Interface  Timestamp  SRC  DST  output
WAN igb1  2024-05-04 17:24:41.672662  6c:4b:b4:68:01:51  ff:ff:ff:ff:ff:ff  Unknown Ethertype (0x7373), length 121:
WAN igb1  2024-05-04 17:24:41.800722  6c:4b:b4:68:01:51  01:80:c2:00:00:00  802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 0000.6c:4b:b4:68:01:51.8001, length 43
WAN igb1  2024-05-04 17:24:42.035789  30:89:4a:a1:7b:79  33:33:ff:68:01:51  IPv6, length 86: fe80::ca88:bea6:3b48:e015 > ff02::1:ff68:151: ICMP6, neighbor solicitation, who has fe80::6e4b:b4ff:fe68:151, length 32
WAN igb1  2024-05-04 17:24:42.117316  30:89:4a:a1:7b:79  ff:ff:ff:ff:ff:ff  IPv4, length 366: 0.0.0.0.68 > 255.255.255.255.67: UDP, length 324
WAN igb1  2024-05-04 17:24:42.117917  6c:4b:b4:68:01:51  ff:ff:ff:ff:ff:ff  IPv4, length 391: 192.168.1.254.67 > 255.255.255.255.68: UDP, length 349
WAN igb1  2024-05-04 17:24:42.226942  30:89:4a:a1:7b:79  33:33:ff:68:01:51  IPv6, length 86: 2600:1700:25d1:a710:b575:be42:7840:290f > ff02::1:ff68:151: ICMP6, neighbor solicitation, who has fe80::6e4b:b4ff:fe68:151, length 32
WAN igb1  2024-05-04 17:24:42.335468  30:89:4a:a1:7b:79  ff:ff:ff:ff:ff:ff  ARP, length 60: Request who-has 192.168.1.218 tell 0.0.0.0, length 46
WAN igb1  2024-05-04 17:24:42.335704  30:89:4a:a1:7b:79  33:33:ff:48:e0:15  IPv6, length 78: :: > ff02::1:ff48:e015: ICMP6, neighbor solicitation, who has fe80::ca88:bea6:3b48:e015, length 24
WAN igb1  2024-05-04 17:24:42.335858  30:89:4a:a1:7b:79  33:33:ff:96:8f:5f  IPv6, length 78: :: > ff02::1:ff96:8f5f: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710:49b3:3a7f:dc96:8f5f, length 24
WAN igb1  2024-05-04 17:24:42.336001  30:89:4a:a1:7b:79  33:33:ff:40:29:0f  IPv6, length 78: :: > ff02::1:ff40:290f: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710:b575:be42:7840:290f, length 24
WAN igb1  2024-05-04 17:24:42.336128  30:89:4a:a1:7b:79  33:33:ff:00:00:46  IPv6, length 78: :: > ff02::1:ff00:46: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710::46, length 24
WAN igb1  2024-05-04 17:24:42.336144  30:89:4a:a1:7b:79  33:33:00:00:00:02  IPv6, length 62: fe80::ca88:bea6:3b48:e015 > ff02::2: ICMP6, router solicitation, length 8
WAN igb1  2024-05-04 17:24:42.336364  30:89:4a:a1:7b:79  33:33:00:00:00:16  IPv6, length 190: fe80::ca88:bea6:3b48:e015 > ff02::16: HBH ICMP6, multicast listener report v2, 6 group record(s), length 128
WAN igb1  2024-05-04 17:24:42.535991  30:89:4a:a1:7b:79  33:33:ff:00:00:01  IPv6, length 86: 2600:1700:25d1:a710:b575:be42:7840:290f > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710::1, length 32
kubuntu@kubuntu:~$ nslookup www.google.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

kubuntu@kubuntu:~$ nslookup www.cloudflare.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

kubuntu@kubuntu:~$ nslookup www.google.com 8.8.8.8
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; no servers could be reached

kubuntu@kubuntu:~$ dig www.google.com @8.8.8.8
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> www.google.com @8.8.8.8
;; global options: +cmd
;; no servers could be reached

kubuntu@kubuntu:~$ dig www.cloudflare.com @1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> www.cloudflare.com @1.1.1.1
;; global options: +cmd
;; no servers could be reached
kubuntu@kubuntu:~$ ifconfig -a
enp0s31f6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether f8:75:a4:ab:47:bc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xea200000-ea220000

enx00e04cefcb25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.197  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2600:1700:25d1:a71f::19af  prefixlen 128  scopeid 0x0<global>
