Recent posts

#21
General Discussion / Re: Seeking advice for first G...
Last post by Seldon - Today at 06:38:58 PM
@coffeecup25 My router, which is no more than a mini PC with an added Ethernet port, needs VLANs because of only one LAN Ethernet port. I haven't had any instabilities so far with the VLANs (fingers crossed), I'm curious what causes that.
#22
The DNS servers in the general settings are the ones the OPNsense uses for its own DNS requests.

In Dnsmasq create a DHCP option containing the DNS server instead.
#23
25.7, 25.10 Series / Pi-hole -> Unbound. Clients no...
Last post by glenb2 - Today at 06:14:46 PM
I have tried updating the dns server in the general settings to specify my pi-hole instance, but my dhcp clients are still receiving the default gateway ip for dns instead of my pihole ip. If I specify the pihole ip on the client, it will go to pihole and work normally.

I seem to remember this was a simple setting when using ISC, but I'm not absolutely clear how to do it now with Dnsmasq. I was under the impression the dns servers under the general settings would be sent to DHCP clients. Is DNS forwarding the way to do this? I'm sure I'm missing something simple. There is nothing complex about my setup.

Since the upgrade from ISC, I have just used the Unbound blocklists but want the pi-hole dashboard now for metrics.
#24
High availability / Re: Connectivity from a HA sec...
Last post by crlt - Today at 06:12:12 PM
Quote from: crlt on December 06, 2025, 07:17:46 AM
I suspect the cause is that routes are added before the wireguard site-to-site tunnel is ready.

Actually, now I believe the cause is something to do with the failed node giving an improper route, because this does not happen when FRR is set to only be active on the master node, and even then the wireguard tunnel usually takes a minute to come back up.
#25
25.7, 25.10 Series / vtnet offloading since 25.7.8
Last post by grind - Today at 04:51:36 PM
I'm running opnsense in a virtualized env and was aware about the problems that the vtnet driver had. Now that this is fixed in freebsd core and the patches have found their way into opnsense since 25.7.8, I'm not sure, why hw.vtnet.csum_disable="1" is still present in loader.conf. Shouldn't this go away now?
#26
General Discussion / Re: Seeking advice for first G...
Last post by meyergru - Today at 04:30:45 PM
Quote from: Seldon on Today at 03:07:53 AM
I have to access the WAN net because I'm behind another NAT unfortunately. Should the Admin Aliases to Firewall be placed in the Floating, or are they best left specifically for the Admin VLAN rules?

If they are really VLAN-specific, they do not need to be in the floating rules. As I said, I put everything there that I need to have for many VLANs or things that must override inbound NAT rules. Those with "pass" rules are evaluated before any interface-specific rules, so they must be done in the floating rules. As an example, when you want geoblocking on WAN, you may have to do that in the floating rules, because otherwise, your forwarded ports will not be protected.
#27
General Discussion / Re: Unbound strange behavior
Last post by ricksense - Today at 04:08:02 PM
Quote from: OPNenthu on Today at 09:25:44 AM
The release notes for 25.7.8 have an important note:

https://forum.opnsense.org/index.php?topic=49869.0

Quote
The Unbound blocklists feature formerly known as a business feature is now a community feature. Since this required merging both the existing community one with the business one you need to make sure to reapply the blocklist settings after the reboot since it will not generate a new and possibly incompatible format. Make sure to check your automatically migrated settings while at it.

Maybe this is it?

My blocklist is disabled at the moment, if I got what you mean.
Thanks
#28
General Discussion / Re: Seeking advice for first G...
Last post by coffeecup25 - Today at 03:57:11 PM
Just to throw this into the hat: if your router has a spare port, why not put it on a 2nd subnet? Add a new interface, then define the network. Firewall rules are easy. Copy the default rules from LAN to the new subnet and edit accordingly. Then add another one to prevent access to LAN. On LAN, add a rule to prevent access to the new subnet.

That's about it. That's how I have my IOT subnet set up.

I had a switch controlled VLAN once but it was unstable. It took the entire network down to 100mb for no particular reason one day. That prompted the 2nd subnet solution.
#29
General Discussion / Re: Some sites think I live in...
Last post by coffeecup25 - Today at 03:48:51 PM
The comment that suggested the new internet provider got some new numbers that were associated with Canada is probably right.

I signed up for the new Comcast offer mentioned above yesterday. The Canada mismatch has become more than a little annoying. Some sites are hard to get along with now. Comcast made it painless so far. I was with them for over 10 years before, so I expect they should do fine by me again after the install.  The gateway will be set to modem-only mode. Self-Install. Free Peacock Premium for 2 years, too. $15/mo savings with no contract, $50 / month for 1 gb 5 years locked in no data caps. Lucky it came by when it did.
#30
General Discussion / Re: OPNsense can't update.
Last post by coffeecup25 - Today at 03:31:27 PM
Weird, but I fixed it.

I added 1.1.1.1 to Systems / Settings / General / DNS and the update ran perfectly. Prior, I had no DNS entries there, having removed them to see if Unbound was carrying the load.  It updated afterward.

To test if Unbound was working, I removed all DNS sites other than my router:5353; ipconfig on Windows pointed to my router. Everything worked great for weeks like that. That made me assume Unbound was doing everything. The AdGuard Home install instructions also said Unbound was doing all the work.

So, I will put my old DNS entries back on that page and let OPNsense figure out which DNS is in use at any given time. All I really care about is ad blocking.

Thanks for your help.