Messages

it is quite disappointing. have been running a unifi gateway fiber (UXG) for 3 weeks now, the one without the network controller built-in. using the cybersecure subscription, which is $99 a year, so similar cost to zenarmor. unifi gateway basically uses suricata + dns filtering using cloudflare.

i have no problem getting 5gbps+ in my lab testing (sfp+ wan and lan) with all the suricata categories on + geo filtering + cloudflare content filtering, using this $279 unit. connecting it to my 1gbps fiber ISP,  idles at 7w and uses at most 9w when using the full 1 gbps connection.

zenarmor's categories and filtering is by far superior. especially since it filters at the firewall / packet level. unifi's relies on dns for content filtering, so if you wanted to block traffic at the firewall, you need to do old school firewall rules, which have different options than the cloudflare categories. which are also very broad and not really tunable.

unifi's gatetway software has definitely improved greatly over the past 2 years. 2 years ago unifi gateway software was so unstable and unuseable.

is opnsense a better firewall/gateway then unifi?

yes, without a doubt

is zenarmor better than the cybersecure for content filtering?

yes, without a doubt

but unifi is certainly not far behind and then zenarmor just does the most annoying things to its customers because it can't figure out how restrict businesses from using home licenses??? other than making it a bad experience for home licenses. lol.

my kids are getting to the age now that extreme content filtering is not really needed, so for me the zenarmor advantage is less and less attractive. i plan on sticking with the unifi unit for a couple of months to fully give it a shot. hopefully go through a few software updates as well. see if that is a disaster or not.

dmesg shows multiple boots. so if you just dmesg | greg, and some of your boot logs before the firmware update was done will show the older firmware of course. its easiest to verify with sysctl

Code Select Expand

sysctl dev.igc.0.fw_version
sysctl dev.igc.1.fw_version
sysctl dev.igc.2.fw_version
sysctl dev.igc.3.fw_version
etc


the answer is in the output

Code Select Expand

[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]

maybe stop setting sysctls you don't understand?

Instead of ridiculing me and making assumptions, why not just help by providing a solution. Just a thought...
Sometimes misconfigurations occur for various reasons...

I do not see a tunable for 'netmap_config_obj_allocator', can someone actually provide some helpful guidance please?

Code Select Expand

2048 out of range [2, 1024]
it says 2048 is out of range and gives you the min/max, so from that, what sysctl did you set to exactly 2048. that tells you the answer

i would agree on 3, the new top level menu item is a bit much. annoyed that zenarmor does it, annoyed that qfeeds does it. just put your service/plugin in the services menu imo

i had success with my protectli vp2440, both the X710 and i226v nics. first i updated the X710

https://kb.protectli.com/kb/how-to-update-intel-nic-nvm-firmware-on-protectli-vaults/

downloaded the complete driver pack.

Code Select Expand

fetch https://downloadmirror.intel.com/869912/Release_30.5.1.zip
unzip'd the 700 series, for freebsd, ran nvmupdate64e and for the x710, everything was automatically detected and updated to 9.55

for the i226, downloaded the 2.32 2MB firmware. mine had 2.17 to begin with.

Code Select Expand

fetch https://github.com/BillyCurtis/Intel-I226-V-NVM-Firmware/raw/refs/heads/main/I226-V/2.32/FXVL_125C_V_2MB_2.32.bin

then setup the nvm.cfg.. i had to modify the EEPID and REPLACES sections to match my setup (got that info from dmesg and trying to update, failing and looking at the log output).

Code Select Expand

CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.14.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_2MB_2.32.bin
EEPID: 80000422
RESET TYPE: REBOOT
REPLACES: 80000303
END DEVICE
then for each i226 nic by mac address, i ran

Code Select Expand

./nvmupdate64e -b -l nvm-6462662505A5.log -m 6462662505A5 -u -c nvm.cfg
./nvmupdate64e -b -l nvm-6462662505A6.log -m 6462662505A6 -u -c nvm.cfg
reboot

Code Select Expand

# sysctl dev.igc.{0,1}.fw_version dev.ixl.{0,1}.fw_version
dev.igc.0.fw_version: EEPROM V2.32-0 eTrack 0x80000422
dev.igc.1.fw_version: EEPROM V2.32-0 eTrack 0x80000422
dev.ixl.0.fw_version: fw 9.155.78849 api 1.15 nvm 9.55 etid 8000fe27 oem 0.0.0
dev.ixl.1.fw_version: fw 9.155.78849 api 1.15 nvm 9.55 etid 8000fe27 oem 0.0.0
edit: this also worked on my Odroid H4 ultra, i226v shipped with v2.22

How do you feel about their i3/i5/i7 line (VP66xx)?  They are not fanless and of course cost more, but idle TDP is 12W (100W max) per the product sheets. Also dual channel, though not sure if that makes a big difference.

