> That rather suggests the TV has a problem and is interfering with the cable connection.

I have that too: in the afternoon, when my little one switches the box on, I get thrown out of WoT.

> I also have Voodoofone cable, but in Bavaria (Nermbercher Land).

Almost around the corner from here, but on DSL, and everything is quiet here. I would notice very quickly that I couldn't work.

> Well, it wasn't like that before either?

That rather suggests the TV has a problem and is interfering with the cable connection.

Cable modem: have a look at the event log. On mine (Vodafone) there were one or two incidents recently (with a restart).
If it were the OPNsense, you would have to see something in its system log, e.g. a restart. "Gateway errors" etc. was always the modem for me (see above).

> Hm, I won't see much on the modem - it is configured as a pure "handover station" - I won't be able to get onto/into it.

The normal Vodafone Station is reachable via 192.168.100.1 - even in bridge mode!
Hey,
So this is the end of life release for the 23.1 series which includes the recent FreeBSD advisories as well as plugin support for Zabbix 6.4.
We have finished the OpenVPN MVC "instances" for anyone who is interested in a preview using the current development release. FreeBSD 13.2 side looks ready so we will be releasing 23.7-RC1 some time in the second half of July. The final 23.7 release is scheduled for July 31. The upgrade path from 23.1 will be enabled shortly after the new major release, but can take up to 24 hours due to testing and mirror propagation. Please do not despair.
Here are the full patch notes:

- system: add RADIUS authentication support for MSCHAPv2 using Crypt_CHAP_MSv2()
- system: propagate error in rc.syshook scripts
- dhcp: validate client hostnames in Dnsmasq/Unbound lease watchers
- firmware: automatic kernel upgrade after reboot like base and package stages
- firmware: sticky advanced mode if flavour is set to non-default
- intrusion detection: add missing typecast in getAlertLogsAction()
- mvc: fix locking regression that caused bulk changes to not being rendered correctly
- plugins: os-zabbix-agent plugin variant for Zabbix 6.4
- plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
- src: axgbe: account for 4 SFP ports during GPIO expander check
- src: ipsec: make algorithm tables read-only
- src: mpr: fix copying of event_mask[1]
- src: pam_krb5: fix spoofing vulnerability[2]
- src: loader: comconsole: do not unconditionally wipe out hw.uart.console[3]
- src: contrib/tzdata: import tzdata 2023c[4]
- src: ixgbe: change if condition for RSS and rxcsum
- src: pf: fix pf_nv##_array() size check
- src: e1000: fix VLAN 0
- ports: py-setuptools fix for CVE-2022-40897

Stay safe,

Your OPNsense team
Hello friends of the well-maintained OPNsense,

Have any "internet dropouts" become known since the last updates?!
Within 2 weeks I have now had 2 outages of my internet - whereas the whole thing ran for over a year completely without problems.
How do you find out whether it is the cable modem or the OPNsense!?
Regards
1) Please set "Firewall Optimization" to "conservative" (https://docs.opnsense.org/manual/firewall_settings.html).
> - Meetings via Teams => massive dropouts / partly not possible at all

Maybe sounds like a WLAN problem?

> - If the iPhone is on the WLAN => noticeable dropouts in videos on Facebook
>
> If the problem occurs, switch off modem + OPNsense, put them back into operation, and then the whole thing runs again for an indefinite time (several days - up to a week).

That sounds like the classic Vodafone cable modem problems. In my experience it is not the OPNsense.
| Tunable | Note | Type | Value |
|---|---|---|---|
| cc_cdg_load | load CDG congestion control kernel module | environment | YES |
| cc_cubic_load | Load CUBIC congestion control module. | environment | YES |
| dev.cpu.0.cx_lowest | https://forum.opnsense.org/index.php?topic=28031.0 | runtime | C3 |
| dev.cpu.1.cx_lowest | https://forum.opnsense.org/index.php?topic=28031.0 | runtime | C3 |
| dev.cpu.2.cx_lowest | lowest Cx sleep state to use | runtime | C3 |
| dev.cpu.3.cx_lowest | lowest Cx sleep state to use | runtime | C3 |
| dev.igb.0.fc | Flow Control | runtime | 0 |
| dev.igb.1.fc | Flow Control | runtime | 0 |
| dev.igb.2.fc | Flow Control | runtime | 0 |
| dev.igb.3.fc | | unsupported | 0 |
| hw.acpi.cpu.cx_lowest | defaults to C1 | runtime | C3 |
| hw.em.eee_setting | Disable EEE settings on all network cards. | boot-time | 1 |
| hw.em.max_interrupt_rate | Default 8000 | boot-time | 16000 |
| hw.em.rx_process_limit | disable for a small performance win, see https://papers.freebsd.org/2018/asiabsdcon/cochard-tuning_freebsd_for_routing_and_firewalling.files/cochard-tuning_freebsd_for_routing_and_firewalling-slides.pdf | boot-time | -1 |
| hw.ibrs_disable | https://docs.opnsense.org/troubleshooting/hardening.html The main disadvantage of the IBRS mitigation is the significant performance penalty. In OPNsense IBRS is enabled (for Intel) by default by setting hw.ibrs_disable to 0; the upstream FreeBSD default is disabled (1). | runtime | 0 |
| hw.intr_storm_threshold | default 1000 | runtime | 9000 |
| hw.ix.enable_aim | Enable adaptive interrupt moderation | runtime | 1 |
| hw.pci.honor_msi_blacklist | Whether to honor the OLD(!) MSI blacklist, e.g. on VMware ESXi. Default 1 | boot-time | 0 |
| kern.elf64.aslr.enable | ASLR - Not enabled by default and may be buggy | runtime | 1 |
| kern.elf64.aslr.pie_enable | Not enabled by default. May be buggy | runtime | 1 |
| kern.hz | https://www.neelc.org/posts/freebsd-dummynet-kernhz/ | boot-time | 1000 |
| kern.ipc.maxsockbuf | Maximum socket buffer size, default (4262144) | runtime | 16777216 |
| kern.ipc.soacceptqueue | Default 128; increase slightly to test | runtime | 256 |
| kern.random.fortuna.minpoolsize | Minimum pool size necessary to cause a reseed | runtime | 256 |
| kern.random.harvest.mask | 351 = 33119: standard tuning apparently 33375: kern.random.harvest.mask_symbolic: PURE_RDRAND,[UMA],FS_ATIME,[SWI],[INTERRUPT],NET_NG,[NET_ETHER],NET_TUN,MOUSE,KEYBOARD,ATTACH,CACHED | runtime | 351 |
| machdep.hwpstate_pkg_ctrl | Selects between package-level control (the default) and per-core control. "1" selects package-level control and "0" selects core-level control. | boot-time | 0 |
| machdep.hyperthreading_allowed | HT switched off, since virtual cores in combination with NICs - supposedly - tend to get in each other's way and can cause 20% losses. A short test of my own confirmed this: Windows performance + iperf3 clearly better when the firewall has no hyperthreading active. (Temperatures with HT, however, considerably! lower!) https://forum.opnsense.org/index.php?PHPSESSID=8bif29r50ks6dua908cv099u0v&topic=9714.msg67571#msg67571 | boot-time | 1 |
| machdep.hyperthreading_intr_allowed | https://cgit.freebsd.org/src/commit/?id=bb7aaac3792bf7797faa6c43bb2a7e49ca372724 Enabling interrupts on HTT cores benefits workloads that are primarily interrupt driven by increasing the logical cores available for interrupt handling. The tunable is named machdep.hyperthreading_intr_allowed. | boot-time | 1 |
| net.bpf.zerocopy_enable | https://github.com/opnsense/docs/issues/278 https://forum.opnsense.org/index.php?PHPSESSID=cqjfqtjlpvi3krbf86neqt6s82&topic=5595.15 Default 0 | runtime | 1 |
| net.inet.rss.bits | This one depends on the number of cores you have. By default the number of bits here represents the number of cores x 2 in binary. This is done on purpose to provide load-balancing, though there is no current implementation for this, so I recommend setting this value to the number of bits representing the number of CPU cores. This means we use the following values: for 4-core systems use '2', for 8-core systems use '3', for 16-core systems use '4'. Not sure whether 1 (= 2 real CPUs) or 2 (= 4 HT CPUs) is better. | boot-time | 2 |
| net.inet.rss.enabled | Enable RSS. Default 0 = disabled | boot-time | 1 |
| net.inet.tcp.abc_l_var | Calomel: 44 if net.inet.tcp.mssdflt = 1460, 52 if 1240. Default 2. | runtime | 44 |
| net.inet.tcp.cc.abe | Calomel; RFC 8511 TCP Alternative Backoff with ECN. Default (0) | runtime | 1 |
| net.inet.tcp.cc.algorithm | Default: newreno | runtime | cubic |
| net.inet.tcp.initcwnd_segments | Calomel; previously default (10) | runtime | 44 |
| net.inet.tcp.isn_reseed_interval | Default 0 (off). RFC 6528: Initial Sequence Numbers (ISN) refer to the unique 32-bit sequence number assigned to each new Transmission Control Protocol (TCP) connection. The TCP protocol assigns an ISN to each new byte, beginning with 0 and incrementally adding a secret number every four seconds until the limit is exhausted. In continuous communication all available ISN options could be used up in a few hours. Normally a new secret number is only chosen after the ISN limit has been exceeded. In order to defend against Sequence Number Attacks the ISN secret key should not be used so often that it would be regarded as predictable, and thus insecure. Reseeding the ISN will break TIME_WAIT recycling for a few minutes. BUT, for the more paranoid, simply choose a random number of seconds after which a new ISN secret should be generated. https://tools.ietf.org/html/rfc6528 | runtime | 4237 |
| net.inet.tcp.minmss | Previously set: 216 (!!) | runtime | 536 |
| net.inet.tcp.mssdflt | Previously set: 536 (!!). Now recommended 1448 per https://www.c0ffee.net/blog/freebsd-server-guide/, since net.inet.tcp.rfc1323 is 1 by FreeBSD default. | runtime | 1448 |
| net.inet.tcp.nolocaltimewait | Test. Default 0. | runtime | 1 |
| net.inet.tcp.recvbuf_max | https://fasterdata.es.net/host-tuning/freebsd/ | runtime | 16777216 |
| net.inet.tcp.rfc6675_pipe | Calomel; Default (0) | runtime | 1 |
| net.inet.tcp.sendbuf_inc | increase autotuning step size | runtime | 16384 |
| net.inet.tcp.sendbuf_max | https://fasterdata.es.net/host-tuning/freebsd/ | runtime | 16777216 |
| net.isr.bindthreads | Default 0 | boot-time | 1 |
| net.isr.dispatch | default = direct; alternative = deferred; for RSS = hybrid | runtime | hybrid |
| net.isr.maxthreads | Default 1 | boot-time | -1 |
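The table above mixes three kinds of entries: loader variables (the `*_load` lines), boot-time tunables that only take effect after a reboot, and runtime sysctls. Some of them change the security posture rather than throughput (hw.ibrs_disable, the ASLR knobs, net.inet.tcp.isn_reseed_interval), so it is worth checking that a box actually runs with the values you think you set. The following Python script is an added example, not part of the post or of OPNsense: it splits a small constructed excerpt of the table into loader.conf and sysctl.conf lines and compares the wanted values against a constructed `sysctl -a`-style snapshot, listing security-relevant drift first. The table excerpt, the snapshot and the SECURITY_RELEVANT set are assumptions for the demonstration.

```python
"""Split a FreeBSD tunables table into loader.conf / sysctl.conf and report drift.

Added example; TUNABLE_TABLE and SYSCTL_SNAPSHOT are constructed inputs, not
output captured from a real OPNsense box.
"""
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the tunables table above: name|type|wanted value.
TUNABLE_TABLE = """
hw.ibrs_disable|runtime|0
kern.elf64.aslr.enable|runtime|1
kern.elf64.aslr.pie_enable|runtime|1
net.inet.tcp.isn_reseed_interval|runtime|4237
net.inet.rss.enabled|boot-time|1
net.inet.rss.bits|boot-time|2
net.isr.maxthreads|boot-time|-1
cc_cubic_load|environment|YES
net.inet.tcp.cc.algorithm|runtime|cubic
"""

# Constructed `sysctl -a`-style snapshot standing in for the running firewall.
SYSCTL_SNAPSHOT = """
hw.ibrs_disable: 1
kern.elf64.aslr.enable: 1
kern.elf64.aslr.pie_enable: 0
net.inet.tcp.isn_reseed_interval: 0
net.inet.rss.enabled: 1
net.inet.rss.bits: 2
net.isr.maxthreads: 4
net.inet.tcp.cc.algorithm: cubic
"""

# Assumed set of entries whose drift weakens a mitigation rather than performance.
SECURITY_RELEVANT = {
    "hw.ibrs_disable",
    "kern.elf64.aslr.enable",
    "kern.elf64.aslr.pie_enable",
    "net.inet.tcp.isn_reseed_interval",
    "kern.random.harvest.mask",
}

Tunable = Tuple[str, str, str]                # (name, type, wanted)
Drift = Tuple[str, str, Optional[str], bool]  # (name, wanted, actual, security_relevant)


def parse_tunables(text: str) -> List[Tunable]:
    """Parse 'name|type|value' rows; blank lines are ignored."""
    rows: List[Tunable] = []
    for line in text.strip().splitlines():
        name, kind, value = (field.strip() for field in line.split("|", 2))
        rows.append((name, kind, value))
    return rows


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines as printed by sysctl -a (split on the first ': ' only)."""
    values: Dict[str, str] = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(": ")
        values[name.strip()] = value.strip()
    return values


def render_configs(tunables: List[Tunable]) -> Tuple[List[str], List[str]]:
    """boot-time and environment entries go to loader.conf, runtime ones to sysctl.conf."""
    loader: List[str] = []
    sysctl: List[str] = []
    for name, kind, value in tunables:
        if kind in ("boot-time", "environment"):
            loader.append(f'{name}="{value}"')
        elif kind == "runtime":
            sysctl.append(f"{name}={value}")
    return loader, sysctl


def find_drift(tunables: List[Tunable], snapshot: Dict[str, str]) -> List[Drift]:
    """Return entries whose running value differs from (or is missing against) the wanted one."""
    drift: List[Drift] = []
    for name, kind, wanted in tunables:
        if kind == "environment":
            continue  # *_load loader variables are not sysctls, nothing to compare
        if kind == "boot-time" and wanted == "-1":
            continue  # -1 means "auto"; the kernel reports the resolved value instead
        actual = snapshot.get(name)
        if actual != wanted:
            drift.append((name, wanted, actual, name in SECURITY_RELEVANT))
    # Security-relevant drift first, then alphabetical.
    return sorted(drift, key=lambda d: (not d[3], d[0]))


def report(drift: List[Drift]) -> str:
    """Human-readable summary of find_drift() output."""
    return "\n".join(
        f"{'SECURITY ' if sec else ''}DRIFT {name}: wanted {wanted}, running {actual}"
        for name, wanted, actual, sec in drift
    ) or "no drift"


if __name__ == "__main__":
    rows = parse_tunables(TUNABLE_TABLE)
    loader_conf, sysctl_conf = render_configs(rows)
    print("# /boot/loader.conf\n" + "\n".join(loader_conf))
    print("# /etc/sysctl.conf\n" + "\n".join(sysctl_conf))
    print(report(find_drift(rows, parse_snapshot(SYSCTL_SNAPSHOT))))
```

On a real box you would feed `sysctl -a` output into parse_snapshot() instead of the constructed snapshot; the `-1` special case exists because boot-time "auto" values such as net.isr.maxthreads never read back as -1 and would otherwise show up as false drift.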
Here are the full patch notes against 23.1.11:
o system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
o system: fix assorted PHP 8.2 deprecation notes
o system: fix assorted permission-after-write problems
o system: introduce a gateway watcher service and fix issue with unhandled "loss" trigger when "delay" is also reported
o system: enabled web GUI compression (contributed by kulikov-a)
o system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
o system: allow "." DNS search domain override
o system: on boot let template generation wait for configd socket for up to 10 seconds
o system: do not allow state modification on GET for power off and reboot actions
o system: better validation and escaping for cron commands
o system: better validation for logging user input
o system: improve configuration import when interfaces or console settings do not match
o system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
o system: sanitize $act parameter in trust pages
o system: add severity filter in system log widget (contributed by kulikov-a)
o interfaces: extend/modify IPv6 primary address behaviour
o interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
o interfaces: introduce a lock and DAD timer into newwanip for IPv6
o firewall: move all automatic rules for interface connectivity to priority 1
o firewall: rewrote group handling using MVC/API
o firewall: clean up AliasField to use new getStaticChildren()
o firewall: "kill states in selection" button was hidden when selecting only a rule for state search
o firewall: cleanup port forward page and only show the associated filter rule for this entry
o captive portal: safeguard template overlay distribution
o dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
o dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
o dhcp: align router advertisements VIP code and exclude /128
o dhcp: allow "." for DNSSL in router advertisements
o firmware: opnsense-version: remove obsolete "-f" option stub
o firmware: properly escape crash reports shown
o ipsec: add missing config section for HA sync
o ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
o ipsec: only write /var/db/ipsecpinghosts if not empty
o ipsec: check IPsec config exists before use (contributed by agh1467)
o ipsec: fix RSA key pair generation with size other than 2048
o ipsec: deprecating tunnel configuration in favour of new connections GUI
o ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
o openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API available as a separate configuration option[2]
o openvpn: rewrote client specific overrides using MVC/API
o unbound: rewrote general settings and ACL handling using MVC/API
o unbound: add forward-tcp-upstream in advanced settings
o unbound: move unbound-blocklists.conf to configuration location
o unbound: add database import/export functions for when DuckDB version changes on upgrades
o unbound: add cache-max-negative-ttl setting (contributed by hp197)
o backend: minor regression in deeper nested command structures in configd
o mvc: fill missing keys when sorting in searchRecordsetBase()
o mvc: properly support multi clause search phrases
o mvc: allow legacy services to hook into ApiMutableServiceController
o mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
o mvc: add generic static record definition for ArrayField
o ui: introduce collapsible table headers for MVC forms
o plugins: os-acme-client 3.18[3]
o plugins: os-dnscrypt-proxy 1.14[4]
o plugins: os-dyndns removed due to unmaintained code base
o plugins: os-frr 1.34[5]
o plugins: os-telegraf 1.12.8[6]
o plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
o plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
o src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
o src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
o src: ipsec: add PMTUD support
o src: FreeBSD 13.2-RELEASE[7]
o ports: krb 1.21.1[8]
o ports: nss 3.91[9]
o ports: php 8.2.8[10]
o ports: py-duckdb 0.8.1
o ports: py-vici 5.9.11
o ports: sudo 1.9.14p2[11]
o ports: suricata now enables Netmap V14 API
Migration notes, known issues and limitations:
o The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups -- especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
o Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility "monitor" still exists but is only provided for compatibility reasons with existing user scripts.
o IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended. An appropriate EoL announcement will be made next year.
o The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
o The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
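The first item in the patch notes, validating the login redirect string with parse_url() before redirecting, addresses the classic open-redirect pattern: a login page that sends the user to whatever URL the request named. The Python function below is an added example, not OPNsense's PHP implementation, showing what such a check has to reject before accepting a post-login target: absolute URLs of any scheme, protocol-relative "//host" forms, backslash variants browsers normalise to slashes, control characters, and strings the URL parser cannot parse at all. DEFAULT_LANDING and the sample candidates are assumptions for the demonstration.

```python
"""Validate a post-login redirect target so it can only point back into this site.

Added example; not the OPNsense implementation (which uses PHP's parse_url()).
DEFAULT_LANDING is an assumed fallback path.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/index.php"  # assumed fallback used whenever the candidate is rejected


def safe_login_redirect(candidate: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return `candidate` if it is a rooted same-site path, otherwise `default`."""
    if not candidate:
        return default
    # Whitespace and control characters get stripped or mangled by browsers before
    # the URL is interpreted; reject rather than guess how they would be normalised.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Browsers treat '\' like '/', so "/\evil.example" is really "//evil.example".
    if "\\" in candidate:
        return default
    # "//host" and "///host" both resolve to another host (protocol-relative URL).
    if candidate.startswith("//"):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default  # not parseable at all, e.g. an unterminated IPv6 bracket
    if parts.scheme or parts.netloc:
        return default  # absolute URL (https:, javascript:, ...) or an explicit host
    if not parts.path.startswith("/"):
        return default  # relative paths depend on the current page; accept rooted only
    # Rebuild from the parsed parts so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed candidates of the kind an attacker puts into a redirect parameter.
    for c in ["/ui/firewall/alias?x=1#top", "https://evil.example/", "//evil.example/",
              "///evil.example/", "/\\evil.example", "javascript:alert(1)",
              "http://[::1", "index.php", ""]:
        print(f"{c!r:32} -> {safe_login_redirect(c)}")
```

The ordering matters: the backslash and "//" checks run on the raw string, because after parsing, "///evil.example" looks like an innocent path with an empty netloc, and the unparseable case is handled by catching ValueError rather than trusting whatever partial result a lenient parser might give.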
> I don't want to grumble, but you have
> 600 TABS
> open in one browser????
> What the fuck are you doing there???

The "Altenheim IT" workspace alone has 180 tabs.
23.7, nicknamed "Restless Roadrunner", features numerous MVC/API conversions including the new OpenVPN "instances" configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.