Recent posts

#1
26.1, 26,4 Series / Re: lots of empty space in new...
Last post by nero355 - Today at 08:38:21 PM
Quote from: Monviech (Cedrik) on Today at 06:02:38 PMThe statistics column unhides when you press the Inspect button to show rule statistics.
Makes sense! :)

Totally forgot about that... d0h!

QuoteMy normal screen has 5120x2160. I can have two complete rule windows open side by side xD
Well... technically... I have got 5760x1200 in front of me, but even after 16 years or so that's not really standard now... is it ?! :P
#2
The loopback initialization is only called on boot and when using console option 13. So the patch apply works, but not easily called.

Hotfix is already out and upgrade paths have been adjusted. Release notes follow later tonight. That will hopefully give more people the opportunity to test.  :)


Cheers,
Franco
#3
Looks great with the latest release. Oddly, I had to power cycle the device, which is odd. Not likely a scenario in which folks would get this patch when updating though.
#4
General Discussion / Re: How to set up Single NIC O...
Last post by nero355 - Today at 08:34:28 PM
Quote from: Patrick M. Hausen on Today at 06:51:07 PMMake that WAN also a tagged VLAN of your chosing, then connect an untagged switch port in that VLAN to the modem. If the ISP needs another tag, let the modem set it.

Don't mix tagged and untagged - especially when WAN and LAN are on the same port.
Good point! :)

I forgot FreeBSD does not like Untagged and Tagged on the same port...
#5
26.1, 26,4 Series / First time OPNsense setup - po...
Last post by daveMar - Today at 08:28:38 PM
Hi,
I am a OPNsense first-timer trying to setup an OPNsense firewall in an apartment house with 5 parties sharing the same internet connection. The goal was to establish separated networks for each party as well as separate house automation devices and shared infrastructure (printer, NAS) to be able to limit access for certain parties.
I purchased a Protectli Vault Pro VP2440, fitted it with 128GB SSD and 8GB DDR5 memory and installed OPNsense. Configured VLANs (connected via SFP+ to switch) and WAN port via the first ethernet port (DHCP). The second ethernet port was configured for debugging in case the VLANs do not work. I've put in firewall rules for all VLAN networks to let traffic PASS to all networks (for now). NAT was enabled automatically as the second ethernet port was configured as "LAN".

This configuration works until it suddenly appears to be loosing packets. Websites no longer open, DNS does no longer resolve. The websites don't open for a few seconds/refreshes, after that it works again for a bit before it fails again. If I restart the firewall, it temporarily resolves the issue until it comes back. I've found out that resetting the "states" also resolves the issue, just like the restart. I've run Wireshark from my Windows PC and also done a packet capture from the WAN interface of OPNsense to get some more information on what is going on.

The main thing I could find out so far (with my limited knowledge) is that there are TCP packet retransmissions for SYN packets on OPNsense WAN port. It's not a general internet outage, other parallel connections continue to work smoothly (i.e. parallel video call). However I don't think TCP is the only issue. I am also seeing DNS timeouts when using public nameservers (1.1.1.1). For me it looks like the NAT port is opened when the request from LAN network is received, but is closed before any answer from WAN is received - retransmissions fail just as the first transmission. In the firewall sessions table I believe to have identified the outgoing ports in status CLOSED:SYN_SENT when this happens, but as the interface does not refresh that fast it could also be after the retransmissions. I have seen the problem appear both via the VLAN configuration as well as my "debug" port.

I am a bit clueless as I would not expect the NAT to need specific configuration, however as I said it's my first configuring an OPNsense firewall.

I had to revert the network setup a bit again to have the ISP router no longer "bridge" the public IP to my device but build a private network to enable internet connection again. But the OPNsense is running behind that and still producing the same issue.

Any help is very much appreciated, let me know what information I can provide.
Thank you all very much!
#6
When the system is booting, is this from room ambient, or is the thing already toasty when you reboot it?


This however only works when the OS is running. So depends where in boot stage it is.
nvmecontrol logpage -p 2 nvme0



    Poll it repeatedly (example: once per second, modify as needed as print command only prints the value, etc):

sh

while true; do
  nvmecontrol logpage -p 2 nvme0 | awk -F': ' '/Temperature:/{print $2; exit}'
  [ do some checks and actions here ]
  sleep 1
done
#7
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by BrandyWine - Today at 07:54:01 PM
You're troubleshooting while on old problematic NVM. Why?
Your 226's are five (5) revs behind. Start at step #1, update NVM.

Also a note for readers, in this thread the NVM is the 2MB version. 2MB versions have more features in it, makes me wonder if this issue is specific to the 2MB version?

v2.25
Bug Fix:
• HSD 13010560068: Link Flaps with Energy Efficient Ethernet Enabled

There's also a 2MB v2.27 and a v2.32 available.

Oddly from the billy curtis notes (fixes section), v2.22 states the link flap issue was fixed, but in v2.25 the same issue is fixed again.

Also to note, ASPM and EE are not the same. Best recommendation is to disable ASPM and then tune EE C states so that nothing can ever go 100% sleep.

EEE for igc can be done via sysctl
sysctl hw.igc.eee_setting=1
sysctl dev.igc.0.eee_control=1
sysctl dev.igc.1.eee_control=1

And I not sure why, I think this was mentioned by another user elsewhere, the logic is backwards in the actual c code. "1" means to disable (which should be default), and "0" means enable. I mentioned 802.3az in the other thread some time ago.

QuoteWhen EEE is enabled, the igc NIC uses the IEEE 802.3az "Energy Efficient Ethernet" behavior: during periods of low/no transmit activity it can reduce link power by entering Low Power Idle (LPI) (often coordinated with the switch/peer), then wake up quickly when traffic resumes. The goal is to cut power use during low utilization while keeping normal connectivity.
#8
Make that WAN also a tagged VLAN of your chosing, then connect an untagged switch port in that VLAN to the modem. If the ISP needs another tag, let the modem set it.

Don't mix tagged and untagged - especially when WAN and LAN are on the same port.
#9
The statistics column unhides when you press the Inspect button to show rule statistics.

My normal screen has 5120x2160. I can have two complete rule windows open side by side xD

Overprovisioning is a fix everywhere lol.
#10
Quote from: Greg_E on Today at 05:35:53 PMThere are ways to unlock the cards
IIRC at some point there was a certain DELL LSI based HBA that was very popular and the process was pretty much :
- Tape off certain PCIe pins.
- Flash general LSI Firmware + BOOT ROM.

And DONE! :)

Perhaps something like that applies to some of the Intel 10 Gbps NIC cards too ?!