Messages - SpinningRust

16
23.1 Legacy Series / Re: [CALL FOR TESTING] Netmap generic mode queue stall fixes
« on: February 09, 2023, 03:38:33 pm »
I did post this before, but I wasn't posting all the errors.

I will have to wait until the weekend to do more testing/logging as it's very disruptive to others in the house. Will post back more soon. There were other log entries. I clear out dmesg frequently to help track the changes. I also have the Intel I225-V adapters that may be more unstable. Eventually connectivity does come back without my restarting anything, but it's what I would call very similar to a flapping interface type issue.

17
23.1 Legacy Series / Re: [CALL FOR TESTING] Netmap generic mode queue stall fixes
« on: February 09, 2023, 01:20:49 pm »
Quote from: franco on February 09, 2023, 09:26:16 am
Does anyone see queue stalls with the kernel published here? No ping going through at all?

Yes, I believe so, but I'm very new to this and may be experiencing a different issue. However, dmesg fills up with errors. My comment previously was that the best way to cause the errors is a large upload/download or something bandwidth intensive. It was not in regards to performance.

Also, I can replicate issues, to a lesser degree, in some testing with the IPS feature, which I believe also uses netmap...but I'm not sure if it's using the emulated netmap driver. I have extensively tested the emulated driver for Zenarmor. While it works longer than the native netmap driver, it will fail causing wifi connectivity or other lan activity to experience complete drops for periods of time before eventually recovering.

So, for now, I'm using both IDS and Zenarmor in passive mode with no issues at all since netmap isn't used.

18
23.1 Legacy Series / Re: [CALL FOR TESTING] Netmap generic mode queue stall fixes
« on: February 09, 2023, 05:22:25 am »
I have it set on the interface to my LAN/wired network (igc0) and my access point (igc2). I had originally set up vlans for each of these with the intention to eventually logically separate in a downlink switch for IoT, etc. with additional vlans. Or for multiple SSIDs to the wireless, but I haven't done that yet since I don't have managed switches yet or an AP that supports vlan trunks. So, the vlans are pointless right now and were only associated with the parent interfaces but have never been assigned as an interface for firewall policies, etc.

I've deleted the vlans, but they do still show up in Zenarmor as an assignable interface, though I've never used them. Not sure how to clear them out of Zenarmor since they no longer exist.

19
23.1 Legacy Series / Re: [CALL FOR TESTING] Netmap generic mode queue stall fixes
« on: February 08, 2023, 09:21:22 pm »
After giving it a few more days of testing, like many others I'm still having issues with netmap, especially when significant bandwidth intensive traffic is taking place. I've resorted to placing Zenarmor into passive mode so that it's using just pcap and not having issues with that. I try to monitor the reports regularly and look for threats to possibly block in the firewall rules besides the other measures already in place (DNSBLs, Geo-IP, URL table subscriptions, CrowdSec, etc).

Here's hoping netmap fixes come soon...

20
23.1 Legacy Series / Re: [CALL FOR TESTING] Netmap generic mode queue stall fixes
« on: February 06, 2023, 02:23:15 am »
I still get errors, but this patch is enabling ZA to actually work in L3 routed mode. The following combination seems to work best for me using Intel I225-V 2.5G interfaces (Protectli VP2420):
- Disable flow control in tunables (dev.igc.0.fc, dev.igc.1.fc, dev.igc.2.fc, dev.igc.3.fc all set to 0)
- Install this 23.1-netmap kernel
- Set ZA to run in L3 Reporting and Blocking with emulated driver.

Any one of the above settings changed, and I have flapping interfaces and issues. Especially with wireless. Wired and wireless connect to different interfaces on the firewall with different subnets and firewall rules.

Most of the errors occur on the wireless interface (igc2)
424.125647 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
438.207994 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
452.313472 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
484.519552 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
498.622187 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
514.752345 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
544.042637 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
558.191049 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
572.323451 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
599.501288 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
614.628354 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
632.829857 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
763.054897 [ 320] generic_netmap_register   Emulated adapter for igc2 activated

With an occasional error on the wired interface:
325.237102 [ 320] generic_netmap_register   Emulated adapter for igc0 activated
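
An added example, not part of the original post and not OPNsense or Zenarmor code: a small parser that counts the "Emulated adapter ... activated" messages quoted above per interface and flags an interface that is re-registered repeatedly within a short span. The 60-second window and the threshold of 3 are assumptions chosen for illustration.

```python
import re
import sys
from collections import defaultdict

# netmap kernel message layout as quoted in the post:
#   <uptime seconds> [<source line>] <function>   <message>
ACTIVATED = re.compile(
    r"^\s*(\d+\.\d+)\s+\[\s*\d+\]\s+generic_netmap_register\s+"
    r"Emulated adapter for (\S+) activated\s*$"
)

# The first seven lines are copied from the post; the last line is constructed
# to show that unrelated dmesg output is skipped.
SAMPLE = """\
325.237102 [ 320] generic_netmap_register   Emulated adapter for igc0 activated
424.125647 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
438.207994 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
452.313472 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
484.519552 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
498.622187 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
514.752345 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
igc2: link state changed to UP
"""

def parse_activations(text):
    """Return {interface: sorted list of uptime timestamps in seconds}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = ACTIVATED.match(line)
        if m:
            events[m.group(2)].append(float(m.group(1)))
    return {ifname: sorted(ts) for ifname, ts in events.items()}

def peak_rate(timestamps, window):
    """Largest number of events inside any `window`-second span (sliding window)."""
    best = left = 0
    for right, t in enumerate(timestamps):
        while t - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def flapping(text, window=60.0, threshold=3):
    """Interfaces re-registered at least `threshold` times within `window` seconds."""
    peaks = {i: peak_rate(ts, window) for i, ts in parse_activations(text).items()}
    return {i: n for i, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    # Pipe real output in (dmesg | python3 this_script.py); otherwise use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ifname, n in sorted(flapping(data).items()):
        print(f"{ifname}: up to {n} emulated-adapter activations within 60 s")
```

On the sample, only igc2 is reported, which matches the post's observation that most of the messages occur on the wireless-facing interface.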

21
23.1 Legacy Series / Re: Upgrade vs Clean Install
« on: February 02, 2023, 10:16:13 pm »
Quote from: pmhausen on February 02, 2023, 07:02:45 pm
I did:

https://forum.opnsense.org/index.php?topic=25540.msg122731#msg122731

This is so cool, thanks for linking to your previous guide. Really appreciate it since I'm new to OPNsense. Reminds me of dual root partitions in Junos...
I'm excited to try this for the next major upgrade.

22
23.1 Legacy Series / Re: Upgrade vs Clean Install
« on: February 02, 2023, 12:50:31 pm »
Quote from: Taomyn on January 30, 2023, 10:07:12 am
Also, is it just a case of backing up the current installation, copying that to a USB drive then pointing the installer to that file?

The following article helped me, but since I'm new to OPNsense and was simply just changing out hardware (with different interface names), I didn't have too much else to think about other than changing the interface names and then reinstalling plugins afterwards. It's nice that OPNsense will flag the plugins that are missing.

Two tips:
1. Config backup should be unencrypted
2. I found that I not only needed to re-enable root but also temporarily disable MFA. Be sure to do this before backing up the config.

23
23.1 Legacy Series / Re: The new unbound reporting is pretty cool
« on: February 01, 2023, 01:22:34 pm »
Wonderful, I'm glad it has been put into the backlog.

24
23.1 Legacy Series / Re: The new unbound reporting is pretty cool
« on: January 31, 2023, 07:07:07 pm »
Unbound reporting is really cool. I'm a new user to OPNsense this month and am loving this new feature. One very minor suggestion would be to change the background font for the details tab to work better with the dark mode themes (like cicada or vicuna). I usually have to change to the default OPNsense theme to read that tab. Otherwise, fantastic work!
