Topics - ThePOO

#1
I have a QOTOM J1900 box and it worked perfectly well with my 100/100 fiber connection. I was able to peg DL/UL nicely. I upgraded my 100/100 to 1000/1000 and am able to get 500/500-ish with the little box. With this ISP I know 900+ UL/DL is achievable.

What I'm looking for is a recommendation for my next box here. It doesn't really have to be silent and not really super small, just efficient and very fast ... suggestions?
#2
What I have:
-------------------------------------

pi-hole 4.0 and OPNsense 18.7.6


pi-hole (192.168.1.15/admin/settings.php) ...

Settings-->DNS

Upstream DNS Servers
Custom 1 (IPv4)
192.168.1.1

Advanced DNS settings
un-checked Never forward non-FQDNs
un-checked Never forward reverse lookups for private IP ranges
checked Use Conditional Forwarding
IP of your router 192.168.1.1
local domain name poonet

OPNsense (192.168.1.1) ...

System-->Settings-->General

Domain name poonet
DNS Servers are left blank, on purpose
checked Allow DNS server list to be overridden by DHCP/PPP on WAN
un-checked Do not use the local DNS service as a nameserver for this system
** my ISP provides excellent DNS servers and I'm happy to dynamically receive their IP addresses

Services-->DHCPv4-->[LAN]

DNS servers
192.168.1.15
192.168.1.1

All devices on my network are statically mapped in OPNsense DHCP.

------------------------------------------------------------------
Resolving public DNS:

Device contacts 192.168.1.15 for resolution.
192.168.1.15 then contacts 192.168.1.1 for resolution.
192.168.1.1 then contacts the dynamically supplied ISP servers for resolution.
pi-hole at 192.168.1.15 blocks queries for bad things or passes the resolved information to the requesting device.

This all works beautifully.
------------------------------------------------------------------

Resolving local host names:

Now, then, my problem: 192.168.1.15 is trying to query 192.168.1.1 to resolve device host names, and I can't figure out what I need to enable/configure in OPNsense to get pi-hole the resolved host names.

No rush ... if anyone can "resolve" this I'd be eternally grateful <smile>


*** Fiber connected to my local ISP .. 100/100. I could get 1000/1000, but what would I do with THAT? Extra $25 a month -- might try it sometime just for kicks. ***
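The forwarding chain described in the post above, as an added example that is not part of the original post and is not pi-hole's or OPNsense's own code. It models which server a pi-hole query is sent to under the settings the post lists (upstream 192.168.1.1, "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges" both unchecked, conditional forwarding to 192.168.1.1 for the domain poonet). The rule semantics are my assumptions about how those checkboxes behave, the function names are illustrative, and the sample queries are constructed. Running it shows that a plain host name, a name under poonet and a reverse lookup for a 192.168.x.x address all end up at 192.168.1.1 one way or another, which is why the router's DNS service is the place local names have to be answered.

```python
"""Added example, not code from the forum post or from pi-hole/OPNsense.

Models which server a pi-hole query is sent to under the settings listed in
the post. Assumptions (mine): "Never forward non-FQDNs" answers dot-less names
locally; "Never forward reverse lookups for private IP ranges" answers PTR
queries for RFC 1918 space locally; conditional forwarding sends
<name>.<local domain> and private PTR queries to the router; all other queries
go to the first configured upstream. Function names are illustrative.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class PiholeDns:
    upstreams: List[str]
    never_forward_non_fqdn: bool
    never_forward_private_reverse: bool
    conditional_forwarding: bool
    router_ip: str
    local_domain: str


def reverse_ptr_to_ip(qname: str) -> Optional[ipaddress.IPv4Address]:
    """'15.1.168.192.in-addr.arpa.' -> IPv4Address('192.168.1.15'), else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        except ValueError:
            return None
    return None


def route_query(qname: str, cfg: PiholeDns) -> Tuple[str, Optional[str]]:
    """Return (path, target). A target of None means pi-hole answers the
    query itself and forwards nothing."""
    name = qname.rstrip(".").lower()
    local = cfg.local_domain.lower()

    ptr_ip = reverse_ptr_to_ip(name)
    if ptr_ip is not None and any(ptr_ip in net for net in PRIVATE_NETS):
        if cfg.never_forward_private_reverse:
            return ("local-answer", None)
        if cfg.conditional_forwarding:
            return ("conditional-forward", cfg.router_ip)
        return ("upstream", cfg.upstreams[0])

    if "." not in name:  # non-FQDN such as "nas"
        if cfg.never_forward_non_fqdn:
            return ("local-answer", None)
        return ("upstream", cfg.upstreams[0])

    if cfg.conditional_forwarding and (name == local or name.endswith("." + local)):
        return ("conditional-forward", cfg.router_ip)

    return ("upstream", cfg.upstreams[0])


# Settings exactly as listed in the post.
POST_CONFIG = PiholeDns(
    upstreams=["192.168.1.1"],
    never_forward_non_fqdn=False,
    never_forward_private_reverse=False,
    conditional_forwarding=True,
    router_ip="192.168.1.1",
    local_domain="poonet",
)

# Constructed sample queries: public name, local FQDN, bare host, private and public PTR.
SAMPLE_QUERIES = [
    "www.example.com.",
    "nas.poonet.",
    "nas",
    "15.1.168.192.in-addr.arpa.",
    "8.8.8.8.in-addr.arpa.",
]


def trace(cfg: PiholeDns = POST_CONFIG, queries=SAMPLE_QUERIES) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each query to the (path, target) pi-hole would use."""
    return {q: route_query(q, cfg) for q in queries}


if __name__ == "__main__":
    for q, (path, target) in trace().items():
        print(f"{q:30} {path:20} -> {target}")
```

Flipping `never_forward_non_fqdn` and `never_forward_private_reverse` back to pi-hole's defaults in `POST_CONFIG` shows the other side of the coin: the bare name and the private reverse lookup then never leave pi-hole, so the router is never asked at all.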

#3
3953 MB RAM capacity.

18.7.4 RAM use was around 908 MB.

18.7.5 was applied and my RAM use jumped up to 3772.

18.7.5_1 was applied and high use of RAM continues, 97% used.
Swap file 99% used. tmpfs at 99%.

After a short time the box locks up. After a hard reset OPNsense takes about five minutes to come up, then locks up again after a short time.

I get little time to troubleshoot ... any pointers would be appreciated, thanks!


UPDATE: Here is what worked for me ....
I reset OPNsense to factory settings, then I restored the configuration saved previously.
After the restoration I had to attend to another issue and about 30 minutes later returned. Success!
It all works and my memory use is at 696 MB (17%), 0% swap use, 1% tmpfs.

Wish I knew what was eating all the memory. But reset/restore worked like a champ! Me So Happy!
#4
18.1 Legacy Series / Traffic Graph oddity
January 31, 2018, 10:52:26 AM
Affecting 17.7.*, then 18.1_1 after the upgrade.

My Traffic Graph widget and the Traffic Graph, under Reporting, have the same odd thing wherein they both show inbound traffic but never outbound traffic. How odd.

I do remember 17.7.{early versions} showing the outbound traffic and then it just stopped showing it. I never said anything because I figured the 18.1 upgrade would likely take care of it -- but nah, it didn't.

For me, this isn't a deal breaker, just a little bump in the road. I'm all up for sharing my config xml or whatever. I thought about saving my config and doing a clean install, then restoring my config ... which probably would just end up right where it is anyway.
Any thoughts on this matter? Thanks in advance.
#5
17.7.11-amd64
Intel Celeron J1900 1.99GHz (4 cores)

---> What works well:

Intrusion Detection settings:

Enabled:               X
IPS mode:              X
Promiscuous mode:      X
Enable syslog:
Pattern matcher:       Hyperscan
Interfaces:            WAN, LAN
Home networks:         192.168.0.0/16
Packet size:           default
Rotate log:            Daily
Save logs:             7
Log package payload:

Intrusion Detection Rulesets enabled and configured to DROP:

abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
ET open/botcc
ET open/botcc.portgrouped
ET open/compromised
ET open/drop
ET open/dshield
ET open/emerging-dos
ET open/emerging-exploit
ET open/emerging-malware
ET open/emerging-scan


---> Adding this causes a HUGE problem:

User Defined:

Enabled:               X
SSL/Fingerprint:
GeoIP/Country:         United States (not)
GeoIP/Direction:       Both
Action:                Drop
Description:

------------------------------------------------

I live in the United States and the intent is that only traffic from and to the United States be allowed on either the WAN or LAN interfaces.
Once the GeoIP item is enabled I lose control of the router. I'm unable to use the Web UI to access the router. I'm unable to access the router with SSH. No traffic is flowing in any direction on any interface.
The only thing I can do is connect a local keyboard and monitor and log in that way ... It then becomes apparent the only thing I can do is reset to defaults and import my configuration, without the GeoIP User Defined item! Then I'm back in business. Something about that User Defined GeoIP item hates me <frown> ...

Any thoughts on what I'm doing wrong?
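A model of the country-based drop rule from the post above, as an added example that is not part of the original post and is not OPNsense's or Suricata's own code. The GeoIP table is constructed and, like real country databases, has no rows for RFC 1918 space, so addresses such as 192.168.1.1 resolve to no country. The matching semantics are my assumptions, modelled on how I understand the open-source geoip rule keyword behaves: a negated country list fires for any country that is not listed, including "no country", and direction "both" requires source and destination to match while "any" needs only one of them. The flows and the function names are constructed for illustration. With those assumptions, admin traffic between a LAN host and the router matches "not United States" on both ends and is dropped, which is the kind of lock-out the post describes.

```python
"""Added example, not code from the post, from OPNsense or from Suricata.

Models a user-defined IDS rule of the form: action Drop, country United
States negated, direction Both, applied to WAN and LAN. Assumptions (mine):
the GeoIP lookup is a constructed table with no private-address entries, and a
negated country match fires whenever the looked-up country is not in the
list, which includes addresses with no country at all. Function names and
the sample flows are illustrative.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed GeoIP table (documentation prefixes -> ISO country codes).
# Deliberately no rows for 10/8, 172.16/12 or 192.168/16: real country
# databases do not map private space either.
GEOIP_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "NL",
}


def lookup_country(ip: str) -> Optional[str]:
    """ISO country code for ip, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def address_matches(ip: str, countries: List[str], negated: bool) -> bool:
    """One-address test. Assumed semantics: a negated list fires for any
    country not listed, and also when the lookup finds no country at all."""
    cc = lookup_country(ip)
    listed = cc is not None and cc in countries
    return (not listed) if negated else listed


def geoip_rule_matches(src: str, dst: str, countries: List[str],
                       negated: bool, direction: str) -> bool:
    """direction: 'src', 'dst', 'both' (src AND dst) or 'any' (src OR dst)."""
    s = address_matches(src, countries, negated)
    d = address_matches(dst, countries, negated)
    return {"src": s, "dst": d, "both": s and d, "any": s or d}[direction]


# The rule from the post: Drop, GeoIP/Country "United States (not)".
RULE_COUNTRIES = ["US"]
RULE_NEGATED = True

# Constructed flows as seen on the LAN and WAN interfaces.
FLOWS: Dict[str, Tuple[str, str]] = {
    "admin PC -> router web UI (LAN)": ("192.168.1.50", "192.168.1.1"),
    "pi-hole -> router DNS (LAN)":     ("192.168.1.15", "192.168.1.1"),
    "LAN host -> US web server":       ("192.168.1.50", "203.0.113.10"),
    "WAN: DE host -> router WAN IP":   ("198.51.100.7", "203.0.113.200"),
}


def evaluate(direction: str = "both", flows=FLOWS) -> Dict[str, bool]:
    """Return {flow label: True if the rule would drop it} for one direction setting."""
    return {
        label: geoip_rule_matches(s, d, RULE_COUNTRIES, RULE_NEGATED, direction)
        for label, (s, d) in flows.items()
    }


if __name__ == "__main__":
    for direction in ("both", "any"):
        print(f"direction={direction}")
        for label, dropped in evaluate(direction).items():
            print(f"  {'DROP' if dropped else 'pass'}  {label}")
```

Under these assumptions the "both" direction drops every LAN-to-router flow (neither side has a country) while letting a LAN host reach a US server and even letting a DE host reach the WAN address, because "both" needs the US-located end to fail the test too; the "any" direction drops all four flows, since one private address is enough. Either way, a rule with no exemption for the local networks is evaluated against management traffic the same as against anything else.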
#6
General Discussion / Please expand use of aliases
December 08, 2017, 01:21:56 AM
I love OPNsense, converted from pfSense about 4 weeks ago.

The only odd thing I encountered was my Zoom modem loaning the WAN interface a 192.168.100.10 address in lieu of the public address I was used to seeing when using pfSense. After a closer look at the OPNsense WAN interface "DHCP client configuration" I found the handy-dandy "Reject Leases From", used 192.168.100.1, and I'm golden now.

I find aliases extremely useful and would like to see more use throughout OPNsense, such as the "Reject Leases From" I mentioned in my little story above. While the hard-coded address works perfectly, I'd be even MORE happy if I could use an alias.

The more I can use aliases, everywhere, the better. This lets me have a really central place for as much IP configuration as I can get away with in one place.

Please expand use of aliases ... if it happens, great ... if it doesn't happen, great, I'll still be happy using a kick-butt product anyway!