"Recent posts
#21
25.7, 25.10 Series / Re: IGMP Proxy broken after up...
Last post by OPNenthu - Today at 12:34:35 AMHave a look at the "snapshots" feature (a.k.a ZFS boot environments) for future upgrades:
https://docs.opnsense.org/manual/snapshots.html
https://www.youtube.com/watch?v=Z1OX0CKU__U
It doesn't fix broken plugins but it sure can spare a ruined holiday.
https://docs.opnsense.org/manual/snapshots.html
https://www.youtube.com/watch?v=Z1OX0CKU__U
It doesn't fix broken plugins but it sure can spare a ruined holiday.
#22
25.7, 25.10 Series / Re: IGMP Proxy broken after up...
Last post by Shoog - Today at 12:17:46 AMI believe I have a temporary workaround by directing all my network traffic through a dumb switch. Should hopefully get me through Xmas. A bit early to tell if this is a robust solution.
The underlying issue remains though.
The underlying issue remains though.
#23
Hardware and Performance / Re: Adapts to Marvell AQC113C-...
Last post by OPNenthu - Today at 12:06:05 AMSadly, the AQC113 doesn't yet fully behave under Linux either. I got an integrated one with the UGREEN DXP4800+ but it doesn't work with virtual interfaces. I lost connectivity when I tried to bond it in primary/failover with the 2.5GbE interface and it did the same when I tried to add a VLAN in TrueNAS. Some users over at Proxmox report similar things: https://forum.proxmox.com/threads/unable-to-reach-10gbps.148878/
It might work as a physical NIC only without layering, but it seems 10G line rate is not guaranteed.
It might work as a physical NIC only without layering, but it seems 10G line rate is not guaranteed.
#24
Virtual private networks / Re: Unable to stablish first I...
Last post by cookiemonster - December 22, 2025, 11:42:26 PMthanks for the hints @malhal . I'll revisit the thread when ready to have another go. Had to abandon it for the time being.
#25
German - Deutsch / Core Switch zusätzlich als Med...
Last post by MarroniJohny - December 22, 2025, 11:12:36 PMHoi
Hatte in einem anderen Forum schon gefagt diesbezüglich, und ausführlich mit Gemini dazu gechattet.
Gemini meint, kein Problem. Sei sogar von Vorteil, weil ich da im Switch den Status und die Werte vom WAN Link sehe. Die User aus dem anderen Forum sehen das eher skeptisch. Die würden den Switch nicht soweit exponieren. Was meint Ihr zu dem Thema? Auf die Idee bin ich erst heute gekommen, aber nach dem Input von heute tendiere ich immer noch dazu.
Bin ja nicht beratungsresistent, aber freue mich trotzdem über positives Feedback zu dem Plan, den Switch dazu zu nutzen.
Gruss, danke und fröhliche Bescherung
Hatte in einem anderen Forum schon gefagt diesbezüglich, und ausführlich mit Gemini dazu gechattet.
QuoteHabe mir einen Zyxel XS1930-10 als Core Switch geholt. Im Moment brauche ich nur Kupfer, komme von einer opnsense getagged rein. Brauche aber auch nicht alle Kupfer Ports.
Wenn ich den Provider wechsle, muss ich selber die Hardware stellen. Wäre es sinnvoll, statt einem 10 Gbit Mediaconverter den Switch dazu zu verwenden? Also dass ich von der OtO per Glas zum Switch fahre, von da aus weiter mit Kupfer zur Sense? Und dann von der Sense getagged zurück zum Switch für die privaten Netze?
Oder eher dumme Idee?
Gemini meint, kein Problem. Sei sogar von Vorteil, weil ich da im Switch den Status und die Werte vom WAN Link sehe. Die User aus dem anderen Forum sehen das eher skeptisch. Die würden den Switch nicht soweit exponieren. Was meint Ihr zu dem Thema? Auf die Idee bin ich erst heute gekommen, aber nach dem Input von heute tendiere ich immer noch dazu.
Bin ja nicht beratungsresistent, aber freue mich trotzdem über positives Feedback zu dem Plan, den Switch dazu zu nutzen.
Gruss, danke und fröhliche Bescherung
#26
25.7, 25.10 Series / IGMP Proxy broken after upgrad...
Last post by Shoog - December 22, 2025, 11:03:47 PMHi,
I upgraded last night to the latest version 25.7.10
It errored out in the middle of the first upgrade and told me to repeat the process which seemed to complete successfully.
