OPNsense Forum

English Forums => Hardware and Performance => Topic started by: labsy on September 20, 2023, 08:17:24 pm

Title: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: labsy on September 20, 2023, 08:17:24 pm
Hi,

I have one pretty powerful ESX 6.7 host with a dozen web and mail services. All are protected with another virtual machine:
OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019

I've tried to upgrade many times before, but failed, dunno what exactly went wrong, but due to failures I simply kept it running at this old version.

I have over a hundred rules, aliases, tunnels, routes and stuff, which I will need to manually retype into the new OPNsense, if I decide to do so. And I will definitely go for it, but I need a good reason - what do you say, will I benefit in performance or somewhere else if I go with the new version? Or should I expect the same performance and security after a week of manually migrating everything over?
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: Maurice on September 20, 2023, 09:02:07 pm
Will you benefit from upgrading to a version not affected by a few dozen known vulnerabilities? Is that a trick question?

Cheers
Maurice
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: opnfwb on September 21, 2023, 05:43:18 am
Maurice is correct, there are many vulnerabilities that you can fix by upgrading to current.

I'm more curious what issues you had with the upgrades? I upgrade my VMs all the time (HyperV and ESXi 6.7/7.x) and haven't had an issue afterwards.

Clone the VM first, and also take a snapshot of the original before the upgrade. Make sure you've got openvmtools installed so you can quiesce the disk during the snapshot and get a consistent rollback.

What VM hardware are you running for the OPNsense VM? You may need to "upgrade" the VM hardware to a later version as you step up through the BSD versions within OPNsense during the upgrade cycle. It's the same with the NICs, are you using vmxnet3 or e1000?
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: newsense on September 21, 2023, 07:23:43 am
> Hi,
>
> I have one pretty powerful ESX 6.7 host with a dozen web and mail services. All are protected with another virtual machine:
> OPNsense 19.1.10_1-amd64
> FreeBSD 11.2-RELEASE-p10-HBSD
> OpenSSL 1.0.2s 28 May 2019
>
> I've tried to upgrade many times before, but failed, dunno what exactly went wrong, but due to failures I simply kept it running at this old version.
>
> I have over a hundred rules, aliases, tunnels, routes and stuff, which I will need to manually retype into the new OPNsense, if I decide to do so. And I will definitely go for it, but I need a good reason - what do you say, will I benefit in performance or somewhere else if I go with the new version? Or should I expect the same performance and security after a week of manually migrating everything over?

There's no upgrade path from 19.1.
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: franco on September 21, 2023, 01:01:47 pm
> There's no upgrade path from 19.1.

Looking at the mirror I think there is, but it would be better just to use the latest image to boot a live env (config import) and see if it works and what to fix.


Cheers,
Franco
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: labsy on September 23, 2023, 12:09:34 am
Hey guyz,

thank you for tips!  :D
I will try a fresh install + restore config. The only question is whether the 19.1 config is compatible with the latest 23.7. But having my old VM just shut down brings me peace of mind. If anything goes wrong, I have the old VM to power up.

Will report back how it went...
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: newsense on September 23, 2023, 05:55:16 am
> > There's no upgrade path from 19.1.
>
> Looking at the mirror I think there is, but it would be better just to use the latest image to boot a live env (config import) and see if it works and what to fix.
>
> Cheers,
> Franco

Sorry, forgot things are organized based on FreeBSD version, my bookmark takes me straight to 13 which only has the last 2 years.


I agree booting 23.7 and importing the config would be the fastest path forward, there would be too much time wasted and unnecessary downloads crawling up from 19.1.

Still great to have it as an option when in a pinch - such as being remote - and having no other option than the slow upgrade route. Thanks for the reminder Franco.
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: labsy on September 24, 2023, 12:32:22 am
SUCCESS!

As per your advice, I went with exporting and importing the config. Then I manually edited the XML config file to reflect the interface name change, which happened somewhere after FreeBSD 11 (I guess?), and a few other specific settings which might cause problems. The caveat in my case was that I only have WAN access, because it is an ESX host in a datacenter and I am not into spending a few hours there on the console.
When finished, all FW and plugins needed to be updated, rebooted once again, and the services came to life.

Thank you guyz!
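Since the post above mentions hand-editing the exported config.xml for renamed interface devices, here is an added example (not from this thread or the OPNsense project) that applies an old-to-new device mapping to every `<if>` element under `<interfaces>` and reports unmapped devices. It assumes the usual config.xml layout (`<interfaces><wan><if>em0</if>...`), that rule and gateway entries reference logical names such as `wan` rather than device names, and a constructed sample config; the mapping values are hypothetical.

```python
"""Rename interface device names in an OPNsense config.xml export.

Added example, not from the thread or the OPNsense project. Only <if>
elements under <interfaces> carry device names; rules and gateways use the
logical name (wan/lan/opt1) and are deliberately left alone. The mapping is
applied per element, so a swap (em0 <-> em1, common when a rebuilt VM
enumerates NICs in a different order) works, whereas a sequential
search-and-replace would turn both into the same name.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample fragment, not a real export (addresses are RFC 5737 ranges).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>em0</if><enable>1</enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><enable>1</enable><ipaddr>192.0.2.1</ipaddr></lan>
    <opt1><if>em2</if><descr>DMZ</descr></opt1>
  </interfaces>
  <gateways><gateway_item><interface>wan</interface></gateway_item></gateways>
</opnsense>
"""


def rename_interface_devices(xml_text: str, mapping: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (rewritten_xml, changes); changes holds (logical_name, old, new).

    Devices missing from the mapping keep their name and are still reported
    (new == old) so the operator notices interfaces the mapping forgot.
    """
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    if interfaces is None:
        raise ValueError("no <interfaces> section in config")
    changes: List[Tuple[str, str, str]] = []
    for iface in interfaces:  # wan, lan, opt1, lo0, ...
        if_el = iface.find("if")
        if if_el is None or not if_el.text:
            continue
        old = if_el.text.strip()
        new = mapping.get(old, old)  # per-element lookup: swaps are safe
        if_el.text = new
        changes.append((iface.tag, old, new))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    # Hypothetical mapping; the real one comes from `ifconfig` on the new host.
    new_xml, changes = rename_interface_devices(SAMPLE_CONFIG, {"em0": "em1", "em1": "em0"})
    for logical, old, new in changes:
        print(f"{logical}: {old} -> {new}" + ("" if old != new else "  (unmapped, check!)"))
```

Review the printed report before importing the rewritten file; an unmapped device means the restored interface will come up unassigned and the firewall rules bound to it will not apply.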
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: newsense on September 24, 2023, 12:39:51 am
Great news, now keep an eye out for 23.7.5 early next week
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: labsy on September 24, 2023, 11:34:16 am
Hmmm...well, after the first half-day I am concerned about CPU performance. Same virtual hardware config (8GB, 4 CPU, 120GB SSD RAID 10), same modules, config, plugins... ok, I added the ACME client for LE SSL, but this should have no performance hit....

- os-vmware plugin is installed
- NICs are E1000
- ESX VM is 6.7U2 version

Old 19.1 OPNsense: average CPU approx. 270 MHz
New 23.7 OPNsense: average CPU approx. 1250 MHz
That's almost 5x more CPU consumption! See the BLUE line: old 19.1 was scratching the bottom, while new 23.7 has significant CPU usage even on Sunday morning when there is no business traffic.

TOP shows most of the time suricata process consuming a lot of CPU.

(https://i.ibb.co/Z1L0QzT/5xCPU.png)
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: mimugmail on September 24, 2023, 05:43:50 pm
Any logs of suricata? IDS or IPS?
Title: Re: Migrating from ver. 19.1 to latest - to do or not to do?
Post by: labsy on September 25, 2023, 01:20:47 pm
Well, I disabled IDS/IPS entirely, because I have weird connectivity problems with servers behind this firewall. BTW...disabling IDS/IPS cut CPU load by 50%.

What connectivity problems do I have after upgrading from 19.1 --> 23.7?

Well...looks like TLS traffic either times out or gets rejected. For example:

- A MAIL server behind OPNsense now has a postfix log with a lot of errors like this:

    postfix/smtps/smtpd[16986]: SSL_accept error from some.mail.server[123.10.14.72]: -1

- Then another MAIL server behind the firewall has problems resolving the blacklist multi.uribl.com:

    554 5.7.1 Service unavailable; Sender address [some.name@gmail.com] blocked using multi.uribl.com; 127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 172.253.12.3]

I tracked down the logs, and those errors begin exactly when I put the new OPNsense 23.7 into production.
Ideas welcome...