Topics - donatom3

#1
So I have a server running Docker. I have the server's IP address in as a gateway with a route to one of the Docker subnets. This works great, except since 22.7 the server can no longer get DNS from the router.
The router replies back with 0.0.0.0.53 as the source when I'm checking my packet captures. If I change the IP address of the server but leave the gateway the same it's fine. Then I can change the gateway to the new server IP, but after the next reboot the issue starts again.

Interface   Capture output
LAN (ixl2)  19:45:45.200444 IP 10.0.1.5.43508 > 10.0.10.1.53: UDP, length 51
LAN (ixl2)  19:45:45.200673 IP 0.0.0.0.53 > 10.0.1.5.43508: UDP, length 55

10.0.1.5 is my internal Gateway that I have a single route to.

I notice in the state table all these states show "NO_Traffic:Single". The firewall rule I found for the 0.0.0.0.53 > 10.0.1.5 states all used the "let anything out from firewall" rule.
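An added example, not from the post above and not OPNsense code, that turns the capture into a check a practitioner can run over a tcpdump text dump: it pairs each DNS query with its reply by client address and port and reports any reply whose source address is not the server the query was sent to. The two capture lines are the ones from the post; the second client (10.0.1.7) and its normal exchange are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two lines from the capture above plus one
# normal query/reply pair (the second client, 10.0.1.7, is an assumption).
SAMPLE_CAPTURE = """\
19:45:45.200444 IP 10.0.1.5.43508 > 10.0.10.1.53: UDP, length 51
19:45:45.200673 IP 0.0.0.0.53 > 10.0.1.5.43508: UDP, length 55
19:45:46.000100 IP 10.0.1.7.51000 > 10.0.10.1.53: UDP, length 40
19:45:46.000300 IP 10.0.10.1.53 > 10.0.1.7.51000: UDP, length 72
"""

# tcpdump's IPv4/UDP one-liner: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_capture(text: str) -> List[dict]:
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def find_mismatched_replies(text: str, dns_port: int = 53) -> List[Tuple[str, int, str, str]]:
    """Pair each DNS query with its reply by (client address, client port) and
    report replies whose source address is not the server the query went to.
    Returns (client, client_port, expected_server, actual_reply_source) tuples."""
    outstanding: Dict[Tuple[str, int], str] = {}
    bad = []
    for p in parse_capture(text):
        if p["dport"] == dns_port:            # query: remember which server it was sent to
            outstanding[(p["src"], p["sport"])] = p["dst"]
        elif p["sport"] == dns_port:          # reply: look up the matching query
            server = outstanding.pop((p["dst"], p["dport"]), None)
            if server is not None and p["src"] != server:
                bad.append((p["dst"], p["dport"], server, p["src"]))
    return bad


if __name__ == "__main__":
    for client, port, expected, actual in find_mismatched_replies(SAMPLE_CAPTURE):
        print(f"{client}:{port} asked {expected} but the reply came from {actual}")
```

On the capture above this flags exactly one exchange: 10.0.1.5:43508 asked 10.0.10.1 and got its answer from 0.0.0.0. A stub resolver discards a reply whose source does not match the address it queried (one of the checks that makes response spoofing harder), so from the server's point of view the lookup just times out even though the router did answer.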
#2
21.7 Legacy Series / OPNSense 21.7 ZFS
July 29, 2021, 04:30:30 AM
So my current install was a FreeBSD install using ZFS, and then bootstrapped to install 21.7.
Do I gain anything by reimaging my firewall with the 21.7 ISO vs keeping my current install that's been upgraded to 21.7?
I don't mind taking the extra downtime now if there is an actual difference between the two, or, for all intents and purposes, does the bootstrap install make my machine as stock OPNsense as possible?
#3
Zenarmor (Sensei) / Eastpect only single core?
October 03, 2020, 07:53:24 AM
I just upgraded to a Xeon D-2123IT and am maxing out eastpect on a single core and only pulling 200 down on my gig connection.

Running top -P I see eastpect running maxing out a single CPU.

On my old i5-7600 this was working a bit better, but as you can see, so many of my cores are sitting there idle.
#4
So I think I found out why Unbound eventually starts refusing my lookup requests over IPv6.
When it stops working and I do an nslookup from Windows I get a "query refused" immediately.
It seems to happen any time my IPv6 address from my ISP changes. Restarting Unbound fixes the issue immediately, since Unbound reloads all the current internal network address ranges.

Is it possible to get an Unbound reload to kick off whenever DHCP6 has to change addresses on my WAN port, thus changing them on all my internal networks?

If not, as long as I don't open my DNS up on the firewall, can I just add 2605:e000::/32 to my allow list, since that's Charter's prefix and my internal networks should always fall under those networks? As far as I understand this would allow anyone on Charter to use my DNS, but as long as I never open it up in the firewall they still can't use my DNS server.

I should mention that when this happens DNS over IPv4 still works, but I believe part of the problems I've been having lately with slow lookups have been the PC or browser taking its time to fail over from IPv6 to IPv4.
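An added example, not part of the post and not Unbound or OPNsense code, that reproduces the "query refused" behaviour described above by applying Unbound's access-control matching (the most specific matching netblock wins; an unmatched source is refused) to a constructed ACL before and after the ISP changes the delegated prefix, and then with the Charter /32 from the post added. The specific /64s and the client addresses are assumptions inside 2605:e000::/32; 10.0.1.0/24 is taken from the LAN in the other post.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_access_control(config: str) -> List[Tuple[Network, str]]:
    """Parse Unbound 'access-control: <netblock> <action>' lines.
    Comments and other directives are ignored."""
    acl = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        acl.append((ipaddress.ip_network(netblock, strict=False), action))
    return acl


def acl_action(acl: List[Tuple[Network, str]], src: str) -> str:
    """Action Unbound applies to a query from `src`: the most specific matching
    entry wins; with no match the query is refused (Unbound's built-in default,
    which only allows localhost, so localhost is listed explicitly below)."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, action in acl:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def simulate(config: str, clients: List[str]) -> Dict[str, str]:
    """Decide every client address against the given access-control config."""
    acl = parse_access_control(config)
    return {c: acl_action(acl, c) for c in clients}


# Constructed ACL as it would look while Unbound still holds the old delegated
# /64 (assumed: 2605:e000:1234:5600::/64). Unbound keeps using it until reloaded.
ACL_OLD_PREFIX = """
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 10.0.1.0/24 allow
access-control: 2605:e000:1234:5600::/64 allow   # LAN, old delegated /64
"""

# The workaround floated in the post: allow the whole Charter /32 as well.
ACL_WITH_CHARTER_BLOCK = ACL_OLD_PREFIX + "access-control: 2605:e000::/32 allow\n"

# Constructed client addresses.
LAN_V4 = "10.0.1.20"                      # IPv4 client, unaffected by the change
LAN_OLD_V6 = "2605:e000:1234:5600::10"    # LAN host under the old /64
LAN_NEW_V6 = "2605:e000:1234:5700::10"    # same host after the ISP moved the prefix (assumed)
OTHER_CHARTER = "2605:e000:beef::1"       # some unrelated Charter customer
CLIENTS = [LAN_V4, LAN_OLD_V6, LAN_NEW_V6, OTHER_CHARTER]

if __name__ == "__main__":
    for name, cfg in (("old prefix only", ACL_OLD_PREFIX), ("with Charter /32", ACL_WITH_CHARTER_BLOCK)):
        print(name)
        for client, action in simulate(cfg, CLIENTS).items():
            print(f"  {client:28} -> {action}")
```

With only the stale /64 in the ACL the IPv4 client is still allowed while the same LAN host on its new /64 is refused, which is the "query refused" symptom; the IPv6 address is never reachable again until the ACL is regenerated. Adding 2605:e000::/32 makes the new /64 work without a reload, but the simulation also shows that any other Charter address is now allowed by Unbound itself, so with that entry the WAN firewall rules are the only thing keeping outside clients off the resolver.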
#5
So I upgraded to RC1 this morning. Suricata stops after starting with the error

Jul 9 08:15:25 suricata[27926]: [100117] <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
Jul 9 08:15:25 suricata[27926]: [100117] <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-igb0" failed to initialize: flags 0145
Jul 9 08:15:25 suricata[27926]: [100900] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't register igb0 with netmap: Cannot allocate memory
Jul 9 08:15:25 suricata[27926]: [100833] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't register igb0 with netmap: Cannot allocate memory
Jul 9 08:15:25 suricata[27926]: [100888] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't register igb0 with netmap: Cannot allocate memory
Jul 9 08:15:12 suricata: [100117] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Jul 9 08:15:12 suricata: [100230] <Notice> -- This is Suricata version 4.1.4 RELEASE


Sensei starts and runs but shows no interfaces selected. I use igb0 on Suricata for my wan and igb1 on Sensei for my lan.

Forgot to add that this was all working on 19.1 before the upgrade. I have 16 GB of RAM and an i5-7600K, 6 ports of Intel i211.

Ninja edit #2

Found the below in the general logs. I do have tunables set for the NIC that were working fine in 19.1:
hw.igb.rxd 4096
hw.igb.txd 4096
net.link.ifqmaxlen 8192
hw.igb.max_interrupt_rate 64000

I'll try removing those when I get a chance but not sure if they are the culprit.


Jul 9 16:54:14 kernel: 454.788949 [1916] netmap_mem2_rings_create Cannot allocate RX_ring
Jul 9 16:54:14 kernel: 454.781097 [1015] netmap_obj_malloc netmap_ring request size 65792 too large