Messages - tswalker

#1
Hardware and Performance / Re: AQM tunables?
November 04, 2021, 01:50:55 PM
in case anyone else is trying to figure this one out the tunable is here:

net.inet.ip.dummynet.pie.max_burst: 150000
        The default maximum period of microseconds that pie AQM does not
        drop/mark packets. The value must be in the range 1..10000000.


ref: https://www.freebsd.org/cgi/man.cgi?ipfw(8)

#2
Hardware and Performance / AQM tunables?
November 02, 2021, 07:24:59 AM
when using fq_codel and PIE on a queue, are any of these parameters in this image tunable?

just curious what max_burst 150ms is and what it impacts... is there a related property?

#3
I'm interested in adding a few (one or more) 'watch' systems that allow me to grade long distance route metrics using something simple like we have for gateway monitoring.

Is there a way to leverage existing gateway setup / RRD graphing for this?  I don't want to add bogus gateways to do this though, but if there's an option there that permits adding some that will never be used for this purpose is it possible?

#4
Quote from: mdiorio on April 10, 2021, 04:10:49 PM
Not sure where you're seeing ntop 4.2.210309 (0).  .

apology in response delay.. been very busy w/ work.

this is the version that is reported directly in ntopng > help > about pages.

3.4.0 is apparently the reported nDPI version within ntopng package
#5
question regarding update for | firewall: use tables in the shaper to avoid breaking ipfw with too many addresses

I previously had to break rules down due to too many CIDR addresses in a single rule, will this allow me to consolidate those rules and if so, what system parameters for tables should I keep an eye on or prepare to expand to handle large CIDR sets?
#6
Quote from: franco on April 11, 2021, 07:38:42 PM
Yep, to apply from console:

# opnsense-patch 7316071


Cheers,
Franco

confirmed as resolved.  i closed the ntopng issue.  thank you all!!!
#7
hi, i made the report over on ntopng about it... not sure they are able to address this.  regardless, i'm interested in a workaround too and thought perhaps a service ordering for shutdown might work as ntopng has that dependency on redis.

i have no clue how to make that happen though
#8
is it possible to update ntopng directly from their repo in CLI?  I have no experience on how to do so, but very hesitant because I fear it will break... a lot.

current version in their repo:
ntopng-4.3.210331.txz

current version as of OPNsense 21.1.3_3-amd64:
4.2.210309 (0) - Community Edition
#9
Quote from: Maurice on March 24, 2021, 11:20:50 AM
OpenWrt does have the aforementioned NDP proxy.
Not sure what Asus is doing, probably the same.

I noticed there is ndproxy(4) in freebsd?

https://www.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html


This is getting beyond my capability to follow very easily...  but I'm willing to learn/figure out.
#10
Quote from: almodovaris on March 23, 2021, 04:17:25 PM
Asus routers have an IPv6 configuration called Passthrough. Maybe Opnsense should get something like that.

Those also have an option called FLET'S IPv6 Service.

If you know Asuswrt Merlin, you may ask Merlin how to do it, he develops third-party firmwares for Asus routers.

Interesting, seems that OpenWRT has something similar:
https://www.reddit.com/r/tmobileisp/comments/luslbf/how_are_you_getting_around_the_lack_of_ipv6/gpuuim4/?utm_source=share&utm_medium=web2x&context=3
#11
Quote from: Maurice on March 21, 2021, 04:24:59 PM
This has nothing to do with DHCPv6 in the OPNsense LAN (which you don't even need). The issue is the 5G router being unable to "see" the hosts in the OPNsense LAN. You only have a single /64 which is used for the 5G router's LAN. The 5G router has no way of knowing that there are hosts using the same /64 in the OPNsense LAN. As mentioned, this would require an NDP proxy which OPNsense doesn't have.

There is no great solution here. Options are:
- Get a "better" Internet connection with more than just a single /64. I understand this is not available everywhere.
- Use a firewall with an integrated 5G modem. Still limits you to a single LAN and I don't know if T-Mobile allows "bring your own modem".
- Use a firewall which has an NDP proxy. Still limits you to a single LAN.
- Use a VPN tunnel. Might have a performance impact.
- Run OPNsense as a transparent filtering bridge. Severely limits its functionality and only allows a single LAN.
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

This is a common problem so if anyone has a better solution, I would be happy to hear about it.

Is there a possibility to get lan segment DHCPv6 requests through the WAN to the modem?  If the modem is capable of providing them (which it does do, cause i get them if I connect say directly to the modem on wifi.. it has its own segment and provides both ipv4 and ipv6 addressing)
#12
Quote from: FullyBorked on March 21, 2021, 09:00:24 PM
Quote from: IsaacFL on March 21, 2021, 08:30:28 PM
Did you reboot the opnsense?  It seems to have to do a reboot with the UPS plugged in to detect it.  Then it is using the USBHID as UPS type.

It works for me on my CyberPower CST135XLU which is about 3 years old, so don't know why it wouldn't work for you.  The key is even on pfsense it requires a reboot.
I did reboot.  I'm getting errors in the system log as well.  When I get back home I'll post up my syslog errors.

I have a couple of these at home i use and could not get it working with opnsense, if you figure this out i would be very interested in how.
#13
Quote from: TheLinuxGuy on February 28, 2021, 01:13:33 AM
My ISP (5G wireless home internet / T-mobile) gives us a dumb modem that does not allow 'bridge mode' the ISP themselves doesn't do IPv6 prefix delegation. Looking for help fixing issues with http://ipv6-test.com/ and http://test-ipv6.com/ as they fail....

/snip

same boat as you are, I tried to get this to work *without* going the static IPv6 on LAN and fell flat on my face...  I thought that perhaps instead of using DHCPv6 on LAN, to use relay instead, but nope... would not *relay* anything.. at least it didn't seem to, and I have no clue what to put in as the destination server.. i used the Nokia access points' fbb.home IPv6 address, which seemed to sorta work.. but ya, no.
#14
Quote from: Maurice on March 21, 2021, 04:56:02 AM
Yeah, this unfortunately won't work. There was another user with a similar setup just recently. Might actually be the same device: https://forum.opnsense.org/index.php?topic=21795.0

In that thread you'll also find a "dirty trick" which allows you to get some limited IPv6 in the OPNsense LAN, although I still don't recommend that.

I see, ok.. thank you for pointing that out.  I'll take a look there, I appreciate it.
#15
Quote from: Maurice on March 21, 2021, 12:30:09 AM
What exactly is your WAN connection? You mention cellular, are you tethering OPNsense to a phone / mobile hotspot? That won't work.
Or are you using a USB modem? Or something else?

This is actually a new service (well.. new as in it has been in beta for a bit).. it is TMobile Home Internet 4G LTE / 5G service.

They provide a cellular modem, similar to the Nokia Fastmile, but OEM variant.. called Nokia 5G21 which supports 4G LTE (b2,b4,b12,b66) and 5G (n41 n71).

The device has two LAN ports and offers 802.11/ax, which i essentially just use it as a modem.  It's been surprisingly good, with fairly reasonable bandwidth and (usually) good latency.

I set up opnsense as my home firewall/gateway (yes CGNAT).  I've been strictly using IPv4 since November, and it has been decent.  Unfortunately, the modem does not permit much in the way of administrative controls (other than turning wifi channels on/off)...  and it feeds both an IPv4 address (NAT) and IPv6.