"Recent posts
#21
25.7, 25.10 Series / Re: Intel Thermal Sensor Virtu...
Last post by pfry - January 21, 2026, 07:45:13 PM"None/ACPI" may be worth a try. I have a Gigabyte board that exports a bunch of sensors via ACPI, including some from add-in cards; my Asrock boards do not.
#22
General Discussion / Re: Can’t get the shaper on OP...
Last post by Seimus - January 21, 2026, 07:23:14 PMQuote from: mooh on January 21, 2026, 07:11:53 PMI'm guessing that physical bandwidth below pipe bandwidth may mess with the scheduling.
You are correct. You can not shape BW you do not have.
Imagine for example where you have an ISP contracted WAN throughput of 10Mbit/s.
You set your Pipe to 10Mbit/s and split it using WFQ, you give 5Mbit/s to one Queue and 5 Mbit/s to other.
Now lets say the ISP given BW us highly variable and drops to 5Mbit/s. If one of those Queues goes full it technically eats all the real available BW at the time causing a partial starvation on the other. Because services like DNS are UDP based, packets are dropped without any mechanism to recover it. Thus you may get timeout for DNS.
Regards,
S.
#23
General Discussion / Re: Can’t get the shaper on OP...
Last post by mooh - January 21, 2026, 07:11:53 PMThanks guys, your discussion adds valuable information that helped me get my setup running (finally). But while experimenting with the settings I noticed something:
At a site with limited upload capacity, traffic from one network needs to be de-prioritised when other traffic is present. So, I added an upload pipe with the full nominal bandwidth to the ISP, added two weighted queues and the rules (great to have interface pairs in rules!). Generally, everything works as expected. Occasionally however, I get DNS resolution failures on the hi-prio networks while the low-prio network is uploading at full speed. This has not been observed before using traffic shaping. I'm not 100% sure what is going on. Shifting queue weights doesn't seem to do much to solve the issue. Latest test is to lower the pipe bandwidth to a few Mbits below the nominal bandwidth because the connection is via VDSL and the actual bandwidth is fluctuating somewhat. I'm guessing that physical bandwidth below pipe bandwidth may mess with the scheduling.
Since the DNS timeouts occur only sporadically, I can't be sure if this really fixes the issue. Has anyone else seen this and is there a know solution?
At a site with limited upload capacity, traffic from one network needs to be de-prioritised when other traffic is present. So, I added an upload pipe with the full nominal bandwidth to the ISP, added two weighted queues and the rules (great to have interface pairs in rules!). Generally, everything works as expected. Occasionally however, I get DNS resolution failures on the hi-prio networks while the low-prio network is uploading at full speed. This has not been observed before using traffic shaping. I'm not 100% sure what is going on. Shifting queue weights doesn't seem to do much to solve the issue. Latest test is to lower the pipe bandwidth to a few Mbits below the nominal bandwidth because the connection is via VDSL and the actual bandwidth is fluctuating somewhat. I'm guessing that physical bandwidth below pipe bandwidth may mess with the scheduling.
Since the DNS timeouts occur only sporadically, I can't be sure if this really fixes the issue. Has anyone else seen this and is there a know solution?
#24
General Discussion / Re: Where is TCP processed - C...
Last post by Seimus - January 21, 2026, 07:09:28 PMQuote from: chemlud on January 21, 2026, 03:01:11 PMTells me what? ;-)Tells you if there is something on the device itself beyond the NIC that could case the behaviour.
Yea the next step would be to mess with the driver. Best do it indeed locally.
Regards,
S.
#25
25.7, 25.10 Series / wireguard - totally disable ke...
Last post by FredFresh - January 21, 2026, 07:00:02 PMI want to totally disable the keepalive signal to peers of wireguard connections, is it possible?
If I put nothing in the box, it sends signals. If I put 0, it is not allowed. It seems the only thing I can do is to use the maximum value allowed of 65535 secs.
Thanks
If I put nothing in the box, it sends signals. If I put 0, it is not allowed. It seems the only thing I can do is to use the maximum value allowed of 65535 secs.
Thanks
#26
25.7, 25.10 Series / Re: How to increase a proxmox ...
Last post by dgrns - January 21, 2026, 06:50:59 PMThis was a timely nugget of information.
I'm trying to reproduce a multi-site wireguard site-to-site issue and am using VMs to mimic the environments. My VM template disk was too small, but with `touch /.probe.for.growfs` I was back up and running in minutes...
And also a big thanks to @Maurice for the aarch64 images!
I'm trying to reproduce a multi-site wireguard site-to-site issue and am using VMs to mimic the environments. My VM template disk was too small, but with `touch /.probe.for.growfs` I was back up and running in minutes...
And also a big thanks to @Maurice for the aarch64 images!
#27
German - Deutsch / Re: Bridge mit VXLAN verschluc...
Last post by EFS - January 21, 2026, 06:40:25 PMHallo Patrick,
ich habe folgende gesetzt:
Auch nach dem Ändern der Tunables, inkl. Neustart der OPNsense, hat sich leider nichts geändert.
ich habe folgende gesetzt:
- net.link.bridge.pfil_member = 0
- net.link.bridge.pfil_bridge = 1
Auch nach dem Ändern der Tunables, inkl. Neustart der OPNsense, hat sich leider nichts geändert.
#28
25.7, 25.10 Series / Re: python -- several vulnerab...
Last post by franco - January 21, 2026, 06:38:52 PMPython has not gone ahead with releasing a new version yet. It was met with a bit of irritation. For now it is what it is.
Cheers,
Franco
Cheers,
Franco
#29
25.7, 25.10 Series / Re: Unbound to DNSmasq/KEA?
Last post by readr00m - January 21, 2026, 06:26:13 PMI just have a small homelab setup, so I moved to dnsmasq for DHCP only and kept unbound for DNS. I was using KEA for a period of time and it worked fine, but I read that KEA is better for larger setups and smaller/personal setups are better with dnsmasq.
#30
25.7, 25.10 Series / Re: Unbound to DNSmasq/KEA?
Last post by julsssark - January 21, 2026, 06:10:56 PMI was using almost the same setup you are thinking about, and it worked great for my homelab that only uses IPv4. I used Kea for DHCP and AdGuard to Unbound for DNS. Just make sure that you set the DNSMasq port to 53 and use a different port for Unbound (e.g., 15353). Be aware that with this configuration, when you set static hosts in Kea, you will also need to add an entry to DNSMasq if you want to reference that host by name/DNS.
Is there a reason/feature that you want to use Kea for DHCP vs. letting DNSMasq do it? The OPNsense docs summarize the options nicely: https://docs.opnsense.org/manual/dhcp.html#available-options
Edit: I switched to DNSMasq for DHCP when that became the recommended setup for small installations.
Is there a reason/feature that you want to use Kea for DHCP vs. letting DNSMasq do it? The OPNsense docs summarize the options nicely: https://docs.opnsense.org/manual/dhcp.html#available-options
Edit: I switched to DNSMasq for DHCP when that became the recommended setup for small installations.
