Topics - feld

#1
When my WAN fails over and fails back it doesn't clear firewall states so traffic still tries to use the WAN that was previously routing the traffic. This is most noticeable when my primary WAN comes back online and traffic still flows through my backup WAN because the states still exist and the network is still functional, so it's not like it's going to have any TCP RSTs or timeouts that push the traffic back to my primary WAN.

Is there a solution to this that I'm not aware of?
#2
With pf and ipfw it's quite easy to write a single line rule that lets you define the allowed ICMP and ICMP6 types, but with OpnSense you have to create an individual rule for each type. Can this be refactored to allow selecting multiple types just like you can select multiple interfaces?

#3

```
feld@gw:~ $ netstat -I ax0
Name    Mtu Network        Address                             Ipkts                 Ierrs                 Idrop       Opkts                 Oerrs                  Coll
ax0    1500 <Link#5>       f4:90:ea:00:62:2d                  382472  18446744073709551610                     0  1703087022                     0                     0
ax0       - fe80::%ax0/64  fe80::f690:eaff:fe00:622d%ax0           0                     -                     -           0                     -                     -
```

this is impossible :)
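The Ierrs value above is 2**64 - 6, i.e. an unsigned 64-bit counter that has been decremented below zero. The following is an added example (not part of the post or of OPNsense/FreeBSD) that parses the `netstat -I` output as pasted above and flags any counter that is negative when read as a two's-complement 64-bit integer, the check a monitoring poller would want before graphing such a value. The sample text is copied from the post; the function names and the 64-bit width assumption are mine.

```python
"""Parse FreeBSD `netstat -I <ifname>` output and flag counters that have
wrapped below zero (they show up as values near 2**64).

Added example, not code from the original post.  SAMPLE is the output
pasted in the post; everything else is constructed for illustration.
"""

SAMPLE = """\
Name    Mtu Network        Address                             Ipkts                 Ierrs                 Idrop       Opkts                 Oerrs                  Coll
ax0    1500 <Link#5>       f4:90:ea:00:62:2d                  382472  18446744073709551610                     0  1703087022                     0                     0
ax0       - fe80::%ax0/64  fe80::f690:eaff:fe00:622d%ax0           0                     -                     -           0                     -                     -
"""

# Counter columns in the netstat -I header (others are identity columns).
COUNTERS = ("Ipkts", "Ierrs", "Idrop", "Opkts", "Oerrs", "Coll")


def to_signed(value, bits=64):
    """Reinterpret an unsigned integer of `bits` width as two's complement."""
    return value - (1 << bits) if value >= (1 << (bits - 1)) else value


def parse_netstat_i(text):
    """Return one dict per data row, keyed by the header column names.

    Assumes the whitespace-separated layout shown in SAMPLE: the header and
    every row split into the same number of fields, with '-' for n/a.
    """
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected field count in line: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def implausible_counters(rows, bits=64):
    """Return (name, network, column, raw, signed) for every counter that is
    negative once reinterpreted as a signed `bits`-wide integer."""
    flagged = []
    for row in rows:
        for col in COUNTERS:
            raw = row.get(col, "-")
            if raw == "-":
                continue  # per-address rows carry no counters for some columns
            value = int(raw)
            signed = to_signed(value, bits)
            if signed < 0:
                flagged.append((row["Name"], row["Network"], col, value, signed))
    return flagged


if __name__ == "__main__":
    for entry in implausible_counters(parse_netstat_i(SAMPLE)):
        name, network, col, raw, signed = entry
        print(f"{name} {network}: {col}={raw} (signed: {signed}) is implausible")
```

Run on the pasted output it reports `ax0 <Link#5>: Ierrs=18446744073709551610 (signed: -6)`, which is the underflow the post calls impossible; a poller that treats the value as a genuine error count would graph a spike of 1.8e19 errors.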
#4
I've been adding additional monitoring to a network with OpnSense as the firewall and noticed a curious problem with the data I was receiving. The internet uplink / WAN is on interface ax1 and I was running network tests which should have shown multi-gigabit data transfer rates with my SNMP graphing and monitoring. However, it was not showing me this in the results. The correct data rates were found on the ax0 interface instead which is not possible because that interface is only gigabit.

I believe this situation was caused by my removal of the igb1 interface which was no longer being used. The igb interfaces are earlier in the SNMP IF-MIB::ifDescr table than the ax interfaces so this seems to make sense. My problem was resolved after restarting the snmpd service and running additional tests.

I think the correct solution here is to require a restart of the snmpd service every time an interface is created or destroyed to ensure the data being served is correct. However, this may produce interesting challenges for systems that only "walk" to learn the SNMP information periodically which I recall being the behavior of Observium/Librenms. I don't know if there's a good solution for that other than recommending that admins are aware they should manually run the SNMP discovery mechanism after interface changes on OpnSense to ensure their monitoring and graphing stays consistent with reality.
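The failure mode described above is a poller that discovered ifIndex to ifDescr once and then keeps attributing counters by ifIndex after the table shifts. The following is an added example, not code from the post or from OPNsense, Observium or LibreNMS: it compares a cached IF-MIB::ifDescr walk with a fresh one, reports every index whose description changed, and refuses to attribute counters at a shifted index. The tables are constructed to mirror the scenario in the post (igb1 removed, the ax interfaces moving down one index); it assumes snmpd is serving a consistent table, e.g. after the restart the post describes.

```python
"""Detect SNMP ifIndex/ifDescr shifts between a cached discovery walk and a
fresh walk so interface counters are not charged to the wrong interface.

Added example; all tables are constructed, not real SNMP data.
"""

# Constructed: IF-MIB::ifDescr as discovered before igb1 was removed.
CACHED_IFDESCR = {1: "igb0", 2: "igb1", 3: "ax0", 4: "ax1"}

# Constructed: IF-MIB::ifDescr walked again after igb1 was removed and
# snmpd was restarted.  Every interface after igb1 has moved down by one.
FRESH_IFDESCR = {1: "igb0", 2: "ax0", 3: "ax1"}

# Constructed: per-ifIndex ifHCInOctets deltas from a poll after the change.
# The multi-gigabit traffic is on index 3, which is now ax1, not ax0.
FRESH_IN_OCTETS = {1: 1_000, 2: 2_500, 3: 3_000_000_000}


def detect_index_shift(cached, fresh):
    """Return (ifIndex, cached_name, fresh_name) for each index whose ifDescr
    differs between the two walks (None marks an index present only once)."""
    shifts = []
    for idx in sorted(set(cached) | set(fresh)):
        old, new = cached.get(idx), fresh.get(idx)
        if old != new:
            shifts.append((idx, old, new))
    return shifts


def attribute_counters(cached, fresh, counters):
    """Map counters keyed by ifIndex to interface names.

    A counter is attributed only when the fresh ifDescr at that index still
    matches the cached discovery; anything else is returned as stale so the
    caller can trigger rediscovery instead of graphing it under the wrong
    interface.  Returns (attributed_by_name, stale_by_index).
    """
    attributed, stale = {}, {}
    for idx, value in counters.items():
        name = fresh.get(idx)
        if name is not None and cached.get(idx) == name:
            attributed[name] = value
        else:
            stale[idx] = value
    return attributed, stale


if __name__ == "__main__":
    for idx, old, new in detect_index_shift(CACHED_IFDESCR, FRESH_IFDESCR):
        print(f"ifIndex {idx}: discovered as {old!r}, now {new!r}")
    ok, stale = attribute_counters(CACHED_IFDESCR, FRESH_IFDESCR, FRESH_IN_OCTETS)
    print("attributed:", ok)
    print("stale (rediscover before graphing):", stale)
```

Attributing by index alone would have charged the 3 GB to ax0; with the check, only igb0 is attributed and indexes 2 and 3 are reported as stale until the poller reruns discovery, which is the manual step the post recommends after interface changes.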
#5
24.1, 24.4 Legacy Series / SNMPv3 not working
February 05, 2024, 05:31:09 PM
Hello,

After upgrading to 24.1 my SNMPv3 user no longer works. If I add in a community and try to snmpbulkwalk with v2 it works fine, but with SNMPv3 it always gives me an error.

```
Error in packet.
Reason: authorizationError (access denied to that object)
Failed object:
```

I've checked multiple times and the username, SHA, and AES settings are all correct. They just don't work.
#6
23.7 Legacy Series / os-frr configuration is very limited
December 31, 2023, 01:07:44 AM
Please expand the configuration options for os-frr or allow us to edit the config file as there is a ton of missing functionality. I really want to use peer groups so I can connect peers/neighbors and accept announcements from any address in a given subnet which is a fairly normal deployment option but this is not possible due to the severely limited configuration.
#7
The changelog says:

```
src: axgbe: fix link issues for gigabit external SFP PHYs and 100/1000 fiber modules
src: axgbe: apply RRC to miibus attached PHYs and add support for variable bitrate 25G SFP+ DACs
src: axgbe: properly release resource in error case
```

My dmesg with this kernel shows one of my links constantly flapping:

```
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
ax1: Link is UP - 10Gbps/Full - flow control off
ax1: link state changed to UP
ax1: Link is DOWN
ax1: link state changed to DOWN
```

Booting into the previous kernel fixes it.

My hardware is the official DEC840.

#8
Dropping the negative cache TTL as low as possible is really useful.

e.g., I try to resolve a host that's been offline for a while, then boot up the machine. It gets an IP from DHCP, sets its hostname, and now Unbound should know about it. But it doesn't return any results because there's a negative cache entry still there.
#9
Hello,

Here's a scenario that happens with Unbound

1. Your internet service goes down
2. Unbound tries to make queries
3. Unbound cannot query
4. Unbound puts the nameservers it tried to query on a blacklist for 900 seconds
5. Your internet service comes back up
6. Unbound still cannot service those queries as the nameservers are still on a blacklist


Being able to set infra-host-ttl to a lower value will limit the time a nameserver can be on this blacklist, and setting infra-keep-probing: yes will inform Unbound to test servers on the blacklist for reachability one at a time, but it takes 120 seconds for it to timeout and move on to the next one.

There is no option to disable this behavior in Unbound. The only fix is to manually restart Unbound or run "unbound-control flush_infra all".

https://unbound-users.unbound.narkive.com/DjcIaXIy/unbound-stops-answering-after-adsl-line-bounce
https://github.com/NLnetLabs/unbound/blob/release-1.13.0/doc/Changelog#L90-L98



edit: it looks like **TTL for Host Cache entries** is infra-host-ttl. I wish the names of these items in the UI actually matched the config file options. So we just need control over infra-keep-probing. Changed post subject accordingly.
#10
How can I reset the BIOS when there is no serial console output until the Opnsense/FreeBSD kernel loads? I believe this may be due to disabling the Legacy UART to get serial console working again.

If anyone else is reading this, what you probably need to do on this specific hardware is leave the BIOS alone and change the Serial Console to EFI in OpnSense.
#11
I'm looking at the source of the axgbe driver and it appears it supports 10/100/1000/2500/10000 but interestingly enough 5000 is missing.

https://github.com/opnsense/src/blob/stable/23.1/sys/dev/axgbe/if_axgbe_pci.c#L2286-L2311


Is this a limitation of the hardware? With a few source changes could it work with e.g., this SFP+? https://www.fs.com/products/173216.html

I don't have a test env for this yet but I'm thinking of a scenario where I may want 5gbit support here (with AT&T fiber)
#12
If you select multiple VLANs and try to delete them only one gets deleted
#13
Renaming a VLAN seems to leave the old VLAN interface still in existence if you log in to the console and check ifconfig.
#14
Hello,

I have two Wireguard "Local" configurations:

- one for clients to connect to my network
- one used as a site-to-site VPN

The second one never works after boot until I go in and disable that "Local" server, then re-enable it. Only after that will the traffic begin flowing again.


Thanks for your time!