Recent posts

#1

General Discussion / Dnsmasq reservations - "fqdn w...

Last post by Mpegger - Today at 01:14:35 AM

I'm in the process of switching from ISC to Dnsmasq and was reading through the OPNsense manual site again to make sure I'm sure configuring everything correctly when I came across this note under Dnsmasq DNS reservations:

A dynamic range like 192.168.1.100-192.168.1.199 and a reservation like 192.168.1.101 are valid and there will be no collisions.

The reservation can also be outside the dynamic range, but it is not recommended for simple setups as the dynamic dns registration with dhcp-fqdn will not work correctly.

If I understand this correctly, setting a reservation outside of the dynamic range will result in the FQDN of the reservation not working (not resolving)? Is this correct?

I've always setup those systems that require a fixed static IP (Proxmox for example) and static IP reservations via DHCP, seperate from the range that I used for dynamic assignments. I've always worked under the assumption since my early internet days, that setting a DHCP reservation in the dymanic range might result in collisions, for instance if the system that would normally recieve a fixed DHCP reservation wasn't on the network and a different system got assigned that particular IP address. I get that a modern setup like OPNsense should be "smart" enough to prevent that, but not having the FQDN resolve would be an issue. Can anyone confirm this? If its true and problems can occur, I'd have to redo how I have my IPs assigned on my LAN all over again.

#2

German - Deutsch / Re: Welches DSL-Modem für VDSL...

Last post by k0ns0l3 - Today at 01:01:47 AM

Modem ist 10.10.10.111

#3

26.1 Series / Re: [SOLVED] Upgrade in situ "...

Last post by fbantgat7 - Today at 12:27:32 AM

So just to be sure :

After logging into your OPNsense via SSH and after succesfull outcome of the procedure the file integrity of the system should be restored to safely enough reboot into the latest version ?

If so : NICE!!! :)

Yes, the opnsense-bootstrap script uninstalls all packages and re-installs them afresh.  You can select the major release branch to install, or can select snapshot mode to install from the latest development branch.  The process is pretty much automated and quite sleek.  :-)

The alternative would be to perform a fresh install, reformatting the drive.  I was about to do this, just as Franco pointed out to the opnsense-bootstrap handy tool.

#4

26.1 Series / Multi-WAN and "arpresolve: can...

Last post by demyers - February 08, 2026, 11:52:57 PM

I've been using Multi-WAN for failover via Policy Routing and Gateway Groups on 25.7.X. After upgrading directly from 25.7.11 to 26.1.1, the system log fills with "arpresolve: can't allocate llinfo for %d.%d.%d.%d" errors for the primary (lowest tier) WAN interface. Multi-WAN still appears to work, but the messages continue to be generated. This is before attempting to migrate to the new Rules interface. Rebooting does not help. I've rolled back to a 25.7.11 snapshot and all works as before.

So something must have changed in 26.1. Suggestions?

Thanks!

#5

26.1 Series / Re: kea IPv4 re-arranged Missi...

Last post by LisaMT - February 08, 2026, 11:51:22 PM

Found part of the problem:  If I searched IP reservations for ESP The entries showed up.  But they were not listed in the table unless I searched for them.  This explains why they kept getting their old reservations.

Once I found them by searching reservations, I was able to change them to their new IP addresses and NOW they do show up in the normal list.

Address 200 still is lost out there somewhere.  But that address IS in the pool.  Pool entries don't seem to show on the leases list.
Bug in the kea lease listing.

#6

26.1 Series / Re: kea IPv4 re-arranged Missi...

Last post by LisaMT - February 08, 2026, 11:32:58 PM

Modified 3 more of the IOT devices, and they still come up with their old IP addresses with nothing showing in the Kea leases.

As you can see, the devices are working, and the one on 200 is just a second IP for a device that has two ports. 

