Hi there,
Just got here and was looking for any kind of documentation on what the recommended/supported settings are. Sadly I could not find any indication in the documentation or in the GUI itself. I'm currently working with a DEC750, but I guess/hope all DEC devices share common components/NICs.
Examples would be:
- IDS/IPS > Pattern matcher: is Hyperscan supported? (Yes, answered by support.)
- Interfaces > Hardware CRC, TSO, LRO, VLAN hardware filtering: are they OK to use on this hardware if IPS is not required?
Are there other configurations that should have specific settings to use the built-in hardware better?
Edit after two months of digging through stuff:
Hyperscan is supported; I got that info via Deciso support.
TRIM was not activated by default.
Check it via:
# Look for the "trim: (-t)" line in the output
tunefs -p /
Enable it with:
- Connect via serial console.
- Reboot the device via web or console.
- Spam the space bar (which will pause the 2 s countdown on the important menu) until you get to the boot menu. I had to spam, because the console did not react to any key input in 50% of the cases; getting into the paused boot menu means it reacts to keys. Hit "s" for single-user mode.
# In single-user mode the root filesystem is mounted read-only, so tunefs can modify it
# Ensure the filesystem is clean
fsck -y
# Enable TRIM on the root filesystem
tunefs -t enable /
reboot
noatime was not set.
According to the docs (https://docs.opnsense.org/manual/install.html), the access time of files should be disabled, but it was not with the default install that the device shipped with.
# Check it: the /dev/gpt/rootfs entry should have noatime in its options field
cat /etc/fstab
# Set it: change "rw" to "rw,noatime" in the options field of the /dev/gpt/rootfs line in /etc/fstab,
# e.g. "/dev/gpt/rootfs / ufs rw 1 1" becomes "/dev/gpt/rootfs / ufs rw,noatime 1 1"
# (takes effect on the next mount/reboot)
Ubiquiti / UniFi APs DNS errors
How I detected it: thousands of DNS misses and lots of name-resolution traffic in Zenarmor for the hostname "unifi". Maybe because you only take the UniFi Network App online to provision changes and then turn it off again, like me.
The Ubiquiti APs try to resolve "unifi.", but can't. You cannot create that record through the web GUI, so you have to do it on the shell.
# Create a file that gets included into the generated Unbound config; the file name prefix is important, it must be "server_"
# Example: /usr/local/etc/unbound.opnsense.d/server_manual_hosts.conf
# Insert something like this, pointing at the machine that runs the UniFi Network App
local-data: "unifi A 192.168.1.10"
# Save and test the configuration
configctl unbound check
# Then log in to one of your APs and run: nslookup unifi
Want some quality-of-life tools?
I missed htop and ncdu; that's how I go about it:
# Log in to the root console and fetch the tools, ports and src trees
opnsense-code tools ports src
# htop
cd /usr/ports/sysutils/htop
make install
# ncdu
cd /usr/ports/sysutils/ncdu
make install
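As an added example (not part of the post above and not OPNsense's own tooling), here is a small POSIX sh script that audits and fixes the two root-filesystem settings the post describes: it reads the TRIM state out of `tunefs -p /` output and checks or rewrites the noatime option on an fstab entry without touching anything else. The functions take the command output or file content as a string so they can be tried on sample data first; the function names are my own, and the tunefs and fstab samples used to exercise them are constructed, not captured from a DEC750.

```sh
#!/bin/sh
# Added example, not part of the original post or of OPNsense itself:
# audit and fix the two root-filesystem settings from the post (TRIM and
# noatime). Each function takes the relevant command output or file content
# as a string argument, so it can be tried on sample data before being pointed
# at a real box; the function names are my own.

# Report the TRIM state from `tunefs -p /` output: prints "enabled" or
# "disabled". Returns 1 if no "trim: (-t)" line is present at all.
trim_state() {
    printf '%s\n' "$1" | awk '
        /^tunefs: trim: \(-t\)/ { print $NF; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the fstab entry for mountpoint $2 (default "/") has noatime
# among its mount options, 1 otherwise. Comment and short lines are skipped.
fstab_has_noatime() {
    printf '%s\n' "$1" | awk -v mp="${2:-/}" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noatime") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print the fstab with noatime appended to the options of mountpoint $2.
# Idempotent: an entry that already has it is printed unchanged, and so is
# every other line. awk rebuilds a modified line with single spaces between
# fields, which fstab(5) does not mind.
fstab_add_noatime() {
    printf '%s\n' "$1" | awk -v mp="${2:-/}" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp {
            n = split($4, opts, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noatime") have = 1
            if (!have) $4 = $4 ",noatime"
        }
        { print }'
}

# Real-world use on the device (as root):
#   trim_state "$(tunefs -p /)"
#   fstab_has_noatime "$(cat /etc/fstab)" / || \
#       fstab_add_noatime "$(cat /etc/fstab)" / > /etc/fstab.new
# then review /etc/fstab.new, move it into place and reboot, or run
# `mount -u -o noatime /` to apply the option without a reboot.
```

The fstab rewrite is deliberately written as a filter that prints to stdout: review the result before replacing `/etc/fstab`, since a broken root entry leaves the box in single-user mode on the next boot.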
Thank you for your post.
Did you find any resources about:
- Interfaces > Hardware CRC, TSO, LRO, VLAN hardware filtering: are they OK to use on this hardware if IPS is not required?
I'm kind of hoping to fully use the hardware instead of software workarounds for the NICs, but perhaps I'm lacking the experience to know why you would prefer all this in software instead of hardware. :)
Hardware CRC, TSO etc. are only useful for TCP connections terminating on the device in question. For a router that merely passes packets on behalf of other systems (that's what a firewall essentially is) they don't offer any benefit. The client systems behind your firewall can use all of these with their hardware if available.
You do not lose any "performance" when disabling all of this stuff, or just leave it at the default if that works.
Sometimes I wonder what people think these options do?
You can find the config.xml for each DEC device here... https://docs.opnsense.org/hardware/defaults.html
Cheers,
Franco
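As an added example, not from anyone in this thread and not OPNsense code: a POSIX sh script that shows which of the offload features discussed above (checksum offload, TSO, LRO, VLAN hardware filtering) are currently active on a FreeBSD interface, by reading the `options=<...>` line of `ifconfig <ifname>` output, and that builds the runtime `ifconfig` command which would switch them off. On OPNsense the persistent setting is the checkboxes under Interfaces > Settings; the ifconfig switches are only good for a one-off check until the interface is reconfigured. Function names and the ifconfig sample used to exercise them are my own constructions.

```sh
#!/bin/sh
# Added example, not from the thread or from OPNsense: list which NIC
# offload features are currently enabled on a FreeBSD interface by reading
# `ifconfig <ifname>` output, and build the runtime ifconfig command that
# would switch them off. On OPNsense the persistent switch is the checkboxes
# under Interfaces > Settings; the ifconfig flags are only a one-off change
# until the next interface reconfiguration. Function names are my own.

# Offload features discussed in the thread, as they appear in ifconfig's
# options=<...> list (FreeBSD names).
OFFLOAD_FEATURES='RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWFILTER'

# Print, one per line and in ifconfig order, the offload features enabled
# according to the options=<...> line in $1 (text from `ifconfig <ifname>`).
enabled_offloads() {
    printf '%s\n' "$1" | awk -v want="$OFFLOAD_FEATURES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        /^[[:space:]]*options=/ {
            s = $0
            sub(/^[^<]*</, "", s)     # drop "options=4e507bb<"
            sub(/>.*$/, "", s)        # drop the closing ">" and anything after
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] in wanted) print f[i]
        }'
}

# Map an ifconfig feature name to the ifconfig switch that disables it.
disable_flag() {
    case "$1" in
        RXCSUM)        printf '%s\n' -rxcsum ;;
        TXCSUM)        printf '%s\n' -txcsum ;;
        RXCSUM_IPV6)   printf '%s\n' -rxcsum6 ;;
        TXCSUM_IPV6)   printf '%s\n' -txcsum6 ;;
        TSO4)          printf '%s\n' -tso4 ;;
        TSO6)          printf '%s\n' -tso6 ;;
        LRO)           printf '%s\n' -lro ;;
        VLAN_HWFILTER) printf '%s\n' -vlanhwfilter ;;
        *)             return 1 ;;
    esac
}

# Print the ifconfig command line that turns off every enabled offload on
# interface $1, given its ifconfig output in $2. Prints nothing if none is on.
offload_disable_cmd() {
    flags=""
    for feat in $(enabled_offloads "$2"); do
        flags="$flags $(disable_flag "$feat")"
    done
    if [ -n "$flags" ]; then
        printf 'ifconfig %s%s\n' "$1" "$flags"
    fi
    return 0
}

# On a live system, for example: offload_disable_cmd igb0 "$(ifconfig igb0)"
```

The script only prints the command rather than running it, so it doubles as an inventory: compare its output across interfaces to see whether the GUI checkboxes were actually applied to every NIC.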