Recent posts

#1

25.7, 25.10 Legacy Series / Re: Android 16 and NDP cache

Last post by Patrick M. Hausen - Today at 10:10:21 PM

RA always works with multicast. Multicast is a mandatory part of IPv6.

To make sure you at least have the chance that everything works with the bridge as intended, make sure to

- set the two tunables from step 6 of the LAN bridge guide in the docs
- assign the LAN interface with IP addresses (v4 and v6) to the bridge interface and not any of the members
- do not assign any of the member interfaces, especially never configure an IP address on a bridge member

If that is all configured correctly, I do not see why you should not use a 6 port PC as a 5 port "switch" just like any consumer router. Only do not expect 10 G speeds. But 1 G is perfectly fine. The FreeBSD bridge is better than some say.

HTH,
Patrick

#2

26.1, 26,4 Series / Firewall log and wireguard log...

Last post by FredFresh - Today at 10:10:17 PM

Suddenly today the log of the firewall rules and the log of wireguard stopped: both stopped to update / add lines.

I tried a couple of time to reboot, no solution.
Tried to switch off and wait a couple of minute before to restart, still no solution.

I am using the 26.1.6

Any suggestion?

#3

25.7, 25.10 Legacy Series / Re: Android 16 and NDP cache

Last post by nero355 - Today at 10:08:11 PM

Originally I thought that having 6 ports directly on the firewall mini-PC (the brand is "sharedvi" and has 6x i226) would be cool, but now I see that the Unix philosophy always wins, and I should have bought a 2-port thing and a proper switch

I disagree : It's great to have one NIC Port for each Network and maybe only use the 6th one for assigning VLAN Interfaces to it :)

I have done the same with the 4 NIC Ports that my OPNsense has :
- NIC Port 0 = WAN
- NIC Port 1 = Default LAN as Management Network for all devices.
- NIC Port 2 = Home Network
- NIC Port 3 = Guest VLAN Interface assigned and any other stuff in the future...

#4

General Discussion / Re: Ubiquity Cloud Fiber Gatew...

Last post by t84a - Today at 09:58:48 PM

Anyone have any experience with these?  I'm looking to migrate from OPNSense to one. Thanks

Maybe the UI community forum, https://community.ui.com/ ?

Having said that, I do use a not-cloud Fiber Gateway (UXG-Fiber). Price/performance is great but of course not as many features as OPNsense. I use Technitium for DNS and don't use IDS at all + some region blocking (but not really necessary since I don't have any web services accessible from the internet). IPv6 is missing features but generally works.


What features are using on your OPNsense?

Not many. I'm not having the success with OPNSense as others and haven't had luck getting help. Thanks

#5

General Discussion / Re: Ubiquity Cloud Fiber Gatew...

Last post by nero355 - Today at 09:53:53 PM

I have. They suck.
Great switches an APs though

The more I think about it, the more I would only keep their In Wall Accesspoints and replace everything else with a different brand :)

Now if I could only somehow ditch the UniFi Controller too and have a webGUI on each In Wall itself...


Some new hack to flash EdgeSwitch Firmware on UniFi Switches would be fine too by the way!

#6

25.7, 25.10 Legacy Series / Re: Android 16 and NDP cache

Last post by reinob - Today at 09:49:32 PM

Thanks for the additional info. I may be able to test a few things during the weekend (can't afford to disturb the network while $FAMILY is busy).

Originally I thought that having 6 ports directly on the firewall mini-PC (the brand is "sharedvi" and has 6x i226) would be cool, but now I see that the Unix philosophy always wins, and I should have bought a 2-port thing and a proper switch (though I have to say that aside from this weird problem with the Motorola everything is working great).

For now I've set up a cron job (had to learn the (to me) weird — but elegant :) — way of defining cron jobs in Opnsense) which runs a shell script which generates the (expected/assumed) GUAs of the phone and adds them to NDP (and removes unexpected GUAs).

It seems to work OK, but I still have to check it for longer periods. The phone has Tailscale always on, which I hope is not affecting things. The good thing is that if I set my opnsense router (which also has tailscale) as exit node, everything works perfectly, both at home and away (5G, other WLANs, etc.).

But I'd prefer not being dependent on this (at the expense of being dependent of a workaround in Opnsense, but hey).

Ideally (even though it's also a workaround) it would be nice to disable IPv6 for this specific client, but Android doesn't allow that, and I don't think radvd/dnsmasq (or the whole RA concept) allows for that.

