Has anyone tested this yet with a protectli device?
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Show posts MenuQuote from: franco on May 13, 2024, 11:33:31 AM
> FreeBSD 14.0 was released in November 2023.
FWIW, this is just a fact. If we act on release schedules by third parties we can't maintain our own schedules. If we don't look at quality of releases either we run the risk of complaints more than "why haven't you XYZ" as it ends up as "why have you XYZ" much more loudly ;)
Also keep in mind that when comparing to other projects they tend to market everything they did better as sensational, but don't really tell you they avoided FreeBSD 13 with all of its benefits and haven't really put an effort into backporting their changes into this stable version either so nobody who uses FreeBSD 13 can benefit from it in the interrim... which would have been a more standard FreeBSD release engineering policy. But all of this is what it is and we will reach an acceptable goal for ourselves eventually.
Quote from: Patrick M. Hausen on May 13, 2024, 12:48:57 AMQuote from: JasonJoel on May 13, 2024, 12:37:31 AMSeriously? I run FreeBSD 14.0 in (not OPNsense) production so even with the "never run a .0 release" recommendation 14.1 looks like a very reliable bet to me. I sincerely hope the team around Franco and Ad jump to 14.1.
I genuinely hope NOT! This is supposed to be a security platform, not a bleeding edge / use fresh untested code platform.
I mean, they can do what they want of course, but I definitely would not install the 24.7 release if it is FreeBSD 14.1 based. Too new for my tastes.
Kind regards,
Patrick
Quote from: hazuki on May 13, 2024, 12:31:40 AM
One may test FreeBSD 14 kernel in OPNSense after selecting the snapshotopnsense-update -zkbr 14-STABLE -a FreeBSD:14:amd64
WARNING:
1)ISC DHCPv4 (and probably ISC DHCPv6) will fail to start (at least in my setup) after applying the FreeBSD 14 kernel, which is due to [object "libcrypto.so.111" not found]. One should migrate to Kea DHCP before test.
2) In relation to [object "libcrypto.so.111" not found], "pkg" command and any binary in relation to libcrypto.so also not working. "pkg-static bootstrap -f" will not solve the problem, as basically all required binary/packages under FreeBSD 14 kernel is not available in OPNSense repo.
Test FreeBSD 14 kernel at your own risk!
This FreeBSD 14.1 kernel indeed boost up wireguard speed.
More information are in https://forum.opnsense.org/index.php?topic=40413.msg198242#msg198242
EDIT 1: add missing -b switch in code. Solely updating kernel without base file will lead to messed-up routing.
EDIT 2: add warning regarding failed ISC DHCPv4
EDIT 3: add warning regarding failed pkg command
Quote from: hazuki on May 13, 2024, 11:08:06 AM
I am not sure if I am looking into the right place. In https://github.com/opnsense/src/blob/volatile/24.7/sys/conf/newvers.sh , looks like 24.7 will be in FreeBSD 14.1.TYPE="FreeBSD"
REVISION="14.1"
BRANCH="BETA1"
If this is true, I really looking forward to test the BETA 24.7 as the performance gain in wireguard is really astonishing.
EDNS Client Subnet Module Options
The ECS module must be configured in the module-config: "subnetcache
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the server: section.
If the destination address is allowed in the configuration Unbound will
add the EDNS0 option to the query containing the relevant part of the
client's address. When an answer contains the ECS option the response
and the option are placed in a specialized cache. If the authority
indicated no support, the response is stored in the regular cache.
Additionally, when a client includes the option in its queries, Unbound
will forward the option when sending the query to addresses that are
explicitly allowed in the configuration using send-client-subnet. The
option will always be forwarded, regardless the allowed addresses, if
client-subnet-always-forward is set to yes. In this case the lookup in
the regular cache is skipped.
The maximum size of the ECS cache is controlled by 'msg-cache-size' in
the configuration file. On top of that, for each query only 100
different subnets are allowed to be stored for each address family.
Exceeding that number, older entries will be purged from cache.
send-client-subnet: <IP address>
Send client source address to this authority. Append /num to
indicate a classless delegation netblock, for example like
10.2.3.4/24 or 2001::11/64. Can be given multiple times.
Authorities not listed will not receive edns-subnet information,
unless domain in query is specified in client-subnet-zone.
client-subnet-zone: <domain>
Send client source address in queries for this domain and its
subdomains. Can be given multiple times. Zones not listed will
not receive edns-subnet information, unless hosted by authority
specified in send-client-subnet.
client-subnet-always-forward: <yes or no>
Specify whether the ECS address check (configured using
send-client-subnet) is applied for all queries, even if the
triggering query contains an ECS record, or only for queries for
which the ECS record is generated using the querier address (and
therefore did not contain ECS data in the client query). If
enabled, the address check is skipped when the client query
contains an ECS record. And the lookup in the regular cache is
skipped. Default is no.
max-client-subnet-ipv6: <number>
Specifies the maximum prefix length of the client source address
we are willing to expose to third parties for IPv6. Defaults to
56.
max-client-subnet-ipv4: <number>
Specifies the maximum prefix length of the client source address
we are willing to expose to third parties for IPv4. Defaults to
24.
min-client-subnet-ipv6: <number>
Specifies the minimum prefix length of the IPv6 source mask we
are willing to accept in queries. Shorter source masks result in
REFUSED answers. Source mask of 0 is always accepted. Default is
0.
min-client-subnet-ipv4: <number>
Specifies the minimum prefix length of the IPv4 source mask we
are willing to accept in queries. Shorter source masks result in
REFUSED answers. Source mask of 0 is always accepted. Default is
0.
max-ecs-tree-size-ipv4: <number>
Specifies the maximum number of subnets ECS answers kept in the
ECS radix tree. This number applies for each qname/qclass/qtype
tuple. Defaults to 100.
max-ecs-tree-size-ipv6: <number>
Specifies the maximum number of subnets ECS answers kept in the
ECS radix tree. This number applies for each qname/qclass/qtype
tuple. Defaults to 100.