Recent posts

#1
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 04:19:34 AM
I see a similar imbalance on mine where one queue is preferred.  If your network is not very diverse (for example if you are a single client doing a bunch of speed tests) then this might explain the skew toward a single core, perhaps?

root@firewall:~ # vmstat -i | grep igc
irq130: igc0:rxq0                  91154          0
irq131: igc0:rxq1                  27129          0
irq132: igc0:rxq2                  27424          0
irq133: igc0:rxq3                  35187          0
irq134: igc0:aq                        2          0
irq135: igc1:rxq0               24060289        111
irq136: igc1:rxq1               48661715        224
irq137: igc1:rxq2               43006681        198
irq138: igc1:rxq3              155563356        715
irq139: igc1:aq                        2          0
irq145: igc2:rxq0              140748349        647
irq146: igc2:rxq1               13709652         63
irq147: igc2:rxq2               13733157         63
irq148: igc2:rxq3               13726372         63
irq149: igc2:aq                        2          0
irq150: igc3:rxq0               23630091        109
irq151: igc3:rxq1               26275878        121
irq152: igc3:rxq2               23673100        109
irq153: igc3:rxq3               23192884        107
irq154: igc3:aq                        2          0

In my case igc2 is the VLAN parent for my workstation and igc1 is WAN.  The skew makes sense, since the majority of the web traffic is igc2->igc1 and it's mostly the same exact kinds of flows (speed tests, YouTube...) from the same host.  I've been doing a lot of shaper related testing lately.

igc3 is iot/mobiles and other background traffic... family browsing/streaming, etc.
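A small parser for the vmstat -i output quoted above, written as an added example (not from the post): it groups interrupt totals per igc interface and RX queue and flags interfaces where one queue takes a disproportionate share. The sample text is the igc1/igc2 lines from the post; the flagging threshold is a constructed choice.

```python
import re
from collections import defaultdict

# Lines taken from the vmstat -i output quoted in the post above (igc1 and
# igc2 only); the per-queue skew is what the poster is describing.
VMSTAT_SAMPLE = """\
irq135: igc1:rxq0               24060289        111
irq136: igc1:rxq1               48661715        224
irq137: igc1:rxq2               43006681        198
irq138: igc1:rxq3              155563356        715
irq139: igc1:aq                        2          0
irq145: igc2:rxq0              140748349        647
irq146: igc2:rxq1               13709652         63
irq147: igc2:rxq2               13733157         63
irq148: igc2:rxq3               13726372         63
irq149: igc2:aq                        2          0
"""

# irqNNN: <iface>:<queue>   <total>   <rate>; the "aq" admin queue is ignored.
LINE_RE = re.compile(r"^irq\d+:\s+(\w+):(rxq|txq)(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_vmstat(text):
    """Map interface -> {queue index: interrupt total} for RX queues only."""
    queues = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "rxq":
            queues[m.group(1)][int(m.group(3))] = int(m.group(4))
    return dict(queues)

def queue_skew(totals):
    """Return (busiest queue, its share of all interrupts, busiest/quietest)."""
    busiest = max(totals, key=totals.get)
    share = totals[busiest] / sum(totals.values())
    ratio = totals[busiest] / max(1, min(totals.values()))
    return busiest, share, ratio

def skewed_interfaces(queues, factor=2.0):
    """Interfaces whose busiest RX queue took more than factor x its even share."""
    flagged = {}
    for iface, totals in queues.items():
        q, share, ratio = queue_skew(totals)
        if share > factor / len(totals):
            flagged[iface] = (q, round(share, 2), round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for iface, (q, share, ratio) in skewed_interfaces(parse_vmstat(VMSTAT_SAMPLE)).items():
        print(f"{iface}: rxq{q} took {share:.0%} of interrupts (max/min {ratio})")
```

On a box with RSS handled by the driver, a ratio near 1 means the hash is spreading flows; a ratio in the tens with a single client, as above, is the "same flows from the same host" effect rather than a driver fault.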
#2
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by OPNenthu - Today at 04:02:38 AM
Quote from: pseudonym3k on Today at 01:56:43 AM
Unbound is disabled.

Quote from: pseudonym3k on Today at 01:56:43 AM
At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases.

DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.

Dnsmasq is a combined DHCP+DNS solution, but Kea is strictly DHCP.  You need to bring your own DNS (same as with the old ISC) and this is where Unbound comes in.

A Kea user might be able to confirm this (I don't know if these only work with ISC) but I think you'll need to enable at least one setting in Unbound:

- Register ISC DHCP4 Leases
- Register DHCP Static Mappings (optional)

https://docs.opnsense.org/manual/unbound.html

Or, you can enter the static ones manually in Unbound as 'Overrides.'
#3
26.1 Series / Re: lots of empty space in new...
Last post by randell - Today at 03:48:37 AM
Sorry, my post about creating an account to +1 might have come across a little "complainy". That wasn't what I intended.

I did play around with a tampermonkey script to set the UIBootgrid.options.disableScroll. Setting this to true and also setting the table height to auto gave me the results I wanted, but unfortunately trying to monkeypatch that was not very dependable. (There are issues with tampermonkey and @run-at document-start when a page executes too fast, when most things were cached.)

If someone with more knowledge of developing for OPNsense wants to implement it, an option to set that to true and to change or stop setting the calculated height might be the best of both worlds.

Just a thought. It isn't a show stopper or anything.

This was one of the variations of my not-always-working but sort-of-working script that I was playing around with, to better explain what I was doing:

// ==UserScript==
// @name         OPNSense Scroll
// @namespace    http://tampermonkey.net/
// @version      2026-04-10
// @description  Disables tabulator scrolling
// @author       Me
// @match        https://xxxxxx:444/*
// @icon         https://www.google.com/s2/favicons?sz=64&domain=taxfodder.com
// @grant        none
// @run-at       document-start
// ==/UserScript==

(function() {
    'use strict';

    let _jquery;

    // Wrap jQuery.fn.UIBootgrid so every grid is created with disableScroll set.
    const applyPatch = (instance) => {
        if (!instance.fn || instance.fn.UIBootgrid_Patched) return;
        let _uiBootgrid;

        // The plugin assigns $.fn.UIBootgrid after jQuery loads; a setter on
        // that property installs the wrapper at the moment of assignment.
        Object.defineProperty(instance.fn, 'UIBootgrid', {
            get: () => _uiBootgrid,
            set: function(originalFunc) {
                console.log("Hooked UIBootgrid successfully!");
                _uiBootgrid = function(...args) {
                    const replacement = originalFunc.apply(this, args);
                    const bgInstance = replacement.data('UIBootgrid');
                    if (bgInstance) {
                        bgInstance.options.disableScroll = true;
                    }
                    return replacement;
                };
            },
            configurable: true
        });

        instance.fn.UIBootgrid_Patched = true;
    };

    // Trap the global jQuery/$ assignment (the script runs at document-start,
    // before jQuery is loaded) and patch whichever instance shows up.
    const defineHook = (propName) => {
        Object.defineProperty(window, propName, {
            get: () => _jquery,
            set: (val) => {
                _jquery = val;
                if (val && val.fn) {
                    applyPatch(val);
                }
            },
            configurable: true
        });
    };

    // Handle the case where jQuery is already there: capture it before the
    // hooks replace the property, otherwise the getter would return undefined.
    const existing = window.jQuery;

    defineHook('jQuery');
    defineHook('$');

    if (existing) {
        _jquery = existing;
        applyPatch(existing);
    }

    // Once the page has rendered, drop the calculated table height so the
    // grid grows with its content instead of scrolling internally.
    window.addEventListener('load', () => {
        setTimeout(() => {
            document.querySelectorAll('div.tabulator').forEach(t1 => {
                t1.style.height = 'auto';
            });
        }, 100);
    });

})();
#4
26.1 Series / ISC to DNSMASQ - Broadcast Opt...
Last post by randell - Today at 03:35:37 AM
After converting from ISC to DNSMASQ I had 1 device that would not work, an Echo Spot device. All my other Amazon devices worked, just not this model. After playing around with just about everything I could think of, I finally resolved it by adding a file in the config.d folder to set "dhcp-broadcast".

I am not a network guy, so I'm badly parroting my Google searches and AI explanations, but it seems that this device and some MediaTek chips don't like a unicast DHCPACK response. It will only accept it if it was broadcast. From my understanding, ISC broadcasts it but DNSMASQ unicasts it by default.

Once I set this, the device worked. I was also able to get it to work if I created a "Host" entry, but I didn't want to set the hostname, IP address, and all the other things as a long-term solution because, while I only had 1 device now, I didn't want to potentially have to add others if I added more devices.

I didn't see an option in the UI to toggle "dhcp-broadcast", but I think an option would be a good addition.
#5
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 03:17:11 AM
Yea, I saved the config.xml from first boot. It only had 3 tunables.

hw.ibrs_disable=1
vm.pmap.pti=0
ice_ddp_load=YES

Yea, without bindthreads/maxthreads/rss_enabled, the IRQs are mapped to separate CPUs, but the netstat stats show all the packets being queued on 1 CPU. Honestly, for 1 Gbps, I find it strange that this CPU can't do it with just 1 core, but yea.

with RSS disabled, watching sysctl
# sysctl dev.igc.1.iflib.{txq0,txq1,txq2,txq3}.r_enqueues
dev.igc.1.iflib.txq0.r_enqueues: 3928608
dev.igc.1.iflib.txq1.r_enqueues: 1070
dev.igc.1.iflib.txq2.r_enqueues: 1219
dev.igc.1.iflib.txq3.r_enqueues: 235

All the packets seem to go to txq0, but maybe it's because 1 Gbps isn't enough to stress even one core.

Strange is that I never really root-caused my connection issue. Was it because I powered off the ONT for 5 minutes and it really let it reset? Was it because I moved from igc0 to igc1 for WAN?
#6
26.1 Series / Re: Is VPN kill switch rule st...
Last post by OPNenthu - Today at 03:13:38 AM
@keeka I'm answering my own questions here, so I would just caution you not to follow my ramblings unless they're confirmed :P  There are things that I still am confused about.  For example, take the egress case:

local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server

If a LAN "in" rule matches and allows the packet, is the state created right then and there?  Does it bypass any WAN "out" rule that might have otherwise blocked it, or is the state created after the WAN "out" processing is done?

In other words: if a flow is filtered in both locations, do both filters always get taken into account?

We really do need better documentation around this, IMO.

Quote from: keeka on April 11, 2026, 09:57:31 AM
If a state has been established during ingress on one interface, does it mean a packet's not being examined on egress on a second interface by virtue of the existence of state?

I think this is a variant of the same question.

Quote from: keeka on April 11, 2026, 09:57:31 AM
Would this impact for example flows that rely on tagging by one interface and subsequent treatment of that tag on another iface?

If the tag is meant to block traffic leaving a specific interface, then it would only work if the packet arriving on the forbidden interface doesn't already match an existing state.  This is where I think it gets fuzzy with 'floating' states.

To be safe I would change some of the rules to use interface-bound states, but which ones?  WAN rules?  VPN rules?

I really would prefer to understand this better before changing anything, so hopefully some of the OPNsense maintainers or power users can chime in here.
#7
26.1 Series / Re: Kea DDNS in practice...
Last post by sopex8260 - Today at 02:55:14 AM
Quote from: Ed V. on April 10, 2026, 08:59:52 PM
Update to v26.1.6 didn't add any new options/fields in the Kea DDNS or DHCP tabs.

https://github.com/opnsense/ports/issues/265 filed at GitHub to request the "Manual" flag.

Thank you!

Under each subnet's settings there are the DDNS options.
#8
26.1 Series / Re: New features
Last post by OPNenthu - Today at 02:53:19 AM
Quote from: pfry on April 11, 2026, 03:13:45 PM
Quote from: OPNenthu on April 11, 2026, 08:43:13 AM
Feature idea: Can OPNsense give me a report of the ports/protocols seen in firewall logs, by host, so that I can make quick decisions about which ones I need to keep open and which ones I can safely block?  This is useful for e.g. egress filtering and tightening down the default 'allow LAN to any' rules.

I assume you're looking at the client/internal side. But such a report could be... more useful with, say, data transferred and session time. I don't think pf logging is really amenable to that, though.

Yeah, I just want to be able to profile things on an IoT network, for instance, without babysitting and manually filtering on firewall logs.

For example this guy profiled his Roku over some time frame and it revealed tcp/2350 as kind of an oddball (and also plain HTTP which is strange these days): https://www.michaelhorowitz.com/roku.network.trace.html

This kind of thing can be automated.
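As an added example (not the poster's or the project's code) of automating the per-host port/protocol report discussed above: a Python profiler over OPNsense filterlog lines that counts destination protocol/port per source host on one interface, listing the rarest ports first so oddballs like tcp/2350 stand out. The CSV field layout is the pf filterlog format as I understand it (an assumption, not taken from the page); the syslog header, log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed filterlog CSV layout for IPv4 TCP/UDP records: 0 rule nr, 1 sub-rule,
# 2 anchor, 3 rule label, 4 interface, 5 reason, 6 action, 7 direction,
# 8 ip version, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 proto nr,
# 16 proto name, 17 length, 18 src addr, 19 dst addr, 20 src port, 21 dst port.
IFACE, ACTION, DIR, IPVER, PROTO, SRC, DST, DPORT = 4, 6, 7, 8, 16, 18, 19, 21

# Pick the CSV payload out of the line, whatever syslog header precedes it.
CSV_RE = re.compile(r"(\S+,(?:pass|block),(?:in|out),[46],\S*)")

# Constructed sample lines: one IoT host on igc3, plus one blocked WAN probe.
HDR = '<134>1 2026-04-11T10:00:01+00:00 fw filterlog 1234 - [meta sequenceId="1"] '
SAMPLE_LINES = [
    HDR + "90,,,0d1f5c3a,igc3,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.30.20,203.0.113.14,51234,443,0,S,1:1,,64240,,mss",
    HDR + "90,,,0d1f5c3a,igc3,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.30.20,203.0.113.15,51235,80,0,S,1:1,,64240,,mss",
    HDR + "90,,,0d1f5c3a,igc3,match,pass,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.30.20,203.0.113.16,51236,2350,0,S,1:1,,64240,,mss",
    HDR + "90,,,0d1f5c3a,igc3,match,pass,in,4,0x0,,64,1004,0,none,17,udp,78,192.168.30.21,192.168.30.1,5353,53,58",
    HDR + "90,,,0d1f5c3a,igc3,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.30.20,203.0.113.14,51237,443,0,S,1:1,,64240,,mss",
    HDR + "5,,,1b2c3d4e,igc1,match,block,in,4,0x0,,52,9001,0,DF,6,tcp,60,198.51.100.7,203.0.113.1,40000,22,0,S,1:1,,1024,,mss",
]

def parse_record(line):
    """Return (iface, action, direction, src, 'proto/dport') or None."""
    m = CSV_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Only IPv4 TCP/UDP carries a destination port at index 21; skip the rest.
    if len(f) <= DPORT or f[IPVER] != "4" or f[PROTO] not in ("tcp", "udp"):
        return None
    return f[IFACE], f[ACTION], f[DIR], f[SRC], f"{f[PROTO]}/{f[DPORT]}"

def profile(lines, iface, action="pass", direction="in"):
    """Count destination proto/port per source host for one interface."""
    seen = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        if rec and rec[:3] == (iface, action, direction):
            seen[rec[3]][rec[4]] += 1
    return dict(seen)

def report(seen):
    """Flatten to (host, proto/port, hits), rarest ports first per host."""
    rows = []
    for host in sorted(seen):
        rows += [(host, p, n) for p, n in sorted(seen[host].items(), key=lambda kv: kv[1])]
    return rows
```

Feed it the pass lines of a LAN interface's "in" direction over a few days and the low-count rows are the candidates to look at before tightening the allow-any rule; run it again with action="block" after the change to confirm nothing needed was cut.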
#9
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 02:39:03 AM
I think that 'igc' devices don't depend on RSS being enabled in kernel settings.  They use it implicitly.

You can check that by leaving 'net.inet.rss.enabled' to its default (0/off) and the output of 'vmstat -i' will show that igc devices have interrupts distributed across RX queues.  On my machine the number of queues matches the number of cpus (4).

I don't think it hurts to leave the setting enabled though, and it probably benefits your SFP+ interfaces.  But as others said, this kind of thing should either already be the default on your expensive firewall platform if it's needed, or it shouldn't be needed at all.

It looks like Deciso have not yet provided a default config for the DEC3920 but when they do, you could check it to see if RSS is explicitly enabled: https://docs.opnsense.org/hardware/defaults.html

The problem is now that you've made multiple changes, we don't know which one(s) affected your original issue. :-/

#10
General Discussion / Re: Trouble understanding VLAN...
Last post by pfry - Today at 02:14:26 AM
Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
[...] Here is how I imagine the interfaces in OPNsense should look in the end: [...]

I use something similar, with four bridges (I run everything through the firewall, and bridges make for convenient addressing; also, my Internet service is bridged): EDGE (static IPs), TRUST, GUEST, and JAIL. (I haven't used a VPN in a while.)

I only have one wireless access point (I own... uh... five, but I barely use one) (running OpenWRT), and I break it down into (surprise) two bridges: "management" and "access", segregated by physical interface (I didn't bother with VLANs). The "access" bridge has no IP address, so no communication from the AP itself, and is plugged into the guest bridge; the management side is jailed (and gets an IP from the firewall via DHCP). I used bridges in case I want to plug something else into them (temporarily), as the AP is handy and has 5 ports. Anyway, it's likely too simple for your needs. I suppose if I wanted different access levels I could just plug in a couple more APs, but I only use wi-fi to update my phone.

I do use VLANs, but only to aggregate interfaces onto the firewall. That is, I assign a unique VLAN (untagged) to each access port on my switches, and all (tagged) to the uplink to the firewall, turning the switches into port expanders. I then assign each port (physical or VLAN) on the firewall to the appropriate bridge. Positive separation for (effectively) unlimited ports with three DHCP pools.