Messages - JayST

#1
Oh, that worked perfectly! Thank you very much! I will document this ASAP!
#2
I'm running a 24.10.1 HA cluster with Deciso HW appliances. I've been running them for quite some time and all works out OK with the CARP addresses on both LAN and WAN.
I'm using a WireGuard VPN to connect to the cluster on the CARP WAN VIP address. This works fine and I can open up the Web GUI of the master node, and I can ping the internal CARP VIP of the management VLAN and the IP of the master node within that management VLAN.

However, I can't ping and/or use the web GUI of the backup node and I can't figure out why. All is synced; config and interface configuration are the same.
If I fail over from master to backup, WireGuard reconnects perfectly to the backup unit and I can manage it on the Web GUI and ping it on its management IPs.

I'm out of ideas on where to look. Any hints/tips/questions to get me to manage the backup node through the WG tunnel as well?
#4
I converted a community edition to business edition today with a subscription. I'm on 23.10.1_2 now.
On the community edition, I used MaxMind with an update URL + license key setup etc. as described in the docs. However, I now wish to use the built-in GeoIP database. What are my steps? How do I clear the MaxMind usage? Where do the GeoIP updates come from when using the business edition?
#5
Looking into this as well. Curious, was the fix you reported in addition to setting net.isr.maxthreads="-1" and net.isr.bindthreads="1"?
Did you also have to change the default value of net.isr.dispatch tunable?
#6
I'm looking into a performance issue with OPNsense 21.7.7 running on a VMware VM on a relatively powerful Dell R640 server. The VM uses vmxnet3 virtual adapters.
The OPNsense VM is running with 2 cores, and CPU core 2 maxes out at 400Mbit WAN throughput.
I'm monitoring (SNMP) the CPU usage during this load, and it seems one of the 2 cores (CPU2) assigned to the VM is maxed out and the other is idling away.
I'd really appreciate some help / pointers about where to look next to find out how I can determine where the bottleneck is and what can/can't be done about it.

Some questions I have:
How would I best monitor this to determine the bottleneck?
Would upgrading the VM with more cores help? Perhaps 2 is too low to multithread?

thanks in advance.

Some more information.


# vmstat -i
interrupt                          total       rate
irq1: atkbd0                           2          0
irq18: uhci0                     2247772          2
cpu0:timer                     137996878        107
cpu1:timer                     198828337        154
irq256: ahci0                     858812          1
irq258: mpt0                     9736309          8
irq260: vmx0:irq0             1148453361        891
irq268: vmx1:irq0             1803966729       1400
irq277: vmx2:irq0              162289982        126
irq286: vmx3:irq0              823455667        639
Total                         4287833849       3328
#


Edit:
I found some tunables of possible interest

net.isr.maxthreads="-1"
net.isr.bindthreads="1"
hw.pci.honor_msi_blacklist="0"
I'm not sure if I would need to set all 3 of these or just the last one. Also, the first two are mentioned together with the need for setting net.isr.dispatch, but it is unclear to me if that only counts when the first maxthreads tunable would actually be set to a positive integer.

And then possibly playing around with values for:
hw.vmx.txnqueue (to be equal to the core-count?)
hw.vmx.rxnqueue (to be equal to the core count?)
hw.vmx.txndesc (not sure)
hw.vmx.rxndesc (not sure)

edit2:
Below is the vmstat output after setting
net.isr.maxthreads="-1"
net.isr.bindthreads="1"
hw.pci.honor_msi_blacklist="0"

AND rebooting. Had to do the reboot to see the change happen.

# vmstat -i
interrupt                          total       rate
irq1: atkbd0                           2          0
irq18: uhci0                        1370          2
cpu0:timer                         94246        129
cpu1:timer                        102043        140
irq256: ahci0                        524          1
irq258: mpt0                       62743         86
irq260: vmx0:rxq0                  22699         31
irq261: vmx0:rxq1                  49248         67
irq270: vmx1:rxq0                  15597         21
irq271: vmx1:rxq1                  26109         36
irq281: vmx2:rxq0                  58672         80
irq282: vmx2:rxq1                  11467         16
irq292: vmx3:rxq0                   5856          8
irq293: vmx3:rxq1                   9690         13
Total                             460266        630
edit3:
So after adding all three tunables above (and a reboot), both virtual cores were used more evenly. But under load (more sessions), the firewall would not respond well and was overloaded. 2 cores were not enough. I increased the core count to 6 and that gave it room to keep breathing AND reach throughput over 1Gbit/s instead of 400Mbit.

I think I'm OK now with this, but I'm still unsure if I need these two tunables in addition to hw.pci.honor_msi_blacklist="0":
net.isr.maxthreads="-1"
net.isr.bindthreads="1"

comments welcome :)
#7
Hmmz, this is weird. I got it working again.
Things I did to make it work:
1.) Changed the VPN server from UDP to TCP and changed the firewall rules (WAN and OpenVPN tabs) from UDP to TCP too.
After that, it did not work yet.
2.) I tried to export the client configuration (as archive) again.
It still did not work.
3.) I noticed the client export procedure did not update the configuration file to reflect the new setting (TCP). It also kept the filename of the configuration zip file with "UDP" in it, even though it was now set to TCP.
4.) In the client export window, I changed "host name resolution" from the default "interface ip address" to "other" and then hardcoded my WAN address there.
5.) This seems to trigger the creation of a new config filename upon exporting again. This time it had TCP in the filename and the ovpn file was reconfigured to use TCP.

I'm good :)
#8
Today I got the same problem, only after upgrading to 18.1.9. It was working on 18.1.8!
I tried everything: recreated all certs, CA, OpenVPN server, etc.

From my openvpn client on windows:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
#9
Our service provider wants us to use two gateways and says they have been set up to require our router/FW to do equal-cost routing (ECMP) to those two gateways (two different subnets).

I could not specifically find information about OPNsense and ECMP. But I did find the multi-WAN documentation.
https://wiki.opnsense.org/manual/multiwan.html

Can I implement an ECMP equivalent with multi-WAN load balancing using the same tier for both gateways in the gateway group on the OPNsense firewall?