Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - holunde

Pages: [1] 2

24.7 Production Series / Re: NTP-problem in 24.7?

« on: July 30, 2024, 11:08:09 am »

Hi Seimus

Yeah, it's me being ignorant here, I guess.
I just noticed, that I got quite a few messages from hosts on the network, that I'm managing today.
Messages about time-drifts. And these machines synchronize with the OPNSense-box in question.
So I investigated, and this ntpd-status inopnsense seemed strange.
But of course you are right, that these entries are not resolving to real ip's, since they are pools.
Why the have chosen to show them in the status as failing/pending is a design choice, I guess.
Why these hosts of mine are complaining must me some kind of coincidence, that I will investigate further.
Thanks for your help and attention

Hans Otto

24.7 Production Series / Re: NTP-problem in 24.7?

« on: July 30, 2024, 09:41:40 am »

Absolutely.
It's very basic. And apart from the page in the attachment, everything is default settings, as far as I know.
Hans Otto

24.7 Production Series / Re: NTP-problem in 24.7?

« on: July 30, 2024, 08:41:38 am »

I just want to add that

ntpdate 0.opnsense.pool.ntp.org
0 Jul 08:39:30 ntpdate[1280402]: adjust time server 192.53.103.108 offset +0.000235 sec

from the same network works just fine. So it's not that these time-sources are down or something...

24.7 Production Series / NTP-problem in 24.7?

« on: July 30, 2024, 08:35:22 am »

I just noticed, that the ntp-server in 24.7 seems to have a problem getting time from the configured servers.
And this seems to be the case with all of the four instances, that I take care of.
Below all of the 4 configured time-sources say Unreach/Pending..
Does anybody have a clue about this?

Unreach/Pending    0.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    1.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.debian.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Active Peer       194.45.79.110    185.181.223.169    2    u    23    64    177    10.386    -0.403    0.087
Unreach/Pending    217.116.227.3    149.117.239.139    2    u    23    64    177    5.703    -0.526    0.212
Unreach/Pending    193.200.91.90    192.38.7.240    2    u    16    64    167    3.396    -0.775    0.057
Unreach/Pending    5.186.56.205    217.198.219.102    2    u    19    64    177    1.912    -0.054    1.106
Unreach/Pending    213.32.246.229    22.75.108.217    3    u    19    64    177    8.765    -0.594    2.588
Unreach/Pending    185.197.135.6    131.188.3.220    2    u    14    64    177    19.042    -9.833    8.598
Unreach/Pending    213.5.39.34    123.19.30.227    2    u    17    64    177    2.459    -0.334    0.230
Unreach/Pending    162.159.200.1    10.65.8.14    3    u    10    64    177    4.502    -0.927    0.036

24.7 Production Series / Unproblematic upgrade to 24.7 and afterwards 24.7_5

« on: July 26, 2024, 10:33:54 am »

Just upgraded 4 systems without ANY issues. Two of them are absolutely critical.
I try not to have any hairy plugins, so it's basically IPV4 only + Wireguard and a varying number of interfaces + os-net-snmp and cicada. I'm not sure about my opinion on the new dashboard. It sure is pretty, but if it more useful than the old one, I'm not sure.
Thanks to the team for what seems to be a great job with this HUGE upgrade.
More power to them...

24.7 Production Series / Re: Development versions: Alpha, Beta and Release Candidate explained

« on: June 24, 2024, 04:48:11 pm »

I absolutely understand how much work, that would require.
It was just a thought on Franco's remarks regarding Netgates involvement in FreeBSD-development.

24.7 Production Series / Re: Development versions: Alpha, Beta and Release Candidate explained

« on: June 24, 2024, 12:54:40 pm »

Hi
I don't want to interfere with your discussion, but just mention that I use OPNSense in production at several locations and has been VERY pleased with it for several years.
Not just the software, but also the friendliness I've encountered in my quite few interactions with the company.
I came from PfSense for these systems but got really annoyed because of the way PfSense behaved when they screwed up their WireGuard VPN implementation.
This company does not operate in a way, that I can stand behind. They are close to being complete a**holes, to be frank.
So the budget-money I have for these routers goes to OPNSense.

By the way. I have a CRAZY question for you, Franco:
Have you EVER considered moving the OPNSense-project over to run on top of a Linux-kernel?
Or is this simply too big a change to contemplate at all?
It would cut some ties to this malevolent FreeBSD sponsor, though...

summer greetings from Denmark

General Discussion / Re: Unbound DNS not working anymore

« on: February 19, 2024, 09:35:18 pm »

Hi

I've encountered the same problem.
I'll get back to you when I have investigated further..

General Discussion / Re: Unbound, DNSSEC, and Resolution Weirdness

« on: February 19, 2024, 09:33:35 pm »

Hi
I have experienced just about the exact same symptoms today - also with quad9.
I'll look into it tomorrow and get back to you about my results...

