"Recent posts
#1
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 04:19:34 AMI see a similar imbalance on mine where one queue is preferred. If your network is not very diverse (for example if you are a single client doing a bunch of speed tests) then this might explain the skew toward a single core, perhaps?
In my case igc2 is the VLAN parent for my workstation and igc1 is WAN. The skew makes sense, since the majority of the web traffic is igc2->igc1 and it's mostly the same exact kinds of flows (speed tests, YouTube...) from the same host. I've been doing a lot of shaper related testing lately.
igc3 is iot/mobiles and other background traffic... family browsing/streaming, etc.
Code Select
root@firewall:~ # vmstat -i | grep igc
irq130: igc0:rxq0 91154 0
irq131: igc0:rxq1 27129 0
irq132: igc0:rxq2 27424 0
irq133: igc0:rxq3 35187 0
irq134: igc0:aq 2 0
irq135: igc1:rxq0 24060289 111
irq136: igc1:rxq1 48661715 224
irq137: igc1:rxq2 43006681 198
irq138: igc1:rxq3 155563356 715
irq139: igc1:aq 2 0
irq145: igc2:rxq0 140748349 647
irq146: igc2:rxq1 13709652 63
irq147: igc2:rxq2 13733157 63
irq148: igc2:rxq3 13726372 63
irq149: igc2:aq 2 0
irq150: igc3:rxq0 23630091 109
irq151: igc3:rxq1 26275878 121
irq152: igc3:rxq2 23673100 109
irq153: igc3:rxq3 23192884 107
irq154: igc3:aq 2 0
In my case igc2 is the VLAN parent for my workstation and igc1 is WAN. The skew makes sense, since the majority of the web traffic is igc2->igc1 and it's mostly the same exact kinds of flows (speed tests, YouTube...) from the same host. I've been doing a lot of shaper related testing lately.
igc3 is iot/mobiles and other background traffic... family browsing/streaming, etc.
#2
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by OPNenthu - Today at 04:02:38 AMQuote from: pseudonym3k on Today at 01:56:43 AMUnbound is disabled.
Quote from: pseudonym3k on Today at 01:56:43 AMAt first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases.
DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.
Dsnmasq is a combined DHCP+DNS solution, but Kea is strictly DHCP. You need to bring your own DNS (same as with the old ISC) and this is where Unbound comes in.
A Kea user might be able to confirm this (I don't know if these only work with ISC) but I think you'll need to enable at least one setting in Unbound:
- Register ISC DHCP4 Leases
- Register DHCP Static Mappings (optional)
https://docs.opnsense.org/manual/unbound.html
Or, you can enter the static ones manually in Unbound as 'Overrides.'
#3
26.1 Series / Re: lots of empty space in new...
Last post by randell - Today at 03:48:37 AMSorry, my post about creating an account to +1 might have come across a little "complainy". That wasn't what I intended.
I did play around with a tampermonkey script to set the UIBootgrid.options.disableScroll. Setting this to true and also setting the table height to auto gave me the results I wanted, but unfortunately trying to monkeypatch that was not very dependable. (There are issues with tampermonkey and @run-at document-start when a page executes too fast, when most things was cached)
If someone with more knowledge of developing for opnSense wants to implement it, an option to set that to true and to change or stop setting the calculated height might be the best of both worlds.
Just a thought. It isn't a show stopper or anything.
This was one of the variations of my not always working but sort of working script I was playing around to better explain what I was doing:
I did play around with a tampermonkey script to set the UIBootgrid.options.disableScroll. Setting this to true and also setting the table height to auto gave me the results I wanted, but unfortunately trying to monkeypatch that was not very dependable. (There are issues with tampermonkey and @run-at document-start when a page executes too fast, when most things was cached)
If someone with more knowledge of developing for opnSense wants to implement it, an option to set that to true and to change or stop setting the calculated height might be the best of both worlds.
