Recent posts

Pages1 2 3 ... 10
#1
26.1, 26,4 Series / Re: 26.1 upgrade chaos, Realte...
Last post by computer_freak_8 - Today at 01:40:01 AM
Quote from: newsense on June 04, 2026, 05:42:18 PMdownload os-Realtek-re and realtek kmod packages from here, copy on a stick and install manually


http://pkg.opnsense.org/FreeBSD:14:amd64/26.1/MINT/26.1/latest/All/


Thank you for this link. I was able to download and install this package (also had to download and install the realtek-re-kmod package first, as "pkg add" complained about it as a prerequisite/dependency).

HOWEVER, there was no change. I even rebooted, but still can not get any link/activity light from either the switch or the NIC with OPNsense 26.1 installed. (on old_hardware)

Testing 26.1 with the same config on new_hardware, and it works just fine with both versions of the Realtek driver (the included driver and the proprietary driver).

After reinstalling 25.7 on the old_hardware (minus HDD), and loading up the same config, it works. I haven't even installed the os-realtek-re package yet.

What changed from 25.7 to 26.1 that would have COMPLETELY broken my Realtek driver in my firewall (old_hardware), but not other Realtek chips (new_hardware)? If I do a ctrl+f on this page, nothing shows up for "real":
https://docs.opnsense.org/releases/CE_26.1.html

So I'm at a loss.

In cased it's useful, I ran this:
Code Select
# pciconf -lv | grep -B3 network
re0@pci0:3:0:0:    class=0x020000 rev=0x06 hdr=0x00 vendor=0x10ec device=0x8168 subvendor=0x1043 subdevice=0x8432
    vendor    = 'Realtek Semiconductor Co., Ltd.'
    device    = 'RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller'
    class      = network
#2
26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...
Last post by allan - Today at 12:40:02 AM
I felt brave and decided to bite the bullet. After about 12 hours, I didn't get it all working so I caught a little hell from my wife. 😬 I think I finally got most of the fires out so below are my notes:

  • I decided to break out my different VLANs (e.g. IoT) into their own forward zones. I used sub-zones in the format vlan.domain.tld. This method makes it easier to troubleshoot.
  • Uncheck Register ISC DHCP4 Leases and Register DHCP Static Mappings under Services > Unbound > General to avoid creating entries in Unbound since I still have ISC dhcpd installed.
  • Restarting Bind caused the zone reload to fail with journal rollforward failed: journal out of sync with zone errors in the Bind log. I used rndc sync -clean to clear out the *.jnl files before restarting. I need to find a better way since I lose DDNS entries without the journal.
  • Under each Kea subnet DDNS setting, I had to end the forward and reverse zones, and qualifying suffix fields with a dot (.). Otherwise, Bind could not find the correct zone to update.
  • I got DDNS update failures with 'RRset exists (value dependent)' errors in Bind for devices that are IPv4+IPv6 dual stack. I think this is due to both using the same DHCID and it became a race to create the first record. I set no-check-with-dhcid in each Kea subnet to fix it.
  • My gateway was named "gw.vlan.domain.tld". Even when Unbound is set to forward all vlan.domain.tld queries to Bind, it refused to forward this one. I had to change my gateway domain name under System > Settings > General > Domain to something else.
  • Some devices (OpenWRT) only send host names to Kea. This is what "DNS qualifying suffix" was supposed to fix. That setting worked for IPv4 but not IPv6; maybe OpenWRT sent FQDNs on IPv4 but I did not check. Kea logs showed No DNS servers match FQDN hostname. Reserving their IPv6 address fixed it. I think this issue is with upstream but that requires confirmation. Any IPv6 lease that is not FQDN under the Hostname column needs this reservation.
  • I used dig @x.x.x.x -p 53530 name to query Bind directly. Otherwise, I got Unbound's cached entry.
  • Once everything is confirmed to work, I set Bind to listen on 127.0.0.1 and ::1 so networks cannot query it directly.

So far so good. I had to create some CNAME records for our printer and SIP proxy. This gets Windows and desk phone working until I get time to reconfigure them and switch to using their IoT names instead.

#3
26.1, 26,4 Series / Re: This makes me want to cry!...
Last post by nero355 - June 07, 2026, 11:37:08 PM
Quote from: tschips on June 07, 2026, 10:10:20 PMBut I ran out of ideas how to identify these problems?

Any suggestions what to look for or which logs might be helpful?
Have you read the whole topic and done everything mentioned along the way ?!
#4
Hardware and Performance / Re: DEC750 realistic 10G expec...
Last post by nero355 - June 07, 2026, 11:35:02 PM
Quote from: Monviech (Cedrik) on June 07, 2026, 06:27:12 PMAn intel core i5 also has a way higher TDP.
Quote from: ou1 on June 07, 2026, 07:45:29 PMRegarding TDP - yes, this CPU can use a lot more power. I got it up to 40W by running iperf3 directly from the firewall, but otherwise it idles at 18W, which I can live with. Maybe there is room for optimization, I haven't done anything yet.
Sometimes it's better to have a slightly higher TDP rated CPU that is good at "Racing back to IDLE" instead of having a low TDP rated CPU that needs a lot more time for the same task and because of that eventually consumes more power for the same task.

It all depends on your needs and useage... :)
#5
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by nero355 - June 07, 2026, 11:29:15 PM
Quote from: Ozymandias on June 07, 2026, 06:42:28 PMI'll get a Linux based Live Boot up over the next few days and give it a test, plus maybe a fresh OPNsense basic install on a spare drive.
Good plan! :)

Quote from: meyergru on June 07, 2026, 06:51:47 PM1. There is a big difference between OpnSense routing sessions between different partners and OpnSense being the endpoint (the latter one is slower).
So you are saying that when I measure iPerf3 speeds between OPNsense and a Client that the speed will always be lower than between two any other type of Clients on the same subnet ?!

