Messages

1

Hardware and Performance / Re: New to OPNsense - improving power consumption

« on: September 09, 2023, 11:17:46 pm »

There are several forum threads on power consumption.

One in particular recommended using powerdxx and playing around with the C states. Try here: https://forum.opnsense.org/index.php?topic=28033.0

But generally speaking, a firewall is unlikely to reach high C states because it will invariably be woken up by incoming traffic (= interrupts). Plus, certain NICS or NIC settings will prevent high C states (example: Intel 1G NIC, an i219 IIRC, will prevent high C states if you enable jumbo frames).

2

Hardware and Performance / Re: FireWall speed

« on: August 30, 2023, 05:56:14 pm »

Try a CPU with less cores but higher per-core ooomph (higher IPC, higher CPU frequency, etc.)

And try it without using HyperThreading (SMT).

3

23.7 Production Series / Re: This close to giving up

« on: August 30, 2023, 05:49:53 pm »

Sounds more like an issue with getting internet connectivity to OPNsense than the routing/firewalling.

Just checking that you
- do not use USB NICs
- do not use Realtek NICs (or if you do, have installed the plugin drivers)
- do not use Intel i225 / i226 NICs ?
- do not run OPNsense virtualised
- have checked and re-done the cabling

4

Intrusion Detection and Prevention / Re: Suricata Not Finding Anything

« on: August 16, 2023, 03:41:40 pm »

I have enabled "OPNsense-App-detect/test" with suricata in IDS Mode. Opnsense 23.7.1_3. Suricata listening on LAN and VLAN interfaces (not WAN).

Testing eicar download via HTTP wget/curl triggers the alert. Using a browser doesn't because the browser/website switches to HTTPS automatically.

5

23.7 Production Series / Re: DHCP Friendly Name (without static IP)

« on: August 03, 2023, 10:10:01 am »

That is probably because the device got a DHCP dynamic address while being unnamed and you subsequently "named" it. It should fall into one item on next DHCP release or at least next reboot.

6

General Discussion / Re: [FIXED] opn-arp service startup issue

« on: July 26, 2023, 09:48:40 pm »

Thanks - just ran into the same issue.

It certainly can be fixed, but would need to be done by @mimugmail as maintainer of the OPNsense community repo.

I've posted a bug at https://github.com/mimugmail/opn-repo/issues/173

7

23.1 Legacy Series / Re: Occasionally drops WAN briefly

« on: July 09, 2023, 09:42:45 am »

It could also be the Realtek NICs acting flaky. Have you installed the newer driver from the plugins?

8

23.1 Legacy Series / Re: ddclient with opnsense backend doesn't start

« on: May 04, 2023, 10:30:36 am »

I could not get the OPNsense backend to work with a CloudFlare token using only v4. It would generate this error:

Account XXX [cloudflare - XXX ddns] error receiving ZoneID [[{"code": 6003, "message": "Invalid request headers", "error_chain": [{"code": 6102, "message": "Invalid format for X-Auth-Email header"}, {"code": 6103, "message": "Invalid format for X-Auth-Key header"}]}]]

I think that "Invalid format for X-Auth-Email header" indicates that you are not using Cloudflare "token" service (if token auth is used, it would read something like "bearer authentication").

You need to use username "token" (literally "token"!) or leave it empty to use the token authorisation. DO NOT USE YOUR CLOUDFLARE EMAIL / USERNAME!

9

23.1 Legacy Series / Re: Secure NTP

« on: May 04, 2023, 10:05:59 am »

Running adguard and chrony and never had an issue between those two.

I assume you have disabled the regular NTP server service? (Services -> Network Time -> General -> "Time Servers" empty and "Client Mode" ticked)

And another wild shot in the dark: You have disabled the rate limit in Adguard Home (Settings -> DNS Settings -> Rate Limit set to "0")?

10

23.1 Legacy Series / Re: Secure NTP

« on: April 27, 2023, 10:44:27 pm »

you can install Chrony and use NTS.

Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de

11

23.1 Legacy Series / Re: Firewall: Diagnostics: Aliases / add address / remove address works for 30 secon

« on: April 20, 2023, 01:12:29 pm »

1. Create an IP alias with a NOT ("!") setting, e.g. "!1.2.3.4".
2. Create an alias that combines your IP list and the not-IP-alias
3. Use the new combined alias.
4. Done.

12

23.1 Legacy Series / Re: LetsEncrypt issues after v23.1 upgrades? (likely just mine)

« on: April 06, 2023, 09:26:37 am »

No help here, but I also had some issues a few weeks back where renewals would no longer work.

I *think* it was failing the DNS challenge...?

I ended up deleting and newly creating my acme/letsencrypt config. 

That was end of February.

13

Hardware and Performance / Re: Lenovo M920q NIC and RAM recommendation

« on: April 01, 2023, 08:25:07 pm »

Re: fake i350:

https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/

https://www.hardwareluxx.de/index.php/news/hardware/netzwerk/58048-gefaelschte-netzwerkkarten-von-intel-bei-namhaften-deutschen-shops.html

14

22.1 Legacy Series / Re: os-ddclient

« on: April 01, 2023, 08:19:49 pm »

Username should be either empty or just use the word "token". That tells ddclient to use the API token bearer mechanics. You then put your (newly generated) API token into the password field.

Note: The API token is NOT the same as your Global API Key. See https://developers.cloudflare.com/fundamentals/api/get-started/create-token/. Your token needs both DNS Read and DNS Write permissions. Lots of tutorials on the interweb.

Do NOT use any kind of individual username (such as Zone ID, account ID, email, etc.) - if you do, only your Global API Key works.

Also note this is for OPNsense 23.1 -- not sure if it already works for 22.1 legacy series.

15

Hardware and Performance / Re: Lenovo M920q NIC and RAM recommendation

« on: March 25, 2023, 12:44:57 pm »

Intel i350. Beware fake Intel cards on eBay though.

RAM - 8GB are plenty for Opnsense. More could be required only if you need a lot of additional services.  Have a look at your current RAM usage to check.

Incidentally, I'll be moving to an m720q 8500T or 9400T soon, too ;-)