r/opnsense

Need a bit of help (web printing issue)......

I'm brand new to OPNsense (running on a Protectli V1410) and I love it. My current issue is it seems the firewall is blocking my networked Brother MFC-L2750DW from web printing. Works fine on local LAN but i cant print from the web (I can save file I need to print as PDF and print locally). I've tried to add a new rule (in the (new) rules section) to pass port 80 and 443 and even IPP 631 but am having no luck. Suggestions?

I'll try again....I used to be able to go to a website (say a recipe site) and hit the print button and the page I wanted a hard copy of would print on my printer. Since I got off of the basic consumer DSL router/firewall and started using OPNsense I can no longer do this.

Current setup:

Starlink in bridge mode goes into Protectli V1410 WAN port running OPNsense. Then the LAN port goes to my TP-Link SG3210X-M2 managed switch. My NAS (X2), main PC, Brother MFC-L2750DW laser printer, 2 JetKVM,s and 2 Intel NUC's all plug into the switch all on static IP's on the same subnet. Everything behind the router works great except i can't print anything off the web without saving it as a local doc first. I hope this helps clarify :)

reddit.com
u/Cypher-Labs — 16 hours ago

are Mac mini 2014s with single ethernet ports not good for home firewalls

NICs unable to handle tagging since I am connecting another thunderbolt cable to connect ethernet via it for the 2nd LAN/WAN port.

reddit.com
u/cptjcksparr0w — 21 hours ago

New VLANs don’t work until rebooted

Hi everyone

I’ve added VLANs to my OPNsense setup, which works fine, except that it doesn’t associate traffic with the VLAN interface until I reboot OPNsense.

I originally had an IP on the LAN interface, removed that in case it was the cause of any issues but the behaviour remains. I was on 25.x and just upgraded to 26.1.2 to see if that fixed it, again, no luck.

If I run a packet capture on the physical interface and filter to my test host’s MAC address I can see DHCP requests with the correct VLAN tag, but if I run the capture on the VLAN interface there’s nothing. Static IP doesn’t work either so it isn’t a DHCP issue. As soon as I reboot the firewall and down/up my VMs NIC it works and stays working.

I am running on an old Lenovo M720 SFF desktop, LAN is on the mobo NIC and WAN is on a PCIE card I bodged into it (though that’s probably not super relevant).

All the hardware features in Interfaces > settings are disabled.

Does anyone have any ideas on how I can fix? Not a world ending issue as I won’t be creating VLANs every day, but still, annoying!

Cheers :)

reddit.com
u/Moist-Secretary641 — 1 day ago
▲ 2 r/opnsense+1 crossposts

OPNSense SR-IOV Passthrough or Full Device Passthrough?

Hey Everyone,

I'm interested in the theory/results of something. I have a proxmox host - hosting an opnsense VM. I already have a dedicated box for opnsense, but I'm looking to move to virtualization (I know, it's probably a poor idea, but I wanted HA Proxy as its own VM and I didn't want it having to route through the switch... but my question isn't about the validity of virtualization... like I said, it's probably a poor idea).

However, while building out... I realized "Hey, I can do SR-IOV and pass-through a virtual function to each of my VLANs instead of just passing through the whole physical device and putting all my VLANs onto the same MLXEN1 port)."

What would the benefits be of this? I tried gemini, but it seems to be thinking that I want to do SR-IOV vs. VMBR (which is not what I'm asking - I'm asking about passing through virtual functions vs. the physical device).

Anyone have feedback on this? Is there any security, speed, or latency gain here (management is an obvious decrease)... wouldn't, in theory, this be avoiding the software layer in opnsense as well by tying it to a nic that it thinks is a physical nic (SR-IOV) vs. it having to route multiple vlans thorugh the same device (port 2 of the device)?

Or... because I'm putting the VLAN on top of it anyway, it's already hitting the software layer and there's essentially no benefit?

