Recent posts

#1
Hardware and Performance / Re: N150 / N355 good fits?
Last post by BrandyWine - Today at 06:15:24 AM
If you take the buy-once approach, the i5 would be my choice. Better to have the bigger/better engine for when the wheels get onto the autobahn. ;)
#2
Hardware and Performance / Re: N150 / N355 good fits?
Last post by pfry - Today at 05:57:37 AM
Do you have a temperature constraint? Because you have enough equipment to make the contribution from any single device... less significant.

I'm going to have to stick a window A/C in my equipment room (to supplement the main system), but I'm in Texas, where the average high is about 35C in the summer. But then power is $.15/kWh.
#3
General Discussion / Re: DNS Unbound Issue
Last post by Gizmo - Today at 03:38:48 AM
Can anyone help? I've tried everything bar reverting back to an old config, which I'd rather avoid.

It's highly consistent across all devices: the internet will now only work when connected to Nord VPN via the app on all private networks other than the IOT network.

I'm wondering if switching from KEA to DNSMASQ would help?
#4
25.7, 25.10 Series / Re: Upgraded acme.sh package i...
Last post by MarcHintz - Today at 02:29:54 AM
Quote from: benyamin on October 07, 2025, 12:31:36 AM
Managed via https://github.com/opnsense/plugins/issues/4964

Marking as solved.
The information you shared is very useful, thank you.
#5
25.7, 25.10 Series / Re: LCP negotiation with MRU o...
Last post by hharry - November 23, 2025, 11:55:07 PM
I can confirm the OP's point here. I was able to re-create the issue in LAB and can clearly see the received PPPoE server's MRU = 1472; however, whilst OPNsense LCP acks the PPPoE server's MRU, OPNsense then just defaults to a PPPoE interface MTU = 1492.


Below you can clearly see the PPPoE server's LCP advertised MRU = 1472, which OPNsense LCP acks.

PPPoE server MAC address in below tcpdump == 00:0c:29:2a:de:ad

OPNsense PPPoE client interface MAC address == 00:0c:29:55:0d:8a


root@OPNsense_LAB:~ # tcpdump -nevi vmx0
tcpdump: listening on vmx0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:05:48.180841 00:0c:29:55:0d:8a > ff:ff:ff:ff:ff:ff, ethertype PPPoE D (0x8863), length 36: PPPoE PADI [Host-Uniq 0x40517C3B00F8FFFF] [Service-Name]
08:05:48.201268 00:0c:29:2a:de:ad > 00:0c:29:55:0d:8a, ethertype PPPoE D (0x8863), length 74: PPPoE PADO [AC-Name "VYOS03"] [Service-Name] [AC-Cookie 0x7A9041E0E45617BFDABF9F34EF35229B4B7E454C99D2D63C] [Host-Uniq 0x40517C3B00F8FFFF]
08:05:48.201293 00:0c:29:55:0d:8a > 00:0c:29:2a:de:ad, ethertype PPPoE D (0x8863), length 74: PPPoE PADR [Host-Uniq 0x40517C3B00F8FFFF] [AC-Cookie 0x7A9041E0E45617BFDABF9F34EF35229B4B7E454C99D2D63C] [AC-Name "VYOS03"] [Service-Name]
08:05:48.221657 00:0c:29:2a:de:ad > 00:0c:29:55:0d:8a, ethertype PPPoE D (0x8863), length 60: PPPoE PADS [ses 0x180] [AC-Name "VYOS03"] [Service-Name] [Host-Uniq 0x40517C3B00F8FFFF]
08:05:48.221879 00:0c:29:55:0d:8a > 00:0c:29:2a:de:ad, ethertype PPPoE S (0x8864), length 36: PPPoE  [ses 0x180] LCP (0xc021), length 16: LCP, Conf-Request (0x01), id 1, length 16
        encoded length 14 (=Option(s) length 10)
          MRU Option (0x01), length 4: 1492
          Magic-Num Option (0x05), length 6: 0xcb840b5a
08:05:48.221932 00:0c:29:2a:de:ad > 00:0c:29:55:0d:8a, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0x180] LCP (0xc021), length 21: LCP, Conf-Request (0x01), id 137, length 21
        encoded length 19 (=Option(s) length 15)
          Auth-Prot Option (0x03), length 5: CHAP, MD5
          MRU Option (0x01), length 4: 1472
          Magic-Num Option (0x05), length 6: 0x5a0802f3
08:05:48.222042 00:0c:29:55:0d:8a > 00:0c:29:2a:de:ad, ethertype PPPoE S (0x8864), length 41: PPPoE  [ses 0x180] LCP (0xc021), length 21: LCP, Conf-Ack (0x02), id 137, length 21
        encoded length 19 (=Option(s) length 15)
          Auth-Prot Option (0x03), length 5: CHAP, MD5
          MRU Option (0x01), length 4: 1472
          Magic-Num Option (0x05), length 6: 0x5a0802f3
08:05:48.242128 00:0c:29:2a:de:ad > 00:0c:29:55:0d:8a, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0x180] LCP (0xc021), length 16: LCP, Conf-Ack (0x02), id 1, length 16
        encoded length 14 (=Option(s) length 10)
          MRU Option (0x01), length 4: 1492
          Magic-Num Option (0x05), length 6: 0xcb840b5a



