"Recent posts
#81
26.1 Series / Re: Firewall rules migration
Last post by julsssark - January 23, 2026, 11:33:58 PMThanks Franco. Those patches solved the destination field validation issue. I tested after installing the patches and the default rules with "any" imported correctly without error.
Thanks Cedrik. Your changes to the instructions help. I agree with your point that checkboxes with "disable" as their name are confusing. If there is a desire to fix those settings in a future release, I am happy to test and update docs.
In playing around with the new rules layout, I noticed that if a rule is deactivated, the controls for that row are also dimmed. The controls work so they should be enabled. See the enclosed screenshot. I saw the same behavior with Safari and Firefox.
Do the imported rules and the system-generated rules have the same rule numbers in the new engine as they do in the old one? If the rule numbers can change, it would be helpful to add that to the docs, especially for people who use syslog servers and have logic based on firewall rule numbers.
Thanks Cedrik. Your changes to the instructions help. I agree with your point that checkboxes with "disable" as their name are confusing. If there is a desire to fix those settings in a future release, I am happy to test and update docs.
In playing around with the new rules layout, I noticed that if a rule is deactivated, the controls for that row are also dimmed. The controls work so they should be enabled. See the enclosed screenshot. I saw the same behavior with Safari and Firefox.
Do the imported rules and the system-generated rules have the same rule numbers in the new engine as they do in the old one? If the rule numbers can change, it would be helpful to add that to the docs, especially for people who use syslog servers and have logic based on firewall rule numbers.
#82
25.7, 25.10 Series / Re: OPNsense 25.7.10 . Noti...
Last post by pfry - January 23, 2026, 10:53:05 PMQuote from: dmacgowan on January 23, 2026, 08:33:54 PM[...]It would appear that the program doesn't know what to do with a negative temperature reading. It certainly isn't overheating in my -28 degree C garage in the middle of winter.
Impressive. I'd really worry about thermal shock.
Sheesh. It's about to freeze here. I have a cheap house, so I'd be in a bad way if it got down that low. And now I'm off to try to keep the ice buildup on my porch to a minimum.
#83
25.7, 25.10 Series / Re: WAN has no IPv6 connectivi...
Last post by andicniko - January 23, 2026, 10:40:37 PMConfirming that specifying an "Optional prefix ID" fixed my issues.
That's a very useful explanation you linked to as well. Thank you.
That's a very useful explanation you linked to as well. Thank you.
#84
25.7, 25.10 Series / Re: IPv4 ONLY Firewall Setup w...
Last post by meyergru - January 23, 2026, 10:37:35 PMThank you for taking the time to document your experience in detail. It is clear you have invested significant effort into troubleshooting, and the level of detail is appreciated.
That said, in its current form this report does not describe a demonstrable software defect in OPNsense, Kea, or dnsmasq, but rather a set of symptoms that are most commonly associated with layer-2 topology or virtualization configuration issues—particularly in Proxmox environments.
A few observations that are important to clarify:
OPNsense does not require IPv6 to be enabled for IPv4 DHCP to function correctly. IPv4-only deployments with multiple LAN interfaces are widely deployed and fully supported.
If a DHCP client briefly receives a gateway address belonging to a different interface, that almost always indicates that the interfaces are not properly isolated at layer-2 (for example, multiple interfaces attached to the same Proxmox bridge, shared subnets across interfaces, or unintended bridging).
DHCP servers do not "forward" router addresses between interfaces. If a client sees an address from another interface, it is responding to a broadcast originating from the same L2 domain.
To move this forward constructively, the following information would be required before this can be treated as a potential bug:
Without this information, it is not possible to distinguish between a software defect and a topology issue. To date, there is no known regression in OPNsense 24.x–25.x that prevents IPv4 DHCP from functioning on secondary interfaces in correctly isolated networks.
If you are willing to provide the above details, the community will be better positioned to help identify the root cause.
That being said, you have chosen to use one of the most advanced setups with OpnSense there is (i.e. OpnSense under Proxmox). I assume you have read all the helpful hints to this (like this) or have tried to get a setup running on bare metal first?
That said, in its current form this report does not describe a demonstrable software defect in OPNsense, Kea, or dnsmasq, but rather a set of symptoms that are most commonly associated with layer-2 topology or virtualization configuration issues—particularly in Proxmox environments.
A few observations that are important to clarify:
OPNsense does not require IPv6 to be enabled for IPv4 DHCP to function correctly. IPv4-only deployments with multiple LAN interfaces are widely deployed and fully supported.
If a DHCP client briefly receives a gateway address belonging to a different interface, that almost always indicates that the interfaces are not properly isolated at layer-2 (for example, multiple interfaces attached to the same Proxmox bridge, shared subnets across interfaces, or unintended bridging).
