Recent posts

[You]

#1

Hardware and Performance / Re: Sanity check for N100 / i2...

Last post by meyergru - Today at 07:02:58 AM

So you are saying that when I measure iPerf3 speeds between OPNsense and a Client that the speed will always be lower than between two any other type of Clients on the same subnet ?!

Yes, of course, just because when OpnSense is itself involved, iperf3 runs on top of the actual routing. Well, "on the same subnet" is incorrect, of course, because OpnSense would not be involved at all if the traffic were between two clients on layer 2.

Ofcourse you will always have to measure with as much threads as possible and sometimes even raise the window size and stuff like that... :)

You may know, but the OP did not state how exactly the measurements were taken, which is why I pointed it out again. RSS will not do any good with just one connection.

#2

Hardware and Performance / Re: cpu-microcode-intel: no ma...

Last post by BrandyWine - Today at 05:36:59 AM

This is from my std install of v14.3 (not opnsense). The _1 ucode pkg is not in Quarterly yet, but it in in fact in Latest.




download from Latest.
curl -O https://pkg.freebsd.org/FreeBSD%3A14%3Aamd64/latest/All/Hashed/cpu-microcode-intel-20260512_1~a2a4a2e6e1.pkg
pkg install cpu-microcode-intel-20260512_1~a2a4a2e6e1.pkg

All fixed??

#3

Hardware and Performance / Re: cpu-microcode-intel: no ma...

Last post by BrandyWine - Today at 05:28:02 AM

A bit convoluted to follow.
_1 has a last import of "new" on June 5 2026 (https://www.freshports.org/sysutils/cpu-microcode-intel/)

There seems to be two builds for 14 latest
https://ports.freebsd.org/cgi/ports.cgi?stype=pkg&query=sysutils/cpu-microcode-intel

#4

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by allan - Today at 04:44:16 AM

OP, if you ever decide to go down this path, I suggest to first set up Monit to watch log files and run a script based on keywords. When you see journal rollforward failed, that means Bind did not load that zone file. Your static DNS assignments in addition to Kea DDNS registrations are all offline at that point. Internet through Unbound still works but no LAN devices are resolvable. You need Monit to watch for that, quickly delete those journal files and restart Bind to recover before anyone notices. Until there is a better way, that is how I have it set up. I actually match on zone not loaded as my keyword.

#5

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by cinergi - Today at 03:04:45 AM

OP here.  Thanks to all for sharing your viewpoints and experiences.

My network is small - a home network with about 40 devices total, and IPv6 dual stack.  I don't NEED Kea - I just thought it might be fun to try to set it up with dynamic DNS entries via Bind.  However, @Monviech's point not to overcomplicate is well taken.  I'm currently using dnsmasq for DHCP + local DNS, and Unbound for upstream recursive DNS queries which dnsmasq does not support (I prefer going directly to the authoritative DNS servers rather than relying on my ISP's DNS).  To switch to the solution I inquired about in my OP, I would need (1) Kea, (2) radvd for IPv6 router advertisements, (3) Unbound for recursive DNS, and (4) Bind for local DNS.  This is a more complex solution with a lot more moving parts (to use Monviech's wording).

Thus, after further consideration, and also after seeing the various issues encountered by @allan, I've decided to leave things alone for now and avoid an angry wife and daughters 😯.  So it's dnsmasq --> Unbound.

Thanks all!

-cinergi

#6

26.1, 26,4 Series / Re: 26.1 upgrade chaos, Realte...

Last post by computer_freak_8 - Today at 01:40:01 AM

download os-Realtek-re and realtek kmod packages from here, copy on a stick and install manually


http://pkg.opnsense.org/FreeBSD:14:amd64/26.1/MINT/26.1/latest/All/

Thank you for this link. I was able to download and install this package (also had to download and install the realtek-re-kmod package first, as "pkg add" complained about it as a prerequisite/dependency).

HOWEVER, there was no change. I even rebooted, but still can not get any link/activity light from either the switch or the NIC with OPNsense 26.1 installed. (on old_hardware)

Testing 26.1 with the same config on new_hardware, and it works just fine with both versions of the Realtek driver (the included driver and the proprietary driver).

After reinstalling 25.7 on the old_hardware (minus HDD), and loading up the same config, it works. I haven't even installed the os-realtek-re package yet.

What changed from 25.7 to 26.1 that would have COMPLETELY broken my Realtek driver in my firewall (old_hardware), but not other Realtek chips (new_hardware)? If I do a ctrl+f on this page, nothing shows up for "real":
https://docs.opnsense.org/releases/CE_26.1.html

So I'm at a loss.

