Messages

1

23.7 Legacy Series / ddclient screen not updating

« on: October 28, 2023, 06:45:47 pm »

Using os-ddclient.  Was having a hard time troubleshooting as the screen in service -> Dynamic DNS -> Settings never updated with an IP.  Also, under ..-> Log File, it was empty.  Restarted several times, no luck.  reinstalled, no change either. 

But it is working.  in /var/log/ddclient/latest.log (linked file) it shows it was running and being updated.  Verified with my provider and yes it was. 

So, for some reason the interface is not pulling the logged information so I cannot verify with the gui.

2

Intrusion Detection and Prevention / External Block Lists - Firehol

« on: March 03, 2022, 05:00:21 pm »

Besides IPS, having a quick and very current block list of current events like Firehol is great.   

But, I was testing a setup I did a long time ago and noticed the Networks in Firehol (1,2,3) do not seem to get applied in the ruleset.
   

For example I take any of the single IP's in the current Firehol2 and see it is blocked while monitoring the rules for my label.

When I take a IP from a subnet in the list (x.x.x.x/24) It does not block it.   It seems that anything with network notation is not loaded.

I tried both URL IP(s) and URL Table IP(s).

I turned on statistics and went into the alias table.   I see the networks listed i.e. x.x.x.x/24, but even though I curl, http, ping an IP in that network range the counts do not increase.  But for any single IP in the list without a / mask works fine and the counters increase. 

3

General Discussion / Class of Service or APID routing

« on: February 15, 2022, 01:31:13 am »

Is there process in OPNSense to use class of service or APID (using IPS AppDetection) to route traffic to another gateway and/or tag it for a lower priority?   

I used this on PaloAlto and Cisco and want to see if OPNSense for smaller environments can do the same or if there are any tricks you have discovered. 

Example, SocialMedia and music streaming would route to a dedicated gateway.  Cannot use NAT rules as there is no setting but source/destination IP.   Would love to pick the service from OpenAppid or Sourcefire's list for this.

4

22.1 Legacy Series / Re: Update from 22.1.b_5 to 22.1.b1

« on: November 18, 2021, 02:20:13 am »

I see the same issue - Under Update it states I need to update from 22.1.b_5 to 22.1.b1.

The base is 22.b1, but upgrades pops up and it download ~500gb reboots and is still showing it needs an upgrade.

But even more confusing is the message that pops up when checking for an update.

OPNsense 22.1 "Not Yet" has reached its end of life. As such it will not receive any more updates, but the upgrade to the new 22.7 series is seamless and can be performed right here from the web GUI.

I think it's just a type and should be 21.7

But the real question, does this mean this beta will not get any more updates and we have to go back to 21.x (HardenBSD 12)?

Or is there a way to stay on the 22.bx path to get the updates for FreeBSD 13

5

21.1 Legacy Series / Re: Logging targets stopped after 21.1.3 upgrade

« on: March 10, 2021, 08:33:34 pm »

@Franco, from 21.1.1 to 21.1.3.

Resolved - deleted the existing target and created a new one. 

6

21.1 Legacy Series / Logging targets stopped after 21.1.3 upgrade

« on: March 10, 2021, 04:52:26 pm »

After the upgrade and reboot I notice my ELK server did not get any new records.  I stopped and started the syslog-ng service and still nothing.  Did tcpdump on the target server and do not see anything for the port I am sending udp log packets on.  Then did tcpdump on the opnsense server (tcpdump -Q out udp port 5140)  No traffic is going to the ELK server. 

I also have Sensi installed with remote ELK (same elk cluster) and it is still fine (TCP port 9200).

Any logs or setting that may help troubleshooting?

7

21.1 Legacy Series / Re: netmap performance

« on: March 06, 2021, 08:58:58 pm »

Attached is a screenshot showing the strange behavior of slowing down about 5 minutes later. What I did was turn of IPS,  then started IPS.  Waited 3 minutes for it to be fully up and settled down.  Then started iperf.  You will notice it was a consistent 3gbs but at 59 seconds something stopped traffic.  About 5 seconds later we started getting the 600mbs speed.

This network is a test network and idle so no other loads.   This test is easily reproduceable.

8

21.1 Legacy Series / netmap performance

« on: March 06, 2021, 08:35:54 pm »

Revising several threads from the 20.7 forum. Please refer to for details sample of iperf runs:  https://forum.opnsense.org/index.php?topic=17363.msg93234#msg93234

So with 21.1.1 the performance of ix0 and vnet drivers dropped even more without netmap.  But with netmap (turned on with IDS) is unbearable .  I have noticed something really strange when I toggle IDS of then on again.   I drop from just over 3.5gbs to 2.9gbs after I wait 30 seconds for the IDS to enable. But about 5 minutes later is drops down to 600mbs.  I can't even get 1gbs through. The em0 interface goes from 980mbs to about 940mbs which is much better than I expected.  I can leave the machine idle for 10 minutes and still same results with no other traffic flowing.

