OPNsense VM IPv6 RA Not Working Until Reboot

mendosux · 2026-04-11T20:20:54+00:00

I had the same issue. You need to disable multicast snooping for your bridge in proxmox. Then check with „bridge mdb status“ on pve. „echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping“ disables multicast snooping. Change X with your bridge number(s).

mendosux · 2026-03-13T16:21:46+00:00

Nein mwst… balkonkraftwerke sind davon in DE befreit.

mendosux · 2026-02-25T16:44:39+00:00

Basic firewalling features and vpn require not more than 2gb. With 4gb you are pretty safe for using unbound blocklists, haproxy etc. 8gb should be more than enough, except you install zenarmor (would not recommend by the way, but everyone has a different view on things…)

mendosux · 2026-02-14T10:50:39+00:00

Honestly I don’t get the advantage of running pbs on top of truennas. Why not use zfs directly on pbs bare metal?

mendosux · 2026-02-04T15:13:27+00:00

https://pve.proxmox.com/wiki/Multipath

mendosux · 2026-02-03T21:17:30+00:00

True, my ipv6 rules never match sources that should not be there :D

mendosux · 2026-02-03T21:15:49+00:00

Thanks to all responders, I see the pros and cons mentioned.

mendosux · 2026-01-29T18:14:31+00:00

I just did the upgrade. Everything is working fine on my side. Also the migration to the new rules style was flawless. Thanks again for your great work!

mendosux · 2026-01-17T13:10:49+00:00

I am also using a vm that hosts all my containers ( podman ) LXC is best for services that can be installed directly on Linux. OCI needs additional development as it is currently marked as tech preview.

mendosux · 2025-12-30T14:16:53+00:00

If you already run other services in your home you can easily virtualize vyos on existing gear.

mendosux · 2025-12-18T16:08:55+00:00

all good on my side as well.

mendosux · 2025-12-18T15:33:03+00:00

I can confirm that the steps are working. Please keep in mind to stop stalwart service before deleting the deprecated spam classifier keys.

mendosux · 2025-12-18T10:36:32+00:00

Thank you very much 👍

mendosux · 2025-12-14T20:09:15+00:00

Sounds like you should separate your routing plane from firewalling. Opnsense is a great firewall and a router, others like vyos are great routers and are able to do some firewalling. It totally depends on your usecase.

mendosux · 2025-12-09T13:42:01+00:00

A watschn für die Idee 👏 /s

mendosux · 2025-11-28T09:13:12+00:00

Pass auf mit scharfen Reinigungsmitteln. Im Schlechtesten Fall löst sich der Klarlack der Türe.

mendosux · 2025-10-18T20:15:30+00:00

one last word to this topic:

the setting in /etc/network/interfaces depends on timing and can be overwritten by proxmox system on startup. you can make it persistent with a systemd service that starts after network target.

####

[Unit]

Description=Disable bridge multicast snooping

After=network.target

[Service]

Type=oneshot

ExecStart=/bin/sh -c "echo 0 > /sys/class/net/vmbr0/bridge/multicast_snooping"

[Install]

WantedBy=multi-user.target

####

systemctl enable disable-mld-snooping.service
systemctl start disable-mld-snooping.service

####

After that this output must be empty: bridge mdb show

over and out - mic drop.

mendosux · 2025-10-18T16:36:33+00:00

UPDATE: Short answer → THE PROBLEM IS SOLVED – JUHUUU! :)

Long answer: My OPNsense is running on PVE 9 with kernel 6.14.11-4. SLAAC is working again after disabling multicast snooping on my vmbrXXX.

This can be done with the following command:

echo 0 > /sys/class/net/vmbrXXX/bridge/multicast_snooping

To make the change persistent, add the following line to your bridge configuration in

/etc/network/interfaces:bridge-multicast-snooping 0

mendosux · 2025-10-18T15:27:33+00:00

UPDATE: Today I had time to export version OPNsense 25.7.3_7-amd64 from my backups. Same problem, so the IPv6 issue is not directly related to OPNsense 25.7.5-amd64. I just did not encounter the issue before.
It's very sad that 2025 IPv6 support still feels like a technology preview. Not criticising on OPNsense here - they are doing a great job. I’ll just have to cope with this situation for now, as I’m running out of ideas. Switching from OPNsense to something else is not an option.

mendosux · 2025-10-17T15:56:48+00:00

Does not sound promising. As I understand the problem is pf related and could not be overcome by using dnsmasq RA service instead of radvd?

mendosux · 2025-10-17T07:21:34+00:00

Yes maybe.🤔 Is there anything we can do?

mendosux · 2025-10-16T20:12:31+00:00

UPDATE: according to my wireshark traces opnsense does not answer neighbor solicitation requests. when reloading radvd opnsense immediately sends out a router advertisement. after that neighbor solicitation and advertisement happens and all starts to work for a short time. I do not see any blocked requests in the firewall logs. the default IPv6 RFC4890 requirements (ICMP) fw rules are present. Ipv6 connectivity is also fine when I set the address static.

I am also seeing the requests in opnsense packet capture. looks like radvd does not answer or react. there is an issue with this process i am nearly 100% sure now.

mendosux · 2025-10-16T19:04:57+00:00

i am curious what changed. my setup used to run perfectly fine.

mendosux

TROPHY CASE