But just to ask: can RA work with unicast instead of multicast?

(I know, many questions, all dumped into a single thread, but I hope that's OK)

#7

26.1, 26,4 Series / Re: openvpn problems since cro...

Last post by franco - Today at 09:30:45 PM

Not sure where the original config came from but 26.1.x compatible configs don't fully work in 25.10.x but they should work fine in 26.4 which came out today...


Cheers,
Franco

#8

26.1, 26,4 Series / openvpn problems since crossgr...

Last post by PotatoCarl - Today at 09:22:33 PM

Hi
I need to post a stupid question and hope for an intelligent answer:
I am using since long openvpn for our roadwarriors and others. That works well with the legacy setup up to 26.1. Community edition.
I tried a few times to convert it to the "new setup" but never succeeded.

Now a necessary hardware upgrade made us switch to the business editoion.
After a few hickups we got everything up and running in 25.10 business - except openvpn. There is no contact possible, client stucks at "waiting for reply"

Heres what I did:

- started the new appliance out of the box wir 25.y business
- restored backup from 25.7.
- assigned interfaces
- reboot
- installed missing plugins
- updated opnsense to 25.10

All works well, except no VPN.
Plugging tje "old" applicance in: bang. Works. Upgraded the old community to 26.x. no change except the warning that openvpn server is depreciated.

So anyone any idea what the problem might be and how to get openvpn up and running?

Also a comprehensible howto for the new openvpn interface wohld be great. I tried the path from the manual with no success whatever (the old took about 5min and worked perfectly)

Also maybe some good instructions for wireguard and the chances to operate it in china but that is off topic (and I have not tried everything with wireguard yet).

Any help will be apreaciated.

Thank you.

[top -aSH]

#9

25.7, 25.10 Legacy Series / Re: Business Edition 25.10 - s...

Last post by bx2 - Today at 09:13:03 PM

I've been able to get into SSH on the secondary unit and running top -aSH shows very high CPU usage on [idle{idle: cpu0}] to [idle{idle: cpu3}]

It will fluctuate between 60-90% on idle CPU.

Code Select Expand

339 threads:   6 running, 308 sleeping, 25 waiting
CPU:  1.0% user,  0.0% nice,  2.6% system,  0.5% interrupt, 95.9% idle
Mem: 5466M Active, 4188K Inact, 1599M Laundry, 753M Wired, 2056K Buf, 45M Free
ARC: 248M Total, 191M MFU, 41M MRU, 5741K Anon, 1550K Header, 9298K Other
     199M Compressed, 350M Uncompressed, 1.76:1 Ratio
Swap: 8418M Total, 5057M Used, 3361M Free, 60% Inuse, 3160K In, 16M Out

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   11 root        187 ki31     0B    64K CPU0     0 212:59  98.46% [idle{idle: cpu0}]
   11 root        187 ki31     0B    64K RUN      1 213:02  97.30% [idle{idle: cpu1}]
   11 root        187 ki31     0B    64K RUN      2 213:18  97.11% [idle{idle: cpu2}]
   11 root        187 ki31     0B    64K CPU3     3 213:02  96.48% [idle{idle: cpu3}]
    2 root        -60    -     0B    64K WAIT     2   1:59   2.19% [clock{clock (0)}]
   16 root        -16    -     0B    16K psleep   3   0:53   2.08% [vmdaemon]
    9 root        -16    -     0B    48K swbufa   0   1:11   1.93% [pagedaemon{laundry: dom0}]
26862 root         20    0    15M  2748K CPU2     2   0:00   0.66% top -aSH
    9 root        -16    -     0B    48K CPU1     1   3:31   0.53% [pagedaemon{dom0}]
   12 root        -64    -     0B   336K WAIT     1   0:10   0.40% [intr{irq61: nvme0:io1}]
64127 root         24    0   984M   249M swread   3   0:17   0.33% /usr/local/bin/php-cgi
65172 root         20    0   746M    81M swread   0   0:14   0.28% /usr/local/bin/php-cgi
95245 root         20    0   538M   115M swread   1   0:04   0.27% /usr/local/bin/php-cgi
69176 root         21    0   634M   168M swread   3   0:19   0.27% /usr/local/bin/php-cgi
   12 root        -64    -     0B   336K WAIT     3   0:10   0.25% [intr{irq63: nvme0:io3}]



