Messages - Tubs

#91
Quote from: marjohn56 on August 12, 2018, 06:23:51 PM
Try putting a passive switch in between the WAN port and the Fritzbox, just as a test.

This is what I did first as my first suspect was the FritzBox. Similar issues are reported in the net with this device in combination with certain switches or NICs. But no change in combination with OPNsense standard settings I could see. As second test I replaced OPNsense box with an old home router. I did not recognize hanging or loss of connection. But this device did not have the chance for ping monitoring. But for me this was the sign to continue searching on OPNsense or on Q335G4 side.


When I now connect the passive switch in between the WAN port as you mentioned I do not see further improvements.


But meanwhile after some time I can confirm that the settings from my first post improved the situation. There still are packets lost. But the duration the issues occurs is shorter and I haven't observed a complete link disconnection so far.
#92
Hello,

With OPNsense 18.7 I still have the issues on WAN port with increased PING time till packets lost and drop of WAN connection. The issue is a known issue related to igb driver or Intel NIC. In my case it is an Intel NIC i211-AT on a Qotom Q335G4. I see the issue only on WAN port that is connected to the cable modem AVM Fritz!Box 6490. On LAN ports connected to a Cisco switch all is fine (I always can reach OPNsense Web interface via these LAN ports). My first suspect was the modem. But after this was getting exchanged the issue still is there.

The issue also is reported on pfsense forum and in this old post here
https://forum.opnsense.org/index.php?topic=5511.msg28687#msg28687

I tried out all recommended tuning parameters, but all without success. I believe I see an improvement but no solution.


/boot/loader.conf.local

kern.cam.boot_delay=10000
kern.ipc.nmbclusters=1000000
hw.igb.num_queues=1
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
hw.pci.enable_msix=0
hw.igb.enable_msix=0



in optimization parameters

dev.igb.0.eee_disabled=1
dev.igb.1.eee_disabled=1
dev.igb.2.eee_disabled=1
dev.igb.3.eee_disabled=1



Is there anybody working on this topic?
Is there already a solution that helps?


Thank you

#93
Password reset via installer solved my problem. SSH was not possible to use as it was switched off and console was not possible to use as password was set and not accepted.


Also HAproxy is running again. But I did not do any change and do not know why it was not running after update and now it is running again.
#94

LDAP connection also is used, but not for administration login. Here I always use root with local password. Order of servers is default.

Console I have. SSH I can enable over console. But as it is night in Europe this must wait till tomorrow.

Any hint that can help would be appreciated.
At least I have created a backup before update.
#95

I just updated to 18.7. But now I cannot login any more with root and my local password. It is getting rejected with "wrong password".  :(


Network connection to internet is working. Servers on VLAN connection via HAproxy I also cannot reach.



#96
Quote from: fabian on March 31, 2018, 10:26:28 PM
there will probably be a Nextcloud backup feature in the near future so you can just upload the config files automatically.

This is a good idea. I like Nextcloud.

But why not put simple FTP or SFTP on the list of to-dos before implementing all available cloud services in this world? I assume with only FTP you can already reach a big target group.
#97
Hello,

is it possible to bind services from OPNsense to IPv6 address of a routed subnet?
Specifically, I am interested in HAProxy.

So far my OPNsense up is working fine. I have IPv4 WAN via PPPoE and IPv6 via a GIF tunnel with routed /48 subnet. Routing and filtering of IPv6 to the different internal networks with /64 subnets out of routed /48 subnet is working fine.

I have set up HAProxy as reverse proxy for several web services running behind OPNsense. With IPv4 this is working fine. With the IPv6 endpoint address of the tunnel it also would work.

But is it also possible to bind HAproxy to one or more IPv6 addresses of the routed IPv6 subnet instead of GIF tunnel endpoint address?

This would allow me proper DNS entries incl. PTR matching to the several domain names used.

