First experience with 24.x release
Topic: First experience with 24.x release (Read 554 times)
JL (Newbie, Posts: 42, Karma: 1)
First experience with 24.x release « on: May 25, 2024, 09:17:12 pm »
a bad week, karma, or something entirely different, who will tell
Things to know for working with 24.x.
Foremost: know that Kea DHCP requires the GATEWAYIP/MASK to be set, not the subnet/mask as the GUI help suggests. Though Kea is interesting it seems sub-par in features compared to ISC and also seems less configurable. Curious for what will come of this.
There is a distinct impression the platform is just faster, pages load in an instant
Unbound is not behaving as well as can be again; enabling DNSSEC is not recommended at first. Just leave it off.
My assumption is an update may fix whatever is going on. If not, let me know what I did wrong.
Pairing Unbound with DNScrypt can be a headache.
Just point only the "query forwarding"
to the DNSCrypt service, don't combine this with "DNS over TLS" from unbound, stuff breaks here :-D Also, Unbound has its own visual dashboard.
Writing rules 'feels different', could be me paired with a lack of sleep.
I've also had the weirdest experience with getting the network to actually work properly. This not in small part due to Ubuntu 24 LTS, it is not recommended to upgrade just yet. Something seems alive in there and it is cheeky and mischievous.
Somehow "automatic outbound NAT rules" gave up on me a few times. I had to switch to hybrid mode. I mean, is there a ghost in the machine or what ?!? This makes a requirement to hide each network separately behind the WAN address. Including the WAN network it seems.
There are quite a few small and notable changes and improvements. I'm actually getting curious about OPNsense again. Though I do think there's too much awkwardness for casual use, it's growing on me. I'm sure to try out the central management features.
There's something different about how gateways are managed, not sure what; seems too easy now?
There's something odd about "Dynamic gateway policy", do i need it enabled or not, the change does not seem to propagate or act consistently over time.
Lack of consistent behavior seems to be a growing trend with open source software lately; it is quite concerning. Settings were saved but were not, flows seemed to pass until they did not. The mess I've seen Ubuntu make of simple things is just disingenuous. OPNsense seems to suffer from "ghost states" and can sometimes use a reboot. Not recommendable to accept rebooting as a standard practice.
What I miss profoundly is a way to add exceptions to the bogon filtering. Now it has to be disabled because it matches DHCP and disrupts that. There appear to be some things missing here, maybe a feature deprecated?
Suricata borks again, I hope I find back the post on how to keep it up and not have it randomly crash. It is stupid this is not documented or fixed in the build.
Yes, all hardware offloading is disabled.
Oh wait, yes, Suricata stops when the MTU is not set consistently for all interfaces. If you change the MTU, update it here. At least that used to work. Now it reports there is an "<Error> -- opening devname netmap:vtnet1/R failed: Invalid argument". I don't see why and did not find why yet.
Oh no, it does bork for all interfaces, with the same invalid argument argument. Let's disable IPS mode; that worked last time, until I remember the fix.
Just in case, here is how I fixed it last time:
https://forum.opnsense.org/index.php?topic=38140.0
Why is GeoIP under Firewall Aliases? Why is it documented so vaguely what URL to point at it?
Works though. I think; can I actually see the GeoIP info anywhere?
In all, it's okay to work with. It is a building block rather than a one stop toolkit.
Reminds me I have to get Elasticsearch up and running again, pair it with Grafana and stuff.
Setting up DNScrypt requires little but you should know what.
« Last Edit: May 25, 2024, 09:27:56 pm by JL »
franco (Administrator, Hero Member, Posts: 17665, Karma: 1611)
Re: First experience with 24.x release « Reply #1 on: May 25, 2024, 09:41:32 pm »
Thanks for your feedback. Let me just comment on a couple of things.
> There is a distinct impression the platform is just faster, pages load in an instant
I'm missing all context here: which platform? faster than what? which pages?
> Lack of consistent behavior seems to be growing trend with open source software lately, it is quite concering. Settings were saved but were not, flows seemed to pass until they did not.
I'm also missing a bit of consistency in this plenty-fold unspecified weirdness.
Suricata and IPS can be like: there was one problem and now there is too. It heavily depends on setup and hardware in this case.
> Why is GeoIP under Firewall Aliases ? Why it is documented so vaguely what URL to point at it?
> Works though. I think, can i actually see the GeoIP info anywhere ?
https://docs.opnsense.org/manual/aliases.html#geoip
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
There is a diagnostics tool for showing each alias table content in full.
Get some sleep!
Cheers,
Franco
« Last Edit: May 25, 2024, 09:45:26 pm by franco »
JL (Newbie, Posts: 42, Karma: 1)
Re: First experience with 24.x release « Reply #2 on: May 26, 2024, 09:37:38 am »
Missing the point goes two ways, so it seems. Yeah, I'm also sleep deprived and known to be grumpy, yet helpful I can only hope.
The distinct impression the platform (opnsense obviously since it is the title topic) is faster was/is a compliment. Pages loading faster is indeed a generic statement since both the UI and surfing is perceived to be generally (far) more responsive.
"Lack of consistent behaviour" is the observation that a working config does not mean it works reliably for the next few hours; in part it is sure to be me. I'm also not being very specific to OPNsense but point at the dumpster fire Ubuntu in combination with OPNsense administration. For OPNsense it is an impression that just does not go away. It seems states are not purged instantly on commit (apply changes) and linger for some time until the new config is actually in effect.
Paired with the absolute madness Ubuntu is projecting with the latest LTS when it comes to networking on the desktop, this past impression does not go away easily. Having worked with Juniper, CheckPoint, Cisco, Meraki, WatchGuard and an odd number of other firewalls I hope I'm not simply making weird. I'm stating an observation which is not easy to pinpoint either.
The Suricata issues with every set-up that does not stick to MTU=default (1500): I think to have observed this is actually from 1500-2048 MTU size. I've shared my fix with support, posted the fix here, nothing happened with that information. As if everyone seems to know already. Yet, forums are plenty with people observing the start/stop of Suricata.
The fix is literally one value in tunables; adding this as a default would save people loads of time.
Fix = Tunable: dev.netmap.bufsize = <highest MTU size here>
People like me who among other things manage firewalls don't have time to make a dedicated life out of firewall administration for one product.
Regarding GeoIP. I meant, what use is adding this if it is not displayed anywhere in the logs. Right?
OH, now I read the business edition has that GeoIP db on-board already, so the logs ARE void of GeoIP info and there is no way to add a column to look this up. TLDR on that one, could have known. The 'full help' function in OPNsense could be useful to inform.
For example:
Checking the alias I created for Belgium, I don't see an IP registered for Belgium, such as 193.191.245.121.
When I do a lookup reference it tells me it is Belgium but the list of subnets listed only shows 0 values.
By sharing the GEOIP link the collateral finding of 'URL tables' which I'm sure to explore, thanks for that, a new feature to test.
Either way, OPNSense is affordable and good enough for my purpose.
I'm sure people who can dedicate a considerable amount of their time will master to build larger and complex networks with it.
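The thread above pins the Suricata netmap failure on interfaces whose MTU exceeds the `dev.netmap.bufsize` tunable, with the stated fix being to raise that tunable to the highest MTU in use. The script below is an added example (not code from either poster or from the OPNsense project) that turns that advice into a pre-flight check: it parses FreeBSD-style `ifconfig` output for the largest non-loopback MTU and compares it with the current bufsize, reporting the value to put in the tunable when it is too small. The sample `ifconfig` text is constructed so the check can be exercised offline; on a live firewall it reads the real values from `ifconfig` and `sysctl`.

```shell
#!/bin/sh
# Added example: check whether dev.netmap.bufsize covers the highest interface
# MTU, the condition the post above links to "opening devname netmap:... failed".
# Assumes FreeBSD-style ifconfig output ("... metric 0 mtu 1500") and that the
# running value is readable with `sysctl -n dev.netmap.bufsize`.

# Print the highest "mtu N" found in ifconfig-style text on stdin.
# Loopback interfaces are skipped: netmap/IPS never attaches to them.
max_mtu() {
    awk '/LOOPBACK/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == "mtu" && ($(i+1) + 0) > m) m = $(i+1) + 0 }
         END { print m + 0 }'
}

# Return 0 when bufsize is large enough for every interface, 1 when the
# tunable needs raising. Arguments: ifconfig text, current dev.netmap.bufsize.
check_netmap_bufsize() {
    highest=$(printf '%s\n' "$1" | max_mtu)
    if [ "$2" -ge "$highest" ]; then
        echo "OK: dev.netmap.bufsize=$2 covers highest MTU $highest"
        return 0
    fi
    echo "FIX: set tunable dev.netmap.bufsize=$highest (current $2 < highest MTU $highest)"
    return 1
}

# Constructed sample: one standard interface, one jumbo-frame interface, loopback.
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2000
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# On a box that exposes the tunable, check the live configuration; elsewhere
# (or when run offline) demonstrate the check on the constructed sample.
if live_bufsize=$(sysctl -n dev.netmap.bufsize 2>/dev/null); then
    check_netmap_bufsize "$(ifconfig)" "$live_bufsize" || :
else
    check_netmap_bufsize "$SAMPLE_IFCONFIG" 2048
fi
```

The FreeBSD default for `dev.netmap.bufsize` is 2048, which is why interfaces at the standard 1500 MTU work and jumbo-frame interfaces above 2048 do not; the check makes that relationship explicit before IPS mode is enabled, so a reboot is not needed to discover it.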