    Some observations testing 25.11.r.20251118.1708 on Netgate 2100

      pst

      Here are some initial observations from a day's testing of 25.11.r.20251118.1708 on a Netgate 2100.

      Overview

      The Netgate 2100 running 25.07.1 was factory reset and rebooted, then I installed 25.11-RC and rebooted. The default config booted fine so I proceeded with loading a 25.07.1 config from my main pfSense box (after manually changing the interfaces, which is the only difference in the config.xml). This configuration did not boot, with the Wireguard config being the cause. After a quick hack to the WG startup I managed to complete the boot and the system has been running fairly reliably since then.

      Detailed issues

      Wireguard and peers with FQDN

      A longstanding issue which is yet to be fixed (although I doubt it ever will) is the issue with Wireguard and peers configured with FQDNs (there's a redmine somewhere...). As no resolver is running when the early Wireguard setup is done during boot there is a risk of triggering the BSD boot supervision timer (15 minutes) when there are many WG tunnels to configure. This is what the console shows then:

      tun_wg9: link state changed to UP
      wg10: changing name to 'tun_wg10'
      tun_wg10: link state changed to UP
      wg11: changing name to 'tun_wg11'
      tun_wg11: link state changed to UP
      Shutdown NOW!
      shutdown: [pid 74600]
      2025-11-20T21:18:09.731370+01:00 - shutdown 74600 - - reboot by root: 
      
      System shutdown time has arrived
      Waiting (max 60 seconds) for system process `vnlru' to stop... done
      Waiting (max 60 seconds) for system process `syncer' to stop... 
      Syncing disks, vnodes remaining... 0 0 done
      All buffers synced.
      Uptime: 15m19s
      uhub0: detached
      uhub1: detached
      TIM-1.0
      WTMI-devel-1.0.0-1115f12
      WTMI: system early-init
      SVC REV: 5, CPU VDD voltage: 1.225V
      

      In previous versions of pfSense a simple work-around was to boot without the WAN connected, which unfortunately no longer works for 25.11-RC. The redmine (somewhere...) also has a patch for 25.07.1 to work around the issue, which unfortunately doesn't work for 25.11-RC. This new hack does the job, at least on my system:

      --- /usr/local/pkg/wireguard/includes/wg_service.inc	2025-11-21 01:15:27.746449000 +0100
      +++ /usr/local/pkg/wireguard/includes/wg_service.inc.new	2025-11-21 01:16:10.635223000 +0100
      @@ -57,6 +57,7 @@
       
       	switch (strtolower($argv[1])) {
       		case 'start':
      +	                if (is_platform_booting()) { exit(0); } // PST hack to prevent WG starting during boot
       			$ret_code = wg_service_cli_start($serialize);
       			break;
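
      Review bot: the added `is_platform_booting()` guard in the `start` case calls `exit(0)` before `wg_service_cli_start($serialize)`, so the caller is told the start succeeded although no tunnel was brought up, and nothing in this hunk starts WireGuard again once boot has finished. Consider logging the skip and either returning a distinct non-zero code or deferring the start until after boot, so the tunnels do not stay down silently. The added line is also indented with spaces where the surrounding lines use tabs.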
      

      With this patch I got 25.11-RC up and running, and here are some other observations:

      Unbound

      I found this in the system log in conjunction with my testing of limiters.

      2025-11-21 23:59:23.101284+01:00	php-fpm	53250	/rc.newwanipv6: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', 
      the output was '[1763765963] unbound[73909:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available [1763765963] 
      unbound[73909:0] warning: so-sndbuf 4194304 was not granted. Got 57344. 
      To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value). 
      [1763765963] unbound[73909:0] error: bind: address already in use [1763765963] unbound[73909:0] fatal error: could not open ports'
      

      kern.ipc.maxsockbuf is not changed from the default AFAIK

      [25.11-RC][admin@temperance.local.lan]/root: sysctl kern.ipc.maxsockbuf
      kern.ipc.maxsockbuf: 4262144
      

      Testing WAN limiters

      With a 100/100 Mbs limiter configured on WAN (buffer bloat config) the syslog is filled with these:

      2025-11-21 03:52:22.376876+01:00	kernel	-	fq_codel_enqueue maxidx = 967
      2025-11-21 03:52:22.376801+01:00	kernel	-	fq_codel_enqueue over limit
      2025-11-21 03:52:22.376629+01:00	kernel	-	fq_codel_enqueue maxidx = 967
      2025-11-21 03:52:22.376247+01:00	kernel	-	fq_codel_enqueue over limit
      2025-11-21 03:52:22.376198+01:00	kernel	-	fq_codel_enqueue maxidx = 967
      

      Manually releasing WAN DHCP lease

      I got these errors just after upgrading (once, I think); I have not seen them since.

      <30>1 2025-11-21T02:23:28.096274+01:00 temperance.local.lan dhclient 16928 - - Internet Systems Consortium DHCP Client 4.4.3-P1
      <30>1 2025-11-21T02:23:28.097282+01:00 temperance.local.lan dhclient 16928 - - Copyright 2004-2022 Internet Systems Consortium.
      <30>1 2025-11-21T02:23:28.097374+01:00 temperance.local.lan dhclient 16928 - - All rights reserved.
      <30>1 2025-11-21T02:23:28.097429+01:00 temperance.local.lan dhclient 16928 - - For info, please visit https://www.isc.org/software/dhcp/
      <30>1 2025-11-21T02:23:28.097487+01:00 temperance.local.lan dhclient 16928 - - 
      <27>1 2025-11-21T02:23:28.099839+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 4: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.100353+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.100818+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.101612+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 5: expecting semicolon.
      <27>1 2025-11-21T02:23:28.102164+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.102255+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.102771+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 18: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.102846+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.102871+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.102921+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 19: expecting semicolon.
      <27>1 2025-11-21T02:23:28.102945+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.102967+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103174+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 32: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.103209+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.103232+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103275+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 33: expecting semicolon.
      <27>1 2025-11-21T02:23:28.103298+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.103320+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103500+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 46: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.103539+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.103562+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103605+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 47: expecting semicolon.
      <27>1 2025-11-21T02:23:28.103639+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.103681+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103879+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 60: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.103917+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.103940+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.103985+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 61: expecting semicolon.
      <27>1 2025-11-21T02:23:28.104009+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.104031+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.104210+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 74: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.104246+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.104270+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.104313+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 75: expecting semicolon.
      <27>1 2025-11-21T02:23:28.104336+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.104359+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.104538+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 88: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.104573+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.104598+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.104642+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 89: expecting semicolon.
      <27>1 2025-11-21T02:23:28.104686+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.104711+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.104905+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 102: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.104943+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.104966+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105008+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 103: expecting semicolon.
      <27>1 2025-11-21T02:23:28.105032+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.105054+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105232+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 116: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.105269+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.105294+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105336+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 117: expecting semicolon.
      <27>1 2025-11-21T02:23:28.105360+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.105382+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105559+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 130: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.105595+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.105619+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105678+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 131: expecting semicolon.
      <27>1 2025-11-21T02:23:28.105714+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.105738+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.105935+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 144: expecting lease declaration.
      <27>1 2025-11-21T02:23:28.105969+01:00 temperance.local.lan dhclient 16928 - -   next-server 
      <27>1 2025-11-21T02:23:28.105993+01:00 temperance.local.lan dhclient 16928 - -    ^
      <27>1 2025-11-21T02:23:28.106034+01:00 temperance.local.lan dhclient 16928 - - /var/db/dhclient.leases.mvneta0 line 145: expecting semicolon.
      <27>1 2025-11-21T02:23:28.106057+01:00 temperance.local.lan dhclient 16928 - -   option 
      <27>1 2025-11-21T02:23:28.106079+01:00 temperance.local.lan dhclient 16928 - -    ^
      <30>1 2025-11-21T02:23:28.109557+01:00 temperance.local.lan dhclient 16928 - - Listening on BPF/mvneta
      

      DNS lookup of DHCPv6 leases

      As has been reported elsewhere, I noticed DNS lookup is not working for IPv6 addresses. Currently:

      nslookup host
      

      gives me the ipv4 address, and

      nslookup host.t
      

      gives the ipv6 address.

      The suggested patch from Marcos did not fix the issue (https://forum.netgate.com/post/1230709)

      pfBlockerNG

      I had to manually reinstall pfBlockerNG after the upgrade as it was throwing lots of weird errors; it couldn't find the VIPs even though they were configured. pfBlockerNG worked fine after the reinstallation.


      I'll continue testing over the weekend, but 25.11 is looking in decent shape already :)

      dennypageD 1 Reply Last reply Reply Quote 0
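
A check for the boot-time DNS dependency described in the post above, as an added example that is not part of the original post or of the pfSense WireGuard package: it lists the peers whose endpoint is a hostname and therefore needs a working resolver when the tunnel is started. The wg-quick style input, `SAMPLE_CONF` and all function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in wg-quick syntax; hostnames and keys are placeholders.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820
[Peer]
PublicKey = <placeholder-a>
Endpoint = vpn.example.net:51820
[Peer]
PublicKey = <placeholder-b>
Endpoint = 192.0.2.10:51821
[Peer]
PublicKey = <placeholder-c>
Endpoint = [2001:db8::1]:51820
[Peer]
PublicKey = <placeholder-d>
"""

ENDPOINT_RE = re.compile(r"^\s*Endpoint\s*=\s*(\S+)\s*$", re.IGNORECASE)

def endpoint_host(endpoint):
    """Return the host part of 'host:port' or '[ipv6]:port'."""
    if endpoint.startswith("["):
        return endpoint[1:].split("]", 1)[0]
    return endpoint.rsplit(":", 1)[0]

def needs_dns(host):
    """True when host is not an IP literal and must be resolved."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False

def fqdn_endpoints(conf_text):
    """Return (peer_number, host) for each [Peer] with a hostname endpoint."""
    found, peer = [], 0
    for line in conf_text.splitlines():
        if line.strip().lower() == "[peer]":
            peer += 1
        match = ENDPOINT_RE.match(line)
        if match and peer and needs_dns(endpoint_host(match.group(1))):
            found.append((peer, endpoint_host(match.group(1))))
    return found

if __name__ == "__main__":
    for number, host in fqdn_endpoints(SAMPLE_CONF):
        print(f"peer #{number}: endpoint {host} needs DNS at tunnel start")
```

Peers it reports are the ones that stall when no resolver is available; peers with IP-literal endpoints or no endpoint at all are not affected.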
        dennypage @pst

        @pst said in Some observations testing 25.11.r.20251118.1708 on Netgate 2100:

        DNS lookup of DHCPv6 leases
        As has been reported elsewhere, I noticed DNS lookup is not working for IPv6 addresses. Currently:

        nslookup host
        gives me the ipv4 address, and

        nslookup host.t
        gives the ipv6 address.

        Marcos was able to successfully address it yesterday.
