Messages - stefan00

#1
ifconfig:

root@DEC3850:~ # ifconfig -m ax0
ax0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: ax0hw (opt12)
        options=4e503bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        capabilities=4f503bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether f4:90:ea:00:64:37
        media: Ethernet 10GBase-KR (10GBase-SFI <full-duplex,rxpause,txpause>)
        status: active
        supported media:
                media autoselect
                media 100M-SGMII
                media 100baseTX
                media 1000Base-SGMII
                media 1000baseT
                media 1000baseSX
                media 1000baseLX
                media 1000baseCX
                media 1000Base-KX
                media 10GBase-SFI
                media 10Gbase-T
                media 10GBase-KR
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@DEC3850:~ # ifconfig ax0 media 10GBase-KR
root@DEC3850:~ #

no error ;-)
#2
Hi Cedrik,

thank you for the fast reply.

Yes, I have removed my "personal" (old) tunings, but that might have been after the log dump I posted.

However, it did not make a difference after reboot.

The system is not a new install. It has been running for a couple of years. The only change this weekend was installing a new switch at the location in order to upgrade to 10G. The DEC3850 itself has previously been running 10G fine in another location, but this was some years ago - so many Opnsense / FreeBSD releases back in time.
#3
Hi everyone,

I have a very strange issue with a recent Opnsense setup. In short:

The AX0 10G interface will not come up after a reboot, throwing an error. When I enter the interface settings and press "apply", the interface comes up.

Hardware Setup:

- Router: DEC3850, Opnsense 26.1.2_5
- Switch: Zyxel XGS2210-52HP
- Client: Mellanox CX311A @ Debian Host, Intel I5-7800 CPU, 8GTx4 link speed
- connected via 10G DAC cables

(For testing purposes, I eliminated the switch and plugged the client directly into the router. Same issue.)

(1) Connectivity

Connectivity / driver selection: I can only get the DEC3850 link 10G to the switch by selecting "10GBASE-KR" in Opnsense as speed/duplex model. Twinax DAC is not available.

In the system log right after boot, there is one obvious error:

2026-02-22T17:52:15 Error opnsense /usr/local/etc/rc.bootup: The command </sbin/ifconfig 'ax0' media '10GBase-KR'> returned exit code 1 and the output was "ifconfig: SIOCSIFMEDIA (media): Invalid argument"

(2) Performance once up

The issue might be linked. Even when up, I mostly get only about 1.5 Gbit/s throughput testing with iperf3 running ON the Opnsense box. It MAY spike up to 4 Gbit/s. It may even spike up to 7 Gbit/s.

This is vague since iperf3 is running on the router itself, but on other opnsense boxes I usually get 5-7 GBit/s even when running iperf3 on the router. Unfortunately, I did not have the chance of testing THROUGH the router due to the lack of additional 10G hardware at this specific location.

However, WAN speed also seems to be decreased to around 700Mbit (1G Cable downlink)

To sum it all up

This is strange. My primary suspects are:

(1) The DAC cable?

(2) Drivers in Opnsense?

It would be great if anyone has an idea of what to look at next. I never had such a strange problem with 10G networking. I am happy to provide more information.

Best & thanks,
Stefan


Attachments:

- syslog
- HWProbe at https://bsd-hardware.info/?probe=c67f01f83f

(edit: attached system.log)

#4
General Discussion / Re: os-rfc2136 - documentation?
December 16, 2025, 12:52:39 PM
+1

I use it.

However, the ddclient plugin provides the "nsupdate" method. According to the documentation at https://ddclient.net/protocols.html that should do it, but might require editing ddclient's config files? Never tried.

I like the os-rfc2136 plugin because it works out of the box and I can set TTLs.
#5
General Discussion / Re: website update looks great!
December 14, 2024, 02:31:36 PM
first of all: Thanks for a fresh look :)

I know how much work this is.

Just a few personal notes for desktop view, some already repeated:

- Readability is not great. Body (article) Text sizing indeed needs improvement.
- Is it really a good idea to have body (article) text on a grey background? Despite the size, that degrades readability.
- The type face runs pretty wide by nature. That also does not improve readability.

All that being said, in my personal opinion the official OPNsense documentation - which uses the same type face - is much more readable.

Just my 2 cents :)
#6
So I understand this problem is technical / development related and can not be changed.

It was just an idea from a pure user's perspective to eliminate those ahead numberings and not knowing which product is based on what without reading notes. Maybe one day.

Sorry for noise guys :)



#7
Quote from: franco on December 10, 2024, 02:25:26 PM
We can't have the same numbers.

I see, this gets confusing here. I simply don't have the background to understand why you can't have the same numbers :)

Example thought with some initial release dates in mind:

Would it be a problem to release 24.7 Business Edition in October based on 24.7 Community Edition released in July?

Any drawback on this?
#8
@Franco: I do know all the facts, that's why this is my idea for mid term future release cycles.

Take the forum itself: There, the 24.7 prod series board is now labeled 24.7, 24.10 although 24.10 CE is not even out yet. Confusing already, but what as soon as 24.10 CE comes out ;-)?

I guess you get my point:

For example, labeling the BE on its actual CE BASE would be more consistent and intuitive to users.

LTE releases of software do that too, they are not ahead of something.

As said, that's just an idea and I'm sure you have more thoughts and logic behind this.
#9
Hi folks,

I don't know if this is the right place to ask, but anyway:

It's really hard to easily distinguish between business and community edition releases. For example right now, CE is currently at 24.7x while BE is at 24.10x

This indicates to the user that BE is ahead in development and features, which is not the case.

Since BE is a toughly tested product based on a CE release, it is clear and logical that it must by nature be behind the CE release which it is based on.

I think this confuses many users, including myself sometimes. Yes, I do know about the release cycles and I read the release notes of the BE series which indicate the CE base. But not everyone does, especially not new users.

Could there be a cleaner and more intuitive way - maybe starting with the 25.x series?

best & thanks,
Stefan

PS: I personally use both. I happily pay for 2 BE subscriptions because I like the idea of supporting the project, although I sometimes even switch to CE on the BE "licensed" machines because there is a feature "I want now" :)
#10
Quote from: dseven on December 08, 2024, 09:38:17 AM
https://forum.opnsense.org/index.php?topic=30962.0

P.S. There's been some discussion recently about state tracking for ping. It's fairly loose... so stopping ping and starting another one between the same hosts can continue to use a session established by the first ping.

so the behavior seems to be ping host OS / implementation specific?

Tested right now on a Mac everything works fine: Toggling on/off a block rule is reflected right away as long as ping is restarted between:

for ((;;)) { ping -c 1 -t 1 9.9.9.9 | grep "0 packets\|from" ; sleep 1 ; }

# note: zsh, ping / grep command notation for MacOS
#11
24.7, 24.10 Legacy Series / Re: IPv4 vs IPv6 ratio
December 06, 2024, 02:11:06 PM
Off Topic: Very nice idea for a widget. I would definitely enable that too  :)
#12
Just checked on a OPNsense VM. Setup of this VM: Pure LAN client (other box on this network advertises stateless)

Two findings, not to mix up:

(1) VTNET (parent) interface enabled and assigned, both IPv4 and IPv6 config types set to "none": Interface does not receive an IPv6, only link-local

(2) unassigning the interface without disabling it first: status active, full IPv6 assigned (nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>).

After rebooting, everything is fine (if down, no IPv6). So it seems changes do not properly reflect right away. That might indeed be worth a bug report but should be double-checked by someone running a recent version (older install on this VM here).

Edit1: Additionally, I think this whole thing would be more clear if interfaces->overview would have 4 colored "plug" icons for the 4 displayed states (up, up disabled, down, down disabled) - which are currently only visible while hovering with the mouse - so not on a tablet.

Edit2: checked across reboots
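
Added example, not part of the original post: a small sh/awk check that reads `ifconfig` output and reports which interfaces carry the ACCEPT_RTADV nd6 flag described in finding (2). The function names `nd6_audit` and `sample_ifconfig` are hypothetical, and the sample input is constructed around the two `nd6 options` lines quoted on this page.

```shell
#!/bin/sh
# Added example, not from the original post.
# nd6_audit: read `ifconfig` output on stdin and print, per interface,
#   "<iface> 0x<nd6 options> <verdict>"
# verdict: accepts-ra             ACCEPT_RTADV set, IPv6 not disabled
#          ra-flag-but-ifdisabled ACCEPT_RTADV set together with IFDISABLED
#          no-ra                  ACCEPT_RTADV not set
nd6_audit() {
    awk '
        # Interface blocks start in column one: "vtnet0: flags=..."
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        match($0, /nd6 options=[0-9a-f]+<[^>]*>/) {
            # Keep "23<PERFORMNUD,..." (12 = length of "nd6 options=", drop ">")
            s = substr($0, RSTART + 12, RLENGTH - 13)
            split(s, p, "<")            # p[1] = hex value, p[2] = flag names
            n = split(p[2], f, ",")
            ra = 0; off = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "ACCEPT_RTADV") ra = 1
                if (f[i] == "IFDISABLED")   off = 1
            }
            verdict = ra ? (off ? "ra-flag-but-ifdisabled" : "accepts-ra") : "no-ra"
            print iface, "0x" p[1], verdict
        }
    '
}

# Constructed sample: the nd6 lines are the two quoted on this page,
# the "flags=" header lines are shortened stand-ins.
sample_ifconfig() {
    cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
ax0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
EOF
}

sample_ifconfig | nd6_audit
```

On a live box, `ifconfig | nd6_audit` gives the same report for the real interfaces; an unassigned interface showing `accepts-ra` is the state described in finding (2).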
#13
VLAN: You don't have to disable the parent interface. Indeed in all my use cases I have it enabled (HW settings etc).

Example config for VLANs:

hardware interface settings:

(1) enable the interface

(2) set both IPv4 and IPv6 Configuration Type "none" *)

(3) adjust hardware settings as needed

VLAN setting:

(4) create your VLANs

(5) assign your hardware interface as parent

Assignments:

(6) assign / add the VLAN interfaces


*) note: The interface will still have a link-local IPv6. That's correct.
#14
Quote from: open on December 04, 2024, 05:50:19 PM
Thanks - my Details looks different

This is not very helpful - can you post a screenshot?

Quote from: open on December 04, 2024, 05:50:19 PM
For now - I got the problem that the radvd crashes.

You need Router Advertisements. Without at least one router delivering RAs (radvd), an IPv6 network cannot run properly.

Two short reads on it:

https://networkengineering.stackexchange.com/questions/82652/is-possible-to-use-dhcpv6-without-slaac

and with some more detail:

https://blogs.infoblox.com/ipv6-coe/why-you-must-use-icmpv6-router-advertisements-ras/

It would have been very helpful to know in the first place that your RA daemon is broken  ;)

---

Bottom line:

(1) get Router Advertisements working on both of your interfaces (LAN networks)

(2) start with RA default settings, try RA mode "stateless" (I don't know what OPNsense's default setting is) and walk your way up from there as needed.
#15
forgot to ask: what is your router advertisement mode setting on your client (LAN) interfaces?