Recent posts

#91
25.7, 25.10 Series / Re: DuckDB-related DNS/DHCP ou...
Last post by mawa2559 - January 27, 2026, 04:45:01 AM
of course, forgot to upload images. Attached here.
#92
25.7, 25.10 Series / DuckDB-related DNS/DHCP outage...
Last post by mawa2559 - January 27, 2026, 04:32:27 AM
Hi all. First time poster and new OPNsense user here.

TLDR; DNS/DHCP breaks once per day but appears to self-resolve when duckdb restore/cleanup task runs. How to make this cycle stop?

Background:
I first set up OPNsense 25.7.11 about two weeks ago. I followed a pretty basic tutorial to set up my interfaces, a couple vlans, DNSmasq and DHCP + unbound, added in DNS over TLS, enabling IPv6, and started playing around with plugins like the node exporter and tailscale as well as adding in blocklists - it's been a lot of fun and I was really enjoying the platform.

However after a few days I started experiencing 1x daily DNS outages - first resolution becomes spotty, then fails completely, of course resulting in failures all over my network. At first I definitely blamed myself and a bad config - I tried systematically removing IPv6, DoT, getting rid of a wildcard override in unbound, removing the singular blocklist I added, and getting rid of all restrictive firewall rules, adding new ones to ensure dns ports were allowed etc. but no matter what the 1x daily DNS outage keeps occurring.

Through troubleshooting, I discovered that in addition to DNS issues, it appears that all IPv4 addressing stops working during these outages - clients lose ipv4 addresses (showing APIPA addressing) and opnsense becomes unreachable via IPv4, but remains accessible over IPv6 - and all services show as running and healthy on opnsense, including unbound and DHCP. The weirdest part is opnsense itself has no issues resolving hostnames using the diagnostic tool during these outages.

Troubleshooting:
Two days ago I factory reset my isp's router (that sits in front of opnsense in bridge mode) and did a fresh install of opnsense. My LAN firewall rules currently only consist of allowing IPv4 and IPv6 from LAN to all, pic attached. I again enabled dnsmasq, dhcp + unbound, DoT, and am still running IPv6, and the DNS issues continue 1x daily, with all of the same symptoms/behavior. Today, January 26th, DNS issues began at around 11:15am and ended at 13:30pm as evidenced by uptime-kuma DNS monitoring (image attached). I was not home so did nothing to mitigate, and the issue self resolved.


This time, I managed to catch a line in the Unbound log file that coincided with exactly when the issue self-resolved:

2026-01-26T13:30:51-06:00 Notice unbound Database auto restore from /var/cache/unbound.duckdb for cleanup reasons in 2.59 seconds

Likely related, metrics collected via node exporter and brought into Grafana show free memory dropping from over 1GiB to below 500MiB at 13:31pm, essentially the same time as that duckdb restore/cleanup occurred (image attached).

I am assuming that this db is becoming unhealthy/corrupted/oversized in advance of the (likely scheduled?) cleanup on a regular basis, and that issue is affecting DHCP somehow. Forgive my ignorance of how duckdb is used on the platform. My primary concern is predictably- how can I make this stop happening? Turn off unbound reporting altogether? Initiate more frequent cleanups? Set stricter db size limit somewhere? I'm not quite sure how to proceed, and as you might expect, opnsense is not passing the wife test so far (keeps interrupting her shows).

I'm going to disable unbound reporting right now and see if that helps at all, but interested if anybody has any insight or suggestions! Happy to provide any other info as needed. Thanks in advance!

opnsense version: OPNsense 25.7.11_2-amd64
Hardware: Lenovo ThinkCentre M70q Gen1, 4GB RAM, 12 core CPU, 500GB SATA SSD, 1Gb onboard NIC used for WAN interface, 2.5Gb Intel M.2 > Ethernet adapter card for LAN
Environment: ISP modem in bridge mode > opnsense box > 24 port USW pro for lan, including 1 WAP
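The poster matched the restore notice to the outage window by eye. The script below is an added example, not the poster's code or anything shipped with OPNsense, that does the same correlation mechanically: it parses the `Database auto restore from ... for cleanup reasons in N seconds` notice out of Unbound log lines laid out like the one quoted above (timestamp, severity, process, message), reports the spacing between restores, and flags restores that land within a few minutes of an outage's end. The log lines and the outage window are constructed sample data; only the 13:30:51 line is modelled on the post.

```python
"""Relate Unbound DuckDB auto-restore notices to observed DNS outage windows.

Added example for the thread above; the sample log lines and outage window
are constructed, and the assumed line layout is "<ISO timestamp> <severity>
<process> <message>" as in the line quoted in the post.
"""
import re
from datetime import datetime, timedelta

# Matches the restore notice and captures the database path and duration.
RESTORE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+(?P<proc>\S+)\s+"
    r"Database auto restore from (?P<path>\S+) for cleanup reasons "
    r"in (?P<secs>[0-9.]+) seconds$"
)

# Constructed sample: two daily restores and one unrelated notice.
SAMPLE_LOG = """\
2026-01-25T13:28:10-06:00 Notice unbound Database auto restore from /var/cache/unbound.duckdb for cleanup reasons in 2.41 seconds
2026-01-26T09:00:00-06:00 Notice unbound info: some unrelated notice line
2026-01-26T13:30:51-06:00 Notice unbound Database auto restore from /var/cache/unbound.duckdb for cleanup reasons in 2.59 seconds
"""

# Constructed outage window taken from the post's description (11:15 to 13:30).
OUTAGES = [
    (
        datetime.fromisoformat("2026-01-26T11:15:00-06:00"),
        datetime.fromisoformat("2026-01-26T13:30:00-06:00"),
    )
]


def parse_restore_events(text):
    """Return restore events (time, path, seconds) sorted by time."""
    events = []
    for line in text.splitlines():
        m = RESTORE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            {
                "time": datetime.fromisoformat(m["ts"]),
                "path": m["path"],
                "seconds": float(m["secs"]),
            }
        )
    return sorted(events, key=lambda e: e["time"])


def restore_intervals_hours(events):
    """Hours between consecutive restores; ~24 suggests a daily schedule."""
    return [
        (later["time"] - earlier["time"]).total_seconds() / 3600
        for earlier, later in zip(events, events[1:])
    ]


def restores_near_outage_end(events, outages, tolerance=timedelta(minutes=5)):
    """Pair each restore with an outage whose end lies within `tolerance`."""
    hits = []
    for _start, end in outages:
        for e in events:
            if end - tolerance <= e["time"] <= end + tolerance:
                hits.append((e["time"], end))
    return hits


if __name__ == "__main__":
    evs = parse_restore_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e['time'].isoformat()} restore of {e['path']} in {e['seconds']}s")
    print("hours between restores:", restore_intervals_hours(evs))
    for when, end in restores_near_outage_end(evs, OUTAGES):
        print(f"restore at {when.isoformat()} within 5 min of outage end {end.isoformat()}")
```

Run it against a real export of the Unbound log and a list of outage windows from the DNS monitor; a consistent ~24 h spacing and repeated hits at outage ends support the poster's hypothesis, while restores that do not line up with outages argue against it.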
#93
26.1 Series / Re: New rule system
Last post by tessus - January 27, 2026, 04:05:12 AM
Thanks @OPNenthu

Quote from: OPNenthu on January 27, 2026, 02:09:47 AM
nothing changes except for the ability to set Floating rules on a single, specific interface.

Yep, this might be bad for me. I actually use quite a few of those.

Of course I could move them to the specific interface, but I used the floating rules UI for a reason. It is easier and more convenient to have an overview, especially if you want to clone a rule for a new interface. You don't have to click on every interface to find the rule.
The workaround to create groups with a single interface is a massive overhead in terms of administration. Why not support a single interface instead?

Anyway, I am sure I will adapt. I just hope it's not too much work and that the result won't be less intuitive and convenient.
#94
25.7, 25.10 Series / Re: RAM usage
Last post by OPNenthu - January 27, 2026, 03:57:42 AM
Take a look at this thread for virtualization recommendations: https://forum.opnsense.org/index.php?topic=44159.0

Also, the hardware sizing guide gives some info on RAM needs for various scenarios.

My firewall has 8GB (also an N5105, but bare metal) and I'm not even using half of it currently.  Swap is not touched at all and I have /var/log and /tmp both on RAM disk to help preserve the SSD.  That's without IDS/IDP and with ~1700 policies across 8 groups, ~500k table entries, ~800k+ domains in Unbound block lists, a few WG tunnels and WAN shaping for anti-bufferbloat.  Only a few users though and normally fewer than 500 active f/w states.
#95
Intrusion Detection and Prevention / Re: Suricata with os-stunnel
Last post by breatheunruly - January 27, 2026, 03:22:19 AM
I appreciate the information offered about configuring Suricata with os-stunnel—it's a complicated but necessary topic for improving network security. I've previously struggled with comparable situations in which tiny configuration errors resulted in huge problems. It may be beneficial to describe specific instances or issues we encountered while monitoring traffic; these personal anecdotes can assist highlight optimal practices and common pitfalls. I look forward to learning from everyone's experiences!
#96
26.1 Series / Re: New rule system
Last post by OPNenthu - January 27, 2026, 03:05:13 AM
I added a feature request: https://github.com/opnsense/core/issues/9652

If this gets rejected, so be it.  I don't know what limitations or challenges there are to doing this with the new MVC approach.
#97
26.1 Series / kea dhcpv6 hw-address in 26.1-...
Last post by awlynn - January 27, 2026, 02:15:09 AM
The announcement states the hw-address is added for DHCP reservation, but in Kea DHCPv6 only DUID is available in the GUI.  Is there another setting to allow hw-address to be entered?
#98
26.1 Series / Re: New rule system
Last post by OPNenthu - January 27, 2026, 02:09:47 AM
@tessus The "Automation" rules UI in 25.7 has been moved to "Rules [new]" in 26.1.  The idea is that this UI (regardless of whether you use automation or not) will eventually replace the legacy Rules UI.  I think what we're talking about here will eventually affect everyone, but not for a while.

What I'm hearing from the responses so far is that nothing changes except for the ability to set Floating rules on a single, specific interface.  That is a loss in flexibility with the new rules system, but I don't know if it will be a big deal or not.  If that doesn't affect you then you can happily use the new system.

I don't think anything is changed in the old rules system so if you're still using that you're good for now.  The concerns people had around NAT and rule order impacts were regarding the new rules system and those turned out to be incorrect as @meyergru explained to me.
#99
25.7, 25.10 Series / RAM usage
Last post by gmartin - January 27, 2026, 01:48:50 AM
I'm running 25.11 as a vm under proxmox. Underlying CPU is a Intel N5105 and the only other VM is running pihole.  I'd appreciate any recommendations on how to configure RAM. I have a 400Mb internet connection.  Heaviest use is a torrent client with many active connections. I stream hulu and share plex with a couple folks but internet usage is generally sub 100Mb.

Currently I've assigned it 4GB and per top it is using 2GB of swap.  Here are the top stats:

last pid: 58271;  load averages:  0.15,  0.19,  0.21                                            up 0+02:59:52  19:33:53
65 processes:  1 running, 64 sleeping
CPU:  0.8% user,  0.0% nice,  0.1% system,  0.4% interrupt, 98.8% idle
Mem: 202M Active, 2333M Inact, 467M Laundry, 610M Wired, 393M Buf, 290M Free
ARC:
Swap: 9979M Total, 2063M Used, 7916M Free, 20% Inuse

is the 4GB adequate?  Could it be "too much"?
Could I assign it 2GB and balloon to 4GB?

Appreciate any thoughts you have.

\\Greg

#100
Portuguese - Português / Re: Comunidade - Língua Portug...
Last post by gabrielf3 - January 27, 2026, 12:49:11 AM
My name is Gabriel Ferreira, I'm from Aracaju - Sergipe.
I have been working with OPNSense professionally since 2025 and have already deployed it at several companies here in the city.
I would like to help even more in strengthening the community.