Messages - meyergru

#1
The setting alters the way the incoming packets (which are signaled via interrupts) are handled, namely directly or deferred, by putting them into a queue to handle multiple packets more efficiently in one go rather than immediately. There are some more tunables in net.isr to limit how long the queue can get, and others:

net.isr.numthreads
net.isr.maxprot
net.isr.defaultqlimit
net.isr.maxqlimit
net.isr.bindthreads
net.isr.maxthreads
net.isr.dispatch

See this discussion: https://github.com/opnsense/core/issues/5415 and many others about the necessity of this setting (i.e. either deferred or hybrid) for ppp-type links.

The general recommendation for PPPoE on WAN is to use:

net.isr.dispatch: deferred or hybrid
net.isr.maxthreads: -1
net.isr.bindthreads: 1

However, different NIC types also have different handling. Some NICs coalesce multiple packets into only one interrupt in hardware already, so a hardware switch can make things different.
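Added here as an example (not code from the post or from OPNsense): a small Python audit that parses the output of FreeBSD's `sysctl net.isr` and reports which of the three PPPoE recommendations above are not met. The sample sysctl output is constructed to look like an untuned box; the live probe only does anything where FreeBSD's sysctl exists and otherwise falls back to the sample.

```python
"""Audit FreeBSD net.isr tunables against the PPPoE recommendation above.

Added example, not code from the post or from OPNsense. The recommended
values (dispatch deferred/hybrid, maxthreads -1, bindthreads 1) are the
ones given in the post; the sample output below is constructed.
"""
import shutil
import subprocess

# Recommended values for PPPoE on WAN, taken from the post.
RECOMMENDED_PPPOE = {
    "net.isr.dispatch": {"deferred", "hybrid"},
    "net.isr.maxthreads": {"-1"},
    "net.isr.bindthreads": {"1"},
}

# Constructed sample of `sysctl net.isr` output from an untuned system.
SAMPLE_SYSCTL_OUTPUT = """\
net.isr.dispatch: direct
net.isr.numthreads: 1
net.isr.maxprot: 16
net.isr.defaultqlimit: 256
net.isr.maxqlimit: 10240
net.isr.bindthreads: 0
net.isr.maxthreads: 1
"""


def parse_sysctl(text):
    """Turn 'name: value' lines into a dict; blank or malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def audit_isr(settings, recommended=RECOMMENDED_PPPOE):
    """Return (name, current, accepted_values) for every tunable that deviates.

    A tunable that is missing from `settings` is reported with current=None.
    """
    findings = []
    for name, accepted in recommended.items():
        current = settings.get(name)
        if current not in accepted:
            findings.append((name, current, sorted(accepted)))
    return findings


def audit_live():
    """Run the real `sysctl net.isr` if available (FreeBSD); otherwise None."""
    if shutil.which("sysctl") is None:
        return None
    proc = subprocess.run(["sysctl", "net.isr"], capture_output=True,
                          text=True, check=False)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return audit_isr(parse_sysctl(proc.stdout))


if __name__ == "__main__":
    findings = audit_live()
    if findings is None:
        print("no usable net.isr sysctl here; auditing the constructed sample")
        findings = audit_isr(parse_sysctl(SAMPLE_SYSCTL_OUTPUT))
    for name, current, accepted in findings:
        print(f"{name}: is {current!r}, recommended one of {accepted}")
    if not findings:
        print("net.isr matches the PPPoE recommendation")
```

On an OPNsense box the script reads the live values; anywhere else it shows the three deviations of the constructed sample, which is the typical starting point before the tunables are applied.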
#2
With MAC addresses, dynamic IPv6 aliases can also turn out differently.

#3
What do you mean by "pointed at the OPNsense"? The problem with modern browsers is that they do not use the system DNS, but DoH, thus circumventing your Unbound instance.

You cannot even divert DoH by NAT, only block it. Essentially, to prevent DNS leaks completely (well, not really), you need to block DoT, block DoH to known DoH IPs only (because otherwise, you block any https traffic) and use a NAT rule to divert port 53 to your local Unbound (with some caveats).
#4
German - Deutsch / Re: Switching from ISC to KEA DHCP
December 14, 2025, 01:51:57 AM
Quote from: Patrick M. Hausen on December 13, 2025, 08:56:04 PM: And I am not alone in that ;-)

Right. I think that, regardless of Kea vs. DNSmasq, the main problem with DHCPv6 and dynamic addresses is in any case that DHCP is a pull approach: until the client asks on its own, it does not get a new IPv6 address, even if it would need one because the prefix has changed. Until the lease expires, it is offline.

That is why I rely on SLAAC in the IPv6 HOWTO, where the new prefix is pushed as soon as it changes.

#5
Virtual private networks / Re: WireGuard Exporter Tool
December 12, 2025, 04:24:42 PM
That is the whole point here:

1. The best / most secure way to do it is to create a client configuration on the client itself. You need the server ip, port, public key and optionally, the shared secret for that. Then you would have to import the client's public key into the server and use that as the key (not the other way around). If you do that, the peer generator does not help, either way.

2. If you trust OpnSense to create a private key, you can use the peer generator and import the generated secrets - including the private key - into your client. That works best with the QR code, which you can directly scan from the screen if your device supports it. You can also copy & paste the text and transfer it some other way to your client. However, since you probably lack a secure way to do that, it is debatable if you should. If there were a way to download the config directly, many people would not notice what security problem they are about to create just now.

3. Lastly, if you want to use the peer generator regardless - do not complain that you cannot export the client configuration after the fact. Actually, it is a sign of security that the client's private key is not stored on the server. Also, if you need to export the peer config later on, you can always delete that peer configuration and create a new config with a new key instead - it will work just as well and nobody has the old key, anyway - this being the very reason why you need that config again.
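Added example (not the post's code, nor OPNsense's or WireGuard's) showing option 1 from the post end to end: the client generates its own keypair, only the public key goes into the server's [Peer] entry, and the client config is assembled from the server's public key, endpoint and port. X25519 is implemented here from RFC 7748 so the script runs offline without the wg tool; the endpoint, tunnel addresses and key material are constructed for the demo, and in practice you would use `wg genkey` / `wg pubkey` on the client instead of this pure-Python curve arithmetic.

```python
"""Client-side WireGuard key generation (option 1 in the post above).

Added example, not code from the post, OPNsense or WireGuard. X25519 follows
RFC 7748 section 5 so no third-party library is needed; endpoint, addresses
and keys below are constructed for the demo.
"""
import base64
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar):
    """RFC 7748 decodeScalar25519: clear low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, point):
    """Montgomery ladder exactly as in RFC 7748 section 5; returns 32 bytes."""
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair(private=None):
    """Return (private, public) as the base64 strings WireGuard configs use."""
    private = private or os.urandom(32)
    public = x25519(private, BASE_POINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def server_peer_block(client_public, client_tunnel_ip):
    """The [Peer] entry the admin adds on the server: only the client's public key."""
    return f"[Peer]\nPublicKey = {client_public}\nAllowedIPs = {client_tunnel_ip}/32\n"


def client_config(client_private, client_tunnel_ip, server_public, endpoint,
                  allowed_ips="0.0.0.0/0"):
    """The config that stays on the client; its private key never leaves the device."""
    return (f"[Interface]\nPrivateKey = {client_private}\nAddress = {client_tunnel_ip}/32\n\n"
            f"[Peer]\nPublicKey = {server_public}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {allowed_ips}\n")


def shared_secret(private_b64, peer_public_b64):
    """X25519 DH value both sides derive; the handshake builds on it."""
    return x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))


if __name__ == "__main__":
    srv_priv, srv_pub = generate_keypair()   # lives only on the OPNsense box
    cli_priv, cli_pub = generate_keypair()   # generated on the client itself
    print(server_peer_block(cli_pub, "10.10.0.2"))            # what the admin pastes into the server
    print(client_config(cli_priv, "10.10.0.2", srv_pub,
                        "vpn.example.invalid:51820"))         # constructed endpoint
    assert shared_secret(cli_priv, srv_pub) == shared_secret(srv_priv, cli_pub)
```

The point of splitting the two render functions is that the server-side artifact can be written without ever seeing the client's private key, which is exactly why it cannot be exported from the server later.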
#6
You are theoretically correct, alas, it suffices to have "some" sites checking with the same DNS entries that the ads use and making those fail.

And by using a PC blocker, the user can always selectively disable the blocker for sites that do not work and that he needs to work (even with ads) - this granular control is what you miss by using a DNS blocker on your firewall.

On Youtube, not only are no ads showing up on the page - the videos are not interrupted by ads, either.
#7
German - Deutsch / Re: 10G hardware recommendations
December 11, 2025, 09:59:17 PM
There are a few things to keep in mind with the Alder Lake systems; they are described here under item 23. The tunables in the post linked there are especially important.

Beyond that, there are often two more problems:

1. The build quality is often not the best, because the CPU does not sit well against the case or the thermal paste is badly applied.
Besides, a passively cooled N3xx would probably be overkill, especially when the waste heat from the 10G ports is added on top.

2. The manufacturers (including CWWK) usually run the Nxxx CPUs at the upper limit of their possible TDP, for example the N100 at 25 watts instead of 6 W, and often enough you cannot easily get at these settings in the BIOS.

I have told all of this here before - but yours has a fan, so it does not weigh so heavily.
#8
By using a mechanism that "always" blocks known ad-distributing sites, you will automatically trigger blocks on sites that rely on such ads. The only way of having the best of both worlds is to use ad-blocking mechanisms that fake the ads being displayed. Such mechanisms are available for many browsers; think of uBlock Origin.

A prominent example of a site that does not tolerate ad-blocking is Youtube.

On devices where those tools are not available, you can still use DNS-based ad blockers, e.g. by identifying your smartphones and using AdGuard DNS rules only for those devices.
#9
I did not see that one coming, nice one, Cedrik! There goes your next USA trip... ;-)
#10
This is a tutorial topic. For an individual setup, please start a new thread.
#11
German - Deutsch / Re: Network/rules rework
December 10, 2025, 02:24:54 AM
At least that is traffic which passes through the OpnSense. It can happen that packets arrive in the wrong state and get blocked, e.g. when TCP connections go stale.
#12
Yup, as I said, the moment you connect via HTTP/2 to Zoraxy with OpnSense as the backend, it does not work any more.

There must be something that is special on the backend when that happens which OpnSense does not like. However, I have found no way of setting or deleting HTTP headers on the frontend, nor could I find a setting within Zoraxy to change it. I used many combinations of advanced settings, like deleting headers that pertain to HTTP/2, to no avail.

The only approach I can think of is to dump all request data on the HTTPS backend - but that is not easy, since you cannot easily use tcpdump for that, you will need to have the web server (or Zoraxy as the client) do it. Zoraxy itself is relatively fresh - there is a bug open for this problem and there are no means to log requests, either (that is a feature request).
#13
German - Deutsch / Re: Network/rules rework
December 09, 2025, 09:10:36 PM
That does look strange, though, because the two IPs are presumably in the same subnet 10.20.1.0/24 and apparently also on the same interface. I also assume that the interface group local_vlans contains vlan20. In that case, however, this traffic should not pass through the OpnSense at all.

But you wrote something about a /16 at the beginning; that does not quite fit.
#14
Only a minor observation, but I could access at least the / URI with curl - IFF I call "curl -vk --http1.1". You cannot try this on any modern browser, since you cannot force HTTP/1.1 any more with TLS/ALPN.

Also, I tried modifying HTTP headers to no avail. There seems to be something way off with the way Zoraxy translates frontend calls to backend. Other reverse proxies do this just fine, like HAproxy or Caddy.
#15
You do not have to set an upstream DNS server for Unbound at all, because it can resolve on its own.

Try leaving the DNS servers empty in System:Settings:General and uncheck both "DNS server options" on that page.