However ever since I have the error
2025-12-22T21:52:35
Warning
igmpproxy
MRT_DEL_MFC; Errno(49): Can't assign requested address
As everyone will be aware IGMP Proxy is essential for correct functioning of multicast sat. signals on the local network and IPTV, and since the upgrade these are now broken on my local network.
Is anyone else experiencing this after the latest upgrade ?
Seems when this has happened previously its not a straightforward fix and can take considerable time for a solution to be rolled out. Really bad timing two days before Xmas.
Stephen
I upgraded last night to the latest version 25.7.10
It errored out in the middle of the first upgrade and told me to repeat the process which seemed to complete successfully.
However ever since I have the error
2025-12-22T21:52:35
Warning
igmpproxy
MRT_DEL_MFC; Errno(49): Can't assign requested address
As everyone will be aware IGMP Proxy is essential for correct functioning of multicast sat. signals on the local network and IPTV, and since the upgrade these are now broken on my local network.
Is anyone else experiencing this after the latest upgrade ?
Seems when this has happened previously its not a straightforward fix and can take considerable time for a solution to be rolled out. Really bad timing two days before Xmas.
Stephen
#27
25.7, 25.10 Series / ACME Client "Invalid Domain" e...
Last post by 300cpilot - December 22, 2025, 10:46:59 PMJust curious if this was fixed From Github bug "ACME client and dns_opnsense.sh broken - "Invalid domain" #4964"
I am running version:
OPNsense 25.7.7_4-amd64
Will update this evening, but am curious if Lets Encrypt made the changes called out in the bug report? Both the cron job and running a cert renew fail. I have created a new API with cloudflare as well. Many Thanks!
2025-12-23T04:23:23
acme.sh
[Tue Dec 23 04:23:23 +07 2025] Error adding TXT record to domain: _acme-challenge.DOMAIN
2025-12-23T04:23:23
acme.sh
[Tue Dec 23 04:23:23 +07 2025] invalid domain
I am running version:
OPNsense 25.7.7_4-amd64
Will update this evening, but am curious if Lets Encrypt made the changes called out in the bug report? Both the cron job and running a cert renew fail. I have created a new API with cloudflare as well. Many Thanks!
2025-12-23T04:23:23
acme.sh
[Tue Dec 23 04:23:23 +07 2025] Error adding TXT record to domain: _acme-challenge.DOMAIN
2025-12-23T04:23:23
acme.sh
[Tue Dec 23 04:23:23 +07 2025] invalid domain
#28
General Discussion / Re: Intermittent traffic drops
Last post by issuing_scone - December 22, 2025, 10:44:51 PMSolution was simple and an oversight on my part.
I had created a NAT outbound rule for LAN devices, but I had forgotten to make one for WireGuard devices. The reason the result was intermittent was because the firewall was allowing traffic until sessions died, at which point it would begin blocking attempts to renew sessions that were expired.
While Live View showed traffic being blocked by the default deny rule on the VPN interface, that stopped when the NAT outbound rule was made, meaning that kill switch etc. were not interfering, but just appearing as if part of the cause while they weren't actually. It also explains why the any any allow rule didn't do anything, - it wasn't a firewall rule causing the block.
Sleeping on an issue does wonders. :-)
I had created a NAT outbound rule for LAN devices, but I had forgotten to make one for WireGuard devices. The reason the result was intermittent was because the firewall was allowing traffic until sessions died, at which point it would begin blocking attempts to renew sessions that were expired.
While Live View showed traffic being blocked by the default deny rule on the VPN interface, that stopped when the NAT outbound rule was made, meaning that kill switch etc. were not interfering, but just appearing as if part of the cause while they weren't actually. It also explains why the any any allow rule didn't do anything, - it wasn't a firewall rule causing the block.
Sleeping on an issue does wonders. :-)
#29
General Discussion / Re: Stop automatic default rou...
Last post by franco - December 22, 2025, 10:22:43 PM"force down" isn't about fbsd at all, it's a sense thing that came to be with the gateway monitoring and is effectively labelled incorrectly. It's more of a "do not use for automation" flag with the twist that it blanks the status for the gateway. Won't be easy to clean this up. ;)
Cheers,
Franco
Cheers,
Franco
#30
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by martine - December 22, 2025, 08:39:35 PMVielen Dank für eure Hilfe, ich werde mich am Vorschlag mit dem VLANs versuchen.
