Messages - 9axqe

#1
25.7 Series / Re: ISC➞Kea migration lesson learned
September 11, 2025, 09:41:37 PM
Oh, I absolutely do not need it. I probably enabled this while trying to troubleshoot some ARP issue in the past and forgot to disable it again afterwards.

The fact that the ISC setting a/ remains active after ISC has been disabled (which is documented) and b/ has a totally different impact when Kea is used instead of ISC is what threw me off. Just wanted to share this.
#2
25.7 Series / ISC➞Kea migration lesson learned
September 11, 2025, 03:34:33 PM
Just posting this here in case it's helpful for anyone. I just spent 2 frustrating hours because of this.

I had "enable static ARP entries" enabled in the ISC settings, dynamic ARP entries were working fine, all good.

Then I disabled ISC.

First gotcha: you can't do this per interface, you have to disable ISC on all interfaces.

Second gotcha: After migrating to Kea, dynamic ARP entries became impossible, only static was possible, which basically breaks all IPv4 connectivity.

It is visible using "ifconfig <interface>": it returns "STATICARP" in the list of flags. For example:

flags=1088843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP,LOWER_UP> metric 0 mtu 1500
It took me a while to figure this out; for a while I suspected some firewall alias was not being updated. Disabling the setting in the GUI under ISC IPv4 was also not sufficient, I had to enter "ifconfig <intf> -staticarp" to get rid of it. Connectivity was instantly reestablished.

Just putting this out there, for anyone researching how to migrate to ISC.

I still do not fully understand how this "enable static ARP entries" setting works and why it has a different effect if ISC is disabled.
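The check described in the post, as an added example that is not part of the original post or of OPNsense: it reads ifconfig output, tests for the STATICARP flag both by name and by the corresponding bit of the flags word, and only then runs the "ifconfig <intf> -staticarp" fix. ifconfig(8) and its -staticarp option are real FreeBSD/OPNsense features; the interface name igc1 and the two sample outputs are constructed for the example (the first one reuses the flags line quoted above).

```shell
#!/bin/sh
# Added example (not from the original post): detect a lingering STATICARP
# flag on an interface and clear it only when it is actually set.

# FreeBSD net/if.h: IFF_STATICARP is bit 0x80000 of the interface flags word.
IFF_STATICARP=$((0x80000))

# Constructed sample: the interface with the flag set. The flags line is the
# one quoted in the post; igc1 and the address are made up for the example.
SAMPLE_STATICARP='igc1: flags=1088843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP,LOWER_UP> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed sample: the same interface after "ifconfig igc1 -staticarp".
# 0x1088843 - 0x80000 = 0x1008843, so the hex word and the name list agree.
SAMPLE_NORMAL='igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# has_staticarp_name: read ifconfig output on stdin; succeed (exit 0) if
# STATICARP appears as a whole token inside the <...> flag list.
has_staticarp_name() {
    grep -qE 'flags=[0-9a-f]+<([A-Z0-9_]+,)*STATICARP(,[A-Z0-9_]+)*>'
}

# has_staticarp_bit: the same test done on the hexadecimal flags word, so the
# two functions cross-check each other (useful if a flag name ever changes).
has_staticarp_bit() {
    hex=$(sed -n 's/.*flags=\([0-9a-f]*\)<.*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    [ $(( 0x$hex & IFF_STATICARP )) -ne 0 ]
}

# fix_staticarp IFACE [apply]: query the live interface and clear the flag if
# it is set. Without the second argument it only reports what it would do.
# Returns 0 when the flag was found (and reported or cleared), 1 otherwise.
fix_staticarp() {
    iface=$1
    mode=${2:-report}
    if ifconfig "$iface" 2>/dev/null | has_staticarp_name; then
        if [ "$mode" = apply ]; then
            ifconfig "$iface" -staticarp && echo "$iface: STATICARP cleared"
        else
            echo "$iface: STATICARP set; run: ifconfig $iface -staticarp"
        fi
        return 0
    fi
    echo "$iface: STATICARP not set"
    return 1
}

# Stand-alone demonstration on the constructed samples (no root needed).
printf '%s\n' "$SAMPLE_STATICARP" | has_staticarp_name && echo "sample 1: STATICARP set"
printf '%s\n' "$SAMPLE_NORMAL" | has_staticarp_name || echo "sample 2: STATICARP not set"
```

Run "fix_staticarp igc1" first to see the verdict for a real interface, then "fix_staticarp igc1 apply" (as root) to clear the flag. Clearing it with ifconfig is a runtime change only: as the post notes, the GUI setting under the ISC page is what put it there, so disable that as well or the flag can come back the next time the interface is reconfigured.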
#3
Thanks for that, I also felt it was surprisingly difficult.

So far these are my initial candidates (only the last 2 are FOSS):
  • Splunk Enterprise Free License – I struggle to understand if this will support netflow or not, as "Splunk Stream" seems to be additionally required to ingest it.
  • ElastiFlow – the free tier supports up to 25 netflow sources, that would be enough in my case.
  • openobserve + goflow2
  • Akvorado
#4
Ah, that's netflow, good to know, thanks. Yes, actually, I am investigating what options exist to outsource netflow. If you have FOSS recommendations, I am interested.
#5
"flowd_aggregate.py" is also the biggest CPU consumer in my case; it was just already like that before the upgrade.

I can't make out if it's flowd_aggregate.py which is now consuming even more CPU or if it's something else that went up. For example, I have 3 "php-cgi" processes regularly at the top of the processes consuming CPU. Unbound's logger.py also seems to consume some CPU.

Overall htop doesn't allow me to find a clear culprit, everything goes up and down.
#6
I have noticed a significant CPU consumption rise in 25.7.

I already had such an increase back with 24.7.11 (it never went back down); it worries me a bit in the long term, the DEC695 is now reaching 50% CPU usage on a regular basis with less than 1 Mbps of traffic going over it.

Just putting this out there to hear if anyone has seen a similar increase.
#7
When the server reboots, time is kept, but on a power outage (5 min), it loses time.

This is problematic for me because I have DNS over HTTPS set up, and when the router boots up thinking it's 2022 instead of 2025, all TLS handshakes fail, hence no DNS. And because NTP tries to reach "de.pool.org", it needs DNS. Catch-22.

I have added a couple of IPs to my NTP servers to prevent this from happening again, but I feel the router shouldn't lose the time within 5 min; some battery is empty or defective.

Is this issue expected and if not, is there a guide on how to replace the defective battery?
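The catch-22 in the post (wrong clock, so TLS and therefore DoH fail, so the NTP pool name cannot be resolved) can be checked for before it bites. The following is an added example, not from the original post or from OPNsense: a small boot-time sanity check that flags a clock reset and tells you whether the NTP server list contains at least one literal IP that ntpd can reach without DNS. The server lists, the minimum plausible year (2025) and the addresses are assumptions constructed for the example; on a real box you would feed in the configured NTP servers.

```shell
#!/bin/sh
# Added example (not from the original post): detect the "clock reset and
# every NTP server needs DNS" deadlock described above.

# Constructed server lists. The first is the catch-22 configuration (only a
# DNS name); the second adds literal addresses as fallbacks. The literals are
# documentation-range addresses, not real NTP servers.
SERVERS_DNS_ONLY='de.pool.org'
SERVERS_WITH_IPS='de.pool.org 192.0.2.10 2001:db8::123'

# A firmware image cannot legitimately run before the year it was built, so
# an earlier year means the RTC lost its time. 2025 is an assumed build year.
MIN_SANE_YEAR=2025

# is_ip_literal ADDR: exit 0 if ADDR is an IPv4 dotted quad or an IPv6
# literal (anything with a colon), 1 otherwise. Hostnames need DNS; literals
# do not, which is what matters here.
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;   # IPv6 literal
    esac
    # IPv4: exactly four decimal octets, each 0-255
    echo "$1" | grep -qE '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# count_ip_literals "SERVER LIST": print how many entries are literal addresses.
count_ip_literals() {
    n=0
    for s in $1; do
        if is_ip_literal "$s"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# year_is_sane YEAR: exit 0 if YEAR is at or after MIN_SANE_YEAR.
year_is_sane() {
    [ "$1" -ge "$MIN_SANE_YEAR" ]
}

# ntp_bootstrap_check "SERVER LIST" YEAR: print a verdict and return 0 when
# time sync can recover unattended, 1 when the box is stuck.
#   clock sane                      -> nothing to do, names resolve once up
#   clock wrong, >=1 IP literal     -> ntpd can still reach that server
#   clock wrong, DNS names only     -> DoH needs a valid clock, NTP needs DoH
ntp_bootstrap_check() {
    servers=$1
    year=$2
    if year_is_sane "$year"; then
        echo "ok: clock year $year is plausible"
        return 0
    fi
    if [ "$(count_ip_literals "$servers")" -gt 0 ]; then
        echo "recoverable: clock reset to $year, but NTP has IP-literal servers"
        return 0
    fi
    echo "stuck: clock reset to $year and every NTP server needs DNS"
    return 1
}

# Stand-alone run: the two constructed lists against a clock reset to 2022,
# then the live clock of this machine.
ntp_bootstrap_check "$SERVERS_DNS_ONLY" 2022
ntp_bootstrap_check "$SERVERS_WITH_IPS" 2022
ntp_bootstrap_check "$SERVERS_WITH_IPS" "$(date +%Y)"
```

The check only tells you whether recovery is possible; the actual fix is the one in the post, adding literal addresses next to the pool name, so that the first sync does not depend on a working resolver. Keep the hostname entries as well: literal addresses of public NTP servers change, and the pool name takes over once the clock is close enough for TLS to work again.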
#8
25.1, 25.4 Series / Re: 25.1.12 broke my OPNsense
July 23, 2025, 12:06:28 PM
>That's not what I said. 25.1.11 has a bad SQLite build as per FreeBSD ports mistake that we unfortunately caught. 25.1.12 fixes that issue.

The confusing part is that this thread is called "25.1.12 broke my OPNsense". Your reply makes it sound like the issue is still present in this release.

Not panicking, just wanting to get some clarity on this point before attempting the upgrade. Thank you for confirming.

This means however we are a bit off-topic here, the issue of the original poster is a different one.
#9
25.1, 25.4 Series / Re: 25.1.12 broke my OPNsense
July 23, 2025, 09:04:06 AM
I am a bit confused now: I was holding off on 25.1.11 because of this, but you are saying it is NOT fixed in 25.1.12?

Or is it a "dormant" issue that _may_ be already present in some routers in previous versions and will cause an issue when upgrading to anything 21.5.11 or later anyway (if that dormant issue is present)?
#10
Ah, thanks, now I see what the issue is. Interesting.

The reservation is for a Raspberry Pi 4 which is connected both over Wi-Fi and LAN. It is the same DUID on both interfaces, but different IPv6 addresses are assigned for each interface, presumably due to the IAID.

Now the interesting part is that ISC DHCPv6 erroneously assigns the **same** IPv6 on both interfaces, leading to IP conflicts (Raspberry Pi not happy). Kea, on the other hand, correctly tells the two interfaces apart and provides two different IPv6 addresses.

The problem with Kea, of course, is creating reservations in such a scenario, since it only checks the DUID and not the IAID.
#11
Is there a way to delete a lease? I could manually delete it, and add the reservation.

The volume of such occurrences in my case is low, hence that would be manageable for now.
#12
This is the feature request for DHCPv4 as far as I can tell, although it does not explicitly say IPv4, it mentions MAC:

https://github.com/opnsense/core/issues/7950
#13
Quote from: Monviech (Cedrik) on July 16, 2025, 07:04:11 AM
>I'm curious what exactly fails when creating a reservation with the same DUID as an existing lease, does KEA crash or something? Or does it log that it's ignored?

Upon clicking "save", the DUID field becomes circled with red, and a red text appears on the right of the DUID field, stating: "Duplicate entry exists"
#14
When the DUID appears truncated, you can still copy the entire DUID. Just double-click the DUID so the entire cell becomes highlighted/selected and press Ctrl-C. It will copy the entire DUID, including the part which is hidden.

I believe this is called a CSS text overflow ellipsis, this is not specific to the opnsense web interface.
#15
ISC had a button that allowed this conversion, this does not seem to exist in Kea, at least not for DHCPv6.

Attempting to create a static reservation fails, because the DUID already exists (as a dynamic lease).