Recent posts

#11
General Discussion / Re: Client IPv6 temporary addr...
Last post by OPNenthu - Today at 03:42:42 AM
I think I can mark this as solved now since we identified the interactions causing this.

In the intervening time I have both migrated to Dnsmasq for RAs and also switched my primary OS from Windows 10 to Linux for other reasons.  The temporary address generation is more reliable in this setup as well.

@meyergru thank you especially for your time spent on this, diagnosing and knowledge sharing.  It's been educational and helpful.


```
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:xx:xx:xx:xx:cd brd ff:ff:ff:ff:ff:ff
    inet 172.21.30.100/24 brd 172.21.30.255 scope global dynamic noprefixroute br0
       valid_lft 51379sec preferred_lft 51379sec
    inet6 2601:xx:xxxx:xxxx:12bc:31e7:4009:dbf8/64 scope global temporary dynamic
       valid_lft 86374sec preferred_lft 84986sec
    inet6 2601:xx:xxxx:xxxx:2d05:986c:b8ac:af49/64 scope global temporary deprecated dynamic
       valid_lft 86374sec preferred_lft 0sec
    inet6 2601:xx:xxxx:xxxx:ce0e:4b9d:e4a5:5477/64 scope global temporary deprecated dynamic
       valid_lft 86374sec preferred_lft 0sec
    inet6 2601:xx:xxxx:xxxx:4c75:f80c:5f80:db72/64 scope global temporary deprecated dynamic
       valid_lft 86374sec preferred_lft 0sec
    inet6 2601:xx:xxxx:xxxx:604:6861:6145:ff83/64 scope global temporary deprecated dynamic
       valid_lft 86374sec preferred_lft 0sec
    inet6 2601:xx:xxxx:xxxx:8af4:2fd2:493f:3684/64 scope global temporary deprecated dynamic
       valid_lft 86374sec preferred_lft 0sec
    inet6 2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:9dca/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86374sec preferred_lft 86374sec
    inet6 fe80::dc69:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
#12
25.7, 25.10 Series / Re: Intermittent WAN Drops w/ ...
Last post by letsief - October 21, 2025, 11:24:02 PM
I switched ntopng to only run on the LAN interface, so the WAN doesn't end up in promiscuous mode. It seems to be working for now. We'll see if it creates other problems, though, on the LAN side.
#13
25.7, 25.10 Series / Revisiting "Firewall: Diagnost...
Last post by pfry - October 21, 2025, 10:31:54 PM
A search on this topic came up with a number of threads, but no resolution (that I saw offhand). I can induce this behavior myself by adding or deleting rules; this does not seem to cover all of the posted cases (it persists through the life of the session only). I really have one question: Are these dialogs scheduled for rewrite/revision? I don't see anything obvious in the roadmap; I didn't dig through GitHub. I won't bother poking at them if they're going to be obsolete soon (or if I missed a resolution).
#14
25.7, 25.10 Series / Re: Intermittent WAN Drops w/ ...
Last post by letsief - October 21, 2025, 10:17:26 PM
Things were running stable after I disabled ntopng. Turning it back on very quickly broke the IPv4 stack again.

It seems to be related to ntopng putting the interface in promiscuous mode.
https://github.com/opnsense/core/issues/7478

Not sure if there is any way to work around this problem.
#15
General Discussion / Business Edition and License b...
Last post by seroal - October 21, 2025, 09:53:02 PM
Hi there,

I'm wondering how the Business Edition works with regard to the binding/association of that license. Can I easily switch the used hardware? Can I also rebuild a system with a fresh install without a backup? I didn't find any documentation about this. Maybe somebody can help out.


Thanks.
Sebastian
#16
25.7, 25.10 Series / Re: Intermittent WAN Drops w/ ...
Last post by letsief - October 21, 2025, 09:47:46 PM
I've been struggling with something similar all day. I'm just setting up OPNsense for the first time (migrating from pfSense), so I've been making a lot of config changes. It seemed like things were working ok yesterday, but the IPv4 stack on my WAN interface keeps breaking. Oddly, IPv6 keeps working fine.

The ntopng angle is interesting. I'm running that too and will try to turn it off. I was running that yesterday without problems, but I've been playing around with the ntopng config today. HAProxy, too.

One interesting thing I've observed is running `dhclient igc0` fixes it, but only for another ~15 minutes.

I'm running OPNsense on an N305 box with I226-V NICs, too, but on bare metal.
#17
25.7, 25.10 Series / Re: OPNcentral – Disable autom...
Last post by Monviech (Cedrik) - October 21, 2025, 09:28:00 PM
Hello, it would be best if you add an issue here:

https://github.com/opnsense/core/issues
#18
German - Deutsch / Re: [SOLVED] DynamicDNS, Hetzn...
Last post by Patrick M. Hausen - October 21, 2025, 09:17:11 PM
I also run my own ACME-DNS server here, though of course I have static addresses too. After all, I built the FreeBSD port.
#19
German - Deutsch / Re: [SOLVED] DynamicDNS, Hetzn...
Last post by meyergru - October 21, 2025, 09:15:39 PM
Well, I'm not going to wait out the drama either and am simply setting static aliases on _acme-challenge for all domains.

If Hetzner can't keep its APIs stable and causes problems like this, I have to do something anyway, by mid-May at the latest, as Hetzner now says, because that is when the old console and API die.

So if I have to change something anyway, I don't want to put it off and will go straight to something sensible, in my case my own DDNS (there I know what I've got).
#20
25.7, 25.10 Series / OPNcentral – Disable automatic...
Last post by ews - October 21, 2025, 08:28:27 PM
Hello everyone,

We are using OPNsense Business 25.10 with the OPNcentral module enabled and would like to adjust the current login behavior when accessing managed hosts.

At the moment, when clicking on a host in OPNcentral, an automatic WebGUI login is performed using the API user credentials stored in OPNcentral.
We would like to disable this automatic login, so that instead the regular login dialog (OpenID Connect / Keycloak) appears.
The goal is to ensure that all administrative access is authenticated through our central Identity Provider and properly logged for auditing purposes.

OpenID integration already works reliably on the individual firewalls.
However, within OPNcentral we cannot find any option to disable the automatic login or switch to OpenID-based authentication.

So our questions are:

Is there any way (e.g. via a configctl opncentral.* parameter or configuration setting) to disable automatic WebGUI login via OPNcentral?

Alternatively, can OPNcentral be configured to always show the regular OpenID login when accessing a managed host?

Thanks in advance for any advice or workaround!
Christian