Messages - meyergru

121
General Discussion / Re: Changing GeoIP / try to apply ends with an error
« on: November 08, 2024, 10:20:41 pm »
And the remedy is probably also the same as has been pointed to before. Read the documentation thoroughly and you will get at least two hints on how to fix this problem.

122
23.7 Legacy Series / Re: kern.maxfiles limit exceeded by uid 0, please see tuning(7)
« on: November 08, 2024, 07:32:28 pm »
kern.maxfiles is currently 514279 (sysctl kern.maxfiles). If that limit is exceeded, there must be a file descriptor leak in some optional package. On my system, the number of open files is only at ~500 (sysctl kern.openfiles).

I do not use Zenarmor or things like that.

So you should look into what causes this. OpnSense itself seems not to be the culprit.

123
24.7 Production Series / Re: IPv6, DHCP and Prefix Delegation (Need help to troubleshoot)
« on: November 08, 2024, 06:46:46 pm »
How did you get the packet capture? From OpnSense itself or did you connect anything else to the WAN?

The XID mismatch says that there was a different XID for the DHCP SOLICIT than for the REPLY. If you have another device (like your PC with Wireshark) on the interface, it might itself request a DHCP address and then things get tough...

See: https://docs.netgate.com/pfsense/en/latest/troubleshooting/dhcpv6-xid-mismatch.html


You obviously get an IA-PD prefix of correct size, so you should be well apart from that last error.

124
24.7 Production Series / Re: IPv6, DHCP and Prefix Delegation (Need help to troubleshoot)
« on: November 08, 2024, 02:51:22 pm »
You should first look at your WAN interface to see if it gets 0, 1 or 2 IPv6 addresses.

If your ISP conforms to standard, it should be two:

1. One IPv6 GUA with a /128 netmask for your WAN interface (IA-NA).
2. One IPv6 GUA prefix with a /56 netmask (IA-PD) to be able to delegate to your LAN(s) with an 8-bit prefix ID in order to have /64 for SLAAC on your LAN(s)

If you have none or only one, it depends. None often means that your ISP is only capable of doing #2 from above. You should indicate that by checking the "request IPv6 prefix only", maybe then your ISP will give you an IA-PD prefix at least.

With an assigned /56 prefix (IA-PD), you should be able to track your LAN interface(s) like you described. You should then set your LAN interface to use router advertisements (SLAAC).

Your WAN can be used either if it already has a /128 GUA (IA-NA) or you can use one of the available prefix IDs to assign an IPv6 from your IA-PD range.

125
24.7 Production Series / Re: CPU temp increase since 24.7.8
« on: November 07, 2024, 12:41:24 pm »
A jump of 20°C can most likely be attributed to a higher load by some process. More often than not, such load is caused by a defective RRD database after a reboot - especially if you do not use ZFS as underlying filesystem.

Try checking your process list via 'top' and if there is a CPU-hogging process, you can try to reset the RRD and Netflow databases under Reporting: Settings.

P.S.: I do not see any jump.

126
German - Deutsch / Re: Setting up SSL for internal services
« on: November 06, 2024, 10:56:39 am »
Caddy is actually the simpler option. There is a tutorial for it that works. You do not even need to use the ACME client for this; the plugin can perform a DNS-01 challenge directly with various services.

127
24.7 Production Series / Re: HAProxy no SNI
« on: November 05, 2024, 07:50:59 pm »
Did you use ssl_fc_sni, instead of req.ssl_sni? The latter only works with TLS, not with TCP.

128
24.7 Production Series / Re: Last try - 24.7.7 keeps crashing due to IPv6
« on: November 03, 2024, 06:42:17 pm »
You are mixing up DHCPv6 as a client (i.e. OpnSense vs. DG) and DHCPv6 as a server (OpnSense vs. your LAN clients). You do not need the latter.

You set "DHCPv6" as IPv6 configuration type on the WAN interface, then "Track WAN Interface" on your LAN interface.

Then, you set RA: Assisted or Unmanaged in Services : Router Advertisements and disable the DHCPv6 server (under "Services") for your LAN accordingly.

There are no RA settings for your WAN interface, because you use DHCPv6 for that. Set "Use Prefix only" and "Optional Prefix ID" with an ID that is different from your LAN Prefix ID.


BTW: Just follow my instructions here.

129
24.7 Production Series / Re: Last try - 24.7.7 keeps crashing due to IPv6
« on: November 03, 2024, 02:23:28 pm »
Why don't you try with RA: "unmanaged" or "assisted" at most and radvd only? Many client devices do not support DHCPv6 anyways. I also use "request prefix only" and the new "Optional prefix ID" feature to give the WAN interface an IPv6 address out of the GUA prefix range.

I have three instances running like that with DG and no problems.

130
General Discussion / Re: New-cwwk-connected to wifi for management
« on: November 03, 2024, 10:08:32 am »
Are you sure you want that?

First off, what you claim to be aiming at in your text does not match your drawing.

If your drawing is what you are aiming for:

It is wise to have the OpnSense as the (only) central router and not have a primary router in front of it, creating a router-behind-router scenario. However, you create new types of problems if you re-use your existing router as a secondary router/AP/switch behind OpnSense, UNLESS that device can be switched to a non-router, pure bridged mode. Otherwise, I would always use separate (manageable) switches and (pure) APs.

131
24.7 Production Series / Re: [AUSTRALIA]Opnsense on N100 - Optus NBN
« on: November 03, 2024, 09:59:39 am »
These look unspecific. These N100 devices are known to be picky with memory, which is hard to diagnose. Many people had success with exchanging the DDR5 sticks for another brand.

132
General Discussion / Re: No network interfaces are assigned
« on: November 02, 2024, 11:28:18 pm »
It is not too modern, it is Realtek, they are known to be flaky on FreeBSD and thus, OpnSense. I already told you.

The cheapness probably stems from the fact that sub-par hardware is being used. Also: cheaper than what? You did not tell yet what brand and model this is.

133
General Discussion / Re: Help with setting up an access point (Netgear router in AP mode)
« on: November 02, 2024, 10:47:46 pm »
You have to set the device up as a pure wireless access point, not as a router.

When configured as a router, the device will get an IP from OpnSense and be able to access the internet via that, so updates will be fine. However, your WiFi devices behind that router will not work.

In WiFi AP mode, the device will act as a bridge. Have a look at the documentation, there is a section that handles AP mode.

134
General Discussion / Re: Opnsense - Tagged-Trunk port only?
« on: November 02, 2024, 09:10:21 am »
Although some NICs may have problems with a tagged/untagged mixture, I have resorted to the same setup with MGMT on untagged and all other VLANs tagged as well.

I tried to use MGMT tagged, but I found that Unifi equipment has problems doing that: once the devices are adopted, you can change their management VLAN, but you must adopt new devices untagged first. That was too much of a hassle to me.

I have seen no problems with tagged/untagged mix on I225 and I226 NICs.

135
General Discussion / Re: Where is the log in prompt!
« on: October 31, 2024, 10:34:47 pm »
Quote from: Winterlight on October 31, 2024, 08:39:33 pm
As it stands, I bet there are no usable ethernet NICs, see this, points 5 and 6.

There are two Gigabit NICS on this new mini pc. Which is why I bought it

Note the "usable" adjective - I chose my words only after giving it some thought. What I meant was: "usable under FreeBSD / OpnSense", as noted in the "READ ME FIRST" article.

So what type of mini-PC do you use, exactly? Maybe the manufacturer gives some details on what NICs are built in.

But I suppose that plugging in some cables did the trick.
