Messages

1

High availability / Re: LAG issue

« on: December 02, 2024, 10:54:12 am »

FS-switches tent to have a lot of weird behavior for LAGG + LACP in the past, you can find it on their forum or reddit.

Did you try the LAGG with LACP fast disabled on both ends and bounce the LAGG on the switch side?
Are you running the latest OS for that switch?
Did you try to reboot the switch?
Did you possible check for know bugs for the switch?

One can argue that cause it works on PFsense and it doesn't on OPNsense, that is the issue of OPNsense. However I run LAGGs with LACP on OPNsense towards a Zyxel GS1900-24E switch and I do not have such issues.

Regards,
S.

2

High availability / Re: LAG issue

« on: November 29, 2024, 10:20:59 am »

If you can,

provide output from your CISCO switch

show etherchannel summary

Also provide output of the lagg port configuration and the physical port configuration of the ports belonging to the LAGG on switch side.

Regards,
S.

3

24.7 Production Series / Re: ISP hacked OPNSense Router

« on: November 28, 2024, 01:12:52 pm »

I think the most common misconceptions about IPS systems are about TLS and the "Plug & Play". A lot of time we can see people just complain that is not "just working" or speculate about TLS inspection...


@Patrick

- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).

Which from these you use may you/care you share some experience or insights?

Regards,
S.

4

Hardware and Performance / Re: Is this a good device for Opnsense?

« on: November 28, 2024, 10:59:52 am »

Yop and that's why I said "usually".

The fins are not the only problem, lot of time there is a GAP between the CPU and the heat-sink itself, basically bad contact that causes bad temps.

Sadly even if you see a picture on the seller site, its not 100% guaranteed you will get the device visually reflecting the pics.

I did as well forgot to mention. NVME you need such drive that can keep temps lower, if that's even possible... Because those in these chassis even in the bigger ones tent to have pretty high temps. I have the smaller N100 chassis (I think it was the 1st iteration) and all my NVMEs have extra heat-sinks.
AXAGON CLR-M2 ALU

Preferable as you said its better to get a unit with larger/taller fins/chassis.

Regards,
S.

5

Hardware and Performance / Re: Is this a good device for Opnsense?

« on: November 28, 2024, 10:28:45 am »

I am just wondering if anyone has used this device or has an opinion on this device, as to weather it is a good device for Opnsense?

https://www.aliexpress.us/item/3256807641761893.html

This looks fishy, avoid it.

I usually buy/recommend - N100 i226 noRAm no Storage
https://www.aliexpress.us/item/3256804173757529.html?spm=a2g0o.store_pc_home.promoteWysiwyg_502209384.1005004360072281&gatewayAdapt=glo2usa4itemAdapt

Delivery is usually within two weeks. A pal from my bought exactly this one it came like in 7-10days

And buy RAM and storage locally which I recommend using
RAM :
Crucial SO-DIMM 16GB DDR5 4800MHz CL40  (CT16G48C40S5 )

Storage:
Lexar SSD NM790 512GB ( LNM790X512G-RNNNG)
Samsung 980 500GB ( MZ-V8V500BW)

NVME heat-sink:
AXAGON CLR-M2 ALU

However is crucial to keep few things in mind.
A. Quality of the cooling solution may vary, but luckily usually temp issue can be fixed just by re-pasting the heat-sink and CPU
B. There is literary no BIOS support. The only company that provides BIOS is CWWK, so if you can get a device from them there is a high chance you will find a BIOS for upgrade on their official pages.

Regards,
S.

6

Tutorials and FAQs / Re: [HOWTO] OpnSense under virtualisation (Proxmox et.al.)

« on: November 24, 2024, 05:35:43 pm »

An Idea here, maybe its stupid maybe not but...

What if this is included into the Official OPNsense docs?

Currently the docs do not have any Guide how to deploy OPNsense into Proxmox. Its easy to spin off OPNsense in Proxmox but "best practices" are another thing.

Would it be beneficial for the people to have something like that in the Official docs?

Regards,
S.

7

Tutorials and FAQs / Re: [HOWTO] OpnSense under virtualisation (Proxmox et.al.)

