Recent posts

#21

25.7, 25.10 Series / Re: ISC deprecation issues

Last post by Patrick M. Hausen - January 19, 2026, 07:50:19 PM

ISC DHCPv6 gives wan routable ipv6 from my ISP [...] to other devices

SLAAC can do that without any DHCP present at all.

#22

25.7, 25.10 Series / Re: OPNSense throwing multiple...

Last post by BigFreddy - January 19, 2026, 07:48:22 PM

I have only ever seen these:

Code Select Expand

ahcicho 0: Timeout on slot 7 port 0
CAM Status: Command Timeout
Retrying command, 2 more tries remain
with dying devices. If I saw that in a new unit I would never put that into production before I had successfully eliminated the cause. Timeouts in the CAM subsystem must not happen. If they do, something is broken. Never ignore them.

What do you mean by "vanilla" and "backwards compatible"? Save the configuration from your current unit, fix the hardware, install the very same version, restore configuration ...

Thanks, good to know what the mentioned error codes mean, I guess you really do learn something new every day haha. Once I replace the drive, I will check dmesg again but hopefully it will be fine. I must have gotten a unit with a faulty SSD and haven't realised it, it's been running fine for a long time but it became more severe recently. Thanks for helping me with the diagnosis of the issue, it's very much appreciated.

The firmware health audit can probably confirm?

Not sure if there is one, I already ordered a replacement so will replace and see how it goes. Hopefully the reboot will be instant compared to the current one where it takes quite a while to reboot.

This thread can be closed now, thanks all for your help.

#23

General Discussion / Re: Strange WiFi issue

Last post by suur13 - January 19, 2026, 07:48:00 PM

I was able to solve my main issue with Chromecast by enableing "Allow intra-BSS communication", but connecting to BubbleUPnP still gives error that I want to connect from WAN. Yes I could allow Wan settings from Bubble, but do not want (due security).
What OPNSense does block/filter that connecting via its internal Wifi makes one service in LAN to think that I'm trying to connect from WAN ?

#24

25.7, 25.10 Series / Re: ISC deprecation issues

Last post by stanthewizzard - January 19, 2026, 07:44:48 PM

every server inside the lan (homelab) has a statiq IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.

But then, why / how do you rely on ISC DHCPv6?

I can see only two things it could provide: routeable IPv6 addresses, which can be handed out via SLAAC as well and leases and/or reservations which allow to use internal DNS names (which you say you do not use).

Frankly, I do not get what you are missing.

Oupsi
yes you are right
and it's on purpose (internal dns for exemple with no wan rights)

then ISC DHCPv6 gives wan routable ipv6 from my ISP (2 servers are ban from being contacted from the outside world) to other devices (iphones windows mac etc)

[CSRF check failed. Your form session may have expired, or you may not have cookies enabled.]

#25

25.7, 25.10 Series / CSRF Check

Last post by spetrillo - January 19, 2026, 07:35:44 PM

Hello all,

Ever since I upgraded to 25.7.11 I am getting the following when I login:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

I have rebooted OPNsense but it does not fix this. What is this about?

Thanks,
Steve

#26

German - Deutsch / Re: Anfänger und sorry --- bek...

Last post by Orion1984 - January 19, 2026, 07:35:32 PM

Hast du ein WAN-GW (IP-Adresse der Fritzbox) eingetragen?

Wie konnte das denn passieren. Man sollte das nicht mal eben so nebenbei versuchen.

Und ja, das WAN-Gateway (wahrscheinlich 192.168.178.1) fehlt. Das wäre alles korrekt, wenn Du auf dem WAN nicht Static IP, sondern DHCPv4 eingestellt hättest.

Vielleicht liest Du mal dies: https://forum.opnsense.org/index.php?topic=39556

Den Post für Dummies hatte ich zugegebenermaßen nicht sehr ausführlich gelesen.

Nachdem ich den Gateway nun richtig konfiguriert habe, konnte ich auf 25.7.11 upgraden.
Der Zugang zum Internet bleibt mir noch verwehrt, da muss ich morgen Mittag nochmal ran.
Werde mich bestimmt nochmal dazu melden.

Bis hierher sage ich aber schonmal DANKE.

#27

25.7, 25.10 Series / Re: ISC deprecation issues

Last post by meyergru - January 19, 2026, 07:25:10 PM

every server inside the lan (homelab) has a statiq IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.

But then, why / how do you rely on ISC DHCPv6?

I can see only two things it could provide: routeable IPv6 addresses, which can be handed out via SLAAC as well and leases and/or reservations which allow to use internal DNS names (which you say you do not use).

Frankly, I do not get what you are missing.

#28

German - Deutsch / Re: Anfänger und sorry --- bek...

Last post by meyergru - January 19, 2026, 07:15:10 PM

Du kannst in Interfaces->Overview sehen, welche Interfaces online sind. Bei diesem Router-behind-Router-Setup benötigst Du Outbound NAT, wenn Du von "hinter" der OpnSense Internet-Zugriff haben willst. Und ja, das WAN-Gateway (wahrscheinlich 192.168.178.1) fehlt. Das wäre alles korrekt, wenn Du auf dem WAN nicht Static IP, sondern DHCPv4 eingestellt hättest.

Vielleicht liest Du mal dies: https://forum.opnsense.org/index.php?topic=39556

#29

25.7, 25.10 Series / Re: ISC deprecation issues

Last post by stanthewizzard - January 19, 2026, 07:14:33 PM

If you have a changing prefix use dnsmasq for dhcpv6, it can construct from a partial prefix:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

Thank you :)
Already looked at it but I don't need dnsmasqu at all. Overkill for DHCP only ?

#30

25.7, 25.10 Series / Re: ISC deprecation issues

Last post by stanthewizzard - January 19, 2026, 07:13:54 PM

There is a problem with your approach with ISC DHCPv6 as well: The prefix change will potentially go unnoticed for as long as your lease time, because your clients will use the old prefix for as long.

With dynamic IPv6 prefixes, you basically have two choices:

a. Use SLAAC in "assisted" mode, where DHCPv6 only supplies the DNS server (besides RDNSS) - if at all, because DNSv4 is sufficient to supply both IPv4 and IPv6 resolution. This is the safest/easiest approach and shown here. Any local traffic is done via IPv4, such that you do not need DHCPv6 to supply specific IPv6 to your devices in order to adress those in DNS.

b. If you need to have fixed IPv6, you will need to use some adresses on top of GUA that you can use for internal DNS purposes. Keep in mind that LUA will probably not work, because it is prioritized lower than even IPv4. Still, you can use any unused IPv6 prefix.

every server inside the lan (homelab) has a statiq IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

Not a single failure for ages but I do rely on ISC DHCPv6

thanks