Hoping someone with more and better knowledge can either get added to this conversation or direct me.

reddit.com
u/Think-Pattern1558 — 1 day ago
▲ 18 r/opnsense+1 crossposts

[HOW TO] Toggle OPNsense Firewall Rule via Home Assistant (HASS)

Not sure how many people will find this helpful, but wanted to share my documentation for toggling firewall rules via Home Assistant.

https://gist.github.com/zyphermonkey/bb039afa3d382389c60c4d3a0200efb4

Toggle OPNsense Firewall Rule via Home Assistant (HASS)

OPNsense

Create Account for HASS to authenticate with

System > Access > Users

  1. Create account in opnsense with All pages privileges
  2. Click Create and download API key for this user
  3. Create basic auth string for use with cURL.
    1. combine key:secret
    2. base64 encode
    3. prefix with "Basic "
  4. Validate auth string via simple curl command
    curl -k https://192.168.1.1/api/core/system/status \
    -H "Authorization: $AUTH_STRING"
    

Create Alias

For my scenario I want to block a specific MAC so I got it via the DHCP Leases page.
Services>ISC DHCPv4[legacy]>Leases

  1. Go to Firewall > Aliases > New
  2. Info
    • Enabled: checked
    • Name: <Hostname>
      This can be anything you want, but I set it to the Hostname because it makes the most sense.
    • Type: MAC address
    • Content: <mac_address_recorded_from_leases_page>
  3. Apply

Create Firwall Rule

If you don't already have a rule you want to toggle of if you want to create one just for initial testing with HASS.

  1. Go to Firewall > Rules[new]
  2. Create whatever

Get Firewall Rule UUID

  1. Go to Firewall > Rules[new]
  2. Open Browers developer tools (F12)
  3. Click edit on rule
  4. The latest line in the Network tab in Developer Tools should be a GET request to /api/firewall/filter/get_rule/<uuid>
    1. Record uuid for use in HASS commands

Home Assistant (HASS)

Create opnsense auth var in secrets.yaml`

  1. Open secrets.yaml and create new variable with base64 encoded api key from OPNsense.
    opnsense_api_auth: "Basic <base64_encoded key:secret>"
    

Create sensor

Home Assistant needs to be able to know the current state of the firewall rule to effectively toggle it (and show it's status on dashboards).

configuration.yaml

sensor:
  - platform: rest
    name: opnsense_fw_rule_state_yourrulenamehere
    resource: https://192.168.1.1/api/firewall/filter/get_rule/<uuid>
    method: GET
    value_template: "{{ value_json.rule.enabled }}"
    headers:
      Authorization: !secret opnsense_api_auth
    verify_ssl: false

Create switch template & rest commands

  1. Create switch template in configuration.yaml
    template:
      - switch:
          - name: internet_access_yourrulenamehere
            unique_id: internet_access_yourrulenamehere
            state: "{{ is_state('sensor.opnsense_fw_rule_state_yourrulenamehere', '1') }}"
            turn_on:
              service: rest_command.opnsense_rule_on_yourrulenamehere
            turn_off:
              service: rest_command.opnsense_rule_off_yourrulenamehere
    
  2. Create rest commands (apply, enable, disable) in configuration.yaml
    rest_command:
      opnsense_apply:
        url: https://192.168.1.1/api/firewall/filter/apply
        method: POST
        headers:
          Authorization: !secret opnsense_api_auth
        verify_ssl: false
    
      opnsense_rule_on_yourrulenamehere:
        url: https://192.168.1.1/api/firewall/filter/toggle_rule/<uuid>/1
        method: POST
        headers:
          Authorization: !secret opnsense_api_auth
        verify_ssl: false
    
      opnsense_rule_off_yourrulenamehere:
        url: https://192.168.1.1/api/firewall/filter/toggle_rule/<uuid>/0
        method: POST
        headers:
          Authorization: !secret opnsense_api_auth
        verify_ssl: false
    

Validate

Ensure changes maded to secrets.yaml and configuration.yaml are stable check your configuration after saving.