So it is still an issue with the ix drivers in hardenbsd 12, so I though.  On a whim, I installed the new pfsense 2.5 which has moved to HardenBSD 12 just like OPNsense.  No netmap on ix0 is about 6.7gbs, with suricata on IPS mode (netmap enabled) I get 3.7gbs.  Did same test and let data stream for 10 minutes and saw no change in that number.

@Franco - Is there a test kernel that has netmap or ix driver updates I can test with for 21?  Also, based on that slowdown after 5 minutes and differences between the two bsd distros, do you think there is anything in OPNSense tunable we can look at.

Bottom line, I need get the 10G nics to work at least at 4gbs for our workload. 

9

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: December 11, 2020, 07:42:41 pm »

Hi Franco, does 20.7.4-next work with the 20.7.6 release?   If so I can install it?  But as per the other thread (no traffic monitoring), it's both 20.7.4-next and 20.7.6.   Traffic works fine with 20.7.4 base kernel. 

One item I have noticed since 20.7, ix(i) and vmxnet take a lot of cpu in heavy loads as compared to 20.1.   But most of that is all the Harden BSD 12 code and not opnsense. 

10

20.7 Legacy Series / Re: Traffic Rate zero - sometimes

« on: December 11, 2020, 06:09:08 am »

@mimugmail - Thanks, I shut down the IDS and solid traffic monitoring now.  As per my other posts, IDS/Netmap is really not working on my environment, a 10G card is down to about 1.2-1.5gbs.  Now with IDS off, I get traffic monitoring and 3.9gbs.

11

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: December 11, 2020, 05:16:09 am »

Not going to post all the detail stats but the 20.7.6 updated kernel performs slightly less than the 20.7.4-next kernel on the ix 10G cards.   I am getting about 1.5gbs. 

Please let me know when an updated kernel is available, but I know you are awaiting the BSD code to drop.

12

20.7 Legacy Series / Re: Traffic Rate zero - sometimes

« on: December 11, 2020, 05:04:54 am »

Just confirming, the 20.7.6 upgrade I have the same results.   Seems after every reboot the traffic monitors shwo activity on the network but about 2 minutes later it stops. Telegraph is sending data to a influx server and I see the same there. 

13

20.7 Legacy Series / Traffic Rate zero - sometimes

« on: December 06, 2020, 04:33:09 am »

Please see attached traffic graph.   Traffic graphs (widgets, reporting - traffic, telegraf - influx - grafana...) stop collecting data from time to time.  It will last about 1 to 4 hours, then start showing traffic for about an hour and then stop again. 

Has anyone seen this before?
Interfaces are vmx (ESXI 7.0)

No performance issue, traffic is flowing great.
https://1drv.ms/u/s!AusIvymxSsVCkPcNWDKj-6LFlxgkjA?e=xyiivy

14

20.7 Legacy Series / Re: Netmap cap for all or just 10G ix nics?

« on: November 20, 2020, 04:53:45 pm »

Looks like the Call for Netmap testing thread picked up a new kernel for ix nics so moving my results over there:
https://forum.opnsense.org/index.php?topic=17363.0

By the way, as a preview it helps but brings CPU usage way up.

15

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: November 20, 2020, 04:50:23 pm »

New kernel (20.7.4-next) helps ix 10G cards but some very strange results, seems like each thread has a cap but does parallel process much better.

20.7.4
IDS off  (CPU shows around 5%)
Send
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  3.41 GBytes  5.85 Gbits/sec    0           
Receive (-R)
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.14  sec  4.42 GBytes  3.74 Gbits/sec    0           

IDS On - Hyperscan (CPU  40 - 50%)
Send
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec   742 MBytes  1.25 Gbits/sec    0
Receive (-R)
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.14   sec   455 MBytes   742 Mbits/sec    0

20.7.4-next
IDS off  (CPU shows around 30%)
Send
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  5.17 GBytes  4.44 Gbits/sec    0
Receive (-R)
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.13  sec  2.45 GBytes  2.08 Gbits/sec    0

IDS On - Hyperscan (CPU  60 - 80%)
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  16.1 GBytes  2.30 Gbits/sec
Receive (-R)
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.13  sec  2.43 GBytes  2.06 Gbits/sec    0

But running iperf3 in parallel mode to simulate real multiple streams, it really picks up performance.  In previous kernel sum of parallel was about the same as 1 stream.
20.7.4
IDS On  (CPU shows around 80%)
Send + Parallel 10 (-P 10)
[ ID] Interval           Transfer     Bitrate         Retr
[SUM]   0.00-10.13  sec  7.79 GBytes  6.61 Gbits/sec
Receive (-R) + Parallel 10 (-P 10)

Almost same results for Receive and only about 10% less than with IDS Off.

Overall results with this kernel on an ix 10G interface
1) Double speed increase with netmap enabled
2) Multiple connections increase total throughput
3) New kernel with ix interface - CPU spikes way up both with and without netmap.  Note, if network throughput  is under 1g, then CPU stays around 5%, only when going over 1g does the CPU start to take a hit.