Recent posts

#81

25.7, 25.10 Series / Re: (Solved?) Freeradius - can...

Last post by whatever - November 27, 2025, 06:58:15 PM

Awesome, thanks!

#82

Virtual private networks / Wireguard peer setup issues: "...

Last post by Obtendo - November 27, 2025, 06:25:15 PM

I'm probably an idiot missing something completely obvious..? Sorry in advance.

Setting up the peers using "Peer generator" I first expected an "Address" field for to define a peer IP within the subnet defined for interface as well as an "Allowed IPs" field which would allow me to define what should be routed through the tunnel (which I planned to use to implement split tunnel). Both fields were present in the updated guide I used.

My "Peer generator" does however not have any field for "Address". It looks like image peergen.jpg attached. Figured it might just use the first available IP in the subnet defined for the interface automatically, but nothing is listed in the config data. Config data is hence defined invalid by client as it's missing an address. Attempted to manually add the first available address in subnet to no avail.

I then found a guide indicating that "Allowed IPs" is what I expected the "Address" field to define. The address of the peer, not what to route through VPN. It's however added as "Allowed IPs" as expected, not address. See picture roadwarriorsetup.jpg.

Confused.

#83

Hardware and Performance / Re: Network behind a double NA...

Last post by Maurice - November 27, 2025, 06:21:30 PM

It would make way more sense to connect the wired WAN directly to OPNsense and the TP-Link device (in AP mode) to the OPNsense LAN port. You then could also use the TP-Link's additional Ethernet ports as a switch for your LAN.

If this is purely experimental and you can't get a wired WAN connection, I'd explore setting up the WiFi connection in Proxmox. WiFi support in FreeBSD / OPNsense is very limited.

For IPv4, you would indeed end up with (at least) double NAT.
For IPv6, it depends on whether the TP-Link device supports prefix delegation.

That's quite a challenge for a complete beginner. I'd recommend a simpler setup for your first steps with OPNsense.

Cheers
Maurice

#84

25.7, 25.10 Series / Re: 25.7.8 upgrade

Last post by Baron_Backdoor - November 27, 2025, 06:09:14 PM

Can you do a connectivity audit from the firmware status page?

> truncated: 0/1332 bytes

This could happen due to long DNS timeouts for example.


Cheers,
Franco

Thanks for the reply, see below:-

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.8 (amd64) at Thu Nov 27 16:57:54 UTC 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=58 time=14.044 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=58 time=13.911 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=58 time=14.437 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=58 time=14.341 ms

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.911/14.183/14.437/0.214 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 911 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ..... done
Processing entries: .......... done
mimugmail repository update completed. 191 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING(1548=40+8+1500 bytes) 2a02:390:feed:6120:aab8:e0ff:fe02:835 --> 2001:1af8:5300:a010:1::1

--- 2001:1af8:5300:a010:1::1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository mimugmail has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository mimugmail
Error updating repositories!
Checking server certificate for host: opn-repo.routerperformance.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E7
verify return:1
depth=0 CN = opn-repo.routerperformance.net
verify return:1
DONE
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***

#85

25.7, 25.10 Series / Re: 25.7.8 upgrade

Last post by franco - November 27, 2025, 05:55:45 PM

Can you do a connectivity audit from the firmware status page?

> truncated: 0/1332 bytes

This could happen due to long DNS timeouts for example.


Cheers,
Franco

#86

25.7, 25.10 Series / OPNsense 25.7.8 HA - Persisten...

Last post by martymarty004 - November 27, 2025, 05:55:23 PM

Hello, I'm new to OPNsense and networking in general, and I'm facing some issues with the IPv6 configuration of my setup.
PPPoE is working, but I'm getting "Destination unreachable: Source address failed ingress/egress policy" when trying IPv6.
I'm, attaching three files with the status of WAN, LAN and what a client receives as parameters, so you can check if anything is amiss.
Do you have any suggestions?

