Recent posts

#1
General Discussion / Re: Degraded printer functiona...
Last post by drosophila - Today at 02:25:25 AM
Good detective work! This seems to indicate that there is some cruft stored in the config files, possibly leftovers from old configuration changes, now masked by their wrapper services being disabled. IDK why sense would store ARP things in the config, but it might be old entries for IP assignments on some obscure sub-service page, or maybe even MAC-based rules for the firewall that have a side-effect. Fixed ARP entries are possible at least in the config files (you can manually add ARP entries from the console, so scripts can also do it). The fact that it comes back only after some time hints that it might coincide with provider-induced WAN IP reassignments, resulting in the respective services being refreshed.
Of course, it is possible to assign arbitrary MACs to interfaces in most OS/drivers, but that would also have been set up manually, just like custom scripts.

It might work to "clean up" the config by exporting it, clearing the current one, then re-importing the previously exported one. That would get rid of everything that is in auto-generated config files but not in the actual config. You could however grep through the generated xml and see if those MACs appear in it, and if so, where.
#2
General Discussion / Re: Troubleshooting guidance
Last post by drosophila - Today at 01:46:04 AM
Quote from: mrThirsty on May 06, 2026, 11:56:30 AM
all devices both wired and wireless can't seem to do anything during this
First thing to check: what do the lights do? Do switch / NIC indicate heavy traffic? No traffic at all? Normal traffic?
Second thing to check: can they communicate among themselves? IOW, on their segment / switch?
Quote from: mrThirsty on May 06, 2026, 11:56:30 AM
, I am leaning toward it being a WAN-related issue as on the odd occasion when the freeze up has been long enough, I am still able to log into the Admin portal on my router.
So the LAN part is perfectly fine (unless you're using a dedicated admin port?), and the devices on your LAN can probably communicate normally among themselves. And the Protectli isn't frozen either, nor is the network stack. Keep the dashboard open and observe it for CPU / RAM / whatever spikes that shouldn't be there when the lockup happens. You probably need to add a couple of useful widgets first, like "CPU", "Traffic Graphs" and "Thermal Sensors".
Quote from: mrThirsty on May 06, 2026, 11:56:30 AM
I have determined the issue is my OpnSense router as I have removed it from my network and then ran each of the ISP modem and Amplify-HD as the router for a day each and during those two days I did not have any of the freezes. I have also taken the extreme move of completely wiping my router and just having it run as it comes out of the box, just as a DHCP server, no ZenArmour or OpenVPN etc. and I still get the freezing. No matter what configuration I run my network in, as soon as OpnSense is the router, the freezing happens.
That rules out updates for ZA or other blocklists clogging up the machine. I'd look for WAN-related events like IP address changes, possibly interface-related if we assume that the WAN interface might simply have a defect. Would it be possible to reassign the WAN and one of the other interfaces (the box has 4 AFAICS) to see if the issue persists unchanged (so, on WAN) or sticks to the interface?

Also, you could observe the "Live view" on the Firewall. You don't need to interpret the individual lines, just look for changes in pattern (note that to do so, you'd need to stare at those logs while everything is normal for a while to be able to see what the normal patterns might be: not every "wall of red lines" indicates something unusual). You might need to enable logging for all rules first. Familiarize yourself with the settings and buttons on that page so you can hit the "stop" button in time, possibly increase the "Table size" to 100 or even more for that.

Since that is an Intel, you should install the "os-cpu-microcode-intel" plugin, even though this doesn't seem to be CPU related.

I would set up a machine that is normally on anyway (like your desktop / work machine) to do a continuous ping (not floodping, just a friendly once-per-second endless ping (/t in Windows, I believe)) to one of your other "always on" LAN devices (printer, TV, smartbulb, home automation, toaster, ...) in one terminal, and another such ping to something on the internet that won't be going anywhere, say, www.microsoft.com. Possibly a third terminal pinging the LAN interface of your Sensebox for good measure.

Just keep them running until the event and see which one starts failing / changes behavior, and how, once it occurs. Or even if at all: if it is a DNS issue, running pings won't be affected.
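The "three continuous pings" advice above, turned into a small monitor, as an added example that is not part of the forum thread or of OPNsense: it pings an always-on LAN device, the firewall's LAN interface and an Internet host once per second, adds a separate name-resolution probe (so a DNS-only fault, which the post notes plain pings would miss, is visible too), and logs only the moments a target changes state together with a reading of which segment that pattern points at. The addresses 192.0.2.20 and 192.0.2.1 are placeholders; www.microsoft.com is the host named in the post.

```python
#!/usr/bin/env python3
"""Added example, not from the forum thread: multi-target reachability monitor.

Pings three targets every second and prints a line only when a target flips
between up and down, plus a rough reading of which segment is affected.
"""
import datetime
import platform
import socket
import subprocess
import time

# Placeholder targets (constructed for this example); replace with your own.
TARGETS = {
    "lan-device": "192.0.2.20",      # always-on LAN host: printer, TV, ...
    "firewall-lan": "192.0.2.1",     # LAN interface of the firewall box
    "internet": "www.microsoft.com", # Internet host that "won't be going anywhere"
}
DNS_PROBE = "www.microsoft.com"      # resolved separately from the ping above


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """Send one echo request with the system ping; True if a reply came back.
    Windows ping takes -n/-w (ms); Linux ping takes -c/-W (s). On macOS -W is
    in ms, so adjust the timeout value there."""
    windows = platform.system() == "Windows"
    count_flag, timeout_flag = ("-n", "-w") if windows else ("-c", "-W")
    timeout_val = str(timeout_s * 1000) if windows else str(timeout_s)
    try:
        rc = subprocess.run(
            ["ping", count_flag, "1", timeout_flag, timeout_val, host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 2,
        ).returncode
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return rc == 0


def resolve_ok(name: str) -> bool:
    """True if the configured resolver can turn the name into an address."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def transitions(previous: dict, current: dict) -> list:
    """(target, old_state, new_state) for every target whose state changed.
    old_state is None on the first sample."""
    return [(name, previous.get(name), current[name])
            for name in current if previous.get(name) != current[name]]


def diagnose(state: dict) -> str:
    """Map the reachability pattern to the segment most likely at fault,
    following the reasoning in the thread: LAN answers but the Internet
    target does not points at the WAN side; nothing answers points at the
    local segment; pings fine but resolution failing points at DNS."""
    lan, fw = state.get("lan-device"), state.get("firewall-lan")
    wan, dns = state.get("internet"), state.get("dns")
    if lan and fw and wan:
        return "all reachable" + (" but name resolution failing: DNS" if dns is False else "")
    if lan and fw and not wan:
        if dns is False:
            return "LAN fine, Internet target unreachable and resolution failing: check DNS before blaming WAN"
        return "LAN fine, Internet unreachable: WAN side / upstream"
    if lan and not fw:
        return "LAN switch fine, firewall LAN interface not answering: firewall host"
    if not lan and not fw:
        return "nothing on the LAN answers: local segment / switch / this host"
    return "partial loss; keep observing"


def monitor(interval_s: float = 1.0) -> None:
    """Run until interrupted; print a timestamped line on every state change."""
    previous: dict = {}
    while True:
        current = {name: ping_once(host) for name, host in TARGETS.items()}
        current["dns"] = resolve_ok(DNS_PROBE)
        for name, old, new in transitions(previous, current):
            stamp = datetime.datetime.now().isoformat(timespec="seconds")
            before = "start" if old is None else ("up" if old else "down")
            after = "up" if new else "down"
            print(f"{stamp} {name}: {before} -> {after} | {diagnose(current)}")
        previous = current
        time.sleep(interval_s)


if __name__ == "__main__":
    monitor()
```

Leave it running in a terminal on a machine that is normally on anyway; the first lines it prints are the initial states, after which it stays silent until something flips, so the timestamps line up directly with the freeze events.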
#3
Quote from: pOpY2k25 on May 03, 2026, 06:12:41 PM
BUT Finally!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The i226-v driver bug I am referring to in #110 posts (performance loss when ASPM is on) is fixed in unraid 7.3.0-rc1 (kernel 6.18.23).
Here is the commit which fixed the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0325143b59c6c6d79987afc57d2456e7a20d13b7
Basically disabling aspm L1.2, preventing the performance issue with minimal higher power consumption.


So with this commit, I can recommend the Intel i226-v for low power opnsense/unraid builds WITH full ASPM support and no performance loss.
The c-states rabbit hole has become smaller for me


It's interesting, and maybe someone can shed some light.
That igc fix (Jul 2025) seems to identify an issue related to i226 nvm from 2024 (https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com/), but it does not explicitly name the nvm version in the 2025 git fix.

If I follow the git igc update, their "fix" does not leave you with a "fully functional ASPM", it basically cripples a feature of ASPM in order to keep things from being problematic, also known as a workaround, it's not a fix.

And then the mystery, does this latest nvm we have use fixed code that would not cause problems if the igc code removes the workaround?

It almost appears like the kernel side is moving faster than the nvm, but technically it's the nvm that needed fixing, yet Intel submits igc "fixes" instead of releasing new fixed nvm. Probably because updating a distro kernel is easier than trying to have end-users flash hardware? Not sure.

All that said, you mention you installed the latest nvm and still had issues with ASPM fully active. Using what is mentioned in the git igc fix, perhaps there's still an issue with i226 itself or that 2MB nvm. What exact version of the i226 do you have? I suspect we match the git issue as described to that (your) specific i226 hardware version with that specific 2MB nvm. The git page (seems like Intel words) seems to indicate maybe a silicon issue, something they can't fix in nvm?

With the igc workaround as seen in the git commit, that PCIe Link state is disabled for ALL 226's. So on one side some got a workaround, but for others using different i226, perhaps they get dinged because their system can no longer use that PCIe power state.

#4
Don't we get new updated plugins when an OS/FW upgrade is done? The CPU remains the same.
#5

Quote
Is NIC firmware V2.32 worth the flash, or should I focus on BIOS tweaks first?
Quote from: nero355 on May 05, 2026, 08:46:06 PM
I would always check with the manufacturer first in this case and flash a newer BIOS/UEFI if they have one or think it would help!

Just for some reader clarity, the nvm for i226 is not any bios/efi thing.

There are probably no cases where updating nvm causes issues for a bios/uefi. There are however possible pitfalls (low risk) where an older driver (klm and the like) does not work 100% with new nvm, but this is usually something in the old driver that cannot take advantage of some new feature in the new nvm. The general rule has been: use the latest nvm with the latest driver. An unfortunate aspect of most distros is the use of the GENERIC build, making it difficult to just unload a bad klm and load in a new, better klm. It's only my opinion, but I think it's better to compile the kernel very stripped, then do the load-in of needed klm's.

I don't think I have ever seen any kernel code version that was dependent on the (as example) igc hardware nvm.
If the kernel supports igc, then the nvm version should (should) make no difference.

What we expect from updated nvm is, security/bug fixes and in some cases added features.

I believe most of the functionality changes (problems) are seen at the driver level (klm or otherwise). The kernel tree gets some new/bad code, it compiles down, goes to the distro, and the bug list begins, then some patch is released, then the final fix lands in the next kernel tree. Certainly, the igc driver code used by Intel devices is probably code supplied by Intel. I am not aware of, say, Oracle having a dev team who is writing their own "igc" driver for i226. Custom dev drivers certainly do exist, but that's for specialty/boutique stuff likely running with a custom compiled kernel.

Getting to nvm v2.32 to fix a problem was likely just Intel goofing up some code along the way, then they finally fixed it.
#6
26.1, 26.4 Series / Partial config wipe after upda...
Last post by Crane_Train - Today at 12:49:00 AM
Ran firmware update this morning and had 3 VPN tunnel configs, interfaces, gateways, fw policies, associated aliases and gw groups wiped from my system on reboot. Snapshot is gone, last backup is dated 22/03/2026.

Absolutely no idea how/why this would happen, but not too happy about it.

Anyone else had a similar experience and managed a recovery somehow, or should I just slog through the setups again? How can I be certain this won't happen again?

#7
26.1, 26.4 Series / System -> Trust -> Revocation ...
Last post by grapes2331 - Today at 12:43:12 AM
EDIT: I've changed my original post because I have a better idea of what I think is wrong. Okay, I've been continuing to try and figure out why I can't get the CRL list to download. The issue is that when I push any of the below buttons to try and download, update, or interact with the CRL, nothing happens. It's not like I get an error or anything, it just kind of stalls. I re-read the documentation and got confused originally. This is from the documentation.

Quote
A Certificate Revocation List (CRL) is a list of certificates that have been revoked by the certificate authority. Some services in OPNsense can use these to validate if a certificate is still valid to use even though it might not be expired.

Defining a CRL in OPNsense is not very complicated, just go to System ‣ Trust ‣ Revocation and click on the <+> sign for your (local) certificate authority to create a new CRL. When a CRL exists, you may edit it and add or remove certificates in it (using the pencil icon).

I'm importing a root CA and an intermediary certificate. This documentation with that + button mentioned is referring to a CA that is self-signed and created on this firewall. Is this something that is just automatically generated from the certificate when I import the root + intermediate?

Here is what I have inside the UI....

I think I made an error in my certificate when I defined my CRL URL, but I can't seem to find a way to easily inspect the certificate. Why is PKI so hard?


#8
26.1, 26.4 Series / Re: Set specific IP address fo...
Last post by nero355 - Today at 12:23:03 AM
Quote from: rama3124 on May 06, 2026, 09:34:35 AM
and also in the unbound Query forwarding domain field.
This : https://docs.opnsense.org/manual/unbound.html#query-forwarding
Needs to be done too indeed.

Quote
Yet for some reason it only resolves correctly if i do unraid.lan.internal.

Also none of my other hostnames resolve (e.g. homeassistant.lan.internal).
Then you have got .lan configured somewhere and need to remove it.

Quote
Just confirming, the hostname is whatever appears in the 'Host' field of Dnsmasq DNS & DHCP - Hosts?
See here : https://docs.opnsense.org/manual/dnsmasq.html#dns-settings

Host should be : homeassistant
Domain should be : internal
/Slightly Offtopic :

Sometimes I wish the default DNS setup, now that DNSmasqd has replaced ISC by default after a fresh OPNsense install, wasn't as it is right now :
Client => Local DNS Query => Unbound => DNSmasqd DNS Server part.
Client => External DNS Query => Unbound => Root DNS Servers and all...

But instead simply :
Client => Local DNS Query => DNSmasqd DNS Server part.
Client => External DNS Query => DNSmasqd DNS Server part => Unbound => Root DNS Servers and all...

I think it would be a lot more user friendly for a lot of people considering the many questions about DNS stuff in OPNsense :)
#9
General Discussion / Re: Open CVEs right after upda...
Last post by nero355 - Today at 12:00:47 AM
Quote from: franco on May 06, 2026, 05:26:48 PM
Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micro manage Python fixes and potentially clashing with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.
Does that future include kicking out that weird snake at some point ?? :P
#10
General Discussion / Re: Troubleshooting guidance
Last post by nero355 - May 06, 2026, 11:59:13 PM
Maybe IPTV-related Multicast Storms because the ISP's Router has IGMPv3 on its built-in Switch and your OPNsense and AmpliFi hardware don't ?!
#JustGuessing...