DHCP servers do not "forward" router addresses between interfaces. If a client sees an address from another interface, it is responding to a broadcast originating from the same L2 domain.
To move this forward constructively, the following information would be required before this can be treated as a potential bug:
- Interface assignments and IP/subnet configuration for all OPNsense interfaces
- Proxmox bridge configuration (vmbr layout, VLAN awareness, and NIC attachment or in the case off passthru, physical hardware type)
- Confirmation that each LAN interface is in a unique IPv4 subnet
- DHCP logs from Kea or dnsmasq during a failed lease attempt
- A packet capture (tcpdump) on the affected interface showing the DHCP exchange
Without this information, it is not possible to distinguish between a software defect and a topology issue. To date, there is no known regression in OPNsense 24.x–25.x that prevents IPv4 DHCP from functioning on secondary interfaces in correctly isolated networks.
If you are willing to provide the above details, the community will be better positioned to help identify the root cause.
That being said, you have chosen to use one of the most advanced setups with OpnSense there is (i.e. OpnSense under Proxmox). I assume you have read all the helpful hints to this (like this) or have tried to get a setup running on bare metal first?
#85
25.7, 25.10 Series / Re: WAN has no IPv6 connectivi...
Last post by meyergru - January 23, 2026, 10:24:28 PMTry this.
#86
25.7, 25.10 Series / [SOLVED] WAN has no IPv6 conne...
Last post by andicniko - January 23, 2026, 10:08:42 PMMy WAN doesn't seem able to reach IPv6 addresses (e.g. if I "ping -6 2606:4700:4700::1111" from opnsense itself).
My configuration type is DHCP and DHCPv6, and my ISP provides me with a static /56 prefix. Clients on LAN get IPv6 addresses and communicate just fine, they can reach IPv6 addresses and "ping -6 2606:4700:4700::1111" getting a response just fine.
My interfaces overview suggests WAN has the following IPv6 addresses only:
::2e0:97ff:fe1d:8a79/64
fe80::2e0:97ff:fe1d:8a79/64
Question: How can I give my WAN interface a usable IPv6 address, or get the one's it already has to communicate with external IPv6 addresses?
Sorry I know this has been asked in the past, but I can't seem to find a clear answer. Any help is appreciated!
- I wonder if this is the root cause of update checks going painfully slowly unless I enable System: Settings: General: Prefer to use IPv4 even if IPv6 is available.
- I also wonder if this is the root cause of IPv6 connectivity tests (e.g. https://test-ipv6.com/) suggesting "Your DNS server (possibly run by your ISP) appears to have no access to the IPv6 Internet". I can get around this by adding DNS over TLS entries in Unbound pointing to an external DNS, but it didn't help the above issues.
My configuration type is DHCP and DHCPv6, and my ISP provides me with a static /56 prefix. Clients on LAN get IPv6 addresses and communicate just fine, they can reach IPv6 addresses and "ping -6 2606:4700:4700::1111" getting a response just fine.
My interfaces overview suggests WAN has the following IPv6 addresses only:
::2e0:97ff:fe1d:8a79/64
fe80::2e0:97ff:fe1d:8a79/64
Question: How can I give my WAN interface a usable IPv6 address, or get the one's it already has to communicate with external IPv6 addresses?
Sorry I know this has been asked in the past, but I can't seem to find a clear answer. Any help is appreciated!
#87
25.7, 25.10 Series / Re: OPNsense 25.7.10 . Noti...
Last post by iMx - January 23, 2026, 09:31:29 PMDid you check the suggested operating temperature for the drive in the specs?
#88
General Discussion / Re: Port Forwarding issue insi...
Last post by Land_Strider - January 23, 2026, 09:29:04 PMI figured out what the problem was. It was the "Disable reply-to on WAN rules" firewall settings default behavior. Ticking its box and leaving others at default values now makes the Port Forwarding work like a charm.
You cannot view this attachment.
You cannot view this attachment.
#89
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by iMx - January 23, 2026, 09:24:45 PMI think there's definitely an argument for it to be disabled by default.
... I'm not sure I need to put unnecessary wear on an SSD for this.
I'd have thought that most Business Edition customers will disable it and they bring in the money!
... I'm not sure I need to put unnecessary wear on an SSD for this.
I'd have thought that most Business Edition customers will disable it and they bring in the money!
#90
General Discussion / Re: ISC-DHCP to KEA Migration ...
Last post by Sheridan Computers - January 23, 2026, 08:45:39 PMQuote from: nero355 on January 23, 2026, 04:59:40 PMThis is nice to have, but it's not really needed since you can Import/Export all Static DHCP Mappings by using the .csv files Import/Export option in the OPNsense webGUI ;)
Not for IPv6, IPv4 only
