Messages - madj42

1
22.1 Legacy Series / Re: How to block access to OPNSense GUI
« on: July 06, 2022, 09:25:40 pm »
You're blocking all traffic on every port to those IP addresses.  You most likely want to block just 22, 80, and 443 for a destination port.

2
22.1 Legacy Series / Re: [CALL FOR TESTING] FreeBSD 13.1 / 22.7 operating system preview
« on: May 26, 2022, 01:26:55 pm »
Quote from: dpeter on May 26, 2022, 12:52:14 am
Thank you for the fixes in 22.1.8 as well as providing an onramp to beta test 13.1-RELEASE.

What does the upgrade cycle look like if we go to 22.7.b for when 22.7 proper is released?  Is that just an opnsense-update jump away to get on the 22.7 series proper once released?

Correct me if I'm wrong but it shouldn't matter as this is just the underlying FreeBSD OS and kernel.  Not the OPNsense extensions.  For the others that are confused, as Franco said previously, you're going to see an update if you check for updates.  If you want to prevent the downgrade to 13.0, you need to lock the base and kernel packages.  Worked great for me.

Thank you Franco and team.  No issues so far.  I was using the pre3 version as well and had zero issues.

3
22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1
« on: January 06, 2022, 04:50:24 am »
Adding the tunable fixed it here as well.  Thank you!

4
22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1
« on: January 04, 2022, 05:52:16 pm »
Was going to post something about this eventually since I noticed the same behavior including the error messages in the logs.  I guess I'll just say me too here.

5
22.7 Legacy Series / Re: Development versions: Alpha, Beta and Release Candidate explained
« on: December 24, 2021, 08:45:17 pm »
Someone correct me if I'm wrong but I think I remember reading that the development version will always offer something to update to.  One question I have though is, is there an easy way to see on GitHub what changes are being offered with the update?

6
21.7 Legacy Series / Re: Interfaces randomly go down/unroutable
« on: December 18, 2021, 01:33:27 am »
For what it's worth, I have only had the single instance of the issue I had and I'm still running suricata.  Not sure but I think mine was just a hiccup.

7
21.7 Legacy Series / Re: Interfaces randomly go down/unroutable
« on: December 01, 2021, 01:46:10 am »
I had this problem this morning.  I rebooted because I wasn't sure what was going on as it was just one of my networks on the router that had the issue.  I couldn't ping or reach anything on the network.  This network is on a BCE adapter.  I am running suricata on both networks.  I didn't think anything of it until now because I made some firewall rule changes last night and thought it was that.  I'll troubleshoot more next time.

8
22.1 Legacy Series / Re: OPNSense has a wrong packagesite, need to recreate database
« on: November 26, 2021, 03:57:21 pm »
See here:
https://forum.opnsense.org/index.php?topic=25535.0

Please note that the beta version will always be available for upgrade when
switching to the development version.  At this point no stable packages
are provided and this includes plugins.  These will become available as
the release candidate is released in early January 2022.

9
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: October 27, 2021, 01:51:41 pm »
Removed the question.  Sorry, lack of caffeine.  It's working great on 21.7.4.  Thank you for the work as always!

10
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: October 22, 2021, 04:48:14 am »
Just curious as it's been a while since this was initially posted for testing.  Will this eventually be rolled into an upcoming point release soon or an updated kernel with the latest changes in the repo?

Thank you so much for the effort and work you guys do!

11
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: October 04, 2021, 07:28:45 pm »
Same thing here with the kernel.  No matter what you type in, it will append -rss to the name.  Looking at the verbose output it's saying that it's trying to download from the sets folder but when I look on every mirror, these kernels are in the snapshots folder.  Not sure if they were removed?  Due to this I'm getting a no valid signature error.

12
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: September 18, 2021, 03:54:19 pm »
Does anyone know if there is a way to change the policy on the ip6 protocol from flow to cpu?  That is the difference I notice in some of the previous posts.  Thinking this may be why I'm not getting RSS on ip6.

13
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: September 11, 2021, 02:11:48 am »
Quote from: athurdent on September 10, 2021, 04:31:38 pm
ix also seems to have support for RSS, passed through my other 10G card to OPNsense.

