Messages

1

24.7 Production Series / ax driver reports impossible number of errors

« on: November 13, 2024, 04:59:40 pm »

Code: [Select]

feld@gw:~ $ netstat -I ax0
Name    Mtu Network        Address                             Ipkts                 Ierrs                 Idrop       Opkts                 Oerrs                  Coll
ax0    1500 <Link#5>       f4:90:ea:00:62:2d                  382472  18446744073709551610                     0  1703087022                     0                     0
ax0       - fe80::%ax0/64  fe80::f690:eaff:fe00:622d%ax0           0                     -                     -           0                     -                     -


this is impossible

2

24.1 Legacy Series / Re: Locate server mgmt. interface by mDNS/bonjour name

« on: May 20, 2024, 08:07:35 pm »

It needs to have avahi installed and configured for this to work, but it's not currently available as a plugin/package in OpnSense

3

24.1 Legacy Series / Re: OPNsense in a jail on a FreeBSD host?

« on: April 29, 2024, 10:51:39 pm »

There are changes to the OpnSense kernel that are not going to be in your FreeBSD kernel. Whether or not they are important is a different discussion, but it may cause issues.

If you really want to run this on the same hardware it should be run in a bhyve VM.

4

24.1 Legacy Series / Re: SNMP interface indexing bug(?)

« on: April 29, 2024, 10:39:47 pm »

I've witnessed this happening again so now I'm doubting the previous diagnosis. I think there's something wrong with the accounting of packets and octets for the ax driver on the DEC840. It doesn't seem to provide correct values for the ax1 interface.


edit: I wonder if these bogus errors are part of the problem too?

5

24.1 Legacy Series / SNMP interface indexing bug(?)

« on: April 29, 2024, 09:38:22 pm »

I've been adding additional monitoring to a network with OpnSense as the firewall and noticed a curious problem with the data I was receiving. The internet uplink / WAN is on interface ax1 and I was running network tests which should have shown multi-gigabit data transfer rates with my SNMP graphing and monitoring. However, it was not showing me this in the results. The correct data rates were found on the ax0 interface instead which is not possible because that interface is only gigabit.

I believe this situation was caused by my removal of the igb1 interface which was no longer being used. The igb interfaces are earlier in the SNMP IF-MIB::ifDescr table than the ax interfaces so this seems to make sense. My problem was resolved after restarting the snmpd service and running additional tests.

I think the correct solution here is to require a restart of the snmpd service every time an interface is created or destroyed to ensure the data being served is correct. However, this may produce interesting challenges for systems that only "walk" to learn the SNMP information periodically which I recall being the behavior of Observium/Librenms. I don't know if there's a good solution for that other than recommending that admins are aware they should manually run the SNMP discovery mechanism after interface changes on OpnSense to ensure their monitoring and graphing stays consistent with reality.

6

24.1 Legacy Series / Re: SNMPv3 not working

« on: February 05, 2024, 05:39:20 pm »

If I attempt to login and manually create the user I get the following error, so it's a compile-time issue with net-snmp

Code: [Select]

# net-snmp-config --create-snmpv3-user
Enter a SNMPv3 user name to create:
snmpro
Enter authentication pass-phrase:
REDACTED
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]
REDACTED
adding the following line to /var/net-snmp/snmpd.conf:
   createUser snmpro MD5 "REDACTED" DES "REDACTED"
adding the following line to /share/snmp/snmpd.conf:
   rwuser snmpro
touch: /share/snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /share/snmp/snmpd.conf: No such file or directory


7

24.1 Legacy Series / SNMPv3 not working

« on: February 05, 2024, 05:31:09 pm »

Hello,

After upgrading to 24.1 my SNMPv3 user no longer works. If I add in a community and try to snmpbulkwalk with v2 it works fine, but with SNMPv3 it always gives me an error.

Code: [Select]

Error in packet.
Reason: authorizationError (access denied to that object)
Failed object:

I've checked multiple times and the username, SHA, and AES settings are all correct. They just don't work.