Would you still take the VP2440 over a VP6650 if price were the same?

yea, i didn't want the fan. idle maybe similar, but zenarmor basically keeps 1 cpu at 3-5% on idle, so the cpu is never in that lowest idle state with zenarmor. i am sure the vp6xxx series is good too.

for me, zenarmor annoying AF. they keep removing features saying customers are abusing the free/home tiers, and their solution is to put previous features behind business fees, or not bring multi-core to home license. then the software upgrades, since moving to opnsense business its been better, but for a while zenarmor would break on every opnsense update. then the constant SSL certificate errors on the freebsd repository. like if you can't even get SSL certs correct, do i even trust your software, lol... anyway, long rant, but i am looking at just using adguard home or pihole and some firewall aliases to just replace zenarmor. its not the same, but it would be good enough. and then, the n150 would be overkill, even running wireguard at 2 Gbps (easily).

the answer is in the output

Code Select Expand

[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]

maybe stop setting sysctls you don't understand?

i recently ran some tests with

Protectli VP2440 - N150 with X710 10g
Odroid H4 Ultra - N305 with X710-DA2 10g via m.2 to PCIe adaptor
Supermicro X13SCL-iF - Intel Xeon 6325p with X710-DA2

OPNsense Business 25.10_2
Zenarmor 2.2 with a good amount of the blocking categories selected. I wasn't going for scientific results, just casual observations.

All X710's had firmware upgrade to 9.55 from the 30.5.1 intel driver pack.

WAN/LAN are ixl0 and ixl1 ports. I've tested various tunables, etc and using iperf3 to generate traffic.

Code Select Expand

iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900
iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900 --reverse
iperf server is a Supermicro X13SAE-F with i7-13700t and Mellanox ConnectX-5 and iperf client is Lenovo P3 Tiny with i5-13400t and Mellanox ConnectX-3. Both running Linux.

All 3 could route 10g without much fuss. 9.46 Gbps iperf in both directions WITHOUT Zenarmor of course.

With Zenarmor, I have tried both emulated and native, since the X710 has pretty decent native netmap driver support. Both throughput and CPU usage was nearly identical between the driver modes. Enabling RSS definitely helped, especially in the 6325p. So all the results here have RSS enabled.

Code Select Expand

N150 - Max throughput with Zenarmor - 3.1 Gbps
N305 - Max throughput with Zenarmor - 3.4 Gbps
6325p - Max throughput with Zenarmor - 8 Gbps upload, 6.8 Gbps download
the slower speeds, i didn't see much difference in upload vs download directions. On the 6325p, i did see a measurable and consistence difference. Enabling RSS on the 6325p increased throughput by almost a 1 Gbps.

i don't have a faster cpu than the Xeon 6325p, so i was not able to achieve 10g with Zenarmor. that being said, in all these cases, Zenarmor is using 100% of 1 cpu and the rest of the system is pretty much idle. if zenarmor had decent multi-core processing, a N150 would maybe do 10g, a N305/N355 almost certainly.

zenarmor is dumb with their company tho, imo, saying they don't want to do multi-core for home edition because businesses will  but home edition and pay for that. like whatever.

i wish protectli had an N355 version. the vp2440 setup is pretty neat. fanless. the memory/m.2/x710 heatsink built into the bottom of the chassis works amazing. great idea, simple but effective. very nice machine for home. also would be neat to see 1U from them, but they have never done a rack mount before.

--

This is my attempt at fitting Odroid in Supermicro 1U chassis (had to physically remove the audio ports lol) -> https://forum.odroid.com/viewtopic.php?f=168&t=50558

in /usr/local/etc/pkg/repos/SunnyValley.conf i changed 25.7 to 25.10 and it seemed to get pass the pkg update and allow the 2nd half of the 25.10 to continue

Code Select Expand

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.10 (amd64) at Wed Oct 15 09:56:42 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

blocking ip 149.154.175.55. its blocking all telegram.

yea i guess i was hoping to be able to use N-series intel boxes, like N100/N150 or N-305/N-350 with Zenarmor + Wireguard at 1-2 Gbps. Wireguard is very good at going across cores, but Zenarmor will peg 1 cpu so you can't have both, Zenarmor + Wireguard, even though there is CPU leftover.

the whole businesses trying to use the home subscription is absolute bullsh*t. meanwhile, you get tons of free testing from home users. The whole SASE stuff, i don't care about any of that as a home user. i want to use low powered device without sacrificing my internet connection.

i picked up a UniFi Fiber gateway and $99/year Cybersecure subscription. This has come a long way in 1 year with regard to content filtering. Its still in pre-release software, but its very close to Zenarmor in terms of content filtering, etc. Using suricata, content filter, is all multi-threaded, no limits, so this is getting interesting at least.

i prefer OPNsense as a router. zenarmor is nice, even with its upgrade warts. As a home user, i just want some decent content filtering, be able to use my full fiber home connection, and do it on the lowest possible power device. zenarmor makes this easy in some ways and extremely difficult in others.

is it possible for unbound to support blocklist in this format or similar?

Code Select Expand

server:
local-zone: "doh.dns.apple.com." always_nxdomain
local-zone: "mask.apple-dns.net." always_nxdomain
local-zone: "mask.icloud.com." always_nxdomain
local-zone: "mask-h2.icloud.com." always_nxdomain
local-zone: "mask-api.icloud.com." always_nxdomain
local-zone: "use-application-dns.net." always_nxdomain
most blocking i want to return 0.0.0.0 but for a handful of domains, i want to return NXDOMAIN. right now i do this by putting a custom file in

Code Select Expand

/usr/local/etc/unbound.opnsense.d/
but that not ideal as it doesn't get backed up or restored with normal config.xml tools. i would like to provide unbound with an custom URL for a blocklist that also specifies the response type, like NXDOMAIN instead of the global setting.

thx. that fixed it for me.

this also makes all the plugins and packages "orphaned", preventing you for adding or removing any other packages, even ones not related to zenarmor.. if we aren't going to get a fix, can we at least get updates? like why its not getting fixed or taking longer than expected, so we aren't left in the dark?