use dynamic IPv6 on my network)

Domains:
  Nothing needed here

Skip to DHCP ranges:
Add a new entry:
  Interface: LAN (I only have 1 LAN segment, if you have multiple and you want DNSmasq to serve as the DHCP on each segment, you will need to make additional server entries)
  Start address: 192.168.1.10 (where to start handing out IPv4 address in your DHCP range)
  End address: 192.168.1.200 (where to end)
  Domain: lan.internal (enter your LAN FQDN)
If using IPv6 and you want to assign a DHCP range for IPv6, add another entry:
  Interface: LAN
  Start address: ::a:b:c:1000 (again, I have a dynamic IPv6 prefix address assigned to me by my ISP, so this would be where I enter the remaining bits to assign to local clients)
  End address: ::a:b:c:9000
  Constructor: LAN
  RA mode: slaac, ra-names (this will allow clients to obtain their own IPv6 address via SLAAC [like Android devices], as well as being able to assign a fixed IPv6 GUA address to those clients that support that feature. The mode will depend on how you are assigned IPv6 by your ISP)
  Domain: lan.internal (you know the drill, enter your LAN FQDN)

DHCP options:
Add a new entry: (This will tell the DHCP client the IPv4 address of your DNS server(s))
  Interface: LAN
  Type: Set
  Option: dns-server [6]
  Option6: None
  Value: 192.168.1.1 (In my setup, I have the IP addresses of my Pihole servers set here)
  Force: Checked

I have IPv6, so I add another entry:
  Interface: LAN
  Type: Set
  Option: None
  Option6: dns-server [23]
  Value: fe80::1 (Use the IPv6 address that starts with fe80: for your LAN interface. Link Local Addresses (LLA, fe80:) don't change unless the network hardware itself changes as it's derived from the MAC address, and will work in mixed IPv4, IPv6 networks)
  Force: Checked

Now back to DHCP Hosts tab:
The DHCP Hosts tab is where you will enter any and every device on your network that you want to assign a FQDN for your local LAN, and fixed IP address, be it IPv4, or GUA IPv6 with the assigned prefix from your ISP. These IP addresses you assign do not have to be in the DHCP range(s) you defined earlier. You can also define devices that don't use DHCP, but have a fixed IP address and you want to assign a FQDN to them. For instance, my Opnsense firewall has an entry for it for the FQDN, IPv4 and internal Link Local IPv6 address it can be reached at. CNAME and Alias records can also be defined in this section.

When dealing with IPv6, be aware that not every device will support being assigned an IPv6 address via DHCP. You can easily tell what devices can be assigned an IPv6 address by allowing the device to connect via DHCP and in the 'DNSmasq > Leases' window you can look for the device's IPv6 address, and the DUID that you need to use to assign an IPv6 address via DHCP will be there as well. Devices that only support SLAAC (like Android) will not show up in the 'Leases' window, and cannot be assigned a fixed IPv6 GUA address.

Those devices that do not need a fixed IP or FQDN of any kind you do not need to define here, as they will just grab a random IPv4 and/or IPv6 address according to your DHCP ranges setting. Those devices that request a DHCP address can also report to DNSmasq their device name, and DNSmasq will register that name as a FQDN that can be used just like any other fixed entry you yourself added.

With this setup, all local FQDN lookups will stay within Opnsense, and will be resolvable via DNSmasq. Any other lookups will go out to the net via Unbound. You will only need to maintain 1 set of entries for your LAN devices via DNSmasq, and not have to use Unbound for overrides.
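
An added example that models the forwarding decision this setup produces; it is written for this thread and is not the poster's configuration or Unbound/dnsmasq code. The local domain and each local reverse zone are mapped to dnsmasq on 192.168.1.1:53053 (the post's values, reused as constructed input), and every other name goes to the upstream resolver. It goes a little beyond the post by deriving the reverse zone name for any prefix, including an IPv6 GUA prefix, so the "1.168.192.in-addr.arpa" entry can be reproduced for a different LAN, and by matching on label boundaries so a name such as "notlan.internal" is not mistaken for the local domain. Zone names, addresses and the example prefix 2001:db8:abcd:1200::/56 are assumptions, not values from the page.

```python
import ipaddress

# Constructed values mirroring the post: the LAN domain, the LAN prefix and the
# address:port on which dnsmasq listens for the forwarded local queries.
LOCAL_DOMAIN = "lan.internal"
LOCAL_NETWORKS = ["192.168.1.0/24"]      # add your IPv6 GUA prefix here as well
DNSMASQ = ("192.168.1.1", 53053)


def reverse_zone(network):
    """Return the in-addr.arpa / ip6.arpa zone covering a whole prefix.

    Reverse zones cut on octet (IPv4) or nibble (IPv6) boundaries; a prefix that
    does not sit on such a boundary is mapped to the enclosing zone, which
    forwards a little more reverse space than strictly needed.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        unit, suffix = 8, "in-addr.arpa"
        labels = str(net.network_address).split(".")
    else:
        unit, suffix = 4, "ip6.arpa"
        labels = list(net.network_address.exploded.replace(":", ""))
    keep = net.prefixlen // unit          # whole labels fixed by the prefix
    if keep == 0:
        raise ValueError("prefix shorter than one reverse label: %s" % network)
    return ".".join(reversed(labels[:keep])) + "." + suffix


def forward_zones(local_domain, local_networks, target):
    """Build the 'domain -> server' table the post enters under Query
    Forwarding: the LAN domain plus one reverse zone per local prefix."""
    zones = {local_domain.lower(): target}
    for net in local_networks:
        zones[reverse_zone(net)] = target
    return zones


def resolver_for(qname, zones):
    """Pick the forward target for a query name. The longest matching zone
    wins; a name is inside a zone only on a label boundary. None means the
    query is not local and goes to the upstream resolver."""
    name = qname.rstrip(".").lower()
    match = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if match is None or len(zone) > len(match):
                match = zone
    return zones[match] if match else None


def reverse_name(address):
    """Query name a client sends for a PTR lookup of one host address."""
    return ipaddress.ip_address(address).reverse_pointer


if __name__ == "__main__":
    zones = forward_zones(LOCAL_DOMAIN, LOCAL_NETWORKS, DNSMASQ)
    for zone, target in zones.items():
        print("forward %-28s -> %s:%d" % (zone, *target))
    print("IPv6 GUA prefix example:", reverse_zone("2001:db8:abcd:1200::/56"))
    for q in ["nas.lan.internal", reverse_name("192.168.1.50"),
              "notlan.internal", "example.com", reverse_name("10.0.0.5")]:
        print("%-28s -> %s" % (q, resolver_for(q, zones) or "upstream"))
```

A quick way to use it: put your own domain and prefixes in the two constants, and the printed table is the set of Query Forwarding entries needed so that both forward and reverse lookups for the LAN reach dnsmasq while everything else still resolves through Unbound.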
#6
26.1 Series / Re: Upgrade to 26.1.3 - my fir...
Last post by nero355 - Today at 02:22:55 AM
Quote from: drosophila on March 12, 2026, 03:25:24 AM
On my system /var/log is written to as root:
-rw-r--r--  1 root  wheel  255345 Mar 11 23:13 messages
Hmm... OK... bad example then I guess... d0h!

Quote
The only safeguard against this filling up the drive is to put /var on its own fs, which is how it's done here.
On the OPNsense box, /var/log is mounted as tmpfs (running a -nano image, may be different on others).
I think the other images don't have that because it's only the nano image that has the minimized writes to storage config.
#7
General Discussion / Re: internal DNS issues
Last post by donee - Today at 02:14:52 AM
I don't want to do manual overrides, just like I don't want to manually IP each client with its own IP address. It is just way too much work. That is why I use DHCP and DNS so they do the work for me.
I just want opnsense to automatically add anything that is in
Services: Dnsmasq DNS & DHCP: Leases
IP and hostname to be added to DNS
#8
Does anyone know what CPU is in the DEC3920 / DEC3940 / DEC3960 series? Why the OPNsense product page never states this is annoying. Trying to figure out how well it would do WireGuard and Zenarmor; my guess is terrible, otherwise they would publish the specs.
#9
Hardware and Performance / Re: DEC750 NVMe thermal pad?
Last post by OPNenthu - Today at 01:39:47 AM
These videos show a DEC740 taken apart (same channel):

https://www.youtube.com/watch?v=v86V-E70RKA
https://www.youtube.com/watch?v=jl23_mrM7cQ

Not sure if it's the same dimensions exactly as the 750 but at least some more angles you can look at.
#10
Hardware and Performance / Re: DEC750 NVMe thermal pad?
Last post by foxxx0 - Today at 01:27:53 AM
Quote from: patient0 on March 13, 2026, 09:08:27 PM
Are you using a RJ45 module in one of the 10G SFP+? The NVME sits behind the SFP+ ports and got warm/hot when I did test RJ45 modules.

Nope, just a passive DAC SFP+ cable, so pretty much as low-power as you can go.
I've managed to completely stay away from those SFP+ RJ45 modules, precisely because of that.

Quote from: patient0 on March 13, 2026, 09:08:27 PM
I think the gap between the NVMe and the enclosure is quite substantial but maybe that changed with later models. There was a cutout for the RAM stick and like a pedestal (whatever the correct english word would be) for the CPU, nothing else.

Motherboard on the shop website:
https://shop.opnsense.com/dec700-series-opnsense-desktop-security-appliance/
https://shop.opnsense.com/wp-content/uploads/2021/11/NetBoard-A10_Gen.3_P1.0-CN_2021-Nov-08_03-52-59PM-000_CustomizedView15531474162.png

Update: four photos under https://kupper.org/OPNsense-DEC740/ . Open the images in a separate tab/window for the bigger size. And I'm very much not a web guy, so sorry about that.

Thank you so much for the detailed high-res photos. That finally gives some insight.

Based on these I might try to fit a thin m.2 heatsink onto the NVMe, I've got a couple different ones lying around somewhere^tm. The gap does indeed look way too big for just a thermal pad.

At least I have something to go off of and if I do indeed find a different case-heatsink-design in my DEC750 I'll just have to adapt.

Quote from: pfry on March 13, 2026, 02:27:44 PM
Quote from: foxxx0 on March 13, 2026, 10:15:11 AM
[...]I'm kinda hoping I could just purchase a thermal pad of the necessary thickness (guessing somewhere between 0.5-3mm) to improve the NVMe temperature.[...]

Some things to consider:
  • Thermal pad will be better than air;
  • ...But contact/pressure is important, and M.2 boards are worthless/weak and generally unsupported;
  • The controller is the major power consumer, so your focus should be on it;
  • Be aware of component height - I have M.2 SSDs where the controller is .25mm lower than surrounding components, a critical but hard-to-see issue.

You'll want a dead soft pad. I'd recommend getting a few and seeing what you can work with. Ideally you can trial the thing (such that you can directly view contact) or take an impression (via, say, very soft clay) to try to see how applying pressure to the controller will flex the board. Some motherboards use medium foam supports under the board, but sourcing something like that might be tough. On one of my tiny ARMs I had to trial several pads and thicknesses to find one that didn't simply flex the board such that the controller surface was no longer parallel to the opposite surface, resulting in limited contact. Foam pads are garbage from a thermal standpoint, but may be better from a physical standpoint.

Good hints, thanks for that. If necessary I'll try to fit some (foam) padding underneath the NVMe to prevent its PCB from bending (i.e. between the NVMe and the mainboard).
Given the pictures above, I might have to just go for a low-profile off the shelf m.2 heatsink instead though.