Recent posts

#1
If there is an actual bypass in that box, it's an inline L1 switch chip. I wonder what the serial console is, does the bios/uefi have the bypass util in it?

The OS will always see the logical part of the 350 354, but the actual L1 can be diverted and the OS won't even know it, and, getting actual connectivity through the NIC to OS will be lost.

So maybe some more investigating the actual hardware?
#2
26.1, 26,4 Series / Re: When to migrate to new fir...
Last post by tigo003 - Today at 01:39:00 AM
Just did the migration of the rules and NAT rules. It was a matter of exporting & importing them using the migration assistant, then a review audit of the rules - along with testing connectivity to be as expected. Indeed all worked correctly. I had tried this a few months ago, and it was such a bad experience that I just reverted to the backup, and in an earlier forum chat, I concluded that I'd leave this till December / January. But now that it's done, things will hopefully be smoother moving forward with the upgrades, and any changes.
#3
Hardware and Performance / Re: Problems With Nics not bee...
Last post by pfry - Today at 01:09:57 AM
Huh! Yeah, I'd expect the em driver... but then igb and em seem oddly interchangeable.

ifconfig may also show the devices. My concern was this line in their lame excuse for a data sheet: "3 x 1G bypass bridge pair", which usually indicates the presence of a hardware bypass, which must be deactivated (via custom software interface) to use the interfaces... somewhat normally. So the drivers may load, the interfaces may be configurable, but they will be electrically isolated by the bypass. But that's a supposition - I didn't find better docs offhand.
#4
Hardware and Performance / Re: Transparant bridge with 2 ...
Last post by pfry - Today at 12:53:39 AM
Perlman's (initial) work pre-dated or was contemporaneous to the development of the OSI model. Heck, for all I know she was in on it, as she contributed to DECNET and ISO standards such as CLNS/CLNP and IS-IS. (I believe she was also one of the DIX folks who transitioned to the IEEE 802 group. Seifert always thought Ethernet would dominate networking; back then I don't think anybody would have picked IP to dominate.)

Anyway, the OSI model is just a model. I can make a device that forwards using any information within the packet... or without. Conventions aid communication, though... most of the time.
#5
26.1, 26,4 Series / Re: signature invalid during 2...
Last post by ayanami_rei - Today at 12:38:45 AM
ok, after retrying 2 hours later, the update completes, don't know what the problem was. possibly delayed update on the mirror? i do not know.

greetings
#6
26.1, 26,4 Series / Re: signature invalid during 2...
Last post by newsense - Today at 12:16:50 AM
Can you post the health check first to get a better picture of what's going on?
#7
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1

This only allows a packet to move across/traverse the internal routing engine. 0 = host-only mode, hence a packet that comes in on iface-A with L3 dst not in the local subnet of iface-A, such a packet goes straight into the bit bucket, and perhaps an ICMP response.

In reality, that conf setting, "forwarding", should have been "nexthop", because that setting is attached to "ip", which is L3.

Routing is always next-hop, switching is forwarding. People and their books have mangled terms over past xxx years. ;)

Take this saying: "a switch forwards packets, a router forwards packets".
So then what's the diff between a router and a switch?
As I mentioned before, a switch cannot make a next-hop decision, it has no routing engine. A router however must have a switcher in it, otherwise no frames could move via L1 Tx & Rx.

So the known devices we commonly use:
L3/L2/L1 device ("router", next-hop L3 + forwarder L2)
L2/L1 device ("switch", forwarder L2)

;)

#8
Zenarmor (Sensei) / Re: Cancelling my subscription...
Last post by cookiemonster - Today at 12:06:28 AM
Quote from: philippe_crowdsec on July 02, 2026, 11:25:49 AM
@cookiemonster: I'm interested in the discussion about CrowdSec.

The product is free (security engine, scenarios, vpatch, WAF rules, Claude skill, etc.) and is MIT-licensed.
A blocklist is shared amongst users who share signals, for free, and many more are also free of charge.
There is 0 cost on the OPNsense integration.

So I'd be interested to understand your feelings better (or maybe it's about the SaaS console)?
If you have time and the will to discuss this, please PM me.
Hi @philippe_crowdsec - thanks for the note. I will keep it short here so as to not hijack the thread. Yes those are free but my _main_ issue is that the integration was limited and was never advanced. The note since 2024 if I'm not mistaken is:
Quote:
At the moment, the CrowdSec package for OPNsense is fully functional on the command line but its web interface is limited; you can only list the installed objects and revoke decisions. For anything else you need the shell or the CrowdSec Console.
Which means most of the existing and new functionality is unmanageable from the plugin. For instance I can't use SPOA for haproxy on OPN when using the OPN haproxy plugin.
If you are still willing to listen to my points (thank you for the offer) I shall open a new post so we can discuss them. In the open I suspect will be suitable for other users too. If you agree. Again, thank you. Just confirm and I will.
#9
26.1, 26,4 Series / Re: [SOLVED] Upgrade to 26.1.1...
Last post by muchacha_grande - July 02, 2026, 11:25:20 PM
@franco, I was at 26.1.10 and noted this behavior. The first part of the update was fine and I could see all the packages update progress.
When it reached the point to update kernel and base packages it was stuck for a while until it showed kernel download complete, and then stuck again until base download complete.
After that, the update continued as normal, with kernel and base installation and reboot.

It was the kernel and base download that I couldn't see the progress, so depending on the download speed one could think that the update stopped.
#10
Hardware and Performance / Re: Problems With Nics not bee...
Last post by BrandyWine - July 02, 2026, 11:22:51 PM
Post #1 igb list does not align with the output from pciconf ??
mgmt is the 210 ?
Since the kernel has igb loaded and the driver is mapping to 350 and 354 and the 210, I see no reason why the system (OS) can't see them, unless something is wrong with the driver being used (see below).

pciconf shows
igb
2 210
3 350
4 350
5 354
6 354
7 354
8 354

And when I dig on it, igb is not listed in 14.3 supported list???
They show em as the driver handling i350 and i354 and i210.
Hmmmmm (scratch head).
https://www.freebsd.org/releases/14.3R/hardware/#ethernet

BUT, Intel docs show igb does support 350 354 and 210. I suspect the FreeBSD doc is wrong.

So, someone needs to dig more than I have.