Messages - Ypsilon

#1
This could be a continuation of this thread, as we are on 22.7 release now:
https://forum.opnsense.org/index.php?topic=24895.0

Version 22.7.5 was released with of course the security fix as most important change..
Suricata was upgraded too in this release, with a change that should revert CPU load while idle to levels known before 21.7.3.
I upgraded my system and the load drop was significant.

I wonder if other users that experienced this specific load issue have the same improvement after upgrading to 22.7.5.

See also:
https://redmine.openinfosecfoundation.org/issues/4421
https://github.com/opnsense/core/issues/6065

#2
If you were still on Proxmox I would advise to add a virtio rng device, perhaps you had it already in your VM config.
Possibly related to lack of entropy and by adding this device you could switch the source providing entropy.
Perhaps there is such a thing in hetzner cloud, you could ask if they have something similar.
Seems that hetzner runs KVM hypervisor too, so probably qemu and virtio rng is a qemu feature.
#3
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
September 18, 2022, 11:34:01 PM
And another 3 to add:
54.245.176.12
3.136.27.87
3.73.52.92
#4
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
April 20, 2022, 12:13:11 PM
Thank you!
#5
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
April 18, 2022, 10:14:50 PM
Hi astromeier.
There are several new ip addresses, not yet included in your maintained list.
So I already created a github issue in your repo:
https://github.com/astromeier/LetsEncrypt_Serverlist/issues/2

Thanks if you add them to your list. For the moment I keep them in my own extra alias list, after which the validation process went fine again.
#6
Same issue here after upgrading to 21.7.3, so I'm back on 21.7.2 :(

Some searching gave this:

On suricata forum [1]
Also on Ipfire bugtracker [2]
And on suricata bugtracker [3] and [4] and [5]

Seems that the load increase is most noticeable on KVM, also on other types of virtual machines, less increase on bare metal install, but there also an increase.

And if this is the same issue, it's not an OPNsense issue but a suricata one.
One of the last posts on [3] was made by one of the core devs from ipfire offering help, creating [4] for tracking in the suricata 7.x branch as it appears.
But reading [5] still not solved in suricata 6.0.5, possible backport?

[1] https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=12548
[3] https://redmine.openinfosecfoundation.org/issues/4096
[4] https://redmine.openinfosecfoundation.org/issues/4379
[5] https://redmine.openinfosecfoundation.org/issues/4421
#7
Quote from: Ypsilon on July 21, 2020, 02:36:44 PM
Donated 25 EUR.
It was time to turn words into deeds.
Thanks for all your work so far, keep on going!
Of course thanks to community too!
And a year has passed, I support your decision to rebase on freebsd 13.
Another donation of 25 EUR to you, kudos.
#8
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
June 28, 2021, 11:10:48 PM
I understand astromeier and already made the changes.
It's just that I want to monitor things that can change automatically on my firewall.
That's why I have also subscribed to the emergingthreats mailinglist so I keep an eye on that too.
#9
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
June 28, 2021, 10:22:28 PM
Even better, thanks.
I will keep an eye on the changes via my rss reader. I could ask for releases, but commits can be monitored just fine on github. :)
#10
Tutorials and FAQs / Re: LetsEncrypt - Whitelist
June 27, 2021, 11:13:53 AM
Thank you so much @astromeier.
Quite a list of ip numbers. The easiest way I found to add the full list, was to set all ip numbers in 1 line, separated by comma.
Then it's just a matter of clearing the list followed by copy pasting the line.
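Added example, not from the original post or the OPNsense project: a small POSIX sh script that turns a newline-separated IP list into the single comma-separated line described above, while dropping comments, blanks and duplicates and keeping any entry that is not a valid IPv4 address or CIDR on a separate "rejected" list so it is not lost silently. The sample list is constructed for the example; the function and variable names are mine.

```shell
#!/bin/sh
# Normalise an IPv4 list for pasting into the content field of an OPNsense
# alias. Added example, not OPNsense code. Everything below is self-contained.
LC_ALL=C
export LC_ALL

# Constructed sample input: duplicates, a blank line, a comment, a /32 that is
# the same host as a bare entry, and one syntactically invalid address.
SAMPLE_LIST='54.245.176.12
3.136.27.87
# comment line
3.73.52.92
54.245.176.12

3.136.27.87/32
300.1.2.3
'

# Octets 0-255, optional /0-/32 prefix, anchored to the whole line.
IPV4_RE='^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}(/(3[0-2]|[12]?[0-9]))?$'

# Strip whitespace, drop comments and empty lines, and fold a /32 prefix
# into the bare host so the two spellings de-duplicate.
clean_lines() {
    printf '%s\n' "$1" \
    | sed 's/[[:space:]]//g; s#/32$##' \
    | grep -v '^#' \
    | grep -v '^$' || true
}

# Entries that pass the IPv4/CIDR check, sorted and de-duplicated.
valid_ipv4_entries() {
    clean_lines "$1" | grep -E "$IPV4_RE" | sort -u || true
}

# Entries that were cleaned but failed the check; review these by hand.
invalid_ipv4_entries() {
    clean_lines "$1" | grep -vE "$IPV4_RE" | sort -u || true
}

# The one-line, comma-separated form the alias editor accepts on paste.
alias_line() {
    valid_ipv4_entries "$1" | paste -s -d , -
}

alias_line "$SAMPLE_LIST"
```

Pipe a downloaded list in the place of SAMPLE_LIST on a real box, and check `invalid_ipv4_entries` before pasting; a typo in one octet is otherwise easy to miss in a long alias.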
#11
General Discussion / Re: KVM-Qemu Guest Agent
March 22, 2021, 02:16:41 PM
Posted this without looking at the repo:
https://github.com/opnsense/plugins/pull/2293

Great!
#12
General Discussion / Re: KVM-Qemu Guest Agent
March 22, 2021, 12:33:02 PM
Since a few days it's available in freebsd ports, perhaps worth a look  ;)
https://svnweb.freebsd.org/ports/head/emulators/qemu-guest-agent
#13
20.7 Legacy Series / Tunables changed for igb driver
August 07, 2020, 12:35:44 PM
Hi, I'm rather new to opnsense, coming from sophos UTM, so I consider myself a beginner.
Recently I replaced my desktop nics by a i340-t4 card, so igb driver in opnsense 20.1.
I discovered that the tunables hw.igb.txd="4096" and hw.igb.rxd="4096" contributed in speed and stability.
In dmesg I could see that netmap applied the descriptor settings during boot.
igb0: netmap queues/slots: TX 2/4096, RX 2/4096
igb1: netmap queues/slots: TX 2/4096, RX 2/4096

A few days ago I upgraded to 20.7 and because there are major changes, like suricata 5 and bsd 12.1, it was somewhat harder to investigate issues, for example throughput being lower with IPS enabled.
During this investigation I thought it's always wise to check if certain custom settings are still being applied.
And they are not.
Apparently old descriptor settings have moved to iflib sysctl tunables. So now I have set for my two igb ports instead:

dev.igb.0.iflib.override_ntxds="4096"
dev.igb.1.iflib.override_ntxds="4096"
dev.igb.0.iflib.override_nrxds="4096"
dev.igb.1.iflib.override_nrxds="4096"

With these settings, the descriptor values are applied again to netmap.
I guess more tunables for igb have moved, so I think if you set "old" ones, you should doublecheck if they are actually applied.

P.S. In my opinion the actual current sysctl tunables for igb are rather hard to find. Since bsd 12.1 the em driver is used for igb.
In the end I used a combination of the actual available values that my system displays for sysctl -a and:
https://www.freebsd.org/cgi/man.cgi?query=iflib&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html
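Added example, not from the original post, FreeBSD or the OPNsense project: a POSIX sh check for the "doublecheck if they are actually applied" step above. It reads loader.conf-style tunable lines, looks each name up in `sysctl -a` style output, and reports OK, MISMATCH (name exists but the running value differs) or UNKNOWN (name not present in the running kernel, which is what happens to a renamed tunable such as the old hw.igb.txd on an iflib driver). Both the requested lines and the sysctl snapshot are constructed for the example; on a real box replace RUNNING with `$(sysctl -a)` and REQUESTED with your loader.conf.local contents. Function and variable names are mine.

```shell
#!/bin/sh
# Verify that requested loader tunables are present and applied in the running
# kernel. Added example, not OPNsense or FreeBSD code; all data is constructed.

# Constructed loader.conf-style lines: two legacy igb names plus the iflib
# overrides from the post.
REQUESTED='hw.igb.txd="4096"
hw.igb.rxd="4096"
dev.igb.0.iflib.override_ntxds="4096"
dev.igb.1.iflib.override_ntxds="4096"
dev.igb.0.iflib.override_nrxds="4096"
dev.igb.1.iflib.override_nrxds="4096"'

# Constructed excerpt of "name: value" sysctl -a output. The legacy names are
# absent and igb1 rxds still reports an empty (default) override.
RUNNING='dev.igb.0.iflib.override_ntxds: 4096
dev.igb.1.iflib.override_ntxds: 4096
dev.igb.0.iflib.override_nrxds: 4096
dev.igb.1.iflib.override_nrxds:
dev.igb.0.iflib.override_nqs: 0'

# Print the value of sysctl $1 from the listing in $2; exit 1 if the name is
# not present. Matches the exact name (next char must be ':') so a prefix of a
# longer name cannot match.
lookup_sysctl() {
    printf '%s\n' "$2" | awk -v n="$1" '
        substr($0, 1, length(n) + 1) == n ":" {
            v = substr($0, length(n) + 2)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# One report line per requested tunable: OK / MISMATCH / UNKNOWN.
# $1 = requested lines (name="value"), $2 = running sysctl listing.
tunable_report() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; /^#/d; /^$/d' \
    | while IFS='=' read -r name want; do
        want=$(printf '%s' "$want" | tr -d '"')      # strip loader.conf quotes
        if have=$(lookup_sysctl "$name" "$2"); then
            if [ "$have" = "$want" ]; then
                printf 'OK       %s = %s\n' "$name" "$have"
            else
                printf 'MISMATCH %s: want %s, running has "%s"\n' "$name" "$want" "$have"
            fi
        else
            printf 'UNKNOWN  %s (not in running kernel; renamed or removed?)\n' "$name"
        fi
    done
}

# Succeed only when every requested tunable is present and matches.
tunables_applied() {
    ! tunable_report "$1" "$2" | grep -qv '^OK '
}

tunable_report "$REQUESTED" "$RUNNING"
```

An UNKNOWN line is the signal the post describes: the setting is still in your config, but no driver reads it any more, so it cannot be doing anything.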
#14
Donated 25 EUR.
It was time to turn words into deeds.
Thanks for all your work so far, keep on going!
Of course thanks to community too!
#15
Hi,

When creating a new service setting to monitor link status for WAN, the interface drop down list only lists "none" and "LAN", no WAN.
My OPNsense system is a virtual KVM instance, 2 pass through nics, that are working fine.
ifconfig lists em0 and em1 interfaces nicely.
I already created a similar service setting for LAN (type network), that's working fine.
The monit process shows it runs like /usr/local/bin/monit -c /usr/local/etc/monitrc{monit}
Opening the /usr/local/etc/monitrc from shell states, so I won't touch it:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

So I'm wondering what has to be done to get WAN in the list for Monit.