For example :

Windows or Linux iPerf3 Server/Client <----> Windows or Linux iPerf3 Server/Client = 2,37 Gbps

OPNsense iPerf3 Server/Client <----> Windows or Linux iPerf3 Server/Client = Always less than the speed above ?!

Quote2. Since this is iperf, I also like to point out this article, point 10. I totally depends on how many TCP sessions you use.

Pulling these together, I see ~1.87 Gbps with iperf -P1 vs. 3.56 Gbps with iperf -P4 vs. 6 Gbps when OpnSense routes only.
Ofcourse you will always have to measure with as much threads as possible and sometimes even raise the window size and stuff like that... :)
#6
26.1, 26,4 Series / Re: This makes me want to cry!...
Last post by tschips - June 07, 2026, 10:10:20 PM
I'm happy I found this thread as I'm suffering from the exact same problem on my private opnsense router.
The WebGUI is quite unreliable, the dashboard loads widgets only seldomly (oftentimes after a fresh restart) and my uptime shows the exact same weird value of 20611 days. Also other parts of the WebGUI, like for example the DHCP leases overview, often don't show information. A few page reloads later it might. System updates via the WebGUI don't work as well. Via SSH everything is fine.

Just to make things clear, system time seems to be fine.

Code Select
root@fw:~ # sysctl kern.boottime
kern.boottime: { sec = 1778614567, usec = 705583 } Tue May 12 21:36:07 2026

top doesn't show high load, but I'm wandering why this machine swaps with 8GB of RAM.
Code Select
last pid: 64090;  load averages:  3.05, 10.70, 11.72                                        up 26+00:13:03  21:49:10
1559 processes:1 running, 1558 sleeping
CPU:  3.4% user,  0.0% nice, 14.2% system,  0.0% interrupt, 82.5% idle
Mem: 4147M Active, 47M Inact, 9520M Laundry, 1463M Wired, 56K Buf, 476M Free
ARC: 470M Total, 231M MFU, 109M MRU, 8365K Anon, 5040K Header, 117M Other
     259M Compressed, 933M Uncompressed, 3.60:1 Ratio
Swap: 8192M Total, 3637M Used, 4555M Free, 44% Inuse, 12K In

I'm pretty sure it has to do with my configuration or something going havoc on the network. Any business opnsense installation i came across doesn't show this behaviour. But I ran out of ideas how to identify these problems? Any suggestions what to look for or which logs might be helpful?
#7
Hardware and Performance / Re: DEC750 realistic 10G expec...
Last post by ou1 - June 07, 2026, 07:45:29 PM
Quote from: Monviech (Cedrik) on June 07, 2026, 06:27:12 PMAn intel core i5 also has a way higher TDP.

About the UDP vlan fragmentation issue, on a DEC device you can solve that in Interfaces: Settings by enabling vlan hardware filtering.

I'll need to test again, but I'm pretty sure I tried with VLAN HW Filtering both on and off. My SIP phone doesn't receive any response from the registration requests. I'm not 100% sure it's the checksum problem, but I am leaning towards that theory. Unfortunately I didn't spend enough time trying to figure out how to calculate checksums myself to see if they're correct.

Regarding TDP - yes, this CPU can use a lot more power. I got it up to 40W by running iperf3 directly from the firewall, but otherwise it idles at 18W, which I can live with. Maybe there is room for optimization, I haven't done anything yet.

I don't know which device I'll end up using as my main device, I don't need the extra speed from this i5 CPU. It was more of an exercise to see if I can build a cheap 10G firewall. I also wanted to experiment with VyOS now that I have spare hardware.
#8
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by meyergru - June 07, 2026, 06:51:47 PM
Quote from: nero355 on June 07, 2026, 06:30:17 PMOK, but this clearly shows there is something wrong with the OPNsense Mini PC itself :
Quoteiperf3:
1.60 Gbits/sec from Win11 to OPNsense iperf3 server.
2.37 Gbits/sec from Win11 to Unraid (N95) iperf3 server.
These two should always be equal IMO :)

No:

1. There is a big difference between OpnSense routing sessions between different partners and OpnSense being the endpoint (the latter one is slower).

2. Since this is iperf, I also like to point out this article, point 10. I totally depends on how many TCP sessions you use.

Pulling these together, I see ~1.87 Gbps with iperf -P1 vs. 3.56 Gbps with iperf -P4 vs. 6 Gbps when OpnSense routes only.
#9
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by Ozymandias - June 07, 2026, 06:42:28 PM
I'll get a Linux based Live Boot up over the next few days and give it a test, plus maybe a fresh OPNsense basic install on a spare drive.
#10
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by nero355 - June 07, 2026, 06:30:17 PM
Quote from: meyergru on June 07, 2026, 06:15:06 PMThere are big timing differences between internet and local connections and also, the endpoints can behave differently, thus there can be any number of problems w/r to timing and/or buffering.
The latter depends on which TCP algorithms are in use, such that flow control and buffering or interrupt coalescing can very well play a role.
OK, but this clearly shows there is something wrong with the OPNsense Mini PC itself :
Quote from: Ozymandias on June 06, 2026, 11:39:10 PMiperf3:
1.60 Gbits/sec from Win11 to OPNsense iperf3 server.
2.37 Gbits/sec from Win11 to Unraid (N95) iperf3 server.
These two should always be equal IMO :)

To rule out FreeBSD specific issues he could also test with a random Linux based Live Boot Environment now that I think of it...
Pages1 2 3 ... 10