8

23.7 Legacy Series / os-frr configuration is very limited

« on: December 31, 2023, 01:07:44 am »

Please expand the configuration options for os-frr or allow us to edit the config file as there is a ton of missing functionality. I really want to use peer groups so I can connect peers/neighbors and accept announcements from any address in a given subnet which is a fairly normal deployment option but this is not possible due to the severely limited configuration.

9

22.1 Legacy Series / Re: Second Wireguard "Local" non-functional after boot

« on: May 26, 2023, 04:00:46 pm »

Sorry about the late reply, but this problem has been resolved for a while. I'm not sure which Opnsense update fixed it, but it did.

I was experiencing this with both wireguard-kmod and wireguard-go

10

23.1 Legacy Series / Re: 23.1.8: axgbe driver unstable, link flapping

« on: May 26, 2023, 03:42:19 pm »

there may be some VLAN 0 voodoo going on?

I have confirmed there is vlan0, if anyone is curious

Code: [Select]

13:41:09.525982 a0:f3:e4:63:0b:7b > f4:90:ea:00:62:2e, ethertype 802.1Q (0x8100), length 70: vlan 0, p 0, ethertype IPv4, 78.192.134.61.13103 > 75.13.68.65.13000: Flags [R.], seq 1, ack 59, win 509, options [nop,nop,TS val 3436954555 ecr 1177160148], length 0
13:41:09.553622 a0:f3:e4:63:0b:7b > f4:90:ea:00:62:2e, ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, 94.102.61.38.50380 > 75.13.68.70.5004: Flags [S], seq 794064754, win 65535, length 0
13:41:09.605744 a0:f3:e4:63:0b:7b > f4:90:ea:00:62:2e, ethertype 802.1Q (0x8100), length 180: vlan 0, p 0, ethertype IPv4, 205.251.197.161.53 > 172.13.126.189.32944: 2930 NXDomain*-$ 0/1/1 (134)


11

23.1 Legacy Series / Re: 23.1.8: axgbe driver unstable, link flapping

« on: May 26, 2023, 03:39:57 pm »

To limit the exposure of the previous patches perhaps this can help? https://github.com/opnsense/src/commit/fb81510bd

To install...

# opnsense-update -zkr 23.1.8_1

This kernel is working. The interface is not flapping now.

12

23.1 Legacy Series / Re: 23.1.8: axgbe driver unstable, link flapping

« on: May 26, 2023, 03:32:20 pm »

The SFP+ module is SFP-10G-T from FS.com that is Juniper coded

https://www.fs.com/products/73107.html?attribute=27&id=425

13

23.1 Legacy Series / Re: 23.1.8: axgbe driver unstable, link flapping

« on: May 26, 2023, 05:16:17 am »

No netmap, no VLANs on that interface. That's my A&TT upstream interface and I know I had to turn off hardware vlan filtering because I'm bypassing their CPE hardware and there may be some VLAN 0 voodoo going on? I may have to capture some packets and see what they look like.

I will get you the exact model of the SFP+ module tomorrow

14

23.1 Legacy Series / 23.1.8: axgbe driver unstable, link flapping

« on: May 25, 2023, 06:28:09 pm »

The changelog says:

Code: [Select]

src: axgbe: fix link issues for gigabit external SFP PHYs and 100/1000 fiber modules
src: axgbe: apply RRC to miibus attached PHYs and add support for variable bitrate 25G SFP+ DACs
src: axgbe: properly release resource in error case

My dmesg with this kernel shows one of my links constantly flapping:

Code: [Select]

ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN

Booting into the previous kernel fixes it.

My hardware is the official DEC840

15

23.1 Legacy Series / Unbound: allow configuring cache-max-negative-ttl

« on: April 14, 2023, 10:02:06 pm »

Dropping the negative cache TTL as low as possible is really useful.

e.g., I try to resolve a host that's been offline for a while, then boot up the machine. It gets an IP from DHCP, sets its hostname, and now Unbound should know about it. But it doesn't return any results because there's a negative cache entry still there.