So it seems all started with upgrade to 26.1 and at that time (January) issues with Neighbours Discovery. That was sorted out by the next upgrades/fixes but I started having similar issues with netflow/rrd. Once they are enabled, they cause high I/O and CPU demand. I tried, repair and reset netflow/rrd data plus manual removal of content of /various/netflow/ folder (with stopped neighbours discovery and netflow). Nothing helps; currently system is up to date: 26.1.6.
How to fix it?
Writing above post triggered better thinking ;-). The culprit was selection of VPNs' interfaces in netflow settings. Once they've been removed, all went back to normal...
Don't save netflow data on OPNsense. Export to a netflow collector like Elastiflow and save your SSD 🙂
Quote from: Patrick M. Hausen on April 12, 2026, 01:36:32 PMDon't save netflow data on OPNsense. Export to a netflow collector like Elastiflow and save your SSD 🙂
Looks seriously sweet as far as I can tell from your other recent post : https://forum.opnsense.org/index.php?msg=264974
Should I need something like that I will definitely consider it! :)
For now I have got almost all logging disabled in OPNsense since I barely need any of it.
Netflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.
It was designed from the start to just collect the data on the (at the time) seriously underpowered control plane of the (Cisco) device and get it off the box to some collector as fast as possible.
The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.
Repeating myself - you don't want that on OPNsense proper.
But it works as advertised. I get the same beautiful graphs from my OPNsense to my Ubuntu VM running the stack. And noticed as written in that other post some odd traffic on UDP/1194 immediately ;-)
They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
Kind regards,
Patrick
Quote from: Patrick M. Hausen on April 12, 2026, 08:23:06 PMNetflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.
The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.
They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
Good to know! Thnx! :)
Akvorado is another great option to visualize flows without any artifical limitations or registration requirements.
Thanks! I will check both export options, as I ended up with disabling netflow - vacuum caused also CARP flapping.
Also had some netflow issues after this update. everything up to 26.1.5 was fine, system load running at ~0.5 at normal. As soon as I updated to 26.1.6, system load was immediately at 1.5 - 1.9. I did
Culprit was flowd_aggregate.py which is related to 'Insight Aggregator' service, which is weird because that file hasn't been touched in over a year:
root@artimus:/home/dbyrd # ps aux | grep python
root 66256 100.0 0.3 35072 21564 - Rs 12:55 1:01.25 /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.13)
For my particular issue, I was able to resolve by going to Reporting -> Settings then click 'Repair Netflow Data' and then 'Reset Netflow Data'. I did these in quick succession, so I don't know which one exactly solved my issue.