Operationally, the PPPoE interface MTU on OPNsense still defaults to 1492, despite LCP ack'ing the remote PPPoE server's MRU = 1472:
root@OPNsense_LAB:~ # ifconfig
pppoe1: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN (wan)
        options=0
        inet 192.168.40.1 --> 192.168.40.254 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


OPNsense is not handling any VLANs in the above example! All VLAN handling is performed in ESXi vSwitch port groups...

Most vendors consider such behavior a clear and repeatable defect, needing fixing!
#6
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by Gh0sti - November 23, 2025, 11:10:56 PM
You are quoting the theory of the RFC, and you are partly right about that, but it misses what I am describing as the problem.
In it, of course, the DNS that answers faster should be used. But I do NOT want that. I want the Lancache to get the first request, and if it is not reachable, the request should go to the OpnSense.
The fact is that with ISC, setting the order worked flawlessly!
And that the Windows clients, ALL of them in my network, adopted it that way too. THAT IS A FACT.
So it is only with KEA that it does NOT work.
#7
Hardware and Performance / Re: N150 / N355 good fits?
Last post by Billy2010 - November 23, 2025, 10:07:35 PM
That would be big news, so I assume they don't.
But let's anticipate they eventually might do so.

I do want that IDS/IPS.

CWWK also has these other boards.
Based on an i5 1335u, which should run at 15W.
And an i7 155h at 28W. I find this a bit much but "maybe ok"; it also has a 4x sfp+/4x 2.5G.

Pricewise that 155h starts to move up to that of a minisforum a2 but the latter draws 100W.

 
#8
Hardware and Performance / Re: N150 / N355 good fits?
Last post by meyergru - November 23, 2025, 09:23:08 PM
IDK if zenarmor has finally made the jump to being multithreaded, there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed).
#9
General Discussion / Re: GUI/Shell crashing
Last post by meyergru - November 23, 2025, 09:17:59 PM
I really do not know.
#10
25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...
Last post by Patrick M. Hausen - November 23, 2025, 09:07:21 PM
Quote from: johnmcallister on November 23, 2025, 08:56:02 PM
*cough* that said, it sure would be nice to be able to copy-and-paste firewall rules between interfaces, say, by ticking the rule-selector checkbox and clicking "copy to Interface X"...

Click the "duplicate" symbol to the right, change interface in the opened rule edit dialog, possibly change some more things like source from "interface1 net" to "interface2 net", save, done. The UI will even take you to the "interface2" rules instead of where you started.