Messages - topuli

#1
First of all, I like OPNsense and I am an absolute supporter; my comment was meant to be absolutely constructive... I personally wasn't aware that a rather simple-looking feature can have a nearly 50% performance impact, and I have a feeling I can't be the only one, so I just wanted to share the information.
#2
Can you give us some information about your use case and the services you want to use (IPS, Proxy, Tor...)?
If your requirements are not too high, maybe this hardware may suit your needs:
https://www.supermicro.com/en/products/system/Box_PC/SYS-E50-9AP-N5.cfm

I personally use an E100-9AP and I am quite happy with it.
#3
A quick follow-up. I am routing about 20 VLANs. I read a lot about performance tuning, and in one post the captive portal's performance impact was mentioned. Recently I changed my WiFi setup, and at some point I had tried the captive portal function for a guest VLAN. So I gave it a try and disabled the captive portal (it was active for one VLAN). I could not believe my eyes when I tested the throughput again.

captive portal enabled for one vlan:
530 Mbit/s

captive portal disabled:
910 Mbit/s

#4
Just for the record, I am also experiencing degraded throughput. LAN routing between different VLANs with only the firewall enabled, no IPS etc., is around 550 Mbit/s. The setup is switch -> 1 Gbit trunk -> switch -> 1 Gbit trunk -> OPNsense firewall. Low overall traffic.
#5
Have you checked the watchdog settings in your BIOS?
#6
18.7 Legacy Series / Re: ntp Questions
February 18, 2019, 03:06:01 PM
These are standard messages.
The OPNsense GUI shows the server time and the sync source under Dashboard\Lobby in the section "Network Time".

For it to work correctly, I had to set kern.timecounter.hardware in System\Settings\Tunables.
I have set the value to "HPET".

t.
#7
Happened to me too.
The very short version:

Download image (VGA version)
SHA256 check
Unzip
Take USB stick and clean with:
diskpart, list disk, select disk N (‼ be sure it's the USB stick), clean

Use Rufus to create a bootable image: DD image (the extracted OPNsense file), GPT UEFI, 8192 (default), FAT32

Login with installer and pw opnsense
Install

Connect via cable to 192.168.1.1
Login with root and your pw from the install process
Restore backup
Modify your needed variables in Tunables via the GUI or set them in /boot/loader.conf.local

t.
#8
Just in case someone is on the same hardware.
Upgraded my firmware for the Supermicro E100-9AP to 1.2.
For some strange reason, and to my surprise, the system booted into an "sdhci pci X-slot 0 timeout".
After several timeouts the system continues to boot.

I had to set the following in /boot/device.hints; it looks like that file is overwritten by the latest update.
So I set the following in /boot/loader.conf.local:

hint.sdhci_pci.0.disabled="1"
hint.sdhci_pci.1.disabled="1"
hint.sdhci_pci.2.disabled="1"

t.
#9
General Discussion / Re: unbound - dhcpleases
May 12, 2018, 11:13:12 PM
Today I was able to take a closer look at the problem.
After I found out about /usr/local/opnsense/scripts/dns/unbound_dhcpd.py, I looked into the script.
unbound-control is used to list and read the local data.
So to further isolate my problem I started with:

unbound-control -c /var/unbound/unbound.conf list_local_data
I was greeted by an error message:

error: SSL handshake failed
2586055198312:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verfify failed:s3_clnt.c:1269:

The reason my /var/unbound/dhcpleases.conf is empty is that the command (unbound-control) that wants to read my local data fails.

So I asked my second best friend Google and found:
https://forum.ipfire.org/viewtopic.php?t=18906

Inspired by this post, and after reading https://www.unbound.net/documentation/unbound-anchor.html, I:

SSH'd into the OPNsense box

cd /var/unbound
mv root.key _root.key
mv unbound_control.key _unbound_control.key
mv unbound_control.pem _unbound_control.pem

Restarted unbound in the OPNsense GUI under System/Diagnostics/Services

unbound restarts and the files root.key, unbound_control.key and unbound_control.pem get regenerated.

Now # unbound-control -c /var/unbound/unbound.conf list_local_data works and /var/unbound/dhcpleases.conf can be written.

I now can resolve my local DHCP clients.

Jupidu!
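The fix above renames the three control files in place and relies on a GUI restart to regenerate them. As an added example that is not part of this post or of OPNsense itself, here is a small POSIX shell script that moves the same files into a timestamped backup directory outside /var/unbound (so the old key material is not left beside the live files and can be rolled back or compared), and a check that the full set exists again after the restart. The function names, the backup location and the `--stash`/`--check` flags are my own; the file names and /var/unbound are taken from the post.

```shell
#!/bin/sh
# Added example, not from the forum post: stash the Unbound control/trust
# anchor files into a timestamped backup directory instead of renaming them
# in place, then verify that Unbound regenerated a complete set.
set -eu

# File names from the post (the live directory is /var/unbound on OPNsense).
CONTROL_FILES="root.key unbound_control.key unbound_control.pem"

# stash_control_files UNBOUND_DIR BACKUP_ROOT
# Moves every control file that exists into BACKUP_ROOT/unbound-control.<ts>/
# and prints that directory. Returns 1 (and removes the empty directory)
# when there was nothing to move, so a typo in the path is noticed.
stash_control_files() {
    src=$1
    dest="$2/unbound-control.$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    moved=0
    for f in $CONTROL_FILES; do
        if [ -f "$src/$f" ]; then
            mv "$src/$f" "$dest/$f"
            moved=$((moved + 1))
        fi
    done
    [ "$moved" -gt 0 ] || { rmdir "$dest"; return 1; }
    printf '%s\n' "$dest"
}

# missing_control_files UNBOUND_DIR
# Prints the names of control files that are absent. After the restart
# Unbound should have recreated all three, so the output should be empty.
missing_control_files() {
    for f in $CONTROL_FILES; do
        [ -f "$1/$f" ] || printf '%s\n' "$f"
    done
}

# control_set_complete UNBOUND_DIR -> exit status 0 if all three files exist
control_set_complete() {
    [ -z "$(missing_control_files "$1")" ]
}

# Usage (hypothetical script name):
#   ./unbound-control-reset.sh --stash /var/unbound /root/unbound-backup
#   (restart Unbound under System > Diagnostics > Services)
#   ./unbound-control-reset.sh --check /var/unbound
if [ "${1:-}" = "--stash" ]; then
    stash_control_files "${2:-/var/unbound}" "${3:-/root/unbound-backup}"
    echo "now restart Unbound, then re-run with --check"
elif [ "${1:-}" = "--check" ]; then
    control_set_complete "${2:-/var/unbound}" && echo "control file set complete"
fi
```

The check step is the part worth keeping: an incomplete set after the restart (for example only root.key recreated) means the unbound-control SSL failure will come back, and comparing the new unbound_control.pem with the stashed copy confirms that the certificate really changed.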
#10
General Discussion / Re: unbound - dhcpleases
May 12, 2018, 10:27:25 PM
Thanks for your reply. Yes, the DNS server the clients get via DHCP is the OPNsense box.
#11
General Discussion / unbound - dhcpleases
May 07, 2018, 01:12:26 PM
Hi,

I have set up DHCP and Unbound.
Under System/General/Domain, a domain is set.

Unbound is enabled, and "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" are set.

My clients do get an IP, DNS server, gateway, DNS suffix... via DHCP.
I can see the leased IPs under DHCPv4/Leases.

However, I can't resolve the hosts in my environment.
I have noticed that /var/unbound/dhcpleases.conf is empty!

What I have already tried is:
set "System\Settings\Administration\Disable DNS Rebinding Checks"
set "Unbound DNS\General\Local Zone Type\static"

Any ideas?

Thx t.
#13
German - Deutsch / Firewall Rule Problem - ping
May 02, 2018, 12:09:23 PM
Hi folks,

About my setup:
A Supermicro E100-9AP as the OPNsense box with one WAN and one LAN interface.
A Cisco SG300 switch is attached to the LAN interface via a trunk, and it in turn is connected via a trunk to a second SG300. VLANs are configured on both switches and are carried over the trunks to the OPNsense box.
For testing I connected two clients to one switch. I defined the ports for the clients as access ports for one VLAN each; that is, one access port VLAN 10 and one access port VLAN 20.

In OPNsense the VLANs, interfaces, NAT... for the VLANs are defined.
In principle, the clients' access to the Internet works.

My problem:
To test the configuration I defined the firewall rules for VLAN 10 and VLAN 20 so that ICMP is allowed from each network into the other.

A ping from VLAN 10 to VLAN 20 and from VLAN 20 to VLAN 10 worked in both directions, as expected.

Then I set the ICMP rule for VLAN 20 to reject. And then I saw the following phenomenon:

A ping from VLAN 20 to VLAN 10 did not work, a ping from VLAN 10 to VLAN 20 worked; so far so good.
However, while a ping from VLAN 10 to VLAN 20 is running, the ping from VLAN 20 to VLAN 10 suddenly works as well. The whole thing is time-dependent: when I stop the ping from VLAN 10 to VLAN 20, after a short time pinging from VLAN 20 is no longer possible either.

I am aware that ICMP is stateless, but other firewalls solve that too; after all, Echo and Echo Reply are quite easy to tell apart.

Could someone please explain to me what exactly is happening here and how I can prevent it if necessary.

Regards
t.
#14
I can confirm that setting these variables also works for the Supermicro E100-9AP (motherboard A2SAN-E) with an installed SATA M.2 Samsung 860 EVO! Without the settings, the SSD is not recognized by the installer (the SSD is visible in the BIOS).

To recap the steps needed for 18.1 and my hardware:

* boot USB pendrive (amd64_vga image prepared with dd) - both a 2 GB USB 2 and a 16 GB USB 3 key worked
* press Escape as soon as the boot logo appears
* the cursor blinks beside the OK prompt
* type:
set machdep.disable_msix_migration=1 (press Return)
set hint.hpet.0.clock=0 (press Return)
set hint.ahci.0.msi=2 (press Return) - ahci.0 for channel 0, ahci.1 for channel 1, or just set it for both channels
set hint.ahci.1.msi=2 (press Return)
* boot (press Return)

* at the login prompt, log in as root with the password you have set during the installation process
choose 8) Shell

* with your favourite editor create the file /boot/loader.conf.local
you can also put it in the existing /boot/loader.conf, but this file will be overwritten with the next upgrade

* insert the lines:
machdep.disable_msix_migration=1
hint.hpet.0.clock=0
hint.ahci.0.msi=2
hint.ahci.1.msi=2

* write the file and reboot

Hope it helps someone.

t.