[SOLVED] Unbound, update_tables and newwanipv6 consumes a lot of CPU

Started by MenschAergereDichNicht, January 17, 2022, 12:45:06 PM

January 17, 2022, 12:45:06 PM Last Edit: January 20, 2022, 12:14:12 AM by MenschAergereDichNicht
I have some problems regarding the reliability of the WAN connection.

Lately this seems to center around Unbound using up most of the CPU:

unbound 103 0 563M 446M CPU3 3 0:43 95.46% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
unbound 52 0 563M 446M kqread 1 0:00 82.67% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
unbound 52 0 563M 446M kqread 0 0:00 82.57% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
unbound 52 0 563M 446M kqread 3 0:00 82.57% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
91701 unbound 37 0 71M 59M CPU0 0 0:04 64.78% /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf list_local_data


Another problem is a top-profile like this:

83.05% /usr/local/opnsense/scripts/filter/update_tables.py
47.39% /sbin/sysctl -WaN
40.26% /usr/local/bin/php /usr/local/etc/rc.filter_configure


Which also appeared while the connection was going downhill (first lots of packet losses and then no connection at all for some time).

I also have lots of messages inside the system log:

2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Removing static route for monitor 1.0.0.1 via 192.168.0.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Adding static route for monitor 1.1.1.1 via 192.168.69.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Removing static route for monitor 1.1.1.1 via 192.168.69.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Adding static route for monitor 2606:4700:4700::1111 via fe80::eadf:70ff:fe7a:23da%igb3
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Removing static route for monitor 2606:4700:4700::1111 via fe80::eadf:70ff:fe7a:23da%igb3
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: keeping current default gateway 'fe80::eadf:70ff:fe7a:23da%igb3'
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::eadf:70ff:fe7a:23da
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: IPv6 default gateway set to wan
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: keeping current default gateway '192.168.69.1'
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: setting IPv4 default route to 192.168.69.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: IPv4 default gateway set to wan
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: entering configure using 'wan'
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: The command '/sbin/route add -host -'inet6' '2606:4700:4700::1111' 'fe80::eadf:70ff:fe7a:23da%'' returned exit code '71', the output was 'route: fe80::eadf:70ff:fe7a:23da%: Name does not resolve'
2022-01-16T16:19:33 Error opnsense /usr/local/etc/rc.newwanipv6: On (IP address: <IPv6-Address>) (interface: WAN[wan]) (real interface: igb3).
2022-01-16T16:19:33 Error opnsense /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'igb3'
2022-01-16T16:19:31 Error opnsense /usr/local/etc/rc.linkup: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on igb1_vlan13
2022-01-16T16:19:30 Error opnsense /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
2022-01-16T16:19:30 Error opnsense /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
2022-01-16T16:19:30 Error opnsense /usr/local/etc/rc.linkup: ROUTING: creating /tmp/igb3_defaultgw using '192.168.69.1'


and inside the Unbound log lots of the following entries:

Error unbound [31602:0] error: could not SSL_write crypto error:00000000:lib(0):func(0):reason(0)
2022-01-17T12:58:36 Error unbound [70967:0] error: remote control failed ssl crypto error:00000000:lib(0):func(0):reason(0)


I currently have a very basic configuration on an APU4D4. Only some rules and DNS over TLS.
WAN is connected using a static IP for IPv4 and DHCP for IPv6.
I have monitoring of the WAN connection enabled inside the Gateways for IPv4 and IPv6. Additionally, inside the System DNS settings I selected those Gateways.
I use Unbound as a DNS server and some block lists are enabled.

I had a similar problem in 21.7, where unbound loading blocklists is very slow. I switched to bind, which is worlds faster.

Thank you for the feedback.

The thing is I have a nearly identical setup running with version 21.7.

I tried to replicate this setup with the new version and cleaning up a little bit while doing this. Additionally I am testing some Multi-WAN things.
But the DNS configuration should be the same in both versions.

January 17, 2022, 08:03:06 PM #3 Last Edit: January 19, 2022, 10:00:55 PM by MenschAergereDichNicht
My problems were caused by a combination of things out of scope of the OPNsense installation (upstream router setup) that caused the WAN link to become unstable.
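
The add/remove pairs for gateway monitor routes and the failed `route add` in the system log quoted in the first post can be counted mechanically when checking whether a WAN link is flapping. The following is an added example, not part of the original thread and not OPNsense code; the function names and regular expressions are assumptions derived only from the log lines shown above.

```python
import re
from collections import defaultdict

# Excerpt of the system log lines quoted in this thread, embedded so the example runs offline.
SAMPLE = """\
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Removing static route for monitor 1.0.0.1 via 192.168.0.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Adding static route for monitor 1.1.1.1 via 192.168.69.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: Removing static route for monitor 1.1.1.1 via 192.168.69.1
2022-01-16T16:19:34 Error opnsense /usr/local/etc/rc.newwanipv6: The command '/sbin/route add -host -'inet6' '2606:4700:4700::1111' 'fe80::eadf:70ff:fe7a:23da%'' returned exit code '71', the output was 'route: fe80::eadf:70ff:fe7a:23da%: Name does not resolve'
2022-01-16T16:19:33 Error opnsense /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'igb3'
2022-01-16T16:19:30 Error opnsense /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
"""

LINE = re.compile(r"^(\S+) \w+ opnsense (\S+): (.*)$")
ROUTE = re.compile(r"^(Adding|Removing) static route for monitor (\S+) via (\S+)")
FAILED = re.compile(r"^The command '(.*)' returned exit code '(\d+)'")
# Link-local address followed by '%' with no interface name after it.
EMPTY_SCOPE = re.compile(r"fe80:[0-9a-fA-F:]*%(?![0-9A-Za-z])")

def parse(text):
    """Yield (timestamp, script, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def summarize(text):
    """Report monitor routes added and removed in the same second,
    failed commands, and how many lines each event script logged."""
    actions = defaultdict(set)   # (timestamp, monitor) -> {"Adding", "Removing"}
    failures, runs = [], defaultdict(int)
    for ts, script, msg in parse(text):
        runs[script.rsplit("/", 1)[-1]] += 1
        if (r := ROUTE.match(msg)):
            actions[(ts, r.group(2))].add(r.group(1))
        elif (f := FAILED.match(msg)):
            failures.append({"time": ts, "exit_code": int(f.group(2)),
                             "empty_scope": bool(EMPTY_SCOPE.search(f.group(1)))})
    churn = sorted(mon for (_, mon), acts in actions.items() if len(acts) == 2)
    return {"churn": churn, "failures": failures, "runs": dict(runs)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full log export, a long `churn` list together with repeated `rc.linkup` and `rc.newwanipv6` entries points at link events on the WAN side rather than at Unbound itself.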