        inet6 2600:1700:25d1:a71f:f8e9:7092:c27d:8229  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::b2bc:371a:aed0:56ec  prefixlen 64  scopeid 0x20<link>
        inet6 2600:1700:25d1:a71f:6cd2:f4b3:8aaa:a9  prefixlen 64  scopeid 0x0<global>
        ether 00:e0:4c:ef:cb:25  txqueuelen 1000  (Ethernet)
        RX packets 36167  bytes 48159820 (48.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14770  bytes 1684296 (1.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1738  bytes 192775 (192.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1738  bytes 192775 (192.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp0s20f3: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 5c:80:b6:1c:d0:7c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
kubuntu@kubuntu:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enx00e04cefcb25
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enx00e04cefcb25
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enx00e04cefcb25
kubuntu@kubuntu:~$ ip route
default via 192.168.1.1 dev enx00e04cefcb25 proto dhcp src 192.168.1.197 metric 100
169.254.0.0/16 dev enx00e04cefcb25 scope link metric 1000
192.168.1.0/24 dev enx00e04cefcb25 proto kernel scope link src 192.168.1.197 metric 100
<?xml version="1.0"?><opnsense> <theme>opnsense</theme> <sysctl> <item> <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr> <tunable>vfs.read_max</tunable> <value>default</value> </item> <item> <descr>Set the ephemeral port range to be lower.</descr> <tunable>net.inet.ip.portrange.first</tunable> <value>default</value> </item> <item> <descr>Drop packets to closed TCP ports without returning a RST</descr> <tunable>net.inet.tcp.blackhole</tunable> <value>default</value> </item> <item> <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr> <tunable>net.inet.udp.blackhole</tunable> <value>default</value> </item> <item> <descr>Randomize the ID field in IP packets</descr> <tunable>net.inet.ip.random_id</tunable> <value>default</value> </item> <item> <descr> Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system. </descr> <tunable>net.inet.ip.sourceroute</tunable> <value>default</value> </item> <item> <descr> Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system. </descr> <tunable>net.inet.ip.accept_sourceroute</tunable> <value>default</value> </item> <item> <descr> This option turns off the logging of redirect packets because there is no limit and this could fill up your logs consuming your whole hard drive. 
</descr> <tunable>net.inet.icmp.log_redirect</tunable> <value>default</value> </item> <item> <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr> <tunable>net.inet.tcp.drop_synfin</tunable> <value>default</value> </item> <item> <descr>Enable sending IPv6 redirects</descr> <tunable>net.inet6.ip6.redirect</tunable> <value>default</value> </item> <item> <descr>Enable privacy settings for IPv6 (RFC 4941)</descr> <tunable>net.inet6.ip6.use_tempaddr</tunable> <value>default</value> </item> <item> <descr>Prefer privacy addresses and use them over the normal addresses</descr> <tunable>net.inet6.ip6.prefer_tempaddr</tunable> <value>default</value> </item> <item> <descr>Generate SYN cookies for outbound SYN-ACK packets</descr> <tunable>net.inet.tcp.syncookies</tunable> <value>default</value> </item> <item> <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr> <tunable>net.inet.tcp.recvspace</tunable> <value>default</value> </item> <item> <descr>Maximum incoming/outgoing TCP datagram size (send)</descr> <tunable>net.inet.tcp.sendspace</tunable> <value>default</value> </item> <item> <descr>Do not delay ACK to try and piggyback it onto a data packet</descr> <tunable>net.inet.tcp.delayed_ack</tunable> <value>default</value> </item> <item> <descr>Maximum