Recent posts

#81
25.7, 25.10 Series / LAN breaks when moving from on...
Last post by tdpolo26 - December 27, 2025, 02:26:36 AM
Hardware:

Supermicro X10SLM 1U

OPNsense

Onboard NICs: originally igb0 + em0

Added Intel i350-T4 (now shows as igb0–igb3)

After install, the onboard NIC that used to be igb0 is now igb4

No VLANs

AdGuard for DNS (including IPv6 filtering)

A few static IPv6 assignments

Background:

I installed an Intel i350-T4 because the onboard NICs seemed flaky occasionally, and several threads recommended the i350 as a solid choice.

Once installed, the first port on the i350 became the new igb0, so I reassigned WAN to that (since WAN was originally on igb0). WAN worked fine.

LAN was previously on em0, so I went into Interfaces → Assignments and changed LAN to igb1.

That's where things fell apart.

Symptoms after moving LAN to igb1:

Wi-Fi devices appeared to still work

Wired computers could not reach the internet

Some local hosts resolving through AdGuard rewrites still worked

DNS logs showed queries hitting AdGuard, but browsing failed

Reboots changed behavior (sometimes slightly different failure)

I don't use VLANs, bridging, or anything exotic — just standard LAN/WAN plus AdGuard and some static IPv6.

After several hours of troubleshooting, I changed LAN back to em0, and everything immediately worked again.

Current working setup:

WAN = i350 (igb0)

LAN = onboard (em0)

Network stable again

My question:

What would cause LAN to break simply by moving it from em0 to igb1, especially considering the onboard NIC renumbering (igb0 → igb4)?

Possible culprits I'm wondering about:

stale interface bindings left behind

spoof-checking behavior tied to old interface identity

NAT expectations based on the previous LAN interface

IPv6/RA/static address behavior still tied to em0

FreeBSD driver/ordering oddities when NIC indexes change

I expected this to be a straightforward interface move, but clearly something subtle is happening. I'd like to understand why before trying again.

Thanks for any insight — especially from folks who have swapped NICs on existing installs.
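One way to answer the "stale interface bindings" question before trying the move again is to search config.xml itself for anything that still names the old device. The script below is an added example (mine, not code from tdpolo26's post or from the OPNsense project). It relies on one real fact about OPNsense's config.xml layout, that each logical interface's physical device lives in `<interfaces>/<name>/<if>`; the sample document embedded in it is constructed, and its `<vlans>` entry exists only to show what a leftover reference outside `<interfaces>` looks like.

```python
"""Find leftover references to a physical NIC in an OPNsense config.xml.

Added illustration, not code from the forum post or from OPNsense itself.
Assumes the real config.xml layout, where the physical device of each logical
interface sits in <interfaces>/<name>/<if>. The sample below is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: WAN on the new card, LAN still on the onboard em0, the
# renumbered onboard port parked as opt1. The <vlans> entry is here only to
# show what a lingering reference outside <interfaces> looks like.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em0</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb4</if><descr>ONBOARD_OLD</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><vlanif>vlan0.10</vlanif></vlan>
  </vlans>
</opnsense>
"""

# Path of a normal assignment, which is expected to name the device.
ASSIGNMENT_PATH = re.compile(r"^opnsense/interfaces/[^/]+/if$")


def assignments(xml_text):
    """Map logical interface name -> physical device, e.g. {'lan': 'em0'}."""
    root = ET.fromstring(xml_text)
    result = {}
    for node in root.findall("./interfaces/*"):
        phys = (node.findtext("if") or "").strip()
        if phys:
            result[node.tag] = phys
    return result


def references(xml_text, nic):
    """Every element whose text names `nic`, alone or inside a comma/space list.

    Returns (path, text) pairs in document order, including the assignment
    itself, so the caller decides what counts as stale.
    """
    root = ET.fromstring(xml_text)
    hits = []

    def walk(node, path):
        text = (node.text or "").strip()
        if text and nic in re.split(r"[,\s]+", text):
            hits.append((path, text))
        for child in node:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits


def lingering(xml_text, nic):
    """References to `nic` other than its own <interfaces>/<x>/<if> assignment.

    After moving LAN from em0 to igb1 in Interfaces > Assignments, anything
    returned here still points at the old device and deserves a look.
    """
    return [p for p, _ in references(xml_text, nic) if not ASSIGNMENT_PATH.match(p)]


if __name__ == "__main__":
    # Usage on the firewall: python3 nicscan.py /conf/config.xml em0
    if len(sys.argv) == 3:
        text = open(sys.argv[1], encoding="utf-8").read()
        nic = sys.argv[2]
    else:
        text, nic = SAMPLE_CONFIG, "em0"   # offline demo on the constructed sample
    for logical, phys in assignments(text).items():
        print(f"{logical:<6} -> {phys}")
    for path in lingering(text, nic):
        print(f"still references {nic}: {path}")
```

Run it against a copy of /conf/config.xml taken before and after the reassignment; the assignment map shows which logical name now sits on which device, and the lingering list is the set of places to clean up or re-save from the GUI. It only sees the saved configuration, so runtime state such as NAT and pf rules generated from it still needs a look with the usual tools on the box.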
#82
General Discussion / Re: NAXSI
Last post by someone - December 27, 2025, 01:50:28 AM
You guys are great, and so is the forum.
So I want to mention something, if you don't mind; I am not always watching.
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages.
This checks the forum for some types of malware, should a bad guy do such a thing.
This is checking for embedded software in icons and photos and anything uploaded.
It is undetectable by programs; it takes me days with specialized hacking programs and AI to check a single small photo.
CyberChef and a couple of others and Google AI really speed it up.
So I wanted to mention that watching connections is a way faster method in one respect.
Files are another thing; thought I would mention it.
#83
General Discussion / Re: Struggles scripting with t...
Last post by allddd - December 27, 2025, 01:24:14 AM
Quote from: ASteve on December 27, 2025, 12:16:30 AM: and triggers an action if either of the upstream gateways is down.

Not sure about the API, but have you considered using Monit? It's designed to do exactly that.
It can notify you, execute a script, or basically do anything else you want it to.

https://docs.opnsense.org/manual/monit.html
#84
General Discussion / Struggles scripting with the r...
Last post by ASteve - December 27, 2025, 12:16:30 AM
I want to write a script that polls my OPNsense server [Version 22.7.11] and triggers an action if either of the upstream gateways is down. Essentially, I want a 'health check' of my (two) internet connections from a script on my local LAN.

My first idea was to use the published REST API. I configured a user, generated an API key and started to experiment with the APIs I found in the documentation.

I was able to use curl to GET from https://$OPNSENSEHOST/api/core/firmware/status, which yielded sensible-looking JSON. Things didn't go so well when I tried to find an API call to give me the status of my two gateway interfaces. For example, I tried using https://$OPNSENSEHOST/api/interfaces/overview/export, but it returned code 400 with the message: "controller OPNsense\\Interfaces\\Api\\OverviewController not found". I'm not sure why, as this API call does seem to have (sparse) documentation.

  • Am I misinterpreting the API documentation?
  • Does OPNsense support scripted (RESTful) queries about the status of gateway interfaces? (I'm running the dpinger Gateway Monitor services, and the information I want in my script is presented in the dashboard under "Gateways".)
  • Is the REST API the best way to query gateway status from a script run on a host on my LAN?


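The health check ASteve describes, as an added example in Python (mine, not the poster's script and not OPNsense project code). Taken from the post: API key and secret are sent as HTTP Basic credentials, which is how the working firmware/status call already authenticated. Assumed, and to be verified on your release since endpoints differ between versions: the path `/api/routes/gateway/status` and a response of the shape `{"items": [{"name": ..., "status": ...}, ...]}`, where `status` carries dpinger's verdict (`none` when healthy, otherwise `down`, `loss`, `delay` or `force_down`). The sample response in the block is constructed.

```python
"""Poll OPNsense gateway health over the REST API and run a hook when one is down.

Added illustration, not the forum poster's script or OPNsense project code.
Real: API keys authenticate as HTTP Basic with the key as user name and the
secret as password. Assumed: the endpoint /api/routes/gateway/status and its
response shape {"items": [{"name": ..., "status": ...}, ...]} with dpinger's
verdict in "status" ("none" when healthy, "down", "loss", "delay",
"force_down"). Verify both on your release.
"""
import base64
import json
import os
import ssl
import subprocess
import sys
import urllib.request

GATEWAY_STATUS_PATH = "/api/routes/gateway/status"   # assumption, see above
HEALTHY = {"none"}
DOWN = {"down", "force_down"}

# Constructed sample response in the assumed shape: one gateway up, one down.
SAMPLE_STATUS = {
    "items": [
        {"name": "WAN_DHCP", "address": "203.0.113.1", "status": "none",
         "loss": "0.0 %", "delay": "12.3 ms"},
        {"name": "WAN2_PPPOE", "address": "198.51.100.1", "status": "down",
         "loss": "100.0 %", "delay": "~"},
    ],
    "status": "ok",
}


def basic_auth_header(key, secret):
    """OPNsense API keys are plain HTTP Basic credentials: base64(key:secret)."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return "Basic " + token


def fetch_gateway_status(host, key, secret, ca_file=None):
    """GET the (assumed) gateway status endpoint and return the decoded JSON.

    TLS stays verified; pass ca_file for a self-signed web GUI certificate
    instead of disabling verification, since the API secret rides on this call.
    """
    req = urllib.request.Request(f"https://{host}{GATEWAY_STATUS_PATH}")
    req.add_header("Authorization", basic_auth_header(key, secret))
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def classify(payload):
    """Split gateways into down / degraded / healthy by the assumed status field.

    Unknown or missing status values count as degraded, so a schema change on
    upgrade shows up as an alert rather than as a silent "all fine".
    """
    verdict = {"down": [], "degraded": [], "healthy": []}
    for gw in payload.get("items", []):
        name = gw.get("name", "?")
        status = str(gw.get("status", "")).lower()
        if status in DOWN:
            verdict["down"].append(name)
        elif status in HEALTHY:
            verdict["healthy"].append(name)
        else:
            verdict["degraded"].append(name)
    return verdict


def run_hook(hook, names):
    """The local action: run `hook` with the down gateway names as arguments."""
    return subprocess.run([hook, *names], check=False).returncode


if __name__ == "__main__":
    # Usage: OPNSENSE_HOST=fw.example.net OPNSENSE_KEY=... OPNSENSE_SECRET=... \
    #        GATEWAY_DOWN_HOOK=/usr/local/bin/failover-alert python3 gwcheck.py
    host = os.environ.get("OPNSENSE_HOST")
    key, secret = os.environ.get("OPNSENSE_KEY"), os.environ.get("OPNSENSE_SECRET")
    hook = os.environ.get("GATEWAY_DOWN_HOOK")
    if host and key and secret:
        payload = fetch_gateway_status(host, key, secret, os.environ.get("OPNSENSE_CA"))
    else:
        payload = SAMPLE_STATUS          # offline demo on the constructed sample
    verdict = classify(payload)
    print(json.dumps(verdict, indent=2))
    if verdict["down"] and hook:
        sys.exit(run_hook(hook, verdict["down"]))
    sys.exit(1 if verdict["down"] else 0)
```

Create the API key for a dedicated user with only the privileges the status call needs, and keep the secret out of the crontab line (environment file or a secrets store), because whoever reads it can call every endpoint that user is allowed to. The exit code doubles as a result for cron or Monit, which is the alternative allddd suggests above.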
#85
General Discussion / Re: change the Web UI certific...
Last post by mccasian - December 26, 2025, 11:57:40 PM
Hi ProximusAl

You made my day, thank you very much. I can now update the firewall certificate in place. It still does not solve changing the Web UI certificate via the API, but once the correct certificate is selected in the UI, being able to renew it in place through the API is sufficient for me.

For anyone looking for the cURL way of updating the certificate in-place, here it is:
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json

{"cert":
    {
        "action":"import",
        "descr":"dummy_description",
        "cert_type":"usr_cert",
        "private_key_location":"firewall",
        "crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
        "prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
        "csr_payload":""
    }   
}


Best regards
Casian
#86
General Discussion / Re: Set WebUI Certificate via ...
Last post by mccasian - December 26, 2025, 11:52:33 PM
Hi

I am afraid you can't do that, not yet.
But what you can do, is to manually set your WebUI certificate using the UI, and then update it in-place whenever you want. Use identical body as for "/add" but point it to "/set/<type_here_the_uuid_you_find_with_search_request>"

###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json

{"cert":
    {
        "action":"import",
        "descr":"testdummy3",
        "cert_type":"usr_cert",
        "private_key_location":"firewall",
        "crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
        "prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
        "csr_payload":""
    }   
}

Best regards
Casian
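The in-place renewal from the two posts above, wrapped in a Python script as an added example (mine, not Casian's request and not OPNsense project code). The `/api/trust/cert/set/<uuid>` call and its `import` body are exactly what the posts show. Assumed, because the posts only say the uuid comes from "a search request": the endpoint `/api/trust/cert/search` and a response of the shape `{"rows": [{"uuid": ..., "descr": ...}]}`. The PEM strings and the search response in the block are constructed placeholders, not a real key pair.

```python
"""Renew the web GUI certificate in place through the trust API.

Added illustration, not Casian's request or OPNsense project code.
From the posts: POST /api/trust/cert/set/<uuid> with the "import" body.
Assumed: /api/trust/cert/search returning {"rows": [{"uuid": ..., "descr": ...}]}
to look the uuid up by description. PEM data below is a constructed placeholder.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request

SEARCH_PATH = "/api/trust/cert/search"        # assumed
SET_PATH = "/api/trust/cert/set/{uuid}"        # from the posts

PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_KEY_BEGINS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----")

# Constructed placeholders so the module runs offline; not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_SEARCH = {
    "rows": [
        {"uuid": "f3a1c0de-0000-4000-8000-000000000001", "descr": "Web GUI TLS certificate"},
        {"uuid": "f3a1c0de-0000-4000-8000-000000000002", "descr": "OpenVPN server"},
    ],
    "rowCount": 2, "total": 2, "current": 1,
}


def pem_looks_valid(cert_pem, key_pem):
    """Cheap check before shipping a key to the firewall: both blobs are PEM of
    the expected kind. It does not prove that the key belongs to the certificate."""
    c, k = cert_pem.strip(), key_pem.strip()
    return (c.startswith(PEM_CERT_BEGIN) and c.endswith("-----END CERTIFICATE-----")
            and any(k.startswith(b) for b in PEM_KEY_BEGINS) and "-----END " in k)


def build_payload(descr, cert_pem, key_pem):
    """Body for /api/trust/cert/set/<uuid>, identical to the import body in the posts."""
    if not pem_looks_valid(cert_pem, key_pem):
        raise ValueError("certificate or key is not PEM of the expected type")
    return {"cert": {
        "action": "import",
        "descr": descr,
        "cert_type": "usr_cert",
        "private_key_location": "firewall",
        "crt_payload": cert_pem,
        "prv_payload": key_pem,
        "csr_payload": "",
    }}


def find_uuid(search_response, descr):
    """uuid of the single entry whose description matches exactly; None if absent or ambiguous."""
    matches = [r.get("uuid") for r in search_response.get("rows", []) if r.get("descr") == descr]
    return matches[0] if len(matches) == 1 else None


def api_call(host, key, secret, path, body=None, ca_file=None):
    """GET (no body) or POST JSON to the OPNsense API with key/secret as HTTP Basic."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"https://{host}{path}", data=data,
                                 method="POST" if data else "GET")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode())
    if data:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=ca_file)   # verified TLS: the key is in the body
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def renew_in_place(host, key, secret, descr, cert_pem, key_pem, ca_file=None):
    """Look the certificate up by description, then overwrite it with the new pair."""
    uuid = find_uuid(api_call(host, key, secret, SEARCH_PATH, ca_file=ca_file), descr)
    if uuid is None:
        raise LookupError(f"no single certificate named {descr!r}")
    return api_call(host, key, secret, SET_PATH.format(uuid=uuid),
                    build_payload(descr, cert_pem, key_pem), ca_file)


if __name__ == "__main__":
    # Usage: OPNSENSE_HOST=fw OPNSENSE_KEY=... OPNSENSE_SECRET=... \
    #        python3 renew_cert.py "Web GUI TLS certificate" fullchain.pem privkey.pem
    env = {v: os.environ.get(v) for v in ("OPNSENSE_HOST", "OPNSENSE_KEY", "OPNSENSE_SECRET")}
    if len(sys.argv) == 4 and all(env.values()):
        descr, cert_file, key_file = sys.argv[1:]
        print(json.dumps(renew_in_place(env["OPNSENSE_HOST"], env["OPNSENSE_KEY"],
                                        env["OPNSENSE_SECRET"], descr,
                                        open(cert_file).read(), open(key_file).read(),
                                        os.environ.get("OPNSENSE_CA"))))
    else:
        body = build_payload("Web GUI TLS certificate", SAMPLE_CERT, SAMPLE_KEY)
        body["cert"]["prv_payload"] = "<redacted>"   # never print the key
        print("uuid:", find_uuid(SAMPLE_SEARCH, "Web GUI TLS certificate"))
        print(json.dumps(body, indent=2))
```

Two points worth keeping in mind with this call: the private key travels in the request body, so the TLS connection to the firewall must be verified (pin the GUI CA with `ca_file` rather than skipping verification), and the API key used for it can replace any certificate on the box, so it belongs to a dedicated user with the narrowest privileges the trust pages require.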
#87
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by muchacha_grande - December 26, 2025, 11:46:31 PM
Finally I went with changing the local IPv6 addresses to a ULA range, keeping NAT66.

I didn't implement ndp-proxy-go yet, because as soon as I started to plan the migration I realized that the amount of work to be done was too much.

My main goal was to migrate from ISC to Dnsmasq, and now it's working fine with DHCPv4 and DHCPv6; RA and static entries are being assigned.

In a future iteration I will implement ndp-proxy-go.

The only caveat is that statically configured addresses are not resolved by Dnsmasq, so I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP, name resolution works with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, name resolution doesn't work.
With ISC DHCP, name resolution worked both for static IPs configured on the devices and for IPs assigned via DHCP.
#88
25.7, 25.10 Series / Re: reboot will reset the conf...
Last post by gspannu - December 26, 2025, 10:00:15 PM
Quote from: vijay on December 26, 2025, 12:54:27 PM: Hi All

I have already tried all steps but no luck, Just FYI I am installing opnsense in OCI cloud linux server

If you detail what steps you have done, it may be easier to diagnose your issues.

As a start, can you confirm that you
- have actually installed OPNsense; and not just running this in live mode?
- have removed the drive/image you installed from, and confirm that your OPNsense instance has actually booted up from the 'installed' drive?
#89
German - Deutsch / Re: BGP Prefix Lists filtern
Last post by Crunk_Bass - December 26, 2025, 09:02:09 PM
It was indeed a beginner's mistake.
I assumed that when specifying the prefix size with le 16, le (less or equal) would refer to the network size.
In fact it refers, logically, to the number. And the number gets larger as the network gets smaller.

So I simply replaced le with ge, and it worked.
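The le/ge mix-up above is easy to check in code. What follows is an added example (mine, not from the thread and not FRR's code) that implements the prefix-list matching rule as FRR and Quagga apply it: a route matches an entry when it lies inside the entry prefix and its prefix length falls in the range [ge, le]; with only `le` the lower bound is the entry's own length, with only `ge` the upper bound is the address family's maximum (32 or 128), and with neither the length must match exactly. On `10.0.0.0/8 le 16` that range is /8 to /16, so a /24 inside it never matches; `ge 16` gives /16 to /32, which is what Crunk_Bass needed.

```python
"""Which prefix lengths an `ip prefix-list ... ge N le M` entry really matches.

Added illustration, not from the forum thread and not FRR code. Implements the
FRR/Quagga rule: the route must lie inside the entry prefix, and its length
must be within [ge, le]; only-le means [entry length, le], only-ge means
[ge, max], neither means an exact length match. Sample routes are constructed.
"""
import ipaddress


def matched_lengths(entry, ge=None, le=None):
    """Inclusive (low, high) prefix-length range an entry with these bounds covers.

    Ranges that do not widen the entry (ge or le at or below the entry length,
    or ge above le) are rejected here, as FRR rejects them at configuration time.
    """
    net = ipaddress.ip_network(entry, strict=False)
    if ge is None and le is None:
        return net.prefixlen, net.prefixlen
    for bound in (ge, le):
        if bound is not None and not (net.prefixlen < bound <= net.max_prefixlen):
            raise ValueError(f"{entry}: need {net.prefixlen} < ge/le <= {net.max_prefixlen}")
    if ge is not None and le is not None and ge > le:
        raise ValueError(f"{entry}: ge {ge} must not exceed le {le}")
    lo = net.prefixlen if ge is None else ge
    hi = net.max_prefixlen if le is None else le
    return lo, hi


def prefix_matches(entry, route, ge=None, le=None):
    """True when `route` is inside `entry` and its length is within the ge/le range."""
    net = ipaddress.ip_network(entry, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    if r.version != net.version or not r.subnet_of(net):
        return False
    lo, hi = matched_lengths(entry, ge, le)
    return lo <= r.prefixlen <= hi


def evaluate(prefix_list, route):
    """First-match evaluation of [(action, entry, ge, le), ...] with an implicit deny."""
    for action, entry, ge, le in prefix_list:
        if prefix_matches(entry, route, ge, le):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed routes as they might arrive from an upstream peer.
    routes = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24", "192.0.2.0/24"]
    for label, ge, le in (("le 16", None, 16), ("ge 16", 16, None), ("ge 16 le 24", 16, 24)):
        lo, hi = matched_lengths("10.0.0.0/8", ge, le)
        hits = [r for r in routes if prefix_matches("10.0.0.0/8", r, ge, le)]
        print(f"10.0.0.0/8 {label:<12} covers /{lo}../{hi}: {hits}")
```

Read the output next to the filter you wrote: the `le` form matches the aggregate and anything down to /16 but not the /24 routes that were supposed to be filtered, while `ge` matches the more-specifics and leaves the /8 itself out, so choose by the lengths you want to let through rather than by how "big" the network feels.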
#90
German - Deutsch / Re: FireHOL IP-Blocklisten per...
Last post by juergen2025 - December 26, 2025, 08:00:18 PM
With your hints I was able to implement the rules/aliases correctly and get the desired behaviour on the LAN working cleanly.

It now runs as expected.

Thanks for the help, very good community!