Messages

@FullyBorked: I'm having the issues #3 and #4 (both) too.

I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users which having the same or other issues (https://github.com/opnsense/core/issues/4263)

I updated my post.  The syslog service issue is resolved in 20.7.1.  If you haven't yet it's worth updating.  Hasn't made anything worse at least.

Edit: I can't read....  This worked for me.

This should help guide you for adding a second disk. Once the disk is added and mounted you would just need to point your logs to it.  I've not done it per say but doesn't look too bad. 

https://www.freebsd.org/doc/handbook/disks-adding.html

"amongst others" references the full change log below. It's intentionally ambiguous in the sense that the actual changes are listed below. If you don't see your issue there it's probably just that.

The second paragraph is more loose in terms of content from release to release. It is meant to hint at past and future events. In this case it unambiguously states that Sensei and IPS issues are not yet resolved in the release.

I'm not sure how to make this any clearer other than: don't panic and use 20.1 if you must. ;)


Cheers,
Franco

No panic here :)  I just read it wrong, initially.  Thought maybe someone else did too.  No need to rewrite anything at all.  I'm patiently waiting on 20.7 and figure it'll work when it works and it will be great as usual. 

[amongst others]

@mb

Is 20.7.1 fixing the netmap issues adressed in the test kernel or would it set me back to the state before?

No, read the changelog. That is not fix the netmap issues.

To be a little fair the change log opening sentence seems a bit ambiguous.  I don't think it was intended that way but the first time I read it I thought it was saying there were other changes that weren't noted in the log.

Small update here with security advisories, multicast fixes and logging reliability patches amongst others.

Also I think he is asking if it will revert his changes, not if it has been fixed in the release. 

So its back to normal or not? I'm not upgrading until it is fixed. I may wait for a point release before I upgrade. 20.7 seems to be full of bugs.

Mine still seems fine, I'm very confused on why it's working now.  I don't know if changing power fixed it or one of the other 5 billion things I've tried.  In my opinion you should wait till the first point release before upgrading.  Let most of the larger bugs get sorted.  Wish I had waited...

So as @Mondmann mentioned power settings.  I set mine to maxiumum and tested and my speeds were back to 100% what I would expect.  Then set it back to hiadaptive and speeds are still fine.  Wonder if it's a powerd bug causing the performance issue.  Gonna keep testing this.

Hello All,
Test the energy management setting once
on Hightadaptive! All others reduce the transfer rates to about 50%.
Greetings from Germany

Thanks for the idea, I've been in hiadaptive.  Wonder if setting to max might help. 

Grüße aus den USA (best I can do ;) )

I'm on chip=0x150e8086 and my graphs don't work with IPS enabled.  Also having some very poor throughput with or without IPS.  If this helps at all.

Edit: intel nic using the igb (i think that designates the drivers being used?)

[Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow. Very confused, maybe it was stuck in a low power mode? No idea but my speed is fine now, maybe try cycling your power settings.]

This isn't comprehensive by any means, but outlines what I am experiencing.  I've not found any workarounds for these issues.  I consider 1 and 2 more serious than the others.  I'll try and keep this up to date as issues are resolved or more are encountered. 

1. WAN throughput is very slow IPS on or off doesn't matter, I'm only getting about 15% of my actual WAN bandwidth.  A reboot fixes the issue temporarily but at some point it will drop back to being slow.  >:(

Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow.  Very confused, maybe it was stuck in a low power mode?  No idea but my speed is fine now, maybe try cycling your power settings.

2. GEO IP Alias simply doesn't work, the zip file is being downloaded from maxmind.com but the alias won't populate, so any rules containing the alias fail to correctly function.

Workaround (Credit: @Goldorak92 pointed out @Julien who detailed it in https://forum.opnsense.org/index.php?topic=18628.0): Setting Firewall > Settings > Advanced > "Firewall Maximum Table Entries" set to 400,000 allows the table to fill and GeoIP filtering to function correctly.

3. Dashboard traffic graphs don't show data with IPS enabled.  I'm on an Intel NIC, some have suggested it's driver related.  Worked ok in 20.1.9 though maybe there is a bug in the latest driver?  No workaround has resolved the issue as of yet.

Fixed in 2.1

4. Syslog-NG service doesn't start on it's own after reboot.  Starting it manually does seem to work, but is inconvenient after reboot.  

This appears to be fixed with 20.7.1.

4. Restarting suricata service sometimes stops the ntpd service for some reason.  It can be manually started. 

This appears to be fixed.

5. Bogons alias is inexplicably empty at times.  Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list. 

This appears to be fixed.

6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log.  Not sure if this is cause of issue #1 or not.

Code Select Expand


kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled


Can't seem to locate the source for the WAN slowdown.  I disabled IPS and tried a download and I still can't get over 120-130 Mbps on a gigabit connection.  If I reboot the box I can get ~950Mbps for a short time, then it falls back down.  CPU and RAM usage very low.  So strange and frustrating. 

the re-saving the alias it did NOT work for me. The GEOIP does NOT work properly for me after the upgrade.

Same for me, I've seen solved on two of these reports.  I can't get mine to add a thing to my rules, key hasn't expired as the URL works fine in a browser and even shows that it's updated on 8-04.  I've deleted aliases and started from scratch, I've tried manually adding IP's clearing and re-saving the alias, rebooting, nothing will bring it back to life on my install. 

Of all the problems I've had with 20.7 getting rules loaded isn't one of them.  Did you do the "download and update rules" on the download tab?  I don't think simply enabling actually does anything until they are downloaded. 

I'm glad you're able to get it to add anything to the alias, no amount of anything I seem to be able to do will add a single address to that file.  Even the bogons is empty until i click the "update bogons" and at some point even it will clear out and require pressing the "update bogons" again.  Something is goofy with these alias's right now.  The only ones that appear to work is a manual alias with two networks I made. 

Hello,

please always mention if you are using IPS/IDS or Proxy.
It is a total different setup if you make use of that technology or if you are just doing Firewalling/NAT.

The speed and throughput can differ depending on configuration and active ruleset of any IPS/IDS.

Share details so others can verify your setup with their setups.

Regards,

Dominik

Fair point, I'm using IPS, my speeds seem fine even with IPS for a bit then it degrades to near nothing.  Seemed ok before 20.7 not sure if its the Suricata update or what.

Sent from my GM1917 using Tapatalk