Recent posts

#1
26.1 Series / Re: DHCP Stopped Tagging Lease...
Last post by mtowagb - Today at 12:11:40 AM
I suspect this is happening due to a configuration file on a partition that is not deleted by the OS installation process, but I have to figure out which one that is exactly.
#2
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by OPNenthu - March 31, 2026, 11:57:40 PM
Quote from: nero355 on March 31, 2026, 03:08:28 PM
Quote from: OPNenthu on March 31, 2026, 12:21:20 AM
Quote from: nero355 on March 30, 2026, 11:00:56 PM
Podman is just an alternative to Docker and something I don't feel like maintaining either :)
That's the beauty of it: you don't manage anything.  It manages itself, including updates.  You don't touch a thing on the OS.  From the user perspective it's just an app installer.  You run it.  It installs UOS.  Done.

That wasn't the case in the past.  You needed to install and maintain Docker yourself, as well as each container (MongoDB, Network) and their connections.
It's the same crap like with Docker : https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md

I don't need those additional Network Interfaces on my Host ;)

There are none.  It doesn't change anything on your host network and what you'll see in 'ip a' is the same as what you had before.  It listens on the host IP rather than some internal 172.x address like what Docker does with virtual interfaces.

This is all I see on my UOS VM:

$ ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    altname enp0s18
    altname enxbc2411e2f30a
    inet 192.168.1.116/24 brd 192.168.1.255 scope global dynamic noprefixroute ens18
       valid_lft 73385sec preferred_lft 58071se

Just add the host IP to DNS as 'unifi.' and you're done.  Maybe also open the needed host firewall ports.

The entire UOS stack is hidden from you in its own podman context.  You don't interact with it.  Just install it in a VM and see.

Maybe this from ChatGPT explains it best:

Quote
UniFi OS isn't just "Podman + containers"—it's a full appliance OS. It uses its own management layer to:

  • deploy containers
  • restart them
  • control networking
  • enforce updates

So even though Podman is underneath, you're not meant to interact with it directly like a normal host.
#3
Tutorials and FAQs / Re: IPv6 Control Plane with FQ...
Last post by OPNenthu - March 31, 2026, 11:17:02 PM
BTW, I don't find an obvious issue with the ACK rules.  Do you spot anything?

The first rule (sequence 1) is the one in question.  The only difference between it and the upload ACK rule (sequence 6) is the 'Direction': in vs. out.  Both are positioned before any other rules.
#4
Tutorials and FAQs / Re: IPv6 Control Plane with FQ...
Last post by OPNenthu - March 31, 2026, 10:27:48 PM
Here is the full image of that cropped one in my post.  This was before I reduced the download pipe, so at this point I was experiencing stalls.  Note that even setting the pipe a bit lower, for example 850Mbps, did not resolve the stalling.


(As an aside, it appears that my Download queues have an error that I only just realized after comparing with yours.  The download data went to the ACK queue.  I need to debug this, but at least the queues have equal priority on the pipe so that shouldn't affect the outcome I think.)

My plan wasn't originally 1000/35.  It was something like 800/35, IIRC, but while on a support call a couple months ago the agent offered me a free increase to "gigabit."  Unfortunately they only increased the downstream.  So I wonder if the originally designed plan was better balanced overall.

Quote from: meyergru on March 31, 2026, 10:40:08 AM
I can imagine two things that may shift the results:

1. With TCP ACKs, you can have pure ACKs and SACKs, so the number of packets used can be severely lower than the number of data packets. That is obviously the case in my test. You did not show the downstream part of your test, so we cannot know if SACK was used, which would be dependent on the client.

I don't know much about this.  How can you tell if SACKs are used from the screenshot? 

Quote
2. Regardless of the net data being transferred, pure ACK packets are way shorter than data packets, so they incur a larger overhead, so the net data results may not mirror the real bandwidths used.

I'm not sure what my numbers show but if the data is accurate, it appears that the theoretical maximum of 4% is being exceeded by at least a factor of 2x.
#5
Virtual private networks / Re: RESOLVED: Issues with new ...
Last post by mrzaz - March 31, 2026, 10:22:40 PM
I made a quick little lazy for this if anyone else needs it.  :-)

//Danne
#6
General Discussion / Re: Why I am retiring from con...
Last post by chrcoluk - March 31, 2026, 10:07:41 PM
Nope, can't volunteer, so basically it sounds like it's still not clear if it's properly resolved upstream. My view is, if it isn't regression tested, it shouldn't have been committed in the first place, which aligns with the view that Dok posted.

So another broken network path in FreeBSD potentially lasting several years and multi generations of release.  At least OPNsense has backed it out.

I do feel the decision all those years ago to keep the custom multi-threaded PF over keeping up with OpenBSD PF has continued to haunt FreeBSD.  This situation is part of that fallout with picking specific patches from OpenBSD in the hope of fixing it on FreeBSD.  A Frankenstein PF.  I did mention this on reddit not that long ago and ironically the guy who responded to me quite angrily is the same person making the commits in that big report.  He really did not like me mentioning that.
#7
Virtual private networks / WireGuard local DNS resolution
Last post by donee - March 31, 2026, 10:03:05 PM
I am able to connect to my WireGuard VPN.  I can get to the internet.  I can get to services behind the Wireguard VPN via IP but not by name. How do I get name resolution for services behind the router to work when on the WireGuard VPN?
I followed the how to https://docs.opnsense.org/manual/how-tos/wireguard-client.html
#8
General Discussion / Re: Which trigger for new IPv6...
Last post by drosophila - March 31, 2026, 09:06:19 PM
Quote from: meyergru on March 31, 2026, 08:57:26 PM
There are many dynamic DNS providers that are capable of chopping off the lower bits and only change the prefix to the incoming connection.
Thanks for the hint, I will see if the one I chose (dynv6.com) will do that, which would alleviate the DynDNS issue. If it doesn't, I'll ask what you're using. ;)

However, I'd still need to reorder the addresses in a timely manner to make Voldemort use the correct PEA. :(

Oh, almost forgot: the reordering also breaks the Gateway monitor, which will, for whatever reason, show 100% loss for IPv6 even though the GW is perfectly reachable on the specified ULA address. I guess I'll just throw that out to make space for more important bits in the dashboard, but it shouldn't even be affected by this in the first place...?
#9
Virtual private networks / Re: Issues with new "IPSec" ve...
Last post by mrzaz - March 31, 2026, 09:03:23 PM
Quote from: viragomann on March 30, 2026, 09:21:24 PM
Quote from: mrzaz on March 29, 2026, 11:10:16 PM
You only have the following in PSK setting:
Local Identifier    Here I use my WAN IP.
Remote Identifier    Here I use a Distinguished name (same as used in legacy Distinguished name and is a xxx.yyy.zz domain name)
Pre-Shared Key      Our joint and unique PSK as set in both ends.
Type                PSK

There is really no "Id" to specify here apart from Local and Remote identifier.
The ID settings in question are in the local and remote authentication settings. ID is short for identifier.

In the local specify the same string as the local identifier in the PSK.
And in the remote the same as remote identifier.


I think that did the trick.  :-)
I used the same
PSK Local Identifier = xx.xx.xx.xx IP    -> Local Auth ID = xx.xx.xx.xx IP
PSK Remote Identifier = xxx.domain.com   -> Remote Auth ID = xxx.domain.com

and now the link came up OK.  :-)

Thanks so much for the help.   I have been using computers for ages and IPSec
for a long time but you never get too old to learn something new. :-)
I understood it was something simple, it is just to get how the new setup works
so I could work with it and not against it.

It is good that I could remove the old legacy connections and use the new StrongSwan Connections.

Anyway, thanks SO much for your input and help. Really appreciated.

Best regards
Dan Lundqvist
#10
General Discussion / Re: Which trigger for new IPv6...
Last post by meyergru - March 31, 2026, 08:57:26 PM
I do that completely differently: Whatever the outbound IPv6 is, it will always have the same /56 prefix, because I use IA_NA only.

Thus, the lower 68 Bits consist of the interface ID + 64 bits of whatever any client or OpnSense has. In order to make services available, it is best to refrain from privacy addresses (because they change!) and use the (fixed) EUI-64 part. There are many dynamic DNS providers that are capable of chopping off the lower bits and only change the prefix to the incoming connection. I happen to use my own.

Thus, they keep whatever you manually configure the lower bits to be. This makes it possible to have dynamic DNS updates done by OpnSense "in lieu" of any client.
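The prefix-swap step meyergru describes (keep the manually configured lower bits, replace only the prefix with the one seen on the incoming update connection) as an added Python example. This is not the poster's own updater nor any dynamic DNS provider's code; the /56 prefix length, the sample addresses and the function names are assumptions made for the illustration. It also applies the post's two cautions as checks: it refuses to publish a configured address whose interface ID does not look like a fixed EUI-64 one (privacy addresses change), and it ignores update sources that carry a ULA or link-local address, since those cannot supply the public prefix.

```python
import ipaddress

# Assumed delegated prefix length, as in the post (/56).
PREFIX_LEN = 56
ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses, never public


def looks_like_eui64(addr: str) -> bool:
    """True if the interface ID carries the ff:fe marker of a modified EUI-64.

    RFC 4941 privacy addresses use random interface IDs, so they almost never
    have this marker; the post recommends publishing only the fixed EUI-64
    address, so the updater refuses anything else.
    """
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def prefix_source_ok(observed: str) -> bool:
    """Reject update sources whose address cannot carry the public prefix."""
    a = ipaddress.IPv6Address(observed)
    return not (a.is_link_local or a.is_loopback or a in ULA)


def replace_prefix(configured: str, observed: str,
                   prefix_len: int = PREFIX_LEN) -> str:
    """Return `configured` with its top `prefix_len` bits taken from `observed`.

    `configured` holds what the admin set by hand: the subnet bits below the
    delegated prefix plus the EUI-64 interface ID.  `observed` is the source
    address of the update request, which carries the currently delegated prefix.
    """
    cfg = int(ipaddress.IPv6Address(configured))
    obs = int(ipaddress.IPv6Address(observed))
    host_mask = (1 << (128 - prefix_len)) - 1      # bits the admin controls
    merged = (obs & ~host_mask) | (cfg & host_mask)
    return str(ipaddress.IPv6Address(merged))


def build_update(configured: str, observed: str):
    """Decide what the AAAA record should become, or return the reason not to."""
    if not prefix_source_ok(observed):
        return None, "update source is not a global address"
    if not looks_like_eui64(configured):
        return None, "configured address is not an EUI-64 address"
    return replace_prefix(configured, observed), "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation range, not real hosts).
    stored = "2001:db8:1:2300:211:22ff:fe33:4455"   # admin-configured address
    seen = "2001:db8:ffff:4577::1"                 # source of today's update
    print(build_update(stored, seen))
```

Only the first 56 bits change, so a service living in subnet `00` of the delegation keeps that subnet and its interface ID even when the update arrives from another subnet (`77` above) inside the same delegation. Rejecting ULA sources matters because a client that reaches the updater over its ULA address would otherwise publish an unroutable prefix, which mirrors the gateway-monitor confusion drosophila reports earlier in this thread.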