"Recent posts
#81
25.7, 25.10 Series / Re: IPv6 link-local route does...
Last post by matt335672 - January 22, 2026, 03:12:19 PMThanks both.
I was using PD with ISC dhcpd for this, and it was working (mostly) fine. For what I'm doing there's no advantage in using PD really, so I'd like to get the static routes working.
I'm not keen on messing around with my primary router for this, so I'll try setting up a VM with just my static routes on it and see what happens. There are only 3. If I can reproduce it on that, it should make a fault report easier.
I was using PD with ISC dhcpd for this, and it was working (mostly) fine. For what I'm doing there's no advantage in using PD really, so I'd like to get the static routes working.
I'm not keen on messing around with my primary router for this, so I'll try setting up a VM with just my static routes on it and see what happens. There are only 3. If I can reproduce it on that, it should make a fault report easier.
#82
26.1 Series / Re: Upgrade to RC1 successful
Last post by patient0 - January 22, 2026, 03:00:08 PMSame for me, I did pgrades two OPNsense installation.
One from an installation which was on the Development channel, by switching as France explained, no issue.
The other was on the Dev channel too (not that it matters), exported config (to be sure) and reinstalled using the DVD ISO. The config was found on the ZFS pool and installation when smooth, and with the config found on the ZFS pool.
The only confusing thing was that after the installation and before the reboot the text on the console told me that the OPNsense GUI will be reachable on 192.168.1.1. That specific installation is IPv6 only, so I wasn't sure if the config was applied correctly - but it was.
One from an installation which was on the Development channel, by switching as France explained, no issue.
The other was on the Dev channel too (not that it matters), exported config (to be sure) and reinstalled using the DVD ISO. The config was found on the ZFS pool and installation when smooth, and with the config found on the ZFS pool.
The only confusing thing was that after the installation and before the reboot the text on the console told me that the OPNsense GUI will be reachable on 192.168.1.1. That specific installation is IPv6 only, so I wasn't sure if the config was applied correctly - but it was.
#83
26.1 Series / Upgrade to RC1 successful
Last post by Maurice - January 22, 2026, 02:46:28 PMJust a quick report that I upgraded from the 25.7.11 development version to 26.1.r1, so far without issues.
Switching back to Community doesn't replace the automatically installed os-isc-dhcp-devel plugin with the non-devel version, but I think that's expected. It's an additional manual step which might be worth mentioning in the upgrade instructions.
I keep hostwatch disabled for the time being, so no statement about that.
Cheers
Maurice
Switching back to Community doesn't replace the automatically installed os-isc-dhcp-devel plugin with the non-devel version, but I think that's expected. It's an additional manual step which might be worth mentioning in the upgrade instructions.
I keep hostwatch disabled for the time being, so no statement about that.
Cheers
Maurice
#84
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - January 22, 2026, 01:59:44 PMSo https://github.com/opnsense/ports/commit/a1996a8fe27 is coming to 26.1-RC2 soon. That more or less concludes 1.)
For 2.) I'll publish new patch instructions after 26.1 is out. I think they don't apply cleanly in all cases anymore since there were more moving parts and some things from the patch have been extracted and moved to the master branch because they were safe as is.
Thanks,
Franco
For 2.) I'll publish new patch instructions after 26.1 is out. I think they don't apply cleanly in all cases anymore since there were more moving parts and some things from the patch have been extracted and moved to the master branch because they were safe as is.
Thanks,
Franco
#85
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - January 22, 2026, 01:38:43 PMhttps://github.com/opnsense/hostwatch/commit/482b45ce is on the way but not in 1.0.6.
For specific issues it may make sense to raise a ticket, but multiple versions are in flight now so it would be better to wait for the final one that's going into 26.1 to make reports on.
Cheers,
Franco
For specific issues it may make sense to raise a ticket, but multiple versions are in flight now so it would be better to wait for the final one that's going into 26.1 to make reports on.
Cheers,
Franco
#86
Announcements / Re: OPNsense 26.1-RC1 released
Last post by franco - January 22, 2026, 01:00:56 PMThe upgrade path from the development version was successfully tested and unlocked now.
To go to 26.1-RC1 from 25.7.11 switch firmware settings type to "Development", save, check for updates and install. Then check for updates again to do the upgrade. After successful upgrade switch back to "Community" and save and check for updates and install to land on 26.1-RC1.
You can then either remove the ISC-DHCP plugin altogether (if you are sure you don't use it -- it provides automatic DHCPv6 servers to LANs in some cases) or switch the plugin to the non-devel version from the plugins tab.
Please note we do not vet upgrades with third party plugins and repositories.
To go to 26.1-RC1 from 25.7.11 switch firmware settings type to "Development", save, check for updates and install. Then check for updates again to do the upgrade. After successful upgrade switch back to "Community" and save and check for updates and install to land on 26.1-RC1.
You can then either remove the ISC-DHCP plugin altogether (if you are sure you don't use it -- it provides automatic DHCPv6 servers to LANs in some cases) or switch the plugin to the non-devel version from the plugins tab.
Please note we do not vet upgrades with third party plugins and repositories.
#87
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by meyergru - January 22, 2026, 12:59:59 PMI now installed 1.0.6 and re-enabled the service again. It works and CPU is not at 100%, but there is a hefty number of disk writes in bursts every minute and also, the SQLite db journal file is deleted after each transaction data batch has been committed. Using rollback capability in such a way incurs a huge penalty on writes, especially on ZFS.