  1. Settings > Developer tools > Check configuration

Use in your dashboards/automations

You should now be able to add the switch and sensor to your dashboards with the following:

  • entity: switch.internet_access_yourrulenamehere
  • entity: sensor.opnsense_fw_rule_state_yourrulenamehere
u/zyphermonkey — 1 day ago
▲ 5 r/opnsense+1 crossposts

Wireguard Roadwarrior Proton

Not sure if this is isolated to just ProtonVPN, but after recent updates we've been dealing with massive amounts of packet loss every so often on our WG tunnels. Didn't matter what server I set up. It would work for a bit and then just out of nowhere start dropping packets. Turns out the Proton RoadWarrior setup may be a bit dated. MTU settings are too big. Even setting it to 1300 was too big. Once I set to 1280, I stopped losing packets. Not sure if this will be a permanent fix, but if anyone else encounters this (seen some reports), this is how it was fixed for us.

UPDATE: Issue returned. Turned MTU down to 1200. Fixed again for now. Not sure what the hell is happening

reddit.com
u/TrekThroughTheStars — 1 day ago

Looking for feedback; Q-Feeds

Hi everyone,

We're the team behind Q-Feeds, a threat intelligence provider focused on delivering IOC feeds and integrations for firewalls (OPNsense), SIEMs, and other security platforms.

We're constantly improving our platform, and we'd really appreciate honest feedback from the community.

If you've used our:

  • Threat Intelligence feeds
  • OPNsense plugin
  • Threat Intelligence Portal
  • Website

...what would you improve? What's missing? What's annoying? What features would make it genuinely more useful?

Don't hold back, we're Dutch, we can take direct feedback. 😄

Also, a small update: we've recently added support for checkout in multiple currencies (EUR, USD, GBP, CAD, AUD, and JPY) to make purchasing easier for customers around the world.

Looking forward to hearing your thoughts!

reddit.com
u/Q-Feeds — 1 day ago

Mail routing over first WAN

I have a second line over 5G, but the adress is dynamic, so I can't send mail over that interface, cause of the missing ptr etc.

I have the same problem with some Customers with RDP connection, that's only allowed over my fixed IP.

ATM I manage that over firewall rules, but for my understanding, it belongs to routing.

In another router, I would group the required ports, select the source address or -range, and then select the interface over which the traffic should be routed.

In OPNsense only destination routing is and only the IPv6 interface is offered; I have a classic Telekom DSL contract with static IPv4 and /56 IPv6 network.

https://preview.redd.it/tq5fvgxxz7bh1.png?width=1354&format=png&auto=webp&s=edb4c45afd841920fc7c1005a212e08e909ddf81

reddit.com
u/USarpe — 1 day ago

Unbound DNS override

Hi all!

First of all; I am pretty new to networking. I got my opnsense running for a few months now. I want to make things a bit nicer, and found the Override host feature.

What I try to achieve:

Now, when accessing a local service (plex for example), I type in the local ip i gave to this service (for example 10.20.30.15)

I would like to reach this op by typing something like Plex.Internal. Before I tried working with plex.local (I like this more), but some research told me using .local for this could be a bad idea.

If I understand correctly, I can use the Override tab to create the plex.internal, and link it to the 10.30.30.15. But somehow, I can't get it to work.

So the question is: what am I doing wrong? Is there an extra step required?

And the second question: what domains would be good to use for this? I don't like the .internal very much, what are good alternatives?

reddit.com
u/Prrg88 — 1 day ago

How to port forward on new Opnsense?