Just a thought. It isn't a show stopper or anything.
This was one of the variations of my not always working but sort of working script I was playing around to better explain what I was doing:
Code Select
// ==UserScript==
// @name OPNSense Scroll
// @namespace http://tampermonkey.net/
// @version 2026-04-10
// @description Disables tabulator scrolling
// @author Me
// @match https://xxxxxx:444/*
// @icon https://www.google.com/s2/favicons?sz=64&domain=taxfodder.com
// @grant none
// @run-at document-start
// ==/UserScript==
(function()
{
'use strict';
let _jquery;
const applyPatch = (instance) => {
if (!instance.fn || instance.fn.UIBootgrid_Patched) return;
let _uiBootgrid;
Object.defineProperty(instance.fn, 'UIBootgrid', {
get: () => _uiBootgrid,
set: function(originalFunc) {
console.log("Hooked UIBootgrid successfully!");
_uiBootgrid = function(...args) {
const replacement = originalFunc.apply(this, args);
const bgInstance = replacement.data('UIBootgrid');
if (bgInstance) {
bgInstance.options.disableScroll = true;
}
//console.log('patched');
return replacement;
};
},
configurable: true
});
instance.fn.UIBootgrid_Patched = true;
};
const defineHook = (propName) => {
Object.defineProperty(window, propName, {
get: () => _jquery,
set: (val) => {
_jquery = val;
if (val && val.fn) {
applyPatch(val);
}
},
configurable: true
});
};
defineHook('jQuery');
defineHook('$');
// Handle the case where jQuery is already there
if (window.jQuery) {
_jquery = window.jQuery;
applyPatch(_jquery);
}
window.addEventListener('load', () => {
setTimeout(() => {
const tables = document.querySelectorAll('div.tabulator');
//console.log(tables);
if (tables) {
tables.forEach(t1 => {
t1.style.height = 'auto';
});
}
}, 100);
});
})();
#4
26.1 Series / ISC to DNSMASQ - Broadcast Opt...
Last post by randell - Today at 03:35:37 AMAfter converting from ISC to DNSMASQ I had 1 device that would not work, an Echo Spot device. All my other Amazon devices worked, just not this model. After playing around with just about everything I could think of, I finally resolved it by adding a file on the config.d folder to set "dhcp-broadcast".
I am not a network guy, so I'm badly parroting my google searches and AI explanations, but it seems that this device and some mediatek chips don't like a unicast response DHCPACK. It will only accept it if it was broadcast. From my understanding is the ISC broadcasts but DNSMASQ by default unicasts it.
Once I set this, the device worked. I was also able to get it to work if I created a "Host" entry, but I didn't want to set the hostname, ip address, and all the other things as a long term solution because while I only had 1 device now, if I added other devices, I didn't want to potentially have to add others.
I didn't see an option in the UI to toggle "dhcp-broadcast", but I think an option would be a good addition.
I am not a network guy, so I'm badly parroting my google searches and AI explanations, but it seems that this device and some mediatek chips don't like a unicast response DHCPACK. It will only accept it if it was broadcast. From my understanding is the ISC broadcasts but DNSMASQ by default unicasts it.
Once I set this, the device worked. I was also able to get it to work if I created a "Host" entry, but I didn't want to set the hostname, ip address, and all the other things as a long term solution because while I only had 1 device now, if I added other devices, I didn't want to potentially have to add others.
I didn't see an option in the UI to toggle "dhcp-broadcast", but I think an option would be a good addition.
#5
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 03:17:11 AMyea i saved the config.xml from first boot. it only had 3 tunables.
yea, without bindthreads/maxthreads/rss_enabled, the IRQs are mapped to separate CPUs, but the netstat stats show all the packets being queued on 1 cpu. honestly for 1 Gbps, i find it strange that this CPU can't do it with just 1 core, but yea.
with RSS disabled, watching sysctl
all the packets seem to go to txq0, but maybe its because 1 Gbps isn't enough to stress even one core.
strange is that i never really root cause my connection issue. was it because i powered off the ONT for 5 minutes and it really let it reset? was it because i moved from igc0 to igc1 for WAN?
