OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: interkrome on September 21, 2017, 06:27:38 am

Title: SURICATA error
Post by: interkrome on September 21, 2017, 06:27:38 am
Hi everyone,

My system keeps on crashing. Really need some help here.
Title: Re: Which One To Replace
Post by: phoenix on September 21, 2017, 06:38:47 am
I'd guess that some details of hardware specifications and which version of OPNsense you're using might also help.
Title: Re: Which One To Replace
Post by: interkrome on September 21, 2017, 09:19:49 am
OPNsense 17.7.2-i386
FreeBSD 11.0-RELEASE-p12
OpenSSL 1.0.2l 25 May 2017

CPU: Intel(R) Core(TM)2 Duo CPU     E7500  @ 2.93GHz (2926.06-MHz 686-class CPU)
  Origin="GenuineIntel"  Id=0x1067a  Family=0x6  Model=0x17  Stepping=10
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0xc08e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,OSXSAVE>
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>
  VT-x: HLT,PAUSE
  TSC: P-state invariant, performance statistics
real memory  = 2147483648 (2048 MB)
avail memory = 2036559872 (1942 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table: <DELL   APIC0152>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
random: unblocking device.
ioapic0 <Version 2.0> irqs 0-23 on motherboard
random: entropy device external interface
wlan: mac acl policy registered
kbd1 at kbdmux0
netmap: loaded module
cryptosoft0: <software crypto> on motherboard
acpi0: <DELL WN09   > on motherboard
acpi0: Power Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
attimer0: <AT timer> port 0x40-0x43 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
Event timer "RTC" frequency 32768 Hz quality 0
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
Event timer "HPET" frequency 14318180 Hz quality 450
Event timer "HPET1" frequency 14318180 Hz quality 440
Event timer "HPET2" frequency 14318180 Hz quality 440
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pcib0: _OSC returned error 0x10
pci0: <ACPI PCI bus> on pcib0
vgapci0: <VGA-compatible display> port 0xdc00-0xdc07 mem 0xfe400000-0xfe7fffff,0xd0000000-0xdfffffff irq 16 at device 2.0 on pci0
agp0: <Intel G41 SVGA controller> on vgapci0
agp0: aperture size is 256M, detected 32764k stolen memory
vgapci0: Boot video device
hdac0: <Intel 82801G HDA Controller> mem 0xfe9f8000-0xfe9fbfff irq 16 at device 27.0 on pci0
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pcib1: [GIANT-LOCKED]
pcib2: <ACPI PCI-PCI bridge> irq 18 at device 28.2 on pci0
pcib2: [GIANT-LOCKED]
pci1: <ACPI PCI bus> on pcib2
bge0: <Broadcom BCM57780 A1, ASIC rev. 0x57780001> mem 0xfeaf0000-0xfeafffff irq 18 at device 0.0 on pci1
bge0: CHIP ID 0x57780001; ASIC REV 0x57780; CHIP REV 0x577800; PCI-E
miibus0: <MII bus> on bge0
brgphy0: <BCM57780 1000BASE-T media interface> PHY 1 on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, auto, auto-flow
bge0: Using defaults for TSO: 65518/35/2048
bge0: Ethernet address: 84:2b:2b:8c:7b:1b
uhci0: <Intel 82801G (ICH7) USB controller USB-A> port 0xd880-0xd89f irq 23 at device 29.0 on pci0
uhci0: LegSup = 0x2f00
usbus0 on uhci0
uhci1: <Intel 82801G (ICH7) USB controller USB-B> port 0xd800-0xd81f irq 19 at device 29.1 on pci0
uhci1: LegSup = 0x2f00
usbus1 on uhci1
uhci2: <Intel 82801G (ICH7) USB controller USB-C> port 0xd480-0xd49f irq 18 at device 29.2 on pci0
uhci2: LegSup = 0x2f00
usbus2 on uhci2
uhci3: <Intel 82801G (ICH7) USB controller USB-D> port 0xd400-0xd41f irq 16 at device 29.3 on pci0
uhci3: LegSup = 0x2f00
usbus3 on uhci3
ehci0: <Intel 82801GB/R (ICH7) USB 2.0 controller> mem 0xfe9f7c00-0xfe9f7fff irq 23 at device 29.7 on pci0
usbus4: EHCI version 1.0
usbus4 on ehci0
pcib3: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib3
re0: <Realtek PCI GBE Family Controller> port 0xe800-0xe8ff mem 0xfebffc00-0xfebffcff irq 21 at device 1.0 on pci2
re0: Using Memory Mapping!
re0: Using line-based interrupt
re0: version:1.93
re0: Ethernet address: d4:6e:0e:00:06:a9

This product is covered by one or more of the following patents:
US6,570,884, US6,115,776, and US6,327,625.
re0: Ethernet address: d4:6e:0e:00:06:a9
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH7 SATA300 controller> port 0xd080-0xd087,0xd000-0xd003,0xcc00-0xcc07,0xc880-0xc883,0xc800-0xc80f irq 19 at device 31.2 on pci0
ata2: <ATA channel> at channel 0 on atapci0
ata3: <ATA channel> at channel 1 on atapci0
acpi_button0: <Power Button> on acpi0
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xc0000-0xcc7ff pnpid ORM0000 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ata0: <ATA channel> at port 0x1f0-0x1f7,0x3f6 irq 14 on isa0
ata1: <ATA channel> at port 0x170-0x177,0x376 irq 15 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
ppc0: parallel port not found.
est0: <Enhanced SpeedStep Frequency Control> on cpu0
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 6160b2506000b25
device_attach: est0 attach returned 6
est1: <Enhanced SpeedStep Frequency Control> on cpu1
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 6160b2506000b25
device_attach: est1 attach returned 6
Timecounters tick every 1.000 msec
nvme cam probe device init
hdacc0: <Realtek ALC662 HDA CODEC> at cad 2 on hdac0
hdaa0: <Realtek ALC662 Audio Function Group> at nid 1 on hdacc0
pcm0: <Realtek ALC662 (Rear Analog)> at nid 20 and 24,26 on hdaa0
pcm1: <Realtek ALC662 (Front Analog)> at nid 27 and 25 on hdaa0
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 12Mbps Full Speed USB v1.0
usbus2: 12Mbps Full Speed USB v1.0
usbus3: 12Mbps Full Speed USB v1.0
usbus4: 480Mbps High Speed USB v2.0
ugen0.1: <Intel> at usbus0
uhub0: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ugen2.1: <Intel> at usbus2
uhub1: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus2
ugen1.1: <Intel> at usbus1
uhub2: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus1
ugen4.1: <Intel> at usbus4
uhub3: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus4
ugen3.1: <Intel> at usbus3
uhub4: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus3
ada0 at ata2 bus 0 scbus0 target 0 lun 0
ada0: <WDC WD3200AAJS-65M0A0 01.03E01> ATA8-ACS SATA 2.x device
ada0: Serial Number WD-WMAV23845335
ada0: 150.000MB/s transfers (SATA, UDMA5, PIO 8192bytescd0 at ata2 bus 0 scbus0 target 1 lun 0
cd0: <PLDS DVD+-RW DH-16ABS PD11> Removable CD-ROM SCSI device
cd0: Serial Number CN085KRY736390AP51LM
cd0: 150.000MB/s transfers (SATA, UDMA5, ATAPI 12bytes, PIO 8192bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
)
ada0: 305245MB (625142448 512 byte sectors)
SMP: AP CPU #1 Launched!
Timecounter "TSC-low" frequency 1463029265 Hz quality 1000
Trying to mount root from ufs:/dev/ufs/OPNsense [rw]...
uhub1: 2 ports with 2 removable, self powered
uhub4: 2 ports with 2 removable, self powered
uhub0: 2 ports with 2 removable, self powered
uhub2: 2 ports with 2 removable, self powered
uhub3: 8 ports with 8 removable, self powered
ugen1.2: <Dell> at usbus1
ukbd0: <Dell Dell USB Keyboard, class 0/0, rev 1.10/3.01, addr 2> on usbus1
kbd2 at ukbd0
Title: Re: SURICATA error
Post by: interkrome on September 22, 2017, 05:36:18 am
CPU rarely hits more than 50%.

Attached is the ruleset.

WAN on PPPoE.
Title: Re: SURICATA error
Post by: interkrome on September 22, 2017, 05:36:58 am
Another ruleset.
Title: Re: SURICATA error
Post by: franco on September 22, 2017, 07:53:31 pm
Try to not use IPS mode or buy new hardware.

And are you running i386 on amd64 hardware? It is limiting the effectiveness of ASLR and friends.


Cheers,
Franco
Title: Re: SURICATA error
Post by: interkrome on September 25, 2017, 02:13:09 am

And are you running i386 on amd64 hardware? It is limiting the effectiveness of ASLR and friends.


Hi,

I ran this code and here is the result:

root@OPNsense:~ # sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: i386
hw.model: Intel(R) Core(TM)2 Duo CPU     E7500  @ 2.93GHz
hw.ncpu: 2
hw.machine_arch: i386

Btw, in regard to your previous suggestion to buy new hardware: is the current hardware really that bad?
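
The check asked for above, as an added example that is not part of any post in this thread: it compares the CPU's long-mode (LM) flag from the boot messages with hw.machine_arch from sysctl, using lines copied from interkrome's posts as sample input. The function names and verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example: flag a 32-bit install running on a 64-bit capable CPU.
# The sample input is copied from the posts above so the check runs offline;
# on a live system pass "$(dmesg)" and "$(sysctl hw.machine_arch)" instead.

DMESG_SAMPLE='CPU: Intel(R) Core(TM)2 Duo CPU     E7500  @ 2.93GHz (2926.06-MHz 686-class CPU)
  Features2=0xc08e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,OSXSAVE>
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>'

SYSCTL_SAMPLE='hw.machine: i386
hw.model: Intel(R) Core(TM)2 Duo CPU     E7500  @ 2.93GHz
hw.ncpu: 2
hw.machine_arch: i386'

# cpu_has_flag FLAG DMESG_TEXT (hypothetical helper)
# True if FLAG is listed on the "AMD Features=" line of the boot messages.
cpu_has_flag() {
    printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*AMD Features=0x[0-9a-f]*<\(.*\)>.*$/\1/p' |
        tr ',' '\n' | grep -qx "$1"
}

# installed_arch SYSCTL_TEXT (hypothetical helper)
# Prints the value of hw.machine_arch, i.e. the architecture of the install.
installed_arch() {
    printf '%s\n' "$1" | sed -n 's/^hw\.machine_arch: *//p'
}

# arch_verdict DMESG_TEXT SYSCTL_TEXT (hypothetical helper)
# LM (long mode) means the CPU can run amd64; an i386 install on such a CPU
# has only a 32-bit address space available for address randomisation.
arch_verdict() {
    arch=$(installed_arch "$2")
    if cpu_has_flag LM "$1"; then lm=yes; else lm=no; fi
    case "$arch:$lm" in
        i386:yes)  echo "i386-on-64bit-cpu" ;;
        amd64:yes) echo "amd64-native" ;;
        i386:no)   echo "i386-only-cpu" ;;
        *)         echo "unknown" ;;
    esac
}

arch_verdict "$DMESG_SAMPLE" "$SYSCTL_SAMPLE"
```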
Title: Re: SURICATA error
Post by: bartjsmit on September 25, 2017, 12:11:25 pm
'fraid so - that's eight-year-old 45nm silicon. Have a look at the hardware section for suggestions on a more recent platform.

Bart...
Title: Re: SURICATA error
Post by: hutiucip on September 25, 2017, 12:56:12 pm
@interkrome, based only on my own experience/use case, if your CPU rarely hits 50% and in the meantime you didn't activate other services that take a toll on CPU (like VPN or other services that use encryption) you may rest assured that the hardware configuration is not the culprit. (Except if something is broken/damaged: physically or as supported firmware/drivers).

I do have a virtual config on a VMware host with 1 socket, 2 kernels on that socket, so 2 CPU, 2 GB RAM and 20 GB HDD. No AES-NI instructions hardware support on my CPU either, and it works like a charm with S2S VPN (OpenVPN: AES-256-CBC; SHA 256; 2048 bit static key) + IPS/ Suricata. Used RAM is less than 1 GB of 2012 MB total, CPU rarely and shortly hits 50% or a bit more.

Medium traffic is about 10 GB/h (intranet + internet + VPN), cca. 100 clients.

OPNsense is a very optimized platform already, and it simply works even on 10 year or so old HW, given the hardware is not faulty, nor the firmware/ drivers unsupported.
Title: Re: SURICATA error
Post by: franco on September 25, 2017, 01:19:39 pm
(Except if something is broken/ damaged: physically or as supported firmware/ drivers).

Strong emphasis here. A system performs as well as the weakest of its components.


Cheers,
Franco
Title: Re: SURICATA error
Post by: interkrome on September 26, 2017, 05:56:38 am

And are you running i386 on amd64 hardware? It is limiting the effectiveness of ASLR and friends.


Installed and running the amd64 version. Got worse. DNS failure. Loading time to web GUI was terrible. Constant LAN disconnection.
Title: Re: SURICATA error
Post by: franco on September 26, 2017, 07:45:09 am
Ok, that explains why i386 was installed and further indicates the hardware is not adequate for your current use cases.


Cheers,
Franco
Title: Re: SURICATA error
Post by: interkrome on October 06, 2017, 02:09:56 am
Hi everyone,

Updated to:

OPNsense 17.7.3-i386
FreeBSD 11.0-RELEASE-p12
OpenSSL 1.0.2l 25 May 2017

.. and everything seems ok now.