outgoing UDP datagram size</descr> <tunable>net.inet.udp.maxdgram</tunable> <value>default</value> </item> <item> <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr> <tunable>net.link.bridge.pfil_onlyip</tunable> <value>default</value> </item> <item> <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr> <tunable>net.link.bridge.pfil_local_phys</tunable> <value>default</value> </item> <item> <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr> <tunable>net.link.bridge.pfil_member</tunable> <value>default</value> </item> <item> <descr>Set to 1 to enable filtering on 
the bridge interface</descr> <tunable>net.link.bridge.pfil_bridge</tunable> <value>default</value> </item> <item> <descr>Allow unprivileged access to tap(4) device nodes</descr> <tunable>net.link.tap.user_open</tunable> <value>default</value> </item> <item> <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr> <tunable>kern.randompid</tunable> <value>default</value> </item> <item> <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr> <tunable>hw.syscons.kbd_reboot</tunable> <value>default</value> </item> <item> <descr>Enable TCP extended debugging</descr> <tunable>net.inet.tcp.log_debug</tunable> <value>default</value> </item> <item> <descr>Set ICMP Limits</descr> <tunable>net.inet.icmp.icmplim</tunable> <value>default</value> </item> <item> <descr>TCP Offload Engine</descr> <tunable>net.inet.tcp.tso</tunable> <value>default</value> </item> <item> <descr>UDP Checksums</descr> <tunable>net.inet.udp.checksum</tunable> <value>default</value> </item> <item> <descr>Maximum socket buffer size</descr> <tunable>kern.ipc.maxsockbuf</tunable> <value>default</value> </item> <item> <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr> <tunable>vm.pmap.pti</tunable> <value>default</value> </item> <item> <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr> <tunable>hw.ibrs_disable</tunable> <value>default</value> </item> <item> <descr>Hide processes running as other groups</descr> <tunable>security.bsd.see_other_gids</tunable> <value>default</value> </item> <item> <descr>Hide processes running as other users</descr> <tunable>security.bsd.see_other_uids</tunable> <value>default</value> </item> <item> <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better, and for the sender directly reachable, route and next hop is known. 
</descr> <tunable>net.inet.ip.redirect</tunable> <value>default</value> </item> <item> <descr> Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect packets without returning a response. </descr> <tunable>net.inet.icmp.drop_redirect</tunable> <value>1</value> </item> <item> <descr>Maximum outgoing UDP datagram size</descr> <tunable>net.local.dgram.maxdgram</tunable> <value>default</value> </item> </sysctl> <system> <optimization>normal</optimization> <hostname>router</hostname> <domain>tnbc</domain> <group> <name>admins</name> <description>System Administrators</description> <scope>system</scope> <gid>1999</gid> <member>0</member> <priv>page-all</priv> </group> <user> <name>root</name> <descr>System Administrator</descr> <scope>system</scope> <groupname>admins</groupname> <password>$2y$10$ZyasLp34vWYaO8i3.7NbSu3RrAQ9NaI/Koi2xVo9jFRqZJsV/.3OG</password> <uid>0</uid> </user> <nextuid>2000</nextuid> <nextgid>2000</nextgid> <timezone>Etc/UTC</timezone> <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers> <webgui> <protocol>https</protocol> <ssl-certref>662c4a6b65a15</ssl-certref> <port/> <compression>9</compression> <ssl-hsts>1</ssl-hsts> </webgui> <disablenatreflection>yes</disablenatreflection> <usevirtualterminal>1</usevirtualterminal> <disableconsolemenu>1</disableconsolemenu> <disablevlanhwfilter>1</disablevlanhwfilter> <disablechecksumoffloading>1</disablechecksumoffloading> <disablesegmentationoffloading>1</disablesegmentationoffloading> <disablelargereceiveoffloading>1</disablelargereceiveoffloading> <ipv6allow/> <powerd_ac_mode>hadp</powerd_ac_mode> <powerd_battery_mode>hadp</powerd_battery_mode> <powerd_normal_mode>hadp</powerd_normal_mode> <bogons> <interval>monthly</interval> </bogons> <pf_share_forward>1</pf_share_forward> 
