Messages

?

update on this.  my internet connection keeled over just now.  logged in to the GUI to find a huge memory leak, so had to cycle the power as even a reboot via serial wasnt working.

loggeg back in and thought i'd try switching Suricata from the igb's to lagg0 and found i can reliable get OPNSense to completly die within a minute with Suricata on the lagg.

i've got a copy of Putty's output if anyone's interested.

I am using vlans.
Judging from top and Suricata's logs it's filtering the parent int's.  Also uses a lot less CPU time compared to running on it on the LAGG.
However, I was torrenting (Ubuntu... obviously) and the LAGG collapsed and OPNSense died, had to cycle the power.
I've look through the logs but, tbh, nothing stood out; but i'm not sure what words to filter with / where to start.
I'm running the ET Pro Tele rule-sets, but i've only got a few enabled.

If you've got a LAGG interface, would you run Suricata on the parent interfaces in promisc mode, or the LAGG in promisc mode?

If my switch can handle flow control (disabled by default), would it be better to disable FC on OPNSense's parent LAN int's?

Suricata's running on the parent int's of a LAGG; got some VLANS...

Also, should I leave FC enabled on the WAN int?

Suricata and Sensei are likely having the greatest affect on throughput.

Careful what Suricata rule sets you enable.  'SSL Fingerprint Blacklist' is v.expensive.
'abuse.ch/URLhaus' can also get pretty huge, and there's other ways of using that, like AdGuard DNS blocking (don't use it with Unbound), but i think most browsers incorporate it anyway as part of Google's Safe Browsing stuff.  Quad9 use it to, so you could just use their DNS servers and get that filtering up-stream.

Also, assuming your nic supports it, try setting 'Pattern matcher' to 'Hyperscan', which is an Intel thing.

ignore me:  https://docs.microsoft.com/en-us/surface-hub/miracast-over-infrastructure

anyone figured out how to get Win10 miracast working?

I've got the relay running and can see it in action using tcpdump.
I've set rules on both my LAN and main WLAN (which is a vlan) allowing any traffic in both directions (cause i'm lazy).

Win10 can't see my Roku (which does have all the necessary services enabled)....?

Win10's on eth, but apparently 10's supported eth to wlan miracast sinced 1703...

think something's up with the miniupnp daemon.
i have to restart the servive about once a day for windows to it up.
not sure what logs to look at, but if you point me in the right direction i'll see what i can see.

Since the 132 can act a router itself, is it be possible to handle PPPOE auth and encapsulation on the 132 itself and have standard eth frames between the 132 and OPNSense?

Has anyone had the chance to test throughput with PPPOE based connections?

Could anyone in the know explain the benefits of ZFS over UFS with regards to OPNSense?
I did do some reading, but it looked to me like ZFS was more applicable within a virtualised environment...?
What are the benefits on a bare metal install?

Was hoping to get some clarification regarding a lazy config as I don't fully understand the implications of it.

Currently for the game I'm using hybrid outbound NAT with two manual wan rules (one UDP, one TCP) specifying; required port ranges via alias; a specific host; static ports checked (os-upnp isn't enabled).  This gets me an "open" NAT type in the game.

The bit I don't understand is, say I just full lazy and went with one manual rule on the wan, lots of any's, and static ports checked, then enabled upnp with default deny disabled, does this mean all connections from any hosts applications would then use static ports, or only connections triggered via upnp?

Correct if I'm wrong, but it seams even with upnp enabled when using automatic outbound NAT, port randomisation still occurs, which makes me wonder why even bother with upnp if you're not using hybrid outbound and static ports?

Hope that made sense...

Tempting to just sell it and recover some of the costs and going back to dd-wrt on a consumer router and get more performance, crazy right.
I digress.

I will try what you suggest. It'll be interesting to see what happens.
Much obliged Ricardo.

Give OpenWRT a go in that case.   APU's are fully supported.
https://openwrt.org/toh/pcengines/apu2
https://teklager.se/en/knowledge-base/openwrt-installation-instructions/

What I've heard is OpenWRT (being Linux based as appossed to BSD) is more performant due to better multi-threading (PPPOE's not an issue either).  The thing BSD has going for it is it's network stack, it just keeps going and going.  But then I've heard BSD13 has much improved multi-threading...

I've read Hardware LRO can actually introduce latency due to the way packets are aggregated, so if you use any latency sensitive apps you might want to leave it disabled.

This guide from Teklager covers the useful stuff for opnsense on an APU:  https://teklager.se/en/knowledge-base/opnsense-performance-optimization/

I did email them a while ago asking if it was up-to-date.  They said they'd check.
Interestingly they updated the pfsense guide, but left the opnsense guide untouched, so I'm guesing it's all still applicable despite a number of major releases.

The Intel nic's used in the APU series do support all these features though, so no harm in testing them.

opnsense docs:  https://docs.opnsense.org/manual/interfaces_settings.html

Maybe I'm not stressing my CPU for long enough periods.  I did think it was 1.4Gghz across all cores.

Either way you're going from 600/800/1000 to 1000/1200/1400.

Whether or not you disable throttling if up to you I guess, but since the CPU's a 7 to 12 watt device I just don't see the point in not locking it.

https://blog.3mdeb.com/2019/2019-02-14-enabling-cpb-on-pcengines-apu2/

Code Select Expand

sysctl dev.cpu.0.freq
dev.cpu.0.freq: 1400

Doesn't seam to matter when\how frequently\under what conditions, 1.4Ghz is always reported.