Kitz Forum
Broadband Related => Broadband Technology => Topic started by: Alex Atkin UK on February 12, 2021, 05:11:55 PM
-
Testing out pfSense 2.5.0 as it's now hit release candidate.
So far I'm having problems getting gateway monitoring to work on Plusnet, for some reason the IP I was using before isn't getting a ping response. This is possibly related to a long-standing issue I had with my configuration though, I can't ping out of the Plusnet WAN from pfSense and I have no idea why, but before it WAS at least working for gateway monitoring.
The only other issue is my AirVPN clients failed as one of the custom options they tell you to set is now deprecated in OpenVPN, so I simply removed that option.
-
My in place upgrade went well ;D
2.5.0-RC (amd64)
built on Fri Feb 12 03:07:06 EST 2021
FreeBSD 12.2-STABLE
The system is on the latest version.
Version information updated at Fri Feb 12 19:15:49 GMT 2021
-
I will probably stick with 2.4.5 for now. It's working well and is stable. I have tried 2.5 a couple of times on the bleeding edge versions and they worked fine, but it doesn't have any "must haves" for me that would require an update as yet.
-
Mine is still on the old one, do you have to click >system>update to install it.
I'm newish to pfs. :-\
-
Mine is still on the old one, do you have to click >system>update to install it.
I'm newish to pfs. :-\
You do yeah. You'll need to change the branch to "Next stable version (2.5.0RC)".
-
There was an issue on 2.5.x that was broken for a year where dummynet was sending traffic to a blackhole on WAN interfaces but mysteriously was fine on LAN.
Then they had some kind of code crunch just before the RC and they fixed it in one direction, sadly it's still broken on inbound traffic but pfsense still consider the bug fixed as almost everyone uses it on outbound matching only.
Having been using 2.5 for a year in a datacentre, that was/is the only problem I had with it.
2.5 is a bit of an unknown, as some may not be aware, Netgate are now going to focus on their commercial product which is forking away from the community edition, they will still offer code contributions and still supervise the project, but as to how much attention it gets moving forward only time will tell.
I will be testing the commercial product on the dummynet bug as I am curious if that will work on there.
-
Isn't the commercial version supposed to be focusing on cloud management? I must say that bothers me.
Not only does it seem illogical for small businesses to have everything cloud based, but also how is that supposed to work if pfSense is what allows access to the cloud, so if it breaks you lose access to it?
I'm still not a huge fan of Cloud based anything. Case in point, I recently decided to integrate my Google Calendar into my Intranet home page (it's displayed permanently on monitors in two different rooms in my house for network/server monitoring) using their PHP code sample, and it's just suddenly stopped working with no indication of why. I have no clue how to even begin debugging this, there are no error messages coming back from the API and nothing in the cloud portal (there seems to be little you can actually do/see in there) to suggest it's been blocked either.
-
They are claiming the initial release isn't much different to what the CE is, just a few small enhancements, but over time the gap will grow.
More info here.
https://www.netgate.com/blog/pfsense-plus-pfsense-ce-dev-insights-direction.html
Also they are adopting rapid development (something I am not a fan of but seems it's industry wide practice now), pfsense plus will be very rapid, CE not quite so rapid but still very frequent compared to historical levels. Hopefully they will adopt a longer period than 6 months support for each major release.
-
Well I use Fedora, so not exactly a stranger to rapid development. Although it does seem a risky approach for a router OS.
Maybe we will have to jump to OPNSense at some point, would be kinda annoying.
-
Maybe we will have to jump to OPNSense at some point, would be kinda annoying.
I have been thinking the same thing, I have played around with OPNsense a few times and I like the WebUI better but found that pfSense handles my load balancing better, this guy makes an interesting comparison (https://teklager.se/en/pfsense-vs-opnsense/) between the two OSes.
C
-
Oh yeah the opnsense UI is very nice, I already use opnsense on 3 devices, my home setup with it being complex I have just been too lazy to attempt to move it.
-
pfSense 2.5.0 RELEASE is now out!
I have been thinking the same thing, I have played around with OPNsense a few times and I like the WebUI better but found that pfSense handles my load balancing better, this guy makes an interesting comparison (https://teklager.se/en/pfsense-vs-opnsense/) between the two OSes.
C
I guess once I have FTTP and load balancing won't matter any more, it could be a good time to look into it. Though I do have a spare Atom PC I could install it on to have a look.
Although ZFS and pfBlockerNG are things I'm quite fond of.
-
pfSense Plus 21.02-RELEASE and pfSense CE 2.5.0-RELEASE Now Available
-
Still can't figure out why I can neither ping nor traceroute out of the Plusnet gateway from pfSense but it WILL work from the LAN.
More frustrating is apparently just turning off gateway action didn't work, it still marks the gateway offline in the gateway group unless I disable monitoring entirely. This makes it harder to figure out if I ever fix gateway pinging as I can't have it enabled and use the Internet properly.
-
The 2.5.0-RELEASE update popped up for me yesterday so I ran it and it seems to have installed pretty smoothly, the only two things I have noticed so far are:
- NTP Server is disabled - my NTP is enabled in the Services menu but shows as disabled on the dashboard
- A little globe icon has now appeared next to my 'default connection'
C
-
NTP is fine here.
sudo ntpdate router.lan
19 Feb 18:29:57 ntpdate[5804]: adjust time server 192.168.1.254 offset +0.000004 sec
OpenVPN clients (specifically to AirVPN UK) seem less stable than before though, but I have gateway action off for those as I didn't want the firewall bouncing if the VPN is having issues. I think it's some quirk with the AirVPN client configuration rather than a pfSense problem.
-
I've been able to move my IoT WiFi over to pfSense directly as FreeBSD 12 supports 802.11n on the integrated WiFi card. This was actually one of the improvements I was expecting from the new release so glad to see it works.
It still seems much slower than the nanoHD (but different channel so could be crosstalk related) but fine for IoT devices.
It means once I move to WiFi 6 I will be able to properly test how that functions on 2.4Ghz by ONLY having WiFi 6 clients on it.
-
If anyone has unbound instability on 2.5, a fast tracked update has been pushed in, can be updated with the following command.
'pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound'
-
Well I seem to have solved the Plusnet monitoring issue when I changed the default gateway to one where all gateways are tier 1.
For some reason when I had it set to the gateway group that has both DSL as tier 1 and LTE as tier 2, that wasn't working correctly. It blocked anything specifically directed out of the Plusnet WAN from the pfSense box, plus never fell back to LTE even when both modems were switched off. Discovered that yesterday when my drop wire was being replaced.
It's really bizarre as it makes no sense that setting it to the gateway group where everything is tier 1 would make a difference, especially as monitoring WAS working for LTE which is what you'd think "might" break when it was set to tier 2. I wonder if just changing the default gateway has somehow fixed a configuration glitch.
Can't say I've noticed any problems with Unbound though.
-
Unbound has so far been ok for me as well, but since there is a lot of noise about it on netgate, I thought I would post it just in case.
-
Yeah it's good to know, I'd expect a minor update to bring that patch into the main branch shortly.
-
I have started to have problems which might be Unbound related as I think it's DNS lookups failing on the LAN.
Strange thing is, Unbound is always running when I check the router. Installed the update to see if it fixes it.
-
Did this upgrade last night.
I’ve disabled unbound and use bind9 instead. After the upgrade and reboot, bind had stopped and its config option was missing from the Services menu.
Package Manager still showed bind as being installed, but I clicked ‘reinstall’ and everything came back. No loss of configuration, luckily.
-
You don't use pfBlockerNG? That's a big reason people use pfSense rather than say OPNsense.
-
This doesn't make good reading for Netgate.
https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/
Not sure I would want to be using the wireguard implementation in 2.5.
Also seems 2.5.1 is on the horizon.
--
Looking into it all, I think I will be following Martin on to opnsense for home router, I already am using it on other devices anyway so the migration shouldn't be a big thing hopefully.
-
That's a depressing read, especially if you carry on down the comments.
-
Netgate really are proving themselves SO wrong in their decision to go closed source in the future.
If it was closed source now, then Jason Donenfeld couldn't have looked and seen that the wireguard code was crap and fixed it for them.
I am also mulling OPNsense like you guys.
-
Also trying to talk sense into pfsense leaders on open unbound issue, they want to roll back to an old version instead of simply disabling dhcp registration by default.
I will update the forum on how my migration to opnsense goes. I do remember Martin telling me you can still load ASN lists etc, into opnsense using its built in functions.
-
To me, dynamic DHCP registration is just a bad idea to begin with. What does it do if the hint from the client is the same name as an existing host? The whole idea opens up any client on the LAN to being able to mess with the entire LAN infrastructure which just seems bad.
I understand how that is acceptable for home use, but then anyone using pfSense should be thinking outside the box to begin with and so having static DHCP entries to deal with the problem should be a non-issue.
-
Agreed, even before this issue I had it turned off, and it's usually one of the first things I advise people to do, as the option has always been problematic and makes little sense.
-
Also trying to talk sense into pfsense leaders on open unbound issue, they want to roll back to an old version instead of simply disabling dhcp registration by default.
Are you mentioning any of those settings as per my attachment?
-
Yes, we're talking about Register DHCP leases as it requires Unbound to restart every time a client requests a DHCP lease which means for a moment all DNS on the network fails.
It's far better to use Register DHCP static mappings and give your clients a fixed IP address, that way it doesn't have to keep adding/removing them as they are the same every time.
-
Yes "DHCP Registration"
Sadly the proposal has already been rejected, instead they are rolling back to an older version of unbound which we don't know would solve the issue either, as a lot more in pfsense 2.5 has changed than just the unbound version.
DHCP Registration in general I would keep turned off even without the recent problems that have been reported. It will cause a mini DNS outage and flush DNS cache every time a dynamic DHCP lease is updated.
Every single person on netgate's forum I advised to turn it off reported back everything DNS related was fixed.
-
What's the new problem with DHCP Registration anyway? As far as I can tell it's ALWAYS been broken on Unbound due to requiring a restart every time a client gets a new lease. Unbound was presumably never designed to have real-time live updates.
This option only makes sense for dnsmasq where it works seamlessly because the same client handled DNS and DHCP. It makes perfect sense there as dnsmasq is for people who don't want the complexity of Unbound so are more likely to need the tiny benefit registering DHCP leases gives.
Anyone who DOES want the complexity of Unbound should know better than to let random clients mess with the DNS server.
-
The new problem is instead of just being temporarily down for maybe 1-30 seconds for a restart (can be quite long if using large DNSBL lists on a slow device), it is actually staying down, and failing to restart.
The problem doesn't seem to occur with DNSBL reload, I think that's because the pfblockerng dev reloads unbound with just a rehash instead.
-
It worries me about them "rolling back" as I had TONS of problems with Unbound not restarting after a WAN bounced, firewall restart or DNSBL reload a few years back. So they could end up making the problem worse.
-
Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:
"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."
https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html
-
It just keeps getting better and better. A nice slow sarcastic clap for Netgate.
-
Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:
"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."
https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html
After Netgate requested the fixed code be pulled (as well as their own code), I do wonder now if wireguard even has a future in FreeBSD, potentially it won't happen as politics can hold things up for years, I hope this is not the case and the fixed implementation comes back, but this announcement isn't good at all and makes my fear more likely to become a reality.
-
Presumably the user level version can still be used, just vastly less efficient.
-
I checked unbound and I already have the latest version without doing the extra update command, I think people who updated to 2.5.x late got the latest by default as that's what's in the repo.
The user version of wireguard from what I understand can still be used in FreeBSD (although now has no maintainer), and in opnsense which is what they had already added. pfSense I think is just using the kernel version that is based on the pfSense patch.
-
I was curious to maybe try Wireguard for my fixed links, but its not the end of the world.
I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldn't exist for security reasons to begin with.
-
I have now installed OpenWrt instead of pfsense on my fancy x64 PC hardware.
WOW it is fast and super lightweight, performance is great!
Installation instructions, if you fancy trying it too:
Flash this with rufus or etcher to a USB pendrive (extract it first):
https://downloads.openwrt.org/releases/19.07.7/targets/x86/64/openwrt-19.07.7-x86-64-combined-ext4.img.gz
Boot it up (with a monitor connected) and set a new root password with: passwd
Set a static LAN IP address with: vim /etc/config/network
Then enter: service network reload
Now you can SSH in, and load the web interface.
In the web interface set up your WAN settings (PPPoE for me, Plusnet 80/20).
For BT/Plusnet VDSL2 etc, you need to add this to your PPPoE interface (in the web UI): Physical Settings, Custom Interface, ptm0.101
OpenWrt has Cake, Smart Queue Management (Common Applications Kept Enhanced) which is way better than FQ_Codel.
And best of all - it is Linux based, as I know naff all when it comes to FreeBSD.
To install Cake, SSH in and enter:
opkg update
opkg install luci-app-sqm
Then reboot & then it will appear in the web interface under: Network.
After setting Bandwidth to 85% of my max, I set Queue Discipline to: cake, piece_of_cake.qos
To enable 1500 MTU (baby jumbo frames aka RFC 4638) when using a suitable modem, set in the web interface: Override MTU to: 1522 (Interfaces - WAN - Advanced Settings)
This channel has loads of tips:
https://www.youtube.com/c/VanTechCorner/videos
My bufferbloat test from http://www.dslreports.com/speedtest is now always:
Overall A+ BufferBloat A+ Quality A+ ;D
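The same OpenWrt 19.07 setup as the post above, written as UCI commands that can be applied over SSH instead of clicked through LuCI. This is an added example, not code from the post or from the OpenWrt project; the PPPoE credentials, the 80/20 sync rates, the 'wan' section name in /etc/config/sqm and the 85% shaping rule are assumptions taken from the post or made up for illustration.

```shell
#!/bin/sh
# Added example (not from the forum post or OpenWrt): the LuCI steps for an
# OpenWrt 19.07 x86 router on BT/Plusnet VDSL2 expressed as UCI commands.
# Assumptions (mine): placeholder PPPoE credentials, constructed 80000/20000
# kbit/s sync rates, and an sqm section named 'wan'. DRY_RUN=1 prints the
# commands instead of running them; APPLY=1 runs the two configure functions.

PPPOE_USER="${PPPOE_USER:-user@plusnet.com}"    # placeholder, pass real value via env
PPPOE_PASS="${PPPOE_PASS:-changeme}"            # placeholder, never hard-code the real one
SYNC_DOWN_KBIT="${SYNC_DOWN_KBIT:-80000}"       # constructed: 80 Mbit/s down
SYNC_UP_KBIT="${SYNC_UP_KBIT:-20000}"           # constructed: 20 Mbit/s up
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Shaping rate is 85% of sync, as in the post, so cake owns the queue rather
# than the modem's buffer (that is what removes the bufferbloat).
pct85() { echo $(( $1 * 85 / 100 )); }

configure_wan() {
    run uci set network.wan.proto='pppoe'
    run uci set network.wan.ifname='ptm0.101'    # BT/Plusnet VDSL2: VLAN 101 on the PTM link
    run uci set network.wan.username="$PPPOE_USER"
    run uci set network.wan.password="$PPPOE_PASS"
    run uci commit network
    run service network reload
}

configure_sqm() {
    run opkg update
    run opkg install luci-app-sqm
    run uci set sqm.wan=queue                    # assumption: section named 'wan'
    run uci set sqm.wan.enabled='1'
    run uci set sqm.wan.interface='pppoe-wan'    # shape the PPPoE link, not the VLAN device
    run uci set sqm.wan.download="$(pct85 "$SYNC_DOWN_KBIT")"
    run uci set sqm.wan.upload="$(pct85 "$SYNC_UP_KBIT")"
    run uci set sqm.wan.qdisc='cake'
    run uci set sqm.wan.script='piece_of_cake.qos'
    run uci commit sqm
    run /etc/init.d/sqm enable
    run /etc/init.d/sqm restart
}

if [ "${APPLY:-0}" = 1 ]; then
    configure_wan
    configure_sqm
fi
```

Preview with `DRY_RUN=1 APPLY=1 sh setup.sh` and apply on the router with `APPLY=1 PPPOE_USER=... PPPOE_PASS=... sh setup.sh`.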
-
I used OpenWRT BEFORE pfSense, the problem is it's a PITA to upgrade particularly as I don't trust booting off USB sticks for something I need to be reliable.
Also I found web pages "felt" like they loaded quicker on pfSense. But power consumption is much much lower on OpenWRT. FreeBSD has crap power management, but then arguably you don't want a router clocking up and down anyway as that introduces latency.
I agree with the idea that BSD is better for a router in general, the packet filtering is better apart from the lack of Cake/SQM.
-
I was curious to maybe try Wireguard for my fixed links, but its not the end of the world.
I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldn't exist for security reasons to begin with.
I proposed the change here and it was rejected. https://redmine.pfsense.org/issues/11316
Underzone, I agree on cake as well, sadly there seems no hunger for anyone to get it into FreeBSD (meaning also not in opnsense/pfSense).
-
I actually have one of my old TP-Link WDR3600 on my friend's cable connection and despite the fact it's now underpowered for the package they've got, not heard any complaints from him except when it's an actual problem with Virgin themselves causing the connection to fail.
I'd always recommend OpenWRT with Cake on the fastest consumer router they can find, for anyone who doesn't have fancy requirements.
I didn't want to use x86 for him as I already had a backup PC up there and it kept failing, he would never go and check on it. It's really not an ideal place as it's in a loft that gets HOT in summer, but keeping all the networking up there stops his dad messing with it. He is one of those people who has a nasty habit of pulling cables and pressing buttons while not knowing what on earth he is doing.
I'm shocked it's still working as it must be over 10 years now, I'd expect all the capacitors to be failing.
-
Got a decent opnsense config on my old pfsense box, I will probably be moving the internet cable over very soon to do some testing and then if all is well will move the install to the faster hardware.