I just upgraded to the new Opnsense 26.1.11, migrated over my firewall rules and now none of my port forward for my game servers are working. It looks like Destination NAT is the new way to do that, but I can't get it right by myself it seems. TBH I always follow guides with Opnsense, I know conceptually what I'm doing, but I don't understand it enough to actually do it myself and all the guide online use the old methods. Maybe it's not different and something else is blocking my port forwards.

u/N1nj4Storm — 2 days ago

Understanding certain websites connectivity issues and possible relevance to Unbound DNS

Hello everyone, I have moved from using commercially available routers to building my OPNsense router using an SFF PC with dual 10G card (WAN/LAN) and I have been quite happy with OPNsense and the flexibility it provides.

I have, however, noticed quite a bit of throttling on certain websites, like YouTube and Facebook where connection may get dropped, or just refuse to load then load fine after refresh.

My current set up:

VLANs: I have 4 VLANs (Admin, General, Guest, Webserver). I have two managed switches that are also configured to support those VLANs and no device on the whole network is VLAN aware as it is all handled by switches/router.

Unbound DNS: listens on port 53 across my 4 VLAN interfaces (WAN interface excluded). It is set up to use DNS over TLS with DNSSEQ enabled. I had Quad9 servers initially, but found them very unreliable and currently using Cloudfair and Google as secondary.

DNSMASQ: for local queries only (listens on port 53053) to resolve local network hostnames, queries targeting my router hostname will be forwarded to this by Unbound.

----------------------------------

I previously had many issues with Unbound timing out and thrashing, and if a sudden rush of DNS queries came from a device, Unbound would just stop responding altogether. I am talking about ~500 queries/s causing the service to shutdown. I have since expanded the cache size and the threads available, and stress tested the service by running +30k queries per second and it handled the test very gracefully and kept running just fine.

I also had issues with blocklists blocking many things I use, so they have now been completely disabled.

Last but not least, I do have several domains hosted and exposed using my public IP. That includes a mailserver, and several other domains/subdomains.

---------------------------------

With that in mind, I run into many issues with YouTube specifically, where it would disconnect completely, refuse loading comment/chat sections, constantly saying "Action not allowed", and this behavior is the same across all devices on the network, and on different YouTube accounts. Whenever I connect to VPN, those issues disappear for YouTube.

I have tried forcing DHCP release from my ISP by spoofing a MAC address for my WAN interface, it worked and I was able to get new IP (my ISP does not allow static IPs). That resolved the issue with YouTube for a few days, then it went back exactly to how it was before.

--------------------------------

I have thought of different reasons that could cause the issue:

  1. Misconfiguration in OPNsense on my end causing the behavior after some time passes.

  2. YouTube flagging my IP and throttling it.

  3. ISP is throttling my traffic to YouTube, given that is my most visited website in my network.

  4. My IP is being blacklisted on CDN level? Maybe the fact I have several sites hosted on the same IP is causing some issues flagging my IP in CDNs? I do know I am on two blacklists: RATS Dyna and Spamhaus ZEN, both of which list all DHCP ranges from commercial ISPs as blocked to prevent mail delivery. I could not find my IP blacklisted in other blacklists.

My IP is NOT behind GCNAT, my router WAN address is the same address exposed to the public.

My network devices are not compromised nor does any device act as part of any botnet, I do monitor my traffic.

I have been trying for months to determine what is happening and I am at a loss. I would like to rule out OPNsense from the equation, any suggestions to help me do that will be greatly appreciated.

Note: I will be changing ISP soon, and getting 2 static IPs, one will be dedicated specifically for my mailserver.

reddit.com
u/DisastrousWelcome710 — 2 days ago

wireguard and 26.1.11 bug on boot?

Hey OPNsensers :)

I upgraded to 26.1.11 and on reboot, my wireguard does not come online. There is an error in the log:

2026-07-02T10:35:54	Error	wireguard	 /usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg0' '/usr/local/etc/wireguard/wg0.conf'> returned exit code 1 and the output was "Name does not resolve: `my.foobar.server:123' Configuration parsing error"

To make things work, I disabled and re-enabled my instance and peer and wireguard came back online.