24.1 Legacy Series / Re: NO PROBLEMO - Upgraded 4 production routers from 23.7 series to 24.1_1

« on: February 01, 2024, 09:52:26 am »

Hi Franco

No, the squid-plugin is not installed, so I guess the error-message was just related to a dependency for the squid-package, if there is such a thing. But now I checked and nothing squid-related seems to be installed on any of the 4 routers.
The only plugins I have installed is os-net-snmp and the cicada-theme.
Hmmm, maybe I don't recall this correctly. But I did see the error-message.
Anyway, it all seems to run absolutely great on all 4 systems.
Thanks for your feedback.

24.1 Legacy Series / NO PROBLEMO - Upgraded 4 production routers from 23.7 series to 24.1_1

« on: January 31, 2024, 02:50:04 pm »

Hi

I just want to acknowledge the team for doing a great job with this HUGE update.
The 4 routers mentioned do not have a very complicated setup, but two of them are a bit complex.
We use Wireguard on all of them and are VERY pleased with it.
Only other thing to mention is, that we try to stay away from third-party plugins etc.
The only glitch I can think of during the update is these two message:

'squid is missing a required shared library: libssl.so.11
squid is missing a required shared library: libcrypto.so.11'

We do not use squid although it is installed, so this is not really important at all. Just reinstalled squid to get rid of the error-message.

Thanks to the team for a smooth upgrade and a great product.

Hans Otto Lunde

23.1 Legacy Series / Trouble with Unbound and MX-records

« on: June 12, 2023, 08:21:23 am »

Hi
I want to change from Dnsmasq to Unbound for different reasons(security mostly) and I have a question about Unbound overrides and Dns MX-records.
The problem is on an installation with a number of different subnets, but the issue has to do with an email-server on a DMZ-area.
I've been running Dnsmasq until now and on the DMZ-area, there are different hosts, some web-servers, an email-server etc.
So when clients on the LAN need to access one of these web-servers they need to use the internal DMZ-ip instead of going out through the WAN first.
So with Dnsmasq I have just entered some overrides for these webserver like this

www.somedomain.dk 192.168.0.4
www.newdom.dk 192.168.0.4
www.somedomain2.dk 192.168.0.5

which works fine. The email-server in question is on 192.168.0.3, and it is receiving emails from different systems on the lan and forwarding them to an email-server out on the internet.
So it is allowed to "relay" for these systems. This works fine with Dnsmasq - but NOT with unbound.
There is NO override for this email-server on Dnsmasq, so when I do a nslookup FROM the email-server I get the correct answer, because Dnsmasq just asks out on the DNS-internet and gets the correct answer (192.168.0.1 is OPNSENSE)

nslookup -type=MX newdom.dk
Server:      192.168.0.1
Address:   192.168.0.1#53

Non-authoritative answer:
newdom.dk   mail exchanger = 10 aspmx2.googlemail.com.
newdom.dk   mail exchanger = 10 aspmx3.googlemail.com.
newdom.dk   mail exchanger = 1 aspmx.l.google.com.
newdom.dk   mail exchanger = 5 alt1.aspmx.l.google.com.
newdom.dk   mail exchanger = 5 alt2.aspmx.l.google.com.

BUT when I do the same with Unbound running and the exact same overrides in Unbound as I had in Dnsmasq get

root@ns2:~# nslookup -type=MX newdom.dk
Server:      192.168.0.1
Address:   192.168.0.1#53

*** Can't find newdom.dk: No answer

Which is a showstopper for me.
Unbound does have the option of doing overrides for MX-records, but since I specifically do NOT want that, I haven't entered any.
Just A-records for web-servers.
Has anyone come across this problem?

Hardware and Performance / Re: Puzzling assymmetric network speeds

« on: May 15, 2021, 10:15:49 am »

Hi opnfwb

Thanks for your answer
Yes, I have already experimented with some of the low-level settings and right now I have

dev.igb.X.fc=0
dev.igb.X.eee_disabled=1

set for all 6 ports on the device.
But in my experiments I have never seen any of them have any effect.
And this also goes for some other more powerfull routers I run OPNSense on. This model actually, https://teklager.se/en/products/routers/tlsense-i7-7500U.
But what DOES absolutely have an immediate effect on network performance on these Intel-based routers is to enable PowerD and set the power-mode to maximum in System->Settings->Miscellaneous->Power savings.
Without this the SG-4860 will not route at gigabit-speed.
There are settings like this that is being discussed from time to time, but much of it seems like guess-work. It would be nice with some authoritative guide on this for Intel chip-sets for example.
I've done a lot of tests and there is no doubt. For some reason this device has a slow-down when it comes to the situations, I have described.