<lb_use_sticky>1</lb_use_sticky> <ssh> <group>admins</group> <noauto>1</noauto> <interfaces/> <kex/> <ciphers/> <macs/> <keys/> <keysig/> </ssh> <rrdbackup>24</rrdbackup> <netflowbackup>24</netflowbackup> <firmware version="1.0.1"> <mirror/> <flavour/> <plugins/> <subscription/> </firmware> <language>en_US</language> <dnsallowoverride_exclude/> <dnsserver>208.67.222.222</dnsserver> <dnsserver>94.140.14.14</dnsserver> <dnsserver>1.1.1.1</dnsserver> <dnsserver>8.8.8.8</dnsserver> <dns1gw>none</dns1gw> <dns2gw>none</dns2gw> <dns3gw>none</dns3gw> <dns4gw>none</dns4gw> <dns5gw>none</dns5gw> <dns6gw>none</dns6gw> <dns7gw>none</dns7gw> <dns8gw>none</dns8gw> <serialspeed>115200</serialspeed> <primaryconsole>video</primaryconsole> <thermal_hardware>coretemp</thermal_hardware> <dhcpbackup>24</dhcpbackup> </system> <interfaces> <wan> <enable>1</enable> <if>igb1</if> <ipaddr>dhcp</ipaddr> <ipaddrv6>dhcp6</ipaddrv6> <gateway/> <blockpriv>1</blockpriv> <blockbogons>1</blockbogons> <media/> <mediaopt/> <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len> </wan> <lan> <enable>1</enable> <if>igb0</if> <ipaddr>192.168.1.1</ipaddr> <subnet>24</subnet> <ipaddrv6>track6</ipaddrv6> <subnetv6>64</subnetv6> <media/> <mediaopt/> <track6-interface>wan</track6-interface> <track6-prefix-id>0</track6-prefix-id> <gateway/> <gatewayv6/> </lan> <lo0> <internal_dynamic>1</internal_dynamic> <descr>Loopback</descr> <enable>1</enable> <if>lo0</if> <ipaddr>127.0.0.1</ipaddr> <ipaddrv6>::1</ipaddrv6> <subnet>8</subnet> <subnetv6>128</subnetv6> <type>none</type> <virtual>1</virtual> </lo0> </interfaces> <dhcpd> <lan> <enable>1</enable> <range> <from>192.168.1.10</from> <to>192.168.1.100</to> </range> </lan> </dhcpd> <snmpd> <syslocation/> <syscontact/> <rocommunity>public</rocommunity> </snmpd> <nat> <outbound> <mode>automatic</mode> </outbound> </nat> <filter> <rule> <type>pass</type> <ipprotocol>inet</ipprotocol> <descr>Default allow LAN to any rule</descr> <interface>lan</interface> <source> <network>lan</network> 
</source> <destination> <any/> </destination> </rule> <rule> <type>pass</type> <ipprotocol>inet6</ipprotocol> <descr>Default allow LAN IPv6 to any rule</descr> <interface>lan</interface> <source> <network>lan</network> </source> <destination> <any/> </destination> </rule> </filter> <rrd> <enable/> </rrd> <load_balancer> <monitor_type> <name>ICMP</name> <type>icmp</type> <descr>ICMP</descr> <options/> </monitor_type> <monitor_type> <name>TCP</name> <type>tcp</type> <descr>Generic TCP</descr> <options/> </monitor_type> <monitor_type> <name>HTTP</name> <type>http</type> <descr>Generic HTTP</descr> <options> <path>/</path> <host/> <code>200</code> </options> </monitor_type> <monitor_type> <name>HTTPS</name> <type>https</type> <descr>Generic HTTPS</descr> <options> <path>/</path> <host/> <code>200</code> </options> </monitor_type> <monitor_type> <name>SMTP</name> <type>send</type> <descr>Generic SMTP</descr> <options> <send/> <expect>220 *</expect> </options> </monitor_type> </load_balancer> <ntpd> <prefer>0.opnsense.pool.ntp.org</prefer> </ntpd> <widgets> <sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence> <column_count>2</column_count> </widgets> <revision> <username>(root)</username> <time>1715908408.0369</time> <description>lan