Messages

Schrieb ich doch: "beispielsweise auf der OpnSense selbst". Natürlich mache ich das so. In größeren Unternehmensnetzwerken kann das auch ein "echter" Zeitserver sein, der z.B. eine Funkuhr nutzt.

[die]

die Reihenfolge der NTP-Server

Was? Plural?

Ich glaube, Du machst da was falsch...

Klar nutzt man als Zeitquelle mehrere NTP-Server, falls welche nicht erreichbar sind oder vollkommenen Blödsinn liefern. Nur: das tut man irgendwo zentral - beispielsweise auf der OpnSense selbst unter "Services: Chrony: General" oder "Services: Network Time: General".

Per DHCP verteilt man dann die (eine!) IP des zentralen Zeitservers. Ich überlasse es doch nicht den Clients, sich jeweils aus einer Liste einen NTP-Server auszusuchen und damit potentiell unterschiedliche Auffassungen davon zu haben, wie spät es gerade ist. Dann kannst Du übrigens eine einzige IP für alle Subnetze verwenden, wenn Deine Firewall-Regeln der Zugriff auf Port 113 von jedem VLAN aus erlauben.

Manche gehen sogar so weit, per Port-Forwarding jeden ausgehenden Request auf Port 113 auf die OpnSense umzubiegen, um genau das zu verhindern, wenn ein Client sich die NTP-Server gar nicht per DHCP holt. Hinweis: Bei Dual-Stack muss man das aber auch für IPv6 tun und da funktioniert als Ziel weder ::1 noch eine Link-Local-Adresse.

Read #12 on why the "cheap X550" adapters are bad: They use the revision 1 of the chipset, which cannot do NBase-T. I know that the link you are pointing to says otherwise, but I am 99% sure that they do not know the difference or do not know that their X550 are in fact based on old batches or refurbished cards. From the looks of it, I would guess this is a chinese clone.

I fell for the same mistake. Like many people, I looked up the specs and never noticed that NBase-T support depends on firmware and chip revision with these adapters.

Also, X550 take 8 Watts for one port, up to 11 Watts for two. The AQC113C ist at ~3 Watts for one port. Also, it costs 63€ only and can work with PCIe 4.0 x1, where the X550 needs more more PCIe 3.0 lanes.

Wenn Du Subnetze aus 192.168.0.0/16 (CIDR-Notation für "Class B") nimmst, beachte folgendes: https://forum.opnsense.org/index.php?topic=47099

Ja, Du legst einfach Subnetze mit /24 an. Die Zuordnung erfolgt schlicht anhand der Subnetzdefinitionen der entsprechenden Interfaces, d.h. wenn Du 192.168.7.0/16 als Bereich definierst, würde dieser am Internet VLAN7 genutzt, wenn dort 192.168.7.1/24 (oder iregendeine andere IP aus dem Bereich) als Interface-Adresse eingestellt ist.

Choose your poison: https://docs.opnsense.org/manual/dhcp.html

The X710-T2 is still at ~235€. I think that is a little steep when a full mainboard costs less. The XG-C100C can be had for 63€ shipped.

Yes, I tried. But it actually is a catch-22: Without the driver (which does not load because of the PCI ID) you cannot use the flash tool. And you need the flash tool to change the PCI ID. The only way to make it work it to use the standalone UEFI flat tool aqflash.efi.

Aquantia themselves once had these tools, but they discontinued it. The only way to get them is from Asus, because they had these chips on some motherboards. But their site was down over the weekend.

After all, the AQC107 uses much more power than the newer AQC113C and I will get one this week...

See #14. I have contacted Asrock tech support about this, but for what I am reading about both B550 and X570, PCIe problems are reported all over the internet. Those chipsets are themselves problematic, as it seems.

Maybe it is time for a better system - this would involve buying DDR5, though. So, at current prices, I will make do with the new NIC first.

[gen: 3 speed: 8 GT/s lanes: 1]

Interesting, actually, the RTL8126 is a PCIe 3.0 card - and it runs like that on your board:

    v: 10.016.00 modules: r8169 pcie: gen: 3 speed: 8 GT/s lanes: 1 port: e000

So it seems the instability is with PCIe 3.0 as well with my X570 board.

I use apps and games that are only available on Windows. Besides, this is a hardware issue.

1. What was hacked seems to be your Windows 11 PC, not OpnSense. Why? Because it does not even make sense to install a .bat file there. Which hacker in his right mind would try to install a payload for a Windows PC on a FreeBSD box?

2. How do you know what the way of intrusion was? "Hacked through 2.4G wifi" can mean anything. I would argue that you surfed the wrong websites and the infection was via a browser exploit.

Nothing of this is inherently linked to OpnSense, so the thread title is misleading. Unless, of course, you expect OpnSense to protect your end devices from OSI layer 8 problems... ;-)

I think that is a misconception. Realtek advertises those AT variants as being either PCIe 4.0 x1 or PCIe 3.0 x2, but that is only to show its capability to support the full needed bandwitdh with PCIe 3.0 mainboards (provided that they have at least 2 free lanes).

Matter-of-fact, the cards will train at the highest speed they can find. That is just how PCIe works.

So, if you put them into a PCIe 4.0-capable system, they will use PCIe 4.0 x1, regardless. he only only you have on a PCIe 4.0-capable system is to limit the slot to PCIe 3.0 only. Givingg the card more lanes is not gonna cut it.

As it turns out, these Realtek adapters are on the edge of the PCIe 4.0 specification and the X570 chipset is known to be finicky as well. You may have better luck with other mainboard chipsets.

I am already on the second but last one and considering the risk for my system and the restoration time I would be looking at, I am not willing to take that risk any more.

Actually, I had quite a zoo of these adapters over time, which do not help my situation at all.
This is because the cabling in my flat is so bad that I need 5 Gbps NBase-T to work reliably.

I actually got two Intel adapters when they came out at half price - AFAIR, they were $800 each at regular price. Those were even full cards.

Then, I used X540. but those can do only 1/10 Gbps.

After that came a Buffalo LGY-PCI-MG, which is an AQC107. This never worked quite right. I also cannot load either newer Aqantia driver nor update the firmware, because Buffalo used an exotic PCI ID. It is a catch-22.

I also had an older ASUS XG-C100C with the AQC107.

Now I have a X550-T1, which I bought a few years ago, only to learn now that there are several variants (AT, AT2, BT2). I was able to flash to the newest firmware, but that does not help, because my specimen, like many other china ones, is a revision 1, which physically cannot do N-Base-T. With 10 Gbps, these things get so hot that they start to drop packets when the are under load and they take a boatload of power (~8 Watts). For NBase-T, you need both a revision 2 and current firmware.

My experiments with the newer Realteks RTL8126 and RTL8127 are now documented above. Maybe it would be wise to get an RTL8127AT, which can use more than one PCIe lane, but I think that in a PCIe 4.0 x4 slot, they will prefer PCIe 4.0 x1 over PCIe 3.0 x2 (they can do both) and cause the same problems.

And just now I have ordered a new Asus XG-C100C V3, which uses the AQC113C and finally should do the trick... mind you, that is only for Windows, not for FreeBSD, as it appears.

I do that primarily because of performance on all VMs, but it may help in high-load scenarios as well.