Messages

Looking at iostat in the console, I am seeing high disk writes, too.

Code Select Expand

root@OPNsense:~ # iostat -x
                        extended device statistics
device       r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
ada0           1     107     42.0   2570.7     1     1     0     1    0   8
You can see the instantaneous rate by issuing

Code Select Expand

iostat -x 2.  When I disable Automatic Discovery, the instantaneous writes drop back to near zero.

This is on a small home network.  I have disabled the feature for now.

You say it's 1G. Should it be different?

No, the OP said his links only worked at 100M, and my response was simply that mine are working at a higher speed than that.  On an old wifi N laptop I'm getting about 160 Mbps, and the amber LEDs on the ports themselves indicate 1 Gbps connections.  (The user manual for my board says if the connection were 100 Mbps, the LEDs would be green.)

I have what is probably a similar board - Supermicro X10SBA, J1900 with 2 Intel 210 NICs. I just did the upgrade to 25.7.2, and my NICs are both showing connection at 1 Gbps (the link indicator LEDs are glowing amber, which the user's manual says means 1 Gbps), and I am getting well over 100 Mbps even over an old wifi N connection. So I don't think there's anything inherent about the upgrade that would cause your issue.  I'd look at configuration issues (start with factory defaults and see if that gets you full speed?) and maybe even a bad ethernet cable (I had one of those recently tie me to 100 Mbps).  Good luck with your troubleshooting...

I run Firefox on Xubuntu, display 1920x1200.  I find if I shrink my browser's rendering (ctrl-scroll down) to 90%, the typeface is easier to read. 

Have you tried installing from USB to the SD card?

Yes, that's what I did to get ZFS on the SD card.  SD card in the slot on the APU motherboard, serial installer USB stick in one of the rear panel USB ports.  Boot from the USB stick, install onto the SD card.

Glad doktornotor's feedback helped you get started.  Just remember, the nano image uses UFS on the SD card.  If you want ZFS, you'll need to boot from the serial installer USB stick and install from there onto your SD card. 

The nano image is UFS.  When you write the image onto an SD card, it is written as UFS.  As far as I know, ZFS isn't an option with the nano image.

I tried installing with ZFS onto an SD card using the serial install image.  It is working great.

To reduce unnecessary writes to the card, during install I set swap to 0 GB (a trick that was mentioned by one of the Netgate developers).  I also minimize logging and set /var and /tmp to run in RAM. 

I have been watching the writes to disk by SSH'ing into the console and issuing 'iostat -x'.  As I type this, kr/s (kB written per second since boot) sits at 6.1.  (It started high right after boot and has been dropping since.)  Assuming a reasonable sized SD card (say 32 GB) of high quality (Samsung Pro Endurance uses good MLC flash chips), I've calculated that the card should last many many years (decades).

[Edit - mistyped the kr/s - corrected to 6.1.  It keeps coming down over time, indicating there's little writing going on once the system is booted and running.]

For installation on an SD card, I think it may be better to use the nano version - it's an image file you deploy directly onto an SD card (using any one of several disk image writers like rufus (on Windows)).   It uses UFS (not ZFS), so I'm not sure this answers the OP's question.

If the OP wants to experiment with ZFS on an SD card, then yes, he should use the serial installer, and try installing to the SD card from that.  (I have installed pfSense onto an SD card using their serial installer, using UFS and no swap to minimize disk writes.  It worked fine.  I did not try ZFS on the SD card.) 

One question about ZFS - does it do more writes to the disk than UFS, and would it wear the SD card out faster?

Mine does that (it shows all "N/A") for a second, then the counters fill in.  Not sure why the display you're seeing seems to get stuck halfway.

I see, hmmm, was better the previous way IMHO. 

I can see the delete button now, but was overlapped with text.

New way isn't as clear to me, but hey ho, I wont stand in the way of progress....

I saw the delete (trash can) button, but it doesn't delete anything.  I get the red "Remove configuration backup" popup, I click on 'yes', and nothing gets deleted.  Same result on two different boxes, with different browsers.  (I only keep 5 backups so it's easy to see if anything's been deleted.)

The text overlaps the buttons, too, making the trash can a bit tricky to hit with the mouse.  So I figure this particular change is still a bit 'work in progress'.

Update:  When I looked in the /conf/backup/ directory, the backup files actually do get deleted.  It's the drop-down list in the UI that still shows them.  If I log out and log back in, the drop down no longer shows them, so it's a browser caching issue.

Looks like with todays update the unbound reporting tool is broken. "No results found!" for me.

