Messages - joezeppy

#1
Virtual private networks / Re: Wireguard Logging
June 21, 2025, 01:26:41 PM
It appears that WireGuard connection logging is non-existent by design.  See https://forum.opnsense.org/index.php?topic=43997.0

But I would think that some type of basic connection/handshake logging would be possible from within OPNsense because the GUI is able to show the connection status and the last handshake age.
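The basic handshake logging wished for above can be derived from the same kernel state the GUI reads. The following is an added example, not code from the post or from OPNsense: it assumes the standard tab-separated `wg show all dump` layout (one 5-field interface line, then one 9-field line per peer, with latest-handshake as a Unix timestamp and 0 meaning never) and that `wg` is on PATH when run live.

```python
import subprocess
import time

# Constructed sample of `wg show all dump` output: keys are placeholders, not
# real WireGuard keys, and the addresses are documentation ranges.
SAMPLE_DUMP = (
    "wg0\t(none)\tIFACE_PUBKEY\t51820\toff\n"
    "wg0\tPEER_A_PUBKEY\t(none)\t203.0.113.5:41234\t10.10.0.2/32\t1718980000\t1024\t2048\t25\n"
    "wg0\tPEER_B_PUBKEY\t(none)\t(none)\t10.10.0.3/32\t0\t0\t0\toff\n"
)

def parse_dump(text):
    """Map (interface, peer public key) -> endpoint, handshake time and counters."""
    peers = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 9:  # the 5-field line describes the interface itself; skip it
            continue
        iface, pubkey, _psk, endpoint, _allowed, hs, rx, tx, _keepalive = f
        peers[(iface, pubkey)] = {"endpoint": endpoint, "handshake": int(hs),
                                  "rx": int(rx), "tx": int(tx)}
    return peers

def handshake_events(previous, current):
    """One log line per peer whose latest handshake is newer than in `previous`."""
    events = []
    for (iface, pubkey), cur in current.items():
        if cur["handshake"] == 0:
            continue  # peer has never completed a handshake
        prev = previous.get((iface, pubkey))
        if prev is None or cur["handshake"] > prev["handshake"]:
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(cur["handshake"]))
            events.append(f"{iface} peer={pubkey[:16]} endpoint={cur['endpoint']} "
                          f"handshake={stamp} rx={cur['rx']} tx={cur['tx']}")
    return events

def poll(interval=30):
    # Live mode: needs root and `wg` on PATH (e.g. from the OPNsense shell).
    previous = {}
    while True:
        out = subprocess.run(["wg", "show", "all", "dump"], capture_output=True,
                             text=True, check=True).stdout
        current = parse_dump(out)
        for line in handshake_events(previous, current):
            print(line, flush=True)
        previous = current
        time.sleep(interval)

if __name__ == "__main__":
    poll()
```

Piping the script's output through logger(1) puts the handshake events into syslog next to the firewall's other logs; peers that only ever show a handshake age of "never" produce no entry.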
#2
25.1, 25.4 Production Series / Re: Wireguard Speed Issue
February 14, 2025, 03:49:29 PM
I'm no expert and I'm curious as to why your performance is poor in just one direction.  With OPNsense 25.1.1 on a DEC850 with 10G ports, I'm getting around 2Gbps both Up/Dn single threaded.  I've tried higher -P values, but the results are about the same even though I have applied some RSS tweaks.  Here's a screen shot using my Windows PC with WireGuard activated through the firewall to an iperf instance on my NAS server (all 10G path).

My configuration is dual stack (IPv4/IPv6) and also I use a lower WireGuard MTU of 1360 because my phone is cellular CGNAT even though my test result above is from my PC which is not using cellular:

I also have a firewall normalization entry:

root@OPNsense:~ # netstat -Q
Configuration:
Setting                        Current        Limit
Thread count                         8            8
Default queue limit                256        10240
Dispatch policy                 direct          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   4096    cpu   hybrid   C--
igmp       2    256 source  default   ---
rtsock     3    256 source  default   ---
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6   1000    cpu   hybrid   C--
ip_direct     9    256    cpu   hybrid   C--
ip6_direct    10    256    cpu   hybrid   C--
#3
Instead of trying to change the MTU on the interfaces, try changing the MTU in the WireGuard instance configuration.  (toggle 'advanced mode' to see the MTU setting).  I have found that I need to set it to 1360 for my road warrior devices.
#4
This is easily reproducible by hitting the up-arrow key twice at the console login prompt.  Then press enter twice.
The username will be shown in the audit log like you've stated.
#5
I'm still a newbie here on 24.1.8, but I haven't upgraded to 24.1.9 yet in fear of this issue.  Can anyone with this particular DHCP6 symptom reply what their settings are for:

System / Gateways / Configuration / WAN1_DHCP6:

   Upstream Gateway [mine is checked]
   Disable Gateway Monitoring [mine is unchecked]

On 24.1.8, I experienced something similar when the 'Upstream Gateway' was [unchecked] and my LAN was set to track interface.
#6
If you haven't already, check out the following video closely to see if something in it might help you troubleshoot your situation:
https://www.youtube.com/watch?v=Yb7JdIFriKI&t=901s
#7
Very interesting.  We followed a very similar path.  My instance had the same symptoms last week.  I was pulling my hair out trying to solve it.

Anyhow, everything has been working flawlessly for a week now, but unfortunately, I don't know exactly what the fix was.  The last thing that I did to get it working was to click the WAN reload button on the Interfaces/Overview page not just once, but several times.  It might be a coincidence, but the results were strange as I saw it sometimes not provide an IPv6 address to the LAN network.  I clicked it slowly maybe 5 times total until I saw it provide an address again.  It's been working ever since.  Disclaimer: there's definitely a chance that it was some other setting that I changed beforehand, but I'm getting too old to remember and too lazy to look through the config history.
#8
I'm new here.  My first post to future self, hoping that search engines find this subject.  There's another thread which is top ranked, but it is closed now and it doesn't provide a working solution:

The OPNsense 24.1.6 web interface still doesn't seem to have a way to list local DNS entries, but if you have access to the console port (or SSH) and appropriate privileges, you can execute the following command to list local DNS entries:

sudo unbound-control -c /var/unbound/unbound.conf list_local_data | more

Usage:  unbound-control [options] command
        Remote control utility for unbound server.
Options:
  -c file       config file, default is /usr/local/etc/unbound/unbound.conf
  -s ip[@port]  server address, if omitted config is used.
  -q            quiet (don't print anything if it works ok).
  -h            show this usage help.
Commands:
  start                         start server; runs unbound(8)
  stop                          stops the server
  reload                        reloads the server
                                (this flushes data, stats, requestlist)
  reload_keep_cache             reloads the server but tries to
                                keep the RRset and message cache
                                if (re)configuration allows for it.
                                That means the caches sizes and
                                the number of threads must not
                                change between reloads.
  stats                         print statistics
  stats_noreset                 peek at statistics
  stats_shm                     print statistics using shm
  status                        display status of server
  verbosity <number>            change logging detail
  log_reopen                    close and open the logfile
  local_zone <name> <type>      add new local zone
  local_zone_remove <name>      remove local zone and its contents
  local_data <RR data...>       add local data, for example
                                local_data www.example.com A 192.0.2.1
  local_data_remove <name>      remove local RR data from name
  local_zones, local_zones_remove, local_datas, local_datas_remove
                                same, but read list from stdin
                                (one entry per line).
  dump_cache                    print cache to stdout
  load_cache                    load cache from stdin
  lookup <name>                 print nameservers for name
  flush <name>                  flushes common types for name from cache
                                types:  A, AAAA, MX, PTR, NS,
                                        SOA, CNAME, DNAME, SRV, NAPTR
  flush_type <name> <type>      flush name, type from cache
  flush_zone <name>             flush everything at or under name
                                from rr and dnssec caches
  flush_bogus                   flush all bogus data
  flush_negative                flush all negative data
  flush_stats                   flush statistics, make zero
  flush_requestlist             drop queries that are worked on
  dump_requestlist              show what is worked on by first thread
  flush_infra [all | ip]        remove ping, edns for one IP or all
  dump_infra                    show ping and edns entries
  set_option opt: val           set option to value, no reload
  get_option opt                get option value
  list_stubs                    list stub-zones and root hints in use
  list_forwards                 list forward-zones in use
  list_insecure                 list domain-insecure zones
  list_local_zones              list local-zones in use
  list_local_data               list local-data RRs in use
  insecure_add zone             add domain-insecure zone
  insecure_remove zone          remove domain-insecure zone
  forward_add [+i] zone addr..  add forward-zone with servers
  forward_remove [+i] zone      remove forward zone
  stub_add [+ip] zone addr..    add stub-zone with servers
  stub_remove [+i] zone         remove stub zone
                +i              also do dnssec insecure point
                +p              set stub to use priming
  forward [off | addr ...]      without arg show forward setup
                                or off to turn off root forwarding
                                or give list of ip addresses
  ratelimit_list [+a]           list ratelimited domains
  ip_ratelimit_list [+a]        list ratelimited ip addresses
                +a              list all, also not ratelimited
  list_auth_zones               list auth zones (includes RPZ zones)
  auth_zone_reload zone         reload auth zone (or RPZ zone) from zonefile
  auth_zone_transfer zone       transfer auth zone (or RPZ zone) from master
  view_list_local_zones view    list local-zones in view
  view_list_local_data  view    list local-data RRs in view
  view_local_zone view name type        add local-zone in view
  view_local_zone_remove view name      remove local-zone in view
  view_local_data view RR...            add local-data in view
  view_local_datas view                 add list of local-data to view
                                        one entry per line read from stdin
  view_local_data_remove view name      remove local-data in view
  view_local_datas_remove view          remove list of local-data from view
                                        one entry per line read from stdin
  rpz_enable zone               Enable the RPZ zone if it had previously
                                been disabled
  rpz_disable zone              Disable the RPZ zone
Version 1.19.3
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues