Messages - myradon

#1
Okay, I ended up removing 1 VLAN interface of the server and changing firewall rules on OPNsense. Fiddling with various bridge_modes of docker VLAN networks didn't fix the lack of network isolation, neither did adding iptables rules. So I simplified stuff; in hindsight, having the server on the LAN segment made little sense for only the convenience of SMB. Case closed.
#2
I did a packet capture on both the LAN and IOT VLANs and opened the dumps in Wireshark. It goes beyond my knowledge how to interpret these huge branches of data in packets. At some point Wireshark colors packets in red. I'm not comfortable with interpreting these pcap files. I've put them on the links down below:

Pack Capture Segment IOT with host running Docker Container

Pack Capture Segment LAN Network

EDIT:

I've also checked and tweaked the routing settings for VLAN isolation on the Linux host machine running docker macvlans. It doesn't make any difference.
#3
Quote from: Patrick M. Hausen on October 13, 2025, 06:54:19 PM
Does that host in the IoT segment have a second interface?

The host machine has 3 VLANs defined. The docker container in question runs on one of the 2 defined macvlans. One host VLAN is purely for the LAN segment; no docker containers run on it. So I had to add some Unbound custom zones for proper name resolving. But I believe that's out of scope for this issue.
#4
Untagged? The OPNsense [igc1] interface is not assigned. OPNsense internal segments only have VLANs.

Both pass and block entries have the same VLAN (igc1_vlan130) in the above logging snippet. So I don't understand untagged traffic.
#5
Hi,

I'm facing a weird issue with firewall rules. It concerns traffic from the LAN segment to a host in the IoT segment. I set up an allow rule. But in the firewall log I see traffic gets both blocked and passed. The pass entry shows the description of the pass rule, but the deny entry shows the generic "Default deny / state violation rule".

Pass rule: Pass on LAN interface, IPv4/TCP, any from LAN net to a host (in IOT segment) at port 9000. Firewall rules either block or pass, right? I've got a case of mwehhh, let's flip a coin. I reckon that's why the docker container running Portainer on the host(-net) feels sluggish.

Here's a snippet of my firewall plain log:
2025-10-13T17:13:43    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:40    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:37    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52281,9000,0,S,4177888861,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52280,9000,0,S,3532974004,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52279,9000,0,S,1485386341,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:35    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52278,9000,0,S,1097104973,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:35    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52277,9000,0,S,4212048164,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52264,9000,0,A,,3169677142,2591,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52261,9000,0,A,,513305460,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52263,9000,0,A,,2990894775,2071,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52265,9000,0,A,,808996891,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52262,9000,0,A,,3823069798,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52266,9000,0,A,,2916009586,2048,,nop;nop;TS

edit:
With some googling I found more info on the block rule at "Firewall/Diagnostics/Statistics/rules":

@10 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
evaluations: 5445
packets: 1207
bytes: 300083
states: 0
inserted: uid 0 pid 76129
state_creations: 0
time: mon oct 13 17:34:58 2025


I don't know, by the way, what rule_id 10 is referring to. I can't open it (from Live View). Who can make sense of this weird behaviour?
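The log snippet in this post is in the pf filterlog CSV format, and the difference between the two kinds of entries is easier to see once the fields are split out. The parser below is an added example (not code from the post or from OPNsense): it reads the lines exactly as pasted above, counts entries per action, rule number and TCP flags, and lists the source ports that were blocked without a passed SYN appearing in the snippet. The field names are the standard filterlog column order for an IPv4 TCP record; records for other protocols have a different tail and are rejected rather than guessed at.

```python
"""Split OPNsense/pf filterlog lines into fields and summarize pass/block entries."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Column order of a pf filterlog record for IPv4 TCP (the layout used by the lines below).
FILTERLOG_TCP_FIELDS = [
    "rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action",
    "direction", "ipversion", "tos", "ecn", "ttl", "id", "offset", "ipflags",
    "protonum", "protoname", "length", "src", "dst", "srcport", "dstport",
    "datalen", "tcpflags", "seq", "ack", "window", "urg", "options",
]

# Sample input: the fourteen log lines quoted in the post above, unmodified.
SAMPLE_LOG = """\
2025-10-13T17:13:43    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:40    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:37    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,1045,192.168.130.135,192.168.132.2,52266,9000,993,PA,3670106294:3670107287,2916009586,2048,,nop;nop;TS
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52281,9000,0,S,4177888861,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52280,9000,0,S,3532974004,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:36    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52279,9000,0,S,1485386341,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:35    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52278,9000,0,S,1097104973,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:35    Informational    filterlog     115,,,7c0eac9da28d053d5496835ca6b1a5bc,igc1_vlan130,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.130.135,192.168.132.2,52277,9000,0,S,4212048164,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52264,9000,0,A,,3169677142,2591,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52261,9000,0,A,,513305460,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52263,9000,0,A,,2990894775,2071,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52265,9000,0,A,,808996891,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52262,9000,0,A,,3823069798,2048,,nop;nop;TS
2025-10-13T17:13:33    Informational    filterlog     10,,,02f4bab031b57d1e30553ce08e0ec131,igc1_vlan130,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.130.135,192.168.132.2,52266,9000,0,A,,2916009586,2048,,nop;nop;TS
"""


def parse_filterlog_line(line: str) -> Dict[str, str]:
    """Turn one 'timestamp level program csv' line into a dict keyed by field name."""
    timestamp, _level, program, csv = line.split(None, 3)
    if program != "filterlog":
        raise ValueError(f"not a filterlog line: {line!r}")
    values = csv.split(",")
    # Only the IPv4/TCP layout is known here; refuse anything else instead of mislabelling it.
    if len(values) < len(FILTERLOG_TCP_FIELDS) or values[8] != "4" or values[16] != "tcp":
        raise ValueError(f"unsupported filterlog record layout: {csv!r}")
    record = dict(zip(FILTERLOG_TCP_FIELDS, values))
    record["timestamp"] = timestamp
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a pasted log snippet."""
    return [parse_filterlog_line(line) for line in text.splitlines() if line.strip()]


def summarize(records: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Count entries per (action, rule number, TCP flags)."""
    return Counter((r["action"], r["rulenr"], r["tcpflags"]) for r in records)


def rule_labels(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each rule number seen in the log to its label (the id shown in the statistics page)."""
    return {r["rulenr"]: r["label"] for r in records}


def blocked_without_passed_syn(records: List[Dict[str, str]]) -> Set[str]:
    """Source ports of blocked packets whose SYN was not passed anywhere in this snippet.

    A block on such a port is a packet arriving mid-stream with no matching pass entry
    in the snippet, which is the pattern to look for when the deny entry is the
    default deny / state violation rule rather than a user rule.
    """
    passed_syn = {r["srcport"] for r in records if r["action"] == "pass" and r["tcpflags"] == "S"}
    blocked = {r["srcport"] for r in records if r["action"] == "block"}
    return blocked - passed_syn


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (action, rule, flags), count in sorted(summarize(recs).items()):
        print(f"{action:5} rule {rule:>3} flags {flags:2} -> {count} entries")
    print("rule labels:", rule_labels(recs))
    print("blocked src ports with no passed SYN in snippet:", sorted(blocked_without_passed_syn(recs)))
```

Run on the pasted lines it reports 5 pass entries, all SYNs matched by rule 115, and 9 block entries, all A or PA packets matched by rule 10, on six source ports (52261-52266) for which no SYN is passed in this snippet; the label printed for rule 10 is the same id shown in the statistics output quoted above.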
#6
I'll close up this topic as solved. The system has been running for almost 7 days without any problem. Was it the update (from F2) to BIOS F3 or manually configuring OPNsense? I'll never know, but nevertheless I'm happy.
#7
Currently the system has been running for 24 hours. I've updated the system with the latest BIOS F3 from the Changwang website (link above). Also reconfigured the entire system through the GUI. VLAN with IPS in promiscuous mode works. Only I can't get the Acme Client to work, but that's off topic. So far so good...
#8
I'm wondering the same. Can't find info on how to add a DNS provider, which is available on the Acme GitHub, to OPNsense. I would like to add DNSExit https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_dnsexit.sh
#9
I believe I found a link to BIOS which isn't dead (as we speak); https://pan.x86pi.cn/BIOS%E6%9B%B4%E6%96%B0/1.Intel%E8%BF%B7%E4%BD%A0%E4%B8%BB%E6%9C%BA%E7%B3%BB%E5%88%97BIOS

Before you download X86-XP2, be aware of the different versions. J4125 seems to be a different file than N4000/J4105. I'm going to try whether this BIOS solves something.
#10
Nope! Next try (when summer conditions disappear) will be reconfiguring the new system from the GUI 1 by 1 instead of copy-pasting XML.
#11
Helllloooo... anybody....heeerreee? :)
#12
@pmhausen do you think it would be that simple? Would be a nice one. I'm using a quality Seasonic power supply. Used it for years without any problems, because I wouldn't have problems. Also did the stress testing of the CPU with it in a Manjaro system, hit 70 degrees temp max. I believe it's then throttled by firmware.

I'll search for some other PSU lying around, but I think that one is an El Cheapo though. See if thermal throttling can be upped or disabled. The passive radiator casing doesn't get really warm though.
EDIT

El Cheapo PSU and original Seasonic PSU: no difference. Only booting is now a new issue:

All buffer synced...
Uptime XYZ

Did it crash?
#13
Hi,

A few months ago I bought an X86-P2 mini system at Loksing https://www.loksing.com.cn/products/x86-p2-software-route-n4000-j4105-j4125-mini-host-6w-low-power-consumption-quad-core-quad-thread-intelligent-hardware-fanless-energy-saving-microcomputer-computer. I believe this thing is sold by various other companies under different names. Anyways....

This piece of equipment keeps shutting down. It shows script "beep" and script "freebsd" out of the blue and shuts down. Initially I manually changed the NICs in config.xml from the old system to correspond to the new igc driver and installed with the installer. Shut down within a dozen minutes or so. Then a new install, and started to modify config.xml functionality by functionality. So first VLAN, then DHCP, then firewall rules and NAT and so on. Also updated the system to the latest 23.1.8 version, but the system shuts down after 1.5 hours to 4 hours.

Because I read various topics about I226-V problems, I also created a loader.conf.local:

hw.acpi.cpu.cx_lowest="C1"
hw.ibrs_disable="1"
hw.igc.rx_process_limit="-1"
hw.igc.max_interrupt_rate="8000"
hw.igc.eee_setting="1"
hw.igc.sbp="1"
hw.igc.smart_pwr_down="0"
hw.igc.rx_abs_int_delay="66"
hw.igc.tx_abs_int_delay="66"
hw.igc.rx_int_delay="0"
hw.igc.tx_int_delay="66"
hw.igc.disable_crc_stripping="0"

The piece of @#%#$ keeps shutting down. And yep, all settings related to hardware offloading and VLAN filtering have been disabled through the GUI. The system runs the ZFS file system without swap. I've tested memory with Memtest86+ = 4 days, 0 errors; used Stress for CPU, Mem and IO through a Manjaro USB stick = 2 days, no problems. So it seems to me not hardware related.

How can I log or see what the culprit is?
#14
I've got the same problem. I bought a Loksing X86-P2 mini PC; CPU Intel J4125 with NICs Intel I226-V and a Samsung NVMe, running (latest) OPNsense 23.1.5_4. I've configured VLAN, IPS in promiscuous mode.

The monitor just goes blank, or I see a shutdown with various services shutting down and even a speaker beep. It happens after 10 minutes, 3 hours or within a couple of seconds.

As suggested, I've done a rollback to the previous kernel. It doesn't make any difference.
#15
Thanks a lot for your edit. It took me several hours to figure out. Your comments got it up and running within 1 minute. Thanks!