Messages

+1

Without the DNS option in the config file, WireGuard will not touch your DNS settings. So in your case, it will continue to use your local DNS server which does not know about your home network names.

I need to react to both these events.

Why? Maybe we can help you better if you tell us why that should matter.


IMHO a changing PE IPv6 should never matter. And AFIK, OPNsense does not get a PE IPv6 on the WAN interface, even when SLAAC is used.

I am not quiet sure if I understand what you iperf or why you even have UDM and OPNsense. I would go with either one of them.
I also don't quiet get you setup or network topology, nor what speed exactly is your problem. And I can't give you good advise on why your Minisforum performs that bad. So I can just give you some general advise that applies to anyone. Maybe that helps.

- iperf3 is by default single core. Look into the multithread option
- make sure you have power savings disabled. I had mine on hiadaptive, got 5GB/s for the first thest, and when I ran the second test shortly after, I got my 9GBit/s because the CPU could not enter power saving yet. Disabling PowerD got me always 9GBit/s.
- Even my old 4-core i3-8100 is fast enough for 9GBit/s. But I don't run Zenarmor or Suricata, only Crowdsec.

While I agree that empty RAM == wasted RAM, OP is asking about the increased RAM usage.
And since ARC is only the small, green part of that picture, my guess is he/she is not asking about the increased ARC usage, but the RAM usage.

And since OP is asking why the RAM usage got smaller, I would guess either something got better (IDK blocklist of unbound compressed or something like that?) or he/she changed something in the settings.

Might be a naive question and I am not an IPv6 expert, but why use ULA at all and bother with NAT66?

Why not use either LL because it does not have to be routed, or use GUA and block the static prefix you got to block inter VLAN communication?

my bad, I just assumed OP is only using RA

True. But I assume that the clients only get link lokal from RA?

Link local IPv6s fe80::/64 don't need blocking, since they won't be routed anyway.


However, I did add my static /48 prefix I got from my ISP to my "local Network" alias, so that traffic to other VLANs is blocked.

Als "Fritzbox Umsteiger" habe ich so meine Probleme mit KEA. OK statische IPs bei unbound eintragen geht ist aber mühsam.

Brauchst du aber auch nicht unbedingt, ausser für overrides. Du kannst ja die Geräte auch per domain name erreichen z.B.   hostnameBackofen.home.arpa

Die Lease Liste zeigt den Rest an aber host name ändern geht nur wenn ich reserviere.

Natürlich. Siehe weiter unten.

Wieso sind in der Lease DHCPV4 zwei Einträge ohne Mac Adr. und Lease time 86400?

Das kann ich dir leider nicht sagen, vielleicht reserviert und darum in den leases weg, oder einfach nur ein bug? 86400 ist einfach die default lease Gültigkeit.

Wieso kann man aus Lease List nichts rauslöschen oder sehe ich das nur nicht?

ICE hat das gemacht, war aber eigentlich schon immer doof.
Nehmen wir an dein iPhone bekommt den lease 192.168.1.100.
Nun setzt reservierst du die IP auf 192.168.1.2.
Du löscht den lease in ICE. Nun sieht es auf der webGUI aus, als ob ein iPhone mit 100 nicht existiert und du eine offline Reservation auf 2 hast. Erst wenn der lease abläuft und das Gerät nach einem neuen lease gefragt hat, bekommt es 2 und es entspricht tatsächlich wieder der Realität.

KEA lässt dich also nicht löschen, sobald dein iPhone aber nach einen lease gefragt hat und die 2 bekommen hat, wird die 100 gelöscht.

I think I had the same issue, despite me not even running monit.


I can't finde anything in the logs.

I could not let it be and migrated to KEA, by disabling ICE.

There is at least for the static leases the option to export a csv and reimport it into KEA.

Ahh cheers, I did not know that. Did I overlook that in the docs? I left it enabled for the other vlan interfaces, and tried to enable it only for VLAN60.

I think I am gonna postpone my migration and hope for some kind of migration path tool, like with the new firewall rules.

For whatever reason, I can't get my VM to get any IP. Neither for KEA nor dnsmasq. Works fine with ISC.

For Kea I did:
Subnet: 10.0.60.0/24
Pools: 10.0.60.2-10.0.60.200
Interface is listening on vlan60.
Service is running, restart does nothing, no errors in logs.

For dnsmasq, I can get the service is running, but as soon as I try to add the DHCP range onto the VLAN60 interface by using start 10.0.60.2 and end 10.0.60.200, the service crashes with no logs.

If you get a static /48 from your ISP why don't you configure all internal interfaces statically?

You severely underestimate my laziness! :) /s

But you are right, I could set them statically. Even when I move eventually, my ISP let me keep my static prefix if I ask for it.


How about the other two points?

- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC

I like to follow defaults, so I should probably use radvd and not RA form dnsmasq, right?

No. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.

Ahhh that makes sense. Cheers for that.

Humble brag: My ISP is not an idiot and sticks with RIPE recommendations, so I get a static /48 prefix.
DHCPv6 I don't need.
So I could switch to Identity Association for the interfaces, KEA for DHCPv4 and RA for stateless SLAAC, I guess?

But since the DNS registration is not supported by KEA, I should go with dnsmasq, if I want the same as with ICE?

For that I would have to:
- change the interface to Identity Association
- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC