Zenarmor (Sensei) / Re: Zenarmor blocking VLAN randomly
« Last post by lorem on Today at 04:57:40 am »
Setting Deployment mode to Passive Mode changes nothing. How is this possible in passive mode? Is something else the real problem?
Zenarmor (Sensei) / Zenarmor blocking VLAN randomly
« Last post by lorem on Today at 02:56:35 am »
This is for a new install with updates. The LAN and DMZ are configured. A PC connected to the LAN is never interrupted. An Android connected to the WiFi router connected to DMZ is getting blocked after a random delay. In Zenarmor->Live Sessions->Blocks tab, the application protocols such as DHCP, QUIC, NTP are showing rejected. But these are allowed in policies. Often the Android is still on the internet without apparent interruption for about 10 - 30 minutes, generating random rejected reports in the Blocks tab. Then it is suddenly totally blocked. If I set Bypass mode it is always suddenly back online with no interruptions.
General Discussion / "Firewall Optimization" State Table setting
« Last post by mgeoffriau on Today at 02:54:00 am »
Firewall > Settings > Advanced > Miscellaneous > Firewall Optimization
Does anyone know what the Normal, High-Latency, Aggressive, and Conservative options actually correlate to in terms of session timeouts? Is that the only thing that controls or does it affect other values as well?
I'm chasing an issue where a persistently-connected application keeps disconnecting. Originally it was happening quite frequently, every 60-70 seconds. After adjusting the Firewall Optimization setting to "Conservative", it's much more stable but still disconnects at regular intervals just over 15 minutes long.
I'd like to know what each of those options actually controls as I have a feeling that somewhere there's a timeout setting that is killing sessions at 900 seconds.
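As an added example (not part of mgeoffriau's post and not OPNsense's own code): the Firewall Optimization setting ends up as a `set optimization <mode>` line in the pf ruleset OPNsense generates (see /tmp/rules.debug), and the per-state idle timeouts that result can be read back with `pfctl -s timeouts`. The helper below parses that output, lists the timeouts that sit close to an observed disconnect interval, and diffs two readings taken before and after changing the setting. The sample output is constructed here in the `pfctl -s timeouts` format using the normal-profile defaults from pf.conf(5); the 65 s and 920 s intervals used in the test are likewise constructed, not measured.

```python
import re
import subprocess

# Constructed sample in the format of `pfctl -s timeouts`, filled with the
# normal-profile defaults documented in pf.conf(5). Replace with live output.
SAMPLE_PFCTL_TIMEOUTS = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s
"""

# "<name>   <N>s" lines only; the "adaptive.* ... states" lines are limits, not timeouts.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)s$")


def parse_timeouts(text):
    """Return {name: seconds} for every timeout line in `pfctl -s timeouts` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def live_timeouts():
    """Read the running pf's values (FreeBSD/OPNsense only; needs root)."""
    out = subprocess.run(["pfctl", "-s", "timeouts"], check=True,
                         capture_output=True, text=True).stdout
    return parse_timeouts(out)


def candidates(timeouts, observed_gap_s, tolerance=0.15):
    """Names of idle timeouts whose value lies within `tolerance` of an observed
    drop interval. pf purges a state that has seen no packet for longer than its
    timeout, so a drop that recurs at a fixed interval usually sits just above
    one of these values (which value applies depends on protocol and state phase)."""
    lo = observed_gap_s * (1 - tolerance)
    hi = observed_gap_s * (1 + tolerance)
    return sorted(name for name, secs in timeouts.items() if lo <= secs <= hi)


def changed(before, after):
    """{name: (old, new)} for every timeout whose value differs between two readings,
    e.g. taken before and after switching the Firewall Optimization mode."""
    return {name: (before[name], after[name])
            for name in before if name in after and before[name] != after[name]}


if __name__ == "__main__":
    t = parse_timeouts(SAMPLE_PFCTL_TIMEOUTS)
    for gap in (65, 920):
        print(f"timeouts near {gap}s: {candidates(t, gap)}")
```

Run `live_timeouts()` on the firewall once per setting and feed the two results to `changed()` to see exactly which values a mode switch touched. Because these are idle timeouts, an application that stays silent for longer than the timeout of its state's protocol family loses its state; a keepalive sent more often than that value keeps the state alive regardless of the mode chosen.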
General Discussion / Re: No internet on LAN, no webgui or ssh access from LAN devices
« Last post by meyergru on Today at 01:28:05 am »
Since Jim from Jim's Garage says he is fine, it seems that those problems may have been fixed in the Linux drivers. Interestingly enough, there are no Intel OEM drivers for FreeBSD for either I225 or I226 in their current Intel Network Driver package 29.1.
Seems I was right (take it with a grain of salt as I did no deep dive):
https://github.com/torvalds/linux/blob/master/drivers/net/ethernet/intel/igc/igc_main.c, starting at line 3150:
Code:
    if (test_bit(IGC_RING_FLAG_TX_DETECT_HANG, &tx_ring->flags)) {
        struct igc_hw *hw = &adapter->hw;

        /* Detect a transmit hang in hardware, this serializes the
         * check with the clearing of time_stamp and movement of i
         */
        clear_bit(IGC_RING_FLAG_TX_DETECT_HANG, &tx_ring->flags);
        if (tx_buffer->next_to_watch &&
            time_after(jiffies, tx_buffer->time_stamp +
                       (adapter->tx_timeout_factor * HZ)) &&
            !(rd32(IGC_STATUS) & IGC_STATUS_TXOFF) &&
            (rd32(IGC_TDH(tx_ring->reg_idx)) != readl(tx_ring->tail)) &&
            !tx_ring->oper_gate_closed) {
            /* detected Tx unit hang */
            netdev_err(tx_ring->netdev,
                       "Detected Tx Unit Hang\n"
                       "  Tx Queue             <%d>\n"
                       "  TDH                  <%x>\n"
                       "  TDT                  <%x>\n"
                       "  next_to_use          <%x>\n"
                       "  next_to_clean        <%x>\n"
                       "buffer_info[next_to_clean]\n"
                       "  time_stamp           <%lx>\n"
                       "  next_to_watch        <%p>\n"
                       "  jiffies              <%lx>\n"
                       "  desc.status          <%x>\n",
                       tx_ring->queue_index,
                       rd32(IGC_TDH(tx_ring->reg_idx)),
                       readl(tx_ring->tail),
                       tx_ring->next_to_use,
                       tx_ring->next_to_clean,
                       tx_buffer->time_stamp,
                       tx_buffer->next_to_watch,
                       jiffies,
                       tx_buffer->next_to_watch->wb.status);
            netif_stop_subqueue(tx_ring->netdev,
                                tx_ring->queue_index);

            /* we are about to reset, no point in enabling stuff */
            return true;
        }
    }
This section detects a TX queue hang after a timeout and then resets the adapter. I found nothing to this extent in the FreeBSD igc driver. Also, there is nothing comparable to this part from the Linux igc driver:
Code:
    /**
     * igc_tx_timeout - Respond to a Tx Hang
     * @netdev: network interface device structure
     * @txqueue: queue number that timed out
     **/
    static void igc_tx_timeout(struct net_device *netdev,
                               unsigned int __always_unused txqueue)
    {
        struct igc_adapter *adapter = netdev_priv(netdev);
        struct igc_hw *hw = &adapter->hw;

        /* Do the reset outside of interrupt context */
        adapter->tx_timeout_count++;
        schedule_work(&adapter->reset_task);
        wr32(IGC_EICS,
             (adapter->eims_enable_mask & ~adapter->eims_other));
    }
24.1 Production Series / Re: Can't access web interface
« Last post by N00bOner on Today at 01:25:34 am »
console - option 11 - restart all services.
Try restart and access https again.
There was similar issue here (resolved already I think):
https://forum.opnsense.org/index.php?topic=38536.0
24.1 Production Series / OPNsense no internet on new fiber connection
« Last post by SammyBoi on Today at 01:06:19 am »
I have been using OPNsense for about a year on my old cable internet connection with no issues. Recently switched to gigabit fibre and so the modem changed.
Everything works perfectly fine with my ISP provided equipment and the new Cat8 cables I bought. But when I try to use my OPNsense PC as the router, there is no internet (but LAN works).
Here's the equipment the ISP gave me:
Nokia XS-010X-Q (Modem, 10 Gigabit speed capable)
TP-Link Deco X50 (Router and WiFi AP)
The NIC I use is the Intel I350-T2. I made sure that it is a genuine NIC too.
Here's what I did:
1) Ensured LAN and WAN ports are correctly configured and plugged in
2) Complete reinstall of OPNsense
3) Tried to see if I can get internet by plugging the PC directly to the modem's ethernet port. No internet. There's internet only if I connect the TP-LINK Deco to the ethernet port and then plug the PC into the Deco. I don't know if this is relevant though.
4) Tried using the old Cat5e cables I had lying around. Still no internet through OPNsense. Only LAN.
5) Checked that the NIC ethernet ports are working. OPNsense auto identifies link connection when manually configuring interfaces for both igb0 and igb1. So both ports seem to work.
6) Wanted to eliminate the switch from being an issue. Directly connected PC to LAN port on the NIC. Still only LAN. No internet.
NOTE: One thing I did notice though is that the "Link State UP" and "Link State DOWN" messages never showed up on the OPNsense live install phase regardless of the cables used. I don't know if that is an issue as auto identification seems to work when manually configuring interfaces.
I am 99% sure the issue is with some OPNsense setting that I don't know about.
Your help would be greatly appreciated by this noob!
Hardware and Performance / Re: BIOS and BMC firmware for Supermicro A2SDi-4C-HLN4F
« Last post by svengru on May 20, 2024, 10:13:42 pm »
I applied it earlier today to two of my servers and had no issues.
All working as expected.
Did the update via UEFI using the built-in console which is fast and easy.
The BMC update is a separate update that I applied via the web interface.
Take note of any BIOS settings as they will all be reset to default by the update.
The BMC update gives you the option to retain all BMC related settings and that worked out fine.
General Discussion / Re: Need help with new setup/install Mini PC, 6x2.5GbE 1 subnet, DHCP on 5 ports
« Last post by Yewtink on May 20, 2024, 10:05:22 pm »
Well my issues have returned and doing some more digging it seems it was a DNS issue.
I had to go in and whitelist.
2.dl.delivery.mp.microsoft.com
7.assets1.xboxlive.com
accounts.xboxlive.com
achievements.xboxlive.com
assets.xboxlive.com
assets1.xboxlive.com
attestation.xboxlive.com
avty.xboxlive.com
cert.mgt.xboxlive.com
chatfd.xboxlive.com
client-s.gateway.messenger.live.com
client-strings.xboxlive.com
clubhub.xboxlive.com
comments.xboxlive.com
compass.xboxlive.com
def-vef.xboxlive.com
device.auth.xboxlive.com
dl.delivery.mp.microsoft.com
dlassets.xboxlive.com
editorial.xboxlive.com
eds.xboxlive.com
epix.xbox.com
epix.xbox.com
eplists.xboxlive.com
fdp-xboxone-ope-game.fromsoftware-game.net
fdp-xboxone-ope-game.fromsoftware-game.net
fdp-xboxone-ope-login.fromsoftware-game.net
fdp-xboxone-ope-login.fromsoftware-game.net
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
fe3.delivery.mp.microsoft.com
g.live.com
gameserverds.xboxlive.com
help.ui.xboxlive.com
images-eds.xboxlive.com
images-eds-ssl.xboxlive.com
inference.location.live.net
instance.mgt.xboxlive.com
leaderboards.xboxlive.com
licensing.xboxlive.com
login.live.com
mediahub.xboxlive.com
networktest.xboxlive.com
nexus.officeapps.live.com
nexusrules.officeapps.live.com
notify.xboxlive.com
peoplehub.xboxlive.com
privacy.xboxlive.com
profile.xboxlive.com
rta.xboxlive.com
s.gateway.messenger.live.com
sessiondirectory.gtm.xboxlive.com
sessiondirectory.xboxlive.com
settings.xboxlive.com
settings-ssl.xboxlive.com
skypexbox.skype.com
social.xboxlive.com
title.auth.xboxlive.com
title.mgt.xboxlive.com
titlehub.xboxlive.com
titlestorage.xboxlive.com
tournamentshub.xboxlive.com
update.xboxlive.com
update.xboxlive.com.akadns.net
update-cdn.xboxlive.com
user.auth.xboxlive.com
userpresence.xboxlive.com
userstats.xboxlive.com
vodcontent-2003.xboxlive.com
vodcontent-3001.xboxlive.com
vodcontent-3004.xboxlive.com
www.xboxlive.com
x1ds.xboxlive.com
xbox.ipv6.microsoft.com
xbox.ipv6.microsoft.com
xboxexperiencesprod.experimentation.xboxlive.com
xbox-mbr.xboxlive.com
xflight.xboxlive.com
xflight.xboxlive.com
xkms.xboxlive.com
xncsi.xboxlive.com
xnotify.xboxlive.com
xsts.auth.xboxlive.com
So far this has fixed the Open NAT and UPNP failures to connect.
24.1 Production Series / NAT Reflection for remote (not directly attached) network
« Last post by d4rkd3n1337 on May 20, 2024, 09:57:49 pm »
Hello, folks
I see in the manuals that NAT reflection works only for directly attached networks.
I have the following scheme:
OPNsense gate, facing the WAN network and having a LAN network (10.1.1.0/24).
Cisco gate, one port attached to 10.1.1.0/24 and having its own networks (172.16.1.0/24 etc.)
With NAT reflection I can perfectly connect to WAN_IP:80/443 etc. from any host in 10.1.1.0/24,
but from a remote local net (e.g. 172.16.3.0/24) I can't reach WAN_IP.
What manual rule must I create in outbound NAT?