1
Hardware and Performance / Re: PC Engines APU2 1Gbit traffic not achievable
« on: May 31, 2022, 07:59:27 pm »
Does anyone know if the upcoming FreeBSD 13.1 (coming in OPNsense 22.7) brings some single core network improvements?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
22.1 Legacy Series / Re: vlan issues - in combination with IPS (IDS works)
« on: May 31, 2022, 07:57:34 pm »
still the same with 22.1.8_1
3
22.1 Legacy Series / Re: vlan issues - in combination with IPS (IDS works)
« on: April 04, 2022, 10:35:36 pm »
The issue with IPS remains with 22.1.4_1
4
Virtual private networks / Re: DNS on OpenVPN not working anymore with 22.1
« on: February 17, 2022, 08:00:44 pm »
I have no clue, what went wrong here, but I got it to work now, again.
I had to select the OpenVPN interface in unbound and now DNS is working again as before.
But I am quite sure it must have been selected before the upgrade.
And because the Update made it stop working, I had played around with the separate interface I have had assigned under interfaces to the OpenVPN interface and eventually had removed it.
Assumingly that removed it from Unbound as well.
So the issue probably was that I had manually assigned an interface to the OpenVPN interface in the past instead of just leaving it as it gets created by the OpenVPN package.
I had to select the OpenVPN interface in unbound and now DNS is working again as before.
But I am quite sure it must have been selected before the upgrade.
And because the Update made it stop working, I had played around with the separate interface I have had assigned under interfaces to the OpenVPN interface and eventually had removed it.
Assumingly that removed it from Unbound as well.
So the issue probably was that I had manually assigned an interface to the OpenVPN interface in the past instead of just leaving it as it gets created by the OpenVPN package.
5
Virtual private networks / [solved] DNS on OpenVPN not working anymore with 22.1
« on: February 12, 2022, 08:54:11 pm »
Since the OPNsense upgrade to 22.1, DNS is not working anymore on my VPN CLients.
My VPN network is 192.168.20.0/24 and i push 192.168.20.1 as DNS Server to the Clients.
I just created a test rule in the OpenVPN firewall section
Protocol Source Port Destination Port Gateway Schedule Description
IPv4 * 192.168.20.0/24 * * * * * Allow all
When I however run nmap -53 192.168.20.1 on the client, it states port 53 is filtered.
So I am wondering, if unbound is not serving this subnet anymore.
I have not had any issues prior to OPNsense 22.1.
My VPN network is 192.168.20.0/24 and i push 192.168.20.1 as DNS Server to the Clients.
I just created a test rule in the OpenVPN firewall section
Protocol Source Port Destination Port Gateway Schedule Description
IPv4 * 192.168.20.0/24 * * * * * Allow all
When I however run nmap -53 192.168.20.1 on the client, it states port 53 is filtered.
So I am wondering, if unbound is not serving this subnet anymore.
I have not had any issues prior to OPNsense 22.1.
6
22.1 Legacy Series / Re: vlan issues - in combination with IPS (IDS works)
« on: February 07, 2022, 10:27:36 pm »Don't run IPS in VLAN interfaces. Emulated mode didn't work prior to 22.1 in kernel and now it does but it's buggy as hell as per upstream.Thanks Franco, but I did only activate IPS on physical interfaces and not on the vlans.
Or does it mean, that we must not activate it on vlan parent interfaces either?
However I am also wondering, if IDS/IPS does work at all this way (sitting on the parent interface).
7
22.1 Legacy Series / Re: vlan issues - in combination with IDS/IPS
« on: January 31, 2022, 06:57:42 pm »
I finally found time to look into this:
I cleared all lists and started in IDS only mode.
All is working fine, even after 30 minutes.
However as soon as I enable IPS, the described issue is present again.
I assume it could have sth. to do with the "Promiscuous mode" setting, that needs to be enabled for IPS.
However it seems not to cause any issues with active promiscuous mode and IDS.
I cleared all lists and started in IDS only mode.
All is working fine, even after 30 minutes.
However as soon as I enable IPS, the described issue is present again.
I assume it could have sth. to do with the "Promiscuous mode" setting, that needs to be enabled for IPS.
However it seems not to cause any issues with active promiscuous mode and IDS.
8
Hardware and Performance / Re: PC Engines APU2 1Gbit traffic not achievable
« on: January 31, 2022, 04:50:00 pm »
Most of the suggested tunables are not supported any more in 22.1.
I have however not yet tested network performance in 22.1 yet.
