Messages - va176thunderbolt

#31
18.7 Legacy Series / Re: Updated Unix Realtek Drivers
September 13, 2018, 05:07:20 PM
Franco - ok, I did install the new kernel:

# opnsense-update -kr 18.7.2-re2
# opnsense-shell reboot

After the reboot, I get this:

#:~ # uname -a
FreeBSD gw.foo.local 11.1-RELEASE-p13 FreeBSD 11.1-RELEASE-p13  0259f6a4413(stable/18.7)  amd64
#:~ #

Firmware shows that an update is available:
Package Name   Current Version   New Version   Required Action
kernel   18.7.2-re2   18.7.2   upgrade

which leads me to believe the new kernel was installed.

However, dmesg still reports:
re0: <Realtek PCIe GBE Family Controller> port 0xd000-0xd0ff mem 0xfe900000-0xfe900fff,0xd0900000-0xd0903fff irq 27 at device 0.0 on pci3
re0: Using Memory Mapping!
re0: Using 1 MSI-X message
re0: version:1.94.01
#32
18.7 Legacy Series / Re: Updated Unix Realtek Drivers
September 13, 2018, 02:37:27 AM
I installed 18.7.2 this morning:

OPNsense 18.7.2-amd64
FreeBSD 11.1-RELEASE-p13
OpenSSL 1.0.2p 14 Aug 2018

uname -a shows:
FreeBSD gw.foo.local 11.1-RELEASE-p13 FreeBSD 11.1-RELEASE-p13  0259f6a4413(stable/18.7)  amd64

Dmesg shows this:
re0: <Realtek PCIe GBE Family Controller> port 0xd000-0xd0ff mem 0xfe900000-0xfe900fff,0xd0900000-0xd0903fff irq 27 at device 0.0 on pci3
re0: Using Memory Mapping!
re0: Using 1 MSI-X message
re0: version:1.94.01
re0: Ethernet address: 00:13:3b:0f:13:0a

re1: <Realtek PCIe GBE Family Controller> port 0xc000-0xc0ff mem 0xfe800000-0xfe800fff,0xd0800000-0xd0803fff irq 27 at device 0.0 on pci4
re1: Using Memory Mapping!
re1: Using 1 MSI-X message
re1: version:1.94.01
re1: Ethernet address: 00:13:3b:0f:13:0b

re2: <Realtek PCIe GBE Family Controller> port 0xe000-0xe0ff mem 0xfea00000-0xfea00fff,0xd0a00000-0xd0a03fff irq 32 at device 0.0 on pci5
re2: Using Memory Mapping!
re2: Using 1 MSI-X message
re2: version:1.94.01
re2: Ethernet address: 1c:1b:0d:1a:49:a5

(Motherboard has a RTL8111E and there is a dual-port card with 2 RTL8111G)

#33
18.7 Legacy Series / Re: Updated Unix Realtek Drivers
September 12, 2018, 03:44:44 AM
Franco - I installed the update:
# opnsense-update -kr 18.7.2-re
# opnsense-shell reboot

but when I rebooted I see this in dmesg:
re0: Ethernet address: 00:13:3b:0f:13:0a
pcib4: <PCI-PCI bridge> irq 27 at device 7.0 on pci2
pci4: <PCI bus> on pcib4
re1: <Realtek PCIe GBE Family Controller> port 0xc000-0xc0ff mem 0xfe800000-0xfe800fff,0xd0800000-0xd0803fff irq 27 at device 0.0 on pci4
re1: Using Memory Mapping!
re1: Using 1 MSI-X message
re1: version:1.94.01

Did I miss something? I didn't get any errors when I installed
#34
If you've configured Cloudflare's DNS (or any other) in Unbound using a port other than 53, you'll need to add @53 to the end of the DNS server IP. I ran into this with my overrides - they stopped working after adding the Cloudflare DNS over TLS config.
#35
Mostly - yes.

Some folks experience poor ISP-provided DNS (poorly maintained, outsourced to a data mining organization, etc.) and are just looking for a fast, reliable DNS service. Several companies have stepped up to offer DNS, but people often don't take the time to understand what the motivation is for these companies.

Cloudflare has stated their motivation. I suspect it's what they've said plus that they can make a better content delivery decision when they know the real IP generating the query and not an intermediary DNS recursive server.
#36
18.1 Legacy Series / Enhancement Request
February 21, 2018, 05:35:16 PM
I manage several firewalls that allow guest connections. I'd like to see the DHCP pools utilization displayed in the Reporting/Health/Services view so that I can monitor the pools over time to increase them when necessary.

I'd also like to see the unbound stats displayed there also.

Thanks!
#37
18.1 Legacy Series / Re: URL Alias issue
February 05, 2018, 05:20:03 PM
Yes I have data in /var/db/aliastables
Yes - I created an alias of type "URL Table"
Yes - it does show up in firewall/Diagnostics/pftables

No - it is not an option available to select when I am adding a new firewall rule (or when I edit an existing rule).
#38
General Discussion / Monitoring enhancement
February 04, 2018, 03:55:13 AM
Could the monitoring be enhanced to include/graph the unbound statistics and dhcp pool(s) utilization?

The DHCP pool utilization would help where I've deployed "guest" networks (churches and "free" stores) so I could see if it's trending up so I can change the subnet before there's a problem.

The unbound stats would be useful for tuning.

Thanks!
#39
18.1 Legacy Series / URL Alias issue
February 04, 2018, 03:46:42 AM
Trying to set up a URL alias by following the directions in the wiki https://wiki.opnsense.org/manual/aliases.html. I created the two SPAMHAUS aliases. I checked /var/db/aliases and the files are getting created for the aliases and are populating with data.

When I try to create a new rule on any interface, when I select source, the aliases do not show up. I have created ip aliases, and they do show up and allow me to select them.

I've never used a URL alias, so I don't know if it used to work and now doesn't.

What can I do to further troubleshoot the issue?
#40
My upgrade went smoothly, and the system seems more responsive on 18. Very happy with it so far.
#41
I've updated my home machine (I work from home, so it gets a good workout).

AMD A8-5545M
8GB RAM
3 Realtek RTL8111 NICs

The GUI is noticeably faster now.

I have Suricata 4.0.1 running, and I have it watching native and VLAN interfaces. No issues, has been very stable - very good job!
#42
Loaded fine for me:
OPNsense 18.1.a_334-amd64
FreeBSD 11.0-RELEASE-p12
OpenSSL 1.0.2l 25 May 2017

I have a fairly large ruleset and had no issues.
#43
17.7 Legacy Series / Re: Multiple VLAN/Multiple WAN
October 02, 2017, 02:14:41 PM
VIP = Virtual IPs. Under the firewall menu, there is an option to configure them. It's very useful when you get a subnet from your ISP - you can define additional IPs on your WAN interface, then create rules/NAT to leverage them.
#44
hutiucip - thanks! That's what I have in place, but explained poorly :)
#45
I've run into some issues where this causes problems, specifically with Android phones. They seem to be determined to try the Google DNS servers before falling back to the locally assigned DNS servers from DHCP.

I help manage the IT for a church, and we provide free Wifi to those who would like to use it. We use OpenDNS to make sure that users don't stray from appropriate content for the setting.

So to help in this, I configured Unbound to run locally, forwarding its requests to OpenDNS. DHCP assigns the firewall as DNS server via the appropriate DHCP option. Firewall rules allow access to the firewall on port 53. I then added a NAT on the LAN interface to redirect all port 53 traffic (not destined for the firewall itself) to localhost port 53 on the firewall. This way, if a device tries to send DNS to something other than the firewall, the firewall sends it to Unbound, and Unbound responds after getting a response from OpenDNS.

I did the same with NTP traffic - block access to everything but the firewall, then set up a NAT to redirect everything to localhost on the firewall.

Hope this helps others.

Adam
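
The DNS and NTP redirect described in the post above, written out as raw pf rules. This is an added example, not the poster's configuration (OPNsense builds its rules from the GUI); the interface name, addresses and macro names are constructed, and Unbound and the NTP service are assumed to listen on 127.0.0.1.

```pf
# Constructed values: replace with the real LAN interface and addressing.
lan_if  = "igb1"
fw_lan  = "192.168.1.1"
lan_net = "192.168.1.0/24"

# --- Translation rules (pf evaluates these before the filter rules) ---

# DNS: anything on port 53 that is NOT addressed to the firewall itself
# is rewritten to the local resolver, so a client with a hard-coded
# resolver still gets its answers from Unbound (and its upstream filter).
rdr on $lan_if inet proto { tcp, udp } from $lan_net \
    to ! $fw_lan port 53 -> 127.0.0.1 port 53

# NTP: same pattern, UDP only.
rdr on $lan_if inet proto udp from $lan_net \
    to ! $fw_lan port 123 -> 127.0.0.1 port 123

# --- Filter rules (these see the destination AFTER translation) ---

# Allow clients to reach the firewall's own DNS/NTP services, both when
# addressed directly and when redirected to localhost by the rules above.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net \
    to { $fw_lan, 127.0.0.1 } port 53
pass in quick on $lan_if inet proto udp from $lan_net \
    to { $fw_lan, 127.0.0.1 } port 123

# Backstop: if a redirect is ever removed or fails to match, DNS/NTP to
# any other destination is dropped instead of leaving the network.
block in quick on $lan_if inet proto { tcp, udp } from $lan_net \
    to any port { 53, 123 }

# Scope notes: these rules cover IPv4 only, and only plain DNS on port 53.
# DNS over TLS (port 853) and DNS over HTTPS (port 443) are not matched
# by them, and inet6 traffic needs its own equivalent rules.
```

`pfctl -nf <file>` parses a rule file without loading it, which catches syntax errors before the rules go live.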