Messages - isamudaison

#1
22.7 Legacy Series / ddns - os-ddclient, 22.1 vs. 22.7
September 24, 2022, 12:42:36 AM
I'm currently running OPNsense 22.1.10 - there is a message under Services -> Dynamic DNS (legacy) to "Please make sure to upgrade to 'os-ddclient' before 22.7 is released"... OK, I've tried installing that plugin (os-ddclient) and got the following error:

***GOT REQUEST TO INSTALL***
Currently running OPNsense 22.1.10 (amd64/OpenSSL) at Fri Sep 23 15:39:48 PDT 2022
Installation out of date. The update to opnsense-22.1.10_4 is required.
***DONE***

Chicken or the egg?
#2
I recently noticed my wifi connection was oddly slow/sluggish. After some time rebooting/upgrading my WAP, I found that at pfsense the link speed was running at 100Mb. This used to be running at "Unknown" (2.5Gb) and was quite speedy.
Somewhere along the way something either broke (on the NIC itself) or a driver got updated in whatever BSD base this is running on 22.1.7.
For now, I am trying to get BSD to show me what it thinks the media capabilities are for the interface.
Running this command:
ifconfig ix1 media
by all accounts should show me, but instead this is what I get:
root@OPNsense:~ # ifconfig ix1 media
ifconfig: 'media' requires argument

Am I missing something here?
#3
I too found this after an upgrade from 22.1 to 22.1.1-1... After the initial reboot nothing outside of my LAN would load (as if the firewall or dns wasn't working correctly)... I reloaded pf service and got partial working behavior, but 'some' things were extremely slow. An additional reboot cleared everything up.
#4
22.1 Legacy Series / Re: IPv6 working properly???
January 30, 2022, 07:26:44 PM
I have 6rd w/ my ISP and I completely gave up on getting it to work with this release; DHCP6 and RA don't behave as expected and routing with subnets/VLANs seems very broken when enabled.
#5
I'm seeing a smattering of the following:

RA
PA
FPA

I only ask about these because there are certain apps on my phone that don't seem to be working and there seems to be a correspondence with these block entries.
#6
It seems to be randomly affecting all my interfaces, more examples:

Rules for my WIFIIOT firewall interface:



Edit: looks like the 'img' tag isn't working: https://ibb.co/717M4p6

Entry in the firewall log showing it blocking for some reason:



Image of blocking: https://ibb.co/0MY3g4s

I feel like I'm taking crazy pills!
#7
22.1 Legacy Series / Re: DHCP send option not sent
January 28, 2022, 02:56:02 AM
For my VLAN firewall rules, I found I had to remove the 'gateway' associated with the 'allow any' rule for traffic to correctly flow outside my network from said VLAN.
#8
I've been seeing very random firewall enforcement with 22.1 of the 'default deny all' rule when it surely should not be.

The 'default deny all' rule is the auto-generated one, that (according to the UI) should be evaluated 'last', therefore any rule tagged as 'evaluate first' should win over it.

I have an interface called LanSecondary, that has as a floating rule the default, 'deny all' rule (as is usual). I also have the 'allow all' rule such that:

IPv4 * LANSecondary net * * * * *


This states that any traffic with a source of something on the LanSecondary network should be allowed to pass 'wherever', am I correct in that assumption?


I'm seeing occasional firewall entries as such:

LANSecondary 2022-01-27T17:45:42-08:00 192.168.2.53:41968 142.251.33.74:443 tcp Default deny rule

Which is blocking traffic that is on the LanSecondary interface, with a *source* of a client on the LANSecondary network, going to 'wherever'. Am I crazy or is this explicitly the condition that should be PASSED due to the defined rule on the LANSecondary interface?
#9
I've just finished setting up 22.1R2 from scratch and here are my findings:

- Kernel panic that completely crashed the host (dump sent to devs)
- Incomplete/broken 'automatic rule' creation for IPv6 -> I had to go in and un-check & then re-check the "enable IPv6" checkbox, then re-save for the rule to properly get created (spent a good couple hours trying to figure that one out; randomly stumbled on a forum post from 2018/19 I believe where someone figured that one out)
- Broken dynamic DNS by way of ddclient; I use no-ip and it simply doesn't work (had to revert to the old dyndns client)
- Firewall rules on which one previously had to specify a gateway to allow WAN traffic (e.g. when setting up VLANs) no longer work that way; gateways should apparently all be set to 'default' now for these rules

All told, I spent a good ~8 hours troubleshooting very, very random issues. Aside from that, performance is snappy!
#10
Quote from: Fright on January 25, 2022, 06:26:17 AM
@AdSchellevis pointed out the place in the source code where this call is used. The legacy_interfaces_details function is used quite widely, so I don't think that not using a couple of widgets can completely get rid of the problem

I can confirm removing the 'interface status' widget eliminates the issue.

Quote from: franco on January 25, 2022, 07:21:14 AM
We were hoping FreeBSD 13 would behave better but now we're putting our workaround back for 22.1. The problem is this is either a hardware or driver issue. Generally, we don't recommend the Intel ixgbe-driver based cards at all.


Cheers,
Franco

Unfortunately there aren't a lot of options for multi-gigabit ethernet-based cards :/
#11
It appears if I don't have the dashboard page open the spikes don't happen either... I guess that works lol
#12
21.7 Legacy Series / Re: Weird CPU useage
January 24, 2022, 08:34:31 PM
Quote from: johndchch on November 10, 2021, 05:17:39 PM
Quote from: AdSchellevis on November 10, 2021, 10:43:09 AM
For future setups if possible I would prefer an Intel x700 series card (ixl) as these have been proven to be stable in our experience.

Given I can buy x520-da2 or x540-t2 for about US$70, whereas an x710-t2 is about US$600, I don't think this is a viable 'fix'

Anyone running the 22.x beta able to confirm if the issue is present on freebsd13? (Update - just saw your comment on github that it is indeed better on 22/freebsd13 - sounds like that is the proper 'fix')

I've run into this on 22.1RC1 ( https://forum.opnsense.org/index.php?topic=26478.0 ) and it is indeed still an issue...
#13
Ok, so it looks like it IS a known issue, and 22.1 isn't a fix at all. I'll downgrade to 21.7.5 and verify that fixes the issue (I also updated the firmware on my NIC and that didn't help at all either).
#14
OK, I've re-created this condition. Executing `ifconfig -m -v` lists available interfaces, and seems to hitch on the ix interfaces (I'm assuming this is causing the CPU spike). I would guess an issue with the ix driver used in this version? Removing VLANs from the interfaces has the same problem, so it's not that.
#15
I was able to capture this:

last pid: 14419;  load averages:  0.83,  0.73,  0.52                                                                                                                                       up 1+15:00:13  09:56:33
131 threads:   4 running, 113 sleeping, 14 waiting
CPU:  3.3% user,  0.0% nice, 16.4% system,  1.5% interrupt, 78.8% idle
Mem: 71M Active, 90M Inact, 979M Wired, 700M Buf, 6679M Free
Swap: 8192M Total, 8192M Free

   THR USERNAME    PRI NICE   SIZE    RES STATE    C   TIME     CPU COMMAND
100004 root        155 ki31     0B    32K RUN      1  38.6H  91.68% [idle{idle: cpu1}]
100003 root        155 ki31     0B    32K RUN      0  38.0H  66.52% [idle{idle: cpu0}]
100391 root         20    0    13M  2932K CPU0     0   0:00  25.40% /sbin/ifconfig -m -v


However the bsd ifconfig manpage doesn't seem to list those shorthand params? Possibly something to do with VLAN mode changes?