Messages - mfpck

#1
Hi,

Glad to see these updated fancy devices in stock > DEC675 / DEC695 !

Do they run coreboot, and if not, which one, and how do I get BIOS updates?

I really miss the information and/or documentation regarding the BIOS part, especially in the business section.

Thx & Best
#2
Quote from: franco on April 08, 2022, 07:44:19 PM
This year in particular we seem to have nobody running development versions who could report on these issues that have been there for weeks up front. It's unfortunate but it's our reality as much as everyone else's.

We decided some major versions ago that we would bundle changes in development systems for at least one release cycle or more so consumers of the development version could report issues if they arise.

The PPPoE IPv6 issue in 22.1.4 was on development version, the Unbound migration was there too. Nobody saw it and we do have A LOT of active installations out in the wild...

Cheers,
Franco

I am not really aware of dev. versions, and I think it is also pretty intransparent to find them upfront, especially for new users, because it seems not to be written anywhere really.

The dev. versions are just available for already installed versions of Opnsense, right?
There are no dev. ISO images upfront or daily snapshots like pfSense did?

From my understanding, and based on your strategy, the current version was always considered the community edition, which may cause issues due to its being ....and for more critical setups the business edition?



#3
Quote from: NW4FUN on March 26, 2022, 09:45:26 PM

1) I wasn't able to run a fresh install as it kept freezing at the same point (the only image able to be launched was


I had similar issues once. The issue was related to the sense image and/or the USB stick... So I downloaded the image again, verified it, and used a different USB stick!
#4
22.1 Legacy Series / Whoop and Great + questions
January 27, 2022, 10:15:48 PM
Hello Folks,

First of all great work & respect for 22.1  !!

Performs pretty well here, just found one little GUI drop-down glitch in the IPsec phase 1 tunnel subnet menu with Firefox... except for this, all runs super smooth!

In terms of design decisions, I am just curious why there is no clear position or info regarding the offloading settings. It looks like CRC makes super sense ;) to enable by default if you're not using Realtek NICs, IPS or VM environments, and TSO & LRO seem to be always disabled on firewalls, right?

If this is not wrong, why not drop the TSO & LRO options from the GUI, make them disabled by default (but still switchable), and make CRC enabled by default in the GUI (incl. the info for the Realtek & VM cases)?

Further, I would like to know if you're considering moving the web proxy, dyn masq DNS and OpenDNS from core to plugins and putting WireGuard into core?

Best & Thx !
#5
22.1 Legacy Series / Unbound - no logs at all in webgui
January 20, 2022, 06:48:52 PM
Hallelujah - ya, ok ::) Seems to be a new feature, isn't it?
#6
Hello,

Since r1 and still on rc2 there are no logs in the WebGUI...
For testing purposes I enabled log level 5 + log queries; still no logs.

Just to let ya know.

#7
22.1 Legacy Series / Re: 22.1rc1 - a few notes
January 13, 2022, 11:49:06 AM
Ok. I ran memtest to double check the memory - all good.
Also I redownloaded Opnsense, reimaged it to a different stick and reinstalled Opnsense, and all issues I reported yesterday were gone, super strange... I guess the image or the stick was somehow faulty.

No issues so far !
#8
22.1 Legacy Series / 22.1rc1 - a few notes
January 12, 2022, 05:34:33 PM
Hello,

First of all, pretty cool and I am looking forward to 22.1!

Tdy. I was able to clean-install rc1 on my apu2, noticed a few issues, and want to report them.

1. Zfs
I received the following error '─Error: sysctl'
'sysctl: unknown oid 'vfs.zfs.min_auto_ashift'
1.1 I tried a few things including the guided and manual ZFS install options but always received the same error; UFS worked.

2. Console
2.1 The following msg. appears: 
'HTTPS: ld-elf.so.1: /lib/libcrypto.so.111: Unsupported relocation type 572213003 in non-PLT relocations'
2.2 Point 10 - Firewall log does not work

3. Services
I do not receive an IP via DHCP on LAN - I configured the LAN manually (client side), which worked to get access to the sense, so I ran the wizard and tried again to get an IP via DHCP, but nope.

3.1 I just changed 2 settings (enable forwarding and hide version), and after save and apply Unbound crashed and stopped without any logs (GUI) + it was not possible to start Unbound again via the GUI + still no logs.

I didn't investigate it deeper, just to let you know my few findings, which might help.

Best & Greets!

#9
Hi,

It's pretty strange, because sometimes it works and sometimes it doesn't, but I cannot figure out what triggers this behavior.
E.g. a trivial WG roadie setup with no Suricata or complex rules tries to ping the FW, which sometimes works and sometimes not. I did create an interface rule, and for testing purposes I also created a rule on the new WireGuard group (since 1.9) interface to allow all traffic arriving on this interface from any to the LAN network (any also does not work). The firewall live log shows the ICMP but it gets blocked, so this tells me my FW rules do not apply correctly, right?

I also notice such behaviors with IPsec site2sites.

All ideas and feedback are highly appreciated
#10
haha ok. Which one, or doesn't it matter, just to trigger the generation of the default one?
#11
For testing purposes I decided to delete all my assigned interfaces, to test my setup and FW rulesets only via the default WireGuard tab, BUT this is now gone, why? It was always present and unused.... I restarted WG and the Opnsense as well :( still gone.

What do I miss here  ?
#12
Quote from: mimugmail on November 19, 2021, 06:54:54 AM
The only reason to assign Interfaces with OpenVPN or WireGuard are for using VPN providers like Mullvad. Usually no business needs to assign them in any way. We have OpenVPN for remote users and WireGuard for mobile. We also have customers with nearly 100 branches connected via OpenVPN, no assigning needed.

Both can coexist without assigning for sure.

Just curious reading your post in ref. to not using interfaces for WG instances, while there are plenty of good reasons for assigning interfaces, e.g. from the OPNsense docs.

Step 5(a) - Assign an interface to WireGuard (recommended)

Hint

This step is not strictly necessary in any circumstances for a road warrior setup. However, it is useful to implement, for several reasons:

First, it generates an alias for the tunnel subnet(s) that can be used in firewall rules. Otherwise you will need to define your own alias or at least manually specify the subnet(s)

Second, it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule

Finally, it allows separation of the firewall rules of each WireGuard instance (each wgX device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance


For what reason do you recommend not assigning WG interfaces?


#13
What's wrong with my IPsec settings, or is it too much for the apu2?

Ipsec
phase1:
128 bit AES-GCM with 128 bit ICV + AESXCBC + DH Group 14

phase2:
aes128gcm16 + AES-XCBC + off



./iperf3 -c 192.168.12.12 -P 2
Connecting to host 192.168.12.12, port 5201
[  4] local 192.168.1.100 port 56513 connected to 192.168.12.12 port 5201
[  6] local 192.168.1.100 port 56514 connected to 192.168.12.12 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec   128 KBytes  1.04 Mbits/sec                 
[  6]   0.00-1.00   sec   128 KBytes  1.04 Mbits/sec                 
[SUM]   0.00-1.00   sec   256 KBytes  2.09 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   1.00-2.00   sec   371 KBytes  3.05 Mbits/sec                 
[  6]   1.00-2.00   sec   416 KBytes  3.43 Mbits/sec                 
[SUM]   1.00-2.00   sec   788 KBytes  6.48 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   2.00-3.00   sec   325 KBytes  2.66 Mbits/sec                 
[  6]   2.00-3.00   sec   372 KBytes  3.05 Mbits/sec                 
[SUM]   2.00-3.00   sec   697 KBytes  5.71 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   3.00-4.00   sec   468 KBytes  3.83 Mbits/sec                 
[  6]   3.00-4.00   sec   514 KBytes  4.21 Mbits/sec                 
[SUM]   3.00-4.00   sec   981 KBytes  8.04 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   4.00-5.00   sec   386 KBytes  3.16 Mbits/sec                 
[  6]   4.00-5.00   sec   425 KBytes  3.48 Mbits/sec                 
[SUM]   4.00-5.00   sec   811 KBytes  6.64 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   5.00-6.00   sec   504 KBytes  4.13 Mbits/sec                 
[  6]   5.00-6.00   sec   549 KBytes  4.50 Mbits/sec                 
[SUM]   5.00-6.00   sec  1.03 MBytes  8.63 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   6.00-7.00   sec   368 KBytes  3.01 Mbits/sec                 
[  6]   6.00-7.00   sec   421 KBytes  3.45 Mbits/sec                 
[SUM]   6.00-7.00   sec   789 KBytes  6.46 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   7.00-8.00   sec   480 KBytes  3.94 Mbits/sec                 
[  6]   7.00-8.00   sec   514 KBytes  4.21 Mbits/sec                 
[SUM]   7.00-8.00   sec   994 KBytes  8.15 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   8.00-9.00   sec   360 KBytes  2.94 Mbits/sec                 
[  6]   8.00-9.00   sec   375 KBytes  3.07 Mbits/sec                 
[SUM]   8.00-9.00   sec   734 KBytes  6.01 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   9.00-10.00  sec   516 KBytes  4.23 Mbits/sec                 
[  6]   9.00-10.00  sec   521 KBytes  4.27 Mbits/sec                 
[SUM]   9.00-10.00  sec  1.01 MBytes  8.50 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  3.81 MBytes  3.20 Mbits/sec                  sender
[  4]   0.00-10.00  sec  3.70 MBytes  3.11 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  4.14 MBytes  3.47 Mbits/sec                  sender
[  6]   0.00-10.00  sec  4.02 MBytes  3.37 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec  7.95 MBytes  6.67 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  7.73 MBytes  6.48 Mbits/sec                  receiver



WG
/iperf3 -c 192.168.12.12 -P 2
Connecting to host 192.168.12.12, port 5201
[  4] local 192.168.1.100 port 56480 connected to 192.168.12.12 port 5201
[  6] local 192.168.1.100 port 56481 connected to 192.168.12.12 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  2.96 MBytes  24.8 Mbits/sec                 
[  6]   0.00-1.00   sec  2.40 MBytes  20.1 Mbits/sec                 
[SUM]   0.00-1.00   sec  5.36 MBytes  44.9 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   1.00-2.00   sec  2.55 MBytes  21.3 Mbits/sec                 
[  6]   1.00-2.00   sec  2.68 MBytes  22.5 Mbits/sec                 
[SUM]   1.00-2.00   sec  5.23 MBytes  43.9 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   2.00-3.00   sec  2.97 MBytes  24.9 Mbits/sec                 
[  6]   2.00-3.00   sec  3.15 MBytes  26.5 Mbits/sec                 
[SUM]   2.00-3.00   sec  6.12 MBytes  51.4 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   3.00-4.00   sec  2.74 MBytes  23.0 Mbits/sec                 
[  6]   3.00-4.00   sec  2.82 MBytes  23.7 Mbits/sec                 
[SUM]   3.00-4.00   sec  5.57 MBytes  46.7 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   4.00-5.00   sec  2.98 MBytes  25.0 Mbits/sec                 
[  6]   4.00-5.00   sec  2.67 MBytes  22.4 Mbits/sec                 
[SUM]   4.00-5.00   sec  5.65 MBytes  47.4 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   5.00-6.00   sec  3.13 MBytes  26.2 Mbits/sec                 
[  6]   5.00-6.00   sec  2.36 MBytes  19.8 Mbits/sec                 
[SUM]   5.00-6.00   sec  5.49 MBytes  46.0 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   6.00-7.00   sec  2.48 MBytes  20.8 Mbits/sec                 
[  6]   6.00-7.00   sec  2.13 MBytes  17.9 Mbits/sec                 
[SUM]   6.00-7.00   sec  4.61 MBytes  38.7 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   7.00-8.00   sec  2.26 MBytes  19.0 Mbits/sec                 
[  6]   7.00-8.00   sec  2.17 MBytes  18.2 Mbits/sec                 
[SUM]   7.00-8.00   sec  4.43 MBytes  37.2 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   8.00-9.00   sec  1.80 MBytes  15.1 Mbits/sec                 
[  6]   8.00-9.00   sec  2.14 MBytes  18.0 Mbits/sec                 
[SUM]   8.00-9.00   sec  3.94 MBytes  33.1 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   9.00-10.00  sec  1.78 MBytes  14.9 Mbits/sec                 
[  6]   9.00-10.00  sec  2.78 MBytes  23.3 Mbits/sec                 
[SUM]   9.00-10.00  sec  4.57 MBytes  38.3 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  25.6 MBytes  21.5 Mbits/sec                  sender
[  4]   0.00-10.00  sec  25.6 MBytes  21.4 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  25.3 MBytes  21.2 Mbits/sec                  sender
[  6]   0.00-10.00  sec  25.2 MBytes  21.1 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec  51.0 MBytes  42.7 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  50.7 MBytes  42.5 Mbits/sec                  receiver
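As an added example (not from the post or from OPNsense), a small Python parser for the iperf3 text output above: it pulls the receiver-side [SUM] goodput out of each run and gives the WireGuard-to-IPsec ratio. The two sample strings are the final summary lines copied from the two runs in the post.

```python
import re

# Final summary lines of the two iperf3 runs posted above (IPsec first, then
# WireGuard), copied from the post and trimmed to the 0-10 s totals.
IPSEC_RUN = """\
[  4]   0.00-10.00  sec  3.81 MBytes  3.20 Mbits/sec                  sender
[  4]   0.00-10.00  sec  3.70 MBytes  3.11 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  4.14 MBytes  3.47 Mbits/sec                  sender
[  6]   0.00-10.00  sec  4.02 MBytes  3.37 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec  7.95 MBytes  6.67 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  7.73 MBytes  6.48 Mbits/sec                  receiver
"""
WG_RUN = """\
[  4]   0.00-10.00  sec  25.6 MBytes  21.5 Mbits/sec                  sender
[  4]   0.00-10.00  sec  25.6 MBytes  21.4 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  25.3 MBytes  21.2 Mbits/sec                  sender
[  6]   0.00-10.00  sec  25.2 MBytes  21.1 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec  51.0 MBytes  42.7 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  50.7 MBytes  42.5 Mbits/sec                  receiver
"""
# One iperf3 text-mode result line: "[ ID] start-end sec  N XBytes  N Xbits/sec [role]"
LINE_RE = re.compile(
    r"^\[\s*(?P<id>\w+)\]\s+[\d.]+-[\d.]+\s+sec\s+(?P<xfer>[\d.]+)\s+(?P<xu>[KMG])Bytes"
    r"\s+(?P<bw>[\d.]+)\s+(?P<bu>[KMG])bits/sec(?:\s+(?P<role>sender|receiver))?\s*$"
)
# iperf3 prints byte counts with binary prefixes but bit rates with decimal ones.
BYTE_SCALE = {"K": 1024, "M": 1024**2, "G": 1024**3}
BIT_SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


def parse_iperf3(text):
    """Parse iperf3 client output into rows; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"id": m["id"], "role": m["role"] or "interval",
                         "bytes": float(m["xfer"]) * BYTE_SCALE[m["xu"]],
                         "bps": float(m["bw"]) * BIT_SCALE[m["bu"]]})
    return rows


def goodput_mbps(text):
    """Receiver-side [SUM] rate in Mbit/s: what actually arrived through the tunnel."""
    for r in parse_iperf3(text):
        if r["id"] == "SUM" and r["role"] == "receiver":
            return r["bps"] / 1e6
    raise ValueError("no [SUM] receiver line in iperf3 output")


def speedup(slow, fast):
    """How many times faster the second run's goodput is than the first's."""
    return goodput_mbps(fast) / goodput_mbps(slow)
```

Feed it the full pasted output and the per-second interval rows come back as well, with role "interval", so the same parser also shows the second-by-second variance of the IPsec run.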

#14
Hello,

Are there known issues when using the WireGuard plugin with assigned interfaces?
In particular, I was able to reproduce two exotic behaviors:

setup:
Two WG instances (site2site & roadies) on two OPNsense 21.7.5 hw boxes.
Both instances are assigned to an Interface each.
Site2site works and the roadies work as well.

It seems that WG-related firewall rules do not apply correctly to WG-assigned interfaces, and/or work randomly, or only work after a reboot?
See attached two screenshots - Just applied after a reboot !?

Further, it is quite often necessary to manually reload Unbound to get it to work for WG roadies (...)?

All ideas and knowledge will be appreciated !
#15
Hello Opnsense team,

Tdy. I tried to show how great Opnsense is. We started with a fresh installation via serial, which worked perfectly great as already known, but the update process with all default settings did not work well at all > stuck with dots ............forever without any error or information at all. I tried several things including BIOS settings and a reinstall without success. Finally I tried to manually change the mirror to something else and it worked as expected, hallelujah!

So either your default mirror is under attack or under super heavy load. Anyway, it would be cool to implement a solution for such situations to be able to deal with it.

Thanks and greets !