Code Select
hw.ibrs_disable=1
vm.pmap.pti=0
ice_ddp_load=YES
yea, without bindthreads/maxthreads/rss_enabled, the IRQs are mapped to separate CPUs, but the netstat stats show all the packets being queued on 1 cpu. honestly for 1 Gbps, i find it strange that this CPU can't do it with just 1 core, but yea.
with RSS disabled, watching sysctl
Code Select
# sysctl dev.igc.1.iflib.{txq0,txq1,txq2,txq3}.r_enqueues
dev.igc.1.iflib.txq0.r_enqueues: 3928608
dev.igc.1.iflib.txq1.r_enqueues: 1070
dev.igc.1.iflib.txq2.r_enqueues: 1219
dev.igc.1.iflib.txq3.r_enqueues: 235
all the packets seem to go to txq0, but maybe its because 1 Gbps isn't enough to stress even one core.
strange is that i never really root cause my connection issue. was it because i powered off the ONT for 5 minutes and it really let it reset? was it because i moved from igc0 to igc1 for WAN?
#6
26.1 Series / Re: Is VPN kill switch rule st...
Last post by OPNenthu - Today at 03:13:38 AM@keeka I'm answering my own questions here, so I would just caution you not to follow my ramblings unless they're confirmed :P There are things that I still am confused about. For example, take the egress case:
local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server
If a LAN "in" rule matches and allows the packet, is the state created right then and there? Does it bypass any WAN "out" rule that might have otherwise blocked it, or is the state created after the WAN "out" processing is done?
In other words: if a flow is filtered in both locations, do both filters always get taken into account?
We really do need better documentation around this, IMO.
I think this is variant of the same question.
If the tag is meant to block traffic leaving a specific interface, then it would only work if the packet arriving on the forbidden interface doesn't already match an existing state. This is where I think it gets fuzzy with 'floating' states.
To be safe I would change some of the rules to use interface-bound states, but which ones? WAN rules? VPN rules?
I really would prefer to understand this better before changing anything, so hopefully some of the OPNsense maintainers or power users can chime in here.
local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server
If a LAN "in" rule matches and allows the packet, is the state created right then and there? Does it bypass any WAN "out" rule that might have otherwise blocked it, or is the state created after the WAN "out" processing is done?
In other words: if a flow is filtered in both locations, do both filters always get taken into account?
We really do need better documentation around this, IMO.
Quote from: keeka on April 11, 2026, 09:57:31 AMIf a state has been established during ingress on one interface, does it mean a packet's not being examined on egress on a second interface by virtue of the existence of state?
I think this is variant of the same question.
Quote from: keeka on April 11, 2026, 09:57:31 AMWould this impact for example flows that rely on tagging by one interface and subsequent treatment of that tag on another iface.
If the tag is meant to block traffic leaving a specific interface, then it would only work if the packet arriving on the forbidden interface doesn't already match an existing state. This is where I think it gets fuzzy with 'floating' states.
To be safe I would change some of the rules to use interface-bound states, but which ones? WAN rules? VPN rules?
I really would prefer to understand this better before changing anything, so hopefully some of the OPNsense maintainers or power users can chime in here.
#7
26.1 Series / Re: Kea DDNS in practice...
Last post by sopex8260 - Today at 02:55:14 AMQuote from: Ed V. on April 10, 2026, 08:59:52 PMUpdate to v26.1.6 didn't add any new options /fields in the Kea DDNS or DHCP tabs.
https://github.com/opnsense/ports/issues/265 filed at GitHub to request the "Manual" flag.
Thank you!
Under each subnet's settings there are the DDNS options.
