Messages

1

24.7 Production Series / Re: Unbound DNS slow website loading and finally stucking

« on: November 02, 2024, 05:34:25 pm »

I think the reason for the slow website access is definitely not an OPNsense issue. Neither unbound DNS, Dnsmasq DNS nor OPNsense in general.

I have made several times a ping at the problematic website/domail ifun.de.
The response time generally was (very?) high, with regular dropouts on some devices, not always. But slow loading or stucking website.

However, since I also have the same problem with another ISP (my workplace has a dedicated line afaik), for example with an LTE/4G Fritzbox 6820v3 router, I assume that the problem is either on the side of the destination URL/domain or basically with Deutsche Telekom (all ISPs are probably Deutsche Telekom).

Using 4G/LTE Fritzbox 6820v3:

Code: [Select]

$ ping ifun.de
PING ifun.de (172.67.179.129): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
64 bytes from 172.67.179.129: icmp_seq=3 ttl=50 time=133.068 ms
64 bytes from 172.67.179.129: icmp_seq=4 ttl=50 time=121.438 ms
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
64 bytes from 172.67.179.129: icmp_seq=9 ttl=50 time=154.368 ms
Request timeout for icmp_seq 10
64 bytes from 172.67.179.129: icmp_seq=11 ttl=50 time=141.843 ms
64 bytes from 172.67.179.129: icmp_seq=12 ttl=50 time=115.333 ms
^C
--- ifun.de ping statistics ---
13 packets transmitted, 5 packets received, 61.5% packet loss
round-trip min/avg/max/stddev = 115.333/133.210/154.368/14.003 ms
Using iPhone hotspot:

Code: [Select]

$ ping ifun.de     
PING ifun.de (172.67.179.129): 56 data bytes
64 bytes from 172.67.179.129: icmp_seq=0 ttl=50 time=173.035 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
64 bytes from 172.67.179.129: icmp_seq=5 ttl=50 time=146.799 ms
64 bytes from 172.67.179.129: icmp_seq=6 ttl=50 time=123.930 ms
64 bytes from 172.67.179.129: icmp_seq=7 ttl=50 time=139.072 ms
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
64 bytes from 172.67.179.129: icmp_seq=10 ttl=50 time=165.231 ms
64 bytes from 172.67.179.129: icmp_seq=11 ttl=50 time=136.977 ms
^C
--- ifun.de ping statistics ---
12 packets transmitted, 6 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 123.930/147.507/173.035/16.853 ms

Code: [Select]

$ traceroute ifun.de
traceroute: Warning: ifun.de has multiple addresses; using 172.67.179.129
traceroute to ifun.de (172.67.179.129), 64 hops max, 40 byte packets
 1  fritz.box (192.168.178.1)  5.899 ms  3.192 ms  3.158 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  80.156.5.67 (80.156.5.67)  83.004 ms  59.682 ms  25.632 ms
 9  h-sb1-i.h.de.net.dtag.de (62.154.49.197)  39.279 ms  52.426 ms  38.748 ms
10  d-sb1-i.d.de.net.dtag.de (62.154.3.61)  141.174 ms  122.424 ms  163.809 ms
11  ams-sb6-i.ams.nl.net.dtag.de (217.239.60.109)  125.050 ms
    217.239.42.113 (217.239.42.113)  138.399 ms  122.960 ms
12  if-ae-0-2.tcore3.njy-newark.as6453.net (216.6.90.14)  138.540 ms  126.983 ms  133.358 ms
13  66.198.70.2 (66.198.70.2)  138.530 ms  150.004 ms *
14  162.158.61.105 (162.158.61.105)  143.686 ms *
    162.158.61.101 (162.158.61.101)  173.196 ms
15  172.67.179.129 (172.67.179.129)  118.694 ms * *

2

24.7 Production Series / Re: Unbound DNS slow website loading and finally stucking

« on: October 30, 2024, 05:57:13 pm »

Hello,
i have the exact same problem like you described.

...

But maybe the reason is just that:

I think Telekom has some serious Peering problems with everyone who is not willing to do peering at their own locations and wants to get paid for that. For example Cloudflare has not a great backbone connection to Telekom. O2 or 1und1 has good open peering at DE-CIX. its like a walled garden, and the customers are the ones suffering. The problem is not always present, only when their network is more congested. You can try to use a vpn when there is slow loading, and suddenly the internet feels fast again.

Hello @b1ggi,
thanks for your feedback. Yesterday evening I again had bad slow loading times and set up OPNsense in a Proxmox VM to check for a hardware defect of my PCEngines APU4.

With the same result. The same pages always load extremely slowly without coming to an end. Embedded images on the website remain half loaded, at the bottom of the browser only a white page. No timeouts, no 404 error, whatever...

My OPNsense setup is also really really really basic. No VPN, no VLAN, no super special configurations, firewall rules etc. Just Telekom VDSL, IPv4 LAN with DHCP, Unbound-DNS.

The thought that it could also be due to the Telekom/routing/peering... etc. was also on my mind. Because: It's always the same pages that don't load (or only load from time to time). Not random global network problems on various pages.

3

24.7 Production Series / Re: Unbound DNS slow website loading and finally stucking

« on: October 29, 2024, 09:00:38 am »

Did some testing in the meantime. Seems to be a DNS related problem in general on my system, not related to (just) OPNsense.
As first mentioned that switching to Dnsmasq-DNS on OPNsense will fix slow website loading I have to add now that this was not the solution. Same behaviour, regardless of using Unbound-DNS or Dnsmasq-DNS.

Even with a public DNS ( e.g 8.8.8.8 ) manually set on my playing/working device same result. It's always the same pages that do not load or stuck while loading.

Examples:
https://ifun.de
https://www.jeffgeerling.com/

Set up OPNsense from scratch, same results.

Some info about my system:

• OPNsense on APU4 (default setup (no special setup like VLAN, firewall rules, etc.), IPv4 DHCP, IPv6 disabled,Unbound-DNS)
  
• german Telekom VDSL 250/40
• Vigor 165 VDSL modem
• Unifi 24-port POE switch
• Unifi U6-LR AP
• Unifi Network Controller running self-hosted on Raspberry Pi
• pi-hole (broadcasted as DNS by DHCP running on Raspberry Pi, pihole is disabled for now

Did a dns-cache flush on my devices as my last action. Everything seems to run much more smoother right now. Will watching it.

4

24.7 Production Series / Re: Unbound DNS slow website loading and finally stucking

« on: October 27, 2024, 10:40:22 pm »

Hmm, I don't really know how or where to start to get rid of the error.

Unfortunately, I don't have the technical background, but what I can't explain is why the pages with Unbound DNS simply don't continue to load. It is just a DNS request, either it is resolved or not. So why are images on websites only half loaded? On different computers. No error logs. Just websites stucking while the (should) load.
Using Dnsmasq-DNS everything works like a charm.

That makes no sense.
I'm confused to the max... 

5

24.7 Production Series / Unbound DNS slow website loading and finally stucking

« on: October 27, 2024, 09:53:46 pm »

I have noticed a website loading performance problem when I use Unbound DNS. I only noticed this problem in the last few days, websites sporadically load very slowly and finally stuck. I blamed it on my playing computer running Ubuntu.

Today, however, I also noticed the performance problem on my main computer runnming macOS and I think I have been able to locate the source of the error in my OPNsense firewall after gradually decommissioning all devices one after another.

I can't say whether this was caused by an OPNsense update or has been the case for some time.

Unfortunately, I don't have the technical Linux/BSD background to be able to provide detailed diagnostics or logs.

I think I have localised the problem with OPNsense, because when I switch to Dnsmasq DNS instead of Unbound DNS I no longer have any website performance problems.

My system

OPNsense 24.7.7-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15

Under System > Settings > General the option "Allow DHCP/PPP to overwrite DNS server list on WAN" is disabled as long as I am using Unbound DNS. If I understand this correctly, the upstream/root DNS servers are then queried for Unbound DNS. I had to reactivate this option when using Dnsmasq DNS, as otherwise there was no DNS resolving in the WAN.

Is this a known problem?

6

German - Deutsch / Re: Frage zu „Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN“

« on: February 23, 2021, 12:29:10 pm »

Ich habe mal etwas herum probiert und aktiviert

• „Do not use the local DNS service as a nameserver for this system“
• „Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN“

und dann in der Shell der OPNsense ein nslookup (genau genommen drill unter FreeBSD ) gemacht (vorher die Dienste mal neu durchgestartet) und siehe da, es wird eine externe IP verwendet (rootserver?). Mache ich o.g. Optionen wieder aus, wird per localhost 127.0.0.1 aufgelöst. Ich nehme an somit per Unbound?

7

German - Deutsch / Frage zu „Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN“

« on: February 23, 2021, 09:45:56 am »

Hallo,

ich bin etwas verunsichert ob der DNS Einstellungen meiner OPNsense. Netzwerktechnisch auch eher Anfänger versuche ich die Option zu verstehen.

