Messages

Being virtualized, did you turn off all the hardware checksum offloading in OPNsense?

This is an Intel nick that's been running great for quite a few years.  Didn't have this particular issue back in the summer and folks are correct, about the last update is when I started noticing the issue.
I'm continuing to look at logs when it happens to see if I can sort out what is going on, but so far nothing stands out.

After some more observations and testing, this issue that is discussed does not seem to apply to my Intel setup.  I'm pretty sure my ISP did something; not sure what but will keep an eye out if the issue persists.

So far, I'm stable. 

This is an Intel nick that's been running great for quite a few years.  Didn't have this particular issue back in the summer and folks are correct, about the last update is when I started noticing the issue.
I'm continuing to look at logs when it happens to see if I can sort out what is going on, but so far nothing stands out.

Ok maybe I'm not losing my mind.

I've seen the same errors, but can't remember when it started.  I tought at first it was my ISP dropping.

What I noticed is no more arp, no route... just out of the blue.   I have to down the interface and bring it back up, and it's fine.

Reboot of the firewall fixes it as well, and a power cycle of the ONT fixes it.  I don't think your card is going bad... I think something odd is definitely going on.

[Allow PCP/NAT-PMP Port Mapping]

Disabling Allow PCP/NAT-PMP Port Mapping setting doesn't help. I can still see duplicate entries and the client reads them incorrectly.

Confirmed.  I thought at first it was working, but nah, back to a bunch of duplicate entries.

Reporting -> Settings

Under "Unbound DNS reporting"

"Reset DNS Data"

I had to do something similar.

I'm seeing this too.  Do you happen to have NAT-PMP checked as well in your UPnP settings?

I did have that turned on.   I've disabled it for now, not sure it would matter, but here's hoping!

It is not the job of the recursive DNS server to append search domains. The resolver library on the client does that.

Oh I know, however it appears KEA doesn't quite use the default system one as ISC did.  Most likely just some missing options right now.  Not a showstopper, just a minor annoyance. :)

System : Settings : General

I set this on my install, but still having issues pinging just by host name internally, unless I'm missing something else.

After reading this I check and I'm seeing the same growing list happening.  Not sure it's causing any issues, but it's concerning for sure.

I have a rule that contains IPs, Aliases, etc. for internal machines that I do not want to have specific internet access when a VPN tunnel goes down.

I tag those as "BLOCKINET" and then in my WAN OUTBOUND Rules I have a match set for BLOCKINET and anything with that tag set and matches, I set it to 'block' so they cannot route out the WAN interface if the VPN tunnel goes down.

release then renew WAN

Is that because your modem assigns a private address if it has no upstream connection? Cable modems typically do that (192.168.100.1 is their standardized IPv4 address).

That's exactly what the "Reject Leases From" feature is for (in the WAN interface's DHCP client configuration).

Cheers
Maurice

This is exactly what my modem does, so I set it to reject those leases.  Works like a charm until the cable modem is back up and functioning.

You're welcome!

Most likely what is happening is when you enable wireguard your Local endpoint config in OPNsense is overwriting the default routes.

You can try going into the Local endpoint config and select "Disable Routes"

That should stop it from adding it's own routes into the table.

Your question is extremely broad and vague at the same time.

What benefits are you looking for?

If you took on this project, you should be able to give us a bit more detail of what YOU'RE looking for in a firewall and your plans for the implementation.