configuration from console menu</description> </revision> <OPNsense> <Interfaces> <vxlans version="1.0.1"/> <loopbacks version="1.0.0"/> </Interfaces> <proxy version="1.0.6"> <general> <enabled>0</enabled> <error_pages>opnsense</error_pages> <icpPort/> <logging> <enable> <accessLog>1</accessLog> <storeLog>1</storeLog> </enable> <ignoreLogACL/> <target/> </logging> <alternateDNSservers/> <forwardedForHandling>on</forwardedForHandling> <uriWhitespaceHandling>strip</uriWhitespaceHandling> <enablePinger>1</enablePinger> <useViaHeader>1</useViaHeader> <suppressVersion>0</suppressVersion> <connecttimeout/> 
<VisibleEmail>admin@localhost.local</VisibleEmail> <VisibleHostname/> <cache> <local> <enabled>0</enabled> <directory>/var/squid/cache</directory> <cache_mem>256</cache_mem> <maximum_object_size/> <maximum_object_size_in_memory/> <memory_cache_mode>always</memory_cache_mode> <size>100</size> <l1>16</l1> <l2>256</l2> <cache_linux_packages>0</cache_linux_packages> <cache_windows_updates>0</cache_windows_updates> </local> </cache> <traffic> <enabled>0</enabled> <maxDownloadSize>2048</maxDownloadSize> <maxUploadSize>1024</maxUploadSize> <OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling> <perHostTrotteling>256</perHostTrotteling> </traffic> <parentproxy> <enabled>0</enabled> <host/> <enableauth>0</enableauth> <user>username</user> <password>password</password> <port/> <localdomains/> <localips/> </parentproxy> </general> <forward> <interfaces>lan</interfaces> <port>3128</port> <sslbumpport>3129</sslbumpport> <sslbump>0</sslbump> <sslurlonly>0</sslurlonly> <sslcertificate/> <sslnobumpsites/> <ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size> <sslcrtd_children>5</sslcrtd_children> <snmp_enable>0</snmp_enable> <snmp_port>3401</snmp_port> <snmp_password>public</snmp_password> <ftpInterfaces/> <ftpPort>2121</ftpPort> <ftpTransparentMode>0</ftpTransparentMode> <addACLforInterfaceSubnets>1</addACLforInterfaceSubnets> <transparentMode>0</transparentMode> <acl> <allowedSubnets/> <unrestricted/> <bannedHosts/> <whiteList/> <blackList/> <browser/> <mimeType/> <googleapps/> <youtube/> <safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts> <sslPorts>443:https</sslPorts> <remoteACLs> <blacklists/> <UpdateCron/> </remoteACLs> </acl> <icap> <enable>0</enable> <RequestURL>icap://[::1]:1344/avscan</RequestURL> <ResponseURL>icap://[::1]:1344/avscan</ResponseURL> <SendClientIP>1</SendClientIP> <SendUsername>0</SendUsername> <EncodeUsername>0</EncodeUsername> 
<UsernameHeader>X-Username</UsernameHeader> <EnablePreview>1</EnablePreview> <PreviewSize>1024</PreviewSize> <OptionsTTL>60</OptionsTTL> <exclude/> </icap> <authentication> <method/> <authEnforceGroup/> <realm>OPNsense proxy authentication</realm> <credentialsttl>2</credentialsttl> <children>5</children> </authentication> </forward> <pac/> <error_pages> <template/> </error_pages> </proxy> <TrafficShaper version="1.0.3"> <pipes/> <queues/> <rules/> </TrafficShaper> <unboundplus version="1.0.8"> <general> <enabled>1</enabled> <port>53</port> <stats/> <active_interface/> <dns64>0</dns64> <dns64prefix/> <noarecords>0</noarecords> <regdhcp>1</regdhcp> <regdhcpdomain/> <regdhcpstatic>1</regdhcpstatic> <noreglladdr6>0</noreglladdr6> <noregrecords>0</noregrecords> <txtsupport>0</txtsupport> <cacheflush>1</cacheflush> <local_zone_type>transparent</local_zone_type> <outgoing_interface/> <enable_wpad>0</enable_wpad> </general> <advanced> <hideidentity/> <hideversion/> <prefetch/> <prefetchkey/> <serveexpired/> <serveexpiredreplyttl/> <serveexpiredttl/> <serveexpiredttlreset/> <serveexpiredclienttimeout/> <qnameminstrict/> <extendedstatistics/> <logqueries/> <logreplies/> <logtagqueryreply/> <logservfail/> <loglocalactions/> <logverbosity>1</logverbosity> <valloglevel>0</valloglevel> <privatedomain/> <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress> <insecuredomain/> <msgcachesize/> <rrsetcachesize/> <outgoingnumtcp/> <incomingnumtcp/> <numqueriesperthread/> <outgoingrange/> <jostletimeout/> <cachemaxttl/> <cachemaxnegativettl/> <cacheminttl/> <infrahostttl/> <infrakeepprobing/> <infracachenumhosts/> <unwantedreplythreshold/> </advanced> <acls> <default_action>allow</default_action> </acls> <dnsbl> <enabled>0</enabled> <safesearch/> <type/> <lists/> <whitelists/> <blocklists/> <wildcards/> 
<address/> <nxdomain/> </dnsbl> <forwarding> <enabled/> </forwarding> <dots/> <hosts/> <aliases/> <domains/> </unboundplus> <Firewall> <Lvtemplate version="0.0.1"> <templates/> </Lvtemplate> <Category version="1.0.0"> <categories/> </Category> <Alias version="1.0.1"> <geoip> <url/> </geoip> <aliases/> </Alias> </Firewall> <Netflow version="1.0.1"> <capture> <interfaces/> <egress_only/> <version>v9</version> <targets/> </capture> <collect> <enable>0</enable> </collect> <activeTimeout>1800</activeTimeout> <inactiveTimeout>15</inactiveTimeout> </Netflow> <OpenVPNExport version="0.0.1"> <servers/> </OpenVPNExport> <OpenVPN version="1.0.0"> <Overwrites/> <Instances/> <StaticKeys/> </OpenVPN> <captiveportal version="1.0.1"> <zones/> <templates/> </captiveportal> <IPsec version="1.0.1"> <general> <enabled/> </general> <keyPairs/> <preSharedKeys/> </IPsec> <Swanctl version="1.0.0"> <Connections/> <locals/> <remotes/> <children/> <Pools/> <VTIs/> <SPDs/> </Swanctl> <Syslog version="1.0.1"> <general> <enabled>1</enabled> </general> <destinations/> </Syslog> <IDS version="1.0.9"> <rules/> <policies/> <userDefinedRules/> <files/> <fileTags/> <general> <enabled>0</enabled> <ips>0</ips> <promisc>0</promisc> <interfaces>wan</interfaces> <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet> <defaultPacketSize/> <UpdateCron/> <AlertLogrotate>W0D23</AlertLogrotate> <AlertSaveLogs>4</AlertSaveLogs> <MPMAlgo>ac</MPMAlgo> <detect> <Profile>medium</Profile> <toclient_groups/> <toserver_groups/> </detect> <syslog>0</syslog> <syslog_eve>0</syslog_eve> <LogPayload>0</LogPayload> <verbosity/> </general> </IDS> <cron version="1.0.4"> <jobs/> </cron> <monit version="1.0.12"> <general> <enabled>0</enabled> <interval>120</interval> <startdelay>120</startdelay> <mailserver>127.0.0.1</mailserver> <port>25</port> <username/> <password/> <ssl>0</ssl> <sslversion>auto</sslversion> <sslverify>1</sslverify> <logfile>syslog facility log_daemon</logfile> <statefile/> <eventqueuePath/> 
<eventqueueSlots/> <httpdEnabled>0</httpdEnabled> <httpdUsername>root</httpdUsername> <httpdPassword>9ec0GgZn7WfYSY6fK4ZTs17AH</httpdPassword> <httpdPort>2812</httpdPort> <httpdAllow/> <mmonitUrl/> <mmonitTimeout>5</mmonitTimeout> <mmonitRegisterCredentials>1</mmonitRegisterCredentials> </general> <alert uuid="25261175-cbdb-44e2-8ff2-c1263e9b266c"> <enabled>0</enabled> <recipient>root@localhost.local</recipient> <noton>0</noton> <events/> <format/> <reminder>10</reminder> <description/> </alert> <service uuid="4351d165-0877-490b-b02b-dad60becb552"> <enabled>1</enabled> <name>$HOST</name> <description/> <type>system</type> <pidfile/> <match/> <path/> <timeout>300</timeout> <starttimeout>30</starttimeout> <address/> <interface/> <start/> <stop/> <tests>b96b7318-666e-414d-98a4-122962234349,fd42fc79-b30b-46bd-9466-1fe93fda6f71,6abe35bd-2f69-4713-8360-61754511fbe3,5bdfe018-88b7-42cf-a257-15586cc42f7e</tests> <depends/> <polltime/> </service> <service