Recent posts

#21
General Discussion / Re: IPv6 with a static, routed...
Last post by gmwnet - January 09, 2026, 05:38:34 PM
Thank you - appreciate it.  I will investigate those options for us.
#22
25.7, 25.10 Series / Re: ACME Client "Invalid Domai...
Last post by keeka - January 09, 2026, 05:24:21 PM
LE certificates are to be reduced to 45 days in 2028. But there is also a new DNS challenge planned that will be based on a persistent DNS record.
#23
25.7, 25.10 Series / FRR loads with wrong metric on...
Last post by alfrisch - January 09, 2026, 05:11:36 PM
Hi,

we have a HA setup in which we want to have FRR (OSPF) turned on on both master and backup instances, i.e. "Enable CARP Failover" in General settings is disabled. Instead we have "CARP demote" turned on in OSPF settings and set interface costs to 100 in the promoted and 1000 in the demoted state, respectively.

In this setup, we have experienced routing problems with both master and backup appearing as equivalent routes at other routers via OSPF after the OPNsense configuration gets synced every night via the cron job. It turns out that reloading the FRR service also sets the interface costs on the backup instance to wrong values, which shows up in the metric of routes of directly attached interfaces being 100 instead of the expected 1000.

Triggering a CARP switch over fixes the problem as FRR on both master and backup instances will load correct costs again. Also rebooting the backup instances fixes the problem.

Pushing the FRR service reload button or waiting for the next config sync will make the problem appear again.

It seems to us as if the reloading of FRR service does not check the actual CARP state and loads costs for the master setting in any case.

Can anyone confirm this behavior or are we doing something fundamentally wrong with our setup?

We are running OPNsense 25.10.1_2-amd64 and can provide FRR logs if required.

Thanks for your help!
Cheers, Albert
#24
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by chemlud - January 09, 2026, 04:53:49 PM
Folks, balkemueller is the OP. Read it again...

But DNS is the hottest lead, followed by ULA :-D
#25
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by tennents - January 09, 2026, 04:53:20 PM
I think I managed to do something...

First, back up the standard binary:
cp /usr/local/bin/caddy /usr/local/bin/caddy.backup

Download the newly built binary with all the needed modules:

fetch -o /tmp/caddy-custom "https://caddyserver.com/api/download?os=freebsd&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2Fmholt%2Fcaddy-l4&p=github.com%2Fmholt%2Fcaddy-dynamicdns&p=github.com%2Fmholt%2Fcaddy-ratelimit&p=github.com%2Fcaddyserver%2Fntlm-transport&p=github.com%2Fhslatman%2Fcaddy-crowdsec-bouncer&idempotency=26094258780053"

Fix permissions and move it into place:

chmod +x /tmp/caddy-custom
mv /tmp/caddy-custom /usr/local/bin/caddy

Now create a bouncer:
cscli bouncers add caddy-bouncer

Save the API key.

Then I created a .global file in /usr/local/etc/caddy/caddy.d:

order crowdsec before reverse_proxy

crowdsec {
    api_url http://<OPNsense LAPI address>
    api_key <API key of the created bouncer>
    ticker_interval 15s
}

Then I had to add crowdsec in the handler.
Unluckily it is not doable from the GUI, so I had to deactivate all my domains in the GUI and create a .conf file in /usr/local/etc/caddy/caddy.d:

my.domain.com {
        log {
                output file /var/log/caddy/access/b49df191-a08d-4f12-9834-bb15ceb8b3d0.log {
                        roll_keep_for 10d
                }
        }
        tls {
                issuer acme {
                        dns cloudflare <Cloudflare API token>
                }
        }

        handle {
                crowdsec
                reverse_proxy <ip>:<port>
        }
}

It seems to work!

Surely it can be done in a more elegant way...
#26
General Discussion / Re: OPNsense insists that DHCP...
Last post by ewb - January 09, 2026, 04:40:53 PM
Thanks to all above for the additional information about this and the "workaround."
I had the same issue, but it manifested to me as I described here:

Redundant "allow access to DHCPv6 server on LAN" rules

All I can add is that I encountered this after updating the firmware from Release 25.7 to 25.7.10 directly, and had not encountered this in a similar configuration I did under 25.7 and then incrementally upgraded to (now) 25.7.10.
#27
General Discussion / Re: Redundant "allow access t...
Last post by ewb - January 09, 2026, 04:32:01 PM
Turns out that this problem was basically the same as discussed here (posted the next day):

https://forum.opnsense.org/index.php?topic=48181.0

And I followed the workaround described there and voila, the extra 5 firewall rules went away.

The puzzling thing is why did my first setup never have this problem?  It has the IPv6 Configuration type set to None and always has AFAIK.

My suspicion is that the difference was that one was updated incrementally from 25.7 to 25.7.10 whereas this second setup was updated directly from release 25.7 to 25.7.10.
#28
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by Monviech (Cedrik) - January 09, 2026, 04:22:38 PM
Since the scope of the caddy plugin is rather tight now (only cloudflare), a cloudflare bouncer could theoretically be compiled in and made a part of it. Yet I don't want to do it, and each new part makes maintenance harder.

Right now it's so peacefully quiet :)
#29
German - Deutsch / Re: IPV6 von OpnSense lokal ni...
Last post by Zapad - January 09, 2026, 04:14:35 PM
So if I understand correctly, you have ULA on WAN and GUA on the clients and want to ping WAN from the clients!?
#30
General Discussion / Re: Caddy, Cloudflare proxy an...
Last post by Patrick M. Hausen - January 09, 2026, 04:06:30 PM
Ah ... so blocking based on X-Forwarded-For: or similar as received from Cloudflare - get it.