Messages - kintaroju

#1
Quote from: iMx on October 28, 2023, 10:29:20 AM
I have no experience with the Aqara Hub.

... but something I had to do for a Xiaomi Air Filter was to add a NAT rule so that Home Assistant (in another VLAN/subnet) appeared to be on the same local network as the Xiaomi (as it will only talk to/respond to devices in its local subnet).  Was a bit of a head-scratcher for a while.

Basically an egress NAT rule, so that Home Assistant appears to be the IoT firewall IP (on the IoT VLAN), when it tries to reach the Xiaomi (which has its own IP, on the IoT VLAN/subnet).  In my case, anyway.

It should be possible to work out if it's an mDNS problem, however:

- Connect a computer to the same VLAN as the device that needs to 'see' the announcement
- Run a mDNS debug tool on that VLAN
- See what it sees..

mDNS is just the announcement of where to find the announcing device, on what port, sometimes things like supported encryption, etc., however.  I'm not clear from your post if you've allowed the actual communication ports between the device(s)?

On macOS, I've used the below (Discovery) a number of times for helping to troubleshoot (or, just to rule out mDNS as being at fault) similar problems:

https://apps.apple.com/gb/app/discovery-dns-sd-browser/id1381004916?mt=12

I've tried putting a floating rule to allow ALL traffic to flow between the IoT and main networks, but that still didn't work, so at the moment I'm kinda scratching my head.

For the NAT rule, any sample or suggestions how I'd do that?
#2
Hi,

I've been trying to get Matter to work on Home Assistant for my Aqara Hub.

The setup I have for my OPNsense is below:

Aqara Hub E1 - VLAN for IoT
Home Assistant - VLAN Main (for all other non IoT devices)

Below are my devices and their setup in their respective VLANs:

Apple TV - (VLAN Main)
iPhone - (VLAN Main)
Home Assistant Server - (VLAN Main)
Aqara Hub E1 - (VLAN IoT)

The rules/configuration I have for my OPNsense are below:

- mDNS repeater - On
- mDNS FW Rules to allow UDP 5353 traffic as a floating rule - On

So at the moment I am kinda running out of ideas on how to troubleshoot this. Any guidance on this would be greatly appreciated.


#3
Ditto, the latest version fixed the issue :D
#4
Ditto, exact same issue :D. Looking forward to update :D
#5
23.1 Legacy Series / Re: Problem with Airprint
April 04, 2023, 12:44:04 AM
Hi, if you can list how your network is set up, e.g. any VLANs, FW rules, etc., that will give us an idea of what is wrong.
#6
Hi Franco,

Just installed the latest 23.1.5, and it seems to be awesome, no more weird netmap issues so far, thanks for the awesome work!
#7
@franco, had a quick question: when do you think the netmap kernel fix will be introduced to OPNsense 23.x? Just curious, thanks!
#8
Quote from: franco on March 09, 2023, 10:29:18 PM
Contact their support? I don't have much to go on.


Cheers,
Franco

Sounds good, I'll do that, and thanks again for the hard work; at least my Zenarmor/Suricata is basically functional again.
#9
Quote from: franco on March 09, 2023, 08:39:00 PM
I believe this requires a reboot for Zenarmor to cope.


Cheers,
Franco

Hi Franco,

I've tried power cycling the system a few times and that didn't seem to help, any other ideas?
#10
Quote from: franco on March 09, 2023, 07:39:28 PM
I got heavily side-tracked since 23.1.2 came out... the current build with the latest FreeBSD review state is:

# opnsense-update -zkr 23.1.2-netmap
# opnsense-shell reboot

Notes:

1. kernel-23.1.2-netmap2-amd64.txz never existed. You mean kernel-23.1.1-netmap2-amd64.txz perhaps, which is obviously older than the current kernel-23.1.2-netmap-amd64.txz one.
2. The patch does nothing for which interfaces land in netmap mode. That is solely GUI configuration.


Cheers,
Franco

After disabling VLAN HW acceleration and changing from protecting individual VLANs to just the main igb0 interface, Zenarmor is working again.

The only thing is, now I have lots of registered netmap devices:

024.325300 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan16 activated
024.645563 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan10 activated
025.677618 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan4 activated
087.352077 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan4 activated
542.812852 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan16 activated
544.525316 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan4 activated
620.148165 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan10 activated

What would be the way to clean up the above entries?
#11
Quote from: franco on March 07, 2023, 08:13:38 PM
@kintaroju: You can use an older kernel without any issue, but I'll prep a new one tomorrow. The bridge support for netmap was updated so I need to adjust the branch this is built on.

@Phiolin: thanks for the update! the generic patch is still in flux it seems and I'm expecting a new version this week, but not entirely sure this will happen depending on the challenge of the stalls given at the moment.


Cheers,
Franco

Hi Franco,

Was going to downgrade the kernel today, except I noticed the old kernel with your netmap kernel addition was missing. I did see the new 23.1.2-netmap version, tried it, and unfortunately it produced different results, where I am missing a netmap interface:

024.325300 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan16 activated
024.645563 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan10 activated
025.677618 [ 321] generic_netmap_register   Emulated adapter for igb1_vlan4 activated

There should also be one for vlan18. When I tried to exclude vlan18 from the Zenarmor protected interfaces, it still doesn't start up.

So if you need anything on my end to help with the debugging let me know.
#12
Quote from: franco on March 07, 2023, 08:13:38 PM
@kintaroju: You can use an older kernel without any issue, but I'll prep a new one tomorrow. The bridge support for netmap was updated so I need to adjust the branch this is built on.

@Phiolin: thanks for the update! the generic patch is still in flux it seems and I'm expecting a new version this week, but not entirely sure this will happen depending on the challenge of the stalls given at the moment.


Cheers,
Franco

@Franco, thanks for the quick update on this, appreciate it. I'll keep a watchful eye for your new netmap kernel :D.
#13
Hi Franco, just noticed that 23.1.2 got released and I upgraded recently. Unfortunately, now my Zenarmor isn't starting again :( Just wondering if you had a new kernel that includes the updated netmap stuff by chance?
#14
Quote from: franco on March 01, 2023, 07:49:45 AM
Unrelated issue, you can check upper right corner for Firewall: Aliases... the indicator should be full.

If that's the case go to Firewall: Settings: Advanced and increase "Firewall Maximum Table Entries" until all your alias-generated entries fit into the memory.


Cheers,
Franco

Seems to be the case, as it only indicates 2% of the entries are used, lol. Thanks again.
#15
Hi Franco, thanks for that persistent work on this issue. I just upgraded my test router config, and mostly things work but on the UI I get an alert for this:

There were error(s) loading the rules: /tmp/rules.debug:63: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [63]: table <bogonsv6> persist file "/usr/local/etc/bogonsv6"

Not sure if it is related to the kernel upgrade, but I don't recall seeing this error message before.

Also thanks again for your hard work!!