Messages - nero355

#1
26.1, 26,4 Series / Re: Virtual IP
May 19, 2026, 04:18:33 PM
Quote from: Seimus on May 19, 2026, 03:42:11 PM
https://github.com/SeimusS/Pihole-HA
I always feel like this :
Quote
Subnet:    192.168.1.0/24
PRIMARY:   192.168.1.1/24
SECONDARY: 192.168.1.2/24
VIP:       192.168.1.3/24
Should be :
Quote
Subnet:    192.168.1.0/24
PRIMARY:   192.168.1.2/24
SECONDARY: 192.168.1.3/24
VIP:       192.168.1.1/24
But maybe I am just weird :)

Thanks for posting exactly what I was talking about though! Nicely done! ;)
#2
Quote from: scopecat on May 18, 2026, 12:53:39 AM
Setting kern.ipc.maxsockbuf=8388608 seems to fix the failure.
What was the default value ?!
Quote
Does anyone know why unbound is asking for more buffer space than OPNSense is configured by default to give?
It looks like this issue : https://docs.pi-hole.net/guides/dns/unbound/#fix-so-rcvbuf-warning-in-unbound

What is the size of your network ?
How many Clients ?
#3
26.1, 26,4 Series / Re: Virtual IP
May 19, 2026, 03:35:47 PM
Quote from: SenseX on May 19, 2026, 08:57:44 AM
I have two Pi-holes and want to group them into one virtual IP.
You can do that by running VRRP for your Pi-Hole DNS Servers :)

Take a look at some of the topics @ https://discourse.pi-hole.net/ like this one for example : https://discourse.pi-hole.net/t/clustered-pihole-ive-done-it/12716
But keep in mind that was for Pi-Hole v5.x.x and not Pi-Hole v6.x.x so you might want to find more recent solutions for some parts of the setup !!
#4
General Discussion / Re: youtube going offline
May 19, 2026, 03:04:14 PM
Quote from: oriagranat9 on May 19, 2026, 09:03:06 AM
my isp only supports ipv4
What's your WAN IP at the moment : A real IPv4 Address or a CG-NAT one ?

A lot of online services start tripping out when they see huge amounts of traffic coming from the same IP address and if you are logged in to one of those you will also see verification stuff starting to pop-up all the time !!


YouTube and all other Google stuff can be seriously annoying in general so maybe you shouldn't worry about it too much to be honest... :)
#5
Quote from: BrandyWine on May 16, 2026, 05:37:09 PM
I am more curious as to why the vendors do not have readily available updates for download.

There may be a mix/match issue with driver vs nvm, but a newer nvm should be a-ok to run with "not the latest driver", which usually means kernel build.
Agreed! :)

Quote
Quote from: ajohn on May 17, 2026, 02:24:32 PM
I am curious :
Did you contact Protectli first and try to get the update from them directly ?
If so : What did they say ?
I didn't ask them.
Thank you! :)
#6
Stuff related to Gaming Online should only need 1:1 Port Mapping in your NAT a.k.a. Static-Port in OPNsense Outbound NAT Rules : https://docs.opnsense.org/manual/nat.html#outbound

Only when you want to Host Servers you will need to actually Port Forward some ports, but I am guessing that's not your problem :)


Even NAT-behind-NAT should not be an issue, but I don't know what kind of stuff your other Router does with the connection so you will have to figure that out on your own...
#7
Quote from: meyergru on May 16, 2026, 04:04:48 PM
Realtek NICs aren't, either. And see how well they work.
IMHO that's a totally different category of hardware :
RealTek = Consumer Level
Mellanox = Workstation/Server/Enterprise Level

Quote
Basically, anything apart from Intel hardware could be called "exotic".
Hmm... OK... but Broadcom a.k.a. LSI a.k.a. Marvell hardware isn't exactly a small part of the market either ?!

I can live with RealTek and Aquantia not being supported as they should be from the manufacturer in FreeBSD but the above stuff needs to 'Just work!' at all times...
Quote
But if it works fine under virtualisation according to your experience, then maybe you can help the OP?
Unfortunately my short VT-D experiments never got to meet any i226 NICs (or any earlier models from the same series) and were mostly done with LSI HBAs and the older Dual/Quad Port 1 Gbps Intel NICs :)
#8
Quote from: ajohn on May 16, 2026, 03:30:45 PM
Can report success on a Protectli v1410! I downloaded the 1MB firmware from the BillyCurtis github page and extracted the freebsd nvmeupdate64e executable from a recent firmware update from the intel website (used intel 830 series firmware update package).
I am curious :

Did you contact Protectli first and try to get the update from them directly ?
If so : What did they say ?
#9
Quote from: alto on May 16, 2026, 09:44:41 AM
I currently have my management interface (igb0) connected with copper cat6 to my switch, this is also the parent interface of all my vlans.
You should split that up to two separate interfaces :
- Management Interface
- Empty Interface with all VLANs on it.

Quote
I want to change this to run over sfp+ though, i.e. to use interface ax0 instead.
But what is the procedure to do this so that I don't completely lock myself out of the router if I change the management interface device from igb0 to ax0 and something doesn't work?
Think about what you need and what you are doing and you will probably come up with something like this : https://forum.opnsense.org/index.php?topic=51018.msg261070#msg261070
#10
Quote from: meyergru on May 16, 2026, 09:46:54 AM
Is there any specific reason why you want to pass the adapters thru?
To not have to mess around with VMBR stuff is a very good one :)

IMHO the more you can "VT-D through" the better!

Quote
That lays the burden of driving the adapters to FreeBSD, which traditionally is not particularly good at handling "exotic" hardware, all along on top of a virtualisation layer.
Mellanox 10 Gbps NICs are not that exotic ?!
#11
Quote from: Adamzsite on May 15, 2026, 12:46:59 PM
I have been coming to the realisation that not every user has tablets and phones/computers that can show a CP login page.
Sometimes you can install additional "Helper Software" so to speak to connect those devices so you could also look at those for your specific Clients :)
#12
Quote from: Greg_E on May 14, 2026, 03:45:57 PM
needs to be at least an Atom 3000 series
Have you seen this topic : https://forum.opnsense.org/index.php?topic=46431.0 ??

IIRC most of the units being sold on eBay were on your side of the world :)
#13
Quote from: UiD on May 14, 2026, 04:22:03 PM
disable => Allow DNS server list to be overridden by DHCP/PPP on WAN
Why not use that simply and allow the updates to go via your ISP's DNS Servers ?!
#14
Quote from: Kinerg on May 14, 2026, 11:56:52 PM
Quote from: nero355 on May 14, 2026, 03:45:22 PM
If possible you should avoid Reverse NAT a.k.a. NAT Loopback anyway, so maybe a good moment to consider moving away from it ?!
Why? Genuine question.
To be honest I can't remember the whole theory behind it anymore (It's been like 20 years or so... LOL!) but in the past it has always been considered as a possible security issue and something that shouldn't have ever existed in the first place and thus deprecated technology basically :)
#15
If possible you should avoid Reverse NAT a.k.a. NAT Loopback anyway, so maybe a good moment to consider moving away from it ?!