Recent posts

#21
25.7, 25.10 Series / Re: OPNsense 25.7.8 (amd64) **...
Last post by jim1985 - December 03, 2025, 12:57:17 PM
This occasionally happens to me.

When it does I find a full reboot from SSH fixes it for me.
Have you tried rebooting rather than just reloading the services?
#22
25.7, 25.10 Series / Re: What is the best strategy ...
Last post by meyergru - December 03, 2025, 12:27:47 PM
If your ISP uses dynamic IPv6 prefixes (many do), then you can create a "dynamic IPv6 host" alias using the EUI-64 and the interface it is on.

Of course, with dynamic prefixes, you also need a dynamic DNS service that allows you to use an IPv6 address that is using a predefined EUI-64 part. If it can only register the outbound IPv6, it will only see OPNsense's WAN IPv6, so you must be able to mix in the lower 64 bits if the target IP is not OPNsense itself.

Another way to do this is using a reverse proxy like Caddy, HAProxy or NGINX on OPNsense, in which case the dynamic DNS update gets easier, because OPNsense itself is the target then. When you use that, you do not even have to use IPv6 for your internal web service, plus you do not need a specific firewall rule.
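As an added example (not code from any of the posts above), a small Python helper showing how the lower 64 bits of a predefined EUI-64 interface identifier are combined with a delegated, changing prefix to obtain the address a dynamic DNS record for an internal host should point at. The prefix, subnet index and MAC address are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The lower 64 bits of a SLAAC address stay constant across prefix changes
    as long as the host does not use privacy extensions (RFC 4941).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the OUI and device part, insert 0xFFFE in the middle and flip the
    # universal/local bit (bit 1 of the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def host_address(delegated_prefix: str, subnet_index: int, mac: str) -> ipaddress.IPv6Address:
    """Address of a host in the subnet_index-th /64 carved out of a delegated prefix."""
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=False)
    if delegated.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnets = list(delegated.subnets(new_prefix=64))
    lan = subnets[subnet_index]  # IndexError if the index exceeds the delegation
    return ipaddress.IPv6Address(int(lan.network_address) | eui64_interface_id(mac))


def with_interface_id(observed: str, interface_id: int) -> ipaddress.IPv6Address:
    """Keep the upper 64 bits (the current prefix) of an observed address and
    swap in a fixed interface identifier, i.e. "mix in the lower 64 bits"."""
    upper = (int(ipaddress.IPv6Address(observed)) >> 64) << 64
    return ipaddress.IPv6Address(upper | interface_id)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix, third internal /64, sample MAC.
    iid = eui64_interface_id("00:11:22:33:44:55")
    print(host_address("2001:db8:abcd:100::/56", 2, "00:11:22:33:44:55"))
    print(with_interface_id("2001:db8:abcd:102::1", iid))
```

If the internal host uses privacy extensions or DHCPv6, its interface identifier is not the EUI-64 and this calculation does not apply.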
#23
25.7, 25.10 Series / Re: What is the best strategy ...
Last post by gunnarf - December 03, 2025, 12:18:59 PM
I must have chosen something wrong when I tried to make an alias, because it didn't like IPv6 addresses. Now it works. Thanks!
#24
25.7, 25.10 Series / Re: What is the best strategy ...
Last post by Patrick M. Hausen - December 03, 2025, 12:05:57 PM
A host alias takes an IPv6 address and you can then easily create a rule on WAN like:

direction: in
protocol: IPv6, TCP
source: any
destination: your web server alias
destination port: 443
action: allow

That's all. Works splendidly.
#25
25.7, 25.10 Series / (SOLVED) What is the best strat...
Last post by gunnarf - December 03, 2025, 12:00:33 PM
This is a small personal network. My ISP earlier let me get an IPv4 address that was routed, so I could reach my web server from the internet. I got a new address recently (standard good IPv4 address via DHCP) and it is not routed. However, I can reach my server with IPv6 (tried ping).

What is the best strategy to let traffic in to the web server (only 443) via IPv6? I tried to make a rule and point out the server's IPv6 address, but in the alias section there is no such possibility; it doesn't like IPv6 addresses. So what do I do?

The IPv6 address span is a /56 that I get from my ISP, and I give it out to four separate networks inside.
#26
25.7, 25.10 Series / Re: Feature Request: DNS-01 Su...
Last post by Zwiebelhacker - December 03, 2025, 11:42:05 AM
Thanks for the fast reply!
OK, that makes sense. I'll go ahead and try using the regular ACME plugin together with OPNWAF as you suggested.

Thanks again!
#27
German - Deutsch / Re: IPv6: Clients lose co...
Last post by bamf - December 03, 2025, 11:36:28 AM
Quick follow-up on this topic: since the DSLAM line reset the problem has completely disappeared. Everything has been working flawlessly again since July.

The problem was obviously on Telekom's side and not on mine.
#28
Development and Code Review / Re: Delete one firewall rule o...
Last post by Monviech (Cedrik) - December 03, 2025, 11:31:03 AM
Very nice, thank you for confirming first. If it's not easily reproducible it would be quite hard to track.
#29
Development and Code Review / Re: Delete one firewall rule o...
Last post by patient0 - December 03, 2025, 11:27:51 AM
Quote from: Monviech (Cedrik) on December 03, 2025, 11:18:00 AM
I have never heard of this behavior before, it is quite strange. Are you confident it is a bug and can be reproduced?

If yes can you open a GitHub ticket, and also share the config.xml file that you used?

Thank you Cedrik, in the current configuration I can reproduce it, yes. But I'll reset the config and try to replicate it with a minimal configuration. If it still does happen, I'll open a GH ticket and add the config.xml to the ticket.

Otherwise I'll have to dig deep :).
#30
25.7, 25.10 Series / Re: Feature Request: DNS-01 Su...
Last post by Monviech (Cedrik) - December 03, 2025, 11:27:33 AM
Hello, DNS-01 validation requires a huge mixed bag of external DNS providers who all have different APIs and requirements.

Implementing such a subsystem into OPNWAF is just not great from a technical perspective.

I can give you the perfect example of how it went in Caddy (which I also maintain for OPNsense): it once had around 50+ different DNS providers, all with specific configuration; now it's all gone (well, except in my own branch on GitHub, but in the OPNsense branch only Cloudflare is left now).

So for OPNWAF (on which I also develop), this would go the same; it's pretty much unmaintainable without having a dedicated project all around it. Which is exactly what the acme.sh script is.

You can use the ACME plugin together with OPNWAF: just let it write the certificates and use them in OPNWAF. Also, create an automation in the ACME plugin to restart OPNWAF on changes.

https://github.com/opnsense/plugins/issues/4996