Messages - Vilmalith

#1
I don't have experience with this particular model. These low-end mini PCs and their low-end CPUs aren't really meant for IDS/IPS, at least not if you need, want or are planning on getting speeds of 1Gbps or more.

The Protectli VP2420 does have 2.5GB ports and it comes with the Celeron J6412 (single thread rating 1371, multi thread rating 3831). 

Just a base OPNsense install and then installing Suricata. Most users turn on Suricata on WAN, go bananas with enabling shit and then never look back.  Suricata is not set it and forget it. The speed hit you get from Suricata will depend on what you enable and if you're actually monitoring it and make changes per your use case and what you are seeing.  Regardless, Suricata will cap you at less than 1Gbps on this hardware.  A quick search online shows benchmarks on this exact Protectli hardware ranging from 200Mbps - 800Mbps.

Just a base OPNsense install and then installing Zenarmor. Zenarmor will be a lower performance hit compared to Suricata. They are 2 different beasts after all. It's intended for LAN side. You should see somewhere between 1Gbps and 2Gbps... maybe even port max. Zenarmor is not multithreaded yet, they keep pushing it back but claim it will be out this year (2025). Currently, regardless of hardware, Zenarmor caps out around 5Gbps.


I run OPNsense on much more powerful hardware than this (I have 10Gbps fiber internet at home). I do use Zenarmor Paid. I do have services running behind a reverse proxy. I do not use Suricata, it's too much work in a home environment and the performance hit even on high end hardware is too great for what you get in return. I'd argue with the advent of services like Crowdsec (which I do use on WAN and Proxy) and Maltrail (I dabble on Proxy), Suricata isn't worth it anywhere. Except maybe as a means to torture yourself.
#2
Is there a way to import all of my static DHCP mappings from ISC to Kea before I switch over to Kea?
#3
Running the settimestamp command in the CLI brings it back as it did after the 1.15 upgrade.
#4
Restarted the service, still no GUI
Ran the set time stamp command, GUI is back

Sent feedback as requested
#5
As the subject says, have rebooted a couple times and have also done a clean install with the same result.
#6
TLS/SSL Inspection is now going to be business license only?

I noticed today that your features list, lists Policy based Transparent TLS/SSL Inspection as coming soon only for the Business license. Granted I haven't looked at the feature list in a while. But the feature list doesn't list any other TLS/SSL inspection. Are none of the other licenses for Zenarmor getting TLS/SSL inspection now?
#7
Zenarmor (Sensei) / Re: TLS inspection question
January 25, 2023, 03:47:03 PM
Will it work with a cert from Let's Encrypt or only with something we'd have to purchase from a different certificate authority?
#8
I've registered to get 10gb fiber at my house. I don't yet have an install date. Will OPNsense achieve line rate with an Intel X550-T2 and/or is there a better choice? I will be running OPNsense + Zenarmor (no Suricata).

Also, the various tuning guides out there, are they still relevant for OPNsense 22.x/23.x and FreeBSD 13.x?
#9
Zenarmor (Sensei) / TLS inspection question
January 24, 2023, 02:20:13 AM
I've asked this on other TLS inspection threads with no response. Is your plan to still do TLS inspection without requiring certificates on client devices?
#10
I am back to using AdGuard Home on a Pi for DNS announced to my clients via DHCP on their various VLANs.

OPNsense is still using my ISP DNS.

Does using AdGuard Home negatively impact Zenarmor or its effectiveness in any way for these same clients?
#11
I am testing RSS on my Topton i5 2.5GbE device and have noticed in game/app decreases in latency. But there is a Zenarmor warning about possible issues when it notices that RSS is enabled. Though it doesn't go into detail about what these issues could be.

Is Zenarmor fully functional and performant when RSS is enabled?
#12
Quote from: sy on June 06, 2022, 03:52:55 PM
Hi,

Yes, the 2.1 release will be shipped with TLS Inspection.

And it will do this without something like SSL Inspector in Untangle and having to install certificates on all devices?
#13
Zenarmor (Sensei) / Re: Policy limit question
April 22, 2022, 08:08:55 PM
Must give props to Zenarmor's documentation team for reaching out to fix the discrepancies shown on their site.
#14
If I uncheck any of the disable hardware offload options in Interface > Settings, the X550-T2 I'm using stops working.

However, if I leave the disable options checked and then change settings under the System tunables, everything works as expected.

What's the difference and/or why do I have issues using the settings under Interface vs the same settings under System tunables?
#15
Zenarmor (Sensei) / Re: Policy limit question
April 20, 2022, 06:44:36 PM
Right, the point is that literally in their marketing screenshots and their how-tos' screenshots they show:
My Wife
My Guests
My Kids
Default

Which is 3 user-created policies + the default catch-all. So they either need to fix all of their screenshots or they need to rethink their policy on counting the default catch-all against the paid count. Unless all of the screenshots are an example of a Business setup that uses obvious Home policy names...