Recent posts

#1
For what it's worth, I upgraded from 26.1.11 to 26.7rc1 last night and had issues . I had to rollback. I just upgraded to rc2 and it worked straight away.
#2
General Discussion / Re: Unbound DNS keeps crashing...
Last post by keeka - Today at 06:50:49 PM
What about a rule permitting the redirected traffic?
Also, assuming you have not permitted DNS elsewhere, that floating block rule may be redundant.
#3
Quote from: cookiemonster on Today at 06:15:19 PMbut why limit your investigation to that metric only?
Unless I misread the whole thing you have a firewall that has an apparent overuse of cpu cycles. You are trying to investigate what _process_ might be the one(s) causing the spike in cpu cycles. Here is what my suggestion is, to use htop to see what processes are using up the cpus. From that you can hopefully identify the processes and start digging into them to figure out why.
A ps no matter what flags to use is only a point-in-time list of processes. top/htop are updating real time unless the whole machine is too overwhlemed.

The cpu is consumed in the irq context, it is an exception handler, not a process, the IRQ is calling the netisr that is the procedure executed in the interrupt context-> this procedure is in charge of receiving and processing the packet into the PF path.

you have a detailed investigation in the thread i posted in the beginning, IRQ per second is normal, not error logged, not any HW misbehaving.

I positively know it is the logging of the FW or something related / called by pf, because logging verbosity, and fw disabled has an impact in the test.

I am currently investigating the console output (i have it enabled by default), because i also dont know what else could be once we ruled out the logging subsystem or problems wiht the ssd
#4
26.1, 26,4 Series / Re: a few hundreds of messages...
Last post by cookiemonster - Today at 06:15:19 PM
but why limit your investigation to that metric only?
Unless I misread the whole thing you have a firewall that has an apparent overuse of cpu cycles. You are trying to investigate what _process_ might be the one(s) causing the spike in cpu cycles. Here is what my suggestion is, to use htop to see what processes are using up the cpus. From that you can hopefully identify the processes and start digging into them to figure out why.
A ps no matter what flags to use is only a point-in-time list of processes. top/htop are updating real time unless the whole machine is too overwhlemed.
#5
26.1, 26,4 Series / Re: Source NAT vs Outbound ?
Last post by franco - Today at 06:08:15 PM
Auto-NAT rule are shared between both components, but don't show entirely on the source NAT page yet but they are in effect (the code for this did not change).

The migration tool was added in 26.1.11 so very recently.


Cheers,
Franco
#6
General Discussion / Re: Unbound DNS keeps crashing...
Last post by apoorv569 - Today at 05:43:08 PM
Here is my entire floating rule for blocking port 53 and the destination NAT rule for forwarding port 53 traffic to 127.0.0.1, for all 9 VLANs I have,
Let me know if anything else is needed as well.
#7
General Discussion / Re: Unbound DNS keeps crashing...
Last post by RES217AIII - Today at 05:32:49 PM
My idea about the problem:
When you restart Unbound or a client makes a new request, your destination NAT intercepts it, forwards it to 127.0.0.1 and a state is created. The client receives his answer.

However, Unbound itself needs to communicate with the outside world (upstream DNS or root server) via port 53. Depending on how your floating rule is configured, Unbound will block its own outbound requests. As soon as Unbound needs to update an entry or fetch a new request from the Internet, it will be blocked by the floating rule; it enters an error state, logs a "SERVFAIL", and DNS resolution fails until you restart the service (which clears the status records).

Maybe it's worth trying to adjust the floating rule so that all requests that are not made to the firewall are blocked: using the "Invert" function in the destination:
• Destination: [X] Invert
• Target: This Firewall (self)
#8
High availability / [Plugin] os-carp-vip-dhcp - ...
Last post by toreamun - Today at 05:22:13 PM
If you run (or want to run) an OPNsense HA pair with CARP but your WAN is DHCP-assigned rather than static, you've probably hit this wall: the docs assume 3 static WAN IPs, and stock CARP can't work on DHCP or single IP. This plugin closes that gap.

Why stock CARP can't do it: a CARP virtual IP is static, and a DHCP WAN only routes an address while a live DHCP lease is bound to its MAC - so the VIP never gets a lease and never receives traffic. dhclient can't help either: it can't decouple the DHCP chaddr from the interface's hardware MAC.

What it does: a small daemon keeps a DHCP lease alive for the CARP VIP's virtual MAC. The ISP then routes the VIP to that MAC, native CARP answers ARP and fails over as usual - so the shared IP works and fails over on a dynamic WAN. Runs on both nodes redundantly, follows a changing address, and keeps the upstream ARP fresh (some gateways silently blackhole otherwise).

Tested on two independent real ISP lines (one CGNAT, one a plain public-DHCP WAN). On a two-node bench the whole path is verified end-to-end: the VIP holds its lease on the virtual MAC, CARP fails over cleanly (master link down -> backup takes over, VIP held), the ARP nudge is answered by the real ISP gateway, and follow works (the VIP tracks a changed address without ever dropping the lease).

When it applies: an HA pair + a DHCP (not static/PPPoE) WAN. Works whether the line hands out several concurrent leases (one per node's WAN + one for the VIP - the straightforward case) or only a single address.

Only a single IP? Supported too - a single floating VIP holds the one lease while each node uses a private WAN IP for CARP, and the backup reaches the internet through the master. Every mechanism is lab-validated on the bench, but I haven't yet run the whole single-IP topology on a live one-IP line — so I'd love a field report if you run it on a real single-IP WAN.

Also worth knowing for HA: for outbound traffic to survive a failover, point Outbound NAT at the CARP VIP (not a node's own WAN address). If the address is dynamic, the plugin can keep a firewall alias in sync so NAT/rules follow it automatically.

Personal third-party plugin for now. If there's interest I'd like to propose it for the official OPNsense community plugins - so say so if it'd be useful, and a star on the repo helps make that case.

Repo + one-line installer: https://github.com/toreamun/opnsense-plugins
#9
26.1, 26,4 Series / Re: Source NAT vs Outbound ?
Last post by keeka - Today at 05:20:42 PM
Quote from: franco on Today at 04:38:40 PMYes, there is a migration tool. As far as capabilities go outbound and source NAT shall be identical and the switch is mainly made to enable MVC/API access to that component. Outbound NAT will eventually move to the os-firewall-legacy plugin as well.

Thanks @franco. I redefined my outbound rules under SNAT manually a while back and did not see or use the tool.
In order for auto NAT rules to be listed under the new SNAT interface (as per hharry's screenshot), do we need to run the tool? I cannot find it. I even added a temporary rule under old Outbound interface, in case this was needed to trigger the visibility of the tool.
#10
But still, the Deciso DEC697 uses a 256GB NVMe. Any one knows the brand and model ?