Messages

Hi,

I tried enabling RSS and Suricata works. Better spread of CPU load and better performance. However, haproxy runs into issues. HAProxy can't connect to anything, not for health checks and not for live traffic. Based on earlier comment on so_reuseport, I changed my config to simple binds and enabled noreuseport for haproxy, but haproxy still fails to connect.

It gets very sporadic, ~10%, successes but that's rare enough for a health check not to clear. Since I have 8 RSS queues it is almost like haproxy only gets traffic from 1 queue which would amount to 12.5% success.

I have an X520 (ix) and that does not support RSS to my knowledge.  running this will confirm:

sysctl dev.ix | grep rss

No results means driver/nic is unsupported, mine returns nothing.

I've tried all combos of net.inet.rss.enable, noreuseport, with health checks, w/o health checks and success/failure depends completely on net.inet.rss.enable. The error reported from haproxy is "Layer4 timeout"

driver: ix
NIC: Intel D-1500 soc 10 gbe, (X552)
Opnsense: 22.1.7_1

I more than happy to help testing but would appreciate any suggestions in what direction to start.

Has anyone else run into issues with the mDNS Repeater plugin? Initially it worked fine for me, though now I see maybe 3-4 cast devices and the rest do not appear. Interestingly enough, the ones that do appear all chromecast videos, the rest of the devices that do not appear are google home and mini, as well as a google chromecast audio. I have tried several configurations on my managed switch for IGMP snooping, though Im not really sure what all of the settings mean. It seems odd that it worked with the default IGMP settings, and then stopped.

UDP broadcast Relay plugin

Broadcast Address: 224.0.0.251
Source Address: 1.1.1.1
Instance ID: 1
Relay Port: 5353

This is for Apple devices, you can google the correct settings for google but should be similar

Are you using the OPNsense backend? Services->Dynamic DNS->General Settings? I could not get the columns to update without switching the backend.

I am using backend, still no dice, I am going to uninstall and re-install and see if that fixes anything - RC2 here

Hi,

Actually, the passive mode is using pcap, not netmap. the disadvantage of it is that you lose blocking features. @GeoffW, I will get back to you on Monday about the passive mode issue.

Interesting I did not know that! Thank you for the clarification.

Following this thread, I have switched 2 domains and it seems to work. Need an IP change to test, but looks like it updated A records.

Also, why aren't you using Argo Tunnels ;) removes the need for dynamic DNS updates.

Edit: Current IP and Updated do not populate, looking into potential causes

I didn't see anything in the change log this morning but I'm assuming the RC does not currently have an in place upgrade yet? Im seeing the latest beta in the dev channel but no RC. Do I have to update to dev channel prior to going to the RC?

Had this as well, intel nics.  This has happened on these nics for over a year, I did reach out to support who did offer to remote in, which is hard to do when interfaces are all down ;) I uninstalled, but have you tried emulated mode? Ive heard emulated is pretty stable now...

I have not! I'll give it a shot when I get home next week. Can't do remote as last few installs have also just hard locked the system when adjusting anything touching netmap

Following for a fix, I keep having to uninstall as it barely hits gigabit (10gb network here). I see multi gig on the roadmap, maybe I'll circle back when it doesn't cut my speed so dramatically.

Yep that fixed that issue. Now it is blocking nothing per policy on intel ix based nic. And when placed in bypass mode, it drops all internet on opnsense until a restart of the firewall. uninstalling yet again and will wait for a less buggy release. Thank you!

WOW that was it, thank you, I don't remember that every being an option...is this enabled by default? Should it?? :) I didn't enable it. That did indeed fix the issue.

I see the actual source and destination then a couple other random IPs that aren't mine listed for that as well with the interface MAC (usually) as the MAC of the bad IP.

10.105.21.169 is listed as source for the MAC that's supposed to be 10.0.0.5, that's the same for ALL IPs on the network.  There is also this duplicated for a junk IP but the interface MAC is listed. Is this expected? I got an intel Nic for this and it appears to still be broken to some extent, at least.

removed

ZA will cut your speed down a lot, Ive tuned and tuned and ended up disabling ZA as I went from 10Gb to like 5, even in passive monitoring mode. Which seems odd as their target market seems to be SMBs that will have at least 10Gb...All testing I was doing with this was done using iPerf, I verify 10Gb through the firewall, enable ZA, test to verify speed is about half, then I did a bunch of performance tuning but nothing really helped.

It doesn't matter, both tie into netmap and as such both will perform similarly as long as you have decent hardware. For context I have 10Gb networking and with ZA enabled passive OR routed bandwidth is cut to ~5gb to about half. SO I don't think it matters and you could just leave it in routed mode.