Messages - CJ

#1
Quote from: Patrick M. Hausen on September 02, 2024, 03:40:34 PM
Name: modulename_load
Value: YES

You replied while I was busy updating my post with the results of my testing that. :D
#2
Quote from: franco on August 24, 2024, 10:11:27 PM
Well, this is sort of self-documenting in /boot/loader.conf:

https://github.com/opnsense/core/blob/0adece8d3e165acc0ba3bb2e1d8f0e6593dd8c41/src/etc/rc.loader.d/00-banner#L1-L6

Cheers,
Franco

I do have the appropriate line in /boot/loader.conf.local and up until 24.7 it's always worked.  When I look at /boot/loader.conf I don't see the mlx load line.

I went into system tunables and added a new tunable with a tunable of mlx4en_load and a value of YES.  Upon saving that and applying changes the mlx4en_load line showed up in the tunables section of /boot/loader.conf.  Upon reboot, the module was loaded and my interfaces came up correctly.

It appears that the mechanism to process /boot/loader.conf.local was broken in the changes from 24.1 to 24.7.  I'm guessing that the step importing it into the main file got accidentally removed or commented out, but until I have a chance to dig through the code, I can't know for sure.
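The check described in this post, as an added example (not code from the thread or from OPNsense): list which `<module>_load=YES` entries in loader.conf.local did not make it into the generated loader.conf, so a silently dropped driver line is caught before the next reboot rather than after it. The functions `enabled_modules`, `missing_modules` and `make_samples` and the two sample files are constructed for the example; file paths are passed as arguments so the same check can be pointed at the real /boot files.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: compare the
# "<module>_load" entries an admin put in loader.conf.local against the
# generated loader.conf. Paths are arguments; the samples below are
# constructed so the check runs offline.

# Print, one per line, the module keys (e.g. mlx4en_load) that a loader file
# enables. Accepts  foo_load="YES"  and  foo_load=yes  with any letter case in
# the value; commented-out lines and foo_load="NO" are ignored.
enabled_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*_load\)[[:space:]]*=[[:space:]]*"\{0,1\}[Yy][Ee][Ss]"\{0,1\}.*/\1/p' "$1" | sort -u
}

# Print the modules enabled in the hand-written file ($1) that the generated
# file ($2) does not enable. Prints nothing when everything was carried over.
missing_modules() {
    wanted=$(enabled_modules "$1")
    present=$(enabled_modules "$2")
    for m in $wanted; do
        printf '%s\n' "$present" | grep -qx "$m" || echo "$m"
    done
}

# Write constructed sample files into a temp directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/loader.conf.local" <<'EOF'
# constructed: what the admin wrote by hand
mlx4en_load="YES"
if_ixl_load=yes
# old_driver_load="YES"
EOF
    cat > "$dir/loader.conf" <<'EOF'
# constructed: a generated file that only carried one of the two modules over
if_ixl_load="YES"
hw.ixl.enable_head_writeback="0"
EOF
    echo "$dir"
}

SAMPLE_DIR=$(make_samples)

# On a live box this would be:
#   missing_modules /boot/loader.conf.local /boot/loader.conf
missing=$(missing_modules "$SAMPLE_DIR/loader.conf.local" "$SAMPLE_DIR/loader.conf")
if [ -n "$missing" ]; then
    echo "not carried over into loader.conf:"
    echo "$missing"
else
    echo "all loader.conf.local modules are present in loader.conf"
fi
```

With the constructed samples the script reports `mlx4en_load` as missing, which is exactly the situation the post describes; run against the real files it tells you whether adding the tunable through the GUI (or whatever rewrote loader.conf) actually picked up every line you rely on.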
#3
I've been running ConnectX cards for a while now and they've worked pretty well once you add the load command to the boot config.

https://www.routerperformance.net/opnsense/mellanox-connecx-management-in-opnsense/

After updating to 24.7 this doesn't seem to work anymore.  I have to manually log into the box and issue the mlx4en load command and then force an interface reload before it starts working.  This works until I reboot at which point I have to repeat the process.

I've checked and I still have the load command set to yes but it's not properly starting the card.  Any suggestions for what to check?

#4
I've finally managed to get my hands on a backup connection to help deal with the flakiness of my main connection.  Therefore I will be joining everyone in the fun adventure that is multiple WAN. :)

The documentation is straightforward but seems to assume that I only have WAN, WAN2, and LAN.  Unfortunately, my network is a lot more complicated with DMZ, IOT, etc interfaces.

Any advice or recommendations for someone entering into the world of gateway groups?  What pitfalls should I make sure to watch out for?  I'd like to avoid having to rebuild everything from scratch just yet.
#5
Thanks for the info @Praxis.  I've decided to just do 10G LAGG for the time being.  Maybe I'll eventually move up to 25G, not sure.

@Greg_E I currently don't have any hardware planned.  I'm just mulling around different network layouts.  If my existing hardware ends up being insufficient, I'll upgrade it.  No point in attempting to overbuild until I run into an issue.
#6
Quote from: vrtigo1 on March 22, 2024, 03:53:49 PM
Is there any reason I want to use forwarders vs root servers?  I can understand forwarders would be necessary if I wanted to use a filtering service like OpenDNS, but failing that aren't all DNS servers designed to use root hints?

Designed to use root is different from whether or not you should use root.  If everyone used the root servers it would overwhelm them.  That's why caching forwarders exist.

In your case, Unbound is attempting to contact IPv6 root servers and that's why you're having resolution failures.
#7
Quote from: vrtigo1 on March 13, 2024, 05:57:14 PM
Quote from: CJ on March 13, 2024, 01:09:19 PM
Quote from: vrtigo1 on March 12, 2024, 02:27:10 AM
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Not DNS servers.  DNS server options.  The section below where the DNS servers are entered.

Nothing checked there.

That's what I figured.  Right now you have Unbound operating in resolve mode which hits the root servers.  I assume you want it to be working in forwarding mode and using 1.1.1.1 and 8.8.8.8.

On Services: Unbound DNS: Query Forwarding check the Use System Nameservers checkbox.  If you prefer to use DoT, you can set that instead but then I'd recommend removing the entries from the General tab.
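The distinction drawn in this post and in #6 (resolver mode hitting the root servers versus forwarding to the configured nameservers) can be checked directly in the Unbound configuration. The following is an added example, not code from the thread or from OPNsense: it reports whether a config forwards everything (a forward-zone for ".") or recurses from the root hints, and what `do-ip6` is set to. It assumes upstream Unbound syntax (clause headers such as `server:` and `forward-zone:` on their own line); which OPNsense file carries the generated forward-zone is not something the thread states, so the path is an argument. `unbound_mode`, `check_config`, `make_samples` and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: classify an
# Unbound configuration as forwarding or recursive and show its do-ip6
# setting. The pairing the thread blames for resolution failures is
# recursion on a host with IPv6 switched off, since recursion also talks
# to the IPv6 root and TLD servers. Upstream Unbound syntax is assumed.

# Print "<forwarding|recursive> ip6=<yes|no>" for the config file given as $1.
unbound_mode() {
    awk '
        # a line holding only "<clause>:" opens a new clause (server:, forward-zone:, ...)
        NF == 1 && $1 ~ /^[a-z-]+:$/ { clause = $1; next }
        # a forward-zone whose name is "." catches every query not answered locally
        clause == "forward-zone:" && $1 == "name:" {
            n = $2; gsub(/"/, "", n); if (n == ".") root_fwd = 1
        }
        $1 == "do-ip6:" { ip6 = $2 }
        END {
            if (ip6 == "") ip6 = "yes"   # Unbound default when the option is absent
            printf "%s ip6=%s\n", (root_fwd ? "forwarding" : "recursive"), ip6
        }
    ' "$1"
}

# Constructed samples: one left in resolver mode with the default do-ip6, one
# forwarding to the two public resolvers named in the thread.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/recursive.conf" <<'EOF'
server:
    interface: 0.0.0.0
    harden-dnssec-stripped: yes
remote-control:
    control-enable: yes
EOF
    cat > "$dir/forwarding.conf" <<'EOF'
server:
    interface: 0.0.0.0
    do-ip6: no
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
EOF
    echo "$dir"
}

# Print the mode and flag the combination the thread describes.
check_config() {
    mode=$(unbound_mode "$1")
    echo "$1: $mode"
    case "$mode" in
        "recursive ip6=yes")
            echo "  recursion will also query IPv6 authoritative servers; on a host"
            echo "  without IPv6 connectivity either forward (Use System Nameservers)"
            echo "  or set do-ip6: no" ;;
    esac
}

SAMPLE_DIR=$(make_samples)
check_config "$SAMPLE_DIR/recursive.conf"
check_config "$SAMPLE_DIR/forwarding.conf"
```

The awk program only tracks which top-level clause it is inside, so a `name: "."` under `stub-zone:` or `auth-zone:` is not mistaken for full forwarding; `forward-first` and per-zone overrides are out of scope for this check.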
#8
Quote from: Azokul on March 12, 2024, 10:15:32 PM
Hi,
I have had the same problems since a few updates ago.
I'm on OPNsense 24.1.3_1-amd64

IPv6 Is disabled overall, I'm using 8.8.8.8 or 1.1.1.1 as default DNS on opnsense, with no override on LANs.
In unbound I don't have DNSSEC and I don't have query forwarding ON.
Every now and then I get SERVFAIL for exceeded maximum requests, I have up to 8000 contemporary requests at specific times of the day.
With dnsmasq I have no problems.

You have a different issue.  Please start a new thread.
#9
Quote from: vrtigo1 on March 12, 2024, 02:27:10 AM
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Not DNS servers.  DNS server options.  The section below where the DNS servers are entered.
#10
Keep in mind that depending on the amount of traffic and rules you have that enabling logging for all of them can cause problems, such as filling up your drive and possibly slowing down your network.
#11
OPNsense does not allow DNS by default.  You have to add a rule to allow it.

When making VLANs, don't put tagged and untagged traffic on the same NIC.  The easiest setup is to have WAN, LAN, and a third NIC for all of your VLANs only.

If you have enough ports, you can do all of this without VLANs.
#12
Quote from: Seimus on March 09, 2024, 07:55:35 PM
N5105 is capable of running 2.5G throughput on a single core; servethehome tested this in a Proxmox setup and he had absolutely no problem. I have a N5105 but bare metal, and I have absolutely no problem whatsoever with this. I would even go so far as to say it's a bit overkill for 500/30 Internet connections and 2G LAN inter-VLAN communication with a lot of additional features the OPN provides + IPS/IDS on it.

Interesting.  What kind of cpu usage are you seeing?  What IDS/IPS setup are you using?
#13
What do you mean when you say you want "them on a dedicated device"?

Running OPNsense in a VM adds complexity to the setup and ties your entire network into the VM host.

What is your overall goal?  To replace your old Xeon?  To introduce OPNsense on your network?  Something else?
#14
Post screenshots of what you're referring to.

What version are you on?

What do you have under the VPN: OpenVPN selections?
#15
Quote from: vrtigo1 on March 07, 2024, 08:36:06 PM
Quote from: CJ on March 07, 2024, 01:11:11 PM
Is IPv6 disabled on your WAN?
What do you have for your DNS settings on System: Settings: General?
Do you have any entries under Services: Unbound DNS: Query Forwarding or Services: Unbound DNS: DNS over TLS?


As a side note, enabling IPv6 just for unbound can be handy as resolvers return both v4 and v6 records.  It's the only v6 traffic I currently have on my network.

Yes IPv6 is completely disabled on all interfaces.

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Nothing under Unbound DNS > Query Forwarding or DNS over TLS

What do you have under DNS server options on the General page?