Recent posts

#1
German - Deutsch / Re: 10G Hardware Empfehlungen
Last post by meyergru - Today at 09:59:17 PM
With the Alder Lake systems you have to keep a few things in mind; they are described here under point 23. In particular, the tunables in the post linked there are important.

Beyond that there are often two more problems:

1. Build quality is often not the best, because the CPU does not sit flush against the case or the thermal paste is badly applied.
Also, a passively cooled N3xx would probably be too much of a good thing, especially once the waste heat of the 10G ports is added.

2. The manufacturers (CWWK included) usually run the Nxxx CPUs at the upper limit of their possible TDP, for example the N100 at 25 watts instead of 6 W, and often enough you cannot easily get at these settings in the BIOS.

I have told all of this here before - but you have one with a fan, so it does not weigh so heavily.


#2
Hello everyone,

I need the TAP VPN (yes... it has to be TAP) not to create the default gateway (route 0.0.0.0).
I have already tried "route-nopull" and "route-noexec" (server, client via CSC, export file).

Let me specify what I need.
  • Clients authenticate with username and password (freeradius, so far this is perfect)
  • Only clients with a CSC configuration can authenticate to the VPN
  • Clients receive a LAN IP via CSC
  • Only the LAN routes should be created on the client. But it creates the default route, and with a lower metric than the existing one. HERE IS MY PROBLEM!

Here are the files (I edited them to remove sensitive data)

Server: # cat /var/etc/openvpn/*.conf | sed -n '1,200p'
dev ovpns1
ping-timer-rem
topology subnet
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
verify-client-cert require
remote-cert-tls client
server-bridge
username-as-common-name
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '29533187-c920-428c-b82f-6fd2c670ad14'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
multihome
push "explicit-exit-notify"
push "route 172.16.0.0 255.255.0.0"
route 172.16.0.0 255.255.0.0
persist-tun
persist-key
keepalive 10 60
dev-type tap
dev-node /dev/tap1
script-security 3
writepid /var/run/ovpn-instance-29533187-c920-428c-b82f-6fd2c670ad14.pid
daemon openvpn_server1
management /var/etc/openvpn/instance-29533187-c920-428c-b82f-6fd2c670ad14.sock unix
proto udp4
verb 7
disable-dco
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
block-ipv6
float
explicit-exit-notify
fast-io
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----


CSC client:  # cat /var/etc/openvpn-csc/1/guilherme.gontijo@uftm.edu.br  | sed -n '1,200p'
ifconfig-push 172.16.7.2 255.255.0.0


Exported file:
dev tap
persist-tun
persist-key
data-ciphers-fallback AES-256-GCM
client
resolv-retry infinite
remote 186.248.203.214 1194 udp4
remote 200.131.62.250 1194 udp4
lport 0
verify-x509-name "C=BR, ST=MG, L=Uberaba, O=UFTM, OU=PROTIC, CN=vpnserver-certificate.uftm.br" subject
remote-cert-tls server
auth-user-pass
auth-nocache
route-noexec
route-nopull
<ca>
-----BEGIN CERTIFICATE-----


Note: ChatGPT and Gemini couldn't help me with this one... hahaha
#3
Nothing weird I can see in the config.

All features I have tested and ran for months without crashes.

Strange.

I could only recommend slowly disabling features until it doesn't happen anymore.

E.g. first disable RA/DHCPv6...check, then DHCPv4... check

That could get to the bottom of this.


------

Also since the known memory leak seems to refer to reading hostnames from files, maybe check if dnsmasq_watcher.py is running?

I refer to this part

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases
#4
If you configure any of the automated backup plugins (SFTP, Nextcloud, git, ...) OPNsense will run a backup every night at 2:00. No need to configure an explicit cron job if daily backups are enough for you.
#5
25.7, 25.10 Series / random sFTP connection attempt...
Last post by Tamas Halmai - Today at 09:32:06 PM
Hi,

I am running OPNsense 25.7.9 and successfully enabled automated sFTP backup to my local NAS every day at 10:00.

So far so good. But I have noticed in the System -> General log that the FW randomly tries to make an sFTP attempt around 02:00 every day. Since my NAS is switched off during the night, the sFTP connection obviously fails.

Could you please advise how I could disable these particular unwanted connection attempts?

Thanks in advance,

Tamas Halmai
#6
25.7, 25.10 Series / Re: Unbound DNS, DoT - Priorit...
Last post by Kets_One - Today at 08:47:13 PM
When the first DoT server does not respond, Unbound treats it as unresponsive and applies a probing scheme with exponential backoff. Initially, failed queries receive a SERVFAIL response. Unbound then blocks the non-responsive server for a default period (typically 15 minutes, controlled by infra-ttl) and periodically sends a single probe query to test its availability.

During this time, Unbound automatically forwards new queries to the next available server in the configuration. Once the blocked server responds to a probe, it is reinstated into the pool for normal use.
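A simplified model of the block / probe / reinstate cycle described above, added here as an example and not Unbound's own code: timestamps are injected so it runs offline, `INFRA_TTL` follows the 15-minute default (infra-ttl) the post mentions, and the 60-second base probe interval with doubling is an assumption standing in for Unbound's real backoff.

```python
from dataclasses import dataclass

INFRA_TTL = 900    # seconds: the 15-minute default (infra-ttl) the post refers to
PROBE_BASE = 60    # assumption: first re-probe after 60 s, doubling on each failure


@dataclass
class Upstream:
    name: str
    blocked_until: float = 0.0      # time until which this forwarder is skipped
    last_probe: float = 0.0
    probe_interval: float = PROBE_BASE


class ForwarderPool:
    """Ordered forwarder list with the block / probe / reinstate cycle."""

    def __init__(self, names):
        self.servers = [Upstream(n) for n in names]

    def query(self, now, responsive):
        """Forward one query at time `now`; `responsive` maps name -> bool.

        Returns (server used, "OK" or "SERVFAIL")."""
        # 1. A blocked server gets a single probe once its backoff timer expires.
        for s in self.servers:
            if now < s.blocked_until and now - s.last_probe >= s.probe_interval:
                s.last_probe = now
                if responsive.get(s.name, False):
                    s.blocked_until, s.probe_interval = 0.0, PROBE_BASE   # reinstated
                else:
                    s.probe_interval = min(INFRA_TTL, s.probe_interval * 2)  # backoff
        # 2. The real query goes to the first server that is not blocked.
        for s in self.servers:
            if now >= s.blocked_until:
                if responsive.get(s.name, False):
                    return s.name, "OK"
                s.blocked_until, s.last_probe = now + INFRA_TTL, now  # block it
                return s.name, "SERVFAIL"          # the query that hit the outage
        return None, "SERVFAIL"                    # every forwarder is blocked


def demo_trace():
    """Constructed timeline: dot1 is down from t=0 and comes back at t=150."""
    pool = ForwarderPool(["dot1", "dot2"])
    trace = []
    for t in (0, 1, 60, 120, 180):
        trace.append((t,) + pool.query(t, {"dot1": t >= 150, "dot2": True}))
    return trace
```

Only the first query to hit the outage returns SERVFAIL; later queries go to dot2 until a probe succeeds and dot1 is used again.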
#7
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by dmurphy - Today at 08:42:37 PM
Quote from: hina on Today at 06:26:17 PM
Some extra data points on my current system

Thank you!  Here's my dnsmasq config; I removed the static reservations since they are repetitive and I didn't feel like masking all of the MAC addresses ... that's just pure laziness on my part.

Nothing crazy in here I don't think!

EDIT: Oh, FYI, the hardware is a DEC2752, vanilla standard ...  the internal interfaces are an 802.3ad active-active LAGG across ax0/ax1;  WAN is on igc0.

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#

rebind-localhost-ok
stop-dns-rebind

port=53053

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=lagg0_vlan77,lagg0_vlan99,lagg0,lagg0_vlan91



dhcp-fqdn
domain=home
# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/home/
local=/dmz/
local=/winhome/
local=/guest/




# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces




# Never forward addresses in the non-routed address spaces.
bogus-priv

server=/plex.direct/8.8.8.8
rebind-domain-ok=/plex.direct/

# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
strict-order

# Never forward to servers in /etc/resolv.conf
no-resolv






# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases

dns-forward-max=5000
cache-size=10000
local-ttl=1

conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf

dhcp-range=tag:lagg0_vlan77,192.168.77.50,192.168.77.200,255.255.255.0,86400

domain=dmz,lagg0_vlan77
dhcp-range=tag:lagg0_vlan91,192.168.91.20,192.168.91.50,255.255.255.0,86400

domain=winhome,lagg0_vlan91
dhcp-range=tag:lagg0_vlan99,192.168.99.100,192.168.99.190,255.255.255.0,86400

domain=guest,lagg0_vlan99
dhcp-range=tag:lagg0,192.168.0.100,192.168.0.245,255.255.252.0,86400

domain=home,lagg0
dhcp-range=tag:lagg0,192.168.1.100,192.168.1.250,255.255.252.0,86400

domain=home,lagg0
dhcp-range=tag:lagg0,::,constructor:lagg0,ra-names,ra-stateless,64,86400

domain=home,lagg0
ra-param=lagg0,60,1200

dhcp-range=tag:lagg0_vlan77,::,constructor:lagg0_vlan77,ra-stateless,64,86400

domain=dmz,lagg0_vlan77
ra-param=lagg0_vlan77,60,1200

dhcp-range=tag:lagg0_vlan91,::,constructor:lagg0_vlan91,ra-names,ra-stateless,64,86400

domain=winhome,lagg0_vlan91
ra-param=lagg0_vlan91,60,1200

dhcp-range=tag:lagg0_vlan99,::,constructor:lagg0_vlan99,ra-stateless,64,86400

domain=guest,lagg0_vlan99
ra-param=lagg0_vlan99,60,1200


===== 8< 24 static reservations, all in the same format ... >8 =====
dhcp-host=08:00:20:00:00:00,192.168.0.3,sun-microsystems-forver
===== 8< 24 static reservations, all in the same format ... >8 =====

dhcp-option-force=tag:lagg0_vlan99,3,192.168.99.1
dhcp-option-force=tag:lagg0_vlan99,6,192.168.99.1
dhcp-option-force=tag:lagg0_vlan91,3,192.168.91.1
dhcp-option-force=tag:lagg0_vlan91,6,208.67.222.222,208.67.220.200
dhcp-option-force=tag:lagg0,1,255.255.252.0
dhcp-option-force=tag:lagg0,6,192.168.0.1
dhcp-option-force=tag:lagg0,3,192.168.0.1

# default dns mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0


no-ident

Looks like your dnsmasq has a large memory footprint as well - keep an eye on it and see if it continues to grow.

I saw the same post about the dnsmasq 2.92RC3 but didn't have time last night to dig into the patch; seems it's related to parsing some static host files which "shouldn't" be the issue here, but who knows!  Worth checking out.

Thanks so much for digging into this ... thankfully the hourly restart is getting me through but it's certainly not ideal.
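One way to follow the "keep an eye on it and see if it continues to grow" advice above, added as an example that is not from the thread or from OPNsense: sample the dnsmasq process's RSS over time and flag growth that persists after the configured cache (cache-size=10000) would have filled. The `ps -o rss=` call, the 1024 KiB/h threshold and the sample series are assumptions and constructed data, not measurements from this thread.

```python
import subprocess
import time


def read_rss_kib(pid):
    """RSS of one process in KiB via `ps -o rss= -p PID` (BSD and Linux ps both accept this)."""
    out = subprocess.run(["ps", "-o", "rss=", "-p", str(pid)],
                         capture_output=True, text=True).stdout.strip()
    return int(out) if out else None


def growth_kib_per_hour(samples):
    """Least-squares slope of (seconds, rss_kib) samples, expressed in KiB per hour."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return 0.0 if den == 0 else num / den * 3600


def looks_like_leak(samples, min_slope_kib_h=1024):
    """True when RSS is still climbing in the second half of the window.

    A warming cache (cache-size=10000 above) grows and then flattens; a leak
    keeps the slope positive after the plateau would have been reached."""
    late = samples[len(samples) // 2:]
    return len(late) >= 2 and growth_kib_per_hour(late) >= min_slope_kib_h


# Constructed samples, one every 10 minutes (not measurements from the thread).
LEAK_SAMPLES = [(0, 20000), (600, 22000), (1200, 24100), (1800, 26050), (2400, 28200)]
PLATEAU_SAMPLES = [(0, 20000), (600, 26000), (1200, 29000),
                   (1800, 29100), (2400, 29050), (3000, 29120)]


def watch(pid, interval_s=600, samples_wanted=12):
    """Collect live samples for one process and report; run on the firewall itself."""
    samples, start = [], time.time()
    for _ in range(samples_wanted):
        rss = read_rss_kib(pid)
        if rss is None:
            break                      # process gone (e.g. restarted by the hourly cron)
        samples.append((time.time() - start, rss))
        time.sleep(interval_s)
    return samples, looks_like_leak(samples)
```

Run `watch(<dnsmasq pid>)` over a couple of hours on the firewall; a plateau after the cache fills is normal, a slope that stays positive is what to report together with the config.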
#8
What are those cc interfaces? Looks kinda weird.

What NIC hardware is that? The Chelsio T6225-CR?

I've never seen that used ever, maybe there is some weird side effect, especially if netmap is also running on them.

Can you try to deactivate any netmap drivers that attach to these interfaces by disabling zenarmor/intrusion detection and see if dnsmasq still inflates RAM?
#9
German - Deutsch / Re: 10G Hardware Empfehlungen
Last post by bsch - Today at 08:07:30 PM
Quote from: bimbar on Today at 12:42:43 PM
I would advise against CWWK by now; the last two devices had massive defects even when fully functional.

You can get it running, but life is really too short for that.

Why? Well, the thing has been running so far. And everything has actually been quite normal so far, as usual. What problems were there?
#10
German - Deutsch / Re: 10G Hardware Empfehlungen
Last post by bsch - Today at 08:06:02 PM
Quote from: Patrick M. Hausen on Today at 10:31:03 AM
For "China boxes" in general: open the device and check whether there is good contact between the CPU and the case and whether the right amount of thermal paste was applied.

That is one of the common weak points in final assembly.

Of course you can also just look at the CPU temperature first. If it is OK, you probably don't need to do anything.

Yes, I have that on my radar. Took it apart yesterday right away and added the widget :D Looks good so far, I'd say. Averages around 45 degrees. But full load is still pending :)

I have actually only had good experiences with such devices before. Plus the purchase via Amazon... Let's see how it goes.