Messages - grind

#1
Quote from: franco on June 13, 2025, 07:30:53 AM: "I'm still waiting on a word if they copied it from another BSD? ;)"
strings if_pppoe.ko and googling the messages give a hint ;)
#2
I agree with these widespread MS AD setups, but: MS considers on-prem AD legacy and urges people to get rid of it and move to Entra ID. So in the next years this scenario is going away and businesses need an answer for that. While dynamic registration is not that relevant in normal usage, it is when debugging. In the Entra ID case the hostname is well defined, because the device is managed by Intune, so the admin can see the proper reverse DNS name while running e.g. a tcpdump. Depending on the size of the business there are various options, commercial ones like FortiGate or UniFi, or open-source solutions with optional commercial support like OPNsense. I'm sure that OPNsense is considered often, but if the setup is not so straightforward anymore, it could be that an admin who isn't as much "in the game" as many users here will consider another solution which "just works".

Regarding dnsmasq: dnsmasq is IMHO fine when there is no need for a real recursive DNS server. But many people run unbound for various reasons and do not want to use an upstream recursive DNS. Now there are 2 options: either bind unbound or dnsmasq to port 53 and forward either everything or just specific zones, depending on which server is running on 53. Both work, but both have their caveats and are more a workaround than a proper solution.

The ISC solution with the script that feeds unbound with the dynamic leases has been a proper solution for the last years. It just worked; there haven't been many complaints. So why reinvent the wheel here when we could just do the same with KEA?
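To make the "one of them on port 53, forward specific zones" variant from the post above concrete, here is an added configuration example. It is not from the thread and not OPNsense's generated configuration: unbound keeps port 53 and does full recursion, dnsmasq serves only the DHCP-derived names on 127.0.0.1:5353, and unbound forwards the local forward and reverse zones to it. The zone name lan., the port 5353, the 192.168.0.0/16 reverse zone and the two file paths are assumptions.

```conf
# --- dnsmasq side (assumed drop-in path on OPNsense: /usr/local/etc/dnsmasq.conf.d/local.conf) ---
port=5353                 # stay off port 53; unbound owns it
listen-address=127.0.0.1  # only unbound talks to dnsmasq
bind-interfaces
domain=lan                # DHCP client hostnames become <host>.lan (assumed zone)
local=/lan/               # answer lan. authoritatively, never forward it
no-resolv                 # dnsmasq must not recurse; that is unbound's job
# DHCP ranges come from the OPNsense GUI; a minimal one for reference only:
# dhcp-range=192.168.1.100,192.168.1.200,12h

# --- unbound side (assumed drop-in path: /usr/local/etc/unbound.opnsense.d/dnsmasq.conf) ---
server:
  # unbound refuses to query 127.0.0.1 by default; the forward below needs this
  do-not-query-localhost: no
  # lan. is an unsigned private zone: skip DNSSEC validation for it and let
  # RFC 1918 answers through rebinding protection
  domain-insecure: "lan."
  private-domain: "lan."
  # unbound ships 168.192.in-addr.arpa. as a built-in empty zone;
  # disable that so reverse lookups actually reach dnsmasq
  local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
  name: "lan."
  forward-addr: 127.0.0.1@5353

forward-zone:
  name: "168.192.in-addr.arpa."
  forward-addr: 127.0.0.1@5353
```

A quick check after reloading both services is `drill host.lan @127.0.0.1` (should return the DHCP address via unbound) and `drill host.lan @127.0.0.1 -p 5353` (dnsmasq directly). The caveat from the post stands: there are now two caches and two places to debug, and a lease that changes before unbound's cached answer expires is served stale until the TTL runs out.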


#3
There have already been efforts to have dynamic registration in unbound for KEA DHCP leases: https://github.com/opnsense/core/issues/7475

Unfortunately opnsense has closed this without any reason. Maybe the opnsense team can think again about this, because this whole KEA/dnsmasq/ISC situation is kind of frustrating and introduces more confusion than clarification both for long time and new users. IMO the standard should be KEA as the ISC successor, including dynamic host registration and dnsmasq should be optional as it always was.
#4
Quote from: grind on May 24, 2025, 12:12:42 AM: "How can I trigger the WAN DHCP 'reload' from the CLI?"
configctl interface reconfigure wan does the trick.
#5
Just seen, that there already have been 3rd party efforts, but as the issue is closed with state "unplanned" it seems that the opnsense team has no interest in implementing it: https://github.com/opnsense/core/issues/7475
So I'll stick with ISC as long as it stays available as a plugin and hope that the opnsense team will decide to add dynamic lease registration to opnsense at some point.
#6
Quote from: MildDisaster on May 24, 2025, 05:57:09 PM: "I believe KEA has dns registration for static hosts now?"
Static wouldn't be my problem, I also could add them to unbound manually. I meant dynamic leases.
#7
Quote from: Monviech (Cedrik) on May 24, 2025, 08:57:35 AM: "You can stick with KEA if you don't need any of the dnsmasq features."
I've seen that the competition released a new version that has KEA with hostname registration in unbound. Is that also planned for opnsense? I ask because it feels wrong to have 2 DNS servers running at the same time just for DHCP hostname registration, which would be the case with dnsmasq.
#8
General Discussion / Re: Current Best Practices
May 24, 2025, 12:05:02 PM
Quote from: Patrick M. Hausen on May 24, 2025, 11:58:22 AM: "Laptops and mobile devices - why bother naming them at all?"
Because it's easier to debug. If I see "Foo's iPhone" in the tcpdump, I directly know what device it is. If I just see an ip address, I have to grep in the dhcp leases, what device it is.
#9
It has nothing to do with disk. It's part of iflib(4): https://man.freebsd.org/cgi/man.cgi?query=iflib&sektion=4&manpath=freebsd-release-ports
It's probably a driver/firmware issue, as already stated. I'd install Linux on the box and virtualize opnsense with KVM. If it runs well then, it's a driver issue.
#10
Hi,

when I want to acquire a different WAN IP, my ISP requires a DHCPRELEASE packet. If there is none, I always get the same IP address.
Unfortunately, FreeBSD's early fork of OpenBSD's dhclient implementation doesn't have the '-r' option for that. So I installed isc-dhclient via FreeBSD package. I just need it to send that packet. Now I made the following shell script:

#!/bin/sh
# Stop the running dhclient, then use the ISC dhclient (FreeBSD package) only to send a DHCPRELEASE for vtnet3
killall -9 dhclient
/usr/local/sbin/dhclient -4 -d -r vtnet3 -lf /var/db/dhclient.leases.vtnet3 -cf /var/etc/dhclient_wan.conf -sf /usr/local/sbin/dhclient-script
# Drop the old lease file so the next dhclient run does not ask for the released address again
rm -f /var/db/dhclient.leases.vtnet3


After that, I click on "reload" at the opnsense Interfaces:Overview page.
My question is if it's possible to execute a custom script when clicking on the "reload" button. If that's not possible: How can I trigger the WAN DHCP "reload" from the CLI? Then I would just add that to my shell script.


The best would IMHO be to have this directly implemented in opnsense. After searching for it, I've seen that there already was a PR for that, but it never got implemented: https://github.com/opnsense/core/pull/3275
So I guess this is not wanted.
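Putting the release script above together with the CLI trigger given in post #4 (`configctl interface reconfigure wan`), here is an added example script that is not grind's own script from the thread. Besides sending the DHCPRELEASE and reloading the WAN, it records the address before and after and waits for a different one, so the script reports whether the ISP actually handed out a new lease. The interface name vtnet3, the ISC dhclient path /usr/local/sbin/dhclient, the dhclient_wan.conf path and the 30 second timeout are assumptions.

```shell
#!/bin/sh
# Added example: release the WAN lease with ISC dhclient, trigger OPNsense's WAN
# reconfigure from the CLI and verify that the address really changed.
# Assumed: WAN interface vtnet3 (override with WAN_IF=...), ISC dhclient from
# the FreeBSD package in /usr/local/sbin, OPNsense's /var/etc/dhclient_wan.conf.
WAN_IF="${WAN_IF:-vtnet3}"
LEASE_FILE="/var/db/dhclient.leases.${WAN_IF}"

# Print the first IPv4 address found in ifconfig output read from stdin.
parse_inet4() {
    awk '$1 == "inet" { print $2; exit }'
}

current_wan_addr() {
    ifconfig "$WAN_IF" | parse_inet4
}

release_lease() {
    # Stop the running dhclient, then send a DHCPRELEASE with ISC dhclient (-r),
    # then drop the lease file so the next run does not request the old address.
    killall -9 dhclient 2>/dev/null || true
    /usr/local/sbin/dhclient -4 -d -r "$WAN_IF" -lf "$LEASE_FILE" \
        -cf /var/etc/dhclient_wan.conf -sf /usr/local/sbin/dhclient-script
    rm -f "$LEASE_FILE"
}

renew_wan() {
    # Same effect as the "reload" button on Interfaces: Overview (post #4)
    /usr/local/sbin/configctl interface reconfigure wan
}

# Wait up to $1 seconds for a WAN address different from $2; print the new one.
# Returns 1 if the address is still the same when the timeout expires.
wait_for_new_addr() {
    n=0
    while [ "$n" -lt "$1" ]; do
        addr="$(current_wan_addr)"
        if [ -n "$addr" ] && [ "$addr" != "$2" ]; then
            echo "$addr"
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

main() {
    old="$(current_wan_addr)"
    release_lease
    renew_wan
    if new="$(wait_for_new_addr 30 "$old")"; then
        echo "WAN address changed: ${old:-none} -> $new"
    else
        echo "WAN address still ${old:-none} after 30s; the ISP re-issued the old lease" >&2
        exit 1
    fi
}

# Only act when invoked as "script.sh run", so the functions can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Run it as root with `sh wan-release.sh run`; a non-zero exit means the release did not lead to a new address, which is exactly the symptom described above when the DHCPRELEASE never goes out.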
#11
Hi Kju,

I have exactly the same problem (also with a FRITZ!Box in between) and back then I also built myself a similar script, which at some point stopped working (probably because of configctl); then I lost interest and disabled v6 again. But since I no longer want to do without v6, I searched and found this thread. Do you still run your script this way with the latest opnsense version, or have you changed something?
Edit: Seems to work :)

Here is my old script:

#!/bin/sh
# Detect a change of the WAN IPv6 address (ISP prefix starting with 2003)
# and reconfigure the interfaces and DNS when it changes.
wan_ip="$(ifconfig igb0 | grep inet6 | grep 2003 | grep -v deprecated | awk '{print $2}')"
lan_ip="$(ifconfig igb1 | grep inet6 | grep 2003 | grep -v deprecated | awk '{print $2}')"

# Create the state file with the current address if it does not exist yet
if [ ! -f /tmp/v6addr ]; then
    ifconfig igb0 | grep inet6 | grep 2003 | grep -v deprecated | awk '{print $2}' > /tmp/v6addr
fi

old_ip="$(cat /tmp/v6addr)"

# Quote the variables so an empty value does not break the tests below
[ -z "$old_ip" ] && old_ip="-"

if [ "$wan_ip" != "$old_ip" ]; then
    echo "ip changed!!" >> /tmp/v6addr.log
    # Reconfigure, store the new address, then restart DNS so unbound picks it up
    /usr/local/sbin/configctl interface reconfigure && ifconfig igb0 | grep inet6 | grep 2003 | grep -v deprecated | awk '{print $2}' > /tmp/v6addr && sleep 3 && pkill -9 unbound && pluginctl dns
else
    echo "ip did not change" >> /tmp/v6addr.log
    exit 0
fi
#12
Ok, will open an issue :)
#13
I know it is against the RFCs, but radvd itself allows not advertising DNS servers. There can be some conditions where such behaviour is desired. I just found out that pfsense already implemented this:
https://redmine.pfsense.org/issues/9302
https://github.com/pfsense/pfsense/commit/e26ad76e8fd9b947f2ad97195d2153da14d8c594

It would be great to have this in opnsense as well!
If you do not plan to add that feature: Is it possible to maintain a self-written radvd.conf without getting it overwritten by the system?