Recent posts

#11
General Discussion / Re: Adding an additional LAN i...
Last post by jbresee - Today at 05:27:17 PM
The interface is an SFP port.
Since I am getting a DHCP address on the client, and I can see traffic coming from the client to the firewall, and in live view I can see the packet arriving at the firewall and passing the allow all out rule, it seems like basic connectivity is up.

I've attached a screenshot for both the existing LAN interface and the new SFP interface.

I also attached a packet capture from the firewall showing traffic coming from the client machine with a ping that is not responded to.
Thanks for any thoughts!
#12
Out of curiosity I restarted my DEC740 with VyOS (on a stick) and in that setup I was able to set the MTU to 9000 (eth3 below) and ping was successful. No hardware restriction, software only.

The setup was: DEC740 (eth3, 10.66.6.1) - MikroTik Switch CSS610-8P-2S+IN - QNAP QNA-UC5G1T (5Gbit USB NIC, 10.66.6.2)

vyos@vyos# run sh inter ethernet eth3
eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether f4:90:ea:00:73:63 brd ff:ff:ff:ff:ff:ff
    altname enp6s0f1
    inet 10.66.6.1/24 brd 10.66.6.255 scope global eth3
       valid_lft forever preferred_lft forever
    inet6 fe80::f690:eaff:fe00:7363/64 scope link
       valid_lft forever preferred_lft forever

    RX:   bytes  packets  errors  dropped  overrun       mcast
         226837      366       0        0        0         109
    TX:   bytes  packets  errors  dropped  carrier  collisions
         160576       88       0        0        0           0

vyos@vyos# ping -M do -s 8972 -c 4 10.66.6.2
PING 10.66.6.2 (10.66.6.2) 8972(9000) bytes of data.
8980 bytes from 10.66.6.2: icmp_seq=1 ttl=64 time=1.13 ms
8980 bytes from 10.66.6.2: icmp_seq=2 ttl=64 time=1.29 ms
8980 bytes from 10.66.6.2: icmp_seq=3 ttl=64 time=1.42 ms
8980 bytes from 10.66.6.2: icmp_seq=4 ttl=64 time=1.23 ms

Trying the same with FreeBSD 15-CURRENT 2025-05-08 showed the same issue as with OPNsense.

Btw: Linux also reports 3 rx and 3 tx queues, which seems to be implemented that way in hardware.
#13
High availability / Quality graph with pppoe
Last post by mdastous - Today at 05:24:04 PM
I just switched to a provider that requires PPPoE, and since then the quality graph gives me values below 1 ms... so I'm assuming it's not pinging the right gateway. Under System->Gateway->Configuration I set a value for "Monitor IP", but that didn't change anything in the graph.
#14
25.1, 25.4 Production Series / Re: Unbound to DNSMasq
Last post by meyergru - Today at 05:21:39 PM
I would rather say that DNSmasq is taking over from ISC DHCP. @Monviech wrote that with ISC DHCP phasing out and with Kea DHCP not being up to par yet, there needed to be an alternative.

While DNSmasq can do all three of DNS, DHCP and router advertisements in one tool, it cannot do recursive DNS or DoT/DoH - it needs an upstream DNS resolver. So the proposed approach is to have Unbound for that, if you need it. I do not, so I started to use it now for all it supports.

I have even used some scripts to facilitate the migration from local Unbound DNS aliases and ISC DHCP reservations.
#15
25.1, 25.4 Production Series / Unbound to DNSMasq
Last post by spetrillo - Today at 05:09:09 PM
Hello all,

I need some clarity. Reading the notes from the 25.1.6 update gives me the impression that DNSmasq is beginning to take over from Unbound. I run Unbound as my DNS server, and use ISC DHCP for DHCP purposes. If the move is to Kea DHCP, does that mean I need to move from Unbound to DNSMasq for DNS purposes? Like I said, I am trying to gain some clarity here.

Thanks,
Steve
#16
Hardware and Performance / Re: Permit to reset all tunabl...
Last post by Seimus - Today at 04:46:32 PM
There is a reset button; you can reset all tunables to default when you click the trash-bin icon on the tunables page.

Regards,
S.
#17
Zenarmor (Sensei) / Re: I just had a Zenarmor ad *...
Last post by Seimus - Today at 04:45:20 PM
Nothing new.
They have actually been doing this for a long time, whenever they have a new feature or implementation around ZA. You will see this even in the OPNsense ZA dashboard panel.

Regards,
S.
#18
By making its target not "any" but a negated alias that contains RFC1918, or by putting a block rule for RFC1918 before the "allow any" rule for such less-privileged VLANs.

I would not put these rules in the floating rules, but either into the VLAN rules or into a rule for a firewall group that contains all less-privileged VLANs. The reason for this is that you may want to have some rules for well-known services on your LAN that are in RFC1918 and that must be specifically allowed in the floating rules (say, a file, logging or NTP server).
#19
Man, not sure I follow, sorry.

If a default "allow all" rule, floating or per VLAN, is needed to access the internet, how am I going to block my untrusted VLANs from accessing my trusted ones?
#20
Virtual private networks / OPNSense S2s VTI Setup not wor...
Last post by seroal - Today at 04:05:39 PM
I have some issues migrating from policy-based to route-based VPN for an OPNsense S2S VPN (both systems are OPNsense). Actually, the tunnel builds up including Phase 2. I can see 0.0.0.0/0 as local and remote identifier. After configuring everything according to the documentation (https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections), routing still does not work. Packet captures on the VTI interfaces on both firewalls show nothing. I tried to ping the remote VTI address, but nothing happens. The "install policy" checkbox was unchecked for sure on both sides.

Just FYI: In the swanctl.conf I did not find anything related to "if_id_in" or "if_id_out". The swanctl doc about VTI says that this is important... (https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html)

What is the best way to troubleshoot this?

Thanks.