Recent posts

#91
Hardware and Performance / Re: Internet speeds reduced se...
Last post by manki_09 - January 13, 2026, 12:09:45 AM
I've done a bit more testing that could point towards the Xfinity Gateway (in bridge mode) being the issue. I have a cheap managed switch with 2 SFP+ ports and 4x 2.5Gb ports. Put in between the router and the gateway, this gives me the ability to change port speeds on each device.

Here are my test results after running a speedtest a few times. I cycled through the ports a couple of times to ensure nothing changed.

Modem    Router    Speed result
2.5GB    10GB      ~325 Mbps
2.5GB    2.5GB     ~325 Mbps
2.5GB    1GB       ~650 Mbps
1GB      10GB      940 Mbps
1GB      2.5GB     940 Mbps
1GB      1GB       940 Mbps

It seems to run pretty consistently when the modem's link is set to 1GB, at 900-940 Mbps, as a 1GB link should.

However, when the modem's link is set to 2.5GB I get pretty inconsistent speeds, sometimes better than the speeds above but usually only 50-100 Mbps better, never reaching what a 1GB link should be.


I have not tested my 2.5GB USB adapter yet, since I have services being hosted on this and it requires a gateway reboot to connect a new device/MAC. I may try it out tomorrow morning, but for now things seem to point towards the modem.



Quote from: passeri on January 12, 2026, 03:14:41 AM
Quote from: manki_09 on January 11, 2026, 11:01:56 PM
I currently have shaping turned off. I tried shaping as a troubleshooting step to limit the speed to 1gb but nothing changed.
The Intel X550 NICs will not auto negotiate to 2.5gbps. This is programmed into the firmware. Manual selection is required. This is why I have a 2.5gb USB NIC ordered, so I can test if the NIC is at fault.
I see. You mean like this comment which I found on the Intel site here?
Quote from: Intel engineer
The autonegotiation for 2.5 and 5Gb speeds for the X550 was changed in 2020.
Default autonegotiation excludes the 2.5 and 5Gb speeds.
If 2.5 or 5Gb is chosen in the dropdown, it will change autonegotiation to only advertise that speed. So it is not forcing to 2.5Gb or 5Gb when those options are chosen, it changes the advertised speed.
That may be an issue if the switch is configured as forced to 2.5Gb instead of autonegotiate.
If that still does not help, please make sure the ethernet updated to the latest NVM and drivers.

This comment and the prior discussion on the Intel site imply to me that the problem may lie with NIC configuration rather than with Opnsense config. Your proposed test may be informative ("may" because I lack complete confidence in USB-Ethernet adapters even though I sometimes use them in testing).

Yes, that's the post where I learned that the NIC needs to be manually set to get 2.5gb/5gb links by default. I don't have the latest firmware (3.70) for the NIC, but I do have 3.50 and, looking at the change log, I don't appear to be exhibiting the bugs that were fixed.

Last night I did a bit of research and found this on the forums:
Adding Speed Parameters to X550 Config

I added a tunable option dev.ix.1.advertise_speed with a value of 23, which now allows my NIC to auto negotiate to 100, 1g, 2.5g or 10g. This seems to be working now.
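As an added illustration (not code from the post or from OPNsense/FreeBSD), the value 23 only makes sense once you see how ix(4) lays out the advertise_speed bits; this Python helper decodes a tunable value into the speeds it advertises and builds the tunable line from a speed list. The bit assignments are those documented in the FreeBSD ix(4) manual page; the function names are mine.

```python
# Added example: encode/decode the FreeBSD ix(4) dev.ix.N.advertise_speed tunable.
# Bit layout documented in ix(4):
#   0x1 = 100M, 0x2 = 1G, 0x4 = 10G, 0x8 = 10M, 0x10 = 2.5G, 0x20 = 5G
IX_ADVERTISE_BITS = {
    "10M": 0x8, "100M": 0x1, "1G": 0x2, "2.5G": 0x10, "5G": 0x20, "10G": 0x4,
}
SPEED_ORDER = ["10M", "100M", "1G", "2.5G", "5G", "10G"]  # slowest first


def decode_advertise_speed(value: int) -> list[str]:
    """Return the link speeds an advertise_speed value advertises, slowest first.

    Rejects values that set bits ix(4) does not define, which is the usual
    sign of a typo in the tunable (e.g. 0x40).
    """
    known = sum(IX_ADVERTISE_BITS.values())
    if value < 0 or value & ~known:
        raise ValueError(f"advertise_speed {value:#x} sets bits ix(4) does not define")
    return [s for s in SPEED_ORDER if value & IX_ADVERTISE_BITS[s]]


def encode_advertise_speed(speeds) -> int:
    """OR together the ix(4) bits for the given speed names."""
    mask = 0
    for s in speeds:
        if s not in IX_ADVERTISE_BITS:
            raise ValueError(f"unknown speed {s!r}; choose from {SPEED_ORDER}")
        mask |= IX_ADVERTISE_BITS[s]
    return mask


def tunable_line(unit: int, speeds) -> str:
    """Render the tunable as 'dev.ix.<unit>.advertise_speed=<value>' for an ix unit."""
    return f"dev.ix.{unit}.advertise_speed={encode_advertise_speed(speeds)}"


if __name__ == "__main__":
    # The post's value: 23 = 0x10 | 0x4 | 0x2 | 0x1 -> 2.5G, 10G, 1G, 100M
    print(decode_advertise_speed(23))
    print(tunable_line(1, ["100M", "1G", "2.5G", "10G"]))
```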
#92
General Discussion / Re: Install problem on NVMe (n...
Last post by Jwidess - January 12, 2026, 11:17:20 PM
Quote from: bsdimp on January 12, 2026, 10:13:55 PM
So async events are problems with the drive, usually temperature. Log page 2 is the SMART page and it should say what it is.

But if it's a constant spew, then maybe we aren't clearing enough bits in the event masks. Turning off logging almost certainly is the wrong approach, since all those interrupts are bogging down the system...

What does logpage 2 say? nvmecontrol logpage -p2 nvme0

Warner

Good point, I suppose just hiding these is not a great solution. My PR was primarily just a way to give myself the option to suppress them to allow an install. At the end of the bug report, I have my output from that machine with the drive experiencing the errors:

SP500GBP44UD900 nvmecontrol Output:
~ # nvmecontrol logpage -p 2 nvme0
SMART/Health Information Log
============================
Critical Warning State:        0x00
 Available spare:              0
 Temperature:                  0
 Device reliability:            0
 Read only:                    0
 Volatile memory backup:        0
Temperature:                    311 K, 37.85 C, 100.13 F
Available spare:                100
Available spare threshold:      10
Percentage used:                0
Data units (512,000 byte) read: 7531
Data units written:            10305
Host read commands:            216800
Host write commands:            150867
Controller busy time (minutes): 2596
Power cycles:                  32
Power on hours:                43
Unsafe shutdowns:              9
Media errors:                  0
No. error info log entries:    0
Warning Temp Composite Time:    0
Error Temp Composite Time:      0
Temperature 1 Transition Count: 0
Temperature 2 Transition Count: 0
Total Time For Temperature 1:  0
Total Time For Temperature 2:  0

Bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292410
#93
Virtual private networks / WireGuard VPN - OpenID Connect...
Last post by paulo.pereira - January 12, 2026, 10:53:20 PM
Hi,

We have bought a DEC4280 firewall to replace our current Cisco one.
We have configured WireGuard as our VPN with OpenID Connect as authentication on Captive Portal.
We have Unbound DNS disabled; we have an internal DNS server.

The issue we have is that, in order for the Captive Portal to redirect to the right Microsoft endpoints (e.g. login.microsoft.com), I have to put the Microsoft endpoints' IP addresses into the Captive Portal field "Allowed addresses", and this is unfeasible because of the many IPs that Microsoft uses.

We have tried to "Disable firewall rules" on the portal and create them manually according to the OPNsense docs on the WireGuard interface, but with no luck.

Any help with this will be appreciated, thanks!


Best Regards,

Paulo Pereira


#94
General Discussion / Re: Install problem on NVMe (n...
Last post by Patrick M. Hausen - January 12, 2026, 10:23:22 PM
@Warner welcome! Great to have you joining. Thanks a lot!
#95
Hardware and Performance / Starting homelab network - har...
Last post by hacktheplanet - January 12, 2026, 10:22:32 PM
Hi all!

I will be building out a homelab and would like to have the router running OPNSense. I am coming from a Fritzbox 7530 AX.

I am considering a number of hardware options and would appreciate some advice to help me narrow it down.

Use Case

My use case, as I implied above, is to set up a homelab but also just have a secure and functional home network, so I can do the following:

  • Segment my network into multiple VLANs
  • Set up semi-managed switches
  • Set up access points
  • Explore the IDS/IPS features - will probably run CrowdSec
  • Support personal devices for a household of 2-4 people
  • Set up PoE security cameras on a separate VLAN
  • Establish homelab to mess about with things like HomeAssistant, etc.
  • Set up a VPN or similar means of accessing self-hosted services when away from home
  • Future proof my network, at least 2.5G capable

My maximum budget would be €800, though ideally I'd like to stay well under that if possible.

Ready and Purpose Built Options

As far as brand new devices, I have been looking at the following:

1. Protectli VP2430

Pros:

  • From my understanding, spec-wise it should be able to handle everything I need.
  • I can also configure it to have more than 8GB of RAM or just get it with 8GB and update it myself down the road if I see the need.
  • Can be configured with Coreboot
  • Can be configured with a TPM
  • Has a standard 2-year warranty

Cons

  • American company (with EU offices) - would prefer to support an EU company and not have to worry about current/future international relations
  • Relatively pricey, considering similar devices are available from Ali Express and other similar marketplaces

Overkill alternative:

Protectli VP2440

Similar pros and cons, just not sure if getting 10GbE is worth it.

I am not really convinced of the various Chinese brands that do similar devices, primarily due to concerns regarding ongoing support and security updates, but if somebody has similar suggestions that address these concerns somewhat, I would be interested in finding out more.

2. DEC697

Pros:

  • From my understanding, spec-wise it should also be able to handle everything I need.
  • Supports OPNSense development
  • European
  • Comes with 2 year warranty
  • Comes with 1 year OPNSense Business Edition

Cons

  • RAM not upgradable, may not be as future proof?
  • Also pretty pricey

Questions I have about this product:
- Since this is running an AMD chip, does the lack of Coreboot still present a loss in terms of privacy and security?
- How limiting will 8GB be going forward?

Overkill alternative:

DEC750

Again, mainly for 10G future proofing.

Mini PCs

I have also looked into repurposing an SFF/USFF device as a router, for example a Lenovo ThinkCentre M720q. I also have access to a bunch of Optiplex 5070 Micros, but these don't have the advantage of the PCIe slot (when used with a riser) that the Lenovo has.

Pros

  • Much cheaper
  • Possibly slightly better specs
  • Can be configured with more RAM later
  • Relatively low power still

Cons

  • Sourcing a device that's in good condition, with original power brick may be difficult
  • Need to source reputable/genuine Intel NIC
  • Need to source riser for PCIe slot or alternative for the Optiplex option
  • Very DIY, would feel afraid of misconfiguring the device and exposing myself to security issues
  • No warranty or support
  • Not as quiet
  • Higher power consumption

I also have an old Intel i5-4960k and GTX 970 system lying about in a big case, which maybe I could look at converting into a small form factor build, similar concerns as above though (mainly around security). In general, I am comfortable enough with problem solving with servers and personal devices as a Linux user, but ideally my router would be fairly set and forget (and reliable!), which I'm not sure these options would provide.

Bonus questions:

  • Has anybody had luck putting a device with OPNSense on it downstream of a FritzBox (which doesn't seem to support bridge mode) without too many issues due to double NAT? I've heard mixed reports that you can put the OPNSense router in the DMZ and forward traffic there, in order to avoid some issues with double NAT.
  • Does anybody have any suggestions for PoE-capable switches and access points that play nicely with OPNSense? I've been considering MikroTik but I'm not entirely sure what to look for.

Any advice very much appreciated. Happy to elaborate on anything if need be.

#96
General Discussion / Re: Install problem on NVMe (n...
Last post by bsdimp - January 12, 2026, 10:13:55 PM
So async events are problems with the drive, usually temperature. Log page 2 is the SMART page and it should say what it is.

But if it's a constant spew, then maybe we aren't clearing enough bits in the event masks. Turning off logging almost certainly is the wrong approach, since all those interrupts are bogging down the system...

What does logpage 2 say? nvmecontrol logpage -p2 nvme0

Warner
#97
German - Deutsch / Re: Own DNS with an IPv6...
Last post by meyergru - January 12, 2026, 09:53:19 PM
Correct.

For example, with dynamic IPv6 it is very hard to create DNS entries, since that requires known IPs. The usual recommendation is then to use ULAs for the internal DNS, which in turn does not work with dual stack, because IPv4 is prioritised over ULA IPv6, as already shown.

Identifying a client (e.g. in firewall logs) by its IPv6 address could also easily be achieved with DHCPv6. With dynamic IPv6 that is de facto ruled out, because DHCPv6 leases might remain valid for too long. That is the reason I propose SLAAC-only in the IPv6 HowTo. But then DNS registration does not work again and the IPs are essentially random.

Even firewall rules for IPv6 can only be done with two tricks: either dynamic IPv6 aliases based on known EUI-64 addresses (which, as already discussed, only works on Windows, iOS and Android with special settings when using SLAAC), or you create IPv6 firewall rules based on the MAC...

Not to mention Docker with IPv6 and dynamic prefixes. Anyone who has tried to monitor an IPv6 address with Uptime Kuma knows what I mean: it only works via a proxy.

All of these are clumsy workarounds to somehow get around the missing static prefixes, and they only work to a limited extent. With static IPv6 prefixes and DHCPv6 none of this would be a problem. Then, apart from LAN server services (which should be dual-stack capable) and a necessary bridging solution for IPv4 on the Internet, even IPv6-only in the LAN comes within reach.
#98
German - Deutsch / Re: Own DNS with an IPv6...
Last post by Patrick M. Hausen - January 12, 2026, 09:15:53 PM
You can configure all your internal interfaces statically, switch on Router Advertisements/SLAAC, and everything will simply work magically without any further contortions.

That is exactly how IPv6 was intended. Its inventors never dreamed that someone would periodically rotate a prefix on a line. It is simply complete nonsense.

If you read the early literature on IPng, as it was still called back then, an automatic prefix change was of course planned. But in the example scenarios you find, for instance, the switch from Internet provider A to Internet provider B. You put both uplink routers into the network in parallel, giving the new one a lower priority. When the first tests look good, you swap the priorities. The next day you switch off the old router. That is what it is intended for ... not for the ISP pushing a new prefix on you every 24h.

Regards
Patrick
#99
German - Deutsch / Re: Hardware search N150 with In...
Last post by newbe - January 12, 2026, 09:12:44 PM
There are plenty of mini PCs with 2x LAN interfaces: Blackview, SOYO Mini, GMKtec...:

Mini PC SOYO M4 Mini Intel Twin Lake N150 processor LPDDR5 12 GB RAM 512 GB ROM Windows 11 Pro WiFi 5
https://de.aliexpress.com/item/1005010734755262.html
138.75 €

I have Blackview units among others and can't complain, including some that have been running 24/7 for months.

You can also find user experiences here: https://www.mydealz.de/gruppe/mini-pc
#100
German - Deutsch / Re: Own DNS with an IPv6...
Last post by n3 - January 12, 2026, 08:50:45 PM
What advantage do you see in a fixed IP?