Messages - Tubs

#1
26.1 Series / Re: RAM usage changed
March 20, 2026, 07:39:35 PM
Quote from: nero355 on March 18, 2026, 04:55:31 PM
And IMHO that is a good thing!

I don't think that "random" behavior is a good thing. Reproducibility is a good thing.

Quote
A lot of software has become a resources hog while OPNsense apparently got more efficient! :)

This logic I cannot follow. It is the same software version with the same settings (assuming after restore from backup). So I would expect the same behavior. Only the hardware has changed.
#2
26.1 Series / Re: RAM usage changed
March 16, 2026, 08:08:59 PM
Quote from: pfry on March 16, 2026, 03:21:08 AM
Since you were considering a change in default values or failure to restore, are these settings the same:

Firewall: Settings: Advanced -> Miscellaneous -> Firewall Maximum States and Firewall Maximum Table Entries
System: Settings: Miscellaneous -> Disk / Memory Settings (reboot to apply changes)

I do not have a memory of all the settings I might have tweaked over the last years. But I assumed that all settings are the same after a full system restore from backup.
#3
26.1 Series / Re: RAM usage changed
March 15, 2026, 08:46:10 PM
Quote from: drosophila on March 09, 2026, 07:39:30 PM
ZFS likes to cache things, and after a reboot its cache is empty. I expect the RAM usage to increase to slightly below maximum over time.

Quote from: Patrick M. Hausen on March 09, 2026, 08:32:36 PM
Even with UFS or Ext4 every modern Unix system will eventually put all memory which is not otherwise used to caching.

Thank you. But maybe you got me wrong.

It is not about ZFS using RAM. My old and my new system were configured in the same way (restore of backup). The new system has double amount of RAM but still is using less: 4,5 GB instead of 6,5 GB. This somehow I cannot explain.
#4
26.1 Series / RAM usage changed
March 09, 2026, 07:18:19 PM
I ran OPNSense on an 8 GB mini PC for years. With Zenarmor on the LAN side and Suricata IPS on the WAN side, the RAM usage was almost at its limit at around 80%. I recently upgraded to a 16 GB system, reinstalled all the services and restored a backup. However, on the 16 GB system, it now only uses about 4.5 GB of RAM, whereas it used 6,5 GB on the 8 GB system.

Can anyone explain this?
Could it be because of the latest OPNSense software?

#5
Solved.
I am not sure if this was the reason, but I deleted some non-standard characters in the descriptions fields.
Now all rules are imported.
#6
I successfully updated opnSense to version 26.1_4.
I want to migrate the firewall rules to the new menu with the migration wizard. Export is working. But when I try to import, nothing happens. I can select a file and I can click the green hook. The window disappears. But no rules are imported and I get no error message.

Is this a known issue and I just need to wait till it is solved?

#7
General Discussion / Re: mDNS Repeater and firewall rules
September 23, 2025, 10:03:14 PM
Solved.

I did not figure out what rule exactly caused the issue. But when I placed the pass rule before my standard blocking rules, it worked. (Spamhaus drop, Spamhaus edrop, crowdsec)

#8
Quote from: meyergru on September 23, 2025, 09:25:46 PM
I would refrain from using SFP adapters for GPON at all and use external ONTs with a 2.5 Gbps ethernet connector (I do that).

It looks like this will be the best idea. I thought I could save one device by using a SFP GPON. But going with the mainstream solution of an external device seems to be the best way to go.

Quote
1. To not introduce a single-point of failure in the Proxmox machine. If something goes wrong with that, I would like to keep internet access.

Basically this I see in the same way. That's how I started over a decade ago. And that's where I am again today after an excursion up to a full blown server. Today, again I would be willing to do a little compromise.

Quote
2. For security reasons.

Yes. I am a home user. Using PCI passthrough for at least the WAN NIC would give me enough confidence in security.

Quote
3. Because Opnsense under Proxmox has its limitations and pitfalls, see this.

Proxmox is what I am familiar with. For several reasons my primary choice is XCP-ng for this plan. (Or bare metal)
#9
Quote from: meyergru on September 23, 2025, 08:28:39 PM
I did not even know that SGMII works with the adapters built into the DEC 750 at all - I once owned one and back then, it did not work with SFP-GPON modules at SGMII speed.

Thank you.

It looks like I have to re-think my complete idea. I am undecided if I go with OPNsense on bare metal or if I will go for a little bit higher spec, run opnSense under Proxmox VE or XCP-ng and use the idle resources or some small VMs. The devices so far on my comparison list are: Protectli VP2440, Protectli VP6630, Protectli VP6650, Deciso DEC750, Netgate 6100, Netgate 8200. If Intel X710-BM2 has the same limitation it looks like only the Netgate devices will be left over in my list.
#10
Hello,

when I look in the datasheet of Deciso DEC750 I will find the following limitation:

When using SFP+Modules, do not mix 2.5/5Gbps and 10Gbps link-speed as the hardware does not support mixing these due to different frequencies.

What does it mean exactly? Can I not use one of the ports for a 1 GBit SFP GPON fiber modem and one port for a 10 GBit SFP+ module to connect to a switch?
#11
Quote from: Diwrosa on February 22, 2025, 03:30:28 PM
Have you seen the Teklager TLSense C3758R which appears to be a rebadged Qotom Q20331G9-S10?

Thank you. Yes, I found. But at a different price than the Aliexpress offers.
Same for this German shop. https://eckstein-shop.de/QOTOM-Q20331G9-1U

#12
Quote from: HeneryH on February 19, 2025, 05:43:57 PM
@jde1000 , I got the Qotom Denverton Q20300G9-S10 Atom C3808 to run my OpnSense and some firewall apps like Traefik and Authentik.


Let us know how it performs.
Especially I would be interested in the difference between C3808 and C3758R/C3758 when running OPNsense on bare metal.

I am interested in the Qotom Q20331G9-S10 or Q20331G9-1U with C3758R. But so far I cannot find an OK offer in Europe. The Amazon and Aliexpress vendors currently are not shipping to Europe, or at least to my country.
#14
Hello,

what is the advantage of using "Proxy TCP/UDP on Layer 4" by Caddy instead of using port forwarding in OPNsense?

I just migrated from HAProxy to Caddy. Reverse proxy with TLS termination and TLS (SNI) Multiplexing on HTTPS Port with TLS passthrough were easy to set-up and just work fine. It was a pain to get this combination running in HAProxy.

Not clear to me is what a use case for "Proxy TCP/UDP on Layer 4" could be where it is better to use Caddy instead of just do port forwarding.
#15
Thank you. This helps.

Somehow I missed your replies to my question.