Mein Setup ist kurz zusammengefasst wiefolgt:

• Unbound läuft ohne Forwarder
• DHCP auf LAN läuft und vergibt als DNS die IP meines Pi-hole
• Upstream in Pi-hole ist meine OPNsense

DNS Anfragen verstehe ich nun so, dass ein Client Pi-hole anfragt (dort wird entsprechend der Blocklist gefiltert) und dann Anfrage an OPNsense Unbound. Unbound guckt bei den Rootservern. Und alles ist gut…

Was macht bzw. würde die Funktion „Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN“ unter den allgemeinen Einstellungen machen? Ist aktuell ausgeschaltet, afair aber Default an?

8

German - Deutsch / Re: WAN: iPhone als LTE Modem || iPhone USB Tethering

« on: October 11, 2020, 07:27:52 pm »

Hello,

if you have successfully set up both optimizations, then you also have an Ethernet USB device which you assign to the WAN adapter. IP on this adapter set to DHCP (IPv6 according to DHCPv6).
Unfortunately the iOS 14 tethering seems to be broken, so there are currently problems. With iOS 13.x everything was fine. 

9

Hardware and Performance / OPNsense 20.x and Compex WLE600VX WiFi

« on: September 15, 2020, 10:10:57 pm »

Hello,

sorry for double post on the same topic in the german section of the forum. 

I own a Compex WLE600VX WiFi card. According to some information on the net, it should be supported by FreeBSD 12. I have the Compex WLE600VX WiFi card on my APU 2C4 board with OPNsense 20.1.2, but unfortunately the device does not show up. Since OPNsense is based on HardenedBSD 12.1, is there any experience with using the Compex WLE600VX WiFi card with OPNsense 20.x?   

10

German - Deutsch / Re: FreeBSD 12 Udapte zu OPNsense > Compex WLE600VX

« on: September 14, 2020, 08:40:15 pm »

Huhu,

gibt es schon Erfahrungsberichte, hat schon jemand die Karte Compex WLE600VX zum Laufen bekommen? Wo ja nun 20.1 basierend auf FreeBSD 12 schon eine Weile veröffentlicht wurde…

Ich hab die Karte auf meinem APU 2C4 mit OPNsense 20.1.2, doch per default wird die Karte erstmal nicht erkannt…

11

18.1 Legacy Series / WAN DHCP IP with tethered iPhone || renew WAN DHCP IP automatical

« on: July 09, 2018, 06:30:24 pm »

Sorry for the double post and the reference to my thread in the german speaking area but I would like to try it here as well in the hope that someone who only speaks english will read along. 

See https://forum.opnsense.org/index.php?topic=6383.msg40831#msg40831

For using my iPhone as tethered WAN device I made two Tuneables under System > Settings > Tunables. One tunable is if_ipheth_load="YES", the second tunable loads hw.usb.quirk.0="0x05ac 0x12a8 0 0xffff UQ_CFG_INDEX_3".

So far, anytime I plugin my iPhone to OPNsense firewall, the message "Trust this Computer?" shows up in my iPhone display and after confirming/trusting my iPhone will be recognized as an ethernet interface that has been assigned to my WAN interface. The poor thing is that after my iPhone has been de-attached and then re-attached to OPNsense it won't get any DHCP WAN IP until I restart all services from ssh shell.

How can I fix this? How can I make the WAN interfaces get a new WAN DHCP IP without start all services manually?

12

German - Deutsch / Re: WAN: iPhone als LTE Modem || iPhone USB Tethering

« on: July 09, 2018, 06:06:33 pm »

Hab nun eine fast komplettes und komfortables Setup hinbekommen per System > Einstellungen > Optimierungen, dort habe ich 2 Optimierungen hinzugefügt:

• if_ipheth_load mit dem Wert YES
• hw.usb.quirk.0 mit dem Wert 0x05ac 0x12a8 0 0xffff UQ_CFG_INDEX_3

1. lädt den iPhone Tethering Treiber in den Kernel,
2. sorgt dafür, dass usbconfig -u 4 -a 2 set_config 3 jedes Mal ausgeführt wird wenn das iPhone erneut per USB an meine Firewall angeschlossen wurde.

Ich muss dann lediglich im Display des iPhones dem verbundenen Computer (meine Firewall) vertrauen und die Hotspotfunktion in der Einstellung des iPhones anschalten.

