Messages

dmesg

Code Select Expand

root@opnsense01:~ # grep ixl2 /var/run/dmesg.boot
[1] ixl2: <Intel(R) Ethernet Connection X722 for 10GbE SFP+ - 2.3.3-k> mem 0x21ffb000000-0x21ffbffffff,0x21fff008000-0x21fff00ffff irq 36 at device 0.2 numa-domain 0 on pci6
[1] ixl2: fw 3.10.53077 api 1.5 nvm 4.00 etid 8000183c oem 1.263.0
[1] ixl2: PF-ID[2]: VFs 32, MSI-X 129, VF MSI-X 5, QPs 384, I2C
[1] ixl2: Using 1024 TX descriptors and 1024 RX descriptors
[1] ixl2: Using 8 RX queues 8 TX queues
[1] ixl2: Using MSI-X interrupts with 9 vectors
[1] ixl2: Ethernet address: 7c:d3:0a:d8:34:a2
[1] ixl2: Allocating 8 queues for PF LAN VSI; 8 queues active
[1] ixl2: SR-IOV ready
[1] ixl2: netmap queues/slots: TX 8/1024, RX 8/1024
[1] ixl2: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Negotiated FEC: None, Autoneg: False, Flow Control: None
[1] ixl2: link state changed to UP
root@opnsense01:~ #

pciconf -lv

Code Select Expand

...
ixl0@pci0:10:0:0:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl1@pci0:10:0:1:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl2@pci0:10:0:2:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
ixl3@pci0:10:0:3:       class=0x020000 rev=0x09 hdr=0x00 vendor=0x8086 device=0x37d3 subvendor=0x17aa subdevice=0x4021
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection X722 for 10GbE SFP+'
    class      = network
    subclass   = ethernet
...


Hi,
after the upgrade on Tuesday the uplink delay went up from 1.2ms to 24ms.

Where can I look to fix this?

The measurement is taken from another machine behind the opnsense.

CPU usage between 2% and 12%,
More than 50% Memory free,
no idea where to look further...

Thanks
Rainer
 

I had to re-open an older back door to our network since somehow the RADIUS based IPSec VPN suddenly was not working anymore.
So I removed the disabled section in the firewall rules and then tried to reload the config from the CLI. I only had CLI access as I was using an even older back door from another location and was using various SSH and Telnnet "jump servers" to get to the CLI of the opnsense...

Our VPN IPSec service just broke today at 16:00 CEST due to Microsoft requiring the config change.
"RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more."

So enabling the requirement to send RequireMsgAuth breaks the OPNsense Client - disabling it on the Windows Server NPS gives above error message.

I think a quick patch is required here!

I tried reloading my adjusted config in /conf/config.xml with option 11 and it just hangs at the VLAN interfaces (see attachment)...

How can I make the output more verbose???

Sorry for finding this so late.

The workaround mentioned here still works for me.
https://github.com/opnsense/core/issues/3291#issuecomment-479827420

My current add on config looks like this:

Code Select Expand


root@opnsense01:~ # cat /usr/local/etc/strongswan.opnsense.d/strongswan.ikev2.conf
charon {
# See https://wiki.strongswan.org/issues/1216
    make_before_break = yes
# See https://github.com/opnsense/core/issues/3291
    retransmit_tries = 10
    retransmit_timeout = 2
    retransmit_base = 1
}
root@opnsense01:~ #


Maybe you should get in touch with this guy here...
https://forum.opnsense.org/index.php?topic=41194.0

Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the gui.

I followed the official https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.

Rekey set to 0 where available in advanced settings.

Ok, I am sorry, you are right.

Code Select Expand


root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf                                                                                                                                                                                                                            100%  101   316.8KB/s   00:00
+TARGETS                                                                                                                                                                                                                                              100%   88   299.2KB/s   00:00
root@opnsense01:~ #


And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration - so on the primary it was already correct and in the proper place. That did not happen on the secondary - so there it was missing and then it failed after a proper restart...

The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:

Code Select Expand


root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #


But it works on the primary HA partner...

Code Select Expand


root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #


Eieieiei, I am starting to loose my trust...

And the template system looks broken as well...

Code Select Expand


root@opnsense02:~ # configctl template reload custom/Unbound
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense02:~ # configctl unbound restart
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
cat: /var/unbound/etc/custom_server_options.conf: No such file or directory
root@opnsense02:~ #


A restart of Unbound just deletes the custom config file...

What the heck...
...first time I see the template system...
Instead of Custom options in the gui lets complicate the process and do not allow syncing to the HA partner automatically...

Looks like a step down to me...

In case you haven't heard of Contoso yet...
https://de.wikipedia.org/wiki/Contoso
I use that to replace our own organisations URLs...

The problem is surely the test tld and the handling of unbound of it. But I doubt that OPNsense will allow free text user customisations of it...

So, no, it does not work.

Windows nslookup does not know how to use a different port than 53...

Using Linux it shows...

Code Select Expand


admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.254
Server:         10.20.30.254
Address:        10.20.30.254#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=54 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#54

** server can't find m.s.test: NXDOMAIN

admin@linux:~$


...a NXDOMAIN for unbound where on bind9 and dnsmasq on the same host I get the expected reply.