Messages - hakuna

#1
Context:

So I got a Sophos 210 Rev3 box that comes with an Intel G3900 2/2.
I wanted something more... suitable, so I upgraded the CPU to an Intel i7-6700T 4/8 (LGA1151).
Also, the stock fan is freaking loud, so I downgraded to a Noctua 4020 FLX; we cannot manage the speed, so PWM is useless and the FLX runs at full speed all the time.

Problem:

I can see the overall temperature in the BIOS, but that is all.
Out of the box, there is no way to check all the cores' temperatures on OPNSense.
I needed to be able to see how hot the i7 is running with a weaker fan.



Solution:
FreeBSD requires the coretemp module loaded on boot: System > Settings > Tunables

Intel: coretemp_load = YES
AMD: amdtemp_load = YES

Now I can see all the cores' temperatures.

Unless I am missing something, this seems like a harmless settings change and should be the default.
All the bare metal I have used to run OPNSense only displayed one core temp and both zones, nothing else, but until now I didn't bother much.
So this is not a Sophos hardware thing.
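As an added example (not from the post), here is what to do with the sysctls the tunable above unlocks: once coretemp(4) on Intel or amdtemp(4) on AMD is loaded, FreeBSD exposes one `dev.cpu.N.temperature` sysctl per core. The two shell functions below parse that output and flag cores at or above a limit, which is what you want in a cron job when running an i7 on a weaker fan. The lines in `SAMPLE_SYSCTL` are constructed for offline use; on the box itself the script reads live `sysctl` output when it finds the sysctl.

```shell
#!/bin/sh
# Added example, not from the post: read the per-core temperatures that
# coretemp(4)/amdtemp(4) publish as dev.cpu.N.temperature and alert on hot cores.
# SAMPLE_SYSCTL is constructed sample output for offline use.

SAMPLE_SYSCTL='dev.cpu.0.temperature: 58.0C
dev.cpu.1.temperature: 61.0C
dev.cpu.2.temperature: 83.0C
dev.cpu.3.temperature: 60.0C
dev.cpu.0.coretemp.tjmax: 100.0C'

# hottest_core INPUT: print the highest per-core temperature in Celsius (one decimal).
hottest_core() {
    printf '%s\n' "$1" | awk -F'[: C]+' '
        /^dev\.cpu\.[0-9]+\.temperature:/ { if (($2 + 0) > max) max = $2 + 0 }
        END { printf "%.1f\n", max }'
}

# cores_over INPUT LIMIT: print "dev.cpu.N <temp>C" for every core at or above LIMIT.
# Exit status 0 when all cores are below LIMIT, 1 when at least one is not.
cores_over() {
    printf '%s\n' "$1" | awk -F'[: C]+' -v limit="$2" '
        /^dev\.cpu\.[0-9]+\.temperature:/ && ($2 + 0) >= limit {
            sub(/\.temperature$/, "", $1)   # dev.cpu.2.temperature -> dev.cpu.2
            print $1 " " $2 "C"
            hot = 1
        }
        END { if (hot) exit 1; exit 0 }'
}

# Stand-alone run: use live sysctl output on a FreeBSD box with the module loaded,
# otherwise fall back to the constructed sample. LIMIT is the alert threshold in C.
LIMIT=${LIMIT:-80}
if sysctl -n dev.cpu.0.temperature >/dev/null 2>&1; then
    INPUT=$(sysctl dev.cpu | grep '\.temperature:')
else
    INPUT=$SAMPLE_SYSCTL
fi
echo "hottest core: $(hottest_core "$INPUT")C"
if cores_over "$INPUT" "$LIMIT"; then
    echo "all cores below ${LIMIT}C"
else
    echo "WARNING: cores at or above ${LIMIT}C listed above"
fi
```

The non-zero exit status from `cores_over` is what you would wire into a cron entry or a monitoring check; the `tjmax` line in the sample is deliberately ignored by the pattern so the per-package ceiling is not mistaken for a core reading.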




#2
Yes, I have checked the backup files and all the rules are there but 24.7 refuses to restore them all.
#3
I thought I was going crazy after the 24.7 clean install, but there are indeed 2 bugs.
I did a clean install since it is a major release, to avoid problems, and I noticed that:

1. WireGuard crashes for no reason without any error. I have a cron job to restart WireGuard every day at 0:00.
2. Backups aren't restored like 24.1 used to.

This post will cover backups only.

When I restored the backup from 24.1 to 24.7, I picked section by section to be restored; NIC names and a few other things won't be the same when swapping to other hardware, so why restore them.

Restore from 24.1 to 24.7:


1. It does not recognize "Firewall Groups" and shows error messages.
2. None of the Outbound rules were imported, with no error. I had to manually enable "automatically generated rules are applied after manual rules" and create them.

I got a new box to clean install and, as usual, restore section by section: DHCP, VPN and Firewall, since these are the only ones I care about.
I have done this process countless times with the previous version, as I have tested 2 boxes and Proxmox; it always worked, no issues, no drama.

Restore from 24.7 to 24.7:


1. The entire Firewall section does not restore, no matter what.

I have so many rules and NAT entries to force all my devices to both DNS servers (Pi-Hole + Unbound) and block DoT and DoH, among other rules, and hard-coded DNS on IoT.
I had to put the older box back because I am not screenshotting all those rules to manually recreate them, haha.

Has anybody else who has performed a clean 24.7 install noticed that their backups were not imported in full?

Thank you
#4
Quote from: NetworkIT on November 08, 2024, 08:25:36 PM
Hi everyone,
I am new to OPNsense. I use a Dell Optiplex 7050 and a Realtek RTL8125 PCIe card for my firewall/router project.
After installing OPNsense, only the onboard NIC (Intel) is detected and used as LAN.
I ran the command pciconf -lev, which shows the Realtek card in the PCIe slot; I am guessing that it is missing a driver.
I am new to OPNsense and FreeBSD; could anyone who has had the same issue help me with which driver I should download and the instructions or commands to install it?
I appreciate all the help.

The legend says OPNSense does not deal well with RTK (I don't know if it has anything to do with the FreeBSD driver; very likely).
At the moment I am running it on a Dell Precision Tower with a Dell quad-port Intel NIC to avoid problems.

For what it is worth, I have been running OPNSense on a Zotac barebone mini PC with dual RTK NICs and never ever experienced any issue.
Because it is hit and miss, I strongly suggest you buy an Intel PCIe NIC instead.

But double-check the hardware support to avoid more surprises.
#5
Quote from: SecCon on August 04, 2022, 02:48:04 PM
I would like to pitch in since this is about Sophos in general.

Just ordered a Sophos 210 and will probably get it in a couple of weeks. Meanwhile I am looking in to installation tutorials and hardware specs.

It seems the 210 is enough to use in a small home office (and a lot more) with about 100 devices on a GbE LAN, but I am having some issues finding the exact specifications... searching...

I found this, but not entirely sure it applies to the one I get, no confirmation of the hardware revision.
Quote
Hardware specifications rev 1
CPU: Intel Celeron G1820 (Haswell, 53W) 2c, 2.70GHz
RAM: 8GB 1600MHz-DDR3 in 1 DIMM, 2 DIMM slots (easy to add/replace ram)
HDD: 320GB HGST HTE725032A7E630  (Travelstar Z7K500 2.5", 7.2k/32MB cache, AF, 1 platter, 24x7 certified model) mounted in rubber stands
NICs: 6 Intel i210 NICs

I will have to verify this of course when I get it, but looks promising for RAM/HDD upgrade. From images I see I may be getting an earlier HW revision. Hoping to be able to dig in and replace/upgrade a few things.

All the SG's are listed here: https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-sg-series-appliances-brna.pdf

Same, Sophos 210 rev3.
Since I have seen folks mentioning upgrading its CPU and memory, I am hoping it is socketed and not soldered.
The Sophos 210 rev3 allegedly comes with an Intel Celeron G3900 2.8GHz 2/2 and 8GB of memory.
That CPU is LGA1151 with a 51W TDP (thermal design power).

I am assuming the CPU is not soldered but socketed, so I got an i5-8500T 6/6 35W TDP.
In the worst case, if the CPU is soldered, I have a CPU for another project, lol.
#6
Quote from: Seimus on November 04, 2024, 09:59:36 AM
Not sure about the NTOPNG as I do not use it, but give it a try.

Also do you have any HW offloading (CRC, TSO & LRO) enabled?
After you removed ZA, did you reboot the device?

As I mentioned, the error you see is usually due to the fact that Suricata fights with some other system for netmap on that specific interface.

Regards,
S.

HW offloading is disabled.
To be honest with you, I have been dealing with this drama for a while; I just disabled Suricata and removed ZA.
I will try to mark this post as solved.

Thank you so much for the help.
#7
Yup, I got a few of those while trying to import my backup into a fresh install.
It does mention what it doesn't understand, so I had to load the file again and remove the offending settings for the restore to work.

From memory, Firewall Groups was one it refused to import.

Hopefully you can get your setup back on track now.
#8
Quote from: FrankAusNRW on August 13, 2024, 10:45:58 PM
Just installed OPNsense 24.7 on a SG230 r2 appliance smoothly.
The CPU is a G4400 (2c/2t) that can be replaced by another LGA1151 socket CPU if required.

Could you provide more updates on this?
I found an SG230 R2 but I cannot find much, if any, info about CPU and memory.
It allegedly comes with an SSD, which is awesome; it will be replaced anyway.

At the moment I have a Dell SFF running an i7-6700 4/8, which is an FCLGA1151 platform; it would be the perfect CPU, although I might need to do something about cooling because it gets "warm".
I have been playing with fq_codel and it goes heavy on the CPU.
I would like to have at least 8GB, preferably 16GB, of memory running on it even if I don't need it.

Thank you so much.
#9
Quote from: FrankAusNRW on August 13, 2024, 10:43:32 PM
I'm just testing an SG230 v2 appliance with 6+2 ports installed.
Installation went smoothly; the CPU can be changed and the memory can be expanded.
Whether the LCD and the buttons are working still needs to be tested, but I won't need that at all.

I found one fairly cheap, but it has been an adventure to find hardware info such as memory and CPU.
It seems to have an SSD, which is great since I will be replacing it anyway to install OPNSense.

LCDProc can be set up; it just requires some tweaking with Sophos hardware.
#10
Quote from: Seimus on November 01, 2024, 09:24:34 AM

If you want to use Suricata with ZA together they do not stack on top of each other. ZA was developed to protect the LAN. The Co-deployment should be done Suricata on WAN and ZA on LAN.


I believe this is the part I got wrong: I had Suricata on LAN to see what my devices are doing instead of using ZA. ZA is already out, so it isn't that causing it.

Suricata on WAN seems to work, but I don't run any business or anything, so I don't know if that will add any value.
Either way, this appears to be a user error rather than the tool's.

Thank you so much for the help.
#11
Same here, but my logs have zero errors.

I have it set to send all the traffic through my home network (Pi-Hole + Unbound), and all of a sudden I had no internet service.
After restarting the service it is working again, but something is off and my logs aren't helping.

EDIT: OPNSense has Cron, so I set it to restart the WireGuard service every day at 0:00 until I find out what is happening; my logs are clean, so I cannot use them to help.
#12
Quote from: Seimus on November 01, 2024, 09:24:34 AM

If you want to use Suricata on interfaces where ZA is used, you need to disable ZA on them first.



Thank you for the help.
I guessed as much, and with ZA removed, Suricata is still showing the same error message.
Unless NTOPNG could also give that error, I am not sure.

I will review it again.
Please let me know if any other process like NTOPNG could cause that.
I have come across some posts that mentioned the NIC driver being the culprit; I never noticed that message on the backup box running an RTK NIC, for example.

Thanks again.
#13
This is the type of update where you want to perform a clean install to avoid headaches, or you will spend endless time dealing with problems because of the major release.

IIRC, the OPNSense team was preparing a "how-to" for the upgrade; that alone was a clear "there are a lot of things that can go wrong, fresh install it instead" message!
No other major upgrade required that.

I was forced to do a fresh install and it has been flawless, but I did notice that some firewall stuff was not migrated over.
Still, zero problems.

It has been almost 2 weeks since you posted this and you are still having problems.
Back up the config and fresh install it!
#14
I have been using Zenarmor and even paying for the home subscription, but based on Pi-Hole's logs, the last thing I need is a service sending the smell of my fart to the cloud. Cancelled!

So I am trying to test Suricata instead of Zenarmor, but its logs keep showing this: "opening devname netmap:igb0/R failed: Device busy".

I did some digging, but I don't understand it well enough to make changes and break what is working.
Some possibilities include an incompatible driver, because of the igb0 driver.

The NIC is a Dell Intel I350-T4 quad-port PCIe on a Dell SFF PC.

What could possibly be the reason and/or the fix?

The now-OPNSense backup box, a mini PC with 2x onboard RTK NICs, never displayed this message even though RTK NICs are rated as bad NICs; I never really experienced issues with it.

If that matters, this is a small home network; that mini PC had crashed because Suricata's log was 150GB, leaving no disk space, so I have mixed feelings about touching it.

Thank you

#15
I had a similar experience on my Samsung tablet (Android).
On my phone (GrapheneOS), thankfully, everything worked like a dream.

I used to have a dedicated WireGuard VPN VM because it was a nightmare to get it working on OPNSense; with the latest release things are a lot smoother.

The workaround for me would be:


  • Save the content of the Config tab into a text file
  • Install a package called qrencode on your PC, assuming you are using Linux of course
  • Then run: qrencode -t ansiutf8 -r "config_file_you_saved.conf"

It will generate the QR code for you.
If this is an OPNSense thing, it will work.
That is how I used to generate the QR code for the self-hosted WireGuard before moving to OPNsense.
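As an added example (not from the post), the same qrencode step wrapped in a small script, with the one caveat a practitioner would want: the saved file holds the peer's private key, so it is written at mode 0600 and removed as soon as the QR code has been rendered. The keys, addresses and endpoint in `SAMPLE_CONF` are constructed placeholders, not real key material; `qrencode -t ansiutf8 -r FILE` is the real qrencode invocation from the post.

```shell
#!/bin/sh
# Added example, not from the post: render a WireGuard peer config (as copied from the
# OPNsense "Config" tab) as a terminal QR code with qrencode, without leaving the
# private key lying around on disk. SAMPLE_CONF uses constructed placeholder values.

SAMPLE_CONF='[Interface]
PrivateKey = REPLACE_WITH_PEER_PRIVATE_KEY
Address = 10.10.10.2/32
DNS = 10.10.10.1

[Peer]
PublicKey = REPLACE_WITH_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25'

# save_conf CONTENT PATH: write the config with mode 0600. The umask is changed in a
# subshell so the caller's umask is untouched. Returns 1 if CONTENT does not look
# like a WireGuard client config (no [Interface] section with a PrivateKey).
save_conf() {
    case "$1" in
        *"[Interface]"*"PrivateKey"*) ;;
        *) echo "not a WireGuard client config" >&2; return 1 ;;
    esac
    ( umask 077 && printf '%s\n' "$1" > "$2" )
}

# file_mode PATH: the ten-character permission string from ls, which reads the same
# on Linux and FreeBSD (stat's flags differ between the two).
file_mode() { ls -l "$1" | cut -c1-10; }

# show_qr PATH: render the QR code in the terminal, then delete the file so the
# private key does not linger. Prints a hint instead if qrencode is missing.
show_qr() {
    if command -v qrencode >/dev/null 2>&1; then
        qrencode -t ansiutf8 -r "$1"
    else
        echo "qrencode not installed (Debian/Ubuntu: apt install qrencode)" >&2
    fi
    rm -f "$1"
}

# Stand-alone run: save the sample, show its mode, render the QR code, clean up.
CONF="${TMPDIR:-/tmp}/wg-peer.$$.conf"
save_conf "$SAMPLE_CONF" "$CONF" && echo "saved $CONF ($(file_mode "$CONF"))" && show_qr "$CONF"
```

Scanning the code with the WireGuard app imports the whole file including the private key, so the only copy that should survive is the one on the phone; if you keep the .conf for later, keep it at 0600 or in a password manager rather than in a shared Downloads folder.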