Just a guess here: But I think that SQL rollback capability is not needed for this purpose and when I glanced at the hostwatch code, I found that the journaling mode is WAL, where other modes (like MEMORY or even OFF) might be more appropriate.
On a side note: I had some strange effects with the old version of the service - namely, that my own ping-based discovery tool suddenly had entries for every IP in the subnet active. Don't ask, IDK why or how this happened. I just disabled the service for the time being.
Just a guess here: But I think that SQL rollback capability is not needed for this purpose and when I glanced at the hostwatch code, I found that the journaling mode is WAL, where other modes (like MEMORY or even OFF) might be more appropriate.
On a side note: I had some strange effects with the old version of the service - namely, that my own ping-based discovery tool suddenly had entries for every IP in the subnet active. Don't ask, IDK why or how this happened. I just disabled the service for the time being.
#88
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by iMx - January 22, 2026, 12:03:51 PMInstalled the latest version: hostwatch-1.0.6.pkg
Writes, for me, seem to be more or less the same. Not clear whether this is just 'how things will be' with this service enabled.
But, for completeness, screenshot added again. Set to 'All' interfaces which is:
If I filter out the various VPNs, WAN - cable modem on the WAN, so can be noisy on the front end - it's then 'Initialized 11 packet device_captures', writes roughly half - as should probably be expected.
... with only a handful of interfaces, or only a handful enabled for this service, the writes are probably negligible.
But the writes do seem to be constant when monitoring with 'zpool iostat -v 1' - for me, whilst it is an Enterprise SSD, I think I can live without the convenience this service is designed to bring.
Not seeing any signs of logs etc growing in size, nor CPU spikes.
Writes, for me, seem to be more or less the same. Not clear whether this is just 'how things will be' with this service enabled.
But, for completeness, screenshot added again. Set to 'All' interfaces which is:
Code Select
Initialized 21 packet device_capturesIf I filter out the various VPNs, WAN - cable modem on the WAN, so can be noisy on the front end - it's then 'Initialized 11 packet device_captures', writes roughly half - as should probably be expected.
... with only a handful of interfaces, or only a handful enabled for this service, the writes are probably negligible.
But the writes do seem to be constant when monitoring with 'zpool iostat -v 1' - for me, whilst it is an Enterprise SSD, I think I can live without the convenience this service is designed to bring.
Not seeing any signs of logs etc growing in size, nor CPU spikes.
#89
Tutorials and FAQs / [HOWTO] OPNSense monit email a...
Last post by sevet - January 22, 2026, 11:43:58 AMVery basic adding alerts on certificate fail, to know before your users and before its an issue.
There were about two topics on this which are closed and no actual answer.
Prequisites:
Have working ACME setup
Get monit service to work and send mail (there are many howtos on this)
What to do:
In monit settings Create a new test in "Service Test Settings":
Name: Acme_failed
condition: content = "failed"
Action: Alert
Create new in monit "Service Settings"
Name: Acme_failed
type: File
Path: /var/log/system/latest.log
Tests: select the test you created: "Acme_failed", you can probably add here all tests that look in the general log to this setting.
In the monit "Alert Settings" edit your working alert or create a new working one.
Events: Add "Content failed"
Thats it, don't forget to save and apply to everything (i alwas fail on this LOL)
Just an example of my Mail format in the alert:
reply-to: opnsense@xxxxx.co
From: FireWall <xxxx@xxxxx.co>
Subject: OPNSense $HOST Alerts $SERVICE
Message:
$HOST
$EVENT
$SERVICE
$DATE
$DESCRIPTION
$ACTION
Yes i know looking for "failed" in the general logs could be an issue, but i'm only getting alerts on ACME "failed" so worse case i will get something else which have failed which i don't know even exist, thats good as long as i'm not spammed with "failed" email alerts.
You can probably have some regexp that will look for ACME and failed.
There were about two topics on this which are closed and no actual answer.
Prequisites:
Have working ACME setup
Get monit service to work and send mail (there are many howtos on this)
What to do:
In monit settings Create a new test in "Service Test Settings":
Name: Acme_failed
condition: content = "failed"
Action: Alert
Create new in monit "Service Settings"
Name: Acme_failed
type: File
Path: /var/log/system/latest.log
Tests: select the test you created: "Acme_failed", you can probably add here all tests that look in the general log to this setting.
In the monit "Alert Settings" edit your working alert or create a new working one.
Events: Add "Content failed"
Thats it, don't forget to save and apply to everything (i alwas fail on this LOL)
Just an example of my Mail format in the alert:
reply-to: opnsense@xxxxx.co
From: FireWall <xxxx@xxxxx.co>
Subject: OPNSense $HOST Alerts $SERVICE
Message:
$HOST
$EVENT
$SERVICE
$DATE
$DESCRIPTION
$ACTION
Yes i know looking for "failed" in the general logs could be an issue, but i'm only getting alerts on ACME "failed" so worse case i will get something else which have failed which i don't know even exist, thats good as long as i'm not spammed with "failed" email alerts.
You can probably have some regexp that will look for ACME and failed.
#90
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - January 22, 2026, 11:19:26 AMThanks for testing! <3
sqlite db is /var/db/hostwatch/hosts.db
latest symlink is added by a cron job or
# configctl syslog archive
Cheers,
Franco
sqlite db is /var/db/hostwatch/hosts.db
latest symlink is added by a cron job or
# configctl syslog archive
Cheers,
Franco
