Messages

I see the same. My blocklist in Unbound is disabled yet in the reporting view it says the size of the blocklist is over 45k domains.

I'm a bit worried you are in over your head before you'd even started. Why did you purchase them (are they for remote access needs, webserver hosting, a VPN, etc)?

Should be as simple as configuring their provided gateway address under System > Gateways > Configuration. Then assign one of your static IPs to an external-facing interface under Interfaces > <interface name>. Likely called WAN, or WAN1. I highly suggest configuring and testing a WAN2 interface if you have spare ports on your hardware, and set it up to request DHCP from your ISP. Just in case you bork the first attempt saving the new configuration for WAN1 with the static, you can just connect WAN2 and be back online to do more web searching for troubleshooting.

I held out on migrating from ISC to KEA during the 24.1 train up until now, and have completed the migration successfully. Admittedly I do not have any fancy DHCP options setup such as pointing to a UniFi controller, its a pretty basic setup with a handful of reservations.

I understand OP's concerns but I haven't heard of the timeline for ISC to be officially cut from a release, so having at least a year to figure out your migration (even if it means migrating to an external DHCP server) is friendly enough IMO.

Regarding the change to how ISC updates restart the DNS service, I was doing that anyways. It definitely should not reload my DNS (thus flushing my cache) without me explicitly wanting to do so.

Glad to be on it prior to the major upgrade. Depending on how things shake out I will probably wait for 24.7.2 before upgrading, just to be on the safe side.

After taking about 2 weeks to wrap my head around WireGuard and get all my devices setup with it, I then found Tailscale and had all my devices switched over to it in less than 10 minutes.

Highly recommend it, be sure to read their thorough documentation.

Apologies for the phone screenshot. What are your RA settings under Services > Router Advertisements?

Edit: Imgur link with better screenshots from desktop. https://imgur.com/a/nPIQMfZ

I have no idea why you think a quantum of 2400 is good. (I am one of the authors of the fq_codel algorithm).

I started a project recently to try and collect all the complaints about fq_codel and shaping and see if they were a bug in the implementation or not. It was an outgrowth of the reddit thread here:
https://www.reddit.com/r/opnsense/comments/18z68ec/anyone_who_hasnt_configured_codel_limiters_do_it/

So far the openbsd implementation is proving out ok, but I have not had the time, money or chops, to get someone to rigorously test the freebsd (opnsense version) enough to prove to me that it is indeed implemented correctly. Anyone out there capable of running some serious flent tests? I outlined basic tests
to the openbsd person on the case here: https://marc.info/?l=openbsd-tech&m=170782792023898&w=2

I am perversely happy that a probable source of speed complaints about it is it doing too aggressive logging under stress, as reported on this bug here today.

The freebsd bug is being tracked here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276890

Until this is resolved should I disable my inbound shaping rule?

I have run a FW4B with 4GB/64GB on a 1Gb symmetrical connection with no issues. If you think you are going to run IDS/IPS, Zenarmor, or other heavy packages then I would consider more CPU/RAM/SSD to keep up. When I tried Zenarmor on this system it capped my speeds at about 300Mbps and dramatically increased the latency.

Perhaps system DNS is not working? I set my NTP servers to the Canadian governments (https://nrc.canada.ca/en/certifications-evaluations-standards/canadas-official-time/network-time-protocol-ntp) and they synced up right away.