Recent posts

#1
General Discussion / Dnsmasq help: how to suppress ...
Last post by OPNenthu - Today at 11:08:46 AM
I'm trying an experiment to assign both GUA and ULA ranges in Dnsmasq, but to logically separate them with DHCP tags.  The idea is to let clients auto-configure IPs on both ranges, one for stable internal IPv6 networking, and one for internet access.  Since I have a dynamic ISP prefix, I want to exclude any DNS assignment on the GUA range and offer only a ULA address for Unbound in Dnsmasq RAs (RDNSS).

As per the Dnsmasq manual, we should be able to override the default option which sets the OPNsense interface address as the DNS by setting the option with an empty value:

Quote:
-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
...
An option without data is valid, and includes just the option without data. (There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally provides default values can be omitted by defining the option with no data. These are netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4 --dhcp-option = option:router will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.

So I tried this:

On each of my VLANs I used a tagged 'xGUA' range with the interface constructor (constructor=LAN) and a second tagged 'xULA' range with the ULA that I defined in VIP configs (constructor=None).

Then in DHCP options I offered the OPNsense ULA address as the DNS on the 'xULA' range and I overrode the DNS with a blank value for the 'xGUA' range, as the manual says I can do.

What works:

- The SLAAC addressing is fine.  Clients are configuring themselves with IPs on both ranges.

What fails:

- Clients are still getting the OPNsense GUA interface address as the IPv6 DNS.

$ ip a
...
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether <redacted> brd ff:ff:ff:ff:ff:ff
    inet 172.21.30.100/24 brd 172.21.30.255 scope global dynamic noprefixroute enp6s0
       valid_lft 86248sec preferred_lft 86248sec
    inet6 fd7b:1236:9970:1003:e717:cc84:66e1:d8f3/64 scope global temporary dynamic
       valid_lft 86357sec preferred_lft 85901sec
    inet6 fd7b:1236:9970:1003:44df:603e:214c:824f/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86357sec preferred_lft 86357sec
    inet6 26xx:xx:xxxx:3163:a54b:860e:9bf9:3109/64 scope global temporary dynamic
       valid_lft 86357sec preferred_lft 85901sec
    inet6 26xx:xx:xxxx:3163:xxxx:xxxx:xxxx:xxx/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86357sec preferred_lft 86357sec
    inet6 fe80::xxxx:xxxx:xxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

$ resolvectl status
Current DNS Server: 172.21.30.1
       DNS Servers: 172.21.30.1 26xx:xx:xxxx:3163::1
        DNS Domain: clear.h1.internal

I expected to see an fd7b:...::1 address here ^.

Anybody know what I missed?
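As an added example (not part of the post above), here is a small Python check that parses `resolvectl status` output and classifies each listed resolver by IPv6 scope, so the "is a GUA address still being handed out as DNS?" question can be answered by a script rather than by eye. The sample output is constructed: the documentation prefix 2001:db8 stands in for the redacted ISP prefix, and the fd7b ULA mirrors the one in the post.

```python
"""Added example: classify the DNS servers reported by `resolvectl status`
by address scope (IPv4 / ULA / GUA / link-local), to confirm whether a
GUA address is still being advertised as a resolver.  Not part of the
original post; the sample output below is constructed."""
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")        # RFC 4193 unique local
GUA = ipaddress.ip_network("2000::/3")        # global unicast
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

LABEL_RE = re.compile(r"^\s*[A-Za-z][A-Za-z ]*:")   # e.g. "DNS Domain:"
SERVERS_RE = re.compile(r"^\s*DNS Servers:\s*(.*)$")


def scope_of(addr: str) -> str:
    """Map one resolver address to a scope name."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    if ip.version == 4:
        return "ipv4"
    if ip in ULA:
        return "ula"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in GUA:
        return "gua"
    return "other"


def parse_resolvectl(text: str) -> list:
    """Collect every address on 'DNS Servers:' lines, including wrapped
    continuation lines that systemd emits when the list is long."""
    servers, in_servers = [], False
    for line in text.splitlines():
        m = SERVERS_RE.match(line)
        if m:
            servers.extend(m.group(1).split())
            in_servers = True
        elif in_servers and line.startswith(" ") and not LABEL_RE.match(line):
            servers.extend(line.split())
        else:
            in_servers = False
    return servers


def check_resolvers(text: str) -> dict:
    """Scope each resolver; 'ok' is True only when at least one IPv6
    resolver is present and none of them is a GUA address."""
    scopes = {s: scope_of(s) for s in parse_resolvectl(text)}
    v6 = [s for s, sc in scopes.items() if sc != "ipv4"]
    gua = [s for s, sc in scopes.items() if sc == "gua"]
    return {"scopes": scopes, "gua_resolvers": gua, "ok": bool(v6) and not gua}


# Constructed sample (2001:db8 replaces the redacted ISP prefix): what the
# poster currently sees, i.e. the GUA interface address is still the resolver.
SAMPLE_GUA = """\
Link 2 (enp6s0)
    Current Scopes: DNS
Current DNS Server: 172.21.30.1
       DNS Servers: 172.21.30.1 2001:db8:0:3163::1
        DNS Domain: clear.h1.internal
"""

# Constructed sample of the intended outcome: only the ULA resolver.
SAMPLE_ULA = SAMPLE_GUA.replace("2001:db8:0:3163::1", "fd7b:1236:9970:1003::1")

if __name__ == "__main__":
    for name, sample in (("current", SAMPLE_GUA), ("intended", SAMPLE_ULA)):
        result = check_resolvers(sample)
        print(name, "OK" if result["ok"] else "GUA resolver present", result["scopes"])
```

Run it with `resolvectl status | python3 check_resolvers.py` style piping after replacing the sample with `sys.stdin.read()`, or simply call `check_resolvers()` on saved output; any entry scoped "gua" is a resolver that will go stale when the ISP prefix changes.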
#2
Good day, everyone!
Please advise!
I could not find the file os-amneziawg-v2.tar on the os-amneziawg GitHub page. I downloaded the ZIP archive via the "Code" -> "Download ZIP" button and unpacked it on OPNsense into the /tmp/os-amneziawg folder.
During installation it reports a repository update error and, accordingly, does not copy the binaries. I tried reinstalling; it does not help.
What could be the cause?

root@hds-firewall:/tmp/os-amneziawg # sh install.sh
============================================================
  os-amneziawg plugin installer
============================================================

  Current version : 2.6.0
  New version    : 2.6.0

  Version 2.6.0 is already installed.
  Reinstall? [y/N] y

==> Pre-check: Verifying pkg integrity...
[OK]  pkg is healthy

==> Step 1: Checking AmneziaWG packages...

  Missing packages detected:
    - amnezia-tools (awg, awg-quick)

  Install from FreeBSD quarterly repo? [Y/n]
[OK]  Temporary FreeBSD quarterly repo configured
[OK]  pkg locked (preventing self-upgrade from quarterly)
Updating FreeBSD-quarterly repository catalogue...
Fetching meta.conf: 100%    179 B  0.2kB/s    00:01
Fetching packagesite.pkg: 100%  10 MiB  5.5MB/s    00:02
Processing entries: 100%
FreeBSD-quarterly repository update completed. 37061 packages processed.
All repositories are up to date.
  Installing amnezia-tools...
Updating FreeBSD-quarterly repository catalogue...
Unable to update repository FreeBSD-quarterly
Error updating repositories!
[WARN] Failed to install amnezia-tools via pkg.
      Try manually: pkg add <URL from pkg.freebsd.org>
[OK]  Temporary FreeBSD repo config removed

[WARN] One or more binaries/modules are still missing.
[WARN] Plugin will be installed but AmneziaWG will NOT start.

==> Step 2: Checking for existing AmneziaWG configuration...
[OK]  No existing configuration found (clean install).

==> Step 3: Installing plugin files...
[OK]  Plugin files installed.

==> Step 4: Restarting configd...
Stopping configd...done
Starting configd.

==> Step 5: Clearing cache...

============================================================
  os-amneziawg v2.6.0 installed!
============================================================
#4
General Discussion / Re: Help needed, LAN to LAN co...
Last post by viragomann - Today at 10:32:46 AM
Your rules allow any IPv4 traffic on both interfaces.
So if both the LAN and LAN2 devices have internet access, they should also be able to access each other.

To investigate the issue, sniff the traffic on both interfaces one by one.
OPNsense has pcap onboard: Interfaces: Diagnostics: Packet Capture

Select LAN2 as the interface and ICMP as the protocol, and start the capture.
Then try to ping a server from a LAN device and display the result after. Don't forget to stop the capture.
You should see the packets going to the server, and if it's all right, response packets from the server to the client.
If there are no responses, there is something wrong with the server's firewall or with its routing table.
If you see responses, run a capture on the LAN to see if they are routed back properly in OPNsense.
#5
Well, there is the "Dynamic IPv6 Host" type in Firewall: Aliases that you can use to identify devices based on their MAC address regardless of which (changing) IPv6 address they use. It does not help with e.g. modern phones, which even obfuscate their MAC address, though.
#6
Zenarmor (Sensei) / os-sunnyvalley plugin install ...
Last post by raczzoltan - Today at 10:19:11 AM
Hello!

My problem is that right after I install the os-sunnyvalley package and try to check for updates, I get an error: "Could not find the repository on the selected mirror" and "repository SunnyValley has no meta file, using default settings". Also, after the package installs, all the other plugins that are not installed are not available until I check for updates. I tried a lot of things: updating through the shell, installing through the command line, changing the mirror, etc.

I tried to solve it, but I did not find any information about this on the internet. Solving it with AI was a dead end as well...

I don't know if it could be a regional thing? I am from Hungary. But I also tried changing regions; that did not help.

Also I'm on the latest version of OPNsense.

I'm new to Zenarmor, and I have been using OPNsense for a while, but I'm not that experienced.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 26.1.6 (amd64) at Fri Apr 17 09:29:21 CEST 2026
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
Updating SunnyValley repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository SunnyValley has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository SunnyValley
Error updating repositories!
***DONE***

#7
26.1, 26.4 Series / Re: What is the best practice ...
Last post by hakuna - Today at 09:11:29 AM
Quote from: Patrick M. Hausen on Today at 08:36:05 AM
Separating clients of different trust levels into different networks, e.g. via VLANs, is common best practice, yes.

Hmm, so I am going to have to speed things up. It has been hard to find managed network switches that do not have locked SFP.

I am a novice in advanced networking, and I assumed that I could set up two subnets from 10.19.0.0/16, but that is not how things work.
In theory, VLANs could also be set up on OPNsense without a managed network switch; although it may be possible, it is not the best practice.

So, reading between the lines, I cannot force OPNsense to solve my problem on its own and do things the right way.

Thanks a lot Patrick
#8
Separating clients of different trust levels into different networks, e.g. via VLANs, is common best practice, yes.
#9
The single page endless scrolling interface of Discourse sucks. Plus there are not even buttons to jump to the first or last post.
#10
Minicom installed via Brew or MacPorts works very reliably.