Messages

If both devices are on the same vlan then they should be able to communicate at layer 2 with no firewall in the path. Check your switch configs.

For trouble-free operation, all the hosts on the LAN should have the same MTU and all the connected switch ports should have an equal or larger MTU.

When I navigate to System > Configuration > History I can see a long history of config changes. I know I can select them 1 by 1 and download them, but is there a way to grab all of them off the filesystem? Are they stored individually?

What is the recommended way to disable ISC then when I'm ready to enable KEA? If I disable ISC on every interface and stop the service will it remain stopped?

The documentation says

If you want to tryout KEA in OPNsense, just disable the legacy dhcp server on the specific interface and go to the KEA DHCP menu available under Services ‣ Kea DHCP.

This is incorrect in my experience, as I disabled ISC DHCP server on a single interface and then enabled KEA DHCP server on the same interface. Clients failed to get a lease and the KEA log shows this:

Code Select Expand

2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg0_vlan152, reason: failed to bind fallback socket to address 10.15.2.1, port 67, reason: Address already in use - is another DHCP server running?

This is confirmed in the shell:

Code Select Expand

# sockstat -l4 | grep 67
dhcpd    dhcpd      42491 23  udp4   *:67                  *:*

Is there a way to force ISC DHCP server to bind only to interfaces where it is enabled so that KEA can be bound to others?

I have 4 OPNsense firewalls with tailscale installed from mimugmail's repository. 3 of them work as expected, where the tailscaled service starts after boot. The 4th does not, and I have to get remote hands to start it for me.

The main difference I'm aware of between this one and the other three is that the other three had tailscale built from ports before I switched them to mimugmail's repo.

I have run service tailscaled enable and I can see tailscaled_enable="YES" in /etc/rc.conf. I'm not sure what else to check. What else should I be looking for to see why the service doesn't start at boot?

I'm trying to find out what CPU architecture the Sonicwall Supermassive 9800 has, and more specifically, whether one might have any hope of installing OPNsense on it, but this information is elusive, and as far as I can tell nobody has talked publicly about trying it.

It appears the rest of the 9000 series uses a Marvel Octeon chip, but not the 9800. Anybody know what's in this behemoth?

(Octeon in the 9600) https://www.itpro.com/server/20258/dell-sonicwall-supermassive-9600-review

(64 cores in the 9800) https://www.sonicwall.com/medialibrary/en/datasheet/datasheet-sonicwall-supermassive-series.pdf

(Up to 32 cores in Octeon) https://www.marvell.com/products/data-processing-units.html

(9800 is different from 9000 series) https://www.reddit.com/r/sonicwall/comments/oa732o/supermassive_9800/

I have the adapter, so it's ready for a PCIe card. I've been doing some reading on the i225 and i226 cards from Intel. It seems people are having mixed results with these, so I'm loathe to drop money on them.

Intel's X550 adapters are 10/5/2.5/1 GBE capable, but pretty pricey. There doesn't seem to be much for affordable used hardware on ebay either.

Any other brands worth looking at? I'm guessing the 10/5/2.5/1 models are going to be expensive as they're still current tech, but if there are any 2.5 GBE adapters that are known to work well then I'd like to hear any recommendations.

When you use a domain name for an alias, OPNsense will do a DNS lookup on that name and then store the resolved IP address(es) for that alias. Some sites have many IP addresses, and not all of these will be returned on a DNS lookup. So when a local host tries to access the domain in question, it will do a DNS lookup and may get an address back that doesn't match the address in the firewall's alias, and so access to that site is not blocked.

If you need to block a domain with OPNsense, you can do multiple DNS lookups and add all of the returned IP addresses to your alias. Another option would be to have your DNS service return 127.0.0.1 for that domain. You may have other options through upper-layer filters such as suricata or some plugin.

I've just ordered an internet upgrade. The new cable modem includes a 2.5 GBE LAN port, so my trusty OPNsense firewall is going to need an expansion card to connect. What is the consensus on good hardware? I know some users have reported problems with certain Intel chipsets, and I'm not interested in cheap hardware a la Realtek, TP Link or whatever.

Here are my priorities:

• Compatibility (currently using a Cisco ASA 5525-X with a PCIe slot)
• Stability
• Performance
• Efficiency
• Upgradability (10 GBE compatibility?)
• Price

What do people recommend? Alternatively, am I better off just ditching the ASA for something with 2.5 GBE on board? I don't want to spend a bundle, but I know the ASA isn't super power efficient. I do like having lots of physical ports though.

Run

Code Select Expand

top -PSH to show detailed CPU usage during your tests.

I was getting "no such file or directory" errors when trying to run updates with RSS enabled. If you have RSS enabled you might try again after disabling it and rebooting.

Did you complete the installation and reboot from your permanent media? I wouldn't worry too much about configuration challenges while running from the installer media.

I was seeing many strange symptoms, like sometimes I got that error and sometimes not. I tried using 'cp', 'cat', 'dd' and 'echo' to populate that file from another system but got an error every time. Something like "file does not exist" or similar.

It also required a lot of trial and error just to get OPNsense to resolve names properly. If I tried to ping an internet host by name it would just time out with a DNS error, even though on a packet dump I could see DNS requests going out and responses coming back. I eventually got it to work by disabling Unbound and telling OPNsense to not use the internal resolver. It's strange that just changing that one tunable fixed these problems.

Bingo. I changed `net.inet.rss.enabled` from `1` to `0` and rebooted. OPNsense updates fine now.

I just did a fresh install with a config import and it still won't update. Apparently there's something wrong with my config, but I'm scratching my head. I've managed dozens of OPNsense installs and never seen this problem. The only thing I can think that I've done unique on this system is to enable RSS, so maybe that's a problem. I'll have to try disabling it.