Messages

So ever since i updated to 25.7.2, my opnsense router (link to pcpartpicker page for the router build - AM4 motherboard, 256GB nvme drive and 5600GT) just stops responding or doing anything every few hours, needing a hard reboot. I was able to grab some logs, that i'm attaching. Just to time things - the issue happened a couple of times to my memory: 28-Aug 17:30ish local time and 29-aug sometime before 09:00 local time. (I removed the 'notice' and 'information' lines to keep is small enough to upload here).

I was able to get an alternate opnsense box i had with an older version and am currently running 25.1, but I'd really like to figure out what happened if possible. Unfortunately, the opnsense box that had this issue is no longer recoverable (while attempting to solve the issue, i seem to have wiped the hard drive somehow), but I'm now afraid to upgrade past 25.1

It's unrelated to this particular issue.

Oh, Really? My bad then, unfortunately  the below was the only error i saw in the audit logs, everytime i needed a hard reboot.

Code Select Expand

Script action failed with Command '/usr/local/opnsense/scripts/filter/pftablecount.py ''' returned non-zero exit status 1

So, my router has been randomly disconnecting or basically not doing any of it's jobs. Happens a couple of times a day. OP Error is the only error I could find in the logs.

I applied the patches. It was ok for a bit but now it's not even rebooting at all. Something completely nuked the drive i had (The router was using a AM4 motherboard with a 5700 processor and a 256GB nvme drive). I reverted to the dec750 i had which had a muchh older (24.1) version running for now. I'm not sure what went wrong or when I can update, but now i'm scared to update.

I did try that. As you suspected, it didn't really make much of a difference. The odd thing is, getting **to** the firewall i can hit line speeds. And i watched all the cores during the speedtest and there were only a few brief peaks of no more than 50% each CPU.

[however]

i was able to return the 10gtek module and get one from fs.com. Thank you. It is working a lot better. CRS309 is actually the one i'm using as my main switch (it then connects downstream to a netgear switch via sfp+ for Wifi and IOT stuff).

I do have a new problem though: When connecting the fs.com SFP-10G-T and cable from my ISP box directly to my computer i am fully able to saturate the 8Gbps speeds from my ISP via a speedtest. I am also able to get near 10Gbps, and about 6Gbps to DEC740 using iperf3. however I cannot for the life of me go above 6Gbps or so on speedtest through the DEC740 to the internet. Just to re-iterate:

1. Internet connected directly to Desktop using RJ45 cable and SFP-10G-T from fs.com = 8Gbps
2. iperf3 test to router from desktop using DAC cable = 9.5Gbps
3. Internet connected to DEC740 which in turn is connected to router using DAC cable (same as #2) = 6Gbps

why is #3 so low? The oddest thing is #2 is high as i'd expect, meaning the actual connection to the router is perfectly fine. The specs said that DEC740 is able to do upto 8.5Gbps,and aside from 4 NAT rules and Adguard home, i'm not running anything else. And CPU usage never goes above 50% either way.

Unless the firewall portion doesn't get hit when I do the iperf test to the dec740 itself and that device is actually not capable of 8Gbps speeds with my settings? I tried just connecting a cat7 cable, and although i was able to get a bit higher (actually hitting 6 and 6.1), still not able to reach the 8Gbps speeds i saw when directly connected.

[only]

Tl;DR is, my ISP's "handoff" involves an XGSPON box that only has an "RJ45" jack that is wired for 10GbE. Idk what is the best way to connect. So far my options are:

• 10GBASE-T SFP+ module: I tried the 10gtek one with really bad results (unreliable speeds in one direction - it would go down to double digit Mbps). I'm also worried about heat and power usage as the DEC740 is an embedded appliance and is fanless.


• Media converter


• Unmanaged switch: qnap qsw-308-1c includes a 10gb combo port.
• Managed switch: by far the most expensive option

I like the SFP+ module option, as an extra switch and/or converter is one more point of possible failure, but I'm worried about the heat and power usage on an appliance device like DEC740.

I would like, if possible to get reliable speeds with as low latency as possible. The RJ45 cable I'll be using is cat6 of about 13m.

[XGSPON]

 First off, my internet speed is 4Gbps both ways and i have a DEC740 (the older model)

For a start here's what my network diagram looks like:

XGSPON <---Cat5/5e cable (yea i know)---> QNAP QSW308-1c <---10Gtek DAC cable --> ax1 port on DEC740

ax0 port on DEC740 <---10gtek SFP+ module---- fs.com OM3 cable--- 10gtek sfp+ module---> miktrotik crs305 <--- Intel x520 card  on desktop.