Hardware and Performance / Puzzling assymmetric network speeds

« on: May 09, 2021, 04:07:56 pm »

I have OPNSense installed on a Netgate SG-4860 unit.
There is nothing special about the installation, except that I have the wireguard kernel-module installed.
There are no problems with stability or anything like that and the unit can route at my full internet-speed, which is 1Gbit/s, so in quiet times I see up and download speeds using fx speedtest.net at bit over 900 mbits/s in both directions meassured using my home computer.
But I experienced assymmetric speeds connecting to my workplace using using a site to site Wireguard-connection.
Not that it is a problem because the speed is fine, but it puzzles me, what the cause is. Here are the wireguard speeds meassured against between my home-pc and my workstation at work(!) using iperf3. Both pc's run Linux Mint.

First from the home-pc(192.168.254.6) towards the work-pc(10.0.5.1)

ho@hohome:~$ iperf3 -c 10.0.5.1
Connecting to host 10.0.5.1, port 5201
[ 5] local 192.168.254.6 port 59292 connected to 10.0.5.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 65.5 MBytes 549 Mbits/sec 82 1.61 MBytes
[ 5] 1.00-2.00 sec 68.8 MBytes 577 Mbits/sec 0 1.76 MBytes
[ 5] 2.00-3.00 sec 67.5 MBytes 566 Mbits/sec 0 1.89 MBytes
[ 5] 3.00-4.00 sec 68.8 MBytes 577 Mbits/sec 0 1.99 MBytes
[ 5] 4.00-5.00 sec 67.5 MBytes 566 Mbits/sec 0 2.06 MBytes

Now from the work-pc towards the home-pc

ho@hohome:~$ iperf3 -c 10.0.5.1 -R
Connecting to host 10.0.5.1, port 5201
Reverse mode, remote host 10.0.5.1 is sending
[ 5] local 192.168.254.6 port 59302 connected to 10.0.5.1 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 79.2 MBytes 664 Mbits/sec
[ 5] 1.00-2.00 sec 87.7 MBytes 735 Mbits/sec
[ 5] 2.00-3.00 sec 88.6 MBytes 744 Mbits/sec
[ 5] 3.00-4.00 sec 91.0 MBytes 764 Mbits/sec
[ 5] 4.00-5.00 sec 79.2 MBytes 664 Mbits/sec

In the second mesurement the speed varies quite a lot, but it is definitively faster
So I got curious and mesured the speed from the home-pc directly against the lan-port on the OPNSense-router, the SG-4860, using iperf3 from the console on the router(192.168.254.1)

First from the home-pc towards the OPNSense-lan-port

ho@hohome:~$ iperf3 -c 192.168.254.1
Connecting to host 192.168.254.1, port 5201
[ 5] local 192.168.254.6 port 42940 connected to 192.168.254.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 81.0 MBytes 679 Mbits/sec 0 484 KBytes
[ 5] 1.00-2.00 sec 77.6 MBytes 651 Mbits/sec 0 484 KBytes
[ 5] 2.00-3.00 sec 78.7 MBytes 660 Mbits/sec 0 484 KBytes
[ 5] 3.00-4.00 sec 79.6 MBytes 668 Mbits/sec 0 484 KBytes
[ 5] 4.00-5.00 sec 78.5 MBytes 658 Mbits/sec 0 484 KBytes

And now the other way

ho@hohome:~$ iperf3 -c 192.168.254.1 -R
Connecting to host 192.168.254.1, port 5201
Reverse mode, remote host 192.168.254.1 is sending
[ 5] local 192.168.254.6 port 42944 connected to 192.168.254.1 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 112 MBytes 940 Mbits/sec
[ 5] 1.00-2.00 sec 112 MBytes 941 Mbits/sec
[ 5] 2.00-3.00 sec 112 MBytes 942 Mbits/sec
[ 5] 3.00-4.00 sec 112 MBytes 941 Mbits/sec
[ 5] 4.00-5.00 sec 112 MBytes 942 Mbits/sec

I've repeated these tests and the behaviour seems absolutely consistent.
The pattern seems to be that traffic going IN to the lan-port of the router is slower than in the other direction.
I'm new to OPNsense, having beeen a pfSense user for years until the latest Wireguard-scandal, so there might be
something that I'm not aware of in the configuration of the OPNSense-system.
But then again, it is odd that there seems to be no assymmetric behaviour when testing with speedtest.net from the home-pc, at least not anything significant.

Does anyone have an idea of what is going on here?

Virtual private networks / Re: Import Private/public key-pair

« on: April 07, 2021, 06:31:41 pm »

Thanks for your reply.
Since my question I've had the chance to play with a OpnSense installation and it's handling of keys is indeed as flexible as you point out. So I guess it wont really be a problem.
I'm looking forward to test Wireguard on OpnSense, also the kernel-module.

Pages: [1] 2