Messages

os-isc-dhcp. It will auto-install on the actual upgrade to 26.1 when it's out.

Quick follow up question, for clarification: When updating to 26.1, does the os-isc-dhcp plugin auto-install also automatically configure from one's 25.x.x ISC settings?

Really love the WAF

Had to look that up.  The only thing that my mind came up with is "Wife Acceptance Factor".  A very important metric in my home.

It is early.  Time for some more coffee.

Or perhaps today's Cloudflare issue?

Not the original question, but the heat transfer of the china boxes are often abysmal and because of bad quality control, differs much from one specimen to the next.

See this for an example (in german, but with telling pictures). When the temps are really bad, I always change the thermal paste. Sometimes, there is not enough pressure between the board and the case.

I +1 for the poor thermal interface of the Chinese boxer.  I have a N5105 I picked up a few years ago.  A Topton, but they pretty much all come from the same manufacturers/suppliers.  Do almost anything and the CPU temps shot to 100C+.

I took it apart (I wasn't shipping back to China).  The heatsink pad where the die makes contact was scratched up, there were burrs around the mounting screw holes, and whatever compound they used was questionable.  I deburred the screw holes, carefully sanded/lapped the heatsink, added a very thin copper shim and put some fresh quality thermal compound on it.  Temps imediately got much better.

I do have a cheap USB powered 120mm fan I sit on top of it, blowing down onto the fins.  Plugs into a USB port for power, and has a switch for the fan speed.  I set it to low, and you can't even hear it.  I don't work the box very hard (home network) but sometime it gets put through its paces (1Gb WAN/2.5 Gb LAN) and temps never get much over 45C.

As others have said or implied, it depends on your use case.
Is this a mission critical network or your personal at home plaything?
A few users or many dozens of users?
Traffic from a few internal users or services for many external users?

The devil is always in the details.

With that said, I have been using a Topton N5105 with 4 2.5Gbe Intel nics for about 2 years.  I needed to clean, smooth and re-paste the heat sink on it, and still have a slow USB fan to keep it cool.  (May be overkill, as they will run hot without issues, but I prefer it cool.)  Network is my home and lab playground, move a lot of data around, a number of services running, several VLAN in network, cameras and home automation stuff, etc.  OPNsense runs on it bare metal, and I haven't had any issues and the system never seems to be overworked by what I ask of it.

If a needed to support it for someone else, I probably would use it in a home or few person office.  But for a larger or more mission critical application, I would step up to something better.

EricPerl is correct.  First thing I noticed in your post is that it looks as one of the devices has their NIC negotiating at 100Mb speed.  Check the cabling and reboot (power off/on) both devices.

Do you mean this?  It is in the Gateway config.

Interesting.  Nearly the same combination I've been running my server for the past 18 months without a single issue.

Without seeing the actual MCA errors it is impossible to start issuing blame.  Hardware not working as expected could have many root causes - CPU, motherboard, RAM, BIOS settings or BIOS code itself, the list could go on.

But sometimes it is best to move on to different hardware, especially if you don't have a compelling reason to stick with the one giving issues.

Early Ryzen CPUs (ZEN/ZEN+) had some issues running Linux OS, though it typically manifests as system lock up vs rebooting.  Later CPUs seem to work much better, as there are many data centers running the same processor die (EPYC).

Some immediately say "Disable C-States" but that is a very drastic solution, one of last resort.  It basically disables one of the best features of modern AMD CPUs - its power management.  Unless you have hundreds of active clients being routed on your bare metal system, you will appreciate the power savings over time.

The two things I've found to be effective on my Ryzen based servers (my OPNSense is on a Intel N5105) are:

-- In the BIOS, set Power Supply Idle Control to Typical Current Idle (or some equivalent wording in your particular BIOS)
--Don't use XMP or any overclocking timing for your DRAM.  Your 2400G is a 1st gen ZEN processor, so your memory speeds should be set to a much lower timing than the marketing "DDR4 3200" would make you think.  (See below)

I initially had issues running a 1st gen Ryzen 1500X in an Unraid server.  After changing these two parameters in my BIOS, that system has run flawlessly for a couple of years.

I picked up a cheap domain and use Cloudflare Tunnel in front of my reverse proxy (NPM).

Some additional benefits using free Cloudflare services are you can also do geo-blocking, get some threat/bot protection, and user authentication.

Routers and switches are technically two different things.  In a home network, what people commonly call a "Router" is actually a combined router, switch, basic firewall and wireless access point.

In the simplest terms/view:
A router connects different networks.
A switch connects devices on a single network, and directs packets to the addressed device.

OPNsense is more accurately a router and firewall.  It does have the ability to also handle LAN switching tasks, but it is more efficiently handled by use of dedicated switch hardware (as OPNsense needs to handle switching tasks by using CPU resources).

Another +1 for Telegram notifications.

People do not watch their email (unless sitting at a desk in their work environment) like the once did 15 years ago.  I use Telegram nearly exclusively for my network and server notifications, be it those generated by OS itself, applications running on servers, or even in my self generated bash scripts.  I use two different Telegram bots (one for system stuff, one for applications) that have different notification tones.  This is much more useful, as I can immediately know which are notifying me even before I take my phone out of my pocket.  With email, you get one ding, be it from your system or the third email about sales at Best Buy.

Thanks franco.  I tried again, but end up with the same result.  Working with ddclient as backend.  Not working with native.

I deleted all accounts then removed and reinstalled plugin.  Set a bogus IP address in the duckdns website for my testing domain.  Reinstalled plugin.  Set Backend = native (it defaults to ddclient).  Hit Apply and restarted service.  Created account, Save, Apply.  Result was failue message in log and no update recorded on duckdns website.

Next I deleted account, set backend = ddclient.  Hit Apply and restarted service.  Created account, Save, Apply.  Success message in log and updated IP address shown in duckdns website.

Very strange.  I understand where you were going with your last post, makes perfect sense.  But I guess I'll stay on the ddclient backed for now.  It isn't mission critical for my setup, as it is only used as an ISP/firewall watchdog (all of my true domains are managed via Cloudflare tunnels).

Sorry to have dropped off the radar for several days.  I had been reading your responses (and much appreciate them).  My work has me doing four 12 hour days, then followed by family emergency.

I tried what was suggested previously, none of it giving much success.  I have finally received a positive result from both my logs and duckdns, by doing the unexpected - I set the Backend to ddclient, not native.

I'm not one to argue with success, but I thought that native was developed specifically to work with OPNSense?

franco, CJ and newsense - Thank you all for your input.  I keep on learning with it all.  As for my flash drive collection, old habits die hard.  But still a good choice - portable, can usually get it to boot on any system, and lives in the desk drawer where my servers and network live, so I (usually) can find what I need.

CJ is right - Duckdns uses a token in the password field.  I cut/past it right from my duckdns.org account page.  What is interesting (and probably a good thing?) is while the string from the log is similar in format to my token, they are not the same.  (same 8-4-4-4-12 char cadence)

As I wrote earlier, I set things up based on a recent post from here.  Not really all that much to configure, so unsure if it is dumbness on my end or ...?  Screenshots attached.