Messages

Hello everyone!

I just noticed in case dhcp registration is turned on and you add an entry to the host override page it would not work correctly. It only won't work for machines that are also registered by the dhcp registration option.
For example:
My main rig "192.168.1.110" is registered by the dhcp registration option as "HomePC". Now when I add "TestHomePC" with the same "192.168.1.110" IP as a Host override it won't resolve it.

Code Select Expand

nslookup HomePC
Server:  OPNsense.home
Address:  192.168.1.1

Name:    HomePC.home
Address:  192.168.1.110

were as

Code Select Expand

nslookup TestHomePC
Server:  OPNsense.home
Address:  192.168.1.1

*** TestHomePC wurde von OPNsense.home nicht gefunden: Non-existent domain.

All entries are correctly propagated to their config files. Two different hostnames with the same IP - both set in the host override page - work fine - it just won´t work when one is set by the dhcp registration option and the other one manually. In this case, both entries are in two different config files which seems to break it.

Is this supposed to be working?

Thanks! (:

(EDIT: I´m running OPNsense 22.1.6-amd64)

Historically it depends how old your installation is since the config.xml from that time contains the tunable

Just wanted to say thank you, Franco! (sorry for the late reply) Indeed the config.xml that does set it to 1 is from an install made in 2016. :)

May I ask what the default setting is right now in OPNsense 22.1? I updated two firewalls to 22.1 and both had a different value set. First 22.1 beta to 22.1 final - value set to 0, Second 21.7 to 22.1 final - value set to 1 - on both systems I have not changed anything in the "Tunables" tab.

[hw.ibrs_disable = 0]

Hello everyone,

I just wanted to give an update on a post I made almost a year ago. (https://forum.opnsense.org/index.php?topic=22477 - it´s archived, not possible to post there anymore) 
The issue was not getting the throughput I was able to get with pfsense on the same hardware. I thought this was related to the ixl driver not being up to date in OPNsense but this was probably not the case. Now I had time to have a look at it again and I found the culprit. It´s hw.ibrs_disable = 0 which activates the IBRS-based mitigation. When set to "= 1" (pfsense default value, IBRS-based mitigation disabled) 10gbit throughput was easily achievable with the E3 1230v5 on OPnsense 22.1 (Netflow disabled, no Suricata). I never thought that the SpectreV2 mitigation would impact performance that much but well... I hope this helps someone with the same problem!

Setup:

Code Select Expand

[Linux PC1 - iperf client] <---"LAN - 10g"---> [OPNsense] <---"WAN - 10g"---> [Linux PC2 - iperf server]

Even the docs mention the huge performance hit! -> https://docs.opnsense.org/troubleshooting/hardening.html

Maybe your (hardware) clock is out of sync. I had this once on my machine, where the bios clock was out of sync (battery was empty), after setting it up again, everything worked again. If you don´t run bare metal, in hyper-v there is an option called "clock-sync" make sure it says "enabled".

okay, well I tried with netflow disabled and indeed it improved performance. Going from 4.5 Gbps to 6.0 Gbps but still "far" from 10g. Something I also noticed is when I head over to the "Traffic Graphs" tab while the iperf test is running throughput drops to about 5.5 Gbps but strangely having a traffic graph widget on the dashboard does nothing. (tried with it being there and not being there - no change). Also, the dropped package count in iperf is relatively high compared to the same test done with pfsense.

yes, basically a default install - only netflow enabled but no suricata running nor is sensei installed. I will try with netflow disabled. Is netflow so resource-hungry?

Hello everyone,

I have a performance issue with my X710. I installed OPNsense 21.1.x which uses a quite outdated ixl iflib driver (2.1.0k) on my dell r330 (E3 1230v5 - 16gb RAM) and ran an iperf test. (setup below) The results were pretty low for what I´ve expected. => 4.52 Gbps In another console, I monitored the cpu utilization with top -aSH. There was one wcpu pegged at 100% with a process [kernel{if_io_tqg_2}]. Presumably something wrong with interrupts and therefore slowing down the test. Just for testing purposes, I´ve tried pfsense 2.5 (lol) with their freebsd 12.2 kernel and a newer ixl iflib driver (2.3.0k). iperf => 10 Gbps! --- with the same [kernel{if_io_tqg_x}] process with a slightly lower CPU usage. Is there something I cloud do or should I just wait for the opnsense devs to update to the newest (upstream) ixl driver?

