Recent posts

[device=0x1533]

#91

25.7 Series / Re: upgrade to 25.7.2 from 25....

Last post by BrandyWine - August 30, 2025, 07:05:24 AM

According to this website, it should be the i210-AT nic.

igb1@pci0:5:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x15d9 subdevice=0x1533

ls /boot/kernel | grep -v kernel . After this, i got a long list of modules, where i found if_igb.ko and if_igc.ko . I'm actually not sure what i'm looking at .

Kudos for you doing some digging.
The lastest driver for i210 is v5.19.4 from July 2025. I not sure when your OS (my version of freeBSD 14.3-RELEASE-p2) was compiled, can find that on freeBSD ste, but then need to know what i210 driver code version was compiled into the kernel.

That long list you asked about shows the driver tree that is compiled into the kernel. kldstat shows you the drivers that were loaded in manually ("dynamically").

Sometimes less can be easier on the eyes
pciconf -l

1 step further is we find the device ID and check that with intel docs (https://www.intel.com/content/dam/www/public/us/en/documents/faqs/ethernet-controller-i210-i211-faq.pdf?asset=9597&-907791053.1537776712&)

Is indeed the AT fully programmed flavor.

Issues with i210, makes me wonder if the firmware version in EEPROM is causing issue? Yours looks like v3.16, other sites seem to show v3.30 "fixing security issues".
Flashing the nic firmware is a bit tricky, perhaps too hard for most.

Just for reference:
https://www.intel.com/content/www/us/en/products/details/ethernet/gigabit-network-adapters/i210-server-adapters/resource.html
https://www.intel.com/content/www/us/en/support/articles/000005790/software/manageability-products.html
https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=5r8tk
https://github.com/dgrafe/i210-tools/tree/master/i210-flash

New stuff as of 7/2025
https://www.intel.com/content/www/us/en/products/sku/64400/intel-ethernet-controller-i210at/downloads.html
https://www.intel.com/content/www/us/en/download/14098/intel-network-adapter-driver-for-82575-6-82580-i350-and-i210-211-based-gigabit-network-connections-for-linux.html

The Intel I210 Ethernet controller has updatable firmware that can enhance its features and fix issues. You can update the firmware using a utility provided by Intel, which typically involves downloading the firmware package and running it on your system.

Overview of Intel I210 EEPROM Firmware

The Intel I210 Ethernet Controller requires firmware updates to enhance functionality and fix issues. The firmware is stored in the EEPROM (Electrically Erasable Programmable Read-Only Memory) and can be updated using specific utilities.
Updating the Firmware
Supported Operating Systems

    Windows
    Linux

Update Process

    Download the Firmware Update Utility:
        For Windows, download the I210_NVMUpdatePackage_v2_00_Windows.exe.
        For Linux, use the appropriate command-line tools.

    Installation Steps:
        Windows:
            Run the downloaded executable as an administrator.
            Follow the prompts to complete the update.
        Linux:
            Boot from a live USB (e.g., Ubuntu).
            Install necessary packages:
                sudo apt install gcc-12 linux-headers-$(uname -r) make ethtool
            Use the bootutil command to flash the firmware.

Important Considerations

    Ensure that the firmware version is compatible with your specific I210 model.
    Back up existing configurations before proceeding with the update.
    Be cautious, as improper updates can lead to bricking the device.

Features of the Firmware Update

    Fixes security vulnerabilities.
    Improves network stability and performance.
    Unlocks new features for enhanced functionality.

By following the correct procedures, users can successfully update the Intel I210 EEPROM firmware to maintain optimal performance and security.

#92

General Discussion / Re: Losing WAN connection peri...

Last post by BrandyWine - August 30, 2025, 06:21:37 AM

The fw WAN is likely not in a /30.
So let's ask.... OP, what subnet is your FW WAN getting from dhcp, or now whatever OS is connecting to the ISP?

#93

General Discussion / Re: Mixed untagged and vlan ta...

Last post by OPNenthu - August 30, 2025, 05:50:30 AM

Are you suggesting to split the network to try to isolate the leak?

Yes, but that's required unless you're using VLANs.   What VLANs bring to the table is that they create virtual L2 domains, which allows you to create networks atop shared physical infrastructure.  Without them (if you're using native networks) then you need separate ports / switches / cabling for each network in order to maintain L2 isolation.

So unless you switch to VLANs, you need to keep those networks physically separate.  It's not a hard requirement as you already know, it's possible to use the same L2 domain, but you'll see the kind of issues that you're seeing.

In that case, would it be best to put switch C, with the access point on the separate port?

Yes

Then that would have the guest subnet, and a sort of secondary lan subnet?

