Messages

[dual homed VM]

It's just that now that I added a dual homed VM to the same proxmox host (attached to two of the bridges Opnsense uses),I notice somehow Opnsense *also* deals with packets that shouldn't be processed, so I get tons of drops.
I get drops for intra VLAN activity (from/to the same local subnet).

And it seems it's like return traffic only (like it's all ACKs, never a SYN).
Obviously Opnsense drops these as invalid state/default deny.

In case anyone has a clue that would be much appreciated.

This sounds a lot like like A-Symmetric Routing ?!

Could also be a faulty port on the switch or on your firewall

Since I had this happen on two totally different Switches from two different brands I am suspecting it might be the case here too...

or bad NIC support if Realtek NICs are in use.

igc = always Intel AFAIK ?!

1) I am using a Cat6 cable factory made

Is this just UTP or some Shielded version ?

There are some Switches that do not like Shielded cables out there !!

3) Setting both sides to autonegotiate, I only get 100meg
4) Setting both sides to 1000baseT Full, no connection at all.

- Automatic Negotiation is the best way to detect issues, so avoid using Manual Settings !!
- What happens when you "wiggle" the connector of the cable in the port ?
The LED of the port could show changes in the operating speed while you do this.

I do have many other devices on the switch that are indeed connected at 1000baseT.

Could you swap ports to make sure it's not the NIC Port of your OPNsense having issues ?

Perhaps a switch incompatibility?

Don't think so... Very rare anyway...

What switches are folks using that you know work?

Any decent brand should work and if it doesn't then it's probably a cable or port issue IMHO :)

The recent talk about a "Favorites" feature is pretty much all I need so far :)

I would then create sub-folders for each Network/VLAN and add the corresponding settings into each of them.

there is no real USG whether its EOL or not is not the point.

There is a point if it's unsupported as of version x.y.z of the UniFi Controller and might not show any statistics at all because of that even tho it's not the actual device !! ;)

I would suggest emulating something recent like the https://eu.store.ui.com/eu/en/category/cloud-gateways-compact/products/ucg-ultra since it's very likely that it's going to be supported for a long time in the future.

You are aware of https://docs.opnsense.org/manual/diagnostics_interfaces.html#trace-route or not ?

You can create a "Traceroute Job" there too.

https://docs.opnsense.org/manual/kea.html#prefix-delegation-ia-pd still lists that "Kea supports prefix delegation with static prefixes." and that "Dynamic prefixes common with most residential ISPs are not supported.".

Since most ISPs I have read about so far assign Dynamic IPv6 Prefixes which more or less stay Static or completely Static it's not a big deal IMHO.

And if the Prefix changes from time to time anyway... well... then that's too bad and I will just have to deal with it once in a while :)

Does 26.1 offer this functionality (either in dnsmasq or Kea) or do I need to remain on ISC DHCPv6 for this feature?

AFAIK that's what DNSmasqd is for with the small drawback that it can't delegate a IPv6 Prefix to another Router/Server unlike KEA so that's something to keep in mind too in case you need that functionality.

This is system has run very well for around 2+ years and I kept it up to date weekly.

What's the status on the cooling of the system :
- Dust free ?
- Cooling paste not too old ?

Just a thought since I don't see anything about the type of Server Hardware you are using :)

There is also nothing quite like the whole ports ecosystem where you can build the whole system reproducibly and declaratively from source.

Another thing that's really annoying in Linux : Distro Release X leaves you stuck with Application Release Y

While in FreeBSD I can simply do my own thing via the Ports and install a newer version :)

I also do not miss systemd in the slightest to be honest. :D

Another weird thing :
- The Linux distro uses SystemD.
- But it does not use it's networking component and uses NetworkManager instead for example.

Result : Sometimes the whole timing between the Network Interfaces coming UP and services bound to a specific IP Address like OpenSSH Server getting started miss their timing and things go horribly wrong...

There is a SysCtl workaround for this, but still... What the heck ?!?! :(

Podman is just an alternative to Docker and something I don't feel like maintaining either :)

That's the beauty of it: you don't manage anything.  It manages itself, including updates.  You don't touch a thing on the OS.  From the user perspective it's just an app installer.  You run it.  It installs UOS.  Done.

That wasn't the case in the past.  You needed to install and maintain Docker yourself, as well as each container (MongoDB, Network) and their connections.

It's the same crap like with Docker : https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md

I don't need those additional Network Interfaces on my Host ;)

No, no Docker needed.