Here is what I had when I ran top -o size

Code Select Expand

root@FW02:~ # top -o size
last pid:  9419;  load averages:  4.04,  4.38,  4.72                                                                                                                                        up 0+04:14:12  12:56:00
76 processes:  1 running, 71 sleeping, 1 zombie, 3 waiting
CPU: 38.8% user,  0.0% nice,  6.3% system,  0.7% interrupt, 54.1% idle
Mem: 4471M Active, 1060K Inact, 2614M Laundry, 740M Wired, 2056K Buf, 40M Free
ARC: 248M Total, 193M MFU, 44M MRU, 45K Anon, 1576K Header, 9401K Other
     205M Compressed, 364M Uncompressed, 1.78:1 Ratio
Swap: 8418M Total, 8407M Used, 11M Free, 99% Inuse, 15M In, 49M Out

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
64127 root          1  20    0   874M    67M swread   2   0:34   0.14% php-cgi
90300 root          1  20    0   824M   110M pfault   2   0:05   0.22% php
84811 root          1  20    0   824M    81M pfault   1   0:05   0.08% php
 9889 root          1  20    0   824M    55M pfault   2   0:07   0.24% php
 8548 root          1  20    0   824M    49M swread   3   0:07   0.27% php
10724 root          1  20    0   824M    25M swread   3   0:06   0.21% php
67711 root          1  20    0   824M    13M swread   0   0:07   0.40% php
17207 root          1  20    0   746M    76M select   0   0:34   0.00% php-cgi
65172 root          1  20    0   746M    69M swread   2   0:24   0.14% php-cgi
70166 root          1  23    0   746M  4096B lockf    1   0:33   0.00% <php-cgi>
70079 root          1  24    0   746M  4096B lockf    1   0:31   0.00% <php-cgi>
  395 root         19  21    0   741M  4096B WAIT     2   0:51   0.00% <python3.11>
54338 root          1  20    0   726M   110M pfault   0   0:05   0.22% php
95464 root          1  20    0   726M    75M swread   0   0:04   0.14% php
 6824 root          1  20    0   726M    64M swread   1   0:05   0.14% php
49842 root          1  20    0   726M    46M swread   0   0:04   0.19% php
67322 root          1  28    0   635M   296M lockf    0   0:37   2.03% php-cgi
68272 root          1  28    0   634M   236M lockf    1   0:43   0.00% php-cgi
69176 root          1  21    0   634M   219M select   3   0:33   0.00% php-cgi
68381 root          1  20    0   634M    84M select   3   0:31   0.01% php-cgi
64196 root          1  20    0   634M   129M pfault   2   0:27   0.21% php-cgi
66839 root          1  20    0   634M    32M select   1   0:34   0.00% php-cgi
18065 root          1  20    0   538M   380M select   1   0:34   0.00% php-cgi
69630 root          1  20    0   538M  5988K select   3   0:29   0.00% php-cgi
68121 root          1  21    0   538M  4096B lockf    3   0:29   0.00% <php-cgi>
59949 root          1  20    0   538M   356M select   3   0:25   0.00% php-cgi
 2236 root          1  20    0   538M   317M select   3   0:23   0.00% php-cgi
 8262 root          1  20    0   538M   198M select   3   0:18   0.00% php-cgi
71237 root          1  20    0   538M   169M select   1   0:27   0.00% php-cgi
71329 root          1  20    0   538M    26M select   1   0:26   0.00% php-cgi
95245 root          1  24    0   538M  4096B WAIT     1   0:19   0.00% <php-cgi>
 4833 root          1  36    0   510M   407M pfault   3   0:02  16.10% php
98709 root          1  34    0   490M   396M pfault   0   0:02  17.35% php
 4317 root          1  36    0   490M   395M pfault   1   0:02  18.56% php
 7701 root          1  40    0   450M   369M pfault   3   0:02  33.57% php
 8680 root          1  34    0   446M   356M pfault   0   0:01  12.93% php
 8837 root          1  36    0   440M   359M pfault   3   0:01  16.98% php
 7792 root          1  36    0   438M   357M pfault   1   0:01  19.34% php
 7077 root          1  36    0   438M   356M pfault   1   0:01  18.72% php
52571 root         17  68    0    97M  3236K sigwai   3   0:00   0.00% charon
 3712 root          1  29    0    70M    39M pfault   2   0:01   4.29% python3.11
16540 root          1  20    0    53M  4096B wait     2   0:00   0.00% <php-cgi>
62847 root          1  20    0    53M  4096B wait     0   0:00   0.00% <php-cgi>
62672 root          1  68    0    53M  4096B wait     2   0:00   0.00% <php-cgi>
63410 root          1  68    0    53M  4096B wait     1   0:00   0.00% <php-cgi>
31731 root          3  20    0    49M  2564K kqread   2   0:05   0.03% syslog-ng
17415 root          1  20    0    41M  3612K nanslp   3   3:28   0.01% python3.11
  393 root          1  68    0    35M  4096B wait     2   0:00   0.00% <python3.11>
53436 root          1  20    0    28M  4408K select   1   0:01   0.01% python3.11
53217 root          1  20    0    27M  3788K select   3   0:00   0.02% python3.11
20171 root          4  68    0    26M  1360K uwait    2   0:02   0.02% dpinger
31675 root          1  68    0    24M  4096B wait     3   0:00   0.00% <syslog-ng>
57565 root          2  20    0    24M  3144K select   1   0:02   0.01% ntpd
61730 root          1  20    0    23M  3228K kqread   0   0:02   0.00% lighttpd
35568 root          1  20    0    20M  2064K select   3   0:00   0.02% sshd-session
  451 root          1  20    0    20M  1072K select   3   0:00   0.00% sshd-session
86829 root          1  20    0    20M  2536K select   0   0:00   0.00% sshd
88249 root          1  20    0    17M  4096B pause    3   0:00   0.00% <csh>
56438 root          1  20    0    15M  2040K CPU3     3   0:00   0.10% top
  757 root          1  20    0    15M   408K select   1   0:00   0.00% devd
65025 root          1  68    0    14M  1000K ttyin    2   0:00   0.00% sh
36343 root          1  20    0    14M  4096B wait     2   0:00   0.00% <sh>
64828 root          1  56    0    14M  4096B wait     0   0:00   0.00% <login>
  197 root          1  20    0    14M  1416K piperd   3   0:00   0.11% cron
16433 root          1  20    0    14M  1300K bpf      3   0:00   0.03% filterlog
 2237 root          1  20    0    14M  4096B wait     2   0:00   0.00% <flock>
72462 root          1  20    0    14M  1304K kqread   2   0:00   0.00% tail
74613 root          1  20    0    14M  1296K select   0   0:00   0.00% tail
15949 root          1  20    0    14M  4096B WAIT     3   0:00   0.00% <cron>
52141 root          1  68    0    13M  4096B kqread   0   0:00   0.00% <daemon>
88865 root          1  68    0    13M  4096B kqread   2   0:00   0.00% <daemon>
61055 root          1  20    0    13M  1072K select   3   0:01   0.01% powerd
40897 _flowd        1  20    0    13M   980K select   2   0:00   0.00% flowd
40882 root          1  68    0    13M  4096B sbwait   1   0:00   0.00% <flowd>