By the error, I'm guessing wireguard tried to resolve my wireguard server but the internet was still down or Unbound DNS hadn't started yet?

u/Maria_Thesus_40 — 2 days ago
▲ 9 r/opnsense+1 crossposts

Realistic idle power + 10G throughput expectations for i5-14400F + X710-DA2 + OPNsense?

Hey all,

I'm Planning a new OPNsense build and trying to get a realistic idea of idle power and real-world throughput before I order everything. Would appreciate input from anyone running similar hardware.

Planned build:

  • CPU: Intel i5-14400F
  • Motherboard: MSI B760 Gaming Plus WIFI DDR4 (ATX)
  • RAM: 16GB DDR4
  • PSU: Seasonic Focus SGX-650 (SFX)
  • NIC 1: Intel X710-DA2 (dual SFP+ 10G)
  • NIC 2: Intel I226-V (dual 2.5G)
  • Case: 3U rackmount, 33.5cm depth

Question 1: Idle power / C-states

How much does the X710-DA2 actually hurt idle power and C-states on FreeBSD in practice? I've read that PCIe cards in the CPU-connected x16 slot can block deeper C-states (stuck at C2/C3) while putting the card in a chipset connected slot instead sometimes helps reach deeper states. My board has a chipset-connected PCIe x16 slot (x4 electrical) in addition to the CPU slot, so my plan is to put the X710-DA2 there and keep the CPU lanes empty.

Has anyone measured this in practice on OPNsense/FreeBSD specifically (not just Linux)? Trying to figure out if this is a real difference or mostly theoretical for BSD.

Question 2: Does the i5-14400F actually push 10Gbit at all?

Basic routing aside, has anyone actually pushed close to 10Gbit/s through an X710-DA2 on OPNsense with this CPU class? Trying to figure out if line rate is realistic or if I'll hit a wall somewhere below that just from routing overhead.

Question 3: What about 10G with Suricata IDS/IPS enabled?

This is the one I'm most unsure about. With IPS mode active (inline, via netmap), what throughput is actually achievable on a 6P+4E CPU like the 14400F? I know Suricata's packet reinjection in IPS mode is limited to a single thread, so I'm wondering if that becomes the real bottleneck long before 10Gbit, regardless of how many cores the CPU has.

If anyone has real numbers (even rough ones) for sustained throughput with IPS enabled on similar or comparable hardware, that would be extremely helpful.

Trying to get a realistic picture before I commit to parts. Any real world numbers (wattage at the wall, throughput with/without IPS) with similar CPU/NIC combos would be hugely appreciated.

Thanks!

reddit.com
u/Spleiter75 — 3 days ago

Cloud Gateway Ultra OPNSense interface issue

Hi,

I'm having an issue with my untrusted interface setting.

My current setup is: Devices → Cloud Gateway Ultra (CGW) → OPNsense → Verizon Fios Router → Internet

I have configured two VLANs inside my CGW, one of which is an untrusted IoT network. I set the VLAN ID to 10 on both the CGW and OPNsense; however, my untrusted IoT devices are not routing through the OPNsense untrusted interface.

What am I doing wrong?

u/gcdinc — 3 days ago

new opnsense user, looking to open SSH and webui to WAN

I'm not looking for "you shouldn't do that,that's a bad idea" type advice, I'm just plain not figuring out how to open management services to the WAN after having been an opnsense user for about an hour and finding nothing relevant on the google.

opnsense will not be a firewall for me, it will not be used for any kind of security, it will not even have an internet connection, it's just router B getting a DHCP address on it's "WAN interface" from router A within an offline private LAN, and I want to be able to manage it from one of the "green computers" in the diagram that are plugged in to router A instead of only being able to manage it from the "blue computers" plugged in to router B (opnsense).