I upgraded to multi-gig and thus connected ax1 for the first time yesterday. Once I had everything connected, in fact I can get 3800/3800 or more, and have gotten it more than once. However, the issue is, more often than not, the upload speed for speedtest goes down to 200Mbps or even lower. If i do 10 tests 1 or 2 will give 3500+ each way the other will give like 3700/150. I initally had RSS enabled which was causing other issues so I have since removed that.

As for settings, except for an extra vlans on LAN side and adguard, both of which i've been using from the get go without any issues: everything else is standard DEC740 config.

Some notes:

• prior to upgrading to 4Gbps i had a 1Gbps plan, at that point i was using the cat5 cable directly connected to a 1Gbe port on the DEC740 and could consistently get 950+ both ways. This all started yesterday when I connected the ax1 port for the first time (prior to this I had never used that port).
  
• i have tested with iperf3 from the router to my desktop and I do in fact get 9Gbps one way and 6Gbps the other way - I suspect the issue with that latter is because the router isn't able to write to disk fast enough to download over 6Gbps to the disk, which is fine and both are over the 4Gb i'm expecting, at any rate
• I had tested a 10Gbase-T module on ax1, and ended up having the same issues, without changing anything else my upload speeds were suddenly very slow.
• i have connected cable directly from XGSPON to my computer, entirely  bypassing the DEC740 with absolutely no issues.

so far I've settled on ax1 being broken, possibly. Because everything else seems to work, and I have no other explanation.

ETA: I finally figured out how to physically  connect the router directly to my PC via the problematic ax1 port, and assign it to LAN. I did an iperf test to the router (router is iperf server), I generally don't expect to see more than 6Gbps. The big issue was traffic coming out of ax1 rather than going in, which should be the reverse option (ie my computer recving data) right? i was able to get 6Gbit, or more, which is far more than the <200Mbps i see in that direction to the internet.

So, i have no idea what's going on.

so my mikrotik is setup like this:
Vlan Tab:
Trunk (to opnsense): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable. Member of vlans: 1,3
Access (to computer): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable [the computer should be on vlan1 as well]., member of vlans: 1 only.

I followed their guide for this, and there seems to be no other way to actually label something as a "Trunk port" just make sure it's a member of all the relevant vlans.

Right now the trunk works, it carries both tagged vlan03 traffic and untagged traffic (that is intended for Subnet01).

The problem is, i think, this line from CRS's docs:  Default VLAN ID must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for the certain port.

How does the Switch know which is an access port and which is a trunk port? Is it just untagging "all egress traffic" for PVID (i.e. vlan1) for that port? there doesn't seem to be a way to tell the switch "this is a trunk port don't untag egress traffic". or shd i just assign a random PVID so it only untags that VLAN ID and leaves the vlan ID 1 alone?

The port to the router is configured as such: allows tagged (vlan01 and vlan03)&untagged traffic. and whatever this means:

Default VLAN ID [(Specified as vlan01)] must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for the certain port.

which should work, as it is working without the vlan01 tagging. (note: mikrotik switch)

1. Yes. Using mixed tagged / untagged is not recommended because of FreeBSD limitations.
2. Create the VLAN, then switch the 'LAN' assignment from the parent to the new VLAN.
3. No need. Rules are bound to the lan / wan / optx names, not to the actual interfaces / VLANs.

Cheers
Maurice

well i tried that, and vlan01 went completely down. THankfully i was able to restore previous config using console cable. That sounded like a good idea but there's clearly a step missing?

When I first ventured into vlans, obviously I didn't know much and was experimenting (I still am very new). I just created vlan03 for my iot stuff. It's worked fine so far. My question is, the switch and my WiFi AP expects vlan01 to be tagged as such but In opnsense, there is no vlan01. The port on the switch to opnsense just tags untagged incoming as vlan01, IE opnsense is on a hybrid access/trunk port. Two questions:

1. Should I change this. Is there any good reason to do so?
2. Regardless of the above answer, what's the best way if I wanted to anyway? The vlan01 IP addresses are already assigned to the parent interface, so I can't just put them on vlan01 and turn it on, so I'd have to connect via serial and then disable the DHCP on parent then turn on vlan01? Or assign another temp address etc.
3. Is there an easy way to copy all nat and firewall rules over from parent?

I have just the defaults. drill and drill -T gives the correct responses when used vvia command line for e.g. facebook.com results in a response of 0.0.0.0