Messages

I've looked and couldn't find any microcode updates AMD only deliver these for this CPU via bios updates and the bios update for this model is only delivered by HP.

That is only partially correct. AMD may deliver what they want. The updates contained in BIOSes are being extracted and put into separate packages, such as os-cpu-microcode-amd for OpnSense, to be applied apart from BIOS updates. BTW: There are similar packages for Linux / Proxmox as well using the same extracted firmwares.

I repeatedly tried to tell you. Had you looked at https://forum.opnsense.org/index.php?topic=42985.0, point 23 and followed the link to the official docs there, you should have noticed.

The only question is if there is actually an update available in that package for you specific CPU and if it fixes your problem. You will find out only if you try, not by discussing if this is possible at all, so please do as Patrick said.

Microcode updates are applied via a BIOS update, there aren't any separate updates. It's running the lasted BIOS L43 1.16.

Some things to clear up here:

1. I am not saying that there is a newer microcode update - what I do say is that IMHO, manufacturers are slow to adapt the newest microcode updates.

2. The BIOS you are using is at least 3 years old: https://h30434.www3.hp.com/t5/Desktop-Operating-Systems-and-Recovery/HP-T730-Bios-update-failed/td-p/8453495

3. Yes, the microcode updates delivered as OS packages are separate updates, which can be significantly newer than those delivered in your BIOS. And they are needed for some platforms, like the N1x0 and other 12th gen Intel chips with OpnSense from 25.7. upwards, see: https://forum.opnsense.org/index.php?topic=42985.0, point 23.

That being said, IDK if there actually are any updates available or if they change anything for your symptoms. I just would not shrug this off if I were you.

RealTek NICs are known to work badly with FreeBSD / OpnSense. If at all, you can try the os-realtek-re plugin.

I also do not know if the latest BIOS is up to par w/r to microcode updates (or if there are still updates from AMD for this old platform).

And, yes of course it can be a compatibility issue. FreeBSD does not support as many hardware types as Linux and some of the FreeBSD drivers are abysmal.

Hast Du Firewall-Regeln definiert, die den Zugriff erlauben? Die Eintragungen im Wireguard selbst reichen dafür nicht.

Damit kommst Du nur bis zur Tunnel-IP - damit kannst Du übrigens auch checken, ob die WG-Verbindung wirklich funktioniert.

IDK if zenarmor has finally made the jump to being multithreaded, there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed.

I really do not know.

Did you try installing the microcode updates? It does not look like it from the report...

There is definitely something off in the Power Management in your firmware:

[1] Firmware Warning (ACPI): Optional FADT field Pm2ControlBlock has valid Length but zero Address: 0x0000000000000000/0x1 (20221020/tbfadt-796)

If the uptime is exactly 20 Minutes, I would look for a BIOS watchdog. When you look at the forum search for HP T730, you will find a few other reports of systems freezing or crashing.

[after]

It does not become any more true by repeating this. As pointed out, the PHP vulnerabilities were detected after the 25.1.10 release, so there never was "a release ship with fresh vulnerabilities still present" like you say.

The sudo vulnerabilities are not applicable to OpnSense, so they were a false alarm.

Anyway, 25.1.10 was long ago succeeded by 25.7.x, were the referenced vulnerabilities have been fixed.

So, what is your actual complaint? Not having updating to 25.7.7_4? That would be on you, I guess.

Try using the tuneable "hw.pci.enable_aspm = 0" to disable ASPM if your BIOS does not support it. Those freezing issues often point to ASPM issues.

With certain Intel CPU series, there were hangups from 25.7 on, especially when you use UFS instead of ZFS, which is now recommended. The symptoms are much like yours, so I suggest that this is your problem - even more so, because it seems reproducible.

You can avoid them by applying the tuneables that are described in the links I gave you. Also, on most platforms, the firmware does not have the latest CPU microcode updates, so you should install the appropriate packages.

You should do this before the upgrade to 25.1. If you want a clean install on 25.7.x, use ZFS (but still apply the tuneables).

Ich würde mal die MTU auf den Clients aus die üblichen 1500 Bytes reduzieren. Das bringt sowieso so gut wie nichts mit der Jumbo MTU.

Look at this. It is also mentioned here: https://forum.opnsense.org/index.php?topic=42985.0, point 23.

That is strange. If a TLS client does not send the hostname any more, how would name based access in HAproxy work? It serves as the selector for the presented certificate in the first place. Of course, there is a fallback that you can create in HAproxy, but this would only be used for really ancient clients, IP-based access or a catch-all for unknown hostnames.

It that something "new" for IOS 26? If so, it will sure break things.

I have never encountered any compatibility problems with 10G DAC cables.

Ah, verstehe. Du verwendest gar nicht die OpnSense CA. Normalerweise sollte curl alle Zertifikate, die in System: Trust: Authorities eingetragen sind, akzeptieren. Bei mir tut es das, ich verwende auch eine eigene, externe CA.