#8
26.1 Series / Re: New features
Last post by OPNenthu - Today at 02:53:19 AMQuote from: pfry on April 11, 2026, 03:13:45 PMQuote from: OPNenthu on April 11, 2026, 08:43:13 AMFeature idea: Can OPNsense give me a report of the ports/protocols seen in firewall logs, by host, so that I can make quick decisions about which ones I need to keep open and which ones I can safely block? This is useful for e.g. egress filtering and tightening down the default 'allow LAN to any' rules.
I assume you're looking at the client/internal side. But such a report could be... more useful with, say, data transferred and session time. I don't think pf logging is really amenable to that, though.
Yeah, I just want to be able to profile things on an IoT network, for instance, without babysitting and manually filtering on firewall logs.
For example this guy profiled his Roku over some time frame and it revealed tcp/2350 as kind of an oddball (and also plain HTTP which is strange these days): https://www.michaelhorowitz.com/roku.network.trace.html
This kind of thing can be automated.
#9
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 02:39:03 AMI think that 'igc' devices don't depend on RSS being enabled in kernel settings. They use it implicitly.
You can check that by leaving 'net.inet.rss.enabled' to its default (0/off) and the output of 'vmstat -i' will show that igc devices have interrupts distributed across RX queues. On my machine the number of queues matches the number of cpus (4).
I don't think it hurts to leave the setting enabled though, and it probably benefits your SFP+ interfaces. But as others said, this kind of thing should either already be the default on your expensive firewall platform if it's needed, or it shouldn't be needed at all.
It looks like Deciso have not yet provided a default config for the DEC3920 but when they do, you could check it to see if RSS is explicitly enabled: https://docs.opnsense.org/hardware/defaults.html
The problem is now that you've made multiple changes, we don't know which one(s) affected your original issue. :-/
You can check that by leaving 'net.inet.rss.enabled' to its default (0/off) and the output of 'vmstat -i' will show that igc devices have interrupts distributed across RX queues. On my machine the number of queues matches the number of cpus (4).
I don't think it hurts to leave the setting enabled though, and it probably benefits your SFP+ interfaces. But as others said, this kind of thing should either already be the default on your expensive firewall platform if it's needed, or it shouldn't be needed at all.
It looks like Deciso have not yet provided a default config for the DEC3920 but when they do, you could check it to see if RSS is explicitly enabled: https://docs.opnsense.org/hardware/defaults.html
The problem is now that you've made multiple changes, we don't know which one(s) affected your original issue. :-/
#10
General Discussion / Re: Trouble understanding VLAN...
Last post by pfry - Today at 02:14:26 AMQuote from: bloodyNetworker on April 11, 2026, 11:15:27 PM[...]Here is how I imagine how in the end the interfaces in OpnSense should look like:[...]
I use something similar, with four bridges (I run everything through the firewall, and bridges make for convenient addressing; also, my Internet service is bridged): EDGE (static IPs), TRUST, GUEST, and JAIL. (I haven't used a VPN in a while.)
I only have one wireless access point (I own... uh... five, but I barely use one) (running OpenWRT), and I break it down into (surprise) two bridges: "management" and "access", segregated by physical interface (I didn't bother with VLANs). The "access" bridge has no IP address, so no communication from the AP itself, and is plugged into the guest bridge; the management side is jailed (and gets an IP from the firewall via DHCP). I used bridges in case I want to plug something else into them (temporarily), as the AP is handy and has 5 ports. Anyway, it's likely too simple for your needs. I suppose if I wanted different access levels I could just plug in a couple more APs, but I only use wi-fi to update my phone.
I do use VLANs, but only to aggregate interfaces onto the firewall. That is, I assign a unique VLAN (untagged) to each access port on my switches, and all (tagged) to the uplink to the firewall, turning the switches into port expanders. I then assign each port (physical or VLAN) on the firewall to the appropriate bridge. Positive separation for (effectively) unlimited ports with three DCHP pools.