« on: November 21, 2024, 12:23:13 pm »

Many thanks for these "best practices".

I plan to deploy 2nd OPNsense on Proxmox it will be helpful.

Regards,
S.

8

General Discussion / Re: Static IP addresses vs DHCP for IoTs

« on: November 21, 2024, 09:55:02 am »

Well no wonder you had such problems with only a one L3 network. Lot of those devices you mentioned like to "talk" or as I like to call it "spam the network". IoT devices and SmarTVs are notorious for flooding Broadcast traffic, what you basically have or had is a "Broadcast storm".

Thats one of the reasons VLANs should be used.


Also a lot of L2 managed switches have a function for controlling BUM traffic (Broadcast, Multicast, Unknown Unicast) on a per port level called "Storm control". You can set a threshold to rate limit BUM traffic and excess BUM traffic would be dropped per port. This is something you maybe could investigate more for you scenario, as you could potentially control BUM traffic closest to the source. This feature is usually used for endpoints (anything that is not a NW device such as Servers, Phones, PCs, IoT, etc.)

Regards,
S.

9

General Discussion / Re: Static IP addresses vs DHCP for IoTs

« on: November 20, 2024, 11:38:52 am »

I would as well like to know what congestion you are talking about.

Static DHCP mappings based on MAC are normal thing. I Do it like that, if I see new device in the system it will get DHCP IP and than I just bind it to an IP allocating an IP from the Pool.

Regards,
S.

10

Hardware and Performance / Re: Ierrs & Oerrs are way off on ax0

« on: November 20, 2024, 11:30:18 am »

Yes it does,

This is one of the most common problems that it causes if you have parent interface assigned.

https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html#add-vlan-interfaces
Go to Interfaces ‣ Assignments and assign the new VLAN interfaces. The parent interface should stay unassigned. In rare cases, the parent interface can be assigned without a network configuration, to allow manual link speed overrides.

Regards,
S.

11

Hardware and Performance / Re: Ierrs & Oerrs are way off on ax0

« on: November 20, 2024, 09:47:06 am »

Is that interface a parent to, VLAN, LAGG or any overlay?

Regards,
S.

12

24.7 Production Series / Re: BAD STATE

« on: November 18, 2024, 03:13:44 pm »

No worries,

multi-homed setup is not unusual. You just need to make sure all is configured well from perspective of the routing.

As mentioned in your case, more specific routes will take precedence, if they are equal than Administrative distance play a huge role. Directly connected has better AD than a static route.

See >

Route Source                                                                                                      Default Distance Values
Connected interface                                                                                                        0
Static route                                                                                                                        1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route                                5
External Border Gateway Protocol (BGP)                                                                       20
Internal EIGRP                                                                                                               90
Interior Gateway Routing Protocol (IGRP)                                                                      100
Open Shortest Path First (OSPF                                                                                        110
Intermediate System-to-Intermediate System (IS-IS)                                                      115
Routing Information Protocol (RIP)                                                                                      120
Exterior Gateway Protocol (EGP)                                                                                      140
On Demand Routing (ODR)                                                                                              160
External EIGRP                                                                                                              170
Internal BGP                                                                                                                      200
Unknown*                                                                                                                      255

13

General Discussion / Re: Minecraft - Behind OPNSense

« on: November 18, 2024, 11:50:23 am »

Because that's how networking works.

If the application doesn't specify what source port it uses it most likely will be random port generated by the application on the source.

Usually game servers specify only the Destination port that needs to be set by the source, the source port is generated randomly from the 49152–65535 range.


Regards,
S.

14

General Discussion / Re: crowdsec & DNSBL

« on: November 18, 2024, 11:40:52 am »

Same here,

If you want more robust and granular blocking with this sub, use the HaGeZi's block list for the DNS he has on Github. Those are constantly updated and each list is explained.

Regards,
S.

15

24.7 Production Series / Re: [Solved] Wireguard - No handshake

« on: November 18, 2024, 11:32:06 am »

Hehe no worries this happens often. Is always good to keep watch on what "debug" message you get like the

required key missing

Anyway glad you fixed it. Please mark your Topic with [SOLVED].

Regards,
S.