Recent posts

#41
26.1 Series / Re: Firewall rules migration
Last post by thoth - February 11, 2026, 07:07:06 PM
In my import step I get lots of these:

[source_net] opt2 is not a valid source IP address or alias.

but the old rules seem to reference these aliases just fine. Do I need to recreate them?
#42
26.1 Series / Re: IPv6 downstream router (Fr...
Last post by Monviech (Cedrik) - February 11, 2026, 06:52:20 PM
Patrick is right.

And to make it even more precise, the IPv6 setup could be configured statically entirely.

Static IPv6 on LAN/vlan etc.

Static route of a subnet (prefix) to the fritzbox.

Static IPv6 configuration on the Fritzbox WAN port.

Router Advertisements are all that's needed to advertise the default route.

No DHCPv6 server needed anywhere, only the WAN DHCPv6 Client configuration.

Essentially this is completely normal manual subnetting almost the same as IPv4.
#43
26.1 Series / Re: OPNSense 26.1.1 new instal...
Last post by Warbreaker - February 11, 2026, 06:46:10 PM
Quote from: Patrick M. Hausen on February 11, 2026, 06:34:46 PM
If you follow the official documentation for creating a LAN bridge, specifically step six, that will fix your problem.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Perfect, that worked, thank you very much. I should have gone to the official doc first; I didn't think it needed a tweak, and that's on me ;-)
#44
26.1 Series / IPFire Domain Blocklist ( Suri...
Last post by yeraycito - February 11, 2026, 06:39:20 PM
#45
26.1 Series / Malware Lab hardening - Instal...
Last post by talowicz - February 11, 2026, 06:39:03 PM
Hello all.

I have a 26.1 installed under QEMU/KVM to firewall and monitor some malicious VMs. I'm not 100% familiar with 26.1 and it brings some changes to my previous knowledge of 25.1. I would very much appreciate it if someone could provide some insight on how to achieve the following things:

- Force cleartext DNS to go through the Unbound DNS server
- Ensuring that guests behind the OPNsense firewall cannot talk to the VM host or its network.

The force DNS redirect HOW-TOs I have found are all pretty out of date.

What confused me with the private network firewalling was that, under the interfaces > LAN section, enabling the Block Private Networks and Bogon network switches resulted in the clients on this network not being able to reach the internet. With them disabled the machines can reach out fine, but they can obviously reach the VM host and its network.

Thanks in advance for your time.
#46
26.1 Series / Re: OPNSense 26.1.1 new instal...
Last post by Patrick M. Hausen - February 11, 2026, 06:34:46 PM
If you follow the official documentation for creating a LAN bridge, specifically step six, that will fix your problem.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html
#47
26.1 Series / Re: OPNSense 26.1.1 new instal...
Last post by Warbreaker - February 11, 2026, 06:32:29 PM
Quote from: Patrick M. Hausen on February 11, 2026, 06:29:30 PM
Did you set the two mandatory tunables as documented?

No, I'm pretty new to OPNSense. Everything is working though: I have AdGuard, moved to Chrony, and I have firewall rules for DNS and the time server. Care to tell me what I need to check and where? I have just a basic network, bridged LAN ports + WAN with the VLAN required by my ISP.
#48
26.1 Series / Re: OPNSense 26.1.1 new instal...
Last post by Patrick M. Hausen - February 11, 2026, 06:29:30 PM
Did you set the two mandatory tunables as documented?
#49
26.1 Series / OPNSense 26.1.1 new install: L...
Last post by Warbreaker - February 11, 2026, 06:28:42 PM
I have the following rules created by default, exported and then imported in the new Rules [new] (I followed the migration assistant).

My LAN is a bridge of all Ethernet ports except for the WAN, but in order for any PC within the LAN to be able to communicate with another member of the LAN I need a 3rd rule (1st on the screenshot). If I specify the LAN as the interface, it doesn't work (tested with a basic ping); in other words, it only works the way it is in my current screenshot:

#50
26.1 Series / Re: IPv6 downstream router (Fr...
Last post by Patrick M. Hausen - February 11, 2026, 06:21:24 PM
In other words if you reliably (because the contract says so) get a static prefix from your ISP, then configure your WAN with DHCPv6 but forget all "track" and similar crap on your internal interfaces and use static configuration throughout. Then Kea can - also by static configuration - perform PD to downstream clients.