"Recent posts
#1
Hardware and Performance / Re: Used PC as OPNsense router...
Last post by nero355 - April 10, 2026, 11:59:45 PMJust disable whatever bothers you in the BIOS/UEFI and use it for OPNsense or Proxmox + OPNsense ?!
Also check if there are any BIOS/UEFI updates or alternatives like CoreBoot/LibreBoot/etc. for the used Mainboard :)
Also check if there are any BIOS/UEFI updates or alternatives like CoreBoot/LibreBoot/etc. for the used Mainboard :)
#2
26.1 Series / Re: Is VPN kill switch rule st...
Last post by OPNenthu - April 10, 2026, 11:34:52 PMI'm having a little trouble finding documentation to confirm that pf processes WAN filter rules (specifically WAN "out" rules) for traffic that originated and was already filtered on an internal interface.
I know from practice that it works because of this VPN kill switch rule, as one example, but also because in the past I've been able to use WAN "out" rules to block things like plain DNS and RFC1918 leaks on WAN.
I don't know why some AI sources contradict this. I'm also confusing myself a bit because in the opposite direction (incoming connection) it's WAN that decides whether or not a packet is allowed and I don't think the receiving interface on LAN is consulted (?).
Appreciate if someone could set me straight on this.
I know from practice that it works because of this VPN kill switch rule, as one example, but also because in the past I've been able to use WAN "out" rules to block things like plain DNS and RFC1918 leaks on WAN.
I don't know why some AI sources contradict this. I'm also confusing myself a bit because in the opposite direction (incoming connection) it's WAN that decides whether or not a packet is allowed and I don't think the receiving interface on LAN is consulted (?).
Appreciate if someone could set me straight on this.
#3
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - April 10, 2026, 11:22:12 PMi figured it out, i have a speedtest scheduled twice a day, 5:55a and 2:55p. the 2:55p just ran (i am in america mountain time zone)
manually running speedtest...
more errors
Code Select
vlan0.201 1500 <Link#16> f4:90:ea:01:ef:cd 447245078 0 0 279796907 1731 0
manually running speedtest...
Code Select
$ speedtest --server-id=8862
Speedtest by Ookla
Server: CenturyLink - Denver, CO (id: 8862)
ISP: CenturyLink
Idle Latency: 2.97 ms (jitter: 0.15ms, low: 2.62ms, high: 3.02ms)
Download: 940.40 Mbps (data used: 458.4 MB)
7.86 ms (jitter: 28.55ms, low: 2.09ms, high: 283.75ms)
Upload: 940.56 Mbps (data used: 423.2 MB)
2.58 ms (jitter: 0.10ms, low: 2.41ms, high: 2.85ms)
Packet Loss: Not available.
more errors
Code Select
vlan0.201 1500 <Link#16> f4:90:ea:01:ef:cd 447610515 0 0 280159181 1932 0
#4
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - April 10, 2026, 11:08:24 PMQuote from: Patrick M. Hausen on April 10, 2026, 11:05:45 PMThen again an ONT is not a switch - so as long as the numbers are zero or close to it for everything internal, it's quite plausible it's not Deciso's fault. I would insist on getting a statement on that ASPM setting, though. I don't have their latest generation of devices, never had a problem with the 1 G versions.
well i have 3 other systems with igc that never had issues with the same ONT in over 5 years.. so while it might be that the DEC3920 BIOS and nic firmware is a bad combination with my ONT, no other system i had hard dropped the WAN 5x and < 2 days in over 5 years.
#5
Hardware and Performance / Re: DEC3920 Quick Review
Last post by Patrick M. Hausen - April 10, 2026, 11:05:45 PMThen again an ONT is not a switch - so as long as the numbers are zero or close to it for everything internal, it's quite plausible it's not Deciso's fault. I would insist on getting a statement on that ASPM setting, though. I don't have their latest generation of devices, never had a problem with the 1 G versions.
#6
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - April 10, 2026, 11:00:53 PMok it already increased...
it did seem to happen on the WAN DHCP renewal.. i have quantum fiber, the DHCP leases are for 30 min, so it RENEWs every 15 minutes...
so i am going to see it happen there is anything going on there. i guess i could also put my VP2440 back in service, i never looked at this values before, so i have no clue if this is normal for my setup or was happening all along. DEC3920 WAN going completely out was new though..