PING [PREFIX]:0::1 OK
PING fe80::1%enp42s0 OK
PING google.com KO > From _gateway (fe80::1%enp42s0) icmp_seq=1 Destination unreachable: Source address failed ingress/egress policy

Physical network>

Two identical Proxmox nodes (v9.1.1) with two NICs, one NIC in a Tagged 835VLAN, the other is Untagged LAN.
Each NIC has a virtual bridge on top, connected to the OPNsense VM (v25.7.8) and other containers. Bridges are VLAN aware, virtual NICs are VIRTIO (queues enabled, Firewall OFF).

Everything is attached to a TL-SG3424, stock config except for ports 1-4 being assigned to VLAN 835 (TRUNK).

My ISP provides me with a public dynamic IPv4 (which never actually changes) as well as a static /48 IPv6 prefix.


OPNsense Environment>

- WAN : Block private, Block bogon
IPv4 : PPPoE
IPv6 : DHCPv6, Prefix delegation /48, request only prefix, send hint

- LAN
IPv4 : 10.79.0.2/24 (static) - (10.79.0.2/24)
IPv6 : [PREFIX]:0::2/64 (static) - ([PREFIX]:0::3/64)

- WAN_PARENT : assigned to vtnet1 just for CARP logic

CARP>
VHID 1 - LAN - 10.79.0.1/24
VHID 2 - LAN - fe80::1/64
VHID 3 - LAN - [PREFIX]:0::1/64
VHID 4 - OPT1 - 10.254.254.1/32 (brings down PPPoE when BACKUP)

One VM is MASTER, the other BACKUP, I can see the spoofed MACs from the switch's ARP table, so they should be fine

KEA DHCPv6>
Subnet : [PREFIX]:0::/64
Range : [PREFIX]:0::1000 - [PREFIX]:0::ffff
DNS : [Pi-Hole1], [Pi-Hole2]
HA : Enabled

Router Advertisements>
Mode : Assisted
Priority : High
Source Address : fe80::1/64
Advertise Routes : [PREFIX]:0::/64
Advertise Default Gateway,  Do not send any DNS configuration to clients


Dnsmasq, ISCDHCP, Unbound DNS> OFF

System : High Availability> Active and synchronized

For internet connectivity on BACKUP router>
- Firewall: NAT: Outbound : Hybrid
  Rule : WAN - Src: LAN - Dst: * - NAT: Interface addr
- Gateways
  Fallback_GW : Interface: LAN - IP: 10.79.0.1 (lower priority, FAR gateway)

#87

General Discussion / Re: Missing Interfaces

Last post by Unregistered Member - November 27, 2025, 05:42:24 PM

Thanks for the suggestion @pfry. I updated the NVM and the problem still persists - I still get netmap_transmit ixl0 full from time to time.

As for missing interfaces, I'll update to 25.7.8 and see if it fixes it.

#88

25.7, 25.10 Series / Re: 25.7.8 upgrade

Last post by Baron_Backdoor - November 27, 2025, 05:27:34 PM

That looks as if 25.7.8 upgrade was done (potentially incomplete) and now you do not have internet access.

From what version did you start out? If it was < 25.7, see https://forum.opnsense.org/index.php?topic=48343.msg244891#msg244891

If that is your situation, you need to apply the fixes, preferably before the upgrade.

I want to say 25.7.5 so i'll lok at those fixes as luckily despit it being upset i still have internet (thank the lord as she is catching up on stranger things and i don't wish to stop that lol)


UPDATE

Yes 25.7.5 as under updates it still say to update despite dashboard saying all good.

#89

25.7, 25.10 Series / Re: 25.7.8 upgrade

Last post by Baron_Backdoor - November 27, 2025, 05:25:27 PM

Have you tried a different Mirror?  You can change it under System > Firmware > Setting.

Thank you for the reply, yes 3 or 4 of them

#90

25.7, 25.10 Series / Re: Using Adguard Home and DNS...

Last post by meyergru - November 27, 2025, 05:00:45 PM

Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/

1.1.1.1 also seems O.K. to me (and it is by far the fastest DNS resolver I know of).