Recent posts

#21
25.7, 25.10 Series / Re: IPv6 erratically broken fr...
Last post by rmayr - January 04, 2026, 11:10:32 PM
The only difference is the rule allowing clients in the Guest net to WAN, all other rules have not been modified. I will keep watching if it seems to work without erratic failures with this broader rule and then try to start narrowing down again (and if that doesn't change anything, start up the backup firewall again).
#22
High availability / Re: HA setup with no WAN CARP ...
Last post by olmari - January 04, 2026, 10:50:39 PM
The one thing I've always wondered is whether the CARP IPs really need to be on the same subnet, or could those be on an "arbitrary" but lone network segment of, say, 192.168.100.1/30 and .2...

I know at my previous job some UXG firewall, also FreeBSD based, got away without needing the interface IPs to be on the same subnet, but sadly I did not investigate how it was achieved...
#23
Documentation and Translation / Re: AdGuard Home setup guide
Last post by Patrick M. Hausen - January 04, 2026, 10:31:00 PM
You need to generate the new password hash offline using the "htpasswd" tool, then log in to your OPNsense via ssh and edit the file "/usr/local/AdGuardHome/AdGuardHome.yaml" replacing the password hash with the one you just generated.

https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
#24
General Discussion / DnsMasq for VLAN
Last post by matt_novacorpdev - January 04, 2026, 10:14:43 PM
I am trying to set up DNSMasq to work on my VLAN, but I can't seem to get it to register. Are there any guides to setting up DNSMasq for VLANs?
#25
Documentation and Translation / Re: AdGuard Home setup guide
Last post by nikkon - January 04, 2026, 10:09:28 PM
hi all,
is there a way I can reset the password for AdGuard?
I've locked myself out due to a bitwarden fuckup
#26
General Discussion / Re: Wireguard requires manual ...
Last post by Monviech (Cedrik) - January 04, 2026, 09:57:50 PM
Quote from: novel on January 03, 2026, 10:37:43 PM
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.

TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.

For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.


There is no selection "system - settings - general and uncheck using the ISP dns servers again if you want".

Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN", then I put the empty line on DNS server 9.9.9.9????

and use gateway?

I upload screenshot



You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.

Also please read the help texts and think about what you are doing, I cannot hand hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client, and a DNS server, what's the difference...)
#27
25.7, 25.10 Series / Re: IPv6 erratically broken fr...
Last post by Monviech (Cedrik) - January 04, 2026, 09:52:35 PM
If that rule works it means something in your ruleset was wrong.

Maybe ICMPv6 was blocked (which is essential for IPv6 to work), or your aliases did not match.

Or Link Local traffic targeting the firewall was blocked.

Or other things, IPv6 is a deep dive sadly.
#28
General Discussion / Re: Experience with externally...
Last post by tdalej - January 04, 2026, 09:51:11 PM
I'd really rather not have to manage the email server.
Not impossible but I'd rather let someone else deal with that bit of it.
And I have been using Yahoo for a long time -- since they first started offering email addresses -- it had almost all of that when I first set up, but as generally happens, enshittification has taken over.
Time to move.

I don't mind paying for the service, just not exorbitant amounts.

I'm starting to look at services (like fastmail) that allow a free period to see the features and support response.
I just went through fastmail and for some reason even though dnschecker.org shows the proper DNS record propagation, fastmail still shows them in an error state.  :/
#29
German - Deutsch / Re: Caddy + ACME Client mit HT...
Last post by Monviech (Cedrik) - January 04, 2026, 09:45:47 PM
- The guide took a lot of time, but nobody gave feedback or improved it. Please help out if things are unclear.

- Multi-domain certificates are not supported, only if they are selected manually. Wildcard is the best alternative; otherwise, with the built-in ACME, they are always single-name.

- HSTS has to be looked up in the Caddy documentation; turning it off is not built into the plugin, if that option even exists, but nobody has ever asked for it either.

- CAs must be selected in the Trust Pool to establish trust for HTTPS to the backend, but I suspected it would be automatic with Let's Encrypt since Caddy already knows those CAs.

- TLS Skip is not the default because the user should preferably use HTTP to the backend (that is the Caddy default). So far there has not been much feedback that it is hard to find.

- The redirect code is currently hardcoded; there has been no feedback so far that other codes are needed.

- Automatic redirect can be turned off in the General Settings (Disable Redirects, where you enter the ACME email).

- TLS versions and ciphers cannot be configured because, from TLS 1.3 on, the Go stdlib deliberately offers no options for that. There are long GitHub discussions about it in the stdlib. The main argument is that you only get it wrong if you configure it yourself.

Phew, I hope I was able to answer everything.

If something is missing for you, help out with feature requests or PRs in opnsense/docs and opnsense/plugins on GitHub.
#30
25.7, 25.10 Series / Re: IPv6 erratically broken fr...
Last post by rmayr - January 04, 2026, 09:38:21 PM
Thanks for the pointers towards debugging options!

I have completely shut down the backup firewall for the time being, just to be certain that CARP is not part of the problem (I didn't expect it based on previous experience, but it's good to be clear). As of a day ago, no host could have received any secondary RAs even if the backup firewall had restarted radvd without my noticing.

I have checked the alias definitions under Firewall -> Diagnostics, and they are all correct. Also, just to be sure, I have added another debugging "pass" rule to the Guest incoming interface from any to any (non-quick, IPv4+6, all protocols, with logging).

At the moment, after manually re-connecting my current Android test client, it seems to work and this debugging firewall rule engages. I will wait and see if it stops again at some point and debug further. So far, if it continues to work, I am still puzzled why this debugging rule might hit but the other one won't match all those packets.