Messages - holunde

#1
Hi Seimus

Yeah, it's me being ignorant here, I guess.
I just noticed that I got quite a few messages from hosts on the network that I'm managing today.
Messages about time drifts. And these machines synchronize with the OPNSense box in question.
So I investigated, and this ntpd status in OPNSense seemed strange.
But of course you are right that these entries are not resolving to real IPs, since they are pools.
Why they have chosen to show them in the status as failing/pending is a design choice, I guess.
Why these hosts of mine are complaining must be some kind of coincidence that I will investigate further.
Thanks for your help and attention  :)
Hans Otto
#2
Absolutely.
It's very basic. And apart from the page in the attachment, everything is default settings, as far as I know.
Hans Otto
#3
I just want to add that

ntpdate 0.opnsense.pool.ntp.org
0 Jul 08:39:30 ntpdate[1280402]: adjust time server 192.53.103.108 offset +0.000235 sec

from the same network works just fine. So it's not that these time-sources are down or something...
#4
24.7, 24.10 Legacy Series / NTP-problem in 24.7?
July 30, 2024, 08:35:22 AM
I just noticed that the ntp server in 24.7 seems to have a problem getting time from the configured servers.
And this seems to be the case with all of the four instances that I take care of.
Below, all of the 4 configured time sources say Unreach/Pending..
Does anybody have a clue about this?

Unreach/Pending    0.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    1.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.debian.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Active Peer       194.45.79.110    185.181.223.169    2    u    23    64    177    10.386    -0.403    0.087
Unreach/Pending    217.116.227.3    149.117.239.139    2    u    23    64    177    5.703    -0.526    0.212
Unreach/Pending    193.200.91.90    192.38.7.240    2    u    16    64    167    3.396    -0.775    0.057
Unreach/Pending    5.186.56.205    217.198.219.102    2    u    19    64    177    1.912    -0.054    1.106
Unreach/Pending    213.32.246.229    22.75.108.217    3    u    19    64    177    8.765    -0.594    2.588
Unreach/Pending    185.197.135.6    131.188.3.220    2    u    14    64    177    19.042    -9.833    8.598
Unreach/Pending    213.5.39.34    123.19.30.227    2    u    17    64    177    2.459    -0.334    0.230
Unreach/Pending    162.159.200.1    10.65.8.14    3    u    10    64    177    4.502    -0.927    0.036
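The table above is the OPNsense rendering of ntpq's peer list: the four `.POOL.` rows are the unresolved pool names themselves, which ntpd never polls (hence stratum 16 and reach 0), while the IP rows below them are the servers the pool actually resolved to. The following is an added example, not code from the post or from OPNsense, showing how a monitoring script can parse such a table, set the pool placeholders aside, decode the octal `reach` register, and judge sync health from the resolved peers instead of from the status label. The "Unreach/Pending" label is what the status page prints for ntpq's blank tally code, which by itself says nothing about reachability, so the reach column is the better signal. The sample rows are copied from the post; the column order and the 100 ms offset threshold are assumptions.

```python
"""Parse an OPNsense/ntpq-style NTP peer table and judge sync health.

Added example, not code from the forum post or from OPNsense.
Column order assumed (matches `ntpq -p` and the OPNsense status page):
status  remote  refid  st  t  when  poll  reach  delay  offset  jitter
"""
from dataclasses import dataclass
from typing import Dict, List

# Sample table, copied from the post above (status column as OPNsense labels it).
SAMPLE = """\
Unreach/Pending    0.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    1.dk.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    0.debian.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Active Peer       194.45.79.110    185.181.223.169    2    u    23    64    177    10.386    -0.403    0.087
Unreach/Pending    217.116.227.3    149.117.239.139    2    u    23    64    177    5.703    -0.526    0.212
Unreach/Pending    193.200.91.90    192.38.7.240    2    u    16    64    167    3.396    -0.775    0.057
Unreach/Pending    5.186.56.205    217.198.219.102    2    u    19    64    177    1.912    -0.054    1.106
Unreach/Pending    213.32.246.229    22.75.108.217    3    u    19    64    177    8.765    -0.594    2.588
Unreach/Pending    185.197.135.6    131.188.3.220    2    u    14    64    177    19.042    -9.833    8.598
Unreach/Pending    213.5.39.34    123.19.30.227    2    u    17    64    177    2.459    -0.334    0.230
Unreach/Pending    162.159.200.1    10.65.8.14    3    u    10    64    177    4.502    -0.927    0.036
"""


@dataclass
class Peer:
    status: str
    remote: str
    refid: str
    stratum: int
    ptype: str      # ntpq type column: u=unicast, p=pool placeholder, ...
    when: str
    poll: int
    reach: int      # shift register of the last 8 polls (printed in octal by ntpq)
    delay: float
    offset: float   # milliseconds
    jitter: float

    @property
    def is_pool_placeholder(self) -> bool:
        # The ".POOL." row is the pool DNS name itself; ntpd resolves it into
        # real peers and never polls it, so stratum 16 / reach 0 here is normal.
        return self.refid == ".POOL." or self.ptype == "p"

    @property
    def polls_answered(self) -> int:
        # Each set bit in the reach register is one answered poll out of the last 8.
        return bin(self.reach).count("1")


def parse_table(text: str) -> List[Peer]:
    """Parse rows; the status label may contain spaces, so split from the right."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue
        *status_words, remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append(Peer(
            status=" ".join(status_words), remote=remote, refid=refid,
            stratum=int(st), ptype=t, when=when, poll=int(poll),
            reach=int(reach, 8), delay=float(delay),
            offset=float(offset), jitter=float(jitter),
        ))
    return peers


def assess(peers: List[Peer], max_offset_ms: float = 100.0) -> Dict:
    """Health verdict based on resolved peers only (threshold is an assumption)."""
    real = [p for p in peers if not p.is_pool_placeholder]
    reachable = [p for p in real if p.polls_answered > 0]
    selected = [p for p in real if p.status == "Active Peer"]
    problems = []
    if not reachable:
        problems.append("no resolved peer answered any of the last 8 polls")
    if not selected:
        problems.append("no peer is selected as system peer (Active Peer)")
    for p in selected:
        if abs(p.offset) > max_offset_ms:
            problems.append(f"system peer {p.remote} offset {p.offset:+.3f} ms "
                            f"exceeds {max_offset_ms} ms")
    return {
        "pool_placeholders": [p.remote for p in peers if p.is_pool_placeholder],
        "reachable": len(reachable),
        "system_peer": selected[0].remote if selected else None,
        "healthy": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    verdict = assess(parse_table(SAMPLE))
    for k, v in verdict.items():
        print(f"{k}: {v}")
```

Run against the table from the post this reports four pool placeholders, eight resolved peers answering polls, `194.45.79.110` as system peer with a sub-millisecond offset, and no problems, which is consistent with the `ntpdate` check in a later post. If downstream hosts still complain about drift while this verdict is healthy, the cause is on the client side or in the path to the firewall rather than in the firewall's upstream sync.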
#5
Just upgraded 4 systems without ANY issues. Two of them are absolutely critical.
I try not to have any hairy plugins, so it's basically IPv4 only + Wireguard and a varying number of interfaces + os-net-snmp and cicada. I'm not sure about my opinion on the new dashboard. It sure is pretty, but whether it is more useful than the old one, I'm not sure.
Thanks to the team for what seems to be a great job with this HUGE upgrade.
More power to them... :)
#6
I absolutely understand how much work that would require.
It was just a thought on Franco's remarks regarding Netgate's involvement in FreeBSD development.
#7
Hi
I don't want to interfere with your discussion, but just mention that I use OPNSense in production at several locations and have been VERY pleased with it for several years.
Not just the software, but also the friendliness I've encountered in my quite few interactions with the company.
I came from PfSense for these systems but got really annoyed because of the way PfSense behaved when they screwed up their WireGuard VPN implementation.
This company does not operate in a way that I can stand behind. They are close to being complete a**holes, to be frank.
So the budget-money I have for these routers goes to OPNSense.

By the way. I have a CRAZY question for you, Franco:
Have you EVER considered moving the OPNSense-project over to run on top of a Linux-kernel?
Or is this simply too big a change to contemplate at all?
It would cut some ties to this malevolent FreeBSD sponsor, though... :)
summer greetings from Denmark
#8
General Discussion / Re: Unbound DNS not working anymore
February 19, 2024, 09:35:18 PM
Hi

I've encountered the same problem.
I'll get back to you when I have investigated further..
#9
Hi
I have experienced just about the exact same symptoms today - also with quad9.
I'll look into it tomorrow and get back to you about my results...
#10
Hi Franco

No, the squid-plugin is not installed, so I guess the error-message was just related to a dependency for the squid-package, if there is such a thing. But now I checked and nothing squid-related seems to be installed on any of the 4 routers.
The only plugins I have installed are os-net-snmp and the cicada theme.
Hmmm, maybe I don't recall this correctly. But I did see the error-message.
Anyway, it all seems to run absolutely great on all 4 systems.
Thanks for your feedback.
#11
Hi

I just want to acknowledge the team for doing a great job with this HUGE update.
The 4  routers mentioned do not have a very complicated setup, but two of them are a bit complex.
We use Wireguard on all of them and are VERY pleased with it.
The only other thing to mention is that we try to stay away from third-party plugins etc.
The only glitch I can think of during the update is these two messages:

'squid is missing a required shared library: libssl.so.11
squid is missing a required shared library: libcrypto.so.11'

We do not use squid although it is installed, so this is not really important at all. Just reinstalled squid to get rid of the error-message.

Thanks to the team for a smooth upgrade and a great product.

Hans Otto Lunde


#12
Hi
I want to change from Dnsmasq to Unbound for different reasons (security mostly) and I have a question about Unbound overrides and DNS MX records.
The problem is on an installation with a number of different subnets, but the issue has to do with an email-server on a DMZ-area.
I've been running Dnsmasq until now and on the DMZ-area, there are different hosts, some web-servers, an email-server etc.
So when clients on the LAN need to access one of these web-servers they need to use the internal DMZ-ip instead of going out through the WAN first.
So with Dnsmasq I have just entered some overrides for these web servers like this

www.somedomain.dk       192.168.0.4
www.newdom.dk           192.168.0.4
www.somedomain2.dk      192.168.0.5

which works fine. The email-server in question is on 192.168.0.3, and it is receiving emails from different systems on the lan and forwarding them to an email-server out on the internet.
So it is allowed to "relay" for these systems. This works fine with Dnsmasq - but NOT with unbound.
There is NO override for this email server in Dnsmasq, so when I do an nslookup FROM the email server I get the correct answer, because Dnsmasq just asks out on the internet DNS and gets the correct answer (192.168.0.1 is OPNSENSE)

nslookup -type=MX newdom.dk
Server:      192.168.0.1
Address:   192.168.0.1#53

Non-authoritative answer:
newdom.dk   mail exchanger = 10 aspmx2.googlemail.com.
newdom.dk   mail exchanger = 10 aspmx3.googlemail.com.
newdom.dk   mail exchanger = 1 aspmx.l.google.com.
newdom.dk   mail exchanger = 5 alt1.aspmx.l.google.com.
newdom.dk   mail exchanger = 5 alt2.aspmx.l.google.com.

BUT when I do the same with Unbound running and the exact same overrides in Unbound as I had in Dnsmasq, I get

root@ns2:~# nslookup -type=MX newdom.dk
Server:      192.168.0.1
Address:   192.168.0.1#53

*** Can't find newdom.dk: No answer

Which is a showstopper for me.
Unbound does have the option of doing overrides for MX-records, but since I specifically do NOT want that, I haven't entered any.
Just A-records for web-servers.
Has anyone come across this problem?
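The "No answer" that nslookup prints above is a NODATA response (NOERROR with an empty answer section), and in Unbound whether a host override produces NODATA or a normal upstream lookup depends on the type of the `local-zone` that encloses the name. What OPNsense generated on the poster's box is not shown on the page; the following added example, not code from the post, from OPNsense or from Unbound, is a small model of Unbound's documented semantics for the three zone types that matter here. It parses a constructed unbound.conf fragment with the overrides from the post and answers A and MX queries the way Unbound would: `transparent` returns NODATA when the name exists in local data but the queried type does not, `typetransparent` falls through to normal resolution in that case, and `static` returns NXDOMAIN for any name in the zone that has no local data. Only explicitly declared zones are modelled; Unbound's implicit zones and the other zone types are left out.

```python
"""Model of how Unbound answers queries against local-zone / local-data
(host override) entries.  Added example; not code from the post, from
OPNsense or from Unbound.  Implements the documented behaviour of three
zone types:

  static          name not in local data -> NXDOMAIN;
                  name present but not the type -> NODATA
  transparent     name not in local data -> resolve upstream;
                  name present but not the type -> NODATA
                  (nslookup shows this as "No answer")
  typetransparent name+type not in local data -> resolve upstream

Only explicitly declared local-zones are handled (no implicit zones,
no redirect/refuse/deny/...).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def make_config(zone_type: str) -> str:
    """Constructed unbound.conf fragment: the overrides from the post under a
    zone type chosen for illustration."""
    return f'''
server:
    local-zone: "newdom.dk" {zone_type}
    local-data: "www.newdom.dk A 192.168.0.4"
    local-zone: "somedomain.dk" {zone_type}
    local-data: "www.somedomain.dk A 192.168.0.4"
'''


_ZONE = re.compile(r'^\s*local-zone:\s*"([^"]+)"\s+(\S+)')
_DATA = re.compile(r'^\s*local-data:\s*"([^"]+)"')


def norm(name: str) -> str:
    return name.lower().rstrip(".")


class LocalZones:
    def __init__(self, conf: str):
        self.zones: Dict[str, str] = {}                      # zone name -> type
        self.data: Dict[str, Dict[str, List[str]]] = defaultdict(dict)  # owner -> type -> rdata
        for line in conf.splitlines():
            m = _ZONE.match(line)
            if m:
                self.zones[norm(m.group(1))] = m.group(2).lower()
                continue
            m = _DATA.match(line)
            if m:
                fields = m.group(1).split()
                owner = norm(fields[0])
                i = 1  # skip an optional TTL and/or class before the RR type
                while i < len(fields) - 1 and (fields[i].isdigit() or fields[i].upper() == "IN"):
                    i += 1
                rrtype, rdata = fields[i].upper(), " ".join(fields[i + 1:])
                self.data[owner].setdefault(rrtype, []).append(rdata)

    def enclosing_zone(self, qname: str) -> Tuple[Optional[str], Optional[str]]:
        """Longest declared zone that is a suffix of qname."""
        labels = norm(qname).split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.zones:
                return cand, self.zones[cand]
        return None, None

    def resolve(self, qname: str, qtype: str) -> Tuple[str, List[str]]:
        """Return (verdict, rdata) where verdict is LOCAL, NODATA, NXDOMAIN or UPSTREAM."""
        qname, qtype = norm(qname), qtype.upper()
        zone, ztype = self.enclosing_zone(qname)
        if zone is None:
            return ("UPSTREAM", [])
        rrsets = self.data.get(qname, {})
        if qtype in rrsets:
            return ("LOCAL", rrsets[qtype])
        if ztype == "typetransparent":
            return ("UPSTREAM", [])
        if rrsets:                      # name exists locally, but not this type
            return ("NODATA", [])
        if ztype == "static":
            return ("NXDOMAIN", [])
        return ("UPSTREAM", [])         # transparent: unknown name -> normal resolution


if __name__ == "__main__":
    for zt in ("transparent", "typetransparent", "static"):
        lz = LocalZones(make_config(zt))
        for q in (("www.newdom.dk", "A"), ("www.newdom.dk", "MX"), ("newdom.dk", "MX")):
            print(f"{zt:16} {q[0]:16} {q[1]:3} -> {lz.resolve(*q)}")
```

Under this model an MX query for the bare `newdom.dk` only becomes NODATA if the apex name itself is present in local data; an override for `www.newdom.dk` alone leaves the apex to normal resolution in a `transparent` zone. So when the symptom from the post appears, the thing to inspect is the effective local data and zone list on the firewall (`unbound-control list_local_zones` and `unbound-control list_local_data`) for an entry covering the apex, and if a NODATA answer for an overridden name is the actual problem, `typetransparent` is the zone type that resolves the missing types upstream instead.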
#13
Hi opnfwb

Thanks for your answer
Yes, I have already experimented with some of the low-level settings and right now I have

dev.igb.X.fc=0
dev.igb.X.eee_disabled=1

set for all 6 ports on the device.
But in my experiments I have never seen any of them have any effect.
And this also goes for some other more powerful routers I run OPNSense on. This model actually, https://teklager.se/en/products/routers/tlsense-i7-7500U.
But what DOES absolutely have an immediate effect on network performance on these Intel-based routers is to enable PowerD and set the power-mode to maximum in System->Settings->Miscellaneous->Power savings.
Without this the SG-4860 will not route at gigabit-speed.
There are settings like this that are being discussed from time to time, but much of it seems like guesswork. It would be nice to have some authoritative guide on this for Intel chipsets, for example.
I've done a lot of tests and there is no doubt. For some reason this device has a slowdown when it comes to the situations I have described.
#14
I have OPNSense installed on a Netgate SG-4860 unit.
There is nothing special about the installation, except that I have the wireguard kernel-module installed.
There are no problems with stability or anything like that and the unit can route at my full internet speed, which is 1Gbit/s, so in quiet times I see upload and download speeds using e.g. speedtest.net at a bit over 900 Mbit/s in both directions, measured using my home computer.
But I experienced asymmetric speeds connecting to my workplace using a site-to-site Wireguard connection.
Not that it is a problem, because the speed is fine, but it puzzles me what the cause is. Here are the Wireguard speeds measured between my home PC and my workstation at work(!) using iperf3. Both PCs run Linux Mint.

First from the home-pc(192.168.254.6) towards the work-pc(10.0.5.1)

ho@hohome:~$ iperf3 -c 10.0.5.1
Connecting to host 10.0.5.1, port 5201
[  5] local 192.168.254.6 port 59292 connected to 10.0.5.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  65.5 MBytes   549 Mbits/sec   82   1.61 MBytes       
[  5]   1.00-2.00   sec  68.8 MBytes   577 Mbits/sec    0   1.76 MBytes       
[  5]   2.00-3.00   sec  67.5 MBytes   566 Mbits/sec    0   1.89 MBytes       
[  5]   3.00-4.00   sec  68.8 MBytes   577 Mbits/sec    0   1.99 MBytes       
[  5]   4.00-5.00   sec  67.5 MBytes   566 Mbits/sec    0   2.06 MBytes       

Now from the work-pc towards the home-pc

ho@hohome:~$ iperf3 -c 10.0.5.1 -R
Connecting to host 10.0.5.1, port 5201
Reverse mode, remote host 10.0.5.1 is sending
[  5] local 192.168.254.6 port 59302 connected to 10.0.5.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  79.2 MBytes   664 Mbits/sec                 
[  5]   1.00-2.00   sec  87.7 MBytes   735 Mbits/sec                 
[  5]   2.00-3.00   sec  88.6 MBytes   744 Mbits/sec                 
[  5]   3.00-4.00   sec  91.0 MBytes   764 Mbits/sec                 
[  5]   4.00-5.00   sec  79.2 MBytes   664 Mbits/sec                 

In the second measurement the speed varies quite a lot, but it is definitely faster.
So I got curious and measured the speed from the home PC directly against the LAN port on the OPNSense router, the SG-4860, using iperf3 from the console on the router (192.168.254.1)

First from the home-pc towards the OPNSense-lan-port

ho@hohome:~$ iperf3 -c 192.168.254.1
Connecting to host 192.168.254.1, port 5201
[  5] local 192.168.254.6 port 42940 connected to 192.168.254.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  81.0 MBytes   679 Mbits/sec    0    484 KBytes       
[  5]   1.00-2.00   sec  77.6 MBytes   651 Mbits/sec    0    484 KBytes       
[  5]   2.00-3.00   sec  78.7 MBytes   660 Mbits/sec    0    484 KBytes       
[  5]   3.00-4.00   sec  79.6 MBytes   668 Mbits/sec    0    484 KBytes       
[  5]   4.00-5.00   sec  78.5 MBytes   658 Mbits/sec    0    484 KBytes       

And now the other way

ho@hohome:~$ iperf3 -c 192.168.254.1 -R
Connecting to host 192.168.254.1, port 5201
Reverse mode, remote host 192.168.254.1 is sending
[  5] local 192.168.254.6 port 42944 connected to 192.168.254.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   112 MBytes   940 Mbits/sec                 
[  5]   1.00-2.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   2.00-3.00   sec   112 MBytes   942 Mbits/sec                 
[  5]   3.00-4.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   4.00-5.00   sec   112 MBytes   942 Mbits/sec                 

I've repeated these tests and the behaviour seems absolutely consistent.
The pattern seems to be that traffic going IN to the LAN port of the router is slower than in the other direction.
I'm new to OPNsense, having been a pfSense user for years until the latest Wireguard scandal, so there might be
something that I'm not aware of in the configuration of the OPNSense system.
But then again, it is odd that there seems to be no asymmetric behaviour when testing with speedtest.net from the home PC, at least not anything significant.

Does anyone have an idea of what is going on here?
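Eyeballing four iperf3 runs makes it easy to miss what differs between them. The following added example, not code from the post, parses iperf3's per-interval text output for each direction, reports mean, spread and total retransmits (which iperf3 prints only on the sending side, so the `-R` runs have none), and puts a number on the asymmetry. The sample lines are the four measurements quoted in the post; the parser is written for iperf3's default human-readable format, which is an assumption about its exact layout.

```python
"""Summarise iperf3 interval lines per direction and quantify asymmetry.

Added example, not from the post.  The constructed sample inputs below
are the interval lines quoted in the post above.
"""
import re
from statistics import mean
from typing import Dict, List

WG_FWD = """\
[  5]   0.00-1.00   sec  65.5 MBytes   549 Mbits/sec   82   1.61 MBytes
[  5]   1.00-2.00   sec  68.8 MBytes   577 Mbits/sec    0   1.76 MBytes
[  5]   2.00-3.00   sec  67.5 MBytes   566 Mbits/sec    0   1.89 MBytes
[  5]   3.00-4.00   sec  68.8 MBytes   577 Mbits/sec    0   1.99 MBytes
[  5]   4.00-5.00   sec  67.5 MBytes   566 Mbits/sec    0   2.06 MBytes
"""
WG_REV = """\
[  5]   0.00-1.00   sec  79.2 MBytes   664 Mbits/sec
[  5]   1.00-2.00   sec  87.7 MBytes   735 Mbits/sec
[  5]   2.00-3.00   sec  88.6 MBytes   744 Mbits/sec
[  5]   3.00-4.00   sec  91.0 MBytes   764 Mbits/sec
[  5]   4.00-5.00   sec  79.2 MBytes   664 Mbits/sec
"""
LAN_FWD = """\
[  5]   0.00-1.00   sec  81.0 MBytes   679 Mbits/sec    0    484 KBytes
[  5]   1.00-2.00   sec  77.6 MBytes   651 Mbits/sec    0    484 KBytes
[  5]   2.00-3.00   sec  78.7 MBytes   660 Mbits/sec    0    484 KBytes
[  5]   3.00-4.00   sec  79.6 MBytes   668 Mbits/sec    0    484 KBytes
[  5]   4.00-5.00   sec  78.5 MBytes   658 Mbits/sec    0    484 KBytes
"""
LAN_REV = """\
[  5]   0.00-1.00   sec   112 MBytes   940 Mbits/sec
[  5]   1.00-2.00   sec   112 MBytes   941 Mbits/sec
[  5]   2.00-3.00   sec   112 MBytes   942 Mbits/sec
[  5]   3.00-4.00   sec   112 MBytes   941 Mbits/sec
[  5]   4.00-5.00   sec   112 MBytes   942 Mbits/sec
"""

# One interval line: "[ id] start-end sec  xfer unit  rate unit  [retr  cwnd]"
_LINE = re.compile(
    r"^\[\s*\d+\]\s+([\d.]+)-([\d.]+)\s+sec\s+([\d.]+)\s+(\w)Bytes\s+"
    r"([\d.]+)\s+(\w)bits/sec(?:\s+(\d+))?"
)
_SCALE = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_intervals(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers, "Connecting to host", summary lines
        start, end, _xfer, _xunit, rate, runit, retr = m.groups()
        rows.append({
            "start": float(start), "end": float(end),
            "mbits": float(rate) * _SCALE[runit],
            "retr": int(retr) if retr is not None else None,
        })
    return rows


def summarise(text: str) -> Dict:
    rows = parse_intervals(text)
    rates = [r["mbits"] for r in rows]
    retr = [r["retr"] for r in rows if r["retr"] is not None]
    avg = mean(rates)
    return {
        "intervals": len(rows),
        "mean_mbits": round(avg, 1),
        "min_mbits": min(rates),
        "max_mbits": max(rates),
        "spread_pct": round(100 * (max(rates) - min(rates)) / avg, 1),
        "retransmits": sum(retr) if retr else None,  # only the sender reports Retr
    }


def asymmetry(forward_text: str, reverse_text: str) -> Dict:
    f, r = summarise(forward_text), summarise(reverse_text)
    return {"forward": f, "reverse": r,
            "reverse_over_forward": round(r["mean_mbits"] / f["mean_mbits"], 2)}


if __name__ == "__main__":
    for label, fwd, rev in (("wireguard", WG_FWD, WG_REV), ("lan", LAN_FWD, LAN_REV)):
        print(label, asymmetry(fwd, rev))
```

On the post's numbers the LAN test shows the router sending at 1.42 times the rate at which it receives with zero retransmits either way, while the WireGuard path shows a 1.26 ratio with 82 retransmits in the first second of the forward run and a much wider spread in the reverse run; keeping those ratios side by side is what separates a local-ingress effect on the LAN port from behaviour of the tunnel itself.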
#15
Thanks for your reply.
Since my question I've had the chance to play with an OpnSense installation and its handling of keys is indeed as flexible as you point out. So I guess it won't really be a problem.
I'm looking forward to test Wireguard on OpnSense, also the kernel-module.