Recent posts

#91
25.7, 25.10 Series / Re: 25.7.11_1 host discovery i...
Last post by franco - Today at 08:52:11 AM
It's been filed here https://github.com/opnsense/hostwatch/issues/8 for a closer look. I'll add this forum thread to the references.


Thanks,
Franco
#92
25.7, 25.10 Series / 25.7.11_1 host discovery issue
Last post by tn881023 - Today at 08:43:11 AM
Morning all,

Devs - thanks so much for all your hard work, amazing product - I love OPNsense.

Just upgraded to 25.7.11_1, and one of my cores was pinned to 100% for 10 minutes with the new host discovery service - it stopped when I disabled host discovery.

This feels like a bug, but perhaps it's expected behaviour? I am running bare metal on an N150 mini PC with 4 x Intel i226-V NICs running the latest firmware. I have a PPPoE fibre connection and 4 x VLANs.

Can provide additional info on request, but thought I'd post up here first for thoughts.

Thanks
#93
25.7, 25.10 Series / Re: 25.7.11 Upgrade Issue
Last post by franco - Today at 08:13:25 AM
Sorry for the trouble and thanks again for reporting it so quickly!


Cheers,
Franco
#94
25.7, 25.10 Series / DEC2752 - How to check hardwar...
Last post by stuckoff - Today at 07:59:14 AM
Hi

I have some issues with my appliance and I want to run some hardware tests.
Does someone know how to run such tests on the system:
- memtest86 or similar
- disk for bad sectors
- CPU, etc.

Thanks
#95
I am a recent adopter of OPNsense, so I apologize if this has been discussed already under a different name, and/or if it would be considered outside the scope of OPNsense.

I would like to have a "quarantine zone" where new devices would first fall into a VLAN that has no internet access, then can be assigned a different VLAN which would give them tailored access. My motivation is dealing with client devices that randomize MAC addresses while releasing/renewing IPs. I want different types of clients to have different firewall rules applied to them. With the ability to spoof MAC addresses, it seems like relying on subnet rules makes more sense.

My OPNsense router has a Unifi switch connected to it, which in turn has an Omada AP connected to that. I understand that such a solution probably requires support across the hardware stack, but I am still a bit lost at where to start. Does anyone have any pointers about implementing such a solution?
#96
General Discussion / Re: Wireless Access Points
Last post by OPNenthu - Today at 05:37:04 AM
(Not a pro installer; just sharing some thoughts/experience)

I had to figure out how to install WiFi for my parents but their place is also two levels with no Ethernet wiring.  Drilling was a last resort.  The problem is that the older building is also dense and the mesh backhaul would be too weak.  UniFi uses the 5GHz band for that.

Fortunately many homes here are wired with coaxial for TV (antenna, satellite, and cable all use it) so I was able to use that with MoCA-Ethernet adapters.  These are good for up to 2.5GbE depending on the quality of the wiring and the MoCA spec used.  Not sure what the situation is in Australia but maybe this is an option?

I chose a coax termination point on each level (on opposite ends of the house to minimize interference) and installed a small UniFi switch at each point.  Then I connected a U6 Mesh AP to each switch.  The controller lives as a headless VirtualBox VM, set up as a Windows service to start at boot on a small N100-type PC.

Why U6 Mesh?  Despite its name, it works in either standalone or mesh mode and can sit on a shelf without any wall or ceiling mounts.  It also radiates outward in a circle, as opposed to up/down or in a cone pattern.  That way a single one can cover a floor level laterally if well placed.  Roaming works well now but I had to knock down the radio power (especially on the 2.4GHz band) to minimize overlap, and I'm not sure how you would do that without the controller.  They have a mobile app for setting up APs without a controller, but I don't know what it does/doesn't support.

Coincidentally, this video just dropped as another neat option that blends in to the walls: https://www.youtube.com/watch?v=Z2FbzCyiNr4
#97
General Discussion / Re: Wireless Access Points
Last post by OzziGoblin - Today at 04:46:57 AM
Unfortunately there is no network between levels, but I suspect that may resolve the issue I'm facing.

Thanks everyone else for your replies, I was hoping that there was some solution that avoided separate controllers as that's another level of management that needs to remain stable.
#98
25.7, 25.10 Series / Re: Dnsmasq not responding to ...
Last post by Lu - Today at 02:54:44 AM
Thanks for replying.

We're not using VLANs and everything is on the same v4 subnet and v6 prefix, so any firewall rule that blocked only the printer would have to contain address-specific parameters, right? There's nothing like that.

Further tests:
  • I gave my own PC static IPs by cloning the printer's reservation in Dnsmasq's Hosts page, one off of the printer's IPs, outside the normal DHCP offer ranges, and my PC still got replies from the OPNsense device.
  • Set the resolver address on the printer and PC to a separate server, on the LAN, running BIND9. Both received usable DNS responses.

I can't take Dnsmasq down for any extended period until I have a decent maintenance window, but everything I've seen points to it, so far.

Quote from: meyergru on January 14, 2026, 10:56:30 AM
I always create an "allow DNS on this firewall" as a floating rule.

Doesn't 'floating' allow DNS requests from the WAN side? I don't want that, it would obviate the point of having overrides for private addresses on our domain. I already have a similar rule to immediately allow all DNS on the LAN interface, as recommended by the WAN failover guide, because we have a 5G backup connection.

Can you see anything in the packet captures? They're very small.
#99
Here https://docs.opnsense.org/manual/nat.html#some-terms-explained one can read the following :


Quote
Pool options: When there are multiple IPs to choose from, this option will allow regulating which IP gets used. The default, Round Robin, will simply distribute packets to one server after the other. If you only have one **external IP**, this option has no effect.

Though it makes perfect sense for outgoing NAT, as one can have multiple external IPs to NAT from.
I'm interested in the option in the context of port forwarding as it is in the UI for port forwarding (and I didn't test it to see what it really does).
When in the context of port forwarding the implication is that someone or something tried to connect (external_ip:external_port), how does the above **external IP** square with this scenario? Internal IP makes more sense as one can have a plethora of internal IPs to forward to.
Or am I missing something here?

If it is indeed the case, doesn't this make relayd redundant?
 
#100
25.7, 25.10 Series / Unbound reporting not working ...
Last post by wallaby501 - Today at 02:19:07 AM
I could be wrong because I honestly did not know of this before this version but it's not working for me. I'm unsure if it's specific to this version or not.

I made sure I have no errors in the new blocklist features and I've reloaded it since then but have NOT rebooted yet.

I see "Cannot read properties of undefined (reading 'total')" in the dev tools on the page. I have let it go a couple hours since fixing the issues with dnsbl of unbound.

One thing I will note is that I store /var/log in RAM to avoid excessive writes to my NVMe. Will that at all affect the operation of the reporting? In Services-Unbound-Logging I see all the logs clearly. In Reporting-Unbound DNS I have nothing on Overview nor anything in the Details tab. I've enabled/disabled it and cleared the stats for it but no change over several hours.

Not a huge deal - just would prefer to have some nicer tools to look at what is going on vs. parsing through logs on Loki.

Edit - along with this, I get weird errors every few weeks it seems that generate crash reports. At first I thought it was something AMD related but maybe not. I debated trying opnsense-bootstrap which, to my understanding, wipes out all the opnsense stuff and reinstalls it from scratch (while somehow not wiping the config?). So I could run that, reboot, and it reinstalls all my plugins and keeps my config? I'm not above doing that or reinstalling if necessary but have never done so and have a lot of config done (multiple VLANs, multiple WG tunnels, policy tagging, etc. etc. that I absolutely do not want to set back up in case of issues.)