Tried to reset DNS Data, tried a reboot... Doesn't work.

When mine rebooted after this latest upgrade, the reporting tool showed no numbers, but after a second reboot, it seems to be working well.  (The startup beep sequence also seemed slow the first time, but had its normal cadence on the second reboot.  I've heard that slow beep sequence occasionally on previous upgrades - I'm not sure what it means, but when I hear it, I typically reboot again, "just in case".)

Make it a difference, if I activate in "Services/Router Advertisements/LAN" the DNS option "Use the DNS configuration of the DHCPv6 server" instead of enter the IPv6 of the Adguard DNS Server?

Honestly, I have wondered the same thing. It isn't obvious (to me, anyway) what the "Use the DNS configuration of the DHCPv6 server" setting does.  So I usually just do both - enter the address of my PiHole as the DNS server that gets advertised, and check the "Use the DNS configuration of the DHCPv6 server".  It wouldn't be hard to experiment and find out if there's a difference - I just haven't bothered to try it out.

I found the issue on my system that was causing one network segment to get both predefined IPv6 DNS addresses (Cloudflare 2606:4700:4700::1111 / ::1001) and my router's LAN address as a DNS server - on that LAN segment, I had inadvertently left Services/Router Advertisements/Router Advertisements (the first drop down) set to "Disabled".  When I set it to "Assisted", the router stopped sending out the LAN address as a DNS server, and only advertised the Cloudflare addresses I entered into the DNS Servers field.  So maybe that helps you, opns-sc0?

opns-sc0 - You said your router is still handing out its own IPv6 LAN address as one of the DNS servers.  Have you looked at the  DNS options under "Router Advertisements"?  I don't have the answer - time to experiment?

[Edit] I actually have multiple LAN segments (hanging off an APU), some configured with Cloudflare and some configured with my pihole, and I just noticed that the ones with Cloudflare show my router's LAN address as the primary DNS (Cloudflare as secondary).  The ones with the pihole show only the pihole.  As far as I can tell every other setting with these segments is the same, so I have some digging to do.  If I find something I'll let you know.

lilsense - I haven't looked into using the DUID to create the address.  For me, using ULA/SLAAC to create a static address for the pi "just worked", and I stopped looking for other approaches.  But yours is an interesting idea I'll take a look at - thanks for suggesting it.

I do this with a PiHole.  You need to use Unique Local Addressing - ULA - (not link local) for your local IPv6 addressing.

- Under "Interfaces/Virtual IPs/Settings". assign a ULA to your LAN port, something like FDB1:ABCD:ABCD:ABCD::1/64. (You will want to randomize the address - it should start with FC or FD (I use FD), but the rest of the characters should be randomly selected from 0-9/A-F.)

- Under "Services/DHCPv6/LAN" check the "Enable DCHPv6 server" box, and enter the ULA prefix (in this example, FDB1:ABCD:ABCD:ABCD::  ) in the "From" and "To" fields of the "Prefix Delegation Range", and set the "Prefix Delegation Size" to 64

- Save

- Under "Services/Router Advertisements/LAN", set "Router Advertisements" to Assisted (this is important)

- Save

Then your Adguard box should pick up a full ULA IPv6 address (via SLAAC), something that will look like FDB1:ABCD:ABCD:ABCD:xxxx:xxxx:xxxx:xxxx. (To see what address my pihole gets, I log into my pi and issue "ifconfig" - that gives me a list of the addresses my box has, and one of those is the full ULA.)

That full ULA is what you use as the DNS server advertised by your router.

- Under "Services/DHCPv6/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

- Under "Services/Router Advertisements/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

(Yes, set it in two places.  By setting it in Router Advertisements, your computers will receive it as the IPv6 address of the DNS server, and all IPv6 DNS queries will go directly to your Adguard box)

When I was getting started with OPNsense it took me a while to figure it out.  That first step - assigning a virtual IP to the LAN port - is essential.

Good luck!

[Edit]
I forgot to mention, I also use a static IPv4 address for my pihole (set in /etc/dhcpcd.conf on the pihole server).  On OPNsense, under Services/DHCPv4/LAN/RANGE, I set a limited range of IPv4 addresses to be assigned to my clients, and then set the pi's static address outside that range.  Then I put the pi's static IPv4 address in the Services/DHCPv4/LAN/DNS Server field.

This way, I basically have static addresses for both IPv6 and IPv4, and these get sent to my devices either by DHCP (IPv4) or Router Advertisements (IPv6).

Thanks, Franco.