In cased it's useful, I ran this:

Code Select Expand

# pciconf -lv | grep -B3 network
re0@pci0:3:0:0:    class=0x020000 rev=0x06 hdr=0x00 vendor=0x10ec device=0x8168 subvendor=0x1043 subdevice=0x8432
    vendor    = 'Realtek Semiconductor Co., Ltd.'
    device    = 'RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller'
    class      = network

#7

26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...

Last post by allan - Today at 12:40:02 AM

I felt brave and decided to bite the bullet. After about 12 hours, I didn't get it all working so I caught a little hell from my wife. 😬 I think I finally got most of the fires out so below are my notes:

• I decided to break out my different VLANs (e.g. IoT) into their own forward zones. I used sub-zones in the format vlan.domain.tld. This method makes it easier to troubleshoot.
• Uncheck Register ISC DHCP4 Leases and Register DHCP Static Mappings under Services > Unbound > General to avoid creating entries in Unbound since I still have ISC dhcpd installed.
• Restarting Bind caused the zone reload to fail with journal rollforward failed: journal out of sync with zone errors in the Bind log. I used rndc sync -clean to clear out the *.jnl files before restarting. I need to find a better way since I lose DDNS entries without the journal. I tried rndc stop and rndc freeze before clicking Save and neither fixed it.
• Under each Kea subnet DDNS setting, I had to end the forward and reverse zones, and qualifying suffix fields with a dot (.). Otherwise, Bind could not find the correct zone to update.
• I got DDNS update failures with 'RRset exists (value dependent)' errors in Bind for devices that are IPv4+IPv6 dual stack. I think this is due to both using the same DHCID and it became a race to create the first record. I set no-check-with-dhcid in each Kea subnet to fix it.
• My gateway was named "gw.vlan.domain.tld". Even when Unbound is set to forward all vlan.domain.tld queries to Bind, it refused to forward this one. I had to change my gateway domain name under System > Settings > General > Domain to something else.
• Some devices (OpenWRT) only send host names to Kea. This is what "DNS qualifying suffix" was supposed to fix. That setting worked for IPv4 but not IPv6; maybe OpenWRT sent FQDNs on IPv4 but I did not check. Kea logs showed No DNS servers match FQDN hostname. Reserving their IPv6 address fixed it. I think this issue is with upstream but that requires confirmation. Any IPv6 lease that is not FQDN under the Hostname column needs this reservation.
• I used dig @x.x.x.x -p 53530 name to query Bind directly. Otherwise, I got Unbound's cached entry.
• Once everything is confirmed to work, I set Bind to listen on 127.0.0.1 and ::1 so networks cannot query it directly.

So far so good. I had to create some CNAME records for our printer and SIP proxy. This gets Windows and desk phone working until I get time to reconfigure them and switch to using their IoT names instead.

#8

26.1, 26,4 Series / Re: This makes me want to cry!...

Last post by nero355 - June 07, 2026, 11:37:08 PM

But I ran out of ideas how to identify these problems?

Any suggestions what to look for or which logs might be helpful?

Have you read the whole topic and done everything mentioned along the way ?!

#9

Hardware and Performance / Re: DEC750 realistic 10G expec...

Last post by nero355 - June 07, 2026, 11:35:02 PM

An intel core i5 also has a way higher TDP.

Regarding TDP - yes, this CPU can use a lot more power. I got it up to 40W by running iperf3 directly from the firewall, but otherwise it idles at 18W, which I can live with. Maybe there is room for optimization, I haven't done anything yet.

Sometimes it's better to have a slightly higher TDP rated CPU that is good at "Racing back to IDLE" instead of having a low TDP rated CPU that needs a lot more time for the same task and because of that eventually consumes more power for the same task.

It all depends on your needs and useage... :)

#10

Hardware and Performance / Re: Sanity check for N100 / i2...

Last post by nero355 - June 07, 2026, 11:29:15 PM

I'll get a Linux based Live Boot up over the next few days and give it a test, plus maybe a fresh OPNsense basic install on a spare drive.

Good plan! :)

1. There is a big difference between OpnSense routing sessions between different partners and OpnSense being the endpoint (the latter one is slower).

So you are saying that when I measure iPerf3 speeds between OPNsense and a Client that the speed will always be lower than between two any other type of Clients on the same subnet ?!

For example :

Windows or Linux iPerf3 Server/Client <----> Windows or Linux iPerf3 Server/Client = 2,37 Gbps

OPNsense iPerf3 Server/Client <----> Windows or Linux iPerf3 Server/Client = Always less than the speed above ?!

2. Since this is iperf, I also like to point out this article, point 10. I totally depends on how many TCP sessions you use.

Pulling these together, I see ~1.87 Gbps with iperf -P1 vs. 3.56 Gbps with iperf -P4 vs. 6 Gbps when OpnSense routes only.

Ofcourse you will always have to measure with as much threads as possible and sometimes even raise the window size and stuff like that... :)