Code Select Expand

[Linux PC1 - iperf client] <---"LAN - 10g"---> [OPNsense] <---"WAN - 10g"---> [Linux PC2 - iperf server]

Hello everyone,

I have a problem with my suricata config. I installed OPNsense 21.1.4 on my dell r330 (E3 1230 v5 - 16gb Ram - X710) and setup suricata. After running an iperf test I was "only" seeing a throughput of about 1.8 Gbps and a surciata cpu utilization of about 135%, but with top -aSH I could see one suricata process with WCPU pegged at 100%. The process had a {W#01-ixl1} at the end (Working thread?), a second process with {W#01-ixl1^} was only using 35% cpu. I tried changing the worker's mode to autofp, which made things even worse. I also tried running two iperf instances, but this changed nothing. The cumulated throughput was still about 1.8 Gbps. I thought suricata is multithreaded? Or is there something missing in the suricata.yaml? Is iperf even the right thing to test suricata throughput?

testing setup

Code Select Expand

[Linux PC1 - iperf client] <---"LAN - 10g"---> [OPNsense] <---"WAN - 10g"---> [Linux PC2 - iperf server]


Thanks! :)

Dankeschön für deine Antwort! Ich muss ehrlich gestehen ich habe mich dann doch gegen die ConnectX-4 entschieden, habe letztendlich eine X710-Da2 (auch günstiger) gewählt die netmap nativ über den ixl Treiber unterstützt. Zu meiner Ausgangfrage kann ich nun nach weiterer Recherche ergänzen, dass eine ConnectX-4 funktionieren müsste, da der netmap treiber , so wie ich das verstanden habe auch für nicht-netmap-treiber emuliert werden kann. (also auch für den mlx5en Treiber?) (Performance bei einem 10g setup natürlich fragwürdig)

Hallo alle zusammen,

Ich hätte eine frage bezüglich des Themas netmap und Mellanox Netzwerkkarten. Ich habe irgendwie mal gelesen, dass sowohl suricata als auch sensei netmap benötigen. Nun meine Frage, da ich relativ preisgünstig in den Besitz einer ConnectX-4 kommen könnte, ob solch eine Netzwerkkarte mit dem mlx4 treiber überhaupt mit suricata und sensei funktioniert? Im Netz findet man dazu leider kaum etwas, nur das unter Linux der mlx4 netmap unterstützen würde. Wie schaut das bei den Mellanox NICs unter BSD aus?


Danke :)

Grüße

Hi,
Es gibt ja die Möglichkeit mit dem Traffic Shaper die Bandbreite unter den Usern gleich aufzuteilen -> https://docs.opnsense.org/manual/how-tos/shaper.html#share-bandwidth-evenly. Es ist eigentlich auch genau das was ich suche aber wie funktioniert das, wenn ich zB als einziger im Netz bin und etwas herunterlade, habe ich dann die volle Bandbreite oder nur die Hälfte? Und wenn 10 User bei einer 100Mbit Leitung im Netz sind hat dann jeder "nur" 10Mbit zur verfügung oder versteh ich da was falsch?  :-\
Ich hoffe ihr könnt mir helfen bzw mich aufklären! Danke :)

Ja, daran liegts! Danke. Ist einwenig komisch aber es erklärt einiges.
Danke! :)

[nicht]

Hi,

Heute habe ich meine OPNsense-box (OPNsense 17.1.2) an's Netz gehängt und den alten KabelDE Router auf Bridge gestellt, hat auch soweit funktioniert. Normalerweise kann man ja bei Routern/Firewall's das WebUI von außerhalb, also auf WAN, nicht aufrufen, aber irgendwie geht es schon, wenn ich meine öffentliche IP im Browser eingebe öffnet sich der Login von OPNsense.  :o 
Das ist irgendwie strange und es macht ja den ganzen Vorteil einer Firewall zunichte...  :'(  Es gibt noch jemanden, der zufälligerweise auch bei KabelDE ist, der das gleiche Problem hat.  https://github.com/opnsense/core/issues/1384
Jedoch ist da nicht viel rausgekommen, Leider

Habt ihr eine Idee woran das liegen könnte?
Kann es an KabelDE liegen?


Danke! :)
MfG