Recent posts

#1
General Discussion / Re: Net-SNMP Layer 3 visibilit...
Last post by proctor - Today at 09:38:26 AM
Searched for that as well. The only hint I found [1] is the following:

"Layer 2 visibility covers physical connections: switch ports, VLANs, MAC addresses, and access point associations. Layer 3 visibility covers logical connections: IP addresses, routing paths, subnets, and gateway relationships. A tool that only provides Layer 3 maps cannot tell you which physical switch port a specific device is connected to. A tool that only provides Layer 2 maps cannot help you trace a routing problem."

[1]  https://blog.domotz.com/all/network-visualization-tools/  -  (search page for "Layer 3 Visibility")
#2
If your connection was still on PPPoE, it would blame that, but it is not.

I have tested the pure routing speed of N100-based OPNsense systems between VLANs to ~6 Gbps, so that should work.

With regard to the Windows 11 system, I have seen network drivers that needed tuning to exceed 1.5 Gbps on some network adapters, such as disabling interrupt moderation, enlarging buffer sizes or changing flow control settings.
#3
26.1, 26.4 Series / Re: Attempting to use IPv6 wit...
Last post by meyergru - Today at 08:27:23 AM
a. If your concern is to tighten security, you can use the client MAC to enforce rules.

b. If you aim to cause clients to use only the DHCPv6-assigned address for outbound access, you want to disable the "autonomous address-configuration flag" from RFC4862.

With Kea and RADVD, you must use "Managed" mode for the interface if you want DHCPv6, see this table. "Assisted" mode would allow for DHCPv6, but still allows the client to use privacy extensions. As I do not use DNSmasq, I cannot tell how to do it when it sends RAs by itself, but I guess it is documented.

c. You can also configure individual clients to disable privacy extensions completely.

That being said, I never tried nor verified it, because I actually want clients to use privacy extensions. If I want to control or limit a client, I do that regardless of the IPv6 address used, via its MAC (method a.). The only thing I can imagine is if you want to look into logs and identify the actual client involved.
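As an added illustration of the two RA modes meyergru describes (this is an added example, not text from the post and not OPNsense's own generated configuration), here is what the difference looks like in radvd.conf terms. The interface names vlan10 and vlan20 and the ULA prefixes are assumed placeholders. "Assisted" keeps the RFC 4862 autonomous flag on, so clients still build SLAAC and privacy addresses from the prefix alongside their DHCPv6 lease; "Managed" turns that flag off, so the only global address a conforming client configures is the one DHCPv6 hands out.

```conf
# Assumed interface vlan10, prefix fd10:10:10:10::/64 -- "Assisted" mode.
# M flag on: clients request addresses via DHCPv6.
# A flag on:  clients ALSO derive SLAAC/privacy addresses from the prefix,
#             which is exactly what the original poster wants to avoid.
interface vlan10
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    prefix fd10:10:10:10::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

# Assumed interface vlan20, prefix fd20:20:20:20::/64 -- "Managed" mode.
# M flag on:  addresses come from DHCPv6.
# A flag off: no SLAAC, so no temporary/privacy addresses from this prefix;
#             the prefix is still announced on-link so routing to it works.
interface vlan20
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    prefix fd20:20:20:20::/64
    {
        AdvOnLink on;
        AdvAutonomous off;
    };
};
```

A syntax check before reloading is `radvd -c -C /path/to/radvd.conf`. Note that this only governs what the router advertises: the link-local fe80::/10 addresses are formed independently of any RA and cannot be suppressed this way, and a client that ignores the A flag can still self-assign from the prefix, which is why meyergru's MAC-based rules (method a.) are the only enforcement that does not depend on client behaviour.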
#4
So, purely for information. I installed the very latest version of the plugin available at the moment (v3.0.0). Everything works fine, no problems, selective routing is present.

OPNsense 26.1.9-amd64
Amnezia v2.0 (I brought it up with this server: https://github.com/AlexisHW/amneziawg-web-ui/)
#6
When RSS is enabled,
net.inet.rss.enabled = 1
the kernel will override dispatch and always make it hybrid (so you can leave that tunable out if you are enabling RSS); you can verify my claim with netstat -Q:
net.isr.dispatch = hybrid
---

I tested a Protectli VP2440 with an N150 and i226 with Zenarmor and I was able to get 2.5 Gbps.

Using the X710 10G interface without Zenarmor, I was able to get 9.46 Gbps.

So I would think that the N100 could easily do 2 Gbps without IDS/IPS.

The tunables I used were (including installing the Intel Microcode plugin):
dev.hwpstate_intel.0.epp = 10
dev.hwpstate_intel.1.epp = 10
dev.hwpstate_intel.2.epp = 10
dev.hwpstate_intel.3.epp = 10
dev.igc.0.fc = 0
dev.igc.1.fc = 0
hw.acpi.cpu.cx_lowest = C2
hw.ibrs_disable = 1
net.inet.tcp.soreceive_stream = 1
net.isr.bindthreads = 1
net.isr.maxthreads = -1
vm.pmap.pcid_enabled = 0
vm.pmap.pti = 0

Note that I think the Intel Microcode plugin + vm.pmap.pcid_enabled = 0 is pretty much the gold standard with the N100/N150/N305 CPUs, as they have a bug in the FreeBSD kernel otherwise...

I did update my i226 firmware to v2.32, though I don't think that mattered.
#7
26.1, 26.4 Series / Attempting to use IPv6 with ma...
Last post by pasha-19 - Today at 03:21:35 AM
I have successfully set up an IPv6 DHCP server using both DNSmasq and Kea DHCPv6 (different interfaces/VLANs, not at the same time). Both assign the desired managed address and two more preferred addresses. However, my Windows PC, in addition to my managed address, shows addresses with my ULA prefix and, I guess, a MAC- or DUID-generated last 4 hextets for the address. The router addresses given are IPv6 link-local addresses (fe80::/10). I am attempting to write firewall rules and ACL rules on a switch. These non-managed addresses using my prefix, and the link-local addresses used after DHCP has assigned a managed address, are preventing me from knowing about my device based on my established subnets, which are based on managed DHCP and static address assignments. I know a link-local address is part of the IPv6 DHCP process and that is not my problem. I was hoping that after DHCP assigned a managed IP address, or after manual static IP addresses assigned by me, the subsequent traffic could be forced to use the managed address and not the link-local address or the MAC/DUID-generated value preceded by my chosen ULA-based /64 prefix. Does anyone know how to encourage the use of my managed addresses over the other UNMANAGED addresses? Is this possible? Does anyone have any suggestions?
#8
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by Ozymandias - June 06, 2026, 11:39:10 PM
Peaks at about 40%.

iperf3:
1.48 Gbits/sec from the router to a public server.
1.28 Gbits/sec from Win11 to the same public server.
1.60 Gbits/sec from Win11 to OPNsense iperf3 server.
2.37 Gbits/sec from Win11 to Unraid (N95) iperf3 server.
#9
Tutorials and FAQs / Re: HOWTO - Redirect all DNS R...
Last post by yourfriendarmando - June 06, 2026, 11:05:53 PM
Hi

I didn't realize the text was that mangled; it is difficult to express many FW rules at once.
I replaced it with a screenshot attached to that post.
I added the missing local_link alias referenced in this guide.
I also added the comprehensive list of dangerous ports that I prevent from accessing out on the internet.
#10
26.1, 26.4 Series / Re: Kea + Unbound + Bind for l...
Last post by allan - June 06, 2026, 10:38:39 PM
Good point. If I am considering a workaround, I should at least look at other options as well. Thanks for that suggestion.