Code:
ix0: <Intel(R) X520 82599ES (SFI/SFP+)> port 0xf020-0xf03f mem 0xfd600000-0xfd67ffff,0xfd680000-0xfd683fff irq 10 at device 17.0 on pci0
ix0: Using 2048 TX descriptors and 2048 RX descriptors
ix0: Using 4 RX queues 4 TX queues
ix0: Using MSI-X interrupts with 5 vectors
ix0: allocated for 4 queues
ix0: allocated for 4 rx queues
ix0: Ethernet address: ***
ix0: PCI Express Bus: Speed 5.0GT/s Width x8
ix0: Error 2 setting up SR-IOV
ix0: netmap queues/slots: TX 4/2048, RX 4/2048

root@OPNsense:~ # sysctl -a | grep rss
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3 4:0 5:1 6:2 7:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 8
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 4
net.inet.rss.maxbits: 7
net.inet.rss.mask: 7
net.inet.rss.bits: 3
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1

root@OPNsense:~ # netstat -Q
Configuration:
Setting                        Current        Limit
Thread count                         4            4
Default queue limit                256        10240
Dispatch policy                 direct          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   1000    cpu   hybrid   C--
igmp       2    256 source  default   ---
rtsock     3    256 source  default   ---
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6    256   flow  default   ---
ip_direct     9    256    cpu   hybrid   C--
ip6_direct    10    256    cpu   hybrid   C--

Workstreams:
WSID CPU   Name     Len WMark   Disp'd  HDisp'd   QDrops   Queued  Handled
   0   0   ip         0     4        0      664        0     6779     7443
   0   0   igmp       0     0        0        0        0        0        0
   0   0   rtsock     0     0        0        0        0        0        0
   0   0   arp        0     0      415        0        0        0      415
   0   0   ether      0     0     2429        0        0        0     2429
   0   0   ip6        0     1       39        0        0        6       45
   0   0   ip_direct     0     0        0        0        0        0        0
   0   0   ip6_direct     0     0        0        0        0        0        0
   1   1   ip         0     6        0      688        0     6492     7180
   1   1   igmp       0     0        0        0        0        0        0
   1   1   rtsock     0     7        0        0        0      338      338
   1   1   arp        0     0      188        0        0        0      188
   1   1   ether      0     0     1955        0        0        0     1955
   1   1   ip6        0     2      114        0        0       31      145
   1   1   ip_direct     0     0        0        0        0        0        0
   1   1   ip6_direct     0     0        0        0        0        0        0
   2   2   ip         0     5        0     1341        0     2715     4056
   2   2   igmp       0     0        0        0        0        0        0
   2   2   rtsock     0     0        0        0        0        0        0
   2   2   arp        0     0       73        0        0        0       73
   2   2   ether      0     0     4118        0        0        0     4118
   2   2   ip6        0     0      782        0        0        0      782
   2   2   ip_direct     0     0        0        0        0        0        0
   2   2   ip6_direct     0     0        0        0        0        0        0
   3   3   ip         0    16        0      353        0     4932     5285
   3   3   igmp       0     0        0        0        0        0        0
   3   3   rtsock     0     0        0        0        0        0        0
   3   3   arp        0     0        0        0        0        0        0
   3   3   ether      0     0      568        0        0        0      568
   3   3   ip6        0     1       26        0        0        1       27
   3   3   ip_direct     0     0        0        0        0        0        0
   3   3   ip6_direct     0     0        0        0        0        0        0

I also have an ix based card and it seems you're also having the same issue I'm having in regards to ip6 not having RSS enabled.  Not sure why this would be but it was enabled for me with the previous kernel version.

14
22.1 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
« on: September 08, 2021, 02:02:06 pm »
One thing I noticed between the two kernels is that ip6 went from hybrid to direct.  Not sure why ip6 wouldn't have RSS enabled.  Do we need to have a tunable set for this as well?

15
21.7 Legacy Series / Re: OPNsense 21.7.2-amd64: firewall rules order garbled
« on: September 08, 2021, 01:46:33 pm »
Even though I already think I know the answer to this, I feel I need to ask.  I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?
