Messages

Nothing I tried helped. The only thing I could do is setup a cron job to exectue pfctl -F state every 4 hours.
See attached pics for the state info while the issue was at its worse. Does anything look off here?

Was even worse this morning. Took 2 minutes to load up WebGUI. But finally got to reset state tables and back to normal.
This time I looked at how many entries there were and it didn't look like enough to cause this issue. Maybe there were about 1500 entries. Seems to happen mostly at night. Resetting the state table seem to be good all day, so what I am going to do is run a cron job to reset the state tables at 8AM every morning. At this point it is the only thing I can think of to do. Now I just have to figure out how to setup the cron job.

No one is downloading torrents or doing network scans. This issue started when I put in the new box a week ago.
I also thoroughly checked the config file and nothing is in there that shouldn't be. The only hardware difference between the new box and old box is changing to igc from igb Intel NIC's, and a newer processor, J1900 to J4125.
Using the same new box at another location with no issues.

The other interesting thing I noticed is resetting the state tables happens instantly and doesn't seem to actually change the list of states. I noticed it does this on the other firewalls too. Resetting use to take 10-30 seconds. Now it doesn't seem to do anything except bring back the speed.

Reason I don't just start over is because this box is 300+ miles away with no IT people there. So I have to prepare the box and send it. The people there can swap cables, but that is the extent of their knowledge.

As far as the state table size, I actually reduced it to 250000 to see if it has an effect.  I don't know how to tell if it is full. Best I can tell there are about 1100 entries in there now. I also changed the Firewall Optimization from conservative to normal. It is still ok speed from the last reset about 6 hours ago.

So my questions are, would filling the state table actually cause a slowdown, and what causes the state table to fill up? To my knowledge the site does not have high volume internet usage.

Also why should the state table be an issue at all. The previous box, which had bad SSD sectors, worked fine with the same state table size. The issue with the old box is it gave errors when I tried to do updates, or anything with plugins. I even got an error when trying to get to the shell from the console. But the old box ran fine, just couldn't make any changes to it without an error popping up. Which is why I replaced it.

By the way I have three other sites with similar OPNsense hardware and configurations. They all work fine on the latest release.

Back to slow again this morning. I reset the state tables and back to full speed.
As I said before, this is a default installation with only flow control disabled added to the tunables.
The old box also was also a default config with no added tunables.
So far, don't see anything suspicious in the config file.

Works!
But still doesn't show Current IP or time updated in GUI.
Is it suppose to do this?

I will look at the config file again. I did change the igb's to igc's. That is the only hardware difference between the old and new box other than the old Intel CPU was J1900 and the new one J4125.
So far, speed hasn't slowed down since I disabled IPv6 and reset the state tables. But can't be sure until tomorrow morning.
What I found made the difference was resetting the state tables. Which may also be IPv6 related.

There is an ISP supplied modem. It is in pass-through mode. The previous OPNsense firewall, which had a degrading drive, worked fine. I imported the config file to the new box.

Not virtualized. Basic default installation with no plugins.
MiniPC Intel J4125 8GB, 128GB NVMe, 4-i225 NIC ports (igc)
So far speed ok after 1 hour. Usually takes a few hours

[Another important clue. speed comes back when I reset the states tables in firewall diagnostics.]

Anyone..........

Not sure what to do at this point. Tried adding flow control disabled to tunables.

Only thing I see is the higher the memory usage, the slower it gets. But I am only at 14% and near zero on CPU.
Takes a minute to load the WebGUI. If I reboot, speed goes back to normal. Logs are empty.
I also tired reloading all services in the console. Still slow. Memory is now @ 16% and even slower.
What causes the memory to increase like that? I am not using Suricata or VLAN's. Just a plain default config.

Another important clue. speed comes back when I reset the states tables in firewall diagnostics.
So I disabled IPv6 altogether to see if that affects the speed. I will know in a few hours.

HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!. Please.

Using 23.1.9. Very basic generic setup. One LAN, one DHCP WAN.
Internet speeds come to a crawl. If I reboot speeds come back, but withing a few hours, back to crawling. I can barely remote into the WebGUI when it is slow.
Resources look fine. Memory is at 14% when slow and 7% when rebooted.

Anything I should be looking at? Nothing meaningful in any logs.

This is a new box that I installed OPNsense on and just restored the config. The old box had a minor disk issue. This slowdown issue is since I put this new box in.

Ugh.. Thanks for quick response. That is what I was afraid of.
I will see if someone there can swap units. At least the backup XML downloaded.

I was doing updates on all my remote OPNsense firewall when one of them would not update so I started investigating.
I tried to do it via SSH and get Input/output error. Shell not working with same error.
Reboot doesn't work
When I try update from WebGUI I get
Checking integrity...Child process pid=30552 terminated abnormally: Bus error

Funny thing is, firewall is working. I just can't do anything.
Using ZFS, but can't run scrub from cron.

All services are running. This is a vanilla install with no additional features.
If I try a reboot via console I get
/usr/local/etc/rc.reboot: /sbin/shutdown: Input/output error

Any suggestions? This firewall is 300 miles away. I really do not want to make a trip there.

People complain when something doesn't work.
I just updated and ddclient doesn't update the Current IP or date in the GUI.
Also I get the logs filled with errors like this
2261-10-26T16:44:30-07:00   Notice   ddclient[87555]   43051 - [meta sequenceId="42"] FAILED: updating www.<xxx>.com: Could not connect to api.cloudflare.com/client/v4.   
2261-10-26T16:44:30-07:00   Notice   ddclient[87555]   42221 - [meta sequenceId="41"] WARNING: cannot connect to api.cloudflare.com:443 socket: Name does not resolve IO::Socket::IP configuration failed

I assume that will only affect new installs. If you already have the legacy installed, it should continue to function.
It is a huge mistake to remove it since the replacement has so many issues. Why are they doing this?

Scrap os-ddclient. Doesn't work. Use the legacy plug-in. Every time it gets updated it gets worse. I had to switch back. Going with ddclient is a losing battle. I heard next OPNsense release the devs are removing the legacy from the repository. Big mistake. Get it while you can.

Excuse me, but why are the devs getting rid of something that just works with a piece of garbage code that barely works. Doesn't make sense to me.