#10

25.7, 25.10 Legacy Series / Re: dnsmasq dhcp: Clients accu...

Last post by fab - Today at 08:18:01 PM

This sounds like stale RA lifetimes rather than dnsmasq itself, clients keep old prefixes until they expire. Have you checked if your RA settings properly deprecate old prefixes or tried lowering valid/preferred lifetimes?

Dnsmasq should deprecate old prefixes automatically if I use it for the RAs, when set up new, or? But it doesn't. All machines accumulate and try to use these prefixes until their lifetime is up (that was 84600 secs (unconfigured). I set these down to 7200 seconds, but these have still to time out the full lifetime until they are not (erronoeusly) used anymore.

And if I restart my OpnSense Router with dnsmasq set up three times, I get a new set of three "valid" IPv6 addresses on each machine, although the prefixes are deprecated, which are all tried to be used despite being deprecated. I haven't tested but it's also possible that these deprecated addresses are renewed once the lifetime is up despite being deprecated. I'm not sure what's wrong with dnsmasq but it doesn't deprecate old prefixes, it seems. Not sure what settings are wrong.

In the meantime I've gone back to the old, original RA service in the router by completely rolling back my settings from backup. So now I'm using the original RA service with th the old ISC DHCP server and the problems are gone for now. But I really want to use dnsmasq for its advantages in future (together with unbound), because it completely resolves also dynamic IPv6 addresses (DNS) for dhcp(v6), dns and RAs. But if it stays this way, there's no way for me to use dnsmasq.

I would be really thankful, if someone could point out which settings I have to apply to correctly deprecates old prefixes and what could be wrong.

Thank you,
fab