Recent posts

#1
General Discussion / Re: Intermittent traffic drops
Last post by issuing_scone - Today at 10:44:51 PM
Solution was simple and an oversight on my part.

I had created a NAT outbound rule for LAN devices, but I had forgotten to make one for WireGuard devices. The reason the result was intermittent was because the firewall was allowing traffic until sessions died, at which point it would begin blocking attempts to renew sessions that were expired.

While Live View showed traffic being blocked by the default deny rule on the VPN interface, that stopped when the NAT outbound rule was made.
#2
General Discussion / Re: Stop automatic default rou...
Last post by franco - Today at 10:22:43 PM
"force down" isn't about fbsd at all, it's a sense thing that came to be with the gateway monitoring and is effectively labelled incorrectly. It's more of a "do not use for automation" flag with the twist that it blanks the status for the gateway. Won't be easy to clean this up.  ;)


Cheers,
Franco
#3
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by martine - Today at 08:39:35 PM
Thank you very much for your help; I will try the suggestion with the VLANs.
#4
It's the safest and most robust setting. TCP checksum offloading for instance doesn't make sense in a router anyway, only in endpoints of a network connection.
#5
Hardware and Performance / DEC4280 Interfaces Settings Di...
Last post by FD-Tim - Today at 07:43:44 PM
Hello,
We use two DEC4280 as HA with CARP. I just found out that all three checkboxes to disable hardware offload are set by default on this factory image. Do you know why?
For the Forum search the full texts:
  • Disable hardware checksum offload (i) Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs.
  • Disable hardware TCP segmentation offload (i) Checking this option will disable hardware TCP segmentation offloading (TSO, TSO4, TSO6). This offloading is broken in some hardware drivers, and may impact performance with some specific NICs.
  • Disable hardware large receive offload (i) Checking this option will disable hardware large receive offloading (LRO). This offloading is broken in some hardware drivers, and may impact performance with some specific NICs.
Help site: https://docs.opnsense.org/manual/interfaces_settings.html
#6
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - Today at 07:03:14 PM
If anyone is interested, I did successfully upgrade the i226-V's in a DEC750 to 2.32.

I used the 1MB bin file from BrandyWine.

All 5 of the DEC750s I ordered had the 2.25 EEPROM by default, and all have been successfully upgraded to 2.32, and had a bit of a hammer test. All seem to work fine.

I'm sure some of you are asking.....why?

I guess because I can. I just like to make sure that all BIOS and other firmware is up to date before putting it into prod.

I'm sure someone might be interested, but if not, I've at least shared it's possible. :)
#7
Screenshot 3: I would turn off DNS within dnsmasq. Change listen port to 0. You also do not need DNSSEC enabled if using Quad9.

I use Unbound and it works 100% reliably.

I set up DNS over TLS for Quad9 or similar products though.
#8
General Discussion / Re: Stop automatic default rou...
Last post by Seimus - Today at 06:07:40 PM
I tested the GW and behavior because it's an interesting topic, and the use case the OP has is often used for BGP.

GW = disabled
GW itself or any static routes with this GW will not be in the route table | GW is still selectable in FW for PBR = no traffic will be routed to it

GW = force disabled
GW itself appears in the routing table, as does any static route with this GW | GW selectable in Rules PBR = traffic is routed

Honestly, I have no clue what this Force Disable should actually do in fbsd, but per the behavior I have seen, it smells like it's to remove it from the default route selection.

Regards,
S.
#9
General Discussion / Re: Stop automatic default rou...
Last post by Seimus - Today at 05:33:59 PM
You can also delete the routes in the table directly. If there are no statics/active GW for those statics when you delete them from the RIB, they will not be populated back.

Regards,
S.
#10
25.7, 25.10 Series / DNSmasq and Unbound Peacefully...
Last post by spetrillo - Today at 05:10:43 PM
Hello all,

I made the move to DNSmasq for local DNS and DHCP services, with Unbound as my authoritative server that looks at Quad9 on the Internet. Attached is my Dnsmasq config and Unbound config. Am I missing anything in the configs? Lastly I am using the DNSSEC services from Quad9. When I try to hit their URL for this I get back an unable to parse request message. Does this mean I do not have DNSSEC configured correctly?

Thanks,
Steve