Recent posts

#1
German - Deutsch / Speedtest results to Home A...
Last post by mzurhorst - Today at 07:41:40 PM
Hello everyone.

For three years I have had OPNsense run a speed test several times a day, and the results are happily being collected in the firewall.
But I have just noticed, to my alarm, that I have had a significant drop in download speed for several weeks now.
It was apparently not dramatic enough that I would ever have looked at it in the firewall. The internet sometimes felt a bit sluggish, but never bad enough that I had the time or the urgent need to deal with it right then.

Long story short: how can I use these measurements in some automated way for notifications?
Home Assistant would be my first choice, because I have everything at hand there to create the notifications and automations as I like.

Does anyone have an idea? Or has perhaps even done this before?

Thanks & regards,
   Marcus
#2
26.1, 26,4 Series / Re: KEA is still a mess IMHO
Last post by Monviech (Cedrik) - Today at 07:24:09 PM
Can we let this thread die now please? It's not about KEA anymore. For general discussions about IPv6 please open a new thread.

Since I develop a lot in the current KEA implementation I'd like actionable tickets that can be solved.

Thank you :)
#3
General Discussion / Re: Help with GeoIP and csv fo...
Last post by meyergru - Today at 07:13:05 PM
Because ip66.dev is what the OP mentioned. IPinfo was thrown into the mix only after that.

As I said, I only thought that the ASN columns were needed. In fact, they are not from the GeoIP data at all. It was all down to having to set the HTTP header if you want to coerce OPNsense to read a .csv.gz file like the one from IPinfo.
#4
@meyergru If you run your own local Elastiflow instance you can enrich the data with Maxmind's GeoIP info by configuring the flow collector like so:

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE: "true"
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH: /etc/elastiflow/maxmind/GeoLite2-ASN.mmdb

As you can see the configuration points to the full path to the database file. The setup of acquiring that file and regular updates is completely outside of Elastiflow and in my case handled by the geoipupdate package on Ubuntu.

Question is: does IPinfo use the same file format and can I replace the Maxmind database with the IPinfo one?

If not, are there tools to convert?

I don't understand why you bring in IP66 - I don't even know what that is ;-)

Kind regards,
Patrick
#5
26.1, 26,4 Series / Re: ping: sendto: Invalid argu...
Last post by ajr - Today at 06:47:42 PM
Quote from: viragomann on Today at 10:46:22 AM
Quote from: ajr on Today at 09:41:54 AM
tcpdump does not show any packets on the WAN interface so I do not know the sender address.
Any source address in packets stemming from 127.0.0.0/8 is translated to the CARP VIP on the WAN due to your rule. So it's obvious that you cannot see any IP of this subnet.^^


So I try this:
root@opn1:~ # pfctl -s nat
no nat proto carp all
nat on igb1 inet from ! <opn1_igb1_plus_lo_addr> to any -> 192.168.178.2 port 1024:65535
nat on igb1 inet from <opn1_igb1_plus_lo_addr> to any -> <opn1_igb1_address> port 1024:65535 round-robin
root@opn1:~ # pfctl -T show -t opn1_igb1_address
   192.168.178.11
root@opn1:~ # pfctl -T show -t opn1_igb1_plus_lo_addr
   127.0.0.0/8
   192.168.178.11
192.168.178.11 is the interface address and 192.168.178.2 is the VIP.

Any comments ?
#6
26.1, 26,4 Series / Re: ping: sendto: Invalid argu...
Last post by nero355 - Today at 06:07:06 PM
Quote from: ajr on May 09, 2026, 07:37:28 PM
192.168.178.1 is DSL Router.
Sounds like a 'NAT behind NAT' setup behind a Fritz!Box Modem/Router ??

Why not replace it with something like a DrayTek Vigor 167 (or whatever the latest model is) to avoid potential Double NAT issues ?!
#7
26.1, 26,4 Series / Re: KEA is still a mess IMHO
Last post by OPNenthu - Today at 05:53:36 PM
Sorry guys, it's not a safe bet that there will always be an EUI-64 address present.  I agree there will be a stable address, but it can be what's known as a 'stable privacy' address not related to the MAC and thus not able to be guessed by Dnsmasq.

For example:

3: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 24:xx:xx:xx:77:cd brd ff:ff:ff:ff:ff:ff
    inet 172.21.30.100/24 brd 172.21.30.255 scope global dynamic noprefixroute enp10s0
       valid_lft 77087sec preferred_lft 77087sec
    inet6 fd5a:xxxx:xxxx:1003:5dec:dd53:a78e:2964/64 scope global temporary dynamic
       valid_lft 86375sec preferred_lft 76947sec
    inet6 fd5a:xxxx:xxxx:1003:xxxx:610f:948:xxxx/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86375sec preferred_lft 86375sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

The management address here ("mngtmpaddr") does not have the signature "ff:fe" bits in the host part and the 'tmp' in the name gives it away.  The host is using this:

You cannot view this attachment.

"EUI64" is the other option on the drop-down menu, but they are mutually exclusive.
#8
26.1, 26,4 Series / Re: KEA is still a mess IMHO
Last post by nero355 - Today at 05:50:45 PM
Quote from: meyergru on Today at 05:08:23 PM
Even if it does use privacy extensions, it will most probably have an EUI-64-based management IPv6. I have never seen any client using privacy extensions with no management IP as well. As the name suggests: Those are extensions, which means those addresses are used "on top" of any other assigned IP for outbound connections only.

Thus, for addressability, you can always use the management EUI-64 IP.
That's how I have always understood the whole Privacy Extension thing to work too, but I never got to use it so far because my last two ISPs didn't/don't have IPv6 sadly :)
#9
Virtual private networks / Re: restart wireguard service
Last post by FredFresh - Today at 05:35:28 PM
@chemlud did you try to traceroute to the proton peer IP? (10.2.0.1). Usually that solves your issue.
#10
Virtual private networks / Re: restart wireguard service
Last post by chemlud - Today at 05:29:59 PM
Have this cron job for DNS-resolution for stale WG tunnels for years, working fine in general. But not in this case. Only way to resolve after reboot: Obtain a fresh WAN IP (DHCP) by changing MAC of WAN interface. Otherwise this one specific tunnel won't come back after reboot. Very, very, very annoying. Had been doing fine for years.