Messages - meyergru

#1
Hardware and Performance / Re: N150 / N355 good fits?
November 23, 2025, 09:23:08 PM
IDK if zenarmor has finally made the jump to being multithreaded, there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed).
#2
General Discussion / Re: GUI/Shell crashing
November 23, 2025, 09:17:59 PM
I really do not know.
#3
General Discussion / Re: GUI/Shell crashing
November 23, 2025, 07:57:49 PM
Did you try installing the microcode updates? It does not look like it from the report...

There is definitely something off in the Power Management in your firmware:

Quote: [1] Firmware Warning (ACPI): Optional FADT field Pm2ControlBlock has valid Length but zero Address: 0x0000000000000000/0x1 (20221020/tbfadt-796)

If the uptime is exactly 20 Minutes, I would look for a BIOS watchdog. When you look at the forum search for HP T730, you will find a few other reports of systems freezing or crashing.
#4
It does not become any more true by repeating this. As pointed out, the PHP vulnerabilities were detected after the 25.1.10 release, so there never was "a release ship with fresh vulnerabilities still present" like you say.

The sudo vulnerabilities are not applicable to OpnSense, so they were a false alarm.

Anyway, 25.1.10 was long ago succeeded by 25.7.x, where the referenced vulnerabilities have been fixed.

So, what is your actual complaint? Not having updated to 25.7.7_4? That would be on you, I guess.
#5
General Discussion / Re: GUI/Shell crashing
November 23, 2025, 06:36:09 PM
Try using the tuneable "hw.pci.enable_aspm = 0" to disable ASPM if your BIOS does not support it. Those freezing issues often point to ASPM issues.
#6
25.7, 25.10 Series / Re: Can't update 25.7
November 23, 2025, 09:21:32 AM
With certain Intel CPU series, there were hangups from 25.7 on, especially when you use UFS instead of ZFS, which is now recommended. The symptoms are much like yours, so I suggest that this is your problem - even more so, because it seems reproducible.

You can avoid them by applying the tuneables that are described in the links I gave you. Also, on most platforms, the firmware does not have the latest CPU microcode updates, so you should install the appropriate packages.

You should do this before the upgrade to 25.1. If you want a clean install on 25.7.x, use ZFS (but still apply the tuneables).
#7
German - Deutsch / Re: Routing-Performance
November 23, 2025, 09:14:20 AM
I would try reducing the MTU on the clients to the usual 1500 bytes. The jumbo MTU brings next to nothing anyway.
#8
25.7, 25.10 Series / Re: Can't update 25.7
November 23, 2025, 12:08:51 AM
Look at this. It is also mentioned here: https://forum.opnsense.org/index.php?topic=42985.0, point 23.
#9
That is strange. If a TLS client does not send the hostname any more, how would name based access in HAproxy work? It serves as the selector for the presented certificate in the first place. Of course, there is a fallback that you can create in HAproxy, but this would only be used for really ancient clients, IP-based access or a catch-all for unknown hostnames.

Is that something "new" for IOS 26? If so, it will sure break things.
#10
I have never encountered any compatibility problems with 10G DAC cables.
#11
Ah, I see. You are not using the OpnSense CA at all. Normally, curl should accept all certificates that are entered in System: Trust: Authorities. It does for me; I also use my own external CA.


#12
German - Deutsch / Re: Routing-Performance
November 22, 2025, 06:33:24 PM
I think it is Zenarmor, even without blocking. The hardware should easily manage 1 GBit/s, see my signature.
#13
German - Deutsch / Re: Routing-Performance
November 22, 2025, 03:25:26 PM
1. How and from where did you measure? Do not measure from the OpnSense itself, always "across" it. Use iperf with -Pn.
2. Conditions: IDS/IPS active or pure routing?
3. RSS active?
4. Hardware offloading consistently off?
#14
All right, but you misunderstood: you can either create your own certificates directly in the UI or use ACME.sh to obtain them from an official ACME CA. The internal OpnSense CA does not support the ACME protocol, so these approaches cannot be combined, as I already explained above.

You can use both types of certificate for the OpnSense web UI, among other things.
#15
I use Uptime Kuma only for all of my services being basically "up / present", which are quite a lot, so I also put them into groups. The services do not even have individual alerts, those are only enabled at the group level. Actually, I use a HomeAssistant alert to send a voice notice to my Amazon Echo Dot.

This is a health check only.

On top of this, for real monitoring purposes, I use the well-established telegraf/influxdb/grafana combo. For most Linux boxes, there is a dashboard and also for OpnSense and many more, like for Proxmox.