Messages - Stormscape

#1
So this may seem slightly bizarre, but what DNS servers is your OPNsense server configured to check? I've noticed if my forward lookup DNS servers are slightly on the slow side (such as the root nameservers), I'll get the occasional DNS timeout like you're experiencing. Have you tried one with good anycast and response times like Cloudflare (1.1.1.1) or Google (8.8.8.8)?

Additional: Your ISP router is in bridge mode, right? You're not doing double NAT? Not really related to DNS issues (usually), but worth making sure.
#2
I pay 12 cents Canadian per kWh (8 cents USD, 7 Eurocents, 6 pence) so my router would have to be using a truly biblical amount of power before I'd consider changing it to something else.
#3
Personally I use an Optiplex 3060 I picked up rather cheaply for my OPNsense router. Sure it's not exactly small or anything, but it works for me. It's also massive overkill with an i5-8500 and 12GB of RAM, but it was around $150 or so.
#4
Here's the secret: OPNsense has an API that can be called programmatically by shell scripts. I have another computer run this shell script when it shuts down for UPS to shut down my OPNsense. Avoids NUT nonsense. You might want to edit it a bit but it works fine for me. This script as written requires OPNsense to have a valid SSL cert, though:

#!/usr/bin/env bash
set -Eeuo pipefail

OPNSENSE_HOSTS=("https://opnsense.example.com")   # add more for HA
API_KEY="<API KEY HERE>"
API_SECRET="<API SECRET HERE>"
ENDPOINT="/api/core/firmware/poweroff"

CONNECT_TIMEOUT=3
MAX_TIME=10
RETRIES=3
RETRY_DELAY=2

# Log to syslog and to stdout.
log(){ logger -t ppb-opnsense -- "$*"; echo "[$(date -Is)] $*"; }

call_shutdown() {
  local url="${1%/}${ENDPOINT}"
  local args=(
    --silent --show-error
    --header "Content-Type: application/json"
    --user "${API_KEY}:${API_SECRET}"
    --data '{}'
    --connect-timeout "$CONNECT_TIMEOUT"
    --max-time "$MAX_TIME"
    --write-out "HTTP_CODE=%{http_code}\n"
    --output /dev/null
  )
  # With LE, system trust store is fine; no -k used.

  local out rc code i
  for ((i=1;i<=RETRIES;i++)); do
    # curl is allowed to fail here; capture its exit code instead of tripping errexit.
    set +e
    out=$(curl -X POST "${args[@]}" "$url" 2>&1); rc=$?
    set -e
    code=""; [[ "$out" =~ HTTP_CODE=([0-9]{3}) ]] && code="${BASH_REMATCH[1]}"

    # 2xx = accepted. 000 = curl got no HTTP status at all (connection dropped or timed out),
    # which this script also treats as accepted.
    if [[ "$code" =~ ^2..$ || "$code" == "000" ]]; then
      log "Accepted by $url (HTTP:${code:-none})."
      return 0
    fi
    log "Attempt $i failed (rc:$rc HTTP:${code:-none}). Out: $out"
    (( i < RETRIES )) && sleep "$RETRY_DELAY"
  done
  return 1
}

main(){
  command -v curl >/dev/null || { log "ERROR: curl not found"; exit 2; }
  local fail=0
  for h in "${OPNSENSE_HOSTS[@]}"; do
    log "Requesting shutdown: $h"
    # Use an assignment rather than ((fail++)): the arithmetic command returns 1 when
    # fail is 0, and as the last command after || it would trip errexit and skip the remaining hosts.
    call_shutdown "$h" || { log "ERROR: $h did not acknowledge"; fail=$((fail+1)); }
  done
  (( fail==0 )) && { log "All shutdown calls issued."; exit 0; } || exit 1
}
main "$@"
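Added example, not from the post above or from the OPNsense project: a preflight that exercises the same key, secret and TLS trust against a read-only endpoint before a UPS event ever happens, plus a stricter accept rule in which curl's 000 only counts as success when that preflight has already proved the host reachable. It assumes the post's key/secret style and that GET /api/core/firmware/status is a harmless read-only call (an assumption; check it against your release), and is written in POSIX sh so it runs wherever the post's script does.

```shell
#!/bin/sh
# Added example, not the post's script. Assumes /api/core/firmware/status is a
# read-only endpoint (assumption) and the same API key/secret auth as the post.

# Print the 3-digit status that curl's --write-out 'HTTP_CODE=%{http_code}' left
# in the captured output, or nothing if curl failed before printing it.
extract_http_code() {
  printf '%s\n' "$1" | sed -n 's/.*HTTP_CODE=\([0-9][0-9][0-9]\).*/\1/p' | head -n 1
}

# $1 = status code, $2 = 1 if the preflight succeeded earlier in this run.
# 2xx is always accepted. curl's 000 (no HTTP reply at all) is accepted only
# after a good preflight, so a mistyped host, DNS failure or blocked port is
# reported as a failure instead of being mistaken for "the box is already off".
shutdown_accepted() {
  case "$1" in
    2??) return 0 ;;
    000) if [ "$2" = "1" ]; then return 0; fi ;;
  esac
  return 1
}

# GET a read-only endpoint with the same credentials and TLS settings the
# shutdown call will use. 200 = cert chain, key and secret all fine; 401/403
# points at the credentials; 000 at DNS, TLS or a firewall rule. Changes nothing.
preflight() {
  base="${1%/}"; key="$2"; secret="$3"
  out=$(curl --silent --show-error --user "$key:$secret" \
        --connect-timeout 3 --max-time 10 \
        --write-out 'HTTP_CODE=%{http_code}\n' --output /dev/null \
        "$base/api/core/firmware/status" 2>&1) || true
  code=$(extract_http_code "$out")
  [ "$code" = "200" ]
}

# Usage sketch (makes network calls, so not run here):
#   if preflight "https://opnsense.example.com" "$API_KEY" "$API_SECRET"; then ok=1; else ok=0; fi
#   ... issue the POST from the post's script, capture its code, then: shutdown_accepted "$code" "$ok"
```

Run the preflight from cron or a UPS test event; a 401 there is far cheaper to discover than during a real outage.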
#5
Just keep in mind any devices currently with IPs from ISC won't request a new IP until their current lease expires, and if you have a long lease time set, then DNSmasq won't appear to hand out any IPs for several days. An easy way to test is to make sure ISC is disabled and DNSmasq is enabled, and then manually release and renew an IP on a device.
#6
It might be easier to instead configure OPNsense to get the certificates with its acme.sh implementation, and then use the automation features to push it out to other machines on your network. It can all be done via the GUI, no shell usage needed.
#7
Makes me wonder how it would fare on my B550 board on a chipset 3.0 slot.
#8
I've seen the 8127ATF SFP+ NICs and I wonder if they work any better than the 4.0 1x BaseT cards. I've also noticed they're all 4x, so they're presumably PCIe 3.0 only. If they are, putting them in a 1x slot wouldn't get a full 10 gigabits, but it would still be 7.5 gigabits which ehhh... close enough.
#9
Yeah, I had been hoping for something PCIe 4.0 that I could use in a 1x slot on my B550 with my Linux desktop. Guess I'll just stick with the SolarFlare in a 4x slot for now.
#10
Good thing you posted this, I had been considering one (specifically the SFP+ variant on AliExpress) to replace a SolarFlare SFC9020 SFP+ NIC in my desktop. What do we think of Aquantia AQC113 as an alternative?
#11
For what it's worth, the i5-8500 in my Optiplex 3060 I use for OPNsense easily handles my 2100/200 connection. I usually peak at around 2.40 for CPU usage when downloading. Now granted I'm not doing any sort of IDS, but hopefully that should give you a good idea of what to pick.
#12
Sounds like you made the same mistake I did, and forgot to tell Unbound about dnsmasq being the authoritative DNS server for your local domain. Make sure to follow the OPNsense hosted guide for setting up dnsmasq.
#13
General Discussion / Re: Wireless Access Points
January 15, 2026, 08:32:06 AM
Personally I use TP Link's Omada APs. They're quite good and can do fast roaming and mesh very easily, if you set up the Controller, which can run on any Windows/Linux machine, or you can use a dedicated hardware controller.
#15
DHCP should be set to authoritative unless there is another DHCP server on the network. It won't fix it, but it should be set anyway so that new devices don't have to be known to get an IP address.
What do the firewall logs show?