------------------------

EDIT: Resolved! I needed to both create rules to allow 443 and 22 on the WAN interface, as well as go to Interfaces > [WAN] > uncheck "Block private networks", because my "WAN" address is just another private network range.

u/Even-Truck-3851 — 3 days ago
▲ 144 r/opnsense

OPNsense 26.1.11 released

26.1.11_5:

  • firmware: support for patch release matching
  • openvpn: add a specific regex constraint for static keys to fix previous safeguarding

26.1.11_3:

  • system: hasPrivilege() not merging user privs correctly (reported by iys8)
  • firewall: fix some small issues in menu registration for legacy pages
  • monit: re-allow spaces in start, stop and condition

26.1.11:

  • system: configuration line injection via multiple GUI text fields (reported by lujiefsi)
  • system: add missing legacy_html_escape_form_data() for $a_cert on administration settings (reported by Jonas Ampferl of Hacking Cult)
  • system: lockout: address newline injection and correct IP parsing (reported by lujiefsi)
  • system: add "local_uri" type in SanitizeFilter() and use it to avoid hardcoding
  • system: several compatible adjustments for upcoming PHP 8.5
  • system: fix ACL pattern for carp_status action (contributed by Etienne Girault)
  • system: enhance live log widget (contributed by Greelan)
  • firewall: safeguard ISO country codes in alias download (reported by Jonas Ampferl of Hacking Cult)
  • firewall: escape user-controlled values in tooltip attributes (reported by Jonas Ampferl of Hacking Cult)
  • firewall: add the same new rules GUI design to the MVC NAT pages
  • firewall: add CSV download/upload to MVC NAT pages
  • firewall: add migration for outbound NAT into source NAT page
  • firewall: destination NAT: display effective port when local-port is omitted
  • firewall: source NAT: allow empty target which means the interface address
  • firewall: source NAT: skip rendering rules when mode is not advanced/manual or hybrid
  • firewall: improve performance on MVC pages using virtualDOM
  • firewall: allow WAN as "associated interface" for NPTv6 when prefix ID is set
  • firewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)
  • firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulation
  • firewall: show rule counts that can be exported and hide tab if no rules exist
  • firewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request
  • firewall: add validations for "No RDR" option to prevent target and local-port being set
  • firewall: skip alias on new rules GUI apply
  • interfaces: prohibit the use of advanced DHCP option settings by non-administrators
  • interfaces: properly format API times to ISO format and convert timezone for display in automatic discovery
  • captive portal: pass in ip_address as a set for accounting
  • firmware: fix small glitch that re-prompts for showing community plugins
  • kea: add widget to show DHCP leases
  • kea: simplify model option values
  • monit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rights
  • network time: fix stored XSS in GPS init string display (reported by Jonas Ampferl of Hacking Cult)
  • openvpn: prevent path traversal in "common_name" attribute (reported by lujiefsi)
  • openvpn: escape client common_name in connection-status views (reported by Jan Kahmen of turningpoint and lujiefsi)
  • openvpn: simplify model option values
  • mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes (reported by Jonas Ampferl of Hacking Cult)
  • mvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)
  • mvc: DescriptionField: disable special and newline characters
  • mvc: FileObject: fix exception bug (contributed by Greelan)
  • mvc: also do not translate empty labels in grids
  • mvc: give throwReadOnly() a sibling named throwNotFullAdmin()
  • mvc: use camelCase for carp_status action
  • ui: bootgrid: minor optimizations
  • ui: add generic escaping function htmlSafe() for JavaScript
  • plugins: os-cloudflared 1.1
  • plugins: os-freeradius 1.10.2
  • plugins: os-vnstat 1.4
  • src: vm: use-after-free in device pager page list
  • src: execve: local privilege escalation via execve(2) TOCTOU race
  • src: openzfs: multiple vulnerabilities in OpenZFS
  • src: libalias: bffer overflow in libalias RTSP handler
  • src: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flag
  • src: tcp: use-after-free in TCP RACK stack option handler
  • src: posixshm: multiple vulnerabilities in POSIX largepage objects
  • src: audit: incorrect audit records for ptrace(2) syscall requests
  • src: ktls: remote DOS via uninitialized memory access in KTLS receive
  • src: linux: kernel stack disclosure in Linux compatibility layer
  • src: iconf: multiple vulnerabilities in iconv(3)
  • ports: curl 8.21.0
  • ports: expat 2.8.2
  • ports: ldns 1.9.2
  • ports: lighttpd 1.4.84
  • ports: phalcon 5.16.0
  • ports: py-duckdb 1.5.4
  • ports: syslog-ng 4.12.0
forum.opnsense.org
u/fitch-it-is — 4 days ago

