Recent posts

#21
High availability / Re: CARP WAN VIP not reachable
Last post by chiro - January 27, 2026, 10:50:34 PM
Hi,
We recently ran into exactly the same behavior described in this thread, and after a fair amount of digging I wanted to share what we found and how we worked around it.


Symptoms (same as described above)

CARP works reliably on LAN / internal networks
CARP on the WAN interface behaves inconsistently
ARP resolution looks correct
Sometimes the first ICMP packet works
Subsequent traffic is dropped or blackholed

On the switches, we observed:
ARP table is correct (VIP → CARP virtual MAC)
MAC address table never learns the CARP virtual MAC
As a result, unicast traffic to the VIP is not forwarded reliably

Why this happens (key point)

This is not really a CARP bug, but an interaction between floating L2 identities and virtualized switching.

In virtual environments (ESXi + distributed switches in our case):
CARP replies ARP with the correct virtual MAC (00:00:5e:00:01:XX)
However, frames sourced with that MAC are not always learned by physical ToR switches
Even with Forged Transmits, MAC Address Changes, and Promiscuous Mode enabled

On LAN networks, this often works because:
Traffic stays inside the hypervisor or distributed switch
The physical switch is never involved
The CARP MAC does not need to be learned upstream

On the WAN, traffic must traverse physical uplinks:
The ToR switch must learn the source MAC
The CARP virtual MAC is never learned
Result: ARP resolves, first packet may pass, steady-state traffic fails

This explains why the issue appears WAN-only and why it is so inconsistent.


Workaround / design pattern that worked reliably for us

We solved this by separating HA control-plane from data-plane identity:
Keep CARP for state and master election only
Do not use the CARP VIP for production traffic
Create a plain IP Alias (no VHID) for the production IP
Move that alias between nodes based on CARP MASTER state


This way:
The production IP always uses the physical interface MAC
The switch can learn the MAC normally
CARP still provides HA logic and state sync
WAN traffic becomes stable and predictable


We implemented this using Monit and a small script that:
Adds the alias on the CARP MASTER
Removes it on the BACKUP node


Example logic (simplified):
#!/bin/sh
# Hold the production IP alias only while this node is CARP MASTER for VHID 1.
# The trailing space keeps "vhid 1" from also matching "vhid 10", "vhid 11", ...
if ifconfig | grep -q "carp: MASTER vhid 1 "; then
    # MASTER: make sure the production IP is present on the physical interface
    ifconfig vmx1 inet <PROD_IP>/24 alias
else
    # BACKUP/INIT: release it so only the master answers for that address
    ifconfig vmx1 inet <PROD_IP>/24 -alias
fi

Monit runs this every few seconds, so failover and failback are fast.


Conclusion

This seems to be a general limitation when using floating virtual MACs on WAN interfaces in virtualized environments, especially when traffic must traverse physical switching.
The workaround above has been stable for us and avoids relying on a MAC address that the physical fabric never learns.

Posting this in case it helps others who run into the same issue — happy to clarify or compare notes.
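A fuller version of the alias-follows-CARP pattern described in this post, written here as an added example rather than chiro's own script: it compares whole ifconfig fields (so VHID 1 is not confused with VHID 10), checks whether the address is already present before touching it so Monit's repeated runs stay idempotent and quiet, and releases the address on any non-MASTER state. Interface vmx1, VHID 1, the PROD_IP/DRY_RUN knobs and the sample ifconfig output are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not the poster's script): keep a production IP alias in step
# with the local CARP state for one VHID, idempotently, as Monit's periodic job.
# Assumes FreeBSD/OPNsense ifconfig output ("carp: MASTER vhid 1 ..."), iface
# vmx1 and VHID 1; PROD_IP and DRY_RUN are hypothetical knobs for this example.
IFACE="${IFACE:-vmx1}"; VHID="${VHID:-1}"
PROD_IP="${PROD_IP:-192.0.2.10/24}"   # constructed placeholder, set to the real IP
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the ifconfig call, 0 = run it
# carp_state VHID < ifconfig-output: prints MASTER, BACKUP, INIT or NONE.
# Compares whole fields, so "vhid 1" cannot also match "vhid 10" as a plain grep would.
carp_state() {
    awk -v vhid="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "NONE" }'
}
# has_addr IP/PREFIX < ifconfig-output: succeeds if the bare IP is already configured.
has_addr() { grep -Fq "inet ${1%%/*} "; }
# plan STATE PRESENT(0/1): the ifconfig verb to run, or noop. Anything but MASTER
# releases the IP, so a BACKUP or INIT node never answers for it.
plan() {
    case "$1:$2" in
        MASTER:0) printf '%s\n' alias ;;
        MASTER:1) printf '%s\n' noop ;;
        *:1)      printf '%s\n' -alias ;;
        *)        printf '%s\n' noop ;;
    esac
}
# reconcile < ifconfig-output: decide once and apply at most one change.
reconcile() {
    out="$(cat)"
    state="$(printf '%s\n' "$out" | carp_state "$VHID")"
    if printf '%s\n' "$out" | has_addr "$PROD_IP"; then present=1; else present=0; fi
    verb="$(plan "$state" "$present")"
    [ "$verb" = noop ] && return 0
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: ifconfig $IFACE inet $PROD_IP $verb (carp $state)"
    else
        ifconfig "$IFACE" inet "$PROD_IP" "$verb"
    fi
}
# Constructed sample for offline runs ("sh carp_alias.sh demo"); "run" reads ifconfig.
SAMPLE='vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
    carp: MASTER vhid 1 advbase 1 advskew 0
    carp: BACKUP vhid 10 advbase 1 advskew 100'
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE" | reconcile ;;
    run)  ifconfig "$IFACE" | reconcile ;;
esac
```

Point Monit at `sh carp_alias.sh run` with `DRY_RUN=0` once the printed plan looks right on both nodes.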
#22
General Discussion / Re: Memory leak or not?
Last post by droumanet - January 27, 2026, 10:36:10 PM
I think it's not a memory leak, but the way FreeBSD manages memory (to avoid disk caching).
Solved (I hope... a crash with lagg0 has reset my statistics)
#23
25.7, 25.10 Series / Re: Comprehensive Unbound DNS ...
Last post by droumanet - January 27, 2026, 10:28:53 PM
It's working correctly, you just have to wait a few minutes.... Solved!
It's the perfect answer to my problem.
#24
26.1 Series / Re: How to create a rule with ...
Last post by Patrick M. Hausen - January 27, 2026, 10:11:44 PM
All fine and dandy. Are you planning to continue the work through the 26.1 CE? Or will we have to wait for 26.7 until now unused parts of the UI will be removed and e.g. Source NAT completed?

And what are the plans for the next business edition? As a paying customer I would appreciate consistency and an "all or nothing" attitude very much. For the CE it's ok in my opinion.
#25
25.7, 25.10 Series / DHCP/DNS setup.
Last post by pasha-19 - January 27, 2026, 10:07:44 PM
I started with these instructions:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

I ran into a problem where defining a DHCP pool that included dynamic and reserved assignments (a requirement of the DNSMasq DHCP server) did not successfully allow (some, maybe all) unused addresses in the reserved range to be declared "static" (advanced option) if they were not the subject of a reserved assignment, to prevent automatic assignment of undesirable addresses. I entered each "static" entry as a single address as the window indicated was required. This problem was present in both IPv4 and IPv6 DHCP dynamic assignments.

I switched to using DNSmasq as a local DNS server and Kea as the IPv4 & IPv6 DHCP server. I have successfully gotten all addresses (but not all suffixes) assigned as desired. Kea only includes the dynamically assigned addresses in the pool, and both static and reserved assignments are made from outside the dynamic pool addresses per the Kea documentation.

I have been working on getting a DNS suffix assigned to dynamic pool and reserved assignments.

The KEA IPv4 DHCP server has a field in the pool setup to contain that DNS Suffix value along with a DNS Search suffix value.  This works for me.

IPv4 and IPv6 reserved addresses seem to work fine if the full FQDN including the trailing period is included in the Hostname of the reservation entry. The DNS Suffix value in the reservation configuration was not sufficient to be appended to the Hostname (without the suffix) in my testing.

The IPv6 DHCP server DOES NOT have a DNS Suffix value and only has a DNS Search Suffix in the dynamic pool configuration window.

I tried without any real hope of success (no documentation indicated this would work) putting both suffixes in the DHCPv6 Server DNS Search Suffix (the DNS Suffix value first).  No surprise it did not work.

I also found under advanced DHCPv6 pool values a V6-DNR entry. The help references finding the format of this value in the Kea documentation. I have tried several entries, the last being "1 {DNS Suffix} ::1 port=53053" (DNSMasq is the local DNS server running on the router using port 53053). That entry did not generate an error in the Kea DHCP log file. However, my IPv6 dynamic assignments are not getting the DNS Suffix assigned in the DHCPv6 Leases window or according to my queries of the DNS server.

Is my V6-DNR entry coded incorrectly?  Is there somewhere else to specify the DNS Suffix for the IPv6 Dynamic Pool that I have not found?

Thanks, if anyone can provide some insight as to what I am doing wrong.
#26
26.1 Series / Re: How to create a rule with ...
Last post by Monviech (Cedrik) - January 27, 2026, 09:48:53 PM
The Source NAT view is not feature complete yet and doesn't replace Outbound NAT yet; it was just there in automation too, so it got a quick view overhaul so it looks like the other modern pages.

If something is missing best open a github ticket.
#27
26.1 Series / How to create a rule with stat...
Last post by Patrick M. Hausen - January 27, 2026, 09:43:39 PM
Subject says it - I could not find any option that would do this.
#28
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by Q-Feeds - January 27, 2026, 09:38:25 PM
Hi Sammy,

Thank you for reporting; this is indeed a bug (most likely since the last Unbound update). A few other users reported the same behavior here: https://forum.opnsense.org/index.php?topic=50502.0

We're working on it and will keep you posted!

Kind regards,

David
#29
25.7, 25.10 Series / [SOLVED] Having trouble with D...
Last post by dns_boy - January 27, 2026, 09:34:54 PM
First I am a self designated newbie, so I will try to explain my problem.

So I have several devices on an interface (WIFI, only because I did not want to put the device on my LAN) and mostly they work as I can specify DNS settings. I am using Unbound in Opnsense and DNS over TLS.

Some devices are fine, my phone and tablet (hard coded DNS to my PiHole). I want only 1 Opnsense interface to go to the PiHole, that being my WiFi interface.

The problem is my ROKU device as it does not have the ability to specify a DNS IP. It uses whatever the router (aka Opnsense) does.
I have checked and my Unbound logs show that the DNS for that device is working and showing ANSWER with no errors. However, I would like the Unbound DNS data to be sent to the PiHole. It currently is not?

It worked fine in ISC but now I have setup DNSMASQ and it is not working. One thing I have seen in Zenarmor is that it tries to go to 8.8.8.8 and 8.8.4.4.

Thus I would like to forward all DNS traffic from that one IP/device to the PiHole. I cannot see the query information in the PiHole currently.

I am ok with the Opnsense GUI interface, but I am not knowledgeable on how to force the DNS to work as desired.
Looking for any assistance as I would like to use DNSMASQ as ISC is EOL.

Thanks
dns_boy

#30
26.1 Series / Re: New rule system
Last post by Patrick M. Hausen - January 27, 2026, 08:59:19 PM
The migration assistant produced one route in the CSV that the import complained about, because the interface does not exist:

660d1363-f0e0-4dac-985c-b963552f8e69,1,keep,,211,pass,1,0,enc0,in,inet,any,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,,"allow all IPv4",0,any,,0,any,

Which is correct - I ran an IPsec tunnel once, but replaced it with WireGuard years ago. It's trivial to delete the rule from the CSV, then import, but how am I going to delete "all legacy rules", anyway? Do I really need to click on every single interface and remove every single rule? And how do I get at that enc0 rule?

If I have to edit the XML to remove that enc0 rule, anyway, I'm possibly better off using vi to remove everything ;-)

What do you think/recommend?

Kind regards,
Patrick

EDIT: ah ... the "Remove all legacy rules" in the assistant is functional, not only documentation. OK, trying this first, then I can check the XML for leftovers.

EDIT^2: Looks good, no legacy rules.

EDIT^3: The migration turns an '&' in a rule description - a 7 bit ASCII character - into '&amp;' Eager HTML escape.