Messages - opnfwb

136
Hardware and Performance / Re: Vmware Path through Network Cards Hardware CRC TSO LRO Question
« on: July 01, 2021, 03:25:22 pm »
TSO and LRO are actually not recommended for a router. They can interfere with the packet forwarding work that OPNsense is already trying to do.

Checksum offload may have a small benefit. I've personally never been able to measure the difference. By default, OPNsense has all of these disabled on a fresh install.

137
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 08:20:18 pm »
At this point you'll need to check the logs and see if there are more details.

To enable ipv6 debug logging: Interfaces/Settings/IPv6DHCP and change the log level drop down menu to 'debug'

138
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 03:25:53 pm »
That last screenshot actually doesn't show a prefix being delegated to the LAN interface. That interface is only showing a link-local address space.

At this point I would enable ipv6 debug logging and see if that gives any clues. However, I think the main source is the use of the Rogers supplied router.

To enable ipv6 debug logging: Interfaces/Settings/IPv6DHCP and change the log level drop down menu to 'debug'

You could also try some of the settings listed here, use the pfSense recommended settings. It appears that quite a few Rogers customers had issues with IPv6 stability. https://communityforums.rogers.com/t5/Internet/Rogers-IPv6-Status/m-p/373238/highlight/true#M36710

139
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 04:48:50 am »
Within the UI, if you screenshot the output of Interfaces/Overview/LAN, does the LAN interface also show an ipv6 address?

140
21.1 Legacy Series / Re: High CPU usage with flowd_aggregate.py ... IPv6 is disabled ... any ideas?
« on: June 29, 2021, 04:46:54 am »
Hmm, the way I'm reading the output, I think python3 is the parent process. Unfortunately that doesn't tell us exactly which UI setting actually causes it to launch. But the path for the .py script gives a lot of hints.

Perhaps a 'ps -aux | grep python3' would show more? The process with the highest CPU time would be the culprit in that output.

141
21.1 Legacy Series / Re: High CPU usage with flowd_aggregate.py ... IPv6 is disabled ... any ideas?
« on: June 29, 2021, 04:18:18 am »
A few things that would be worth mentioning.

1) If PowerD is not enabled, that doesn't necessarily mean your CPU is clocking to the highest speed. BSD has some pretty odd hardware support so I would actually recommend enabling PowerD and see if this allows the processor to turbo boost during high load, single thread scenarios like what we have here. The HiAdaptive profile is very good at these use cases.

2) The FlowD script that uses CPU on my OPNsense install is not due to RRD graphing, but the Netflow collection used for the 'Insight' page under the Reporting section of the OPNsense UI. I've seen where sometimes I have disabled the services (deselect all interfaces, uncheck local logging) and just hitting "apply" doesn't always completely disable it. I've had to reboot to fully get it stopped after I've de-selected all the interfaces on the Netflow config page. So if you haven't already, I would do a reboot after you've done this just to ensure it's fully off.

3) If you want to identify what is launching the process, a quick and dirty way to check is to watch the output of 'top -aSCHIP' in an SSH session. This will show you the full path that is launching the process, and will sort the highest CPU consuming processes on the top. Watch and wait for the flowd process to climb up the list and take a screenshot. It will look something like the screenshot I've posted here (which is a temporary CPU blip that I commonly see with FlowD in my environment, a small spike to 99% and then it drops back down after a few seconds).

142
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 02:57:43 am »
Hmm, it seems odd that there is a /128 and a /64 assigned to WAN.

Can you post a screenshot of the Interfaces/WAN configuration page? Specifically the Generic Configuration section and the DHCPv6 Client Config section on that page.

143
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 02:26:40 am »
Quote from: RobLatour on June 29, 2021, 01:44:45 am
Also, as noted above, https://test-ipv6.com/ only works for ipv6 when the opnsense box is taken out of the equation.

Quote from: RobLatour on June 29, 2021, 12:22:16 am
The upstream box, is my ISP's router.  It connects directly to the opnsense box.

As mentioned above, the only reference to an ipv6 on the ISP router's windows is the one that says that is working in dual mode (i.e. supporting both ipv4 and ipv6).

I have now reconnected my computer to the opnsense box.  So ISP router > opnsense box > my computer.

Having done that, as requested I went to http://www.ipv6now.com.au/pingme.php and pinged google.com, here are the results:

The response for 'google.com' using IPv4 is:
PING google.com (172.217.5.110) 56(84) bytes of data.
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=1 ttl=121 time=1.34 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=2 ttl=121 time=1.41 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=3 ttl=121 time=1.44 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=4 ttl=121 time=1.40 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=5 ttl=121 time=1.50 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.342/1.422/1.503/0.062 ms

The response for 'google.com' using IPv6 is:
PING google.com(sfo03s18-in-x0e.1e100.net) 56 data bytes
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=1 ttl=121 time=1.49 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=2 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=3 ttl=121 time=1.58 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=4 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=5 ttl=121 time=1.53 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.495/1.523/1.587/0.060 ms



I'm confused by these two? I thought you said you plugged OPNsense back in and the PC behind OPNsense was able to ping both IPv4 and IPv6 addresses?

Can you login to OPNsense and navigate to Interfaces/Overview on the left hand side of the screen. Then expand the WAN and LAN interfaces. Do you see an IPv6 address listed on those interfaces?

144
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 01:07:58 am »
So right now it seems to be working so I would suggest just waiting and see if the service stays online.

However, if it goes back offline after some time, what I have seen in the past is that some configurations need to use an external IP to ping and keep the gateway status 'online'. If you find that this goes offline after some time, you can click the edit button on the DHCP6 gateway and specify a different ipv6 address as shown in the screenshot. I've found that this helps stabilize the status of the dhcp6 service and it's an easily reversible change if it doesn't end up working for your environment.

145
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 29, 2021, 12:31:45 am »
That's a good sign, it looks like an ipv6 prefix is still being delegated to OPNsense, and that is being handed out to clients on the LAN side.

If you're still seeing a red status for the DHCPv6 server, it's likely due to the gateway monitoring not being able to ping the upstream router that is assigning the prefix. Can you try setting a different ipv6 gateway monitor IP as shown in the screenshot and check if the dhcpv6 service will stay started?

146
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 28, 2021, 11:56:31 pm »
Ah, so there's another router upstream from OPNsense? Within the OPNsense UI, if you go to Interfaces/Overview, do you see IPv6 addresses present on the WAN and LAN interfaces?

If you do see IPv6 addresses listed, you can go to Interfaces/Diagnostics/Ping and try to run an ipv6 ping to an external source (youtube.com or some other ipv6 enabled domain). Verify that OPNsense can actually ping out on ipv6. If not, then it probably isn't getting an IPv6 address from that upstream router.

147
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 28, 2021, 11:29:00 pm »
If you try to start the service, does it stay running? Is IPv6 currently working on the network?

My network uses a delegated prefix from the ISP and I use a separate monitoring IP for the dhcpv6 "status" due to some weirdness with dhcp6c in BSD.

148
21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update
« on: June 28, 2021, 11:05:54 pm »
Are you using a delegated prefix received from the ISP, or are you running a static DHCPv6 address range for the LAN clients?

149
21.1 Legacy Series / Re: Router is broken somewhat after 21.1.7_1 update: No ssh as user and update loop
« on: June 28, 2021, 11:02:47 pm »
I can't speak to the exact cause of the errors but I wanted to see if it was possible to run a health check audit from the firmware page?

150
21.1 Legacy Series / Re: Unbound DNS Locking Up
« on: June 25, 2021, 04:08:36 pm »
Quote from: Demus4202 on June 25, 2021, 12:39:38 am
As best as I can tell unbound is stopping. There is little if anything in the log to indicate such, but the symptoms are pointing to it (lookups fail, but can still ping ip addresses) and restarting the service and/or opnsense fixes it.
When you login to OPNsense, does Unbound have a red icon here instead of a green one (see attached screenshot)? Red would indicate the service stopped and/or crashed. If it's still green and DNS is not working, that indicates either a config issue or an issue somewhere else on the network (route issue, provider issue, etc.)

Quote from: chrisg11 on June 25, 2021, 02:17:20 am
I'm getting `status: REFUSED` DNS responses at times from Unbound according to dig lookups, with dig complaining about recursion not being available. Restarting Unbound "fixed" it at the moment but don't have confidence this will stay that way.

Code:
% dig example.com

; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55088
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 67 msec
;; SERVER: 2601:18d:xxxx:xxxx:xxx:xxxx:xxxx:xxxx#53(2601:18d:xxxx:xxxx:xxx:xxxx:xxxx:xxxx)
;; WHEN: Thu Jun 24 20:10:03 EDT 2021
;; MSG SIZE  rcvd: 12

To be clear, not using DoT or an external resolver, I'm letting Unbound perform recursion itself. Also don't see anything obvious in the logs.
This seems to be a different issue, potentially related to this maybe? https://github.com/NLnetLabs/unbound/issues/360

Also the IP listed in the dig command is IPv6. Is your network fully dual stack or would it have an issue resolving a DNS request to an IPv6 destination?
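
An added example (not part of the original posts and not OPNsense or Unbound code): a small shell filter that reads dig output and reports the response status together with whether the `ra` (recursion available) flag was set, which is the combination behind the `REFUSED` / "recursion requested but not available" symptom quoted above. The function name `classify_dig`, the verdict labels and both sample responses are assumptions constructed for illustration; the first sample reuses the header lines quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: header lines as quoted in the thread (REFUSED, no "ra").
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55088
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available'

# Constructed sample: what a healthy recursive answer header looks like.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dig (hypothetical helper): reads dig output on stdin and prints
#   "<status> ra=<yes|no|unknown> verdict=<label>"
# Live use: dig example.com @<resolver-ip> | classify_dig
classify_dig() {
    awk '
        BEGIN { status = ""; ra = "unknown" }
        /->>HEADER<<-/ {
            # The status is the field that follows "status:", minus the comma.
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # Keep only the flag names between "flags:" and the first ";".
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            ra = "no"
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = "yes"
        }
        END {
            if (status == "") { print "unknown ra=unknown verdict=no-header"; exit }
            if (status == "NOERROR" || status == "NXDOMAIN") verdict = "ok"
            else if (status == "REFUSED" && ra == "no") verdict = "refused-no-recursion"
            else if (status == "REFUSED") verdict = "refused"
            else verdict = "failed"
            print status " ra=" ra " verdict=" verdict
        }'
}

printf '%s\n' "$SAMPLE_REFUSED" | classify_dig
printf '%s\n' "$SAMPLE_OK" | classify_dig
```

Run on a schedule against the resolver address clients actually use, the one-line output makes it easy to see whether intermittent lookup failures line up with `REFUSED` responses or with the service being down altogether.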