Not sure where you're getting this "secondary" lan from?  There would only be two native networks: the main LAN (router port 1), and Guest (router port 2).

You might be thinking that the AP needs both a native network as well as a tag for Guest?  If so, I think that only applies when you are using the UniFi switch with VLANs.  If you're not using VLANs then there won't be any tagged network- just the native Guest net.

To be fair, I've never set up a UniFi AP this way so I'm speaking a little bit out of my rear end.  I *think* you can use it like this.  Someone should correct me if not :)

#94

General Discussion / Dnsmasq questions (from ISC)

Last post by jstarta - August 30, 2025, 03:42:00 AM

Hey all, I've done a full reinstall of Opnsense and have been learning the difference between Dnsmasq and ISC. Previous in ISC I could put in static leases with basically just the hostname, ip address, and the mac address. It would also automatically register leases into Unbound.

As far as i'm aware i've setup Dnsmasq as required - I've created DHCP Ranges for each interface and then created a bunch of Hosts entries, I found I needed to put in a Domain in order for it to resolvem, Is that correct or did I do something wrong? One thing I've also noticed is that under Hosts when I select a filter say for the LAN interface nothing actually shows up, does that mean i've set the Hosts incorrectly? I couldn't see an interface assignment or something when I created the host overrides.

I've set Dnsmasq to listen to 53053, enabled "Do not forward to system defined DNS servers", DHCP FQDN, DHCP local domain, and DHCP register firewall rules. In unbound i've set Register DHCP Static Mappings, and " Do not register system A/AAAA records" with an override to only return the LAN Ip for opnsense.

#95

25.7 Series / Re: System:Firmware:Plugins li...

Last post by ewtaylo - August 30, 2025, 03:25:27 AM

Thank you for your help.  Checking the "show community plugins" reveals quite a few more plugins.

I am having a hard time remembering exactly what the original list looked like prior to me typing in os- in the Name field.  Is it a correct statement that on a fresh install of 25.7 every plugin listed in the System:Firmware:Plugins area of the web console starts with os-?  If so I feel like a fool typing os- in the Name field when they are all named os-

#96

General Discussion / Re: Mixed untagged and vlan ta...

Last post by wiggler - August 30, 2025, 03:13:15 AM

OK I see. I think that would work, but switch A goes out to a bunch of other rooms (with switches of their own) throughout the house, switch C being one of them. I would like them all on the same main subnet, except the guest traffic.

Are you suggesting to split the network to try to isolate the leak? In that case, would it be best to put switch C, with the access point on the separate port? Then that would have the guest subnet, and a sort of secondary lan subnet?

#97

General Discussion / Re: Mixed untagged and vlan ta...

Last post by OPNenthu - August 30, 2025, 02:45:27 AM

You want me to bridge switches A and C through 2 ports on the firewall?

No.  No bridging.

Those are to be separate routed interfaces.  Check the diagram I just added to my last post.

#98

General Discussion / Re: Mixed untagged and vlan ta...

Last post by wiggler - August 30, 2025, 02:43:51 AM

You want me to bridge switches A and C through 2 ports on the firewall?

I've power cycled the windows machine and when it first comes up it gets an IPv6 address from the main untagged network right away, but after a minute it will get an address for the guest network. And you are right, the rule did nothing to help.

I think I'm going to need a managed switch to keep the guest network from leaking. Since the traffic for the guest network is only between the unifi access point and firewall, it should be simple.

#99

General Discussion / Re: Network type alias rule bl...

Last post by Jyling - August 30, 2025, 02:33:24 AM

What do the kids say these days? "Pics or it didn't happen"?

I don't recommend calling me a liar. Think again, better this time.

The separation of the subnet into its own pass rule is proof good enough for me.

#100

General Discussion / Re: Mixed untagged and vlan ta...

Last post by OPNenthu - August 30, 2025, 02:26:33 AM

You mentioned earlier that you had switch C connected to switch A.  Did you try separating those as well?  Put Switch A on one of the router ports and put Switch C (with the Windows PC) on the other router port.  Configure them as separate networks in OPNsense.  Make sure those switches don't link to each other.  Also, try disconnecting the Ethernet cable from the PC and plugging it in again in to reset the connection, in case the IPv6 addresses are sticking around.

Could adding a rule blocking lan from reaching the guest network prevent lan devices from getting guest addresses? I'll give it a try.

I don't think so, because IPv6 RAs are part of the ICMPv6 protocol which is enabled by default in OPNsense via system rules.  You can't disable or override those.  However, even if you managed to you would only be masking the issue.  I think that by having those switches all connected together you had a single broadcast domain and that needs to be sorted out, IMHO.

EDIT: attaching a sample diagram with some made-up IPs.