Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[hushcoden]

Also trying to talk sense into pfsense leaders on open unbound issue, they want to roll back to an old version instead of simply disabling dhcp registration by default.

Are you mentioning any of those settings as per my attachment?

[Alex Atkin UK]

Yes, were talking about Register DHCP leases as it requires Unbound to restart every time a client requests a DHCP lease which means for a moment all DNS on the network fails.

Its far better to use Register DHCP static mappings and give your clients a fixed IP address, that way it doesn't have to keep adding/removing them as they are the same every time.

[Chrysalis]

Yes "DHCP Registration"

Sadly the proposal has already been rejected, instead they rolling back to a older version of unbound which we dont know if would solve the issue either, as a lot more in pfsense 2.5 has changed than just the unbound version.

DHCP Registration in general I would keep turned off even without the recent problems that have been reported.  It will cause a mini DNS outage and flush DNS cache every time a dynamic DHCP lease is updated.

Every single person on netgate's forum I advised to turn it off reported back everything DNS related was fixed.

[Alex Atkin UK]

What's the new problem with DHCP Registration anyway?  As far as I can tell its ALWAYS been broken on Unbound due to requiring a restart every time a client gets a new lease.  Unbound was presumably never designed to have real-time live updates.

This option only makes sense for dnsmasq where it works seamlessly because the same client handled DNS and DHCP.   It makes perfect sense there as dnsmasq is for people who don't want the complexity of Unbound so are more likely to need the tiny benefit registering DHCP leases gives.

Anyone who DOES want the complexity of Unbound should know better than to let random clients mess with the DNS server.

[Chrysalis]

The new problem is instead of just been temporarily down for maybe 1-30 seconds for a restart (can be quite long is using large DNSBL lists on a slow device), it is actually staying down, and failing to restart.

The problem doesnt seem to occur with DNSBL reload, I think thats because the pfblockerng dev reloads unbound with just a rehash instead.

[Alex Atkin UK]

It worries me about them "rolling back" as I had TONS of problems with Unbound not restarting after a WAN bounced, firewall restart or DNSBL reload a few years back.  So they could end up making the problem worse.

[underzone]

Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:

"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html

[Alex Atkin UK]

It just keeps getting better and better.  A nice slow sarcastic clap for Netgate.

[Chrysalis]

Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:

"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html

After Netgate requested the fixed code be pulled (as well as their own code), I do wonder now if wireguard even has a future in FreeBSD, potentially it wont happen as politics can hold things up for years, I hope this is not the case and the fixed implementation comes back, but this announcement isnt good at all and makes my fear more likely to become a reality.

[Alex Atkin UK]

Presumably the user level version can still be used, just vastly less efficient.

[Chrysalis]

I checked unbound and I already have the latest version without doing the extra update command, I think people who updated to 2.5.x late got the latest by default as thats what in the repo.

The user version of wireguard from what I understand can still be used in FreeBSD (although now has no maintainer), and in opnsense which is what they had already added.  pfSense I think is just using the kernel version that is based on the pfSense patch.

[Alex Atkin UK]

I was curious to maybe try Wireguard for my fixed links, but its not the end of the world.

I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldnt exist for security reasons to begin with.

[underzone]

I have now installed OpenWrt instead of pfsense on my fancy x64 PC hardware.
WOW it is fast and super lightweight, performance is great!

Installation instructions, if you fancy trying it too:

Flash this with rufus or etcher to a USB pendrive (extract it first):
https://downloads.openwrt.org/releases/19.07.7/targets/x86/64/openwrt-19.07.7-x86-64-combined-ext4.img.gz

Boot it up (with a monitor connected) and set a new root password with: passwd
Set a static LAN IP address with: vim /etc/config/network
Then enter: service network reload
Now you can SSH in, and load the web interface.

In the web interface set up your WAN settings (PPPoE for me, Plusnet 80/20).
For BT/Plusnet VDSL2 etc, you need to add this to your PPPoE interface (in the web UI): Physical Settings, Custom Interface, ptm0.101

OpenWrt has Cake, Smart Queue Management (Common Applications Kept Enhanced) which is way better than FQ_Codel.
And best of all - it is Linux based, as I know naff all when it comes to FreeBSD.

To install Cake, SSH in and enter:
opkg update
opkg install luci-app-sqm

Then reboot & then it will appear in the web interface under: Network.
After setting Bandwidth to 85% of my max, I set Queue Discipline to: cake, piece_of_cake.qos

To enable 1500 MTU (baby jumbo frames aka RFC 4638) when using a suitable modem, set in the web interface: Override MTU to: 1522 (Interfaces - WAN - Advanced Settings)

This channel has loads of tips:
https://www.youtube.com/c/VanTechCorner/videos

My bufferbloat test from http://www.dslreports.com/speedtest is now always:
Overall A+  BufferBloat  A+  Quality  A+       

[Alex Atkin UK]

I used OpenWRT BEFORE pfSense, the problem is its a PITA to upgrade particularly as I don't trust booting off USB sticks for something I need to be reliable.

Also I found web pages "felt" like they loaded quicker on pfSense.  But power consumption is much much lower on OpenWRT.  FreeBSD has crap power management, but then arguably you don't want a router clocking up and down anyway as that introduces latency.

I agree with the idea that BSD is better for a router in general, the packet filtering is better apart from the lack of Cake/SQM.

[Chrysalis]

I was curious to maybe try Wireguard for my fixed links, but its not the end of the world.

I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldnt exist for security reasons to begin with.

I proposed the change here and it was rejected. https://redmine.pfsense.org/issues/11316

Underzone, I agree on cake as well, sadly seems no hunger for anyone to get in FreeBSD (meaning also not in opnsense/pfSense).