Strange issue with new Mini Server - Unable to reach Opnsense domain or Update

Started by tweakybam, April 11, 2025, 09:51:24 AM

Hi everyone,

I've been experiencing an issue with getting Opnsense to run properly on a new Mini Server I purchased. To give you some context, I've been using Opnsense for over a year and a half on an older Acer PC with an added Intel NIC card, and I've had no issues. I've become fairly comfortable with Opnsense, and I work in networking, so I'm familiar with how it should function.

About three months ago, I purchased an N100 Fengsheng, specifically the N100-5L version with 16GB RAM and a 512GB SSD. When I first set it up, Opnsense 24.7 was the latest release, so I backed up my existing setup and renamed the interfaces to match the new naming convention (e.g., igb0 → igc0).

I installed Opnsense 24.7 on the N100 and tried to get basic connectivity working via LAN/WAN. With basic rules (any/any) and auto NAT, I was able to access most websites, but oddly, I couldn't reach any Opnsense domains (such as https://opnsense.org or the Opnsense forums). This also prevented me from checking for updates, as the update process would get stuck on "fetching" and never proceed, even after leaving it overnight.

After hours of troubleshooting, I tested "promiscuous mode" on the WAN interface. Once I enabled this, the Opnsense domain became reachable, and I was able to fetch the update from 24.7 to 24.7.4.

Although I encountered some occasional instability, the N100 was working fine with WAN in promiscuous mode. However, after upgrading to Opnsense 25.1, the exact same issue resurfaced, but now, enabling promiscuous mode no longer helps. I've tried various other troubleshooting steps, but nothing has resolved the problem.

At this point, I suspect the issue may be related to a faulty NIC, some other hardware in the Mini Server, or possibly a BIOS setting affecting packet reception on the interface. I've seen a similar issue posted by someone else in the past, where they couldn't reach Opnsense domains or update Opnsense, but I haven't been able to find more details on that post.

This issue has been really frustrating, and I'm hoping someone here might have some suggestions or ideas on how I can resolve it. Any help would be greatly appreciated!

Thanks in advance! ❤️

You probably will realise that there is detail missing. Nobody can guess correctly what settings and what setup you have. Promiscuous on WAN, that is very odd for a "normal" setup with WAN interface out to ISP directly.
One guess is IPV6 enabled/misconfigured or maybe MTU. There is a very nice How-To post from meyergry well worth checking against.

Hi mate, thanks for the reply. That's fair enough and my bad. So the issue occurs regardless of anything I have tried. For example, with default settings, WAN obtaining an IP via DHCP from my ISP and LAN with the default 192.168.1.0/24 scope, I can get the internet working but any opnsense domain (example opnsense.org/forum.opnsense.org) becomes unreachable; this includes fetching updates. This exact same setup on my old hardware (Acer desktop PC with additional NIC) has no issues at all and never has, even with more advanced settings with firewall rules, Natting, OpenVPN, ACME etc. The new N100 Fengsheng has this exact issue with reaching Opnsense domains and updating no matter what settings I have configured. I've messed around with various MTU values and have completely disabled IPV6 with no success.

Further to note, the 'promiscuous mode' is extremely unusual and I would have never turned it on if it wasn't the only way I could get opnsense domains working. Mind you, the old Acer PC never needed this mode selected. The mode was only ever needed on the new N100 when version 24.7 was out. Ever since version 25.1, promiscuous mode stopped doing the trick and now nothing works :(

The issue is extremely odd and I was just hoping someone else had a similar experience that ended up finding a resolution. Perhaps someone with the same N100 Fengsheng from cwwk. Or just some ideas regarding some configurations I could try.

I'll have a gander at the how-to you have sent me to see if anything can help me.

As long as you can browse the internet without other issues I don't see how this is HW related. The only thing missing and required by that CPU is the os-cpu-microcode-intel-1.1 package and that's an easy fix once the main issue is addressed.


You haven't said anything about DNS configuration/troubleshooting and the update mirror you're trying. What is the output for these commands on the FW?


    host opnsense.org

    host opnsense.org 1.1.1.1


Also from a machine in the LAN


    nslookup opnsense.org

    nslookup opnsense.org 1.1.1.1

Hey newsense. Obviously I haven't been able to check all domains and there could be other sites I cannot reach. I think Wiki acts a little strange and takes longer to load. I've tested a majority of mirrors and they all do the same, so not mirror related.

As for DNS troubleshooting:

From PC on LAN - Opnsense.org successfully resolves to an IP via nslookup using cloudflare DNS server 1.1.1.1. This is the result on both desktop PC and Laptop.

As for nslookup on the Opnsense machine, it also successfully resolves to an IP using 1.1.1.1.

All these signs suggest that Opnsense.org should be reachable via my browser, but it isn't. I'm perplexed. I can't even install the os-cpu-microcode-intel-1.1 package as package installs do not work with this issue either.

Here is a link to a video I recorded showing the default Opnsense settings and internet issues I'm experiencing. I made this in part because some reddit user was adamant it is user error and that I've fiddled with firewall rules etc when I indeed have not. I actually work in networking so have a fairly good, but not expert understanding when it comes to switching, routing and firewalls.

Video - https://vimeo.com/1074983630/6ff25e58c0?share=copy

Nslookup from PC on LAN results:

13/04/2025  07:25.51  /home/mobaxterm  nslookup opnsense.org

Name:      opnsense.org
Address 1: 89.149.225.137
Address 2: 2001:1af8:2050:a001:1::1

Is unbound running there? Do you see anything relevant in the logs?

Did you change any of the default settings related to DNS?


If you add 1.1.1.1 to System - Settings - General can you update the FW?

I've tested unbound enabled which is by default. I've tried disabling it and no change. I've also added 1.1.1.1 as the DNS server in the general settings, FW still doesn't update - stuck on fetching, doesn't stop fetching until I reboot the FW.

I'll check the logs a bit later today when I am back at home. From memory I was unable to find anything significant in there last time though.

A reddit user has suggested updating the i226-V drivers which I'm going to test once I figure out how to with FreeBSD (lol)

Also found this reddit sub talking about how unstable the i226-V is... wondering if I done effed up getting this mini server - Reddit Post

Quote from: tweakybam on April 13, 2025, 08:47:23 PM
A reddit user has suggested updating the i226-V drivers which I'm going to test once I figure out how to with FreeBSD (lol)

Also found this reddit sub talking about how unstable the i226-V is... wondering if I done effed up getting this mini server - Reddit Post

This is bonkers, there's no driver to update outside regular OPNsense updates. Once the DNS issue is addressed you're good to go

I'm really struggling to make any sense of this issue aye. I just don't understand how the same default configuration can work on my old ACER PC no issues but I cannot get it working on the N100... it should be working with this config!

Anything interesting on System > Firmware > Run an audit (to the right of "check for updates")?

Are you using the system nameservers in Unbound? I found that I had to override manual settings and allow the DHCP assigned name servers and then things worked, might be worth a try.

Click on the picture below to make it big enough to read, I can't remember how to put the image inline.

The DNS being functional does not say anything about IPv6 in general. Since that is preferred per default, it might be defective, potentially on your OpnSense box itself, such that your PC can work with dual-stack sites (probably by falling back to IPv4) but your OpnSense still cannot get the updates because of IPv6 being broken.

You should methodically test for full IPv4 and IPv4 functionality from both OpnSense and your LAN devices, i.e. ping, traceroute known IPs.

As to why your old setup does not work any more, it can well be that the fact that you carried over your setup may be the culprit, say, if you missed some inherent parent interface names that are still on igbX or if you have tunables that are not migrated.

Before you exactly know what works and what does not, it is futile to look for a cause, though.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
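
Added example, not part of the thread or any poster's code: a per-family reachability check for the case raised in the last reply, where a dual-stack name resolves fine but one address family cannot connect. The function names, the port 443 default and the result labels are assumptions made for this sketch; resolver and connector are injectable so the logic can be exercised without network access.

```python
import socket

FAMILIES = (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6))

def tcp_connect(family, sockaddr, timeout):
    """Open and close one TCP connection; raises OSError on failure or timeout."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)

def probe(host, port=443, timeout=5.0, resolve=socket.getaddrinfo, connect=tcp_connect):
    """Test each address family on its own so a silent fallback cannot hide a failure."""
    report = {}
    for name, family in FAMILIES:
        try:
            sockaddr = resolve(host, port, family, socket.SOCK_STREAM)[0][4]
        except socket.gaierror as exc:
            report[name] = ("no-address", None, str(exc))
            continue
        try:
            connect(family, sockaddr, timeout)
            report[name] = ("ok", sockaddr[0], "")
        except OSError as exc:  # covers timeouts and "no route to host"
            report[name] = ("unreachable", sockaddr[0], str(exc))
    return report

def diagnose(report):
    """Reduce the per-family results to one label (labels are this sketch's own)."""
    v4, v6 = report["IPv4"][0], report["IPv6"][0]
    statuses = {v4, v6}
    if "ok" not in statuses:
        # Nothing connects: either no records at all, or records but no path.
        return "dns-failure" if statuses == {"no-address"} else "no-connectivity"
    if v6 == "unreachable":
        return "ipv6-broken"   # name resolves, but the IPv6 path stalls
    if v4 == "unreachable":
        return "ipv4-broken"
    return "ok"

if __name__ == "__main__":
    rep = probe("opnsense.org")
    for fam, (status, addr, detail) in rep.items():
        print(f"{fam}: {status} {addr or '-'} {detail}")
    print("diagnosis:", diagnose(rep))
```

Running it on the firewall and on a LAN client and comparing the two reports separates a name-resolution problem from a broken path in one address family.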