Messages - xPliZit_xs

#1
24.1, 24.4 Legacy Series / Re: fq_codel console flood
January 29, 2025, 01:54:27 AM
Hi all,

seeing this again with 24.7.12.

#2
24.7, 24.10 Series / Re: Traffic Shaper - Rule correct?
October 13, 2024, 02:44:52 AM
Your link to the shaper rules was pretty helpful to get mine sorted out! ;) ;)
Thanks!
#3
Hi,

How long until the fix will be available in OPNsense officially?

Thanks.
#4
Hi,

Just a heads-up, I am seeing the same issue.
After the update completed the symptom is no DNS resolution.

I have not had time to investigate more deeply yet... and rolled back to 24.1.10_8.
These are the DNS settings I am running on my system (pretty sure this has something to do with the issue; the setup below works with 24.1.10):

1. No DNS entries under System/Settings/General
2. Unbound disabled
3. AdGuard Home set as primary DNS and enabled, YAML set to listen on port 53

I am assuming that after the upgrade the system is missing the DNS entries, maybe due to the above setup...

Regards
#5
Quote from: Fenuxx on March 02, 2024, 12:25:41 AM
I think I may have found the cause of this, and that being setting the FQ-CoDel limit on the pipe too low, which, from the looks of it, the message it's spamming is (possibly) the number of packets it's unable to process because the queue is full.

Reading this document (posted elsewhere on the forum) https://datatracker.ietf.org/doc/html/rfc8290 showed me a number of the common recommendations are just, well, wrong.

FQ-CoDel quantum should be set at your WAN MTU (in my case, 1514 bytes)
FQ-CoDel limit doesn't really need to be messed with; this setting defines the maximum number of packets that CAN be queued.  The default is 10240.  Most recommendations are to drop this value significantly, thus causing the console flood messages.  For me, on my download pipe, I left this at the default of 10240.  For my upload pipe (with a max speed of 40Mbps) I halved it to 5120.  No real reason to, but my uploads will never saturate it.

Since changing these things, I have zero issues.  I can post my complete config if anyone's interested.
https://www.waveform.com/tools/bufferbloat?test-id=d11e32d1-02df-45d8-b5e9-2628fbbcd78c


I would like to see your pipe configs.
Thank you.

#6
24.1, 24.4 Legacy Series / Re: fq_codel console flood
February 24, 2024, 03:14:19 AM
Got some anecdotal evidence on my system for a similar issue; I think the code displayed was different.

I had this happen only once after the upgrade from 23 to release 24.
What I did was revisit some of my shaper settings; in particular, under Pipes/Advanced I lowered my FQ-CoDel quantum from 2700 to 2400 for the download pipe. The upload pipe I did not change; it has the default value for that setting.
A bufferbloat benchmark with the 2700 setting behaved strangely performance-wise with release 24 (it was good on release 23), and after lowering the number the benchmark results were much better.
Since that time I have not seen the flooded message again.
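The two knobs the quoted post (#5) and the post above (#6) tune, FQ-CoDel quantum and limit, are deficit round robin (DRR) scheduler parameters. The following is an added example, not code from OPNsense, FreeBSD dummynet or any poster in this thread: a small DRR simulation in Python with two constructed flows (full-size 1514-byte frames and 60-byte packets) that shows what happens to the large-packet flow when the quantum is smaller than the frame size, plus the worst-case drain time of a queue filled to the limit from the quoted post (10240 packets on a 40 Mbps pipe). Flow names, packet sizes and round counts are assumptions for illustration.

```python
"""Deficit round robin as used by fq_codel, with the two knobs the thread
discusses: 'quantum' (bytes of credit each flow gets per round) and 'limit'
(maximum packets queued across all flows).  Added example, not OPNsense or
FreeBSD dummynet code; the flows and packet sizes below are constructed."""
from collections import deque
from dataclasses import dataclass
import math


@dataclass
class Flow:
    name: str
    pkts: deque        # queued packet sizes in bytes, head first
    deficit: int = 0   # DRR deficit counter (unspent credit)
    sent: int = 0      # bytes dequeued so far


def drr_rounds(flows, quantum, rounds):
    """Run `rounds` DRR rounds over `flows`, granting `quantum` bytes per round.

    A flow dequeues while its deficit covers the packet at the head of its
    queue; leftover deficit carries to the next round only while the flow
    still has packets (standard DRR rule).  Returns {flow name: bytes sent}.
    """
    for _ in range(rounds):
        for f in flows:
            if not f.pkts:
                f.deficit = 0          # idle flows do not bank credit
                continue
            f.deficit += quantum
            while f.pkts and f.pkts[0] <= f.deficit:
                size = f.pkts.popleft()
                f.deficit -= size
                f.sent += size
            if not f.pkts:
                f.deficit = 0
    return {f.name: f.sent for f in flows}


def rounds_to_send_full_packet(frame_bytes, quantum):
    """Rounds a flow must wait before one full-size frame can leave."""
    return math.ceil(frame_bytes / quantum)


def max_queue_delay_s(limit_pkts, pkt_bytes, bandwidth_mbps):
    """Worst-case time to drain a queue holding `limit_pkts` packets."""
    return limit_pkts * pkt_bytes * 8 / (bandwidth_mbps * 1e6)


def demo(quantum, rounds=10):
    """Constructed workload: a bulk flow of 1514-byte frames competing with
    a flow of 60-byte packets (think TCP ACKs or DNS)."""
    bulk = Flow("bulk", deque([1514] * 1000))
    acks = Flow("acks", deque([60] * 1000))
    return drr_rounds([bulk, acks], quantum, rounds)


if __name__ == "__main__":
    print("quantum=1514:", demo(1514))   # both flows get ~equal bytes
    print("quantum=300: ", demo(300))    # bulk flow starved
    print("rounds for a 1514-byte frame at quantum 300:",
          rounds_to_send_full_packet(1514, 300))
    print("drain time, limit 10240 x 1514 B at 40 Mbps: %.2f s"
          % max_queue_delay_s(10240, 1514, 40))
```

With the quantum equal to the frame size the two flows get roughly equal bytes per round; with a quantum of 300 the bulk flow has to bank deficit over six rounds before its first frame leaves, which is the imbalance the quoted post avoids by setting the quantum to the WAN MTU. The drain-time function shows why the default limit of 10240 is a large buffer: on a 40 Mbps pipe it is about 3.1 s of queued data, and it is CoDel's sojourn-time target, not this hard cap, that is meant to keep the queue short.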
#7
23.7 Legacy Series / Re: How do I fix a DNS leak?
September 15, 2023, 08:17:34 PM
Hi,

Not a 100% answer to your question, but more of an alternate solution for the scenario you have there.
Btw, I don't have DNS in Settings/General populated.

1. Enable Unbound
2. Forward DNS requests to your RPi by adding your RPi IP and port in the menu Unbound/Query Forwarding (a new port is needed since 53 is already used by Unbound, e.g. use 5353; the RPi needs to listen on that port also)
3. In the DHCP server you give out the IP of OPNsense as the LAN DNS (Unbound will send those requests to the RPi in your network automatically)
This way you should not have a leak and your Pi-hole with adblock is working; I don't know if you need the aforementioned firewall rules anyway.
#8
In my case, when OPNsense is using Unbound, DNS resolution works for WG clients.
But when OPNsense runs only AdGuard as the DNS server and Unbound is disabled, DNS resolution does not work for WG clients.
#9
Hi,

I have noticed an issue which I tried to describe below:

Scenario 1

WG client (Windows)
WG tunnel DNS setting points to local (LAN) DNS server address 10.1.1.10

OPNsense (10.1.1.10) is running Unbound

-> WG client has working DNS resolution


Scenario 2

WG client (Windows)
WG tunnel DNS setting points to local (LAN) DNS server address 10.1.1.10

OPNsense (10.1.1.10) has Unbound disabled; OPNsense is running AdGuard (enabled and set as primary DNS) as DNS server

-> WG client has no working DNS resolution

Scenario 3

WG client (Windows)
WG tunnel DNS setting points to local (LAN) DNS server address 10.1.1.18 (not on OPNsense)

OPNsense (10.1.1.10) has Unbound disabled; another machine (10.1.1.18) in the LAN has AdGuard running as DNS server

-> WG client has no working DNS resolution


What could be the issue here?

Thank you.

Br.
#10
I guess that answers my question. Thank you.
#11
Hi,

I guess you can just use the alternate-format list from the same site that works with Unbound.
https://oisd.nl/setup

NEW below (seems to work with Unbound):
https://big.oisd.nl/domainswild2 (domains wildcards, alternate syntax)

Regards.
#12
Hi,

I wanted to ask what exactly you get when enabling DNS over TLS/HTTPS on Unbound or AdGuard "without" using SSL certificates.
In AdGuard there is a section to add the certificates in order to enable "encryption".
OK!
But I am able to configure the local DNS server (Unbound or AdGuard) using, let's say, DNS over TLS.
Isn't that already "encryption" when using the TLS protocol? (I assume that the local DNS server establishes an encrypted (TLS) connection to the specified remote DNS provider, e.g. 9.9.9.9, and you are dependent on the DNS provider as to whether they honor privacy.)
Is this correct?
If you had SSL certificates on the local DNS server, that enables encryption also...
#13
23.7 Legacy Series / Re: [fib_algo] and (radix4_lockless)
September 03, 2023, 04:05:20 PM
Hi,

Just saw this for the first time, and so far only once.
Things I did recently:
Updated to the latest 23.7.3 a few days ago.
Added a WireGuard interface to the network interfaces and activated WireGuard.
I have WAN, LAN, OPT1 and WG1 network interfaces.

#14
Check with Xfinity or your cable modem's web interface whether your cable modem has bonded correctly with all 32 download channels.

I am running OPNsense on Proxmox with Xfinity gigabit service and have no issues with download or upload speed.
I do use 2.5 Gbit/s from the cable modem to a dual-channel 10 Gbit SFP card in Proxmox/OPNsense.
#15
The solution for B550 chipset and above systems is to disable HDA audio in the BIOS to avoid the kernel panic.