OPNsense 25.7.11 - host/neighbor discovery service

Started by pfry, January 15, 2026, 09:42:42 PM

Just opening a thread for observations on the 25.7.11 host/neighbor discovery service.

Quote:
This release brings the new host discovery service which resolves and remembers
MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides
this data for the firewall MAC aliases and captive portal clients.

GUI: "Interfaces: Neighbors: Automatic Discovery".

I do not use the above features, so I disabled the service. It does not appear to interfere with function, but it does report neighbors/hosts multiple times on bridges (on the bridge and on member interfaces) by default. I thought it might be useful in reporting the member interface to which a particular host is connected, but it does not (limit reporting to that). (Note that I did not exhaustively examine its behavior, e.g. to see if it reported hosts only on member interfaces where it saw a particular MAC as either a source or destination.) Note that this behavior on bridge member interfaces applies because I have them assigned but unconfigured; I assume unassigned interfaces would not be part of the discovery, and discovery scope may be limited under "Settings" in any case.

January 21, 2026, 10:01:35 AM #1 Last Edit: January 21, 2026, 10:04:21 AM by forca
Thx for the info; unfortunately it was auto-enabled since the last "mini"-update and let my system run into an oom-killer:

2026-01-21T01:01:04 Notice kernel <3>[148875] pid 63743 (unbound), jid 0, uid 59, was killed: failed to reclaim memory
2026-01-21T01:01:03 Notice kernel <3>[148874] pid 94211 (netstat), jid 0, uid 0, was killed: failed to reclaim memory
2026-01-21T01:01:02 Notice kernel <3>[148872] pid 85969 (hostwatch), jid 0, uid 377, was killed: failed to reclaim memory
2026-01-21T00:54:00 Notice kernel [148450] swp_pager_getswapspace(31): failed
2026-01-21T00:54:00 Notice kernel [148450] swap_pager: out of swap space
2026-01-21T00:53:59 Notice kernel [148450] swp_pager_getswapspace(13): failed
2026-01-21T00:53:00 Notice kernel [148390] swp_pager_getswapspace(24): failed

So, after ca. 2-3 days my 16GB RAM was "overflowed".

Here are some screenshots (3, within 1 minute or even less):

I have already disabled this service, but why is it enabled by default? Any ideas about a "possible" memory leak?

I noticed also some logs from the service itself:

2026-01-21T08:53:42 Warning hostwatch 2026-01-21T07:53:42.608373Z WARN hostwatch: Failed to initialize capture for device: pfsync0
2026-01-21T08:53:42 Warning hostwatch 2026-01-21T07:53:42.607962Z WARN hostwatch: Failed to initialize capture for device: usbus0
2026-01-21T07:14:01 Warning hostwatch 2026-01-21T06:14:01.595423Z WARN hostwatch: Failed to initialize capture for device: pfsync0
2026-01-21T07:14:01 Warning hostwatch 2026-01-21T06:14:01.594986Z WARN hostwatch: Failed to initialize capture for device: usbus0

Why is this discovering hosts outside of my firewall?  I can't fathom why it would try to discover anything on the WAN port. 

Quote from: JustMeHere on Today at 07:15:02 AM
Why is this discovering hosts outside of my firewall? I can't fathom why it would try to discover anything on the WAN port.

It'll see things on the same L2 segment, which might include ISP equipment.

I think in the latest patch that's being tested now you can control which interfaces it discovers on, if you want to limit it.