"Recent posts
#81
25.7, 25.10 Series / Re: ISC deprecation issues
Last post by Monviech (Cedrik) - January 19, 2026, 10:17:50 AMIf you have a changing prefix use dnsmasq for dhcpv6, it can construct from a partial prefix:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
#82
General Discussion / Re: Where is TCP processed - C...
Last post by Seimus - January 19, 2026, 10:07:51 AMYour topic name is a bit intriguing.
When you think about a packet, the finial destination on a device is the CPU. If a packet is delivered its being pegged to the CPU to process it. Of cource the packet needs to be 1st processed on the NIC.
What Distro you are using?
What realtek NIC does it use?
What is the realtek driver loaded for the NIC?
Did you try to upgrade the BIOS?
What are the temps during high volume downloads/uploads?
Can you post the NIC statistics (counters)?
Did you disabled ASPM?
Regards,
S.
When you think about a packet, the finial destination on a device is the CPU. If a packet is delivered its being pegged to the CPU to process it. Of cource the packet needs to be 1st processed on the NIC.
What Distro you are using?
What realtek NIC does it use?
What is the realtek driver loaded for the NIC?
Did you try to upgrade the BIOS?
What are the temps during high volume downloads/uploads?
Can you post the NIC statistics (counters)?
Did you disabled ASPM?
Regards,
S.
#83
25.7, 25.10 Series / ISC deprecation issues
Last post by stanthewizzard - January 19, 2026, 10:00:12 AMHello
I understand that ISC will be deprecated end of month.
Switching to a plugin for "legacy" purposes.
I want to know if
KEA or Dnsmasq DNS&DHCP can do the same magic that I have with ISC : prepopulation of subnet, subnet mask and available range form the LAN IPv6 ?
My ISP can change the IPv6 from time to time and this functionnality from ISC is a game changer in my case
Thanks for help
I understand that ISC will be deprecated end of month.
Switching to a plugin for "legacy" purposes.
I want to know if
KEA or Dnsmasq DNS&DHCP can do the same magic that I have with ISC : prepopulation of subnet, subnet mask and available range form the LAN IPv6 ?
My ISP can change the IPv6 from time to time and this functionnality from ISC is a game changer in my case
Thanks for help
#84
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
Last post by meyergru - January 19, 2026, 09:58:57 AMPotentially yes, but depending on working PMTUD, some sites work with the wrong MTU and some do not.
#85
25.7, 25.10 Series / Re: [SOLVED] How can I automat...
Last post by meyergru - January 19, 2026, 09:55:48 AMYour assessment:
is almost surely wrong. The way the cron script detects if a wireguard connection is stale is by looking at the last handshake age and see if it is too old (> 135s). That way, you can be sure that there is still an ongoing wireguard connection. It is beyond me how that handshake should occur with the gateway down.
You can check this yourself:
https://github.com/opnsense/core/blob/ade7e9e9c7887978abf3f425c57def324ebcac03/src/opnsense/scripts/wireguard/reresolve-dns.py
The command for testing is "/usr/bin/wg show all latest-handshakes" and the last column is compared against "date +%s". If the difference is > 135, the connection is restarted. Of course, this can take up to ~2 minutes and also, if the drop is caused by the remote side changing its IP and DNS caching gets in the way, for an even longer time, because multiple tries must be taken until the connection gets up again.
If I am wrong, please create a bug report on github.
Quote from: tessus on January 19, 2026, 08:36:11 AMUnfortunately none of the solutions here worked. The Renew DNS for Wireguard on stale connections cronjob doesn't work in my case, because wg reports the connection as active (not stale) even though the gateway is down. So the action that should be triggered to restart the wg service is not triggered.
is almost surely wrong. The way the cron script detects if a wireguard connection is stale is by looking at the last handshake age and see if it is too old (> 135s). That way, you can be sure that there is still an ongoing wireguard connection. It is beyond me how that handshake should occur with the gateway down.
You can check this yourself:
https://github.com/opnsense/core/blob/ade7e9e9c7887978abf3f425c57def324ebcac03/src/opnsense/scripts/wireguard/reresolve-dns.py
The command for testing is "/usr/bin/wg show all latest-handshakes" and the last column is compared against "date +%s". If the difference is > 135, the connection is restarted. Of course, this can take up to ~2 minutes and also, if the drop is caused by the remote side changing its IP and DNS caching gets in the way, for an even longer time, because multiple tries must be taken until the connection gets up again.
If I am wrong, please create a bug report on github.
#86
25.7, 25.10 Series / Re: Update to OPNsense 25.7.11...
Last post by Monviech (Cedrik) - January 19, 2026, 09:44:19 AMThe fix is included in 25.7.11_2.
#87
25.7, 25.10 Series / Re: in dnsmasq dhcp: leases: b...
Last post by franco - January 19, 2026, 09:41:51 AM> So indeed the protocol is fail-safe and you can delete a lease on the server side without any friction in the network.
yes but
> The minor glicht [...]
> And there is a second problem [...]
> So I still do not REALLY see the advantage [...]
:)
As I said I don't mind if there is a canonical tool which there is. I'll try to get it into the dnsmasq port. If it compiles and works it's good enough for the GUI button.
Cheers,
Franco
yes but
> The minor glicht [...]
> And there is a second problem [...]
> So I still do not REALLY see the advantage [...]
:)
As I said I don't mind if there is a canonical tool which there is. I'll try to get it into the dnsmasq port. If it compiles and works it's good enough for the GUI button.
Cheers,
Franco
#88
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - January 19, 2026, 09:38:27 AMInterfaces: Settings: ARP Handling is dead, long live the two tunables :)
But yes something similar needs to be done. We'll have a coordination meeting later about it and try to work through the reported items.
Cheers,
Franco
But yes something similar needs to be done. We'll have a coordination meeting later about it and try to work through the reported items.
Cheers,
Franco
#89
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by Patrick M. Hausen - January 19, 2026, 09:21:01 AM@franco I just noticed the hotfix. What about making the "changed ethernet address" messages configurable? We already have Interfaces: Settings: ARP Handling. I have that enabled although I do not have multiple interfaces in the same broadcast domain. Apple TVs do weird things with power saving states and proxy ARP ;-)
#90
Announcements / Re: OPNsense 25.7.11 released
Last post by franco - January 19, 2026, 09:12:50 AMNote to people who were already on 25.7.11 and 27.7.11_1: a modified hostwatch
version was published disabling two excessive log messages. Applying the
hotfix 25.7.11_2 will not restart hostwatch. Please do so under Interfaces:
Neighbors: Automatic Discovery by either using "apply" or the restart button
in the service widget. Other reported issues will be addressed shortly.
A hotfix release was issued as 25.7.11_2:
o system: fix edge case in tunable reset with one single tunable in the default config
o ports: hostwatch 1.0.5 disables two excessive log messages
version was published disabling two excessive log messages. Applying the
hotfix 25.7.11_2 will not restart hostwatch. Please do so under Interfaces:
Neighbors: Automatic Discovery by either using "apply" or the restart button
in the service widget. Other reported issues will be addressed shortly.
A hotfix release was issued as 25.7.11_2:
o system: fix edge case in tunable reset with one single tunable in the default config
o ports: hostwatch 1.0.5 disables two excessive log messages