Tunables dev.igb.0.fc, dev.igb.1.fc,... are still shown as valid tunables.
These are shown as unsupported:
dev.igb.0.eee_disabled, dev.igb.1.eee_disabled, ...
hint.acpi_perf.0.disabled
hint.acpi_throttle.0.disabled
hint.p4tcc.0.disabled
hw.igb.0.fc, hw.igb.1.fc, ...
hw.igb.num_queues
hw.igb.rx_process_limit
hw.igb.tx_process_limit
legal.intel_igb.license_ack
I have removed the flow control tunables, as the network speed was minimally faster.
I got 350/210 MBit/s with ipferf in both directions (including the use of vlans) and IDS/IPS off.
One way got me 390 MBit/s.
With IDS (no IPS, because that is broken for me in 22.1):
one way: 300 MBit/s
I have however not yet tested network performance in 22.1 yet.
Tunables dev.igb.0.fc, dev.igb.1.fc,... are still shown as valid tunables.
These are shown as unsupported:
dev.igb.0.eee_disabled, dev.igb.1.eee_disabled, ...
hint.acpi_perf.0.disabled
hint.acpi_throttle.0.disabled
hint.p4tcc.0.disabled
hw.igb.0.fc, hw.igb.1.fc, ...
hw.igb.num_queues
hw.igb.rx_process_limit
hw.igb.tx_process_limit
legal.intel_igb.license_ack
I have removed the flow control tunables, as the network speed was minimally faster.
I got 350/210 MBit/s with ipferf in both directions (including the use of vlans) and IDS/IPS off.
One way got me 390 MBit/s.
With IDS (no IPS, because that is broken for me in 22.1):
one way: 300 MBit/s
9
22.1 Legacy Series / vlan issues - in combination with IPS (IDS works)
« on: January 28, 2022, 10:47:48 pm »
First of all, I would like to thank everyone, involved in any way, for this wonderful firewall appliance!
I just upgraded to 22.1.
When booted up, all is normally working for around 3 minutes.
Then on the console, I can On the console I see these messages:
Here is a little description of my systems and network:
OPNsense runs on a pcengines apu4d4:
igb0 is the wan port -> all is fine here
igb2 is bridged with the LAN interface and I get DHCP and network access to the OPNsense box and the internet as expected.
The parent interface for igb1 + igb3 are not used.
Instead 3 vlans for 3 subnets (LAN, GUEST, DMZ) are used.
vlan1 and vlan11 are bridged to the LAN interface; vlan 40 is bridged into GUEST and vlan 30 into DMZ. All 3 subnets have DHCP.
There is a vlan capable switch connected to both igb1 and igb3, which then taggs the vlans do different ports on the switch, so I can connect devices and have them in the respective subnet, where I want them to be.
All was working fine for at least 2 years with this setup.
What is also interesting is, that it shows (in addition to igb1, igb3) the following unassigned interfaces under interfaces -> overview
lo0, enc0, pfsync0, pflog0
and ovpns2, ovpns3 (I only have one OpenVPN server running and interestingly ovpn3 shows up)
I also have "Hardware CRC", "Hardware TSO" and "Hardware LRO" disabled.
I can also see that there are some tunables, which seem not to be supported anymore:
Does anyone have an idea, which changes might have caused issues here?
edit: I have removed all the unsupported tunables and restarted, but the issue remained.
and the full general log from within the GUI:
edit2: by checking the boot messages, I found these suspect messages:
edit3: I had IDS and IPS turned on. After disabling IDS completely, I can see on the console, that the vlans go down and up again. Then all is working normally again. I will investigate further what is wrong with IDS/IPS and if it only is one of them or if it is the blocklist that needs to be re applied.
I just upgraded to 22.1.
When booted up, all is normally working for around 3 minutes.
Then on the console, I can On the console I see these messages:
Code: [Select]
099.460195 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb1: link state changed to DOWN
igb1_vlan40: link state changed to DOWN
igb1_vlan11: link state changed to DOWN
igb1_vlan30: link state changed to DOWN
100.203318 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
100.510787 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
100.830802 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb3: link state changed to DOWN
igb3_vlan1: link state changed to DOWN
igb3_vlan40: link state changed to DOWN
igb3_vlan30: link state changed to DOWN
101.016024 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
101.349329 [ 849] iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb1: link state changed to UP
igb1_vlan40: link state changed to UP
igb1_vlan11: link state changed to UP
igb1_vlan30: link state changed to UP
igb3: link state changed to UP
igb3_vlan1: link state changed to UP
igb3_vlan40: link state changed to UP
igb3_vlan30: link state changed to UPAfterwards there s no network connection possible anymore via the vlan and dhcp also doesn#t work anymore.Here is a little description of my systems and network:
OPNsense runs on a pcengines apu4d4:
igb0 is the wan port -> all is fine here
igb2 is bridged with the LAN interface and I get DHCP and network access to the OPNsense box and the internet as expected.