Leider bekommt mein WAN nach wie vor keine IP per DHCP nach iPhone Trennung und Neuverbindung und ich starte die Dienste per ssh Login neu.

13

German - Deutsch / Re: WAN: iPhone als LTE Modem || iPhone USB Tethering

« on: June 29, 2018, 11:49:34 pm »

Ich bin nun etwas weitergekommen. Meine grundsätzlich funktionierende Konfiguration ist wiefolgt:

• ich habe ein Script unter /usr/local/etc/rc.syshook.d/ mit Namen iphone_hotspot.start erstellt
  Inhalt des Scripts:
  #!/bin/sh
  kldload if_ipheth
  usbconfig -u 0 -a 3 set_config 3
  (die Parameter für -u und -a müssen per # usbconfig in Erfahrung gebracht werden)
• das Script per # chmod +x iphone_hotspot.start ausführbar gemacht, es wird somit beim Systemstart mitgeladen
• unter Schnittstellen:Zuweisungen erscheint dann die Schnittstelle ue0 (das ist das iPhone)
• WAN wird die Schnittstelle ue0 zugewiesen, IPv4 Konfigurationstyp DHCP
• am iPhone muss ich (sobald dieses physikalisch per USB an der Firewall verbunden wird) bestätigen, diesem Gerät zu vertrauen
• der Hotspot muss dann am iPhone manuell (re)aktiviert werden und dort wird auch sofort der Hotspot aktiv angezeigt (blauer Balken im iPhone Display am oberen Rand)
• OPNsense muss nun alle Dienste neu starten, damit WAN sich eine DHCP IP besorgt (ich hab das bisher mit der Option gemacht, die man bei der ssh Verbindung hat => 11 - reload all service (?, sitze gerade nicht vor'm Rechner@home)

Das ganze mit dem iPhone als LTE-Modem funktioniert soweit echt gut und auch wesentlich performanter als meine Erfahrungen mit dem Sierra MC7304 LTE pci-e mini card Modem.

Die Probleme, die ich nun mit eurem Expertenwissen zu lösen hoffe, sind folgende:

Da ich das iPhone auch als Handy benutze, nehme ich diese auch mit außer Haus und entferne es folgedessen auch von OPNsense. 

Wenn es dann wieder per USB mit OPNsense verbunden wird, muss ich

• den Befehl # usbconfig -u 0 -a 3 set_config 3 erneut ausführen, damit das iPhone wieder als ue0 Schnittstelle auftaucht
• WAN muss sich eine neue DHCP IP beziehen, damit Clients über OPNsense ins Internet kommen

Diese beiden Schritte würde ich gerne vermeiden.

Wie kann ich permanent/automatisch dafür sorgen, dass

• # usbconfig -u 0 -a 3 set_config 3
• WAN DHCP IP Aktualisierung

ausgeführt wird?

14

18.1 Legacy Series / VM performance passed through USB LTE modem/stick

« on: May 10, 2018, 02:57:11 pm »

I have a problem with the performance of a USB LTE modem stick. I virtualized OPNsense and passed through the USB LTE modem into the VM as a USB 2.0 device. The device runs, however, the performance is rather poor. If I connect the USB LTE modem directly to my APU2C4, which also runs OPNsense, the performance is much better.

Are there ways to improve the performance of a USB device passing through into the VM? Are there optimization possibilities for network adapters in the VM?

 

15

18.1 Legacy Series / Re: Netgear 4G/LTE Modem - How to get it recognised at OPNsense Boot

« on: April 12, 2018, 10:09:40 pm »

You do it from the OPNsense webpage. Need version 18.1.5 or later as specified by Franco.

Goto ...

System | Settings | Tunables

.... and add a new tunable. Worked for me! Let me know how you go.

Cheers

Craig

Okay, fine, so I finally found these setting. I make a new tunable hw.usb.quirk.0 but where do I get the right value from I have to enter, too?

FreeBSD man says that USB_QUIRKS need VendorId, ProductId, LowRevision and HighRevision 16 bits numbers which can be decimal or hexadecimal based.

Using # usbconfig -u 4 -a 2 dump_device_desc (ugen4.2 = my USB iPhone device) tells me idVendor and idProduct and some other values so I made a tunable = hw.usb.quirk.0 and value =  0x05ac 0x12a8 0 0xffff UQ_CFG_INDEX_3 but it doesn't work.

What is still working and has worked via shell:
 
# kldload if_ipheth
# usbconfig -u 4 -a 2 set_config 3


I'd like to have these two commands loaded when OPNsense starts up without entering them via shell
Can you help me??