Messages

1

22.7 Legacy Series / Lower cpu load during idle in 22.7.5 when using suricata

« on: October 06, 2022, 04:23:09 pm »

This could be a continuation of this thread, as we are on 22.7 release now:
https://forum.opnsense.org/index.php?topic=24895.0

Version 22.7.5 was released with of course the security fix as most important change..
Suricata was upgraded too in this release, with a change that should revert cpu load while idle to levels knows before 21.7.3
I upgraded my system and the load drop was significant.

I wonder if other users that experienced this specific load issue have the same improvement after upgrading to 22.7.5.

See also:
https://redmine.openinfosecfoundation.org/issues/4421
https://github.com/opnsense/core/issues/6065

2

22.7 Legacy Series / Re: High CPU load [rand_harvestq] on hetzner cloud

« on: October 06, 2022, 04:00:18 pm »

If you were still on proxmox I would advise to ad a virtio rnd device, perhaps you had it already in your vm config.
Possibly related to lack of entropy and by adding this device you could switch the source providing entropy.
Perhaps there is such a thing in hetzner cloud, you could ask if they have something similar.
Seems that hetzner runs KVM hypervisor too, so probably qemu and virtio rng is a qemu feature.

3

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: September 18, 2022, 11:34:01 pm »

And another 3 to add:
54.245.176.12
3.136.27.87
3.73.52.92

4

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: April 20, 2022, 12:13:11 pm »

Thank you!

5

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: April 18, 2022, 10:14:50 pm »

Hi astromeier.
There are several new ip addresses, not yet included in your maintained list.
So I already created a github issue in your repo:
https://github.com/astromeier/LetsEncrypt_Serverlist/issues/2

Thanks if you add them to your list. For the moment I keep them in my own extra alias list, after witch the validation process went fine again.

6

21.7 Legacy Series / Re: 21.7.3_1 - higher system load after upgrade caused by Suricata

« on: October 13, 2021, 02:14:55 pm »

Same issue here after upgrading to 21.7.3, so I'm back on 21.7.2

Some searching gave this:

On suricata forum [1]
Also on Ipfire bugtracker [2]
And on suricata bugtracker [3] and [4] and [5]

Seems that the load increase is most noticeable on KVM, also on other type virtual machines, less increase on bare metal install, but there also an increase.

And if this is the same issue, it's not an OPNsense issue but a suricata one.
One of the last posts on [3]  was made by one of the core devs from ipfire offering help, creating [4] for tracking in the suricata 7.x branch as it appears.
But reading [5] still not solved in suricata 6.0.5, possible backport?

[1] https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=12548
[3] https://redmine.openinfosecfoundation.org/issues/4096
[4] https://redmine.openinfosecfoundation.org/issues/4379
[5] https://redmine.openinfosecfoundation.org/issues/4421

7

General Discussion / Re: Please Make a Donation to OPNsense

« on: September 21, 2021, 10:04:48 pm »

Donated 25 EUR.
It was time to turn words into deeds.
Thanks for all your work so far, keep on going!
Off course thanks to community too!

And a year has passed, I support your decision  to rebase on freebsd 13.
Another donation of 25 EUR to you, kudos.

8

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: June 28, 2021, 11:10:48 pm »

I understand astromeier and already made the changes.
It's just that I want to monitor things that can change automatically on my firewall.
That's why I have also subscribed to the emergingthreats mailinglist so I keep an eye on that too.

9

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: June 28, 2021, 10:22:28 pm »

Even better, thanks.
I will keep an eye on the changes via my rss reader. I could ask for releases, but commits can be monitored just fine on github.

10

Tutorials and FAQs / Re: LetsEncrypt - Whitelist

« on: June 27, 2021, 11:13:53 am »

Thank you so much @astromeier.
Quite a list of ip numbers. The easiest way I found to add the full list, was to set all ip numbers in 1 line, separated by comma.
Then it's just a matter of clearing the list followed by copy pasting the line.

11

General Discussion / Re: KVM-Qemu Guest Agent

« on: March 22, 2021, 02:16:41 pm »

Posted this without looking at the repo:
https://github.com/opnsense/plugins/pull/2293

Great!

12

General Discussion / Re: KVM-Qemu Guest Agent

« on: March 22, 2021, 12:33:02 pm »

Since a few day it's available in freebsd ports, perhaps worth a look 
https://svnweb.freebsd.org/ports/head/emulators/qemu-guest-agent

13

20.7 Legacy Series / Tunables changed for igb driver

« on: August 07, 2020, 12:35:44 pm »

Hi, I'm rather new to opnsense, coming from sophos UTM, so I consider myself a beginner.
Recently I replaced my desktop nics by a i340-t4 card, so igb driver in opnsense 20.1.
I discovered that the tunables

Code: [Select]

hw.igb.txd="4096" and

Code: [Select]

hw.igb.rxd="4096" contributed in speed and stability.
In dmesg I could see that netmap applied the descriptot settings during boot.

Code: [Select]

igb0: netmap queues/slots: TX 2/4096, RX 2/4096
igb1: netmap queues/slots: TX 2/4096, RX 2/4096

A few days ago I upgraded to 20.7 and because there are major changes, like suricata 5 and bsd 12.1, it was somewhat harder to investigate issues, for example throughput being lower with IPS enabled.
During this investigation I thought it's always wise to check if certain custom settings are still being applied.
And they are not.
Apparently old descriptor settings have moved to iflib sysctl tunables. So now I have set for my two igb ports instead:

Code: [Select]

dev.igb.0.iflib.override_ntxds="4096"
dev.igb.1.iflib.override_ntxds="4096"
dev.igb.0.iflib.override_nrxds="4096"
dev.igb.1.iflib.override_nrxds="4096"

With these settings, the descriptor values are applied again to netmap.
I guess more tunables for igb have moved, so I think if you set "old" ones, you should doublecheck if they are actually applied.

P.S. In my opinion the actual current systctl tunables for igb are rather hard to find. Since bsd 12.1 the em driver is used for igb.
In the end I used a combination of the actual available values the my system displays for sysctl -a and:
https://www.freebsd.org/cgi/man.cgi?query=iflib&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

14

General Discussion / Re: Please Make a Donation to OPNsense

« on: July 21, 2020, 02:36:44 pm »

Donated 25 EUR.
It was time to turn words into deeds.
Thanks for all your work so far, keep on going!
Off course thanks to community too!

15

20.1 Legacy Series / Monit doesn't list WAN interface for network service check

« on: July 21, 2020, 02:09:24 pm »

Hi,

When creating a new service setting to monitor link status for WAN, the interface drop down list only lists "none" and "LAN", no WAN.
My OPNsense system is a virtual KVM instance, 2 pass through nics, that are working fine.
ifconfig lists em0 and em1 interfaces nicely.
I already created a similar service setting for LAN (type network), that's working fine.
The monit proces shows it runs like /usr/local/bin/monit -c /usr/local/etc/monitrc{monit}
Opening the /usr/local/etc/monitrc from shell states, so I wont touch it:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

So I'm wondering what has to be done to get WAN in the list for Monit.