Code Select
vlan0.201 1500 <Link#16> f4:90:ea:01:ef:cd 446025589 0 0 278611733 1609 0
it did seem to happen on the WAN DHCP renewal.. i have quantum fiber, the DHCP leases are for 30 min, so it RENEWs every 15 minutes...
Code Select
2026-04-10T14:55:01-06:00 Notice dhclientdhclient-script: Reason RENEW on vlan0.201 executing
so i am going to see it happen there is anything going on there. i guess i could also put my VP2440 back in service, i never looked at this values before, so i have no clue if this is normal for my setup or was happening all along. DEC3920 WAN going completely out was new though..
#7
Hardware and Performance / Re: DEC3920 Quick Review
Last post by Patrick M. Hausen - April 10, 2026, 10:41:33 PMThis is a commercial device with great performance especially in relation to power consumption, well worth the money, IMHO, but still a commercial solution. So if ASPM is an issue, it's Deciso's job to provide a BIOS that either categorically disables it or at least gives you the option to.
Just saying ...
Not a big fan of 2.5 Gbit/s anyway. 1 G is enough for all connected desktop systems and 10 G fibre is just better than anything else up to that speed.
Just saying ...
Not a big fan of 2.5 Gbit/s anyway. 1 G is enough for all connected desktop systems and 10 G fibre is just better than anything else up to that speed.
#8
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - April 10, 2026, 10:30:05 PMQuote from: Patrick M. Hausen on April 10, 2026, 10:16:40 PMQuote from: dirtyfreebooter on April 10, 2026, 09:55:10 PMthough, 767 errors out of 277,320,308 packets.. that is probably on the range of normal i would think...
Yet, any number significantly greater than zero in production would spark my curiosity. With Gigabit and above full duplex, flow control, etc. layer 2 errors should just not happen.
If you reboot the connected switch for an update or unplug and replug the cable(s) while the firewall is in full operation - yes. But you should be able to name the cause easily because it was something like that. As soon as the interface goes down no output errors should occur, either. So in these reboot/unplug cases they come from the fraction of a second when the other side is disconnected and OPNsense has not yet noticed that.
On my system I have single digit numbers probably from my last Mikrotik update. If 767 errors out of 277,320,308 fits that bill in your scenario is yours to judge.
yea, i am going to watch these values from now on, i had the ONT powered off when i booted the DEC3920, then after it was booted, i restored power, so those could have all been from that initial power on of the ONT, maybe the port flaps while initializing, who knows how this cheapo ONT reacts when initializing.
IMO, i still think this is related to i226 firmware/driver and ASPM. looking at my VMs i do some opnsense development on, they all have zero errors, but much less data going through and they are not connected to the cheapest hardware i own, which is the ONT. i wish intel would bring the freebsd igc driver up to par with linux, as i have never had a single issue with i226 and linux.
i will give this about a week, then i might try and use the other SFP port with an UniFi 1G SFP to RJ45 adaptor (it listed on the supported SFP transceivers), just to compare.
#9
26.1 Series / Re: lots of empty space in new...
Last post by Patrick M. Hausen - April 10, 2026, 10:18:14 PMSeconded. A browser has scroll bars. Just use all of the bloody space. And play all "action" buttons - new, select, delete, ... as well as apply - at the top of the page. Render a web page. It's a web UI, not an application.
#10
Hardware and Performance / Re: DEC3920 Quick Review
Last post by Patrick M. Hausen - April 10, 2026, 10:16:40 PMQuote from: dirtyfreebooter on April 10, 2026, 09:55:10 PMthough, 767 errors out of 277,320,308 packets.. that is probably on the range of normal i would think...
Yet, any number significantly greater than zero in production would spark my curiosity. With Gigabit and above full duplex, flow control, etc. layer 2 errors should just not happen.
If you reboot the connected switch for an update or unplug and replug the cable(s) while the firewall is in full operation - yes. But you should be able to name the cause easily because it was something like that. As soon as the interface goes down no output errors should occur, either. So in these reboot/unplug cases they come from the fraction of a second when the other side is disconnected and OPNsense has not yet noticed that.
On my system I have single digit numbers probably from my last Mikrotik update. If 767 errors out of 277,320,308 fits that bill in your scenario is yours to judge.