uuid="ad2bc2c9-0704-47ca-8bd8-fdab32f40b9e"> <enabled>1</enabled> <name>RootFs</name> <description/> <type>filesystem</type> <pidfile/> <match/> <path>/</path> <timeout>300</timeout> <starttimeout>30</starttimeout> <address/> <interface/> <start/> <stop/> <tests>d8f00d05-6774-4205-8bea-e33bacf9d802</tests> <depends/> <polltime/> </service> <service uuid="7e337156-4390-4941-9721-ebd21f66db1a"> <enabled>0</enabled> <name>carp_status_change</name> <description/> <type>custom</type> <pidfile/> <match/> <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path> <timeout>300</timeout> <starttimeout>30</starttimeout> <address/> <interface/> <start/> <stop/> <tests>f1070c99-a293-41fc-b1df-22c9aa22cf81</tests> <depends/> <polltime/> </service> <service uuid="7a8bc9bd-c466-47f3-83ac-733a044145a4"> <enabled>0</enabled> <name>gateway_alert</name> <description/> <type>custom</type> <pidfile/> <match/> <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path> <timeout>300</timeout> <starttimeout>30</starttimeout> 
<address/> <interface/> <start/> <stop/> <tests>09f6939a-3bf9-4641-b1ba-42ad85b05cfa</tests> <depends/> <polltime/> </service> <test uuid="d1fc5d1f-84ad-4a90-a001-cdc420dd99e7"> <name>Ping</name> <type>NetworkPing</type> <condition>failed ping</condition> <action>alert</action> <path/> </test> <test uuid="3080609e-fe72-4164-8157-ae44e920807f"> <name>NetworkLink</name> <type>NetworkInterface</type> <condition>failed link</condition> <action>alert</action> <path/> </test> <test uuid="9b516f06-bbc4-4d57-91c0-e2b280936e0b"> <name>NetworkSaturation</name> <type>NetworkInterface</type> <condition>saturation is greater than 75%</condition> <action>alert</action> <path/> </test> <test uuid="b96b7318-666e-414d-98a4-122962234349"> <name>MemoryUsage</name> <type>SystemResource</type> <condition>memory usage is greater than 75%</condition> <action>alert</action> <path/> </test> <test uuid="fd42fc79-b30b-46bd-9466-1fe93fda6f71"> <name>CPUUsage</name> <type>SystemResource</type> <condition>cpu usage is greater than 75%</condition> <action>alert</action> <path/> </test> <test uuid="6abe35bd-2f69-4713-8360-61754511fbe3"> <name>LoadAvg1</name> <type>SystemResource</type> <condition>loadavg (1min) is greater than 4</condition> <action>alert</action> <path/> </test> <test uuid="5bdfe018-88b7-42cf-a257-15586cc42f7e"> <name>LoadAvg5</name> <type>SystemResource</type> <condition>loadavg (5min) is greater than 3</condition> <action>alert</action> <path/> </test> <test uuid="8e3d3490-e7aa-49df-a54b-6495b262ec33"> <name>LoadAvg15</name> <type>SystemResource</type> <condition>loadavg (15min) is greater than 2</condition> <action>alert</action> <path/> </test> <test uuid="d8f00d05-6774-4205-8bea-e33bacf9d802"> <name>SpaceUsage</name> <type>SpaceUsage</type> <condition>space usage is greater than 75%</condition> <action>alert</action> <path/> </test> <test uuid="f1070c99-a293-41fc-b1df-22c9aa22cf81"> <name>ChangedStatus</name> <type>ProgramStatus</type> <condition>changed status</condition> 
<action>alert</action> <path/> </test> <test uuid="09f6939a-3bf9-4641-b1ba-42ad85b05cfa"> <name>NonZeroStatus</name> <type>ProgramStatus</type> <condition>status != 0</condition> <action>alert</action> <path/> </test> </monit> <Gateways version="0.0.1"/> </OPNsense> <laggs version="1.0.0"> <lagg/> </laggs> <vlans version="1.0.0"> <vlan/> </vlans> <virtualip version="1.0.0"> <vip/> </virtualip> <openvpn/> <staticroutes version="1.0.0"> <route/> </staticroutes> <ifgroups version="1.0.0"/> <bridges> <bridged/> </bridges> <gifs> <gif/> </gifs> <gres> <gre/> </gres> <ppps> <ppp/> </ppps> <wireless> <clone/> </wireless> <ca/> <dhcpdv6/> <gateways> <gateway_item/> </gateways> <cert> <refid>662c4a6b65a15</refid> <descr>Web GUI TLS certificate</descr> </opnsense>