Messages - rainerle

#1
Result of "sysctl -a | grep lldp"

root@opnsense01:~ # sysctl -a | grep lldp
dev.ixl.3.fw_lldp: 0
dev.ixl.2.fw_lldp: 0
dev.ixl.1.fw_lldp: 0
dev.ixl.0.fw_lldp: 0
root@opnsense01:~ #

The uplink delay times are still the same when traffic goes over the link. See screenshot. So this is not fixed yet.
Upgrade OPNsense to 25.7.2 was at 2005-08-26 17:00
Upgrade NIC firmware was at 2005-09-10 17:00

#2
The Network card came with the server so I got the Firmware from the Lenovo support site(1).
But they do not have the FreeBSD software in that package so I thought first to use EFI.
After all I just used the FreeBSD nvmupdate64e from the latest Intel Firmware package - which just worked...

No idea if it solved my issue yet - still have to wait for more traffic later on tonight...

(1) https://datacentersupport.lenovo.com/de/de/products/servers/thinksystem/sr630/7x02/7x02cto1ww/s4age372/downloads/ds572389-intel-networking-adapterdevice-utility?category=Netzwerk%3A%20Lan%20%28%20Ethernet%29
#3
Took me some time to get the correct firmware and the tool to do it in FreeBSD...
root@opnsense02:~/700Series_NVMUpdatePackage_v9_55/700Series/FreeBSDx64 # cp -a nvmupdate64e /root/intc-lnvgy_utl_nic_net-29.3-0_anyos_x86-64/NVMUpdatePackage/FW-FVL-NUP/Intel-NIC/EFI2x64/
root@opnsense02:~/700Series_NVMUpdatePackage_v9_55/700Series/FreeBSDx64 # cd /root/intc-lnvgy_utl_nic_net-29.3-0_anyos_x86-64/NVMUpdatePackage/FW-FVL-NUP/Intel-NIC/EFI2x64/
root@opnsense02:~/intc-lnvgy_utl_nic_net-29.3-0_anyos_x86-64/NVMUpdatePackage/FW-FVL-NUP/Intel-NIC/EFI2x64 # ./nvmupdate64e

Intel(R) Ethernet NVM Update Tool
NVMUpdate version 1.43.20.0
Copyright(C) 2013 - 2025 Intel Corporation.


WARNING: To avoid damage to your device, do not stop the update or reboot or power off the system during this update.
Inventory in progress. Please wait [****|.....]


Num Description                          Ver.(hex)  DevId S:B    Status
=== ================================== ============ ===== ====== ==============
01) Intel(R) Ethernet Connection X722   4.00(4.00)   37D3 00:010 Update
    for 10GbE SFP+                                               available

Options: Adapter Index List (comma-separated), [A]ll, e[X]it
Enter selection: A
Would you like to back up the NVM images? [Y]es/[N]o: Y
Update in progress. This operation may take several minutes.
[......+***]


Num Description                          Ver.(hex)  DevId S:B    Status
=== ================================== ============ ===== ====== ==============
01) Intel(R) Ethernet Connection X722   6.80(6.50)   37D3 00:010 Update
    for 10GbE SFP+                                               successful

A reboot is required to complete the update process.

Tool execution completed with the following status: All operations completed successfully.
Press any key to exit.
root@opnsense02:~/intc-lnvgy_utl_nic_net-29.3-0_anyos_x86-64/NVMUpdatePackage/FW-FVL-NUP/Intel-NIC/EFI2x64 #
#4
Here is the pciconf -l output:
root@opnsense01:~ # pciconf -l
hostb0@pci0:0:0:0:      class=0x060000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2020 subvendor=0x17aa subdevice=0x7800
ioat0@pci0:0:4:0:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat1@pci0:0:4:1:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat2@pci0:0:4:2:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat3@pci0:0:4:3:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat4@pci0:0:4:4:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat5@pci0:0:4:5:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat6@pci0:0:4:6:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
ioat7@pci0:0:4:7:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2021 subvendor=0x17aa subdevice=0x7800
none0@pci0:0:5:0:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2024 subvendor=0x17aa subdevice=0x7800
none1@pci0:0:5:2:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2025 subvendor=0x17aa subdevice=0x7800
ioapic0@pci0:0:5:4:     class=0x080020 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2026 subvendor=0x17aa subdevice=0x7800
none2@pci0:0:8:0:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2014 subvendor=0x17aa subdevice=0x7800
none3@pci0:0:8:1:       class=0x110100 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2015 subvendor=0x17aa subdevice=0x7800
none4@pci0:0:8:2:       class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2016 subvendor=0x17aa subdevice=0x7800
none5@pci0:0:17:0:      class=0xff0000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1ec subvendor=0x17aa subdevice=0x7800
ahci0@pci0:0:17:5:      class=0x010601 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1d2 subvendor=0x17aa subdevice=0x7800
xhci0@pci0:0:20:0:      class=0x0c0330 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1af subvendor=0x17aa subdevice=0x7800
pchtherm0@pci0:0:20:2:  class=0x118000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1b1 subvendor=0x17aa subdevice=0x7800
none6@pci0:0:22:0:      class=0x078000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1ba subvendor=0x17aa subdevice=0x7800
none7@pci0:0:22:1:      class=0x078000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1bb subvendor=0x17aa subdevice=0x7800
none8@pci0:0:22:4:      class=0x078000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1be subvendor=0x17aa subdevice=0x7800
ahci1@pci0:0:23:0:      class=0x010601 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa182 subvendor=0x17aa subdevice=0x7800
pcib1@pci0:0:28:0:      class=0x060400 rev=0xf9 hdr=0x01 vendor=0x8086 device=0xa190 subvendor=0x17aa subdevice=0x7800
isab0@pci0:0:31:0:      class=0x060100 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1c3 subvendor=0x17aa subdevice=0x7800
none9@pci0:0:31:2:      class=0x058000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1a1 subvendor=0x17aa subdevice=0x7800
ichsmb0@pci0:0:31:4:    class=0x0c0500 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1a3 subvendor=0x17aa subdevice=0x7800
none10@pci0:0:31:5:     class=0x0c8000 rev=0x09 hdr=0x00 vendor=0x8086 device=0xa1a4 subvendor=0x17aa subdevice=0x7800
pcib2@pci0:1:0:0:       class=0x060400 rev=0x00 hdr=0x01 vendor=0x19a2 device=0x0120 subvendor=0x0000 subdevice=0x0000
vgapci0@pci0:2:0:0:     class=0x030000 rev=0x42 hdr=0x00 vendor=0x102b device=0x0522 subvendor=0x19a2 subdevice=0x0101
pcib4@pci0:7:2:0:       class=0x060400 rev=0x04 hdr=0x01 vendor=0x8086 device=0x2032 subvendor=0x17aa subdevice=0x7800
none11@pci0:7:5:0:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2034 subvendor=0x17aa subdevice=0x7800
none12@pci0:7:5:2:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2035 subvendor=0x17aa subdevice=0x7800
ioapic1@pci0:7:5:4:     class=0x080020 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2036 subvendor=0x17aa subdevice=0x7800
none13@pci0:7:8:0:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none14@pci0:7:8:1:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none15@pci0:7:8:2:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none16@pci0:7:8:3:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none17@pci0:7:8:4:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none18@pci0:7:8:5:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none19@pci0:7:8:6:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none20@pci0:7:8:7:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none21@pci0:7:9:0:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none22@pci0:7:9:1:      class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208d subvendor=0x17aa subdevice=0x7800
none23@pci0:7:14:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none24@pci0:7:14:1:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none25@pci0:7:14:2:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none26@pci0:7:14:3:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none27@pci0:7:14:4:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none28@pci0:7:14:5:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none29@pci0:7:14:6:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none30@pci0:7:14:7:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none31@pci0:7:15:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none32@pci0:7:15:1:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x208e subvendor=0x17aa subdevice=0x7800
none33@pci0:7:29:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2054 subvendor=0x17aa subdevice=0x7800
none34@pci0:7:29:1:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2055 subvendor=0x17aa subdevice=0x7800
none35@pci0:7:29:2:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2056 subvendor=0x17aa subdevice=0x7800
none36@pci0:7:29:3:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2057 subvendor=0x17aa subdevice=0x7800
none37@pci0:7:30:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2080 subvendor=0x17aa subdevice=0x7800
none38@pci0:7:30:1:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2081 subvendor=0x17aa subdevice=0x7800
none39@pci0:7:30:2:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2082 subvendor=0x17aa subdevice=0x7800
none40@pci0:7:30:3:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2083 subvendor=0x17aa subdevice=0x7800
none41@pci0:7:30:4:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2084 subvendor=0x17aa subdevice=0x7800
none42@pci0:7:30:5:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2085 subvendor=0x17aa subdevice=0x7800
none43@pci0:7:30:6:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2086 subvendor=0x17aa subdevice=0x7800
pcib5@pci0:8:0:0:       class=0x060400 rev=0x09 hdr=0x01 vendor=0x8086 device=0x37c0 subvendor=0xbeef subdevice=0xdead
pcib6@pci0:9:3:0:       class=0x060400 rev=0x09 hdr=0x01 vendor=0x8086 device=0x37c5 subvendor=0xbeef subdevice=0xdead
ixl0@pci0:10:0:0:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
ixl1@pci0:10:0:1:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
ixl2@pci0:10:0:2:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
ixl3@pci0:10:0:3:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
none44@pci0:90:5:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2034 subvendor=0x17aa subdevice=0x7800
none45@pci0:90:5:2:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2035 subvendor=0x17aa subdevice=0x7800
ioapic2@pci0:90:5:4:    class=0x080020 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2036 subvendor=0x17aa subdevice=0x7800
none46@pci0:90:8:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2066 subvendor=0x17aa subdevice=0x7800
none47@pci0:90:9:0:     class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2066 subvendor=0x17aa subdevice=0x7800
none48@pci0:90:10:0:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2040 subvendor=0x17aa subdevice=0x7800
none49@pci0:90:10:1:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2041 subvendor=0x17aa subdevice=0x7800
none50@pci0:90:10:2:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2042 subvendor=0x17aa subdevice=0x7800
none51@pci0:90:10:3:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2043 subvendor=0x17aa subdevice=0x7800
none52@pci0:90:10:4:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2044 subvendor=0x17aa subdevice=0x7800
none53@pci0:90:10:5:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2045 subvendor=0x17aa subdevice=0x7800
none54@pci0:90:10:6:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2046 subvendor=0x17aa subdevice=0x7800
none55@pci0:90:10:7:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2047 subvendor=0x17aa subdevice=0x7800
none56@pci0:90:11:0:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2048 subvendor=0x17aa subdevice=0x7800
none57@pci0:90:11:1:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2049 subvendor=0x17aa subdevice=0x7800
none58@pci0:90:11:2:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204a subvendor=0x17aa subdevice=0x7800
none59@pci0:90:11:3:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204b subvendor=0x17aa subdevice=0x7800
none60@pci0:90:12:0:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2040 subvendor=0x17aa subdevice=0x7800
none61@pci0:90:12:1:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2041 subvendor=0x17aa subdevice=0x7800
none62@pci0:90:12:2:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2042 subvendor=0x17aa subdevice=0x7800
none63@pci0:90:12:3:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2043 subvendor=0x17aa subdevice=0x7800
none64@pci0:90:12:4:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2044 subvendor=0x17aa subdevice=0x7800
none65@pci0:90:12:5:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2045 subvendor=0x17aa subdevice=0x7800
none66@pci0:90:12:6:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2046 subvendor=0x17aa subdevice=0x7800
none67@pci0:90:12:7:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2047 subvendor=0x17aa subdevice=0x7800
none68@pci0:90:13:0:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2048 subvendor=0x17aa subdevice=0x7800
none69@pci0:90:13:1:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2049 subvendor=0x17aa subdevice=0x7800
none70@pci0:90:13:2:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204a subvendor=0x17aa subdevice=0x7800
none71@pci0:90:13:3:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204b subvendor=0x17aa subdevice=0x7800
pcib9@pci0:173:2:0:     class=0x060400 rev=0x04 hdr=0x01 vendor=0x8086 device=0x2032 subvendor=0x17aa subdevice=0x7800
none72@pci0:173:5:0:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2034 subvendor=0x17aa subdevice=0x7800
none73@pci0:173:5:2:    class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2035 subvendor=0x17aa subdevice=0x7800
ioapic3@pci0:173:5:4:   class=0x080020 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2036 subvendor=0x17aa subdevice=0x7800
none74@pci0:173:14:0:   class=0x110100 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2058 subvendor=0x17aa subdevice=0x7800
none75@pci0:173:14:1:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2059 subvendor=0x17aa subdevice=0x7800
none76@pci0:173:15:0:   class=0x110100 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2058 subvendor=0x17aa subdevice=0x7800
none77@pci0:173:15:1:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2059 subvendor=0x17aa subdevice=0x7800
none78@pci0:173:18:0:   class=0x110100 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204c subvendor=0x17aa subdevice=0x7800
none79@pci0:173:18:1:   class=0x110100 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204d subvendor=0x17aa subdevice=0x7800
none80@pci0:173:18:2:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x204e subvendor=0x17aa subdevice=0x7800
none81@pci0:173:21:0:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2018 subvendor=0x17aa subdevice=0x7800
none82@pci0:173:22:0:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2018 subvendor=0x17aa subdevice=0x7800
none83@pci0:173:22:4:   class=0x088000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x2018 subvendor=0x17aa subdevice=0x7800
mpr0@pci0:174:0:0:      class=0x010700 rev=0x01 hdr=0x00 vendor=0x1000 device=0x00af subvendor=0x1d49 subdevice=0x0200
root@opnsense01:~ #
#5
dmesg
root@opnsense01:~ # grep ixl2 /var/run/dmesg.boot
[1] ixl2: <Intel(R) Ethernet Connection X722 for 10GbE SFP+ - 2.3.3-k> mem 0x21ffb000000-0x21ffbffffff,0x21fff008000-0x21fff00ffff irq 36 at device 0.2 numa-domain 0 on pci6
[1] ixl2: fw 3.10.53077 api 1.5 nvm 4.00 etid 8000183c oem 1.263.0
[1] ixl2: PF-ID[2]: VFs 32, MSI-X 129, VF MSI-X 5, QPs 384, I2C
[1] ixl2: Using 1024 TX descriptors and 1024 RX descriptors
[1] ixl2: Using 8 RX queues 8 TX queues
[1] ixl2: Using MSI-X interrupts with 9 vectors
[1] ixl2: Ethernet address: 7c:d3:0a:d8:34:a2
[1] ixl2: Allocating 8 queues for PF LAN VSI; 8 queues active
[1] ixl2: SR-IOV ready
[1] ixl2: netmap queues/slots: TX 8/1024, RX 8/1024
[1] ixl2: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Negotiated FEC: None, Autoneg: False, Flow Control: None
[1] ixl2: link state changed to UP
root@opnsense01:~ #

pciconf -lv
...
ixl0@pci0:10:0:0:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl1@pci0:10:0:1:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl2@pci0:10:0:2:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl3@pci0:10:0:3:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
...
#6
Hi,
after the upgrade on Tuesday the uplink delay went up from 1.2ms to 24ms.

Where can I look to fix this?

The measurement is taken from another machine behind the opnsense.

CPU usage between 2% and 12%,
More than 50% Memory free,
no idea where to look further...

Thanks
Rainer
 
#7
I had to re-open an older back door to our network since somehow the RADIUS based IPSec VPN suddenly was not working anymore.
So I removed the disabled section in the firewall rules and then tried to reload the config from the CLI. I only had CLI access as I was using an even older back door from another location and was using various SSH and Telnet "jump servers" to get to the CLI of the opnsense...
#8
Our VPN IPSec service just broke today at 16:00 CEST due to Microsoft requiring the config change.
"RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more."

So enabling the requirement to send RequireMsgAuth breaks the OPNsense Client - disabling it on the Windows Server NPS gives the above error message.

I think a quick patch is required here!
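
Added example, not part of the original post and not OPNsense or NPS code: the check a RADIUS server performs when it requires the Message-Authenticator attribute (RFC 2869, attribute 80) on an Access-Request, which is the requirement the quoted RequireMsgAuth message refers to. The shared secret, user name and packets are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869, section 5.14


def build_access_request(secret, ident, request_auth, attrs, sign):
    """Encode an Access-Request; sign=True appends a Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        # Placeholder of 16 zero bytes, replaced by the HMAC below.
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    if sign:
        # HMAC-MD5 over the whole packet, keyed with the shared secret.
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_message_authenticator(secret, packet):
    """Return 'valid', 'missing' or 'invalid' for one Access-Request."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    packet = packet[:length]  # ignore padding after the declared length

    value_at = None
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or value_at is not None:
                return "invalid"  # wrong size or duplicated attribute
            value_at = pos + 2
        pos += attr_len

    if value_at is None:
        return "missing"  # a server that requires the attribute drops this
    # Recompute the HMAC with the attribute value zeroed, then compare
    # in constant time.
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = packet[value_at:value_at + 16]
    return "valid" if hmac.compare_digest(expected, received) else "invalid"


# Constructed sample data, not taken from the thread.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ATTRS = [(ATTR_USER_NAME, b"alice")]

if __name__ == "__main__":
    for label, sign in (("with Message-Authenticator", True), ("without", False)):
        pkt = build_access_request(SECRET, 7, REQUEST_AUTH, ATTRS, sign)
        print(label, "->", check_message_authenticator(SECRET, pkt))
```
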
#9
I tried reloading my adjusted config in /conf/config.xml with option 11 and it just hangs at the VLAN interfaces (see attachment)...

How can I make the output more verbose???

#10
Sorry for finding this so late.

The workaround mentioned here still works for me.
https://github.com/opnsense/core/issues/3291#issuecomment-479827420

My current add on config looks like this:

root@opnsense01:~ # cat /usr/local/etc/strongswan.opnsense.d/strongswan.ikev2.conf
charon {
# See https://wiki.strongswan.org/issues/1216
    make_before_break = yes
# See https://github.com/opnsense/core/issues/3291
    retransmit_tries = 10
    retransmit_timeout = 2
    retransmit_base = 1
}
root@opnsense01:~ #
#12
Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the gui.

I followed the official https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.

Rekey set to 0 where available in advanced settings.

#13
Ok, I am sorry, you are right.


root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf                                                                                                                                                                                                                            100%  101   316.8KB/s   00:00
+TARGETS                                                                                                                                                                                                                                              100%   88   299.2KB/s   00:00
root@opnsense01:~ #


And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration - so on the primary it was already correct and in the proper place. That did not happen on the secondary - so there it was missing and then it failed after a proper restart...
#14
Quote from: Patrick M. Hausen on April 15, 2024, 06:13:18 PM
The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:

root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #
#15
But it works on the primary HA partner...


root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #


Eieieiei, I am starting to lose my trust...