Recent posts

#21
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by pseudonym3k - December 29, 2025, 09:01:34 PM
Quote from: tokade on December 29, 2025, 07:57:48 PM:
Since the 25.7 series, I have also noticed
Quote from: ESClaus76 on December 29, 2025, 06:05:58 PM:
My setup was simple as it could get.

I'm the OP. I'm still working on my issues, possibly related to both of yours, or possibly it's just coincidence that I'm running smoothly right now, but I'll give you what I've got and let you try it out if you're willing.

I'm not saying this is the best way to go, only that apparently it's working for me thus far and maybe you can get a stable setup too before moving on with more configuration.

1. If it isn't already, disable Unbound. Put your DNS server IPs in System -> Settings -> General.

2. I was having trouble with Health reports, I think something got corrupted in the upgrade. I went to Reporting -> Settings and reset/repaired everything, then rebooted. I had to do it a couple more times over a few weeks but reporting is working OK for now.

3. I've just moved from ISC to DNSmasq. I had DNSmasq in prior routers for years and liked it. This one is working for me too.
   - The first day was a little rocky as leases expired and got picked up by DNSMasq, but settled after that.   
   - Don't enable DNSMasq until everything is ready. Then, disable ISC and enable DNSMasq. Reboot and give it a day to settle out.
   - Leave the listen port at 53 (because unbound is disabled)
   - I followed this guide: https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/  except for leaving the listen port at 53 and skipping all the unbound info. I also put the lease time to 0 on all my reserved IPs. I don't know if that's redundant but it is what I've done on all past DNSMasq routers I've had.

   NOTE: In ISC I had a small window of IPs available for dynamic IPs, and all the reserved IPs were defined outside of that range.
         In my past DNSMasq routers I always gave the full LAN range for DHCP and reserved IPs were scattered throughout - I did the same here. The above guide also mentions this. I honestly don't know if that's required, but it's what I've always done.

4. I found out I was getting dpinger problems with gateway monitoring. I think this was causing me some instability. Probably nothing to do with DNS issues exactly, but my internet kept going unstable and only pulling the power cable would fix it. I could probably just uncheck gateway monitoring (and may still try that).

But for now I changed the IP from what was already populated, to a hop in a tracert to any public IP. I chose the IP from the fourth hop as it responded quickly. It's still within my ISP. I am not sure how the one in OPNsense was populated, I don't recall putting anything there when I first set up and don't have any notes about it. Maybe I did it and just don't remember. In any case, using the fourth hop IP on the tracert is working well and I don't have any dpinger entries anymore.

Check your logs at System -> Gateways -> Log file and see if you have any dpinger warnings or errors, especially "exit on signal 15", which I think means it was killed and restarted. (?)  If you have warnings or errors, go to System -> Gateways -> Configuration and enter that fourth hop IP for monitoring. Or just try a reliable one like 1.1.1.1 or 8.8.8.8, something for your test that has a consistent fast response and solid uptime.


If you are willing to try the above and if your internet becomes stable after a day or two (and maybe a couple of reboots at intervals), then we might be able to help shed some light on why the most basic near-default installs seem to have trouble with DNS.

Let us know?

Kind regards.

#22
25.7, 25.10 Series / Re: ice driver (ddp) / latest ...
Last post by pfry - December 29, 2025, 08:46:56 PM
Quote from: bugacha on December 29, 2025, 07:50:02 PM:
Nah, the driver (I guess by driver I mean DDP which I care about) wouldn't work if it doesn't match the firmware. I learned it the hard way [...]

Huh! I have to say, I only use the E810 under FreeBSD (not OPNsense); my soon-to-be-wiped machine has a slightly older driver (1.43.2-k) and I use the default DDP (loader.conf: if_ice_load, ice_ddp_load = yes). (I don't believe I'll update from NVM 4.90 to 4.91 as there don't appear to be any updates relevant to my installation.)
#23
Hardware and Performance / which coreboot payload
Last post by senser - December 29, 2025, 08:33:52 PM
I want to switch from AMI BIOS to coreboot on my Topton N150 box, which is currently running OPNsense 25.7 (barebone).

So I am configuring coreboot (v25.12) for my mainboard (Topton ADL: TWL (X2E_N150)) on a Fedora box and I am currently stuck at figuring out what payload I should choose.
This is what gpart says about my NVMe disk containing OPNsense:
$ gpart show
=>       40  488397088  nda0  GPT  (233G)
         40     532480     1  efi  (260M)
     532520       1024     2  freebsd-boot  (512K)
     533544        984        - free -  (492K)
     534528   16777216     3  freebsd-swap  (8.0G)
   17311744  471085056     4  freebsd-zfs  (225G)
  488396800        328        - free -  (164K)


AFAIK, I cannot use the SeaBIOS payload as it requires an MBR partition... or does it? Do I have one? Maybe it is hidden?
Sorry if this is a stupid question - but when I flash this coreboot.rom I'd REALLY like my router to boot up again... :)
#24
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by tokade - December 29, 2025, 07:57:48 PM
Since the 25.7 series, I have also noticed strange behavior where a few individual pages can no longer be accessed (ERR_CONNECTION_RESET), e.g., www.spiegel.de, or where I have to refresh the browser several times before other pages are displayed.

This happens with different browsers as well as on the LAN with Windows PCs and on the WLAN with Android.

I have already disabled all possible settings in Unbound (DNSSec, block lists, etc.) and tried different DNS servers for DoT, cleared the cache in the browser, cleared the DNS cache in Windows... but the pages still cannot be accessed. The block list tester also returns OK / PASS.

I can't make sense of the Unbound logs.
How could I further investigate the problem?

Kind regards
Torsten

#25
General Discussion / Re: Caddy Reverse Proxy + Fire...
Last post by kiekar - December 29, 2025, 07:53:31 PM
I'm now able to access my home assistant device.

I already had a rule on my LAN network with Source: LAN net to the firewall on ports 80 and 443.

To make it work I added a new rule below with Source: This Firewall to 192.168.30.87 on port 8123.
#26
25.7, 25.10 Series / Re: ice driver (ddp) / latest ...
Last post by bugacha - December 29, 2025, 07:50:02 PM
Quote from: pfry on December 29, 2025, 04:21:30 PM:
They're not paired. The driver will work fine (and not complain) with a "later-than-recommended" NVM. I'd always go for the latest NVM, but the E810 has been around for long enough (2019?) that the major bugs should have been killed by now. I'd have to look at the release notes to be sure. At any rate, I'll update if convenient or necessary (I experienced the latter with some old X710s).

What issue were you having with the update? Your link is for Windows; I don't know what the package includes. (I use the EFI updater.)

Nah, the driver (I guess by driver I mean DDP which I care about) wouldn't work if it doesn't match the firmware. I learned it the hard way:

[1] ice0: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.43.3-k> mem 0x380000000000-0x380001ffffff,0x380002000000-0x38000200ffff irq 16 at device 0.0 on pci1
[1] ice0: Loading the iflib ice driver
[1] ice0: Error configuring transmit balancing: ICE_ERR_AQ_ERROR
[1] ice0: An unknown error occurred when loading the DDP package.  Entering Safe Mode.
[1] ice0: fw 7.10.1 api 1.7 nvm 4.91 etid 800214ab netlist 4.4.5000-1.18.0.db8365cf oem 1.3909.0
[1] ice0: Using 1 Tx and Rx queues
[1] ice0: Using MSI-X interrupts with 2 vectors
[1] ice0: Using 1024 TX descriptors and 1024 RX descriptors
[1] ice0: Ethernet address: 50:7c:6f:79:ca:e8
[1] ice0: PCI Express Bus: Speed 16.0GT/s Width x8
[1] ice0: ice_init_dcb_setup: No DCB support
[1] ice0: link state changed to UP
[1] ice0: Link is up, 25 Gbps Full Duplex, Requested FEC: RS-FEC, Negotiated FEC: RS-FEC, Autoneg: False, Flow Control: None
[1] ice0: netmap queues/slots: TX 1/1024, RX 1/1024
[1] ice1: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.43.3-k> mem 0x380800000000-0x380801ffffff,0x380802000000-0x38080200ffff irq 16 at device 0.0 on pci2
[1] ice1: Loading the iflib ice driver
[1] ice0: link state changed to DOWN
[1] ice1: Error configuring transmit balancing: ICE_ERR_AQ_ERROR
[1] ice1: An unknown error occurred when loading the DDP package.  Entering Safe Mode.
[1] ice1: fw 7.10.1 api 1.7 nvm 4.91 etid 800214ab netlist 4.4.5000-1.18.0.db8365cf oem 1.3909.0
[1] ice1: Using 1 Tx and Rx queues
[1] ice1: Using MSI-X interrupts with 2 vectors
[1] ice1: Using 1024 TX descriptors and 1024 RX descriptors
[1] ice1: Ethernet address: 50:7c:6f:79:ca:e9
[1] ice1: PCI Express Bus: Speed 16.0GT/s Width x8
[1] ice1: ice_init_dcb_setup: No DCB support
[1] ice1: link state changed to UP
[1] ice1: Link is up, 25 Gbps Full Duplex, Requested FEC: RS-FEC, Negotiated FEC: FC-FEC/BASE-R, Autoneg: False, Flow Control: None
[1] ice1: netmap queues/slots: TX 1/1024, RX 1/1024
[1] ice1: link state changed to DOWN
[9] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[10] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[11] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[12] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[14] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[15] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[19] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[20] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[21] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[22] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[24] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[25] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[26] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[27] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[28] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[28] ice1: Unable to configure the main VSI for Tx: ENODEV
[29] ice1: Failed to add VLAN filters:
[29] ice1: - vlan 2, status -105
[29] ice1: Failure adding VLAN 2 to main VSI, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[30] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[30] ice1: Unable to configure the main VSI for Tx: ENODEV
[31] ice1: Failed to add VLAN filters:
[31] ice1: - vlan 2, status -105
[31] ice1: Failure adding VLAN 2 to main VSI, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[32] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[32] ice1: Unable to configure the main VSI for Tx: ENODEV
[34] ice1: Failed to add VLAN filters:
[34] ice1: - vlan 20, status -105
[34] ice1: Failure adding VLAN 20 to main VSI, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[35] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[35] ice1: Unable to configure the main VSI for Tx: ENODEV
[36] ice1: Failed to add VLAN filters:
[36] ice1: - vlan 20, status -105
[36] ice1: Failure adding VLAN 20 to main VSI, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[37] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[37] ice1: Unable to configure the main VSI for Tx: ENODEV
[38] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[39] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[40] ice0: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_TIMEOUT aq_err OK
[41] ice1: ice_read_sff_eeprom: Error reading I2C data: err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[42] ice1: Could not add new MAC filters, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[42] ice1: Failed to synchronize multicast filter list: EIO

Both ports would be offline; only reverting to the 4.50 NVM helped. 4.60 didn't work either.

I didn't try to compile Intel's FreeBSD driver, which is much newer than what 14.3-p5 comes with.
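As an added check (not code from this thread or from the OPNsense project), a small parser that reads ice(4) dmesg lines like the ones quoted above and reports, per port, the driver and NVM/firmware versions and whether the DDP package fell back to Safe Mode or hit ICE_ERR_AQ_FW_CRITICAL errors. Running it over `dmesg` output after an NVM update tells you immediately whether the driver and firmware mismatch the poster describes has occurred. The sample input is a handful of lines excerpted from the post above.

```python
import re
from collections import defaultdict

# Sample input: a few lines excerpted from the dmesg output quoted in the post above.
SAMPLE_DMESG = """\
[1] ice0: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.43.3-k> mem 0x380000000000-0x380001ffffff irq 16 at device 0.0 on pci1
[1] ice0: An unknown error occurred when loading the DDP package.  Entering Safe Mode.
[1] ice0: fw 7.10.1 api 1.7 nvm 4.91 etid 800214ab netlist 4.4.5000-1.18.0.db8365cf oem 1.3909.0
[1] ice1: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.43.3-k> mem 0x380800000000-0x380801ffffff irq 16 at device 0.0 on pci2
[1] ice1: An unknown error occurred when loading the DDP package.  Entering Safe Mode.
[1] ice1: fw 7.10.1 api 1.7 nvm 4.91 etid 800214ab netlist 4.4.5000-1.18.0.db8365cf oem 1.3909.0
[28] ice1: Failed to set LAN Tx queue 0 (TC 0, handle 0) context, err ICE_ERR_AQ_FW_CRITICAL aq_err OK
[42] ice1: Failed to synchronize multicast filter list: EIO
"""

LINE_RE = re.compile(r"^\[\d+\]\s+(ice\d+):\s+(.*)$")        # "[1] ice0: message"
DRIVER_RE = re.compile(r"<[^>]*-\s*([\d.]+-k)>")              # "... - 1.43.3-k>"
FW_RE = re.compile(r"fw\s+(\S+)\s+api\s+(\S+)\s+nvm\s+(\S+)")  # "fw 7.10.1 api 1.7 nvm 4.91"

def parse_ice_dmesg(text):
    """Summarise driver/firmware state for every ice(4) port seen in the dmesg text."""
    devs = defaultdict(lambda: {"driver": None, "fw": None, "api": None, "nvm": None,
                                "safe_mode": False, "fw_critical": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dev, msg = m.groups()
        d = devs[dev]
        dm = DRIVER_RE.search(msg)
        if dm:
            d["driver"] = dm.group(1)
        fm = FW_RE.search(msg)
        if fm:
            d["fw"], d["api"], d["nvm"] = fm.groups()
        if "Entering Safe Mode" in msg:          # DDP package failed to load
            d["safe_mode"] = True
        if "ICE_ERR_AQ_FW_CRITICAL" in msg:      # firmware rejected an admin-queue command
            d["fw_critical"] += 1
    return dict(devs)

def unhealthy_ports(summary):
    """Ports whose DDP did not load or which logged firmware-critical AQ errors."""
    return sorted(dev for dev, d in summary.items() if d["safe_mode"] or d["fw_critical"])

if __name__ == "__main__":
    summary = parse_ice_dmesg(SAMPLE_DMESG)
    for dev in sorted(summary):
        print(dev, summary[dev])
    print("unhealthy ports:", unhealthy_ports(summary))
```

On a live system feed it `dmesg` output instead of the sample; a port listed as unhealthy with `safe_mode` set is running without its DDP package, which matches the "both ports offline" symptom in the post.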
#27
German - Deutsch / Re: Hetzner Cloud Server Wire...
Last post by Peter68 - December 29, 2025, 07:22:57 PM
Thanks for your answers. It's been resolved.

#28
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by pfry - December 29, 2025, 06:34:16 PM
Quote from: Fredouil on December 27, 2025, 11:44:41 AM:
[...]it should be a priority[...]

Heh. Whose confirmation bias is justified? (Does that matter?)

I'd implement it, as I come from a routing background. (Note that I started with firewalls at the same time.) I'm a lousy persuader; money talks, but I don't have enough for this one.
#29
German - Deutsch / Re: ISC DHCP - neu angelegte N...
Last post by mkreu - December 29, 2025, 06:30:56 PM
Hi observing0436,

thanks for the tip. It really does work that way. I just tried it on my test machine, since in my desperation I had already converted the production OPNsense to Dnsmasq...
Great that it works like this, but that can't really be the intended way, can it..?

Wishing you a happy New Year and best regards,
mkreu
#30
25.7, 25.10 Series / Re: LAN unreachable from OPNSen...
Last post by TheAutomationGuy - December 29, 2025, 06:23:58 PM
What is the IP address that your computer is assigned? Is it something like 169.254.x.x? That would indicate a connection problem between the computer and firewall, where the computer failed to get a DHCP address because of this connection problem. I would suggest that you connect the computer directly to the LAN port of the firewall. If you are already doing this, change the network cable to a known working cable. If that still fails, then it is likely a hardware or driver problem with the LAN port on the firewall.

If you can access OPNsense's command line interface, you should be able to confirm what your LAN subnet is set to. It's possible that you originally had changed it to something other than the stock configuration and when you reset the box it set the LAN subnet back to the stock configuration (which is 192.168.1.0/24 with the firewall getting the 192.168.1.1 address). You can always reassign the LAN interface to another physical port (if available), choose a different LAN subnet address if desired, and also make sure that DHCP is turned on for that LAN subnet.