General Discussion / Filter ipv6 blocked logs?
« on: August 27, 2020, 06:09:59 pm »
I block IPV6, is there a way to filter out the "block all ipv6" log spam in the firewall logs? I can't seem to figure out how to get rid of it.
Is anyone having issues losing DNS? I have Unbound running and I can no longer resolve. I feel like this started when I upgraded to 20.7.1.
I am going to fall back to 20.7 and see if DNS resolution stays steady.
@FullyBorked,
Not "max firewall states", which is 806000, but "max pfTables entries"...
Goldorak92
Hi,
Mine is set to 802000 by default.
Have you gone to firewall->params and changed the max entries pfTables up to 400.000 (default is 200.000)?
Goldorak92
Force it and then try.
Yea I've done this, I deleted everything and re-added them as mentioned in a few places. I even created a test alias with a name I'd never used with only one country. It simply refuses to work. I can't seem to find any logs to understand why though.
https://forum.opnsense.org/index.php?topic=15409.60 Msg #62
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
Is it the GUI not displaying the GeoIP table or that GeoIP is not working.
Test the GUI by going to Firewall > Diagnostics > pftables and selecting the GeoIP rules to see what's there.
Test it's working by going to a site such as https://www.host-tracker.com/v3/en/check - there are many others.
This isn't comprehensive by any means, but outlines what I am experiencing. I've not found any workarounds for these issues. I consider 1 and 2 more serious than the others. I'll try and keep this up to date as issues are resolved or more are encountered.
1. WAN throughput is very slow; IPS on or off doesn't matter, I'm only getting about 15% of my actual WAN bandwidth. A reboot fixes the issue temporarily but at some point it will drop back to being slow.
Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow. Very confused, maybe it was stuck in a low power mode? No idea but my speed is fine now, maybe try cycling your power settings.
2. GEO IP Alias simply doesn't work, the zip file is being downloaded from maxmind.com but the alias won't populate, so any rules containing the alias fail to correctly function.
3. Dashboard traffic graphs don't show data with IPS enabled. I'm on an Intel NIC, some have suggested it's driver related. Worked ok in 20.1.9 though maybe there is a bug in the latest driver? No workaround has resolved the issue as of yet.
4. Syslog-NG service doesn't start on its own after reboot. Starting it manually does seem to work, but is inconvenient after reboot. This appears to be fixed with 20.7.1.
4. Restarting suricata service sometimes stops the ntpd service for some reason. It can be manually started.
5. Bogons alias is inexplicably empty at times. Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list.
6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log. Not sure if this is cause of issue #1 or not.
kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled
I have observed many of the same issues. #3,4,5,6 are the ones that seem to also affect my installation.
No observed issue with bandwidth slowdowns (#1), even with IPS and traffic shaping turned on. Power Saving settings have "Use PowerD" enabled and Hiadaptive set for all drop downs.
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
@FullyBorked: I'm having the issues #3 and #4 (both) too.
I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users having the same or other issues (https://github.com/opnsense/core/issues/4263)
"amongst others" references the full change log below. It's intentionally ambiguous in the sense that the actual changes are listed below. If you don't see your issue there it's probably just that.
The second paragraph is more loose in terms of content from release to release. It is meant to hint at past and future events. In this case it unambiguously states that Sensei and IPS issues are not yet resolved in the release.
I'm not sure how to make this any clearer other than: don't panic and use 20.1 if you must.
Cheers,
Franco
@mb
Is 20.7.1 fixing the netmap issues addressed in the test kernel or would it set me back to the state before?
No, read the changelog. That does not fix the netmap issues.
Small update here with security advisories, multicast fixes and logging reliability patches amongst others.
So it's back to normal or not? I'm not upgrading until it is fixed. I may wait for a point release before I upgrade. 20.7 seems to be full of bugs.
Hello All,
Test the energy management setting once on Hiadaptive! All others reduce the transfer rates to about 50%.
Greetings from Germany