Messages - pfScrub

#1
If you have static IPs, do they all have FQDNs and ACME certs? If you are using your ISP's static IP, maybe try and match their domain to yours and use dnsmasq with their servers if you have no need of nginx?


Sent from my iPhone using Tapatalk
#2
Are you behind an ISP gateway? Is DHCP enabled? Are you getting ARP from WAN-side entities?
#3
Maybe check out DHCP on WAN, try the top command to see if something is using too much CPU, or check if your traffic inspector or IDS is up to date or has certs and if they are trusted by endpoints. Maybe also delete endpoint expired certs.
#5
Really though, it is an all-in-one piece of garbage.
#6
Could also be the ISP sending IEEE 1905.1 frames. And maybe Spanning Tree Protocol. Supposedly it invisibly negotiates QoS with interrupts and routes Bluetooth and WiFi around ISP meshes. 🤮 Not okay if you are traffic shaping yourself.

"Scope
This standard defines an abstraction layer for multiple home network technologies. The abstraction layer provides a common data and control service access point to the heterogeneous home network technologies described in the following specifications: IEEE Std 1901(TM)-2010, IEEE Std 802.11(TM)-2012, IEEE Std 802.3(R)-2008, and MoCA(R) 1.1. Other network technologies are supported by an extensible mechanism using an IEEE OUI and an XML-formatted document.
Purpose
The abstraction layer's common interface allows applications and upper layer protocols to be agnostic to the underlying network technologies. The purpose of this standard is to facilitate the integration of IEEE 1901 with other home network technologies. Additionally, the purpose of this standard is to define an abstraction layer that allows the following:
-- Common network setup among heterogeneous network technologies
-- Providing the same user experience in the process of adding a device to the network and the same user experience while setting an encryption key
-- Intelligent network interface selection for delivery of packets that provides improved coverage performance, improved data rate on the poorest link, improved network capacity, improved network reliability and QoS, and support for end-to-end QoS for different traffic classes
-- Seamless/transparent interface switching
-- Real-time mapping of connection links and interfaces for each traffic class/stream
-- Green energy management"



Or have devices that don't use that protocol and have special ed Ethernet ports that are also USB polling and connected to an HDMI adapter (i.e. a Nintendo).

ISP may be sending spanning tree at you too.

To be honest, my dumb ISP's router can't identify devices sometimes over LAN. But with the help of an external Chinese WAP, MAC addresses started being correctly identified by the router. (One of the reasons to use a FreeBSD router anyway.)
#7
And maybe the Netgate SSD is optimized for ZFS and OPNsense is UFS. I have reformatted home lab SSDs as XFS and tried ZFS before. And it worked but maybe broke things.
#8
Quote from: vicking on September 19, 2024, 11:34:51 AM
I will try that!

I am using a PPPoE connection which requires VLAN tag 6 for internet.
My MTU is set at 1508 so the calculated PPP MTU is 1500.
Here are some more possible issues:

Maybe Netgate-specific:
- mbuf exhaustion
- MSI-X
- RSS
- Intel Management Engine BIOS firmware and mitigations (sometimes my AMD PSP chips may be to blame for issues with multi-operating systems)
- Intel QuickAssist incompatibility

Not exactly Netgate-related:
- Improper DSCP between ISP and firewall
- IPv6 bugging out
- DNS
- ECN settings
- (maybe) rx and tx file descriptors (some people say to set rx twice the tx)
- Auto interframe spacing in Intel drivers (and other drivers) not correctly working between OS and hardware
- Not perfect ifconfig settings. Have you tried ifconfig ifdisabled or disabling IPv6? A tcpdump?

Some people say lowering the quantum setting to 300 in OPNsense makes a huge difference. Others say to set the quantum to the MTU.
#9
24.1, 24.4 Legacy Series / Re: bufferbloat drives me crazy
September 26, 2024, 10:03:28 PM
If you can do forensics on device specific TCP connections, SYN proxies on a LAN interface, as opposed to squid proxy, sometimes works well. Allow the firewall to do the TCP.
#10
24.1, 24.4 Legacy Series / Re: bufferbloat drives me crazy
September 26, 2024, 10:00:11 PM
There is a system tunable called ECN max retries. I can't find it from my phone. It is generally set to two by default. I like to set it to zero. Seems to help some legacy stuff. You can always run fq_codel without ECN too.
#11
It may be a WPAD error too. Do you have a pcap? Or mDNS being sent to regular DNS.
#12
Quote from: pfScrub on September 26, 2024, 08:43:26 PM
In system tunables there are byte limits for dummynet pipes.

As in, I think there are byte queues instead of packet queues. No idea if this setting is part of byte queues in the dummynet sysctls or if it is referring to a quantum setting.
#13
Also, apologies for using the wrong thread. My phone's forum manager is weird. I guess it could apply here though as I have used squid with traffic shaping before.
#14
I found this manual from my ISP, who implements fq_queueing with their Vyatta routers (VyOS).

They use a similar queue limit with their drop tail (I think), but where in OPNsense is the fair queue queue limit? See below: it says "a queue is not permitted to exceed 127 packets" for the fq part.

In system tunables there are byte limits for dummynet pipes.

They probably don't implement codel with fq as far as I can tell, but maybe finding that packet queue setting and trying to conform with it can prevent errors when I bridge or double NAT with them or even when I traffic shape my VPNs.

#15
There is probably a company called Genuine that manufactures Intel cards though.