The parent interface for igb1 + igb3 are not used.
Instead 3 vlans for 3 subnets (LAN, GUEST, DMZ) are used.
vlan1 and vlan11 are bridged to the LAN interface; vlan 40 is bridged into GUEST and vlan 30 into DMZ. All 3 subnets have DHCP.
There is a vlan capable switch connected to both igb1 and igb3, which then taggs the vlans do different ports on the switch, so I can connect devices and have them in the respective subnet, where I want them to be.
All was working fine for at least 2 years with this setup.
What is also interesting is, that it shows (in addition to igb1, igb3) the following unassigned interfaces under interfaces -> overview
lo0, enc0, pfsync0, pflog0
and ovpns2, ovpns3 (I only have one OpenVPN server running and interestingly ovpn3 shows up)
I also have "Hardware CRC", "Hardware TSO" and "Hardware LRO" disabled.
I can also see that there are some tunables, which seem not to be supported anymore:
Code: [Select]
debug.pfftpproxy Disable the pf ftp proxy handler. unsupported unknown
dev.igb.0.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.1.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.2.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.3.eee_disabled Disable Energy Efficiency unsupported 1
hint.acpi_perf.0.disabled [fireburner] tuning CPU boost unsupported 0
hint.acpi_throttle.0.disabled [fireburner] tuning CPU boost unsupported 0
hint.p4tcc.0.disabled [fireburner] tuning CPU boost unsupported 0
hw.igb.0.fc disable flow control unsupported 0
hw.igb.1.fc disable flow control unsupported 0
hw.igb.2.fc disable flow control unsupported 0
hw.igb.3.fc disable flow control unsupported 0
hw.igb.num_queues Set number of queues to number of cores divided by number of ports, 0 lets FreeBSD decide (should be default) unsupported 0
hw.igb.rx_process_limit [fireburner] tuning net bandw unsupported -1
hw.igb.tx_process_limit [fireburner] tuning net bandw unsupported -1
legal.intel_igb.license_ack [fireburner] tuning net bandw unsupported 1 Does anyone have an idea, which changes might have caused issues here?
edit: I have removed all the unsupported tunables and restarted, but the issue remained.
and the full general log from within the GUI:
Code: [Select]
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_DMZ[opt4]
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_DMZ[opt4]) (real interface: igb3_vlan30).
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan30'
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt4(igb3_vlan30)
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_GUEST[opt1]
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_GUEST[opt1]) (real interface: igb3_vlan40).
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan40'
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt1(igb3_vlan40)
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_LAN[opt2]
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_LAN[opt2]) (real interface: igb3_vlan1).
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan1'
2022-01-28T23:02:13 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt2(igb3_vlan1)
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_DMZ[opt8]
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_DMZ[opt8]) (real interface: igb1_vlan30).
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan30'
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt8(igb1_vlan30)
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_LAN[opt7]
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_LAN[opt7]) (real interface: igb1_vlan11).
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan11'
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt7(igb1_vlan11)
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_GUEST[opt9]
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_GUEST[opt9]) (real interface: igb1_vlan40).
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan40'
2022-01-28T23:02:08 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt9(igb1_vlan40)
2022-01-28T23:02:07 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt4(igb3_vlan30)
2022-01-28T23:02:06 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt1(igb3_vlan40)
2022-01-28T23:02:05 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt2(igb3_vlan1)
2022-01-28T23:02:02 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt8(igb1_vlan30)
2022-01-28T23:02:01 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt7(igb1_vlan11)
2022-01-28T23:02:00 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt9(igb1_vlan40)edit2: by checking the boot messages, I found these suspect messages:
Code: [Select]
igb0: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb0 (ifp 0xfffff800035c8800), ignoring.
igb1: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb1 (ifp 0xfffff800034b8000), ignoring.
igb2: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb2 (ifp 0xfffff800037fe000), ignoring.
igb3: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb3 (ifp 0xfffff80003609800), ignoring.edit3: I had IDS and IPS turned on. After disabling IDS completely, I can see on the console, that the vlans go down and up again. Then all is working normally again. I will investigate further what is wrong with IDS/IPS and if it only is one of them or if it is the blocklist that needs to be re applied.
