Messages - Stormscape

#1
Just keep in mind any devices currently with IPs from ISC won't request a new IP until their current lease expires, and if you have a long lease time set, then DNSmasq won't appear to hand out any IPs for several days. An easy way to test is to make sure ISC is disabled and DNSmasq is enabled, and then manually release and renew an IP on a device.
#2
It might be easier to instead configure OPNsense to get the certificates with its acme.sh implementation, and then use the automation features to push it out to other machines on your network. It can all be done via the GUI, no shell usage needed.
#3
Makes me wonder how it would fare on my B550 board on a chipset 3.0 slot.
#4
I've seen the 8127ATF SFP+ NICs and I wonder if they work any better than the 4.0 1x BaseT cards. I've also noticed they're all 4x, so they're presumably PCIe 3.0 only. If they are, putting them in a 1x slot wouldn't get a full 10 gigabits, but it would still be 7.5 gigabits which ehhh... close enough.
#5
Yeah, I had been hoping for something PCIe 4.0 that I could use in a 1x slot on my B550 with my Linux desktop. Guess I'll just stick with the SolarFlare in a 4x slot for now.
#6
Good thing you posted this, I had been considering one (specifically the SFP+ variant on AliExpress) to replace a SolarFlare SFC9020 SFP+ NIC in my desktop. What do we think of Aquantia AQC113 as an alternative?
#7
For what it's worth, the i5-8500 in my Optiplex 3060 I use for OPNsense easily handles my 2100/200 connection. I usually peak at around 2.40 for CPU usage when downloading. Now granted I'm not doing any sort of IDS, but hopefully that should give you a good idea of what to pick.
#8
Sounds like you made the same mistake I did, and forgot to tell Unbound about dnsmasq being the authoritative DNS server for your local domain. Make sure to follow the OPNsense hosted guide for setting up dnsmasq.
#9
General Discussion / Re: Wireless Access Points
January 15, 2026, 08:32:06 AM
Personally I use TP Link's Omada APs. They're quite good and can do fast roaming and mesh very easily, if you set up the Controller, which can run on any Windows/Linux machine, or you can use a dedicated hardware controller.
#11
DHCP should be set to authoritative unless there is another DHCP server on the network. It won't fix it, but it should be set anyway so that new devices don't have to be known to get an IP address.
What do the firewall logs show?
#12
Quote from: vimage22 on December 24, 2025, 04:32:56 PM
@DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.

@Stormscape. I do not think your answer is accurate. I use kea for DHCP and unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added after a restart of the unbound service.

Well Kea isn't dnsmasq, now is it?
#13
Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
screen shot 3. i would turn off DNS within dnsmasq. change listen port to 0. you also do not need dnssec enabled if using quad 9

i use unbound and it works 100% reliable.

i setup dns over tls for quad 9 or similar products though.

Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
#14
Like all software, best to assume it's safe to use unless and until you hear about a CVE.
#15
I'd enable both (that is, EIST and ASPM) unless ASPM is known to cause issues on your specific system. As a comparison, I have both powerd and speedstep running on my box, which is an Optiplex 3060.