Recent posts

#81
General Discussion / Re: Adding a VLAN to a transpa...
Last post by Patrick M. Hausen - January 06, 2026, 04:17:53 PM
IMHO you should (if you did not already) place an IP address in the 192.168.1.0/24 network on the bridge interface and configure the ISP router as the default gateway.

With that in place you need:

- an IN permit rule on the new VLAN interface
- a NAT rule on the bridge interface with the new VLAN as source network
#82
General Discussion / Re: Adding a VLAN to a transpa...
Last post by Taro - January 06, 2026, 04:13:56 PM
This is where I am stuck at the moment. I have added the VLAN and created an interface on it. DHCP works also.

IP of the interface is 192.168.20.1. I can ping this one from a test client within.
After adding an interface to the untagged VLAN (192.168.1.10) I can now ping this address from the VLAN20 test client, however I can't ping any other client in the untagged network or the ISP router.

I have yet to find a Rule that allows this or is there any other config needed? I've tried an allow all rule in both directions for testing on the IN interface but this did not help.


#83
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by carepack - January 06, 2026, 03:51:28 PM
ok, opnsense doin' the job right already. Thanks again!
#84
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by Patrick M. Hausen - January 06, 2026, 03:48:50 PM
None at all. All of this works out of the box.
#85
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by carepack - January 06, 2026, 03:43:34 PM
Ok. Thx Patrick. It seems we have the same setup with Telekom, VLAN 7, PPPoE. May I ask what MTU values you defined and entered in your setup for

1. physical adapter =
2. vlan adapter =
3. pppoe mtu in pppoe config not wan =

This would be a big help to me. Thank you!

@meyergru
Thx for the information. In first place the IP was another one: 1.1.1.1. But I get really strange values running the script with an external IP. Maximum MTU size would then be 3654, which looks incorrect to me. IIRC 192.168.1.1 is the IP of my modem, but you're right. Also makes no sense testing with that.
#86
25.7, 25.10 Series / Re: static IP configured on ho...
Last post by meyergru - January 06, 2026, 03:41:51 PM
Be careful with "new" Unbound host overrides, though: https://github.com/opnsense/core/issues/9587
#87
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by meyergru - January 06, 2026, 03:31:21 PM
1. It is correct that normally, with modern adapters, 1504 MTU is always possible, so you usually can add 4 bytes of VLAN tags without further ado. However, this was not the case with early Ethernet equipment before the advent of 802.1q and also, for the sake of the argument that you should calculate the VLAN overhead, this will come to an end if you use QinQ. ISP equipment can do anything it likes, too. For example, German ISP Telekom does not like packets larger than 1504, so you cannot apply the guide there and have a net MTU of 1500 bytes - no matter what - I added a disclaimer for Telekom in the guide.

2. What OPNsense does by default with its calculations and/or fragmentation and what the FreeBSD kernel does has changed over time and releases and AFAIK, will again change with 15.x, see this for an example.

For good measure, I like to apply explicit values and even then, the returned values of "ifconfig" sometimes do not reflect the GUI settings.
I mentioned that in the guide by saying: test the effective settings after a reboot and also test what actually works - I have seen the results change from checking directly after I applied them and after a reboot. This is especially true when a "stack" of interfaces like WAN (pppoe) -> VLAN -> physical NIC is in play.

BTW: Testing against a local IP like 192.168.1.1 does not make sense for a WAN optimization, but after having said that, it should always yield 1500 bytes. To enable a WAN MTU of the same size as the usual WAN MTU, to avoid fragmentation with all of its issues is the main goal in the first place. If even your LAN MTU differs, it would be useless. If you get a 1226 byte MTU with the supplied script to a local IP, something seems way off.

#88
25.7, 25.10 Series / Re: static IP configured on ho...
Last post by Patrick M. Hausen - January 06, 2026, 03:25:47 PM
You are not doing anything wrong. Add a host override entry to Unbound. If the container/VM/whatever does not get its IP address from DHCP, OPNsense simply does not know about it.
#89
25.7, 25.10 Series / static IP configured on host a...
Last post by zyghom - January 06, 2026, 03:21:21 PM
hi,

I have many hosts (actually probably all) that are either VMs or CTs on Proxmox.
When I manually set an IP address for them, they are not being resolved by nslookup or so.
It is not the case when I either:
1- assign their IP by DHCP (dnsmasq on Opnsense) in Proxmox or
2- add them to hosts (static) on dnsmasq on Opnsense

So imagine VM with hostname signal, its IP is set on Proxmox as 192.168.10.3/24, DNS search on Proxmox is "localdomain"
Opnsense general settings domain: "localdomain"
When container starts it is not being registered by either Unbound or Dnsmasq (it does not ask for IP, right?)
I can ping it using IP but cannot ping as signal or signal.localdomain

No issue if I set DHCP on Proxmox for this container or if I set it as static host on Dnsmasq

What am I doing wrong?
Where is the problem?

thank you
#90
General Discussion / Re: Native NAT64 support
Last post by Maurice - January 06, 2026, 03:05:51 PM
Welcome to the forum, apalrd! Nice to see you here. And thanks for the clarifications.

Would it make sense to change the default udp-cksum-mode? Either in Tayga itself or in the OPNsense plugin.
While this won't magically solve all IPsec related issues, it seems to unbreak some real-world use cases (as reported by @overbored).

Cheers
Maurice

(author of the OPNsense Tayga NAT64 how-to)