Messages - Bluewind

#1
Yesterday I posted this article in the 23.1 Production Series Forum:

Problems w/23.1_6 Upgrade including IPv6 - Maybe a Zenarmor Issue?

After removing Zenarmor, my system went from crap to not great. CPU and memory usage were significantly higher than normal. Better but not normal.

I had the 23.1 image so I did a fresh 23.1 install with the last 23.1 config that I backed up.

After the fresh install WITHOUT ANY plugins running, the CPU and memory returned to normal. IPv6 is working fine. CPU usage is 1%. Memory is around 20% and is steady. Thermal sensors never leave the green/low temp.

My plugins that I normally run are UPNP, Zenarmor, and ACME client. I am going to leave them off for a few days pending questions from Franco or others.

#2
A few days ago I upgraded to 23.1 from 22.7.11. The upgrade worked fine. Nothing to report.

Tonight I upgraded to 23.1_6 and my system is a mess. Opening an Internet page takes 20-30 seconds.

Here are some observations:

1) Like others running IPv6, I am having WAN issues. In the dashboard, looking at the WAN interface. Like others I see a cycling of horizontal green arrows on the WAN interface, turning red. After a few seconds, they turn green again. I have never seen this previously.
2) I have a powerful PC running in my house. With previous releases memory usage rarely was over 40-50%. Now memory usage is constantly at 87-88%. It never goes below that.
3) With no connections running, the CPU cycles from 1% to 20% and back to 1% and so on.
4) Going from one page in the GUI used to take a second, maybe two. Now it takes 15 seconds.
5) Saving configuration changes used to take less than 5 seconds, now over one minute.
6) The thermal sensors were always in the red. Previously they were sometimes in the red.

My system is standard. Only packages are UPNP and Zenarmor.

I checked that Zenarmor was updated and it was.

When troubleshooting, it seems to work best when the system is as close to OEM as possible (no extra packages). I removed Zenarmor, rebooted, and everything listed in 1-6 above is now working fine.

When I have a chance I will reinstall Zenarmor to see if the issues return.

#3
The PC is a mini-PC from ASUS with one gigabit Ethernet port. The USB port the Ethernet dongle plugs into is USB 3.0. The dongle is a generic Ethernet/USB dongle.

https://www.amazon.com/UGREEN-Ethernet-Adapter-Nintendo-Chromebook/dp/B00MYT481C/ref=sr_1_3?crid=Q2X0HBPNW010&dchild=1&keywords=ethernet+usb+adapter&qid=1586311410&sprefix=ethernet+usb+%2Caps%2C158&sr=8-3

Specs for the PC.
https://www.asus.com/us/Mini-PCs/VivoMini_UN42/specifications/

#4
Early in the beta I reported that during the install, OPNsense would not detect a USB Ethernet connection. I also could not manually install the adapter (UE0). My USB Ethernet connector would not work with that beta.

I just again installed the beta via ISO. No surprise, it would not detect the adapter. However, since the WAN adapter was working, after completing the install I updated the software from the console. After the update to the latest beta, I started the console process and installed the adapters. This time the USB Ethernet adapter was detected by the auto detection process and I was able to install it as the UE0 adapter.

Thanks for the fix.

------------------------------------

I tried to install OPNsense-devel-20.7.b-OpenSSL-serial-amd64 from a USB Memory Stick. It would not detect my USB Ethernet dongle during the "auto detection" of the LAN/WAN connections. When I plugged in the USB dongle I would see an OS message but OPNsense would not detect that an interface was added.

I removed the dongle and tried again with the same results.

I continued with the install. When the webGUI was available, I tried to add the interface but it would not show the USB interface.

I then installed FreeBSD 11.2-RELEASE-p17-HBSD b0b3393e380(stable/20.1) amd64 from a USB Memory Stick. During install, the "auto detection" worked fine, showing the USB dongle as UE0. The dongle worked fine.

Below is data from the working "stable/20.1" using the Reporter to show the enumeration of the USB devices.

What other info can I provide?

Thanks.

usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0

usbus1: EHCI version 1.0
usbus1 on ehci0
usbus1: 480Mbps High Speed USB v2.0

uhub1: 13 ports with 13 removable, self powered
uhub0: 2 ports with 2 removable, self powered
ugen0.2:  at usbus0

#5
Thanks for the compliment. As a developer you certainly get kicked when the occasional problem happens. No one is thanking you for the 99.999% of the time everything works right. So your perception of the issue gets affected by the undeserved grief you get. So thanks for getting it right almost every time :).

Let me present the issue in a different way... If your government said to you, what is the best way to protect our citizens from criminals/nation states/etc.? Choice 1: A cheap plastic router typically made in China [perhaps this is another issue to worry about] which is never touched by the consumer for the five years it sits in their residence and never updated by the manufacturer. Or choice 2: A router like Opnsense updated regularly [or even better, an Opnsense router]? The answer would obviously be choice 2 except that today, choice 2 requires some degree of Internet knowledge.

My ultimate hope is that a version of Opnsense is developed similar to how the cheap plastic router works. There is a default installation that 99.99% use with one-click. For those who have the knowledge, they setup Opnsense just like they do today. Modify it, play, do whatever. The previously mentioned default install and the modified version both get updated with the default install automatically updated.

Go back to my question. Set it and forget it for me ultimately means I plug it in at my parents' house. Never touch it for five years. It updates automatically. It provides almost perfect security and that is better than any other solution.

Think about all of the cheap plastic routers that are now hijacked and are part of botnets. Do you think any Opnsense router is in a botnet?

A default version of Opnsense that is updated automatically is 1,000% more secure than any cheap plastic router. So that is my vision of "Opnsense everywhere."

Thanks.

#6
Appreciate the thoughts of all. Forget Opnsense for a minute. I'm a security guy. I manage risk for enterprises and now risk for my parents/family. No doubt updating systems, whether it is an enterprise running Windows 7, gas utilities running an industrial control system that prevents explosions, or my parents' "piece of garbage" router that has now been hijacked and is part of a botnet, is problematic. In many breaches in the US (I'm most familiar with these), one of the reasons for the breach is that the system was not updated. The credit reporting agency, Equifax, which just had a huge breach, is just one example. WannaCry malware is another example. Etc, etc.

So as a risk person, you know that not updating is likely to cause problems. The act of updating occasionally causes minor issues and in rare cases causes major issues. For me, I'll deal with the rare instance in which an update causes a problem (maybe I need to drive to Mom's house with a new USB image). In cybersecurity, the only way to eliminate risk is to disconnect from the Internet (and also not use USBs). Risk is inherent. Eliminate/mitigate smartly. I am much more concerned about likely issues which cause problems.

Build into the upgrade system safeguards. Microsoft has this same problem with millions of PCs. Occasionally upgrades break. Have a rollback capability. Wait a short period of time to hear positive results before flipping the "must upgrade switch." Only flip the switch when the problem is severe.

Not doing bad is not good enough.

Thanks.

#7
Seems like every week there is a new flaw in cheap residential routers used around the world. Worst problem is the flaws rarely get fixed.

I'd like to see a feature called "the parents mode." This is a mode in which Opnsense automatically updates itself. I'd like to remove the cheap, plastic router from my parents' house and replace it with an inexpensive, low energy PC running Opnsense. Just set it up with an auto update and an auto restart in case of failure mode. Millions of smart people would install this in their parents' home.

Thanks.

#8
17.7 Legacy Series / IPv6 and Cox Cable
November 11, 2017, 04:11:11 AM
I have been using Cox Cable as my ISP in the Northern Virginia area of the U.S. Cox provides native IPv6 support. I tried every possible WAN and LAN IPv6 configuration but could not get my LAN clients to talk via IPv6 to the WAN. IPv4 worked great.

Cox supplied an Arris cable modem that had multiple modes including bridged and routed. Routed was the default. As part of my experimenting I tried to set up the modem in bridged mode but that did not work and Cox would reset the modem to routed mode within 24 hours.

I decided to buy a Motorola DOCSIS 3.1 cable modem primarily to save money on the cable modem rental ($10 USD per month). I installed the new CM which has no routing capability, hence bridged mode is the default.

IPv6 suddenly started working on the LAN. I tested the connection on a bunch of the IPv6 test sites. All results were perfect, including not leaking the IPv6 address of the LAN clients. One site said that IPv6 ICMP was not working correctly but I have no evidence of any problems.

If you are having problems setting up IPv6 with Cox, buy a CM and set it up for bridged mode.

Setup:
WAN
DHCPv6
Prefix Delegation 60
Send IPv6 hint

LAN
IPv6 - track interface
IPv6 Interface - WAN
IPv6 Prefix ID - 0

DHCPv6 Advertisement - off
DHCPv6 Server - off
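The "track interface" setup above hands the LAN one /64 out of the /60 that the WAN's DHCPv6 client requests, and the Prefix ID picks which one. The following Python is an added example, not part of the post or of OPNsense, that works out the resulting LAN prefix and flags a Prefix ID the delegation cannot hold (the common mistake when a second LAN/VLAN is added). The delegated prefix used is a constructed documentation prefix; the real one comes from Cox.

```python
import ipaddress

# Constructed values: the post only gives the delegation size (/60) and
# "IPv6 Prefix ID - 0", not the prefix the ISP actually delegates.
DELEGATED_PREFIX = "2001:db8:abcd:1230::/60"   # constructed documentation prefix
LAN_PREFIX_ID = 0                              # "IPv6 Prefix ID - 0" from the post
LAN_PREFIX_LEN = 64                            # a tracking LAN always takes a /64


def available_ids(delegated: str, lan_len: int = LAN_PREFIX_LEN) -> int:
    """Number of /lan_len sub-networks (and so valid Prefix IDs) in the delegation."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if lan_len < net.prefixlen:
        raise ValueError(f"LAN prefix /{lan_len} is larger than delegation {net}")
    return 2 ** (lan_len - net.prefixlen)


def lan_prefix_for(delegated: str, prefix_id: int,
                   lan_len: int = LAN_PREFIX_LEN) -> ipaddress.IPv6Network:
    """Return the /64 a tracking LAN with the given Prefix ID will use.

    The delegation is split into equal /lan_len networks and the Prefix ID
    selects one of them (ID 0 is the first). A Prefix ID outside the range
    raises ValueError instead of silently producing an address outside the
    delegation, which upstream would never route back to the LAN.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    count = available_ids(delegated, lan_len)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:#x} out of range: {net} holds only {count} "
            f"/{lan_len} networks (IDs 0-{count - 1:#x})")
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << (128 - lan_len)), lan_len))


def client_in_lan(client_addr: str, delegated: str, prefix_id: int) -> bool:
    """Check that an address a LAN client got via RA/SLAAC sits in the expected /64."""
    return ipaddress.IPv6Address(client_addr) in lan_prefix_for(delegated, prefix_id)


if __name__ == "__main__":
    print(f"LAN with Prefix ID {LAN_PREFIX_ID}: {lan_prefix_for(DELEGATED_PREFIX, LAN_PREFIX_ID)}")
    # With a /60 there are 16 possible LAN/VLAN prefixes, IDs 0x0 through 0xf.
    for pid in range(available_ids(DELEGATED_PREFIX)):
        print(f"  Prefix ID {pid:#x} -> {lan_prefix_for(DELEGATED_PREFIX, pid)}")
```

A /56 delegation (some ISPs hand those out instead) gives 256 IDs, 0x0 through 0xff, and the same function handles it unchanged.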