Messages - QuisaZaderak

#1
I changed my Azure B2s_v2 to a D2s_v5 and enabled Accelerated Networking. But even after several reboots I still see VLAN_HWCSUM, VXLAN_HWCSUM and VXLAN_HWTSO on the hn1 device 😭
#2
Hi all,

I am running OPNsense 26.1.6 on an Azure VM and I am trying to use Zenarmor.
However, the Zenarmor engine stops shortly after startup with this error:

netmap_register_if: hn1: failed to disable offloads for interface

I already disabled the usual hardware offloading options under System > Settings > Networking and also enabled interface-level hardware override on the LAN interface.
The following options are disabled:

  • Disable hardware checksum offload
  • Disable hardware TCP segmentation offload
  • Disable hardware large receive offload
  • Disable VLAN hardware filtering

I rebooted the firewall after applying the changes.
I also tested both native and emulated netmap modes in Zenarmor, but the result is the same.

The problem is that ifconfig hn1 still shows offload-related capabilities after reboot, including:

VLAN_HWCSUM, VXLAN_HWCSUM, VXLAN_HWTSO

MTU is 1500, so that does not seem to be the issue.

My question is:
Has anyone successfully run Zenarmor on OPNsense inside an Azure VM / Hyper-V hn interface and found a way to fully disable the remaining offloads so that netmap can start correctly?

I would especially like to know:

  • whether there is an additional OPNsense tunable or loader/sysctl setting required for hn interfaces
  • whether this is a limitation of the Azure/Hyper-V network driver
  • whether anyone has a working Azure VM configuration for Zenarmor with hn interfaces

Any advice or working example would be greatly appreciated.

Thanks!
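
A way to run the check described in the post above, added here as an example that is not part of the original post: FreeBSD's ifconfig prints currently enabled features on the `options=` line and, with `-m`, the driver-supported ones on `capabilities=`, and this script separates the offload flags found in each. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report offload-related flags from FreeBSD ifconfig output.
# SAMPLE is constructed for illustration (hex masks are arbitrary); it is
# not output from the poster's system.
SAMPLE='hn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8001a<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        capabilities=7e079b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,LINKSTATE,VXLAN_HWCSUM,VXLAN_HWTSO>
        ether 00:00:5e:00:53:01'

# offload_flags KEY
#   Reads ifconfig output on stdin and prints, space-separated and sorted,
#   the checksum/TSO/LRO/VLAN-filter flags found on the "KEY=" line.
#   KEY is "options" (currently enabled) or "capabilities" (supported by
#   the driver, shown only with `ifconfig -m`).
offload_flags() {
    sed -n "s/^[[:space:]]*$1=[0-9a-fA-F]*<\(.*\)>.*/\1/p" |
        tr ',' '\n' |
        grep -E 'CSUM|TSO|LRO|HWFILTER' |
        LC_ALL=C sort |
        tr '\n' ' ' |
        sed 's/ $//'
}

# report TEXT: summarize what is still enabled versus merely supported.
report() {
    enabled=$(printf '%s\n' "$1" | offload_flags options)
    supported=$(printf '%s\n' "$1" | offload_flags capabilities)
    echo "enabled offloads:   ${enabled:-none}"
    echo "supported offloads: ${supported:-none (run ifconfig -m)}"
}

report "$SAMPLE"
# On the firewall itself: report "$(ifconfig -m hn1)"
```

Only flags on the `options=` line are active on the interface; a flag that appears solely under `capabilities=` is something the driver can do, not something it is doing.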
#3
26.1, 26,4 Series / Re: Suricata - Divert (IPS)
February 03, 2026, 08:45:42 AM
Quote from: phanos on February 02, 2026, 12:22:53 PM
"I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?"
If it is already blocked by the FW rule, it does not need to be diverted further.
#4
Did you solve it?
#5
22.1 Legacy Series / Re: Missing PPP logs from GUI
April 29, 2022, 09:28:15 PM
Thank you for the hint 👍
#6
22.1 Legacy Series / Re: Missing PPP logs from GUI
April 27, 2022, 01:01:50 PM
I have the same issue after. (pppoe)
#7
Hello everyone,

I have a total of 3 WANs connected to my OPNsense 22.1.4: 1x Starlink directly for the main load, without the Starlink router; 1x 6 Mbit ADSL2+ Telekom PPPoE on a DrayTek Vigor 165; 1x 5-15 Mbit LTE via a Mikrotik LTE modem.

IPv6 and PPPoE are not running very smoothly under 22.x at the moment, and I also have an additional problem with PPPoE: since the provider change/re-creation of the PPPoE device, my PPPoE log is no longer displayed.

One often reads that the PPPoE dial-in and the setting of VLAN ID 7 should definitely be handled by OPNsense for "more stable operation". But every now and then there are also posts saying that some people do let the modem dial in and it works.

One advantage of OPNsense PPPoE and VLAN ID 7 is that only 1 cable to the Vigor is needed to still be able to access its web interface.
One disadvantage of the above configuration is (temporarily) the current problems with IPv6 over PPPoE.

What are further advantages and disadvantages of leaving PPPoE/VLAN ID to OPNsense vs. letting the Vigor 165 modem dial in and having IPv4/IPv6 directly on the WAN port?

Regards

Manuel
#8
Problem still persists even after four days and two reboots.
#9
Hi,

today I had a provider change back to Telekom. With that the VLAN ID changed from 132 to 7. So I needed to delete the PPPOE device due to the recreation/change of the VLAN device.
I created a new VLAN 7 (named VLAN01 now) interface and recreated PPPOE and assigned it to WAN_DSL.
PPPOE is up and running. But the PPPOE log file kept the old content from the old PPPOE device with the VLAN 132 interface. So I selected "Clear log". The log disappeared.

But now the Point-to-Point -> Log File section stays empty (also after 2 reboots). No more recreation of the log file.

How can I fix / recreate this pppoe log file?
#10
Hi,

in 22.1.2_1 the option to enable debug output in the DHCPv6 interface config is no longer present.
My already working configuration of running IPv6 on the Starlink WAN adapter (and refreshing it by rtsol) stopped working. I do not receive any IPv6 configuration any more on this WAN port.
Even several reboots of Starlink and OPNsense did not resolve the issue. Still only an IPv4 address on this WAN port. IPv4+IPv6 on WAN for LTE and WAN for DSL are still received.

Tried lowering the prefix hint from 56 to 64 (and back again to 56), toggled all 8 possibilities of Request only an IPv6 prefix / Send IPv6 prefix hint / Use IPv4 connectivity. No success.

I want to look into the DHCPv6 communication on the Starlink WAN port to see why it no longer receives a valid IPv6 address / prefix. How to do this without the debug setting? Is the only way Packet Capture / tcpdump?
#11
Hi,

included in 21.7.8 there was also an updated version of maltrail, version 0.40, updating from 0.37.
I do not see any memory leak mentioned in the release notes of maltrail since 0.37.

Did anyone already try the new 0.40? Is the memory leak still present?

Best regards

Manuel
#12
Every time I try to run with 6.0.4 I see
<Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
then some warnings about unknown class types in emerging rules (also present in 6.0.3 log) and ~2 minutes later a
[101573] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:ix0-2/R failed: Cannot allocate memory

On the 6.0.3 run at this point I would see all messages from opened netmap on my devices like:
[100831] <Notice> -- opened netmap:igb6/R from igb6: 0x1d272dfc000
[100831] <Notice> -- opened netmap:igb6^ from igb6^: 0x1d272dfc300
[100879] <Notice> -- opened netmap:igb6^ from igb6^: 0x1d275b03000
[100879] <Notice> -- opened netmap:igb6/T from igb6: 0x1d275b03300
[100882] <Notice> -- opened netmap:igb1/R from igb1: 0x1d277d86000
etc etc
[101552] <Notice> -- all 12 packet processing threads, 4 management threads initialized, engine started.
[101552] <Notice> -- rule reload starting

So on 6.0.4 I'm missing all these messages above, as it crashes with out of memory before that.
#13
I have 16GB of RAM in this machine and ruleset / out of memory with Suricata was no problem until 6.0.4.
System is a dedicated 12 core Ryzen with 16GB RAM.

With 6.0.4 it crashes within 2-5 minutes. With 6.0.3 with the same ruleset / same policy it runs for weeks without issues and RAM usage is currently ~3,8GB of total 16GB for all services running (with Suricata 6.0.3 active). I have been using OPNsense since 19.1.x

There is one main policies rule and 34 rule adjustments active. Using ET Telemetry (44 of 50), ET Open (8 of 8) and Abuse.ch (5 of 5) Rulesets. A total of 94400 rules are reported by system.
#14
Since the upgrade to 21.7.6 (from 21.7.5_2) the Suricata 6.0.4 process crashes regularly. In the logfile I see errors, e.g.:

suricata[70864]   [101573] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:ix0-2/R failed: Cannot allocate memory

After that Suricata needs to be restarted. Memory usage of the system during that crash was: 35 % ( 5732/16270 MB ), so plenty of space free...

A rollback to Suricata 6.0.3 via opnsense-revert -r 21.7.5 suricata resolves the issue with memory.
#15
I created a custom configd action as recommended. And it works. Thank you for your fast replies.

https://docs.opnsense.org/development/backend/configd.html