Topics - deviantintegral

1
23.7 Legacy Series / Setting a static IPv6 client address
« on: December 24, 2023, 03:35:54 am »
I'm in the process of setting up a Proxmox server, which needs a static IP assigned for both IPv4 and IPv6.

In the world of IPv4, the way I've normally set it up is:

1. Set DHCP to not issue addresses in a range. For example, only assign addresses 192.168.20.51-192.168.20.254.
2. Set static IPs in that range of the first 50 addresses.

With IPv6, I obtain an address from my ISP over DHCPv6, and have the LAN interface set to track it. I get a /56 from the ISP, and it looks like a /64 is used for LAN clients. Is there anything I need to do to ensure I don't get address conflicts if I just choose a random address in that /64 range? Or does duplicate address detection handle that, and the autoconfigured LAN clients will just generate another address if needed?

I did poke around in the router advertisements settings when enabled, but didn't see anything that would obviously let me narrow the /64 to a different range to reserve other addresses.

Thanks,

2
23.7 Legacy Series / Issues connecting with Wireguard
« on: August 23, 2023, 04:06:15 pm »
I've been having an odd issue with my Wireguard setup, both on 23.1 and 23.7. When I connect from my iPhone or Mac running the official wireguard client, many times handshakes will not pass. Sometimes, the "Data sent" counter will go up by tens of MB a second, which is impossible given the network speed, and normal traffic doesn't actually work. If I reconnect the tunnel several times, it will eventually connect fine with no issues. There's no obvious errors in the logs that I see. tcpdump shows the wireguard server responding to the connection.

I also have Wireguard set up on a linux host, and the same two clients never have a problem connecting.

Any suggestions on troubleshooting this?

3
19.1 Legacy Series / Network performance and latency issues with haproxy
« on: April 28, 2019, 05:44:21 pm »
First, I'm quite impressed by the HAProxy and Let's Encrypt plugins, and how they work together.

I'm running opnsense on an APU2 board, and I'm noticing:

  • Slow transfer rates with high CPU usage
  • Latency spikes for unrelated network traffic when HAProxy is under load

For example, the backend web server (a basic Apache setup) can saturate the 1Gb network connection with no issues. If I do a straight HTTP proxy through HAProxy in opnsense (no SSL offloading), performance caps out at about 200Mbit. I expected closer to 300 or 400 Mbits. During a transfer, the HAProxy process is using close to 100% of a CPU core (the board has 4 cores) with 50% system CPU usage. If I ping a host during the speed test from opnsense, latency goes up significantly for all connections going through the firewall.

So far, I noticed that at http://www.haproxy.org it's mentioned that pf causes quite a performance hit compared to Linux, but it's not clear how recent that note is.

Any ideas on how to solve the latency issues? I can live with slower transfer performance, but lag spikes will be a deal breaker for me.

4
18.7 Legacy Series / Stale WAN IP used for SIP NAT mapping (Dynamic state reset)
« on: November 23, 2018, 07:27:30 pm »
OPNsense is connected via DSL / PPPoE for its WAN connection. I have an OBiHAI SIP bridge for VoIP access. If the WAN IP changes, the old NAT mappings are still used, causing packets to be sent with the wrong source IP address. This breaks WAN connectivity until the states are killed.

  • In the firewall states dump, I filter on port 5060 to see the inbound and outbound mappings.
  • Note your current WAN IP, and click "reload" at the WAN interface in the overview to force a new connection.
  • After the IP has renewed, reload the states dump and note the outbound IP address is the old IP address and not the new one.
  • Killing the states restores WAN connectivity to the SIP bridge.

I've verified the wrong source IP is being sent from a packet capture of the pppoe interface. What's surprising to me is that nothing else other than this one mapping appears to be affected by this.

In the firewall advanced options, I found "Dynamic state reset" which was not enabled. Turning that on fixed the stale mappings. Is there any reason why that option shouldn't be on by default?

This could be related to switching ISPs from one that used DHCP to DSL and PPPoE. Is this a setting normally set during the setup wizard, which would be missed if you manually changed WAN settings after the initial install?
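A way to check for the stale mappings described in this post without killing all states blindly, as an added example that is not OPNsense code or part of the original post: it parses the `pfctl -ss` state listing (line layout assumed here; sample lines are constructed) and reports NAT states on the WAN interface whose translated source address is no longer the current WAN IP.

```python
"""Flag pf NAT states that still carry a stale WAN source address.

Added example, not OPNsense code. The state line layout is assumed to be
"<iface> <proto> <src>:<port> (<orig>:<port>) -> <dst>:<port> <state>",
the form in which pfctl prints outbound NAT states. Sample lines below are
constructed; on a real box feed in the output of `pfctl -ss` instead.
"""
import re
from ipaddress import ip_address

# Assumed layout of one outbound NAT state line (IPv4 only in this example).
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"\((?P<orig>[\d.]+):(?P<oport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)"
)


def parse_states(text):
    """Yield one dict per NAT state; lines without a NAT mapping are skipped."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def stale_nat_states(text, wan_if, wan_ip, port=None):
    """Return NAT states on wan_if whose translated source is not wan_ip.

    port limits the check to one destination port (5060 for the SIP case).
    """
    current = ip_address(wan_ip)
    stale = []
    for st in parse_states(text):
        if st["iface"] != wan_if:
            continue
        if port is not None and int(st["dport"]) != port:
            continue
        if ip_address(st["src"]) != current:
            stale.append(st)
    return stale


# Constructed sample: the WAN moved from 203.0.113.9 to 203.0.113.77, but the
# SIP state still translates the bridge (192.168.1.20) to the old address.
SAMPLE = """\
pppoe0 udp 203.0.113.9:5060 (192.168.1.20:5060) -> 198.51.100.20:5060 MULTIPLE:MULTIPLE
pppoe0 tcp 203.0.113.77:50123 (192.168.1.30:50123) -> 198.51.100.40:443 ESTABLISHED:ESTABLISHED
igb0 udp 192.168.1.20:5060 -> 192.168.1.1:5060 MULTIPLE:MULTIPLE
"""

if __name__ == "__main__":
    for st in stale_nat_states(SAMPLE, "pppoe0", "203.0.113.77"):
        print(f"stale: {st['orig']} -> {st['src']} to {st['dst']}:{st['dport']}")
```

Only states that the script reports need to be removed, which keeps unrelated connections alive.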

5
17.1 Legacy Series / How is netflow data supposed to be rotated?
« on: June 27, 2017, 02:26:35 am »
I re-enabled netflow about a month ago, and ever since it's been slowly growing in disk use. This is on a home connection, so it's not /that/ much traffic to log. flowd and flowd_aggregate are both running:

root@blackbox:/var # service flowd status
flowd is running as pid 36517 36532.
root@blackbox:/var # service flowd_aggregate status
flowd_aggregate is running as pid 42215.
root@blackbox:/var # du -sh log/flowd* netflow
3.6G   log/flowd.log
 11M   log/flowd.log.000001
 11M   log/flowd.log.000002
 11M   log/flowd.log.000003
 11M   log/flowd.log.000004
 12M   log/flowd.log.000005
 11M   log/flowd.log.000006
 11M   log/flowd.log.000007
 11M   log/flowd.log.000008
 11M   log/flowd.log.000009
 11M   log/flowd.log.000010
5.3G   netflow


I'm going to have to reset the data manually as I'm almost out of disk space. My understanding is simply running flowd_aggregate should be enough here. Is there anything else to check?

6
17.1 Legacy Series / Are backups of "volatile" files required on reboots for non-nano installs?
« on: May 21, 2017, 02:35:43 am »
I have OPNsense installed on a 16GB SSD. I noticed that reboots were taking a long time. It turns out the culprit was the netflow database; gzip'ing was taking 5-10 minutes, blocking a reboot. This commit illustrates the code fairly well. Any reason I can't just comment them out?

7
17.1 Legacy Series / [SOLVED] collectd network plugin is missing encryption support
« on: May 10, 2017, 07:40:51 pm »
collectd has been broken for the past week, as the network plugin is no longer linked to libgcrypt and libgpg-error.

May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `SecurityLevel' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Username' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Password' is not allowed here.

I manually installed collectd 5.7.0 from 16.7 as I couldn't find prior builds for 17.1. That version has:

root@blackbox:/tmp # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libgcrypt.so.20 => /usr/local/lib/libgcrypt.so.20 (0x3482980b000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x34829b1d000)
libc.so.7 => /lib/libc.so.7 (0x34828dfa000)

And in the latest 5.7.1 release:

root@blackbox:/usr/local/etc # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libc.so.7 => /lib/libc.so.7 (0x205546c4000)

For now, I've locked the older package, though if there's prior builds actually against 17.1 I can install that would be better. Or, is there a way to simply blacklist the specific release of collectd, so when a new (presumably fixed) version is out it will be upgraded to automatically?

8
17.1 Legacy Series / Starting flowd_aggregate: eval: -repeater_opnsense_bootup_run: not found
« on: April 04, 2017, 08:39:06 pm »
On bootup, I get the following:

Starting flowd_aggregate.
eval: -repeater_opnsense_bootup_run: not found


And, if I manually start flowd_aggregate, I get this in system.log:

Apr  4 14:37:27 blackbox flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run
    aggregate_flowd(do_vacuum)
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 67, in aggregate_flowd
    for flow_record in parse_flow(prev_recv):
  File "/usr/local/opnsense/scripts/netflow/lib/parse.py", line 92, in parse_flow
    for flow in flog:
ValueError: Unsupported version

Of course, this left me running out of disk space and my router crashing various processes.

Is there a way to limit the flowd.log file, even if flowd_aggregate isn't running?

9
17.1 Legacy Series / dhclient exits on WAN IP renewal
« on: March 03, 2017, 02:26:43 am »
I'm running OPNsense 17.1.2 with a cable modem for the WAN, and I've run into issues when the modem does a fresh boot.

I imagine the way the modem (a Thomson DCM476) works is pretty common. On first boot, it issues a private IP, such as 192.168.100.1. That way, you can easily get to the status pages in case there's trouble getting modem sync. Once sync is detected, it passes DHCP through to the ISP. The initial lease has a 30 second expiry.

It's during this second phase that dhclient fails. Here's the logs from /tmp/igb1*:

==> igb1_output <==
dhclient: PREINIT
dhclient: Starting delete_old_states()
dhclient: Comparing IPs: Old: XXX.XXX.XXX.XXX New:
dhclient: Removing states from old IP 'XXX.XXX.XXX.XXX' (new IP '')
0 states cleared
killed 0 src nodes from 1 sources and 0 destinations
DHCPREQUEST on igb1 to 255.255.255.255 port 67
DHCPNAK from 192.168.100.1
DHCPDISCOVER on igb1 to 255.255.255.255 port 67 interval 1
DHCPOFFER from 192.168.100.1
DHCPREQUEST on igb1 to 255.255.255.255 port 67
DHCPACK from 192.168.100.1

==> igb1_router <==
192.168.100.1

==> igb1_output <==
bound to 192.168.100.10 -- renewal in 30 seconds.

==> igb1_router <==
XXX.XXX.XXX.XXX

==> igb1_output <==
dhclient already running, pid: 83190.
exiting.


And in syslog:

opnsense: /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf igb1 > /tmp/igb1_output 2> /tmp/igb1_error_output' returned exit code '1', the output was ''

The interface ends up marked as completely down.

If I manually renew the IP from the interfaces UI, or just run dhclient, everything works fine. Likewise, if I simply pull the ethernet cable, it renews correctly - it's only when the modem has lost sync and issues a private IP things fail.

Any suggestions?

10
16.7 Legacy Series / How to set up fq_codel for QoS traffic shaping
« on: January 02, 2017, 09:07:25 pm »
I'm trying to get a reasonable QoS setup for my 25/2 cable internet connection. There's great docs for setting up regular QoS rules, but since DSCP support was removed I think I need something more robust for my needs. And, I love the idea of never having to tweak the rules for specific apps :D

For reference, an unshaped result from flent rrul -p all_scaled -l 60:



I then set up:

  • A downstream pipe with a cap of 20600Kbps, a source mask, the FlowQueue-Codel scheduler, Codel enabled, no ECN as I read that's detrimental at under an upstream of 4Mbits.
  • An upstream pipe set to 1500Kbps, with a destination mask, and the same queue and Codel settings
  • No queues as my understanding from the help text is those are automatic when masks are set.
  • Two rules with source and destination networks to associate traffic with each pipe.



Latency is vastly improved, though I'm curious about the spike I'm getting at the very end. What I'm more concerned about are the gaps in the upload graph. I expected with setting the pipes significantly lower than my actual connection I wouldn't see any missing traffic. They're still there even with lower caps on the pipes. I haven't seen any similar results from others, so I'm not sure how to interpret this. Any ideas?

11
General Discussion / Serial console character settings
« on: December 24, 2016, 03:11:45 am »
What terminal type / character settings should I use with the serial console? I've tried:

  • screen under OS X and Linux
  • minicom under OS X and Linux
  • The OS X Terminal app and iTerm2
  • Serial on OS X
  • Putty on Windows

The APU2 BIOS and the regular shell prompt after an install seem OK. I've tried a variety of UTF / ISO character settings, TERM=ansi, vt100, xterm. No matter what, I always get misrepresented characters in the installer menus. Putty + UTF-8 + TERM=xterm seems to be the closest, but still has some mismapped characters.

Thanks!

12
17.1 Legacy Series / Unable to boot with USB 3 on APU2
« on: December 24, 2016, 01:45:12 am »
I have an APU2 running the apu2_160307 BIOS (I don't need PXE boot so I haven't bothered to upgrade). I'm unable to boot either 16.7 or 17.1 with a USB 3 stick (I've tried two separate ones). If I use a USB 2 stick in the USB 3 ports, it's fine. I am able to boot pfsense, though it throws a small number of similar CAM status errors. I thought set kern.cam.boot_delay was supposed to work around this, but it isn't for me. I've attached the boot logs. Since I haven't actually set up the router yet, if there's anything I can test out the next few days are best. Though, this totally seems like a FreeBSD and not opnsense issue.

(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Retrying command


https://forum.opnsense.org/index.php?topic=3960.msg14176
https://forum.opnsense.org/index.php?topic=2327.msg7438