Code Select Expand

[lisa@Legion-Pro-5 ~]$ nmap 192.168.10.90-254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-08 15:25 MST
Nmap scan report for ESP8266-5.flack.net (192.168.10.93)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-5.flack.net (192.168.10.93) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-7.flack.net (192.168.10.94)
Host is up (0.038s latency).
All 1000 scanned ports on ESP8266-7.flack.net (192.168.10.94) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for ESP8266-8.flack.net (192.168.10.95)
Host is up (0.0066s latency).
All 1000 scanned ports on ESP8266-8.flack.net (192.168.10.95) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.10.200
Host is up (0.0049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 165 IP addresses (4 hosts up) scanned in 140.01 seconds
[lisa@Legion-Pro-5 ~]$

#7

26.1 Series / Re: Kea + Subnets: Seeking hel...

Last post by hakuna - February 08, 2026, 11:24:09 PM

... so if 'vv' is 20 then it's on VLAN20 - just makes it easy to remember.... Keeps everything memorable.

I am so keeping things easy.
On a high-level, this is my humble home network but remember, as you might have noticed, I am newbie when it comes to networking haha:

• Sophos SG210v3: OPNSense latest, WireGuard for my GrapheneOS phone when out, all the traffic goes via the VPN
• Lenovo miniPC01: Proxmox: Pi-Hole + Unbound recursive DNS01
• Lenovo miniPC02: Proxmox: Pi-Hole + Unbound recursive DNS02
• Netgear SG110: Dumb 16x ports switch: Working on its replacement
• ASUS RT-AX53U: Dumb OpenWRT AccessPoint, it provides radio only, OPNSense does everything, enforces everything with firewall

I haven't looked into IPv6 yet, for what I am running, IPv4 + mDNS is working fine.
Will look into it once I have a proper network in place, mine as it stands is a mess (1 subnet with everything)

Thanks a lot :)

[HINT :]

#8

26.1 Series / Re: HELP NEEDED: unbound doesn...

Last post by nero355 - February 08, 2026, 10:52:59 PM

Today, I have re-installed my firewall.

What will I need to change so that the CNAME will be resolved?

Read the documentation carefully : https://docs.opnsense.org/manual/dnsmasq.html

HINT : Your Unbound probably does not know about DNSmasqd at this point!

While migrating my static host entries I added some alias and cname records. However they don't resolve.

Please also check the above :)

DNSmasq has always given me issues.  I only run unbound and it resolves everything on my network.  For duplicates (like multiple names for a server), I just put an entry in Unbound/overrides.

NOFI but IMHO nothing but User Error probably :)

#9

General Discussion / Unbound logs: One hosts contin...

Last post by octopus42 - February 08, 2026, 10:51:51 PM

Hey everyone, just happened to open the logs for Unbound, and noticed for only one of my connected systems I continually see the following:

Code Select Expand

error: read (in tcp initial): Connection reset by peer for 192.168.20.X port #
The port changes with every logged item. And the IP logged is actually the ip of the system I'm connecting to the webui with but what's defined on a separate vlan. So I'm connecting over 192.168.10.X but what logged is the ip defined for the 192.168.20.X vlan on the same system.

I don't see any connectivity issues. What does this error mean? I should note\, this seems to get logged even when I'm not connected to the webui

#10

26.1 Series / Re: IPv6, unbound, dns flag da...

Last post by nero355 - February 08, 2026, 10:39:09 PM

So I thought I should set
edns-buffer-size: 1232
msg-buffer-size: 8192

but had trouble figuring out how to inject these values. Eventually for a test I just edited config /var/unbound/unbound.conf directly and sent a SIGHUP.

Still the error. Then checking the unbound docs at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html it seems as if the default for edns-buffer-size and max-udp-size is already 1232 - as an outcome from DNS flag day. Yet it doesn't seem this way

Has anyone figured out this can of worms?

For what it's worth =>

My DNS setup is Pi-Hole + Unbound and this setting is there for many years now :

Code Select Expand

# Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232So you should definitely include it in your configuration file :)

The above is a small part of the configuration shown here : https://docs.pi-hole.net/guides/dns/unbound/