Traffic Shaper on multiwan(PPPOE+DHCP)

Hi

Does traffic shaper works for both uplinks in latest version ? I have struggled with it somehow because shaper worked only for PPPOE but not for DHCP and I need shaper to work on both.

I have tested as follows:

Turn download on both WANs, switch on shaper on PPPOE link, works correctly. Now I have switch on shaper for WAN2(DHCP) but it does not shape anything.

Somebody with same results ?

reddit.com
u/GezusChristSuperstar — 3 days ago

IPv6 experiment - RADVD for GUA, DNSMASQ for ULA... possible? (Theory / Experiment)

Prefacing this post with my concept being something completely experimental/theoretical to see what is/isn't doable. I'm keenly aware of "happy eyeballs" putting GUA > IPv4 > ULA as of the time of this post (for future AI bot scrapers).

I would like to accomplish the following, if possible:

My ISP gives me a /56 that has the quirk that it changes every time my PPPoE is redialed / opnsense reboots. It's therefore not a truly stable address pool, if I am being pedantic, for internal addressing.

My preference is to use radvd for the GUA assignments. Why? radvd sends shutdown and prefix deprecation messages that DNSMASQ does not appear to do. I have a few clients that are sticky to the old GUA prefix without these messages, causing a few odd headaches with clients keeping now-dead prefix addresses active.. Please correct me if DNSMASQ does in fact send these shutdown and deprecation messages!

I'd like to assign a ULA /64 to an interface and use only DNSMASQ distribute addresses from that ULA /64 range via SLAAC and/or DHCPv6. DNSMASQ is preferred for this scenario so that I can then automatically register clients in DNS as well. Added bonus would be that I can assign other services (NTP etc.) via a stable, internal IPv6.

I do not want DNSMASQ assigning GUA DHCPv6 addresses due to their stateful nature and the changing prefix. DNSMASQ should only be giving ULA DHCPv6 addresses given the pool's stability; being stateful here is a-ok.

I've done a bit of tinkering and can get radvd to advertise the ULA without issue, but without the DNS benefit I am trying to achieve with DNSMASQ. I'd also like to avoid adding static lookups to unbound.

Thanks!

reddit.com
u/FUNTOWNE — 4 days ago

OPNSense Firewall Backup stand in

Friends,

Right now, I am running 100% with OPNSense integrated with Proxmox hypervisor.

There have been times that I needed to re-do my Proxmox hypervisor and have had 100% downtime. The people in my house "Mrs." and my two sons "that miss their cartoons" complain..;-)

So I started wondering can I install OPNSense in Oracle VirtualBox and use this as a temp firewall/router while I am resolving what ever issue with Proxmox hypervisor could be experiencing?

I have had success prior installing OPNSense in VirtualBox but never making it as my main router for standby.

To understand my network
- Cable modem is connected to my LAN in on my MS01 Minis Forum box. LAN out goes into my network panel to my Ubiquity Network. From there OPNSense provides the IP address via DHCP inconjunction with the Network switch.

My laptop is connected through the patch panel direct via ethernet. Only thing that I can think of is that the laptop would need to mirror the MS01 Minisforum for the ethernet ports and one port would not suffice?

Ideas, Suggestions?

reddit.com
u/tvosinvisiblelight — 4 days ago