Messages - tmp

#1
Some update after a long time trying different tweaks, BIOS-Updates, Firmware-Updates, several configurations from scratch and so on.

At first, thanks to opnfwb for the detailed tunables that helped to get more throughput.

The solution is kind of "weird" but works. I've put two "dumb" gigabit switches between em0 and em1:

LAN (Zyxel managed switch)-> dumb switch -> OPNsense

WAN (FritzBox, branded by "Unitymedia", a German cable ISP)-> switch -> OPNsense


And the problems are solved. If I connect the firewall's NICs directly, the stability problems occur again. I'm really curious how this solved the problem.
#2
Thanks a lot for the detailed description of the tunables and the hint for hardware-testing. I will try all your suggestions tomorrow when I'm back at work and will report back if something helped!
#3
18.1 Legacy Series / Re: em0 down for no reason
March 16, 2018, 07:57:54 AM
The problem occurs on our site also under high load.
In the meantime I've found the error message documented in the em(4) driver in FreeBSD:


     em%d: watchdog timeout -- resetting  The device has stopped responding to
     the network, or there is a problem with the network connection (cable).

https://www.freebsd.org/cgi/man.cgi?em(4)

I've also replaced the cable connection with a new one but as expected that didn't solve the problem.
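The em(4) message quoted above only reaches the console (or an attached LCD, as in the original report) unless something watches the kernel log for it. The following POSIX shell snippet is an added example, not code from this thread or from OPNsense: it scans log lines for `emN: watchdog timeout` messages, counts resets per interface, and exits non-zero when an interface crosses a threshold, so a monitoring job can raise an alert before routing breaks down. The log lines, the hostname `fw` and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): count em(4) "watchdog timeout"
# messages per interface in a kernel/dmesg log so repeated NIC resets can be
# spotted by monitoring instead of on the console.

# Constructed sample log lines, modelled on the em(4) message quoted above.
SAMPLE_LOG='Mar 16 07:50:01 fw kernel: em0: link state changed to UP
Mar 16 07:55:12 fw kernel: em0: watchdog timeout -- resetting
Mar 16 07:55:13 fw kernel: em0: link state changed to DOWN
Mar 16 07:55:15 fw kernel: em0: link state changed to UP
Mar 16 08:02:40 fw kernel: em1: watchdog timeout -- resetting
Mar 16 08:10:03 fw kernel: em0: watchdog timeout -- resetting'

# Print "ifname count" for every em interface that logged a watchdog timeout.
# Reads the log from stdin; works with /var/log/messages or `dmesg` output.
# The pattern also matches the shorter "watchdog timeout - reset." form.
count_watchdog_resets() {
    sed -n 's/.*\(em[0-9][0-9]*\): watchdog timeout.*/\1/p' |
        sort | uniq -c |
        awk '{ print $2, $1 }'
}

# Exit 0 (alert) if any interface reached the threshold, else 1.
# Usage: watchdog_alert THRESHOLD < logfile
watchdog_alert() {
    threshold="$1"
    count_watchdog_resets | awk -v t="$threshold" '
        $2 >= t { hit = 1; printf "ALERT: %s reset %d times\n", $1, $2 }
        END { exit hit ? 0 : 1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_watchdog_resets
printf '%s\n' "$SAMPLE_LOG" | watchdog_alert 2 || echo "no interface over threshold"
```

On a live box, feed it `dmesg` or the kernel log instead of the sample and run it from cron or the monitoring agent; a second reset within a short window is a better early indicator than a single one, since the driver recovers from isolated resets as the thread describes.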




#4
18.1 Legacy Series / Re: em0 down for no reason
March 15, 2018, 09:45:25 AM
We seem to have the same problem: https://forum.opnsense.org/index.php?topic=7580.0
#5
Some update:

I've found another thread describing the same problem with an Intel NIC:

https://forum.opnsense.org/index.php?topic=4918.0


I updated the BIOS to the latest version and disabled all power saving features in BIOS but the problem persists.
Any help is appreciated.
#6
Dear community,

I'm facing a strange problem that has already been reported in this thread https://forum.opnsense.org/index.php?topic=7145.0. In my case, OPNsense does not run virtualized.

My setup:

HP Elitedesk 705 G1
AMD A8-6500b
8 GB RAM (2x4 Dual channel)
Intel EXPI9402PT Pro Dual 1000 (pciex)

My config is quite basic:
em0-> LAN (192.168.0.x) static
em1-> WAN (192.168.1.x) dhcp (connected to plastic crap cable router-> can't be changed)

Services I'm running:
Squid (transparent setup, SSL-Inspection enabled but only for filtering domains, shallalist as blocklist)
Suricata (in IDS-Mode, not IPS, Rules: ET-P2P, ET-Tor, ET-Malware)
100 users

Everything else is in default configuration.

When put in production, the firewall works as it should for a few hours. After a few hours in combination with higher load (100 Mbit routed through WAN), internet browsing becomes slow and a few minutes later completely inaccessible. The routing between LAN and WAN completely breaks down at this moment. The CPU and RAM load is always acceptable.
In this situation, I'm able to access the web interface, but can't ping out to WAN (even from the box itself).
On the attached LCD I can see (even without being logged in to the machine) the following output:

em0: watchdog timeout - reset.
(and some statistical data about packets ->if needed I'll take a screenshot)


I already tried:
- Disabled hardware offloading in interface settings (no change)
- Completely reinstalled and reconfigured OPNsense
- Disabled Squid


None of these steps helped so far. I want to get this working, because I prefer OPNsense and am quite happy with it - great work, guys!
Do you have any idea what I can do to get this working? It seems to me like a driver issue with the NIC, as far as I found out on various searches.

Kind regards

tmp





#7
For the records:
I am unable to tell you what I configured wrong. After two restarts the device works as described in the tutorial.
#8
Dear community,

currently I'm setting up an opnsense-appliance in a network where I am unable to change any network configuration except for the opnsense appliance.

Given setup:

Router (plastic crap-> 192.168.1.x) ->>>> OPNSENSE (Proxy + eventually IDS) ->>>>> Server / Wireless AP (192.168.1.x).


Actually I got OPNsense running in transparent filtering bridge mode and can access the internet from the server without touching the network configuration.
But I'm stuck in setting the transparent proxy. I configured squid to listen on all interfaces (for testing). But this doesn't work because there are no log entries inside the squid-logfile so the traffic doesn't pass through it.
For which interface do I need to configure the NAT-/FW-Rules?

Actually I got 3 NICs and one software bridge inside the machine:
WAN
LAN (management interface)
OPT 1 (bridged to WAN interface)
and OPT 2 (Bridge between WAN and OPT1).


I tried to set the NAT-Rules for OPT1 / WAN and OPT2 but nothing is working. Is my configuration just wrong or does opnsense not support Transparent Proxy when the device is set up as a transparent filtering bridge?


Regards

tmp
#9
Dear opnsense-community,

I'm new to opnsense and need some help in setting up opnsense as a transparent firewall bridge for content filtering. I'm using opnsense 18.

I followed the instructions given in this Wiki-Entry: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html.
But now I'm facing the same issues as the user amithad in this thread: https://forum.opnsense.org/index.php?topic=5162.0.

My setup:


Router with DHCP and NAT (192.168.1.x) ------> OPNsense -------> (192.168.1.x) Server.
I have 3 NICs and followed the tutorial step by step, except for defining a management IP as stated in Step 4, because I don't need this due to a dedicated management NIC.
I added an any->any rule to EVERY interface but I still cannot pass traffic through the new bridge. Do I need to set a gateway for the bridge interface pointing to the router that is doing dhcp etc? I'm really stuck at this point and tried everything that has been stated in this forum to transparent firewall configs.

Is there anything that has changed from version 17.x to 18.x so that the tutorial fails?

Regards

tmp