Thank you.
#98
The cheapest I could find with 6 NIC is the MINISYS IBOX-501 N13 with Celeron 3865u (Kaby Lake). But this slightly is higher in price.
#99
Hardware and Performance / Re: SOHO hardware MINISYS
March 21, 2018, 09:03:05 PM
Thank you.

Looks like there is no significant difference between i5 and i7, at least by benchmarks.

But still I do not understand why the newer Kaby Lake is more expensive if there is no advantage to the older generations.
#100
Quote from: bigops on March 21, 2018, 05:16:15 AM
IKEv2 in iOS does not have the selective split tunneling option (Send all traffic via vpn) and all traffic is by default routed via VPN

You are sure?

The routing of the outside traffic for me is not important, so I have not looked deeply on it. You are right that there is no option on iOS to set-up the routing. But when my VPN is enabled and I go to any "show my IP" page I get the IP from mobile network and not from IP of OPNsense. So the outside traffic is not routed via OPNsense. It goes directly from the phone to the internet.

But my original question was not regarding routing. It was regarding the DNS server to be able to resolve the local net behind the VPN. Here I still have no idea how to realise it.

#101
Quote from: ruggerio on March 19, 2018, 12:08:27 PM
i  would say works as designed, but could mismatch.

OK. But why do I have the possibility in IPsec settings of server to give DNS server to the clients when it is not used anyway? Looks like I need to read more. Maybe a gap I do not yet understand.

Quote from: ruggerio on March 19, 2018, 12:08:27 PM
you would have to route the complete traffic from your vpn through your Network.

If this is the solution it will be fine for me. In the first step I want to connect to local resources. The routing of the other traffic for me has no preference.
#102
Hardware and Performance / Re: QOTOM -- confused
March 18, 2018, 09:25:53 PM
Quote from: nivek1612 on February 17, 2018, 01:57:41 PM
I have two both the i5 and i7

I run a 500/250 FTTP service on the i7 and even when I'm giving the link some real heavy work the cpu has never gone over 5%
The i5 is used on a FTTC 80/20 service and rarely hit more than 3%

Can you estimate how a Celeron 3865u (Kaby Lake) or a Core i3 7100u (Kaby Lake) compares to the Core i5-5250U of Qotom is in regards of power consumption and power?

The MINISYS IBOX-501 N13 that is available with Kaby Lake i3 Kaby Lake Celeron and mentioned above looks interesting to me.

See also here:
https://forum.opnsense.org/index.php?topic=7637.0
#103
Hardware and Performance / SOHO hardware MINISYS
March 18, 2018, 09:16:36 PM
Hello,

currently my OPNsense is running under Hyper-V. But I am planning to move it to a dedicated hardware.

Qotom is the company some are recommending also for pfsense. Qotom Q355G4 has CPU from Broadwell generation. The MINISYS IBOX-501 N13 has Kaby Lake CPU generation.

I am not familiar nowadays anymore with this big variety of different CPU types for mobile, embedded, desktop and server. Is here anybody with experience of different CPUs in combination with OPNsense?

Is there any significant difference in power and power consumption between Core i5-5250U of Qotom Q355G4 and Celeron 3865u and Core i3 7100u of MINISYS IBOX-501 N13?

Thanks.

#104
Hello,

I finally could set-up road warrior VPN with IKEv2 to work with iPhone (iOS). On OPNsense "Mutual RSA" and on iPhone cert-based authentication was the only IKEv2 based combination I could get running. Firewall setting and access to OPNsense Unbound is set-up and seems to me correct by now. (IPSEC is in virtual network 192.168.200.0/24 and LAN is 192.168.100.0/24)

Everything so far works fine except of DNS for local network. In "mobile clients" of IPSEC settings in OPNsense the local DNS server 192.168.100.1 is set-up. By using a network tool on iPhone I can get DNS resolution for clients on LAN from DNS server of OPNsense on 192.168.100.1. But by using standard without giving explicit DNS name the iPhone is not contacting the local DNS for local domain.

Configuration issue or bug on OPNsense or on iPhone with iOS 11?

Thank you.