Messages - JeroenS

#1
Dear franco,

Thanks for the fix.

I can confirm that the problem is solved.
#2
I am trying to set up a new VPN connection and want to see how the firewall is behaving in the log.

However the web interface is showing me nothing even though I have rules enabled to be logged.

In the Backend log I get these errors when I try to view the logs.

2025-04-16T21:06:52 Error configd.py [b77a5230-2a2a-44ff-82b0-6322d482dba2] Script action failed with Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '1000' /digest ''' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 413, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '1000' /digest ''' returned non-zero exit status 1.
2025-04-16T21:06:52 Notice configd.py [b77a5230-2a2a-44ff-82b0-6322d482dba2] request filter log output
2025-04-16T21:06:51 Error configd.py [ea9623b7-2099-4bdf-a351-b0614a176364] Script action failed with Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '1000' /digest ''' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 413, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '1000' /digest ''' returned non-zero exit status 1.
2025-04-16T21:06:51 Notice configd.py [ea9623b7-2099-4bdf-a351-b0614a176364] request filter log output

Does anybody have any suggestions on how to fix this?
#3
Forgot to mention. Below is the current version.

Versions: OPNsense 25.1.4_1-amd64 / FreeBSD 14.2-RELEASE-p2 / OpenSSL 3.0.16
Uptime: 11 days, 11:58:56
Load average: 0.53, 0.54, 0.52
Current date/time: Tue Apr 1 8:51:34 CEST 2025
Last configuration change: Mon Mar 31 12:33:52 CEST 2025
#4
@franco,

Might this be the cause of what I am running into?

https://reviews.freebsd.org/rGbceec3d80a3caf9249e24247fb937674bf5b46b5

The description of this change assumes the other side has auto negotiation enabled.
But in my case, and the default behavior of many different types of network equipment, is that if auto negotiation fails, it will fall back to Half Duplex.

In my case I select 100Mbit Full Duplex because that is what the ISP has told me by phone/e-mail (negotiated with me).
#5
Recently I noticed the upload speed was way down to a couple of Mbit instead of the 100Mbit we have available from our ISP.

Connecting a laptop and setting it to 100Mbit Full Duplex, I am able to get the maximum speeds. (ISP requested this to rule out problems on their side.)

Diving into the Firewall, I found that there are a lot of send-errors and collisions:

[WAN] (igb1) / xx:xx:xx:xx:xx:xx
name: igb1
flags: 0x8843
mtu: 1500
network: <Link#2>
address xx:xx:xx:xx:xx:xx
received-packets: 661199209
received-errors: 7864642
dropped-packets: 0
received-bytes: 285018281085
sent-packets: 1126089150
send-errors: 8085228
sent-bytes: 1554259770561
collisions: 34849771

This indicates that the WAN interface is running in Half Duplex even though it is configured to 100Mbit Full Duplex.
In Full Duplex mode a collision is not possible and therefore the counter should be 0.


This reminds me of an earlier problem:
The Intel network card cannot work in full-duplex mode. In half-duplex mode

For some reason an interface set to a fixed duplex mode and speed was still doing auto negotiation (which fails, as the other network switch is also configured to fixed 100Mbit Full Duplex with auto negotiation disabled, and falls back to Half Duplex).

My provider will not budge to enable auto negotiation and they use this to limit our maximum speed.

Did somebody push again for enabling auto negotiation for all speeds and not 1Gbit and higher?
#6
Hi Franco,

I can also confirm that the patch solves the issue.

My colleague is able to login again with TOTP.

Thank you for the quick support and we look forward to the hotfix.
#7
Hey Franco,

Thank you for the quick response.

I have changed the file mentioned in the GitHub commit.
Tested, but was unable to authenticate.
Restarted the firewall. Maybe the PHP file was already loaded in a service, for example.
Tested again, still unable to authenticate.
Reverted the change and restarted again to make sure I am back in the original state.

Have to run now to bring kids to school.
#8
We have an OpenVPN server running for years now, using TOTP + LDAP authentication. This evening I have run an update on the firewall out of office hours to reduce the impact of the necessary restart.

The system is now updated to the following version:
Type: opnsense
Version: 24.7.10_1
Architecture: amd64
Commit: 426002340
Mirror: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Repositories: OPNsense (Priority: 11)
Updated on: Tue Dec 3 18:35:06 CET 2024
Checked on: Tue Dec 3 20:20:42 CET 2024

After the update I tried to log in via OpenVPN with the TOTP and LDAP user account. This failed.
Looking in the log files of OpenVPN I ran into this error:
2024-12-03T20:18:51   Warning   openvpn   user 'username_here' could not authenticate.   
2024-12-03T20:18:51   Error   openvpn   LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials]

I assumed there was a problem between the firewall and the LDAP server.
But using System: Access: Tester, the LDAP server responded that everything is OK and access is granted.

Reading the release notes I found that for version 24.7.9 hotfix 24.7.9_1 was released to tackle an issue with TOTP + local accounts.
This triggered me to test the following. I temporarily disabled the TOTP requirement on the OpenVPN server and only used LDAP for verification. This allowed me to log in successfully. Disabling TOTP is not a solution as this compromises security.

Might there also be an issue with TOTP + LDAP similar to what is already fixed with TOTP + local?
Is there a way to roll back to version 24.7.8 or 24.7.7 to get it operational again, as all employees are unable to work from home / in the field?

Thank you in advance for reading through my issues :)
#9
Dear Forum Members,

I got a colleague at my desk telling me that things are working, but according to the configuration in OPNsense, it shouldn't.

In our office we have a server running multiple dockers hosting several services for the company. As these services are all available on the same IP address on the network we have given them names to access them easily.

In Unbound you can configure host overrides, so for the server we have created the main entry with its IP address and created Aliases for all dockers running on the same machine. (This configuration was created years ago.)

Software running currently:
OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

Now when we look in the configuration web interface, we see that the Aliases list is empty.

We checked the /conf/config.xml file and see the following configuration for Unbound. I have anonymized the configuration. I tried to leave the links between the servers and the aliases as clear as possible. I am human so I may have made a mistake.

<unboundplus version="1.0.8">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats>1</stats>
        <active_interface/>
        <dnssec>0</dnssec>
        <dns64>0</dns64>
        <dns64prefix>64:ff9b::/96</dns64prefix>
        <noarecords>0</noarecords>
        <regdhcp>1</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>0</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>0</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
        <acl uuid="68592565-3f29-4495-a72a-3f0a7bd96df6">
          <enabled>1</enabled>
          <name>VPN</name>
          <action>allow</action>
          <networks>xxx.xx.xx.0/29</networks>
          <description>xxx.xx.xx.0/29</description>
        </acl>
      </acls>
      <dnsbl>
        <enabled>0</enabled>
        <safesearch>0</safesearch>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots/>
      <hosts>
        <host uuid="8da0b498-2c6b-4346-83be-bdf2c33a7c4a">
          <enabled>1</enabled>
          <hostname>Server1</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.6</server>
          <description>Server number 1</description>
        </host>
        <host uuid="3b33854b-b603-46f0-89c3-675ad92f53e9">
          <enabled>1</enabled>
          <hostname>Server2</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.7</server>
          <description>Server number 2</description>
        </host>
        <host uuid="37446fd9-d446-45e5-8915-6c0928de4f30">
          <enabled>1</enabled>
          <hostname>Server3</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.8</server>
          <description>Server number 3</description>
        </host>
        <host uuid="86f9388b-4012-412d-b975-22184b6782e6">
          <enabled>1</enabled>
          <hostname>Server4</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.9</server>
          <description>Server number 4</description>
        </host>
        <host uuid="3ce5fc46-9524-46e9-9ccc-2af6e8e3d21e">
          <enabled>1</enabled>
          <hostname>Server5</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xx.x.4</server>
          <description>Server number 5</description>
        </host>
        <host uuid="2809c99f-6d65-48a6-ac8d-ebe98e9d6faa">
          <enabled>1</enabled>
          <hostname>Server 6</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.10</server>
          <description>Server number 6</description>
        </host>
        <host uuid="c9b41479-e080-4a15-ad00-1d221fcd06ee">
          <enabled>1</enabled>
          <hostname>Server7</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.11</server>
          <description>Server number 7</description>
        </host>
      </hosts>
      <aliases>
        <alias uuid="a6d376d7-ea98-4974-9223-eb28595e0238">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername1Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="425ac57f-d4c8-4455-a5ae-3b68f5e05c63">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername2Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="805de89c-4009-48ad-a43b-87883bef6ef0">
          <enabled>1</enabled>
          <host>37446fd9-d446-45e5-8915-6c0928de4f30</host>
          <hostname>Othername1Server3</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c3e606f0-c52b-409e-855a-18857e2a1112">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername1Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c28c91af-26cc-4c4f-aa23-4bec97a0cc62">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername2Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="8dce8e47-3286-4cf2-adb2-e953cb8a0d6e">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername3Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c8cf1015-d7ed-4ff1-947c-6ef01d159b91">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername4Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="ad039ccd-8b0b-4bef-b2c0-7166bc2bb573">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername5Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="f4776e15-bb9a-4bdf-be5e-73d95e1c56da">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername6Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="bd23ecae-924b-4045-93d7-79377e144d32">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername7Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="a7f0d6ab-7704-42ad-9d33-54651a0e32a7">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername8Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="0edc5d41-c7cd-43d9-ac29-d3ec247f8fed">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername9Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="12769bf8-6da2-459a-8b07-58562acd9853">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername10Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="67db3a27-c4c9-49d7-965a-b2058cb760a9">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername11Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
      </aliases>
      <domains>
        <domain uuid="d2af4c71-4c90-4864-92d7-85e3d2a30031">
          <enabled>1</enabled>
          <domain>xyz.local</domain>
          <server>xxx.xxx.xxx.2</server>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <description>xyz domain</description>
        </domain>
      </domains>
    </unboundplus>


In the log file of Unbound DNS a lot of entries are shown for all the aliases. Below is one of the entries.
2024-01-19T22:31:03 Warning unbound PTR record already exists for othername6server7.xyz(xxx.xxx.xxx.11)

What could be the issue that it is not shown? Also, if we create a new alias, will we lose the other aliases?

Looking forward to elaborating on this issue.

Jeroen
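A small diagnostic for the situation in the post above, added here as an example and not part of the original post or of OPNsense: it reads the <unboundplus> section of config.xml, joins each alias to its host by the uuid in its <host> element, and reports what the Aliases tab should list, any alias whose host uuid no longer exists, and any hostname that is not a valid DNS label. The embedded XML is a constructed sample in the same shape as the posted config (documentation IP addresses, one deliberately orphaned alias); the uuids, hostnames and the regex are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <unboundplus> block above (not the
# poster's real config): three hosts (one with a space in its name) and three
# aliases, one of which points at a host uuid that does not exist.
SAMPLE_CONFIG = """<unboundplus version="1.0.8">
<hosts>
 <host uuid="3b33854b-b603-46f0-89c3-675ad92f53e9"><enabled>1</enabled>
  <hostname>Server2</hostname><domain>xyz</domain><rr>A</rr><server>192.0.2.7</server></host>
 <host uuid="2809c99f-6d65-48a6-ac8d-ebe98e9d6faa"><enabled>1</enabled>
  <hostname>Server 6</hostname><domain>xyz</domain><rr>A</rr><server>192.0.2.10</server></host>
 <host uuid="c9b41479-e080-4a15-ad00-1d221fcd06ee"><enabled>1</enabled>
  <hostname>Server7</hostname><domain>xyz</domain><rr>A</rr><server>192.0.2.11</server></host>
</hosts>
<aliases>
 <alias uuid="a6d376d7-ea98-4974-9223-eb28595e0238"><enabled>1</enabled>
  <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host><hostname>Ohtername1Server2</hostname><domain>xyz</domain></alias>
 <alias uuid="f4776e15-bb9a-4bdf-be5e-73d95e1c56da"><enabled>1</enabled>
  <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host><hostname>Othername6Server7</hostname><domain>xyz</domain></alias>
 <alias uuid="00000000-0000-4000-8000-000000000000"><enabled>1</enabled>
  <host>00000000-0000-4000-8000-00000000dead</host><hostname>Orphan</hostname><domain>xyz</domain></alias>
</aliases>
</unboundplus>"""

LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")  # one DNS label

def _fqdn(node):
    # Unbound logs names in lowercase, e.g. othername6server7.xyz
    return f"{node.findtext('hostname')}.{node.findtext('domain')}".lower()

def parse_overrides(xml_text):
    """Return (hosts, aliases): hosts maps host uuid -> (fqdn, ip, raw hostname),
    aliases is a list of (fqdn, referenced host uuid). Disabled entries are skipped."""
    root = ET.fromstring(xml_text)
    hosts = {h.get("uuid"): (_fqdn(h), h.findtext("server"), h.findtext("hostname"))
             for h in root.iterfind("./hosts/host") if h.findtext("enabled") == "1"}
    aliases = [(_fqdn(a), a.findtext("host"))
               for a in root.iterfind("./aliases/alias") if a.findtext("enabled") == "1"]
    return hosts, aliases

def aliases_per_host(xml_text):
    """What the Aliases tab should list: host fqdn -> sorted alias fqdns."""
    hosts, aliases = parse_overrides(xml_text)
    out = {fqdn: [] for fqdn, _, _ in hosts.values()}
    for fqdn, host_uuid in aliases:
        if host_uuid in hosts:
            out[hosts[host_uuid][0]].append(fqdn)
    return {k: sorted(v) for k, v in out.items()}

def dangling_aliases(xml_text):
    """Aliases whose <host> uuid matches no enabled host; these can never resolve."""
    hosts, aliases = parse_overrides(xml_text)
    return sorted(fqdn for fqdn, host_uuid in aliases if host_uuid not in hosts)

def invalid_hostnames(xml_text):
    """Host entries whose hostname is not a valid DNS label (e.g. contains a space)."""
    hosts, _ = parse_overrides(xml_text)
    return sorted(raw for _, _, raw in hosts.values() if not LABEL_RE.match(raw))

if __name__ == "__main__":
    print(aliases_per_host(SAMPLE_CONFIG))
    print("dangling:", dangling_aliases(SAMPLE_CONFIG))
    print("invalid hostnames:", invalid_hostnames(SAMPLE_CONFIG))
```

To run it against a real firewall, read the <unboundplus> element out of /conf/config.xml and pass it in place of SAMPLE_CONFIG; the "PTR record already exists" warnings in the Unbound log are keyed on the lowercase fqdn form that _fqdn produces.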
#10
This weekend I have updated the firewalls to 2.7.7 including the kernel. It seems to work normally now.
However a reboot is required to get from 100Mbit to auto negotiation again. I am not sure if this was the case beforehand, but everything seems to be back to normal again.
Thank you for the support!
#11
Hey Franco,

I see that they have reverted the changes today. So hopefully it will not be in 13.2 /14.

Does this mean we have to stick with the 22.7.5-e1000 kernel till 22.7.7 is released?
(I am not really into the release schedules.... still a bit new here and trying to learn)

#12
I have updated the kernel to the 22.7.5-e1000 version. Now the link is immediately up and this solves the problem with the Intel network cards. Thank you Franco and csutcliff for pointing in the right direction.

Looking through the diff here https://reviews.freebsd.org/D34449 it seems that something is implemented to comply with a standard, which has changed after millions of network switches and devices are not doing auto negotiation when they are set fixed to 10 or 100 Mbit, half or full duplex.

The problem with changing this is that the device on the other side must be changed as well. Often this is outside of the control of the person implementing this change.

In our case the ISP has configured a network switch to 100Mbit Full Duplex and will not change their procedures as it is identical for all their customers. And this is difficult to change as it will require actual negotiation between people to reconfigure both devices at the same time to auto negotiation in order to keep the connection up with as little downtime as possible.

I will keep an eye on the Reddit threads and the FreeBSD diff to see when it will be fixed in the next mainstream release.

I have suggested to the ISP that instead of setting their interfaces to fixed 100Mbit Full Duplex, they enable auto negotiation but only advertise 100Mbit Full Duplex. This is much easier for their customers as they do not have to configure their device, and if the customer upgrades to 1Gbit in the future, they just advertise the 1Gbit as well.

But it is difficult to migrate to this solution, as it will require all their current customers to switch from fixed 100Mbit Full Duplex to auto negotiation. So I doubt they will implement this.
#13
That is great news franco.

Do you need the test kernel to be tested on our platform? Is this something I can help with, as I assume it may take some time for the new kernel to be released?

I found the answers in the Reddit page.
https://www.reddit.com/r/opnsense/comments/xw4oiz/comment/ir4qdc8/

This week I will try the update at my firewall at home. If it works I will patch the firewall in the office and remove the network switch, which is currently converting 100Mbit Full Duplex fixed to auto negotiation.
#14
@lilsense, if both interfaces are set to auto then it works fine.

I have been out of the office for work, but I will check if they are genuine Intel cards as well as have a look at the bug.
If it is the case I will join Reddit as well to get some more attention to this problem.

Many thanks for the support so far.
#15
Hi lilsense,

Thank you for helping.
While doing the tests I had both sides configured the same way. Otherwise one of the devices will drop packets.

The thing is, when both the network switch and the firewall are set to 100Mbit Full Duplex the link does not come up. If I configure my laptop interface to 100Mbit Full Duplex and connect to the switch the link works. But if I connect the laptop to the interface of the firewall the link is down.

I did not have this problem with 21.1, but it occurred while upgrading to 21.7. I did it from home at a time when nobody was in the office. Afterwards I had to go to the office because the internet was down.