Recent posts

#21
There will be an SOA and a couple of NS records but nothing else. Why would the domain registrar put any A or AAAA record in the zone if you don't tell them to?
#22
25.7, 25.10 Series / DNSMASQ IPSET update delay for...
Last post by epomatti - Today at 06:02:26 AM
I'm using DNSMASQ with IPSETs to enable wildcard firewall rules. I reference the DNSMASQ IPSET with External (Advanced) alias firewall rules.

There seems to be a delay affecting the firewall rule's ability to recognize newly resolved IP addresses. Once the DNS query gets answered, the client immediately tries to connect to the destination, but the firewall rule rejects the IP. It seems that OPNsense has not yet recognized the updated DNSMASQ IP address resolved for the IPSET.

After a short while it works again, but this is becoming a problem for us.

Is this expected behavior? Or am I doing something wrong?
#23
General Discussion / Re: Dnsmasq forwarding not wor...
Last post by epomatti - Today at 05:49:36 AM
Just to close this, I was able to do it in the domains feature of DNSMASQ.
#24
25.7, 25.10 Series / Re: 1 Device blocked by defaul...
Last post by passeri - Today at 03:41:14 AM
@xXHelperXx, I think you misunderstood the meaning of "here". The problem with using an image service is it is more likely to disappear, leaving this thread largely incomprehensible to anyone who might have a similar problem in the future. Is there any particular reason you are unable to post images here, within your replies, rather than as links?

Regarding your further comment, are you filtering on the interfaces or on the bridge? https://docs.opnsense.org/manual/how-tos/lan_bridge.html (see Step Six, System Settings Tunables)
#25
25.7, 25.10 Series / Re: 1 Device blocked by defaul...
Last post by xXHelperXx - Today at 02:15:59 AM
Quote from: passeri on January 06, 2026, 12:36:03 AM
Quote from: xXHelperXx on January 05, 2026, 11:53:06 PM
Not really sure why it still blocks, and why especially on LAN and not on VPN.
Different rules, most likely. LAN and Wireguard are not the same subnets.

If you publish your rules here, I will look at them to see whether I can help. Using imgur is not publishing here.
Thanks man!!
See here:
WG rules + the auto generated: https://imgur.com/a/E5v6qZ4
BridgeLAN + Auto generated: https://imgur.com/a/WGDmaz7


Quote from: viragomann on January 06, 2026, 10:45:42 AM
The block log you've posted shows the source IP is 192.168.11.38 and the destination is 192.168.11.66. If it is a /24 subnet the devices would be within the same subnet. And as mentioned, traffic between these shouldn't go to the router, except if they are connected to different interfaces of a bridge. If it does anyway, the network settings of the source are wrong.
Correct, the source is ...11.38 (or any other machine) and the destination is ...11.66, but before it was working and something changed. Not sure what?!
The OPNsense appliance has 6 ports in total. 4 of them I put under one bridge called BridgeLAN.
They must go through the OPNsense router.
#26
General Discussion / Re: Dual Public IP Usage
Last post by pfry - Today at 01:54:17 AM
Out of curiosity, why the indirection? As opposed to simply assigning one or more public IPs to each server. Are you overloading your public address space?
#27
General Discussion / Install problem on NVMe (nvme0...
Last post by Jwidess - Today at 01:31:19 AM
Hi all,
I have been struggling the last few hours trying to figure out how to suppress messages I am getting during the install on my Mini PC. During the install, after I boot normally into multi-user mode, the console is spammed with the following lines:
nvme0: async event occurred (type 0x1, info 0x01, page 0x02)
They are spammed at such a rate I cannot get through the installer, as even the end GUI when run with installer and opnsense is overwritten by the console messages.
The only other post I can find referencing a similar issue is here, but @MattD76 reported they were still getting the async messages. Please let me know if anyone has a solution to this problem; it would be much appreciated!
NOTE: I tested this with another model of NVMe drive (WD Blue) and this issue completely disappeared, so if I can't get this resolved, I will return my current drive and get another WD, but I'd prefer not to.

Computer: Generic Amazon "MOGINSOK Mini PC 2.5Gbe Intel Celeron N5095 Quad Core, 4*Intel I225-V"
Drive with async errors: Silicon Power 128GB NVMe M.2 PCIe Gen3x4 2280 SSD (SP128GBP34A60M28)
Install: OPNsense-25.7-vga-amd64.img.bz2
#28
General Discussion / Re: Adding a VLAN to a transpa...
Last post by pfry - Today at 01:26:03 AM
Heh. Consider the target NAT data flow.
#29
Hardware and Performance / Re: DEC4280
Last post by pfry - Today at 01:17:28 AM
I'm not surprised that the quoted performance is a bit hard to achieve. The device is a throughput device - did you try it with 12 or 16 threads?
#30
Has anyone successfully installed Tailscale on two instances of OPNsense and got subnet routing to work/route between OPNsense tailnet nodes?

I'm running V25.7.10 with Tailscale Plugin 1.3 / Tailscale 1.92.2

I've been working on this for a couple weeks and just can't seem to move forward. Subnets are IPv4 and WAN is CGNAT fixed wireless on both ends. Individual nodes on the tailnet can connect to machines on each OPNsense network and vice versa, so I know that the basic subnet routing IN is working, but I have been unsuccessful at getting the TCP/UDP traffic to route between the subnets. Ping between OPNsense instances does work, but no TCP/UDP sessions.

I suspected this could be a NAT issue, but I'm struggling to understand how to diagnose the problem and fix it. My experimentation with NAT rules has only broken what was working, so I keep going back to the initial Tailscale configuration for OPNsense. Packet capture around the tailscale interface hasn't given me anything, as I only see the initiation of a request on the LAN and a bunch of the Tailscale WireGuard protocol packets on the WAN interface. I'm also struggling to see any firewall messages where something is blocked in or out.

My tailnet routing grants are still the default (src *, dst *), so I'm expecting everything to be routing right now. Interestingly, when I specified the specific subnets in the Tailscale JSON per the Tailscale documentation on subnet routing, nothing routes in from individual tailnet nodes.

Anyone know how to troubleshoot this or have a guide on how to set this up?