Recent posts

#1

25.7, 25.10 Legacy Series / Re: About Unbound DNS wildcard...

Last post by LazyLamaLlama - Today at 07:28:32 PM

Hi @mangobiche, I signed up to the forum to say thank you for this solution. I had exactly the same problem and your trick with changing the internal domain solved this. Have you noticed any caveats of this choice?

#2

German - Deutsch / Re: Falsche Zuweisung der IPv6...

Last post by meyergru - Today at 07:13:39 PM

Die Wahrscheinlichkeit ist hoch, dass die statische vergebene IPv6 noch im gecachten Lease-File für eine andere DUID (Frage: nutzt Du wirklich die MAC die Zuordnung?) steht, dann klappt die statische Nutzung nicht mehr. Das ist einer der Gründe, wieso man die statischen und dynamischen Bereiche bei DHCP strikt trennen sollte.

Ich nutze für IPv6 ohnehin kein DHCP. und adressiere Clients im Netz nur per IPv4 (IPv6 wird nur outbound verwendet), siehe: https://forum.opnsense.org/index.php?topic=45822.0

#3

Hardware and Performance / Re: latencyspikes of seconds ...

Last post by thelittleblackbird - Today at 07:11:48 PM

I'd watch the live log (rule logging must be enabled) and make sure the ruleset is working as expected. (I'm lazy, and also look at the "Firewall States" dashboard widget for a total, as well as the "Sessions" and "States" GUI diags.) With so many rules I would not expect a functional loop. Also, "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad.

I didnt see anything in the vmstat, the irq rates didnt move higher in comparision with other tests.

to add some more confusion to this problem i did a small test with the speedtest-cli utility and got those results:
- the pf output is almost silent
- the cpu usage is < 15% for a 350 mbps line

in comparision when i use the webversion in a firefox i got this:
- pf is quite verbose (see attached file)
- the cpu goes to 100% in the interrupts

by the way, i realize that the cpu spikes happens when the test is finishing (closing/cleaning connections?)

is this level of RST and bad states messages normal?

#4

26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...

Last post by meyergru - Today at 07:04:32 PM

My clients are now only receiving the IPv4 addresses for my PiHole and OPNsense Unbound, in that order, and will fallback to the OPNsense server if the PiHole goes away for whatever reason.

AFAIK, this is a common misconception: There is no guaranteed order if you specify multiple DNS servers. A client may choose to send out the DNS queries in parallel and take the first answer. Thus, the order is arbitrary, so this is not a "fallback" in its strict sense. This exact behaviour can be detrimental for DNS blocking.

[DNSmasq & DHCP]

#5

German - Deutsch / Falsche Zuweisung der IPv6 Adr...

Last post by chrisfnf - Today at 07:00:12 PM

Hallo in die Runde,

ich habe das Problem, dass die IPv6 Adresse eines 'registrierten Hosts' falsch an diesen übertragen wird.

Ich verwende OPNsense 26.1.8_5 und benötige: VLAN Funktion, DHCP statisch und dynamisch im Dual-Stack Betrieb, DNS Namensauflösung. 
Das geht meines Verständnisses nach nur mit dem DNSmasq & DHCP Modul? (Ich bin fortgeschrittener Anfänger und habe keine Expertenkenntnisse mit OPNsense)

In DNSmasq & DHCP habe ich die IPv4, die IPv6 und die MAC Adresse des jeweilgen Geräts eingetragen; in /etc/network/interfaces der Geräte habe ich 'iface enp2s0 inet6 dhcp' hinzugefügt.

Statt der IPv6 Adresse xxxx:x:xxx:f64::35 wird die Adresse xxxx:x:xxx:f64:af vergeben und auch so in den IPv6 Leases augelistet. Die Lupe im Lease Fenster führt zurück auf die 'Hosts' Seite wo die Adressen richtig eingetragen sind.

Folgende Aktionen habe ich zur Fehlerhebung durchgeführt:
- Dienst neu starten
- OPNsense Modul (POKINI F2 Einplatinenrechner) neu starten
- in Unbound-DNS
    - Statische DHCP-Zuweisungen registrieren aktiviert
    - DNS-Cache beim Neustart leeren aktiviert
   dann neu starten

Leider hat davon nichts geholfen

Ist euch dieses Verhalten bekannt und hat jemand eine Lösung dafür?

Danke vorab.

#6

26.1, 26,4 Series / Re: WAN interface passing to p...

Last post by meyergru - Today at 06:56:36 PM

Why do you prefer the null routes solution?

That has been discussed in this thread: https://forum.opnsense.org/index.php?topic=50678 - essentially, with "out" rules, you may forget that you actually have RFC1918 IPs you want to reach on WAN, whereas with null routes, that works out of the box. Also, note the "disable reply-to" problem here: https://forum.opnsense.org/index.php?msg=258978

On the other hand, you are correct in that you will see nothing the logs, for this is routing, not a firewall rule.

#7

Virtual private networks / Re: Wireguard site to site fil...

Last post by meyergru - Today at 06:47:33 PM

By RSS, I meant: https://docs.opnsense.org/troubleshooting/performance.html, which is also referenced in the READ ME FIRST article. In order to make it work under Proxmox, you nee to enable it on both OpnSense and Proxmox (aka "multiqueue").

However, as said, with Wireguard, out-of-order packets may result that could also give lower performance.

#8

26.1, 26,4 Series / Re: WAN interface passing to p...

Last post by keeka - Today at 06:43:23 PM

I went with the out rule on the WAN blocking destination RFC1918. Why do you prefer the null routes solution?
AISI a firewall rule, with logging enabled, can at least alert you to what is probably unexpected traffic.
Using that approach, the two instances of unexpected RFC1918 I have so far encountered are leaked docker network IPs and a phone app looking for an IOT device at its default address when it could not find it on the expected IP.

#9

26.1, 26,4 Series / Re: WAN interface passing to p...

Last post by nero355 - Today at 06:35:22 PM

That they would block this kind of traffic but apparently do not ?!?!

Not going out the interface, only in...

I get that, but the question is : Why not ?!

Would it be reasonable to ask the OPNsense developers to add that to those options or perhaps create additional ones for Outgoing Traffic ??

#10

26.1, 26,4 Series / Re: WAN interface passing to p...

Last post by meyergru - Today at 06:31:15 PM

That they would block this kind of traffic but apparently do not ?!?!

Not going out the interface, only in...