10
Hardware and Performance / Re: Boot screen issue with OPNsense 20.1 on APU4D4
« on: July 31, 2020, 12:37:05 pm »11
Hardware and Performance / Boot screen issue with OPNsense 20.1 on APU4D4
« on: June 08, 2020, 08:24:48 pm »
Hi all,
i switched my hardware last week from a low performance Fujitsu Futro S550-2 to an APU4D4.
When booting the installer the boot screen is shown properly and installation went fine.
The serila connection afterwards works fine for the whole boot process except the boot screen, which is totally distorted and so nothing can be selected:
For now this is not a huge problem, but who knows. A future upgrade might need me to manually adjust the boot parameters. Does anyone have an idea why this screen is broken in the installed version, but not when booting then serial installer?
Of course I use 115200 baud (with picocom from Linux via a serial - USB adapter)
i switched my hardware last week from a low performance Fujitsu Futro S550-2 to an APU4D4.
When booting the installer the boot screen is shown properly and installation went fine.
The serila connection afterwards works fine for the whole boot process except the boot screen, which is totally distorted and so nothing can be selected:
Code: [Select]
H ____________ __________ __________
H// ____ ||// ______ ||// ____ ||
H|| || || || ||____// || || || ||______ ______ __ ____ ______ _____
H|| || || || ______//|| || || // ____||// __ \\ ''__ \\// ____||// __ \
H|| ||____|| || || || || || \\_/__ \\ ____// || || \\____ \\ ___
H||__________//||__|| ||__|| //____||______//\\______||__|| ||__||______//\\_____|
H++HH=================H===================H++==========================================@@@@@@@@@@@@@@@@@@@@
H|| H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
H||HH..HBBoooott MMuullttii UUsseerr [[EEnntteerr]]@ @@@@@@@@@@
H||HH..HBBoooott [[SS]]iinnggllee UUsseerr| H @@@@@@@@@@ @@@@@@@@@@
H||HH..H[[EEsscc]]aappee ttoo llooaaddeerr pprroommpptt@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@
H||HH..HRReebboooott H|| H \\\\\\\\\\ //////////
H|| H|| H)))))))))))))))))))))))) ((((((((((((((((((((((
H||HOOppttiioonnss:: H|| H ////////// \\\\\\\\\\
H||HH..HK]]eerrnneell:: kkeerrnneell ((11 ooff 22))@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@
H||HH..HCCoonnffiigguurree BBoooott [[OO]]ppttiioonnss......@@@@@ @@@@@@@@@@
H|| H|| H@@@@@@@@@@ @@@@@@@@@@
H|| H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
H|| H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
H++=======================================H++=======================================
H nnggffiisshheerr''''
/bboooott//kkeerrnneell//ccaarrpp..kkoo ssiizzee 00xxee224488 aatt 00xx22448866000000 00\\
8++00xx1199ccdd1188\\
/bboooott//kkeerrnneell//iiff__bbrriiddggee..kkoo ssiizzee 00xxee44ee88 aatt 00xx22449955000000
looaaddiinngg rreeqquuiirreedd mmoodduullee ''bbrriiddggeessttpp''
/bboooott//kkeerrnneell//bbrriiddggeessttpp..kkoo ssiizzee 00xx66ccbb00 aatt 00xx2244aa44000000
l//iifssiissiizzee 00xxdd559900 aatt 00xx225522bb000000 00
/bboooott//kkeerrnneell//iiff__eenncc..kkoo ssiizzee 00xx33225500 aatt 00xx2244aabb000000
Boooottiinngg...... ell//ppfflloogg..kkoo ssiizzee 00xx22aabb88 aatt 00xx22552288000000
/bboooott//kkeerrnneell//iiff__ggrree..kkoo ssiizzee 00xx66ee3300 aatt 00xx2244aaff000000
Afterwards everything is printed normally:Code: [Select]
KDB: debugger backends: ddbpffssyynncc..kkoo ||
KDB: current backend: ddb
Copyright (c) 2013-2018 The HardenedBSD Project.
Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-RELEASE-p20-HBSD 07ef86ce9ca(stable/20.1) amd64
FreeBSD clang version 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)
VT(vga): resolution 640x480
...For now this is not a huge problem, but who knows. A future upgrade might need me to manually adjust the boot parameters. Does anyone have an idea why this screen is broken in the installed version, but not when booting then serial installer?
Of course I use 115200 baud (with picocom from Linux via a serial - USB adapter)
Pages: [1]