I am currently running 24.7.12_4 on an HP T730 Thin Client with 8GB of RAM.
My RAM usage sits at around 4 - 4.5GB and the system load is often below 1.00 although this does sometimes creep up to around ~1.5 or so under heavy usage.
When I have tried upgrading to the latest 25.1, the RAM usages goes through the roof after the upgrade has completed and pretty much maxes out, and the system load averages go crazy as well. The system then becomes unusable and I even lose connectivity for a minute or so before it comes back but then the same thing happens again, over and over.
For the time being I have rolled back to a snapshot that I took before attempting the upgrade and everything is back to normal again.
Something is not happy when I do the upgrade. Any advice on what it could be?
What happens to resource use when you do a clean install of 25.1?
I'm not sure unfortunately as I'm not currently in a position where I am able to do a clean install
I fear you either need to reduce your resource consumption or increase the available resources. The way to find the big consumers is to add them to a clean install, but you can also remove them from an existing config.
By comparison, my virtual firewall uses less than 1GB RAM and 5% CPU with two cores. It does not do DNS or DHCP for the LAN, has no plugins other than crowdsec and wireguard/tailscale. Traffic peaks at 11Mbps on the WAN.
Bart...
Finding out will need a bit of looking at the processes i.e. with top, htop and ps. That isn't of much help when the system is already maxed out so my suggestion will be to disable (but not remove) one or more of the known hungrier services prior to the reboot, on your next attempt of course.
More often than not, something like this happens when a huge netflow database is present. I would try to clear out the netflow database before upgrade. Also, I found that even a normal reboot takes ages when the netflow database is too big, because it will be tarred and untarred - unless you disable that.
True. I disabled netflow a long while ago. Do you know where is its db kept? /var/db maybe (checked but haven't enabled to verify).
The reason I ask is to have a quick look around the interwebs for a way to apply a db vacuum to help the OP.
You can reset the netflow database under Reporting: Settings. The location of the files is /var/netflow.
And the periodic backups can be controlled under System: Settings: Miscellaneous.
/var/netflow - thanks.
Mine are as expected since is disabled, 0 B in size, dated 2023.
My system has an i5-6500 with 16GB of RAM. With 24.x, it was using around 30% of RAM.
Immediately after the update to 25.1, the memory utilization jumped up to 50+%. There were also a few weird things happening with the GUI. After doing a manual reboot, the GUI sorted itself. The memory utilization was still a little elevated but when I came back to check on it several hours later, it was back down to ~30%.
In the interest of marking this as solved, I finally got to the bottom of the cause of the problem.
It seems that the upgrade had enabled something to do with IPv6 on the gateway. I only have IPv4 available to me so changing the following has completely fixed this problem for me:
Interfaces -- [WAN] -- IPv6 Configuration Type: None
It had set itself to IPv6 Configuration Type: DHCPv6
This was somehow causing the system to consume all of it's available RAM and the system load was going crazy high until eventually the system and my whole network became unusable. Presumably it was attempting over and over again to obtain a DHCPv6 address which it was never going to get as DHCPv6 is unavailable to me
> It had set itself to IPv6 Configuration Type: DHCPv6
That's the default in an attempt to auto-configure IPv6. Doesn't always work, especially when the ISP mangled their stack.
Cheers,
Franco
Quote from: franco on March 03, 2025, 05:29:05 PM> It had set itself to IPv6 Configuration Type: DHCPv6
That's the default in an attempt to auto-configure IPv6. Doesn't always work, especially when the ISP mangled their stack.
Cheers,
Franco
Is this something new for 25.1? I'm still fairly new to *sense but I had previously been running the past couple of 24.x versions and had no problems.
Like I say, IPv6 is not offered by my ISP so I've got zero experience with anything to do with it
No, this default predates the fork even.
Cheers,
Franco
I have one system where I don't have IPv6 on the WAN yet (*) and the "IPv6 Configuration Type" is set to "Track Interface". Not sure what exactly this would do in case some IPv6 may be available on the WAN, but it does not cause any issue so far.
(*) It is on cable TV and the modem can be in either router mode (with public IPv6, but IPv4 only with Carrier Grade NAT) or bridge mode (with public IPv4 address only).
Quote from: franco on March 04, 2025, 10:02:30 AMNo, this default predates the fork even.
Cheers,
Franco
No idea why then that on 24.7.12 (and prior versions that I have used) this gateway IPv6 Configuration Type stayed set as None, but the update to 25.1 definitely switched it to DHCPv6 which then caused my problems.
It's possible that when I first joined OPNsense at version 24.1.x I may have manually set the gateway IPv6 Configuration Type to None during my initial set up, but all upgrades after that point did not set it back to DHCPv6, but the 25.1 upgrade definitely did
Are you using PPPoE?
Yes, I am
Ok, easy then:
community/25.1/25.1:o interfaces: remove "Use IPv4 connectivity" setting as it will be set by default
We've removed the Use IPv4 connectivity setting because it was backwards for PPPoE (it should be set by default but it was unset). Removing the setting allowed us to force the new (and correct default), but it also means that your PPPoE was now looking for IPv6 connectivity.
Old bug, good progress, but also sorry for the noise.
Cheers,
Franco
Ah ha. Yes that makes sense.
Will there be a way that you can stop it looking for IPv6, maybe after a short timeout, if it's not available?
Quote from: jim1985 on March 04, 2025, 03:40:54 PMAh ha. Yes that makes sense.
Will there be a way that you can stop it looking for IPv6, maybe after a short timeout, if it's not available?
Probably not. Then it would stop trying for legitimate ipv6 setups that have a temporary failure.
Quote from: senser on March 04, 2025, 04:18:28 PMQuote from: jim1985 on March 04, 2025, 03:40:54 PMAh ha. Yes that makes sense.
Will there be a way that you can stop it looking for IPv6, maybe after a short timeout, if it's not available?
Probably not. Then it would stop trying for legitimate ipv6 setups that have a temporary failure.
Fair point.
Well I'm not too fussed, now I was able to locate the source of my problem & put it right anyway