I meant that I used to use Docker for hosting the legacy Network controller but it was a bit cumbersome, especially under Proxmox. 

With UOS you just run the installer and it sets up its own environment with podman, which it installs from the OS repo.

Podman is just an alternative to Docker and something I don't feel like maintaining either :)

https://ui.com/download/software/unifi-os-server

has an arm64 build, which installs on raspiberry pi without AXV, obviously.

That's not how it works my guy :)

where is the AVX is required? maybe for x86?

100% This =>

For MongoDB since version 5.0:  https://www.mongodb.com/docs/manual/administration/production-notes/

And for ARM you need at least ARMv8.2-A.

This change effectively rendered both my Intel NUC7PJYH (J5005) and RPi 3B+ incapable of running the Network controller with any still-supported version of Mongo.  Neither can my OPNsense box (N5105).

You can cheat it all for a while (I have got the UniFi Controller 9.x.x running on an old Intel Atom NUC 2820 FYKH) but one day you will have to upgrade to something newer !!

For now I am leaning towards some AARCH64 product with A55 Cores like the Odroid C4 Series.

AVX2 was 2013, haswell, so even that isn't really a concern at this point.

You want something that is Intel Atom/Celeron/Pentium like and the price of the models with AVX/AVX2 is still pretty high compared to older models...

i have no love for unifi and its lottery / gamble of software updates

100% Agree! :)

but this thread seems like it has a lot of misinformation in it

So far I haven't seen anything that isn't true in the sense that it's a total lie ?!

Yes, I was only talking about x64 as VM, which seems like the obvious choice for self-hosting.

Not always the case :)

I know you can use a Raspberry, yet I found it to have a high power envelope for what it can do

The Raspberry Pi models were compared against each other at the time when the Raspberry Pi 3B+ was released and it turned out that the Pi 2B and 3B had the best Power to Performance ratio of all models !! ;)

Sadly the specific Blog article was removed by the Raspberry Pi Foundation on their website so I can't give you a link to it.
In the Pi 4B and 5B years there were also no new articles with similar tests so I can't say anything about those models in this regard.

That AVX requirement on x64 platforms is mostly irrelevant anyway, because even an N100 has AVX2. Any fairly modern x64 CPU should have it.

Intel Atom/Celeron/Pentium NUCs and all similar models have gone up in price a lot over the years so a Odroid with A55 Cores or Raspberry Pi with A76 Cores could be the better alternative for some people...

I use an old unifi cloud key gen2

The problem with those things is that once they are declared EOL you can't use them for anything else...

Or at least so far I have not read about it anyway.

and then i dont have think about it and move on with my life and not make homelab a 2nd full time job.

It's a hobby, not a job for me :)

i assume either that is arm64 is 8.2+ or unifi will figure it out, one way or the other.

Yeah, they will figure it out for you by making you buy a new one! LOL! ^_^

Why do you want the USG in your UniFi Controller while all USG models are declared EOL officially and should be avoided since about 1 year ago ?!

I have replaced mine with OPNsense and I don't really miss it to be honest :)



_{But then again pfSense/OPNsense or the USG or simply use my xDSL Modem/Router from DrayTek with GlassFiber too was something I considered a long time ago anyway so you could say I am a bit biased...}

Heh: Did they ever fix their one-VLAN limitation?

When I see all of this : https://www.ipfire.org/about

It sounds like a Licensing thing that you are talking about and not a limitation inside the underlying Linux distro ??

Also I know people who simply grabbed a Minimal Debian install and built their own DIY Router on top of that with IPTables/NFTables and some SystemD Networking Services ;)

[/EDIT :]

I lose opnsense access when error popup and can not connect to it after.

So you have logging to RAM enabled ?

Maybe temporarily disable it for troubleshooting purposes ?

Storage is good and used for 2 years now.

Maybe there is something wrong with the microSDXC card anyway ?

I am using ZFS because N100 is not work well with UFS. Dont know if this fixed yet.

First time I have heard of that... weird...

/EDIT :
Oww... never mind... I see it's solved now :

*** I just found that there are 26.1.2 iso available. I use this iso for new installation and everything went well now.

:)

After upgrading to OPNsense 26.1.6

Are you from the future ?

;)



/Could not resist... ^_^

I wish I knew where I read that KEA was deprecated, as I got the impression it was the whole module, not just an API.

KEA and the now EOL declared ISC are made by the same people so maybe you mixed up something there ?

The reason that ISC is now a plug-in for OPNsense is that KEA has replaced it so it would be weird to declare KEA deprecated ;)