
Topics - Taunt9930

#1
26.1 Series / 26.1.1 MTU Issues on PPPoE
February 08, 2026, 06:57:47 PM
Hi all, I upgraded from 25.7.11_9 directly to 26.1.1 as I elected to wait for the *.1 patch before I made the move.

Immediately upon upgrading, my internet has become 'troublesome', generally laggy with slow notifications from my cameras etc. One thing that is entirely repeatable is speedtests are significantly reduced, when they run. If I try speedtest.net it seems to take ages finding the optimal server, and when I run the speedtest I get about 400-600 down on a 950 connection, after it taking a while to start. On occasion, it fails to run the speedtest at all and throws an error.

If I go back to my 25.7.11_9 snapshot, all is well again. If I return to the 26.1.1 snapshot, back to the same problems consistently.

I have had a poke about, and cannot see anything obvious. But, consistently 25.7.11_4 is fine, and 26.1.1 has these issues. I run a pppoe connection with Zen in the UK. MTU for the WAN Interface is set to 1508 (for Calculated PPP MTU:1500) as it has always been. Changing this to 1500 made no difference - for some reason it smelt a bit like an MTU issue. I have disabled any shapers/pipes, Zenarmor and no different. Going back to 25.7.9_4 solves it instantly.

Where can I start looking / what can I do to try and narrow down the issue? I am keen to work it out and stay on 26.1.1. Thanks.

Upload appears not to be affected

#2
Hi all,

Has anyone experienced Kea not respecting reservations? I have a static reservation set (172.16.60.100) that was successfully allocated to a device and renewed for several days. I rebooted the device (update), and upon coming back up and requesting an address, Kea tagged it as a conflict address and so allocated it from the pool, rather than static address. I have checked the MAC, and that has not changed.

Kea log below (latest at top) - how can I stop this happening? Is it just a case of the renew/request after the reboot being too soon after the latest lease allocation (1.5 minutes or so)?

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_SEND [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: trying to send packet DHCPACK (type 5) from 172.16.60.254:67 to 172.16.60.1:68 on interface vlan06

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.leases.0x2e709a1b4000] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: lease 172.16.60.1 has been allocated for 4000 seconds

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_RECEIVED [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: DHCPREQUEST (type 3) received from 0.0.0.0 to 255.255.255.255 on interface vlan06

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.dhcp4.0x2e709a1b4000] DHCP4_QUERY_LABEL received query: [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_SEND [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: trying to send packet DHCPOFFER (type 2) from 172.16.60.254:67 to 172.16.60.1:68 on interface vlan06

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.leases.0x2e709a1b4000] DHCP4_LEASE_OFFER [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: lease 172.16.60.1 will be offered
Remote ID: (none)
Relay ID: (none)
State: default
Pool ID: 0
Subnet ID: 3
Client id: ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9
Hardware addr: 04:17:b6:d2:59:c9
Cltt: 1723710562
Valid life: 4000

2024-08-15T09:30:59 Warning kea-dhcp4 WARN [kea-dhcp4.alloc-engine.0x2e709a1b4000] ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: conflicting reservation for address 172.16.60.100 with existing lease Address: 172.16.60.100

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_RECEIVED [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: DHCPDISCOVER (type 1) received from 0.0.0.0 to 255.255.255.255 on interface vlan06

2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.dhcp4.0x2e709a1b4000] DHCP4_QUERY_LABEL received query: [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550

2024-08-15T09:29:22 Informational kea-dhcp4 INFO  [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_SEND [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0x7232ff65: trying to send packet DHCPACK (type 5) from 172.16.60.254:67 to 172.16.60.100:68 on interface vlan06

2024-08-15T09:29:22 Informational kea-dhcp4 INFO  [kea-dhcp4.leases.0x2e709a1b4000] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0x7232ff65: lease 172.16.60.100 has been allocated for 4000 seconds

2024-08-15T09:29:22 Informational kea-dhcp4 INFO  [kea-dhcp4.packets.0x2e709a1b4000] DHCP4_PACKET_RECEIVED [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0x7232ff65: DHCPREQUEST (type 3) received from 172.16.60.100 to 172.16.60.254 on interface vlan06

2024-08-15T09:29:22 Informational kea-dhcp4 INFO  [kea-dhcp4.dhcp4.0x2e709a1b4000] DHCP4_QUERY_LABEL received query: [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0x7232ff65

2024-08-15T08:56:02 Informational kea-dhcp4 INFO  [kea-dhcp4.packets.0x2e709a018200] DHCP4_PACKET_SEND [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0xc0de8be8: trying to send packet DHCPACK (type 5) from 172.16.60.254:67 to 172.16.60.100:68 on interface vlan06

2024-08-15T08:56:02 Informational kea-dhcp4 INFO  [kea-dhcp4.leases.0x2e709a018200] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0xc0de8be8: lease 172.16.60.100 has been allocated for 4000 seconds

2024-08-15T08:56:02 Informational kea-dhcp4 INFO  [kea-dhcp4.packets.0x2e709a018200] DHCP4_PACKET_RECEIVED [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0xc0de8be8: DHCPREQUEST (type 3) received from 172.16.60.100 to 172.16.60.254 on interface vlan06

2024-08-15T08:56:02 Informational kea-dhcp4 INFO  [kea-dhcp4.dhcp4.0x2e709a018200] DHCP4_QUERY_LABEL received query: [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0xc0de8be8


Thanks.
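An added example, not part of the post or of Kea itself: a small Python parser over the kea-dhcp4 lines quoted above (a constructed subset, newest first as the log viewer prints them) that pairs each ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT warning with the most recent DHCP4_LEASE_ALLOC for the reserved address and reports whether the hardware address and the client identifier (cid) match, and how many seconds separate the two. Run over the quoted lines it shows the hardware address unchanged while the cid on the 09:30:59 DISCOVER differs from the cid on the 08:56 and 09:29 leases, with 97 seconds between the last lease and the conflict. The regular expressions assume the line layout shown in the excerpt.

```python
"""Explain a Kea reservation conflict from kea-dhcp4 log lines.

Added example (not from the post): pairs each
ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT warning with the most recent
DHCP4_LEASE_ALLOC for the reserved address and reports whether the
hardware address and client identifier match, and the seconds between.
The line format assumed is the one shown in the post's log excerpt.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+\w+\s+kea-dhcp4\s+\w+\s+"
    r"\[(?P<logger>[^\]]+)\]\s+(?P<msgid>[A-Z0-9_]+)\s*(?P<rest>.*)$"
)
HW_RE = re.compile(r"\[hwtype=\d+ (?P<v>[0-9a-f:]+)\]")
CID_RE = re.compile(r"cid=\[(?P<v>[0-9a-f:]+)\]")
ALLOC_RE = re.compile(r"lease (?P<v>\d+\.\d+\.\d+\.\d+) has been allocated")
CONFLICT_RE = re.compile(r"conflicting reservation for address (?P<v>\d+\.\d+\.\d+\.\d+)")

# Constructed subset of the lines quoted in the post, newest first as the
# OPNsense log viewer prints them.
SAMPLE_LOG = [
    "2024-08-15T09:30:59 Informational kea-dhcp4 INFO [kea-dhcp4.leases.0x2e709a1b4000] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: lease 172.16.60.1 has been allocated for 4000 seconds",
    "2024-08-15T09:30:59 Warning kea-dhcp4 WARN [kea-dhcp4.alloc-engine.0x2e709a1b4000] ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:03:00:01:04:17:b6:d2:59:c9], tid=0x50e1f550: conflicting reservation for address 172.16.60.100 with existing lease Address: 172.16.60.100",
    "2024-08-15T09:29:22 Informational kea-dhcp4 INFO  [kea-dhcp4.leases.0x2e709a1b4000] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0x7232ff65: lease 172.16.60.100 has been allocated for 4000 seconds",
    "2024-08-15T08:56:02 Informational kea-dhcp4 INFO  [kea-dhcp4.leases.0x2e709a018200] DHCP4_LEASE_ALLOC [hwtype=1 04:17:b6:d2:59:c9], cid=[ff:b6:d2:59:c9:00:01:00:01:2d:1d:cc:fb:04:17:b6:d2:59:c9], tid=0xc0de8be8: lease 172.16.60.100 has been allocated for 4000 seconds",
]


def _grab(regex, text):
    """Return the named group 'v' of the first match, or None."""
    m = regex.search(text)
    return m.group("v") if m else None


def parse_line(line):
    """Return a dict for one kea-dhcp4 line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "msgid": m.group("msgid"),
        "hw": _grab(HW_RE, rest),
        "cid": _grab(CID_RE, rest),
        "lease_ip": _grab(ALLOC_RE, rest),
        "conflict_ip": _grab(CONFLICT_RE, rest),
    }


def parse_kea_log(lines, newest_first=True):
    """Parse the lines and return the events oldest first."""
    events = [ev for ev in map(parse_line, lines) if ev]
    if newest_first:
        events.reverse()  # lines sharing a timestamp then keep their real order
    events.sort(key=lambda e: e["ts"])  # stable sort preserves that order
    return events


def explain_conflicts(lines, newest_first=True):
    """For each conflict warning, describe the lease it collided with."""
    last_alloc = {}  # ip -> most recent DHCP4_LEASE_ALLOC event for that ip
    findings = []
    for ev in parse_kea_log(lines, newest_first):
        if ev["msgid"] == "DHCP4_LEASE_ALLOC" and ev["lease_ip"]:
            last_alloc[ev["lease_ip"]] = ev
        elif ev["msgid"] == "ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT":
            prior = last_alloc.get(ev["conflict_ip"])
            findings.append({
                "reserved_ip": ev["conflict_ip"],
                "hw": ev["hw"],
                "cid": ev["cid"],
                "prior_lease_cid": prior["cid"] if prior else None,
                "same_hw": bool(prior) and prior["hw"] == ev["hw"],
                "same_cid": bool(prior) and prior["cid"] == ev["cid"],
                "seconds_since_lease": (ev["ts"] - prior["ts"]).total_seconds() if prior else None,
            })
    return findings


if __name__ == "__main__":
    for finding in explain_conflicts(SAMPLE_LOG):
        print(finding)
```

Feeding the full log export in instead of the constructed subset works the same way; the useful fields to look at in each finding are `same_cid` (whether the client presented the same identifier it held the existing lease under) and `seconds_since_lease`.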

#3
Zenarmor (Sensei) / Have we lost devices?
May 24, 2024, 03:46:02 PM
I've recently upgraded to OPNSense 24.1.7 and Zenarmor 1.17.3 and I've noted that I no longer have a 'Devices' Section in the Zenarmor UI.

I've just checked and Devices is still shown/accessible in the cloud console. Is this a bug with the latest version?

EDIT: I have submitted a report/logs through the UI

#4
Hi All,

I seem to have an issue where I have lost all DNS capability following the update to 23.7.11. I am using Unbound, DoT configured for Cloudflare (I have also since tried Quad9 with no luck). The config has been working for over a year now, with no changes made.

If I manually set a secondary DNS (8.8.8.8) in Windows, I get internet/DNS access. As soon as I delete the alternate and point it to OPNsense, no connectivity. The firewall has no connectivity/DNS either - update checks fail etc.

I have tried restarting unbound, and looked through logs but to be honest I am out of my depth. Rebooted the firewall, no change. Has anyone else had any issues, or any steps I might be able to take to better diagnose the problem?

I'm not certain, but I think it might be only ipv4 with ipv6 working (I don't use IPv6 much, so am not very familiar).

Unbound logs are showing:

2024-01-07T09:38:23   Critical   unbound   [2797:2] fatal error: Could not initialize thread
2024-01-07T09:38:23   Error   unbound   [2797:2] error: Could not set root or stub hints
2024-01-07T09:38:23   Error   unbound   [2797:2] error: reading root hints /root.hints 2:12: Syntax error, could not parse the RR's type
2024-01-07T08:59:48   Critical   unbound   [78925:1] fatal error: Could not initialize thread
2024-01-07T08:59:48   Error   unbound   [78925:1] error: Could not set root or stub hints
2024-01-07T08:59:48   Error   unbound   [78925:1] error: reading root hints /root.hints 2:12: Syntax error, could not parse the RR's type

If I run a checkconf from the shell I get:

root@router:~ # unbound-checkconf /var/unbound/unbound.conf
[1704626241] unbound-checkconf[20216:0] error: pythonmod: can't open file dnsbl_module.py for reading
[1704626241] unbound-checkconf[20216:0] fatal error: bad config for python module

Is that a clue?

Thanks.

#5
Zenarmor (Sensei) / DNS over HTTPS not 'Sticking'
September 30, 2023, 06:49:23 PM
Hello,

I have just upgraded to Packet engine 1.15.1 and I notice that DNS over HTTPS is an option in the 'Security' section (I didn't notice if it was there before).

I have a Home license, with 3 Policies - Guest, Main, and Default (in that order from the top). If I select DNS over HTTPS as enabled on the Main or Guest policy, and click apply changes, it switches off. It stays enabled for default policy, however. Is this a bug?
#6
General Discussion / OPNSense Router behind ISP Router?
September 02, 2023, 02:41:21 PM
Hi All,

I currently have an FTTP Setup in the UK that uses PPPoE (Unfortunately) with only 1 IPv4 Public IP Address available to me, and also IPv6 (Zen UK).

For some time I have been running as OPNSense <-----> ONT setup with my OPNSense appliance establishing/terminating the PPPoE connection directly on the WAN interface.

Due to niggles with BSD not being amazing at PPPoE on some devices (need some grunt) once you start doing packet inspection etc., I started to investigate the option of putting something in front of my OPNsense router to handle/terminate the PPPoE connection and present it to the OPNsense device - effectively 'offloading' PPPoE to the more efficient device. I concluded the only way this would be possible is to have a device able to 'half-bridge' - e.g. terminate the PPPoE and present the WAN IP to the secondary device transparently. Sadly this does not seem possible on any equipment I have access to, as far as I can tell.

Question - is there another way of doing it using a DMZ on the ISP Router, and some kind of static route, or something? Would this mess with NAT rules I have got set-up to allow 2 xboxes on the network to work? I also have multiple VLANs on the internal network, so presumably this also needs to be considered. I always thought the WAN IP had to be presented to the OPNSense box but now I am not so sure!

I would appreciate if there is a sensible way, if someone could describe how to convert my Single OPNSense device setup to one sat behind an ISP router doing the PPPoE encapsulation. Be gentle, I am mostly clueless..

If it's not possible, then happy to be told that as well!

Thanks.
#7
Zenarmor (Sensei) / RSS Intel igb and Netmap Driver
June 28, 2023, 11:27:22 AM
Hi all,

I appreciate that there is a warning/caveat, but has anyone got RSS enabled on the Intel i210 / igb interfaces and all working well with Zenarmor? As far as I can tell, I'm having no issues, but I am also currently having some issues with my provider.

Also, a secondary question - I've been using native Netmap with (as far as I can tell) no issues at all. I appreciate that the emulated driver has had more recent development - is there any advantage or disadvantage to switching to emulated?

Would having RSS enabled influence the Native/emulated Netmap question?

Thanks.


#8
General Discussion / Migrate to new SSD
June 02, 2023, 07:12:59 PM
Hi All,

I had an SSD failure in my OPNsense appliance (Pondesk). Whilst diagnosing the issue, I fitted a 'temporary' 128Gb SSD I had lying around to fault find, and ended up re-building my system. It is an old SSD, so for peace of mind I would like to replace it with a new 250Gb version I now have.

Is there an easy way / best practice to migrate from one SSD to the other? I am a Windows man, so may need some help with shell commands if there is a way to image to an external drive/USB directly - that might be useful for backup.

Equipment I have, that might be useful:

256 Gb USB Stick
1 x USB to SATA Drive adaptor - I could use this to connect to either the appliance (would this work?) or indeed my windows Machine.
128Gb SSD - in Appliance, running OPNSense.
250 Gb SSD - intended target / replacement.
Windows 11 machine with USB (no spare SATA slots, sadly).
I do also have a paid version of Macrium Reflect Home (v8) Installed on my Windows 11 machine.

Filesystem is ZFS

I do, of course, appreciate that there will have to be down-time to swap the drives over - that's fine.

Thanks  :)
#9
General Discussion / UK PPPoE FTTP (Zen)
September 02, 2022, 07:02:39 PM
Hi All,

Is anyone using Zen as an ISP, or any other PPPoE provider in the UK? I have successfully configured my connection using the wizard, and all is working well. However, the tinkerer in me wants to set a 1500 MTU on the WAN connection (out of principle lol) - it is supported by my ISP, and the Openreach ONT supports jumbo frames.

From what I've seen, it should be as simple as setting Interfaces > WAN > MTU to 1500 (Thus showing underneath calculated MTU: 1500, rather than 1492). If I do that, the interface comes up, Interfaces > Overview > WAN interface (wan, pppoe0) shows an MTU of 1500, but I have broken connectivity.

Any clues, what am I missing? Where can I look?

Thanks.
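Both this post and the 26.1.1 PPPoE post at the top of the page describe symptoms that "smell like an MTU issue" after changing the WAN MTU around the 1492/1500/1508 boundary. An added example, not from either post or from OPNsense: a Python path-MTU probe that binary-searches the largest ICMP echo that crosses the link with the Don't Fragment bit set, plus the PPPoE arithmetic (8-byte PPPoE header, so a WAN MTU of 1508 yields a PPP MTU of 1500). The probe function is injected so the search can be exercised offline against a constructed link; the real probe shells out to `ping` using the FreeBSD flags (`-D` sets DF, `-s` is the payload size; on Linux the equivalent is `-M do -s`). The `IP_ICMP_HEADERS` constant and the `simulated_path` helper are this example's own.

```python
"""Path-MTU probe by binary search over DF-marked ICMP echo sizes.

Added example for narrowing down a suspected MTU problem on a PPPoE WAN.
A probe callable is passed in so the search runs offline; ping_df_probe is
the real one for FreeBSD/OPNsense (ping -D = Don't Fragment, -s = size).
"""
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
PPPOE_OVERHEAD = 8    # PPPoE header (6 bytes) + PPP protocol field (2 bytes)


def ping_df_probe(host, payload, timeout=3):
    """Return True if one DF-marked echo of `payload` bytes gets a reply.

    FreeBSD ping flags: -D sets DF, -c 1 sends one echo, -s is the payload
    size in bytes (the IP packet is payload + 28 bytes)."""
    cmd = ["ping", "-D", "-c", "1", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_path_mtu(probe, low=576, high=9000):
    """Binary-search the largest IP packet size that `probe` lets through.

    `probe(payload)` returns True when a DF packet carrying that many ICMP
    payload bytes is answered. Returns the path MTU in bytes (payload plus
    IP and ICMP headers), or None if even the smallest probe fails."""
    lo, hi = low - IP_ICMP_HEADERS, high - IP_ICMP_HEADERS
    if not probe(lo):
        return None  # the link is broken, not merely undersized
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid           # mid fits, so the answer is at least mid
        else:
            hi = mid - 1       # mid was dropped, so the answer is below it
    return lo + IP_ICMP_HEADERS


def simulated_path(mtu):
    """Constructed stand-in for a real link: answers packets up to `mtu`."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu


def ppp_mtu_from_wan_mtu(wan_mtu):
    """PPP MTU seen by IP traffic for a given parent-interface MTU.

    PPPoE adds 8 bytes, so an interface MTU of 1508 gives a PPP MTU of 1500
    and a plain 1500 interface gives 1492 (the 'calculated MTU' OPNsense
    shows under the WAN interface)."""
    return wan_mtu - PPPOE_OVERHEAD


def expected_tcp_mss(ppp_mtu):
    """Largest TCP segment that fits: MTU minus 20-byte IP and TCP headers."""
    return ppp_mtu - 40


if __name__ == "__main__":
    # Offline demonstration on a constructed 1492-byte link.
    print("simulated link path MTU:", find_path_mtu(simulated_path(1492)))
    print("PPP MTU for WAN MTU 1508:", ppp_mtu_from_wan_mtu(1508))
    # Against a real host it would be:
    #   find_path_mtu(lambda p: ping_df_probe("<gateway or far-end host>", p))
```

A probe result below the PPP MTU configured on the interface means something on the path is dropping packets at the size the firewall believes it can send, which is the situation in which large transfers stall while small ones (and uploads from a smaller-MTU client) work.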
#10
22.7 Legacy Series / dhcpdv6 failure
August 22, 2022, 01:54:19 PM
Hi There,

I have an issue where dhcpdv6 keeps stopping, and won't restart, which results in LAN side devices not being served an ipv6 address and subsequently random things seem to stop working on the internet. I'm new to OPNSense, so I may need some direction on what to do/where to look to seek out what the issue is!

I am using a PPPoE Connection (in the UK) on Zen UK. IPv6 is enabled and I get a WAN IPv6 address from my provider. They serve a /48 delegated prefix, through DHCPv6 over the IPv4 interface.

My OPNsense appliance is set up as per the first section 'Setting up IPv6 using DHCPv6' in the OPNsense documentation - https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html#setting-up-ipv6-using-dhcpv6

On initial boot / setup, everything works fine.

After a random period of time (sometimes days, sometimes hours) I notice things timing out on the internet, pages not loading etc - without fail when I look at the Dashboard dhcpdv6 is showing as stopped. I still have a WAN ipv6 address as shown in Interfaces > Overview > WAN Interface (wan, pppoe0). Attempting to restart the service through the dashboard fails. Sometimes, rebooting the appliances brings it back up - every now and then it doesn't, and I have to disable ipv6 and re-set it up for it to work.

As said, if someone can give me a steer on what to do to look for relevant logs, outputs from the shell etc. I am more than happy to go and get the information for someone to help figure this out! I am up to date on 22.7.2, but it did happen on 22.7.1 also.

Thanks.


#11
Zenarmor (Sensei) / Host Names in Reports
August 09, 2022, 12:01:13 AM
Hi there, I have done a search, but nothing I have found appears to work.

On my OPNsense firewall I have allocated static IPs and hostnames for every device that has connected. I use Unbound DNS, and have ticked 'Register DHCP static mappings'. If I do a local check on the network with a netscan, the hostnames as per my static reservations are shown.

However, I cannot get these host names to show in the Zenarmor reports. I have in ZenArmor > configuration > reporting and data ENABLED 'Perform real-time DNS reverse queries for local IP addresses' & 'Use OPNsense Host aliases for DNS enrichment'. I have put the OPNSense firewall LAN IP in 'DNS server IP addresses to do reverse IP lookups:' - is this correct?

I do not have either of the two 'anonymize' or 'do not perform' settings checked in the next section.

Should I not be seeing my Host names as per my DHCP address static reservations, or have I misunderstood?

Thanks,

Jason.
#12
Zenarmor (Sensei) / Number of Users / Devices
July 26, 2022, 09:59:00 PM
Hi All,

I've watched tons of videos and read loads of threads about Sensei/Zenarmor, and one thing that has got me confused is that the terms 'number of devices' and 'number of users' seem to be used interchangeably. I'm looking at using it in a home environment, and if I count all devices on my network - IoT, phones, tablets, cameras, TV etc. - it is close to 100 I reckon. Should I be selecting 100 devices on setup and/or if I want to get a premium license? One of the options is 1-5 - surely today no-one has only 5 devices on their home network, or am I getting confused with terminology?

Thanks. 
#13
General Discussion / Help Printing to VLAN
July 25, 2022, 06:09:32 PM
Hi All,

I've done a lot of searching, and tried various things, but none of the previous examples seem to be exactly like mine (although, I would suggest mine is super-simple!)

Bottom line, I have an HP Printer (8720) on an IoT VLAN. I want to be able to print from my main LAN.

  • I have firewall rules in place so my LAN can see everything on my IoT VLAN
  • I can get to the printer web interface using its IP
  • I cannot print or add the printer through Windows, even using its known IP.

I tried installing os-mdns-repeater and activated it, listening on LAN and IOT VLAN. Now when I search for my printer, I at least see the 'Scanner' part of it. Still no luck with discovering the printer.

I'm assuming I am missing a firewall rule or something, but have quickly got confused in my searching. If so, I assume there is a rule I can set-up to allow printer discovery/printing from the LAN, but not so as I might as well just put it on my LAN in the first place?

I'd appreciate it if someone could help - hopefully a really, really easy one for someone to quickly knock off :-)

Thanks.