Messages - bcookatpcsd

#1
Our DoS friends are of course back.. still working with the provider to get things in place on their end..

OpnSense interfaces used to throw errors.. latest versions they have not been.. (which is great)

in /var/log/gateways/ and Systems > Gateway > Log Files

is basically the same information but parsed differently for the UI..

is Monit the only way to get system/service alerts?

Screenshot attached.. not sure why 50k pps would be such a thing.. the box is certainly responsive and not breaking a sweat..

https://blog.cloudflare.com/ddos-threat-report-2023-q4
( DNS floods and amplification attacks )

12:10:36 -> 12:10:41 is about 11MB of txt uncompressed..

awk '{print $3}' ddos-dns-flood | sort -u | wc -l
64754

anyway.. is the Monit subsystem the best/only way to get such emails?

Thank you in advance..
#2
Thank you.. greatly appreciate the acknowledgement.

fwiw, I'm not doing ssl-bump

configs for https://meta.wikimedia.org/wiki/Cunningham%27s_Law..


root@OPNsense:/usr/local/etc/squid # cat squid.conf
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#



# Setup regular listeners configuration
http_port 10.20.245.10:3129


acl ftp proto FTP
http_access allow ftp


# Setup ftp proxy

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
# Default allow for local-link and private networks
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# ACL - Allow localhost for PURGE cache if enabled

# ACL lists

# ACL - Allow Subnets - User defined (subnets)
acl subnets src 10.120.56.0/22
acl subnets src 10.120.60.0/22
acl subnets src 10.20.48.0/20
acl subnets src 10.120.49.0/24
acl subnets src 10.120.50.0/24
acl subnets src 10.120.51.0/24
acl subnets src 10.120.52.0/24
acl subnets src 10.121.48.0/22
acl subnets src 10.20.245.8/29
acl subnets src 10.20.112.200/32
acl subnets src 10.120.48.0/24

# ACL - Remote fetched Blacklist (remoteblacklist)

# ACL - Block browser/user-agent - User defined (browser)

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 82 # unknown
acl SSL_ports port 8080 # unknown
acl SSL_ports port 443 # https
acl SSL_ports port 5228-5230 # unknown

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 82 # unknown
acl Safe_ports port 8080 # unknown
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 5228-5230 # unknown
acl CONNECT method CONNECT

# ICAP SETTINGS
# disable icap
icap_enable off

# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf

# Authentication Settings
# Google Suite Filter

# YouTube Filter
request_header_add YouTube-Restrict moderate

# Deny requests to certain unsafe ports

http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Auth plugins
include /usr/local/etc/squid/auth/*.conf

#
# Access Permission configuration:
#
# Deny request from unauthorized clients

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet

# ACL - localhost
http_access allow localhost

# ACL list (Allow) subnets
http_access allow subnets

# Deny all other access to this proxy
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf

# Caching settings
cache_mem 4096 MB
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 2048 KB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Squid Options
pinger_enable off
access_log stdio:/var/log/squid/access.log squid
# Disable cache store log
cache_store_log none
dns_nameservers 172.16.48.247
# Suppress http version string (default=off)
httpd_suppress_version_string on
# URI handling with Whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible hostname
visible_hostname proxy.at.bldg.name

# Set error directory language
error_directory /usr/local/etc/squid/errors/local



# cat auth/local.conf
shutdown_lifetime 0 seconds

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6
http_access deny to_ipv6
http_access deny from_ipv6

positive_dns_ttl 5 minutes

client_db off
memory_pools off

pinger_enable off

read_timeout 5 minute # default 15
write_timeout 5 minutes # default 15

max_filedescriptors 204800
digest_generation off

ipcache_size 4096
workers 1

accept_filter httpready
accept_filter dataready

collapsed_forwarding on
half_closed_clients off
pipeline_prefetch 6 # default 0

## timeouts
forward_timeout 1 minute # default 4
connect_timeout 1 minute # default 1
request_timeout 1 minute # default 5
client_lifetime 2 hours # default 24


# quick_abort_min 0 KB
# quick_abort_max 0 KB
# we recommend first tuning the read_timeout,
#       request_timeout, persistent_request_timeout and quick_abort values.

happy_eyeballs_connect_timeout 30 # default 250
pconn_lifetime 60 seconds  # default 0


# kldstat | grep 'http\|data'
4    1 0xffffffff823ea000     2828 accf_data.ko
6    1 0xffffffff823f2000     2e38 accf_http.ko

# cat /boot/loader.conf.local
cc_htcp_load="YES"

accf_http_load="YES"
accf_data_load="YES"
accf_dns_load="YES"

machdep.hyperthreading_intr_allowed=1
# net.inet.tcp.tso=0
kern.ipc.nmbclusters=2048000
kern.ipc.nmbjumbop=524288


it seems to say it core'd but then something does start..

find / -name \*.core | xargs ls -al
-rw-------  1 root   squid   16470016 Feb  7 13:26 /usr/local/etc/squid/squid.core
-rw-------  1 root   wheel     704512 Nov  9 23:04 /usr/local/opnsense/service/php.core
-rw-------  1 root   wheel  176029696 Nov 29 09:01 /usr/local/opnsense/service/python3.9.core
-rw-------  1 root   wheel   11051008 Oct 25 23:12 /usr/local/www/pfctl.core
-rw-------  1 root   wheel   33144832 Jul 31  2023 /var/db/syslog-ng.core
-rwxr-x---  1 squid  squid  639852544 Feb  7 13:25 /var/squid/cache/squid.core
-rwxr-x---  1 squid  squid   16470016 Feb  7 13:36 /var/squid/squid.core
#3
root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid           56643   0.0  0.1  149112  19228  -  Is   13:28       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
squid           57516   0.0  0.3  292964  52924  -  S    13:28       0:00.17 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
root            69827   0.0  0.0   12720   2392  1  S+   13:35       0:00.00 grep squid
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.
squid.conf.documented  squid.conf.sample
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.documented
#       <pid>'.
#  TAG: pid_filename
#       Note: If you change this setting, you need to set squid_pidfile
# pid_filename /var/run/squid/squid.pid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
56643
root@OPNsense:/var/log/squid # kill -9 56643 57516
root@OPNsense:/var/log/squid # ps auxwww | grep squid
root            80421   0.0  0.0   12720   2388  1  S+   13:36       0:00.00 grep squid
root@OPNsense:/var/log/squid # rm /var/run/squid/squid.pid


root@OPNsense:/var/log/squid # /usr/local/etc/rc.d/squid start
Segmentation fault
Starting squid.
Segmentation fault (core dumped)
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid           67739   1.4  0.3  292964  52868  -  S    13:36       0:00.14 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid           66736   0.6  0.1  149112  19228  -  Ss   13:36       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root            93375   0.0  0.0   12720   2384  1  S+   13:36       0:00.00 grep squid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
66736
root@OPNsense:/var/log/squid #


:o
#4
I pulled down gost from github.. there is no rust-shadowsocks freebsd port ..

./gost-freebsd-amd64-2.11.5 -L=10.20.245.10:3128

I changed squid to run on 3129 for the time being..

for anyone else interested..

netstat -an | grep 3128 | wc -l
    12706

things are at least moving again..
#5
OPNsense 24.1.1-amd64

no updates.. available.. squid migrated to package

# pkg info | grep squid
os-squid-1.0                   Squid is a caching proxy for the web
squid-6.6                      HTTP Caching Proxy
squid-langpack-7.0.0.20230225  Language-specific error documents for Squid web cache

machine up 6 days..

6 days 16:03:55

tried to enable logging to work through a problem with someone..

squid won't restart..

here's another machine with the same issue..

2024/02/07 13:12:46| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/07 13:12:46| Requiring client certificates.
Segmentation fault (core dumped)
root@OPNsense:~ # uptime
1:15PM  up 6 days,  8:11, 1 user, load averages: 0.36, 0.54, 0.56
root@OPNsense:~ # ps auxwww | grep squid
squid   19995   1.9 11.9 2310112 1974192  -  S    Thu05     245:03.09 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid   18901   0.0  0.1  148980   18124  -  Is   Thu05       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root    78055   0.0  0.0   12720    2388  0  S+   13:15       0:00.00 grep squid

anyone else?

can you run a 'squid -k parse'?

Thanks in advance..
#6
Quote from: doktornotor on December 20, 2023, 07:52:15 PM
Hopeless apparently. Said that there's nothing to fix at perimeter FW about 5 times already. And there we are with absurd suggestions such as blocking ICMP.

Sigh.

absurd (adjective) impossible to take seriously


Quote from: doktornotor
Which HW errors? So you are getting single errors (error is e.g. a malformed packet or out of buffer space) under DDoS? Sounds perfectly expected to me.

Does it matter if it's malformed *OR* out of buffer space? Are those the same? Would they appear the same? Where would that be?

Please generate some traffic, send them at whatever speed you would like, across the Interweb, not just local.. pass them through a bunch of devices and different carrier equipment.. and then malform 'one' (or any number) you would like, so that they reach their destination.. not all of them, just a few.

Have the last mile carrier limit the traffic sent out of the (unknown number 200k/pps) they are going to send you (known 50k/pps).  Send them to a 2.5Gb capable nic with whatever the buffer space is (another unknown number), and then turn off or on hardware CRC, and turn off or on hardware TSO, and then off or on hardware LRO.

Don't worry about putting any of that into an equation to try and solve for all the unknown variables, don't even factor in any OS settings.. or any of the equipment along the route, or any people and their education or network knowledge, or anyone and their ability to write drivers, etc, any of that.. Don't take any of that into account..

Another variable is time.. Companies pay people to provision links, people want to sell you DDoS services, everyone wants to sh*t on open source solutions and just assume you missed a check box that says, ".. really I'm not lazy."


For the computer science and math teachers .. is your answer reasonable?

"Sounds perfectly expected to me."

I hope someday I can solve all of the above without having to show work or ask any questions.

Asking questions shows you're interested; my 0.02..

Unfortunately the CCNP questions I had were nothing like that; but that was a while ago.. haven't seen any in the 401 refresh.. maybe when I get to the 410.. I don't know anyone who has their CCDE.. maybe that's where you get those questions.. and learn how to answer them; still not sure how FreeBSD and OpnSense would factor in though, let alone local hardware decisions.. never mind any of that..

But apparently there still is hope, or is it "Hopeless apparently"

The absurd action of rejecting icmp sweeps.. and causing a change in my local situation; inconceivable

That word.. I do not think it means what you think it means..

https://imgur.com/a/EVXP9zK
#7
@imx

Thank you for the response..

No incoming services.. never was; and yes this is a new block to me.. but obviously used.  So no 1723 incoming..

Provider showing 1.5Gb to 2Gb coming to them (at peak) but I'm a 500 symmetrical, not sure how they are deciding which part of the 1.5 to send me..

As this has been going on a week plus, I've tried various things, dropping, rejecting.. What I changed yesterday actually seemed to change today's event..

I was dropping src 53 tcp/udp, dst 1723 tcp and all that did was seem to get the traffic 'resent' also setting reject (rst) instead of drop also kept them coming..

But the big change was not allowing icmp to the range except from the provider and a few other hosts..

Possibly a ping sweep to see if things are still alive.. not sure

Maybe tomorrow will be different.. but today we didn't get anything.

Currently rejecting icmp and rejecting those services.. and waiting for tomorrow.

But yes, those 60MB were all DNS; when it would happen, no outbound was possible and the interface would just start registering 'errors' which aren't logged within opnsense anywhere that I could find.. so going to netstat was the best way that I could see the 'system' errors and rule them out as 'application' errors..

dmesg would show:

[zone: pf frag entries] PF frag entries limit reached

pfctl -sa

LIMITS:
states        hard limit  1621000
src-nodes     hard limit  1621000
frags         hard limit   204800
table-entries hard limit  1000000


  pfctl -sa | grep ESTAB | wc -l
   20285

so currently some 20k states on this device.

No current way to edit tcp timeouts in pf on opnsense.. but for the incoming lan side where the proxy is I've reduced the tcp timeout.. never could find what the frags were/are..

again, thanks for the response.
#8
Thank you for the response..

I am not running/allowing dns..

they are sending the responses back to me.. hence the DDoS..

I am the 111.222.333.444 address.. and I'm not running a pptp server either..

I'm assuming you also have no idea what the hardware errors would be..
#9
23.7 Legacy Series / DDoS on External.. errors on line?
December 19, 2023, 03:38:57 PM
Getting a wonderful DDoS on one circuit daily.. was able to get a tcpdump and see that it's a DNS amplification to a PPTP port..

Guess this block of IPs is a problem.. anyway..


DDoS starts when the errors start..


/usr/bin/netstat -i -b -n -I igc1 1

           input           igc2           output
   packets  errs idrops      bytes    packets  errs      bytes colls
     18832     0     0   23961931      19142     0    2056571     0
     20732     0     0   26692436      21197     0    2246518     0
     18420     0     0   23084666      18980     0    1939937     0
     17791     0     0   22109171      18277     0    2206791     0
     15123     0     0   18495639      15479     0    1704420     0
     20523     0     0   25776829      20787     0    3209901     0
      9622     0     0   10348462       9872     0    1743120     0
     12389     0     0   14020727      12975     0    2070747     0
     10903     0     0   12418180      11251     0    1902214     0
     16921     0     0   21012711      17189     0    2412258     0
     17918     0     0   22356183      18418     0    2024011     0
     20811     0     0   26971250      21166     0    2231476     0
     21643     0     0   27830204      21867     0    2555701     0
     12362     0     0   14710851      12806     0    1664004     0
      6961     0     0    6636610       7218     0    1299675     0
     12274     0     0   14071152      12703     0    1757263     0
     30882     1     0   39894920       8935     0    3341910     0
     46458     0     0   62128264       4893     0    3045759     0
     46478     1     0   62121562       4900     0    2750044     0
     46438     1     0   62133530       5133     0    2723948     0
     46599     1     0   62123711       5206     0    2504516     0
            input           igc2           output
   packets  errs idrops      bytes    packets  errs      bytes colls
     46493     0     0   62124955       5224     0    2187363     0
     46617     1     0   62129957       5418     0    2452033     0
     46596     1     0   62132498       5122     0    2913734     0
     46650     1     0   62113622       5109     0    2384515     0
     46714     1     0   62127545       5357     0    2296607     0
     46584     3     0   62126785       5081     0    2390958     0
     46612     0     0   62118032       5144     0    2270248     0
     46739     1     0   62130613       5681     0    3326115     0
     46514     0     0   62125384       5159     0    2275629     0
     46653     0     0   62130561       5433     0    2302723     0
     46600     0     0   62121725       5158     0    2322515     0
     46792     1     0   62120351       5220     0    2617294     0
     46811     0     0   62124396       5280     0    2484596     0
     46597     0     0   62126038       5131     0    2381244     0
     46725     1     0   62127029       5429     0    2406458     0
     46595     0     0   62125301       5437     0    2592203     0
     46661     3     0   62125865       5419     0    2400710     0
     46650     1     0   62124639       5248     0    2519844     0
     46610     0     0   62122192       5254     0    2346030     0
     46676     0     0   62130274       5459     0    2687552     0
     46898     0     0   62119543       5806     0    3204420     0
.. etc


Approximately 3 minutes worth..

Quote
08:36:35.176685 IP 42.62.176.70 > 111.222.333.444: ip-proto-17
08:36:35.176688 IP 42.62.176.70.53 > 111.222.333.444.1723: 1| 33/0/0 RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, TXT "google-site-verification=yuAuTV0V218aUY-z4yyaeBY0B-icA3PcEFNCd72ZKk4", TXT "apple-domain-verification=ivyxTJSvycL1rKet", TXT "v=spf1 a mx include:spfa.renault.com include:spfb.renault.com include:spfc.renault.com include:spfd.renault.com exists:%{i}.spf.hc1506-8.eu.iphmx.com -all", TXT "3nnqAmrH2geG0012FzpfPzCbY+qeghGXlr0K+LYPlNZ04rbgRysxD+XwBO/kYhyrhm+O6pU0naULPJY0gHPjRQ==", TXT "zoho-verification=zb90149015.zmverify.zoho.com", TXT "mongodb-site-verification=hWhMU7S6paGXSMiTRzdhFYFc0NckzLdF", RRSIG[|domain]
08:36:35.176689 IP 36.91.138.130.53 > 111.222.333.444.1723: 1 6/13/1 RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG (1472)
08:36:35.176707 IP 111.222.333.444 > 36.91.138.130: ICMP 111.222.333.444 udp port 1723 unreachable, length 576
08:36:35.176715 IP 111.70.2.171.53 > 111.222.333.444.1723: 1 13/2/0 RRSIG, MX mx1.hc1506-8.eu.iphmx.com. 10, MX smtp2.renault.fr. 30, MX smtp.renault.fr. 20, MX mx2.hc1506-8.eu.iphmx.com. 10, RRSIG, RRSIG, SOA, RRSIG, RRSIG, NS anna.renault.fr., RRSIG, NS xenia.renault.fr. (1304)
08:36:35.176726 IP 111.222.333.444 > 111.70.2.171: ICMP 111.222.333.444 udp port 1723 unreachable, length 576
08:36:35.176749 IP 180.190.200.192.53 > 111.222.333.444.1723: 1| 32/0/0 DNSKEY, RRSIG, RRSIG, RRSIG, TXT "mongodb-site-verification=hWhMU7S6paGXSMiTRzdhFYFc0NckzLdF", TXT "3nnqAmrH2geG0012FzpfPzCbY+qeghGXlr0K+LYPlNZ04rbgRysxD+XwBO/kYhyrhm+O6pU0naULPJY0gHPjRQ==", TXT "2ml7l54tncj0sfz85z19bhy6kmbvhf40", TXT "onetrust-domain-verification=fc8a2586b8b247a28c56053c67dcd418", RRSIG, RRSIG, RRSIG[|domain]
08:36:35.176804 IP 178.205.90.201 > 111.222.333.444: ICMP 178.205.90.201 udp port 53 unreachable, length 65
08:36:35.176810 IP 189.3.74.18.53 > 111.222.333.444.1723: 1| 32/0/0 TXT "mt-24773710", TXT "docusign=c3a18a16-788c-484b-968b-6b4982433a67", TXT "amazonses:uINC55vCnY508CUO8Je4gL6XWtPX3btBCtcQjz2Vwjs=", TXT "3nnqAmrH2geG0012FzpfPzCbY+qeghGXlr0K+LYPlNZ04rbgRysxD+XwBO/kYhyrhm+O6pU0naULPJY0gHPjRQ==", TXT "facebook-domain-verification=8s50q3dhwvfs01uvnrwm8h29rpcntw", TXT "4l1SWsiprbXNsfRUEAfWklXtaSbfXsRaotj7HOf01kNe5wyIUw6dDiBNfAUjk8M/Dj9Gc8PzowuISHPOgAW83w==", TXT "tmes=281fb1a4ecc0f16f779e7a637e2df968", TXT "zoho-verification=zb90149015.zmverify.zoho.com", TXT "apple-domain-verification=ivyxTJSvycL1rKet", TXT "autodesk-domain-verification=4zOZypex_sR1HLFsXs7E", TXT "onetrust-domain-verification=811456c061094fd787edfbea1f50e0c2", TXT "google-site-verification=yuAuTV0V218aUY-z4yyaeBY0B-icA3PcEFNCd72ZKk4", TXT "apple-domain-verification=71mEATCbpJsvgxSj", RRSIG, RRSIG, RRSIG[|domain]
08:36:35.176814 IP 201.184.117.60.53 > 111.222.333.444.1723: 1| 41/0/0 SOA, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG[|domain]
08:36:35.176818 IP 201.184.117.60 > 111.222.333.444: ip-proto-17
08:36:35.176819 IP 197.91.174.102.53 > 111.222.333.444.1723: 1| 37/0/0 RRSIG, RRSIG, MX smtp2.renault.fr. 30, MX smtp.renault.fr. 20, SOA, DS, DNSKEY, RRSIG, RRSIG, A 35.71.164.53, A 52.223.12.199, RRSIG, RRSIG, RRSIG[|domain]



What are the interface errors?

Why are there interface errors?

Quote
dmesg | grep igc2
igc2: <Intel(R) Ethernet Controller I225-V> mem 0x7fa00000-0x7fafffff,0x7fc00000-0x7fc03fff at device 0.0 on pci3
igc2: Using 1024 TX descriptors and 1024 RX descriptors
igc2: Using 4 RX queues 4 TX queues
igc2: Using MSI-X interrupts with 5 vectors
igc2: Ethernet address: 64:62:66:22:01:b1
igc2: netmap queues/slots: TX 4/1024, RX 4/1024


in the "tcpdump -i igc2 -n" output (as far as I can tell..) I was able to capture everything..

Thanks in advance..
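As an added example (not the poster's code), here is a Python classifier for `tcpdump -n` lines of the shape captured above; it separates reflected DNS answers, UDP fragments and the ICMP unreachables the victim sends back, and it also reproduces what the `awk '{print $3}' | sort -u | wc -l` one-liner from the first post counts, showing why that number differs from the number of distinct reflector hosts. The victim address 111.222.333.444 is the post's own placeholder; the sample lines are constructed with documentation-range addresses, not real traffic.

```python
"""Classify tcpdump -n output for signs of a DNS reflection flood aimed at a
non-DNS port (here UDP/1723), in the spirit of the capture in the post above."""
import re
from collections import Counter

VICTIM = "111.222.333.444"  # the post's placeholder address, assumed to be the target

# Constructed sample modelled on the capture's shape (documentation-range addresses).
SAMPLE = """\
08:36:35.176685 IP 192.0.2.10 > 111.222.333.444: ip-proto-17
08:36:35.176688 IP 192.0.2.10.53 > 111.222.333.444.1723: 1| 33/0/0 RRSIG, TXT "x"
08:36:35.176689 IP 192.0.2.20.53 > 111.222.333.444.1723: 1 6/13/1 RRSIG (1472)
08:36:35.176707 IP 111.222.333.444 > 192.0.2.20: ICMP 111.222.333.444 udp port 1723 unreachable, length 576
08:36:35.176715 IP 192.0.2.30.53 > 111.222.333.444.1723: 1 13/2/0 RRSIG, MX a.example. 10 (1304)
08:36:35.176804 IP 198.51.100.7 > 111.222.333.444: ICMP 198.51.100.7 udp port 53 unreachable, length 65
08:36:35.176810 IP 192.0.2.40.53 > 111.222.333.444.1723: 1| 32/0/0 TXT "y"
08:36:35.200000 IP 10.0.0.5.40001 > 111.222.333.444.443: Flags [S], seq 1, win 65535, length 0
"""

# "ts IP src[.sport] > dst[.dport]: rest" as printed by tcpdump -n for IPv4
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# DNS answer header: id, flag chars ('|' marks the TC bit), an/ns/ar counts
DNS_RE = re.compile(r"^(?P<id>\d+)(?P<flags>[*|$-]*) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")
# trailing "(N)" is the UDP payload length tcpdump prints for a full DNS message
LEN_RE = re.compile(r"\((\d+)\)\s*$")


def classify(line, victim=VICTIM):
    """Return (category, parsed fields) for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    rest = f["rest"]
    if rest.startswith("ip-proto-17"):
        # non-first IP fragment of a UDP datagram: no UDP header, so no ports;
        # large DNS answers arrive in pieces like this
        cat = "udp_fragment"
    elif rest.startswith("ICMP") and "unreachable" in rest:
        # the victim telling a reflector nothing listens on the abused port,
        # or a remote host reporting that port 53 is closed
        cat = "victim_icmp_unreachable" if f["src"] == victim else "remote_icmp_unreachable"
    elif f["sport"] == "53" and f["dport"] != "53" and f["dst"] == victim:
        # a DNS answer landing on a port the victim never queried from: reflected
        cat = "dns_reflection"
    else:
        cat = "other"
    return cat, f


def summarize(text, victim=VICTIM):
    """Aggregate a capture into counts a defender can threshold on."""
    cats, reflectors, awk_field3 = Counter(), set(), set()
    payload_bytes = tc_set = 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2:
            awk_field3.add(parts[2])  # exactly what awk '{print $3}' | sort -u counts
        r = classify(line, victim)
        if r is None:
            cats["unparsed"] += 1
            continue
        cat, f = r
        cats[cat] += 1
        if cat == "dns_reflection":
            reflectors.add(f["src"])  # host only, port stripped
            d = DNS_RE.match(f["rest"])
            if d and "|" in d.group("flags"):
                tc_set += 1
            n = LEN_RE.search(f["rest"])
            if n:
                payload_bytes += int(n.group(1))
    return {"categories": cats, "reflectors": len(reflectors),
            "awk_field3_unique": len(awk_field3),
            "known_payload_bytes": payload_bytes, "tc_responses": tc_set}


def is_reflection_flood(summary, min_reflectors=3):
    """True when reflected DNS traffic dominates and comes from enough distinct hosts."""
    c = summary["categories"]
    reflected = c["dns_reflection"] + c["udp_fragment"]
    return summary["reflectors"] >= min_reflectors and reflected > c["other"]


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "flood:", is_reflection_flood(s))
```

The awk count is higher than the reflector count because field 3 still carries the source port, so a fragment (no port) and the answer it belongs to count twice; the victim's own ICMP unreachables and the 1472/1304-byte answers are the volume worth rate-limiting or dropping at the edge, as the poster ended up doing with source-port-53-to-1723 rules.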
#10
Looking for a way to:

ifconfig igc1 -rxcsum -txcsum -lro -tso -vlanhwtso

and see if it has an impact on my issue..

It seems I can run it, but then there is a 'configuration' process which puts things back..

Quote
root@OPNsense:~ # ifconfig igc1 -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso
root@OPNsense:~ # ifconfig igc1
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: (wan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 64:62:66:22:01:b0
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

root@OPNsense:~ # ifconfig igc1
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: (wan)
        options=4e0272b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 64:62:66:22:01:b0
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


root@OPNsense:~ # /usr/bin/netstat -i -b -n -I igc1
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
igc1   1500 <Link#2>      64:62:66:22:01:b0 283335936   394     0 322961629169 237261049     0 39791670076     0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265714

I'm trying to figure out why when these hit their 500Mb mark.. I get errors and lose connectivity..

Thanks in advance.
#11
https://hub.docker.com/r/kostyaesmukov/smtp_to_telegram

Seems to be maintained..

root@void-d51d87 ~# docker ps -a | grep telegram
2a9a2fb173a0   kostyaesmukov/smtp_to_telegram:latest   "/smtp_to_telegram"      2 weeks ago     Up 2 weeks                             smtp_to_telegram

docker run \
    --name smtp_to_telegram \
    --restart unless-stopped \
    -e TZ=America/New_York \
    -e ST_TELEGRAM_CHAT_IDS=xyz123abc456 \
    -e ST_TELEGRAM_BOT_TOKEN=8< SNIP >8 \
    -e ST_TELEGRAM_MESSAGE_TEMPLATE="Subject: {subject}\\n\\n{body}" \
    -d \
    --network host \
    kostyaesmukov/smtp_to_telegram


https://github.com/KostyaEsmukov/smtp_to_telegram

Looks to be a go program.. possibly could be made into a plugin
#12
There are many posts about asking to improve unbound.. and there are more solutions on the internet about people and their solutions.. but it's possible that it isn't clear what setting goes with which field.. or what is available to tweak in OpnSense unbound..

I came across this:

# pkg info unbound
unbound-1.19.0
Name           : unbound
Version        : 1.19.0
Installed on   : Thu Nov 23 23:09:22 2023 EST
Origin         : dns/unbound
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : dns
Licenses       : BSD3CLAUSE
Maintainer     : jaap@NLnetLabs.nl
WWW            : https://www.nlnetlabs.nl/projects/unbound
Comment        : Validating, recursive, and caching DNS resolver
Options        :
        DEP-RSA1024    : off
        DNSCRYPT       : on
        DNSTAP         : off
        DOCS           : off
        DOH            : on
        DYNLIB         : on
        ECDSA          : on
        EVAPI          : off
        FILTER_AAAA    : off
        GOST           : on
        HIREDIS        : off
        LIBEVENT       : on
        MUNIN_PLUGIN   : off
        PYTHON         : on
        SUBNET         : off
        TFOCL          : off
        TFOSE          : off
        THREADS        : on


which showed me why I could not get ecs going..

* which was great * saved me tons of time and I stopped trying to set something which was never going to work..

Possibly something like this might help:

(picture attached)

My 0.02
#13
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Wifi calling doesn't work through double nat..

So anyone with a consumer 'orbi', 'google', 'linksys', 'eero', etc. mesh setup who then for some reason wants to put a better router in front will then fall into the double nat issue.. and then have wifi calling issues; i.e. the phones will show vzw-wifi, att-wifi but won't actually be working (some androids seem to be better at this than others.. :dunno:)

having a transparent solution would resolve the double nat issue and all that comes with it..

(unless you had a three legged device.. usb eth adapter, wifi etc..)

Anyway.. having a console menu option like vlan, wan, lan, for creating this bridge.. etc.. might be a good idea.

My 0.02
#14
Thank you for that..

I was trying to get ECS going.. and could not confirm that it was working.. I couldn't find a way to find out what unbound was compiled with..

@maurice

If you don't use squid, then I agree it does not seem like a logical request.

if squid gets an AAAA entry it tries to process it, the dns_v4_first used to mitigate that..

modern squid seems to not respect that anymore..

This looks to be the squid answer:

(https://wiki.squid-cache.org/Features/IPv6)
Example creation in squid.conf:

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

(and then something like)
http_access deny to_ipv6

there doesn't seem to be a way from the gui to get to the squid.conf for local additions..

dnscrypt-proxy can filter (and log) ipv6/AAAA being blocked..

Doing so reduced the squid lag tremendously..

at least in my case (as shown in the graphs..)

Not sure if that helps..
#15
squid no longer supports dns_v4_first.. which means that if squid gets an AAAA it will try to use it..

I enabled dnscrypt-proxy to filter out AAAA (made custom dns stamps as well..) records and it made a little bit of a difference in squid..

(not so much you could notice..)

Is there a way to get unbound to filter out AAAA (I know there used to be a python filter for it.. but that was a while ago..)

(the second image is using the squid proxy to make the same query.. the red is trying to get the dns_v4_first working..)

Also.. any plans to update dnscrypt-proxy2?

Frank's github says January 3, 2021 is when 2.0.45 came out..

Open to suggestions..

Thanks in advance..