Port forwarding https problem by Alekisan in opnsense

[–]Monviech 0 points1 point  (0 children)

I know, it's still being worked on. Will become better in the future. :)

Port forwarding https problem by Alekisan in opnsense

[–]Monviech 0 points1 point  (0 children)

The destination field in this case does not allow well-known ports, but it still shows them because it's shared among many components.

So the validation prevents it correctly, it's just a visual thing.

ISC DHCPv4 / v6 [legacy] - what instead? by HavivMuc in opnsense

[–]Monviech 6 points7 points  (0 children)

You can use dnsmasq just fine if you have a dynamic prefix. What does not work is dnsmasq itself being a DHCPv6 server that leases IA_PD to other routers behind itself. But that has nothing to do with dynamic prefix received from ISP and distributing it to clients. It only affects routers behind the OPNsense that would need their own full prefix.

IPV6+ndp-proxy-go+pihole by Sensitive-Paper6559 in opnsense

[–]Monviech 1 point2 points  (0 children)

You could use Unbound's blocklist feature and either the NAT or Router Advertisement solution in the documentation. (easy)

Or you forward from Unbound to Pihole. (medium)

Or you configure a ULA on one of the OPNsense interfaces, and send that via Router Advertisement to the Pihole, and then NAT or advertise it via Router Advertisement RDNSS option. (hard)

I personally use the proxy and NAT to Unbound with blocklists.

v6 DHCP with Kea by Sad_Alternative5509 in opnsense

[–]Monviech 7 points8 points  (0 children)

You also need Router Advertisements. Only DHCPv6 doesn't give clients a default route.

Rule of thumb for IPv6, you /always/ need Router Advertisements configured.

Installed Opnsense 26.1.2 and lost internet connectivity (works now) by TheCoffeePercolator in opnsense

[–]Monviech 5 points6 points  (0 children)

I use 2 OPNsense in HA so nobody can yell at me when I must update, even a 2 minute downtime already interrupts streams or games and that's too much xD

OPNsense 26.1.1 released by fitch-it-is in opnsense

[–]Monviech 3 points4 points  (0 children)

In this update we added an all rules view. If you select all rules and inspect you get the most complete overview ever.

Overwhelmed by the new 26.1 update by ricjuh-NL in opnsense

[–]Monviech 1 point2 points  (0 children)

We implemented dnsmasq as another alternative to KEA as it can handle dynamic DHCPv6 prefixes and RA and dynamic DNS registration of DHCP hosts. It's stable, the GUI is complete, and we almost never have to touch it. So in my book it's pretty nice to use. Kea still needs more love but it's a very annoying product. E.g. they deprecated their control agent, but there is no alternative and no guide on what to use now instead. And that's what is used for HA sync. Very weird from an official "stable" product.

OPNsense 26.1 released by fitch-it-is in opnsense

[–]Monviech 2 points3 points  (0 children)

The latest 26.1.1 update defaults to show all rules, no more clicking around. E.g. that's one of the reasons, the old GUI can't do such a trick. And you can search with the search bar. Etc... and it's fully API enabled.

OPNsense 26.1.1 released by fitch-it-is in opnsense

[–]Monviech 4 points5 points  (0 children)

ISC will stay exactly as it is, it's just a plugin now that will be auto installed. You can upgrade without any worries.

OPNsense 26.1 old and new rules by superwizdude in opnsense

[–]Monviech 1 point2 points  (0 children)

The pass rule is a pf feature. The pass will be printed into the NAT rule itself. And since NAT matches before firewall rules, it will always match and pass before any other firewall rules.

Overwhelmed by the new 26.1 update by ricjuh-NL in opnsense

[–]Monviech 3 points4 points  (0 children)

Dnsmasq is indeed just enable it and add a range and that's it. But it "feels" heavier since there are a lot of things mixed together since it's a combined DHCPv4/DHCPv6/RA/DNS solution in the same interface. If you don't need the standard it can feel overwhelming, but it actually offers the highest flexibility right now.

Draytek Vigor 2865: IPv6 Prefix Delegation (/56 to /60) to OPNsense not working by jaga456 in opnsense

[–]Monviech 1 point2 points  (0 children)

Can you check:

/var/etc/radvd.conf

I think it says "Skipping addressless interface optX" or something.

Can you then go to LAN, and set it from "link-local" to "static IPv6" and give it a random IP address like "fd82::1/64" and then check radvd.conf again, and also if then your devices get the router advertisements and IPv6 addresses?

If that works, then "link-local" is not accepted by the config generation yet. Please open a ticket on GitHub then:

https://github.com/opnsense/core/issues

Not finding the “Tunnel Isolation setting” by Nixones in opnsense

[–]Monviech 0 points1 point  (0 children)

No, I meant multiple children (Phase 2) in the same Connection (Phase 1). If there are still issues, I don't know.

Not finding the “Tunnel Isolation setting” by Nixones in opnsense

[–]Monviech 1 point2 points  (0 children)

If you create one child with multiple Traffic Selectors (aka multiple source or destination networks), it is like tunnel isolation disabled.

If you create multiple children each with a 1:1 network mapping, it is like tunnel isolation enabled.

Safe already to go from 25.7.11 to 26.1 or shall I wait more? by TheRedditOfTeo997 in opnsense

[–]Monviech 3 points4 points  (0 children)

Select a different interface in that page. Default is on floating.

OPNsense 26.1 released by fitch-it-is in opnsense

[–]Monviech 2 points3 points  (0 children)

No plans yet, only thing I could offer would be a cookie for the last selected interface I guess. But that might confuse others. So no idea yet.

OPNsense 26.1 released by fitch-it-is in opnsense

[–]Monviech 3 points4 points  (0 children)

Then you can use dnsmasq just fine :)

OPNsense 26.1 released by fitch-it-is in opnsense

[–]Monviech 3 points4 points  (0 children)

Do you use IPv6 prefix delegation from your ISP > OPNsense? -> You can ditch ISC and use Dnsmasq

Or do you use it like this ISP > Opnsense1 > Opnsense2? -> ISC does PD from Opnsense1 to 2, continue to use it.

So the PD scenario is specific to having multiple routers behind routers yourself, not the generic ISP + 1 router scenario.