Messages - becks0815

#1
I also would love to have a solution for this. I found out that my FW consumes a lot of power, even when there is no traffic, and after searching for a while, I came across netflow, which consumes 99.7% of a single core (Intel N100), with a SQLite db of 6.1 GB size.

Turning off netflow resulted in a drastic reduction of the CPU power consumption, re-enabling it in the observed behavior. After I manually reset the netflow data, enabling netflow didn't result in the CPU usage increase like before, so I am pretty sure the python process consumes a lot of power when writing to a big db (on an SSD, ZFS formatted, in case it is interesting).

So is there a function available to drop data after X days, reduce the db size and also cpu usage?
#2
My solution in the end was to set up wg-easy on a NAS and use it as a server instead of opnsense. Also had some issues, with the one causing the most problems being trying to route all the traffic through the traefik proxy first. I experienced timeouts and packet loss even while being at home. After moving the wg docker to its own virtual network, everything is stable now. No data loss and ping is in the low single digit milliseconds all the time instead of having spikes up to 600ms.

I also moved the ddns service to the NAS, so it looks like I am ready for an upgrade to 23.1
#3
Also had issues: https://forum.opnsense.org/index.php?topic=32110.msg155672#msg155672

Might be related to what another user posted in the thread:

Quote
It seems that after some indeterminate period of time, wireguard-kmod forgets what interface it should be replying on and ignores the NAT Reflection rules. If I disconnect the Android client and reconnect, everything goes back to normal and it no longer tries to send traffic out the wrong interface.

My solution was to move back to 22.7 for now. I also installed wg-easy on a machine on my home network, but here I also have strange issues with my box dropping the connection. I'll keep wg-easy for now, it offers some other advantages like QR code generation I can use to create the required settings on my phone by scanning it. Much easier than the manual copy&paste multi step process on opnsense.

[edit] Just saw the thread here: https://forum.opnsense.org/index.php?topic=32347.60

Looks like IPv4 dropped the route on DHCP refresh of the WAN interface. This might be the reason for wg also dropping the connection. Fix is out in the latest opnsense version, so I would try that one first.
#4
Quote from: RamSense on January 27, 2023, 08:39:36 AM
Anybody else having problems with Wireguard Kernel vs go?

Yes. Upgraded from 22.7 with WG being installed and used with my mobile phone as the only client (so far). No issues on 22.7. After the upgrade I found out that any network access of my mobile phone is blocked/stopped if I don't use it for a while (around 15 mins or longer) while the WG client is active and I am connected to my home wifi network. I can't ping anything, my phone doesn't react to ping on the IP address assigned for WG but reacts to ping on the address used while connected to wlan without WG turned on. On top, the GUI of opnsense shows handshakes between server and client all the time until I start using the phone after a break. Then the handshakes also stop.

I can resolve this by turning the WG client on my phone off and on again. Then my phone has a connection like before until I make another break.

I have switched back to the old module now and haven't run into any issues so far.
#5
Additional note:

Add four new entries under system -> settings -> tunables:
dev.cpu.0.cx_lowest
dev.cpu.1.cx_lowest
dev.cpu.2.cx_lowest
dev.cpu.3.cx_lowest

and use C3 as value for each of them. Then the tunings survive a reboot.
#6
Saw the last one today...

I have tested it (with the other options already enabled) but didn't see any differences.
#7
I just upgraded opnsense to 22.1.7, checked the plugin page and found "os-adguardhome-maxit (orphaned)". Does this mean the package is no longer available, or is it discontinued and I either have to find a way on how to install Adguard home on opnsense or do I have to install it on a second machine now to keep it up to date?
#8
22.1 Legacy Series / Re: Wireguard no handshake
April 25, 2022, 07:08:41 AM
For the settings in the server, set the allowed IPs for the client to something else than x.x.x.1 if this is the address you normally use for the gateway/firewall:

Quote from: phamd4 on April 24, 2022, 08:00:24 PM
Hello zerwes,

Thank you for your suggestion.

I have changed my server to 10.0.0.1/24 and my allowed IP to 10.0.0.5/32 but it seems to not connect to handshake as well.

I hope there are something else I could have done.

This is correct. .1 is normally used for the GW/FW and anything above is for clients.

The next steps then are to exchange the public keys between the server and the client, and then to add the used IP (10.0.0.5) into the config settings of your client.

And then - restart the wireguard service! It doesn't automatically take over the config like other services, but you need to go to the lobby, select the service button, stop it and restart it. This was something which caught me when I set the whole thing up.

What I can only recommend is to use the official docu here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and follow it step by step. I also tried YT videos, but I always had the docu open to cross read so I didn't forget anything. As said, step 4 was the one which resulted in headaches on my end, because only by restarting the service all the details like new/changed keys are really taken over and enabled.

#9
Sorry if I can't help here as I am not the developer of powerd++ and I also don't have any other hardware to test it. :-\

Just a small feedback: I have tested the settings now for the past days, including long sessions with stress tests (running Soulseek), and the initial results haven't changed: the system runs stable, even the frontend is pretty fast reacting to updates/changes, I haven't had any disconnects, timeouts or network interruptions (like with powerd/min), and still the CPU cores are cooler than before. Core 0, the most stressed one, even goes down to 48°C for some seconds, something I haven't seen before since I bought the box 1y ago. Max temp under heavy load is 55-56°C on that core (before: 63-65°C).

I hope I finally have time to assemble the power monitor (ESP8266/INA219) I plan to use for all hardware pieces running on 12V and then find a timeframe I can shut down the FW without interrupting anyone.

#10
I have corrected the link. The forum software changed my data when I first saved it.
#11
You are welcome. I have enabled the settings on my box yesterday and haven't run into any issues. The FW4 runs stable, even when I try to fill up the bandwidth with various services, just to see how it behaves.

Combined with powerd++ which really makes a difference on an older CPU like the J3160 I use, just by looking at the temperature of the CPU (at least 5-7°C lower, especially under load), I am sure it makes a difference in the power consumption.
#12
And another one....

Just like with the C-states, I also played around with powerd. Tried to run my sys with "minimum" as power profile which resulted in an immediate drop in the CPU core temp on the most used core 3 by 4°C (from 60°C down to 56°C), but ended in network discos due to the cpu being overrun when trying to push 20 MB data/sec over the firewall.

Then I tried some settings with powerd and fine tuned adaptive mode on the command line, but this resulted in no real improvements.

And here comes powerd++ (https://github.com/lonkamikaze/powerdxx) which, according to the author(s), offers a much better way of handling/scaling the CPU based on the load.

Installation is pretty easy:

1) Open the opnsense frontend, and under system -> settings -> misc disable powerd.

2) Open a shell on the FW box, change to the home directory of root, then install git:

# pkg install git

3) Clone powerd++, change to the directory, compile and install it:

# git clone https://github.com/lonkamikaze/powerdxx.git
# cd powerdxx/
# make
# make install

4) Change the config for powerd++ by editing /etc/rc.conf:

# nano /etc/rc.conf

rc.conf:
powerdxx_flags="-a adp -n adp -m 480 -M 1600" # set adaptive mode, min frequency to 480 and max freq to 1600 MHz

5) Enable powerd++ and start it:

# service powerdxx enable
# service powerdxx start

Results on my end:
When running powerd in combination with minimum as CPU profile, idle temp of core 0 was 55-56°C but I ran into network disruptions as soon as I tried to push 12 MB/sec or more data from WAN to LAN. With powerd/adaptive I ended up at 59-60°C CPU core temp and 63°C under load, but was able to push 20 MB/sec without issues.

With powerd++ / adaptive (no other changes applied), idle temp is at 57°C and I have no network problems pushing 20 MB/sec with core 0 reaching 59°C max.

As soon as I can shut down the box and plug in a power meter I can have a look at how much difference this makes, but based on the initial results you can save some energy.
#13
No idea if it can be implemented, but powerd++ ( https://github.com/lonkamikaze/powerdxx ) might be interesting. It offers a better way to adjust the speed and power consumption of a CPU than powerd which ships with opnsense, and with hardware running 24/7/365 even a small improvement in conserving energy is worth the work to implement it.
#14
I have a protectli Fw4 clone, running 22.1.6. While playing around with methods to reduce power consumption, I spotted the following:

root@OPNsense:~ # sysctl dev.cpu |grep cx
dev.cpu.3.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.3.cx_usage_counters: 304429829 0 0
dev.cpu.3.cx_usage: 100.00% 0.00% 0.00% last 312us
dev.cpu.3.cx_lowest: C1
dev.cpu.3.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.2.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.2.cx_usage_counters: 352002831 0 0
dev.cpu.2.cx_usage: 100.00% 0.00% 0.00% last 47us
dev.cpu.2.cx_lowest: C1
dev.cpu.2.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.1.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.1.cx_usage_counters: 288856368 0 0
dev.cpu.1.cx_usage: 100.00% 0.00% 0.00% last 305us
dev.cpu.1.cx_lowest: C1
dev.cpu.1.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.0.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.0.cx_usage_counters: 268697840 0 0
dev.cpu.0.cx_usage: 100.00% 0.00% 0.00% last 529us
dev.cpu.0.cx_lowest: C1
dev.cpu.0.cx_supported: C1/1/1 C2/2/500 C3/3/1000

My machine is able to support C1, C2 and C3 states, but the lowest C-state set by the OS is C1, and therefore all cores run on C1 for 100% of the time.

Then I ran the commands to change this:

# sysctl dev.cpu.0.cx_lowest=C3
# sysctl dev.cpu.1.cx_lowest=C3
# sysctl dev.cpu.2.cx_lowest=C3
# sysctl dev.cpu.3.cx_lowest=C3

and now I can see the following:

root@OPNsense:/usr # sysctl dev.cpu.0.cx_usage
dev.cpu.0.cx_usage: 49.94% 20.18% 29.86% last 7798us

So core 0 suddenly only keeps C1 for 50% of the time but drops to C2/C3 for the rest. This should reduce power consumption at least a bit.

As far as I understand, I can also add the settings in the tunables in opnsense and make them permanent. I just had no time to run some tests with my FW to confirm this. I also lack a method to monitor the power consumption at the moment but will do this as soon as I can shut down the FW and plug in a power meter.

Maybe someone else wants to try this and test if he can save some energy by enabling unused C-states of his hardware?
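As an added example (not from these posts or from OPNsense), a small POSIX shell script that parses "sysctl dev.cpu" output in the format quoted above and lists every core whose cx_lowest is still shallower than the deepest state in its cx_supported list. It prints the result in the "dev.cpu.N.cx_lowest=C3" form, which is both the sysctl command used in this post and the name/value pair for the tunables entries described in post #5; the sysctl output below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example: find cores with unused deeper C-states from sysctl output.
# The sample below is constructed to mimic "sysctl dev.cpu | grep cx" as
# quoted in the post: cores 0 and 2 already allow C3, cores 1 and 3 are
# still capped at C1.
SAMPLE='dev.cpu.3.cx_method: C1/mwait/hwc C2/mwait/hwc C3/mwait/hwc
dev.cpu.3.cx_usage: 100.00% 0.00% 0.00% last 312us
dev.cpu.3.cx_lowest: C1
dev.cpu.3.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.2.cx_lowest: C3
dev.cpu.2.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.1.cx_lowest: C1
dev.cpu.1.cx_supported: C1/1/1 C2/2/500 C3/3/1000
dev.cpu.0.cx_lowest: C3
dev.cpu.0.cx_supported: C1/1/1 C2/2/500 C3/3/1000'

# cx_headroom: read sysctl output on stdin and print one
# "dev.cpu.N.cx_lowest=<deepest>" line per core whose cx_lowest differs
# from the last (deepest) entry in cx_supported. Lines that are not
# cx_lowest/cx_supported (usage, method, counters) are ignored. The
# output is sorted so it is stable regardless of the order sysctl used.
cx_headroom() {
  awk '
    /^dev\.cpu\.[0-9]+\.cx_lowest:/ {
      split($1, p, "."); lowest[p[3]] = $2
    }
    /^dev\.cpu\.[0-9]+\.cx_supported:/ {
      # $NF looks like "C3/3/1000": state/type/latency; keep the state.
      split($1, p, "."); split($NF, s, "/"); deepest[p[3]] = s[1]
    }
    END {
      for (c in deepest)
        if ((c in lowest) && lowest[c] != deepest[c])
          printf "dev.cpu.%s.cx_lowest=%s\n", c, deepest[c]
    }
  ' | sort
}

# Stand-alone run: on a FreeBSD/OPNsense box you would instead pipe
# "sysctl dev.cpu | grep cx" into cx_headroom.
printf '%s\n' "$SAMPLE" | cx_headroom
```

Each printed line can be reviewed before applying it, either as a sysctl command or as a tunables entry; deeper C-states add wake-up latency, so the post's own comparison of network behaviour after the change is the check to repeat.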
#15
Quote from: HDuncan on January 30, 2022, 05:26:51 PM
Can someone who's using the AdGuard plugin with the new 22.1 release confirm that it works properly.
I saw some changes to Unbound in the release notes.

TY

AG home works. Installation is straight forward if you don't use unbound. Just install the plugin, head to port 3000 of your firewall to finish the installation and you are done. You might want to change the port of the Adguard web front end to another one. For this you need a console on the FW and change /usr/local/AdGuardHome/AdGuardHome.yaml with a text editor (change the bind port which is set to 80 as default).

If you have unbound running, first log into the FW, change the port unbound runs on (service tab -> unbound), e.g. to port 5335 and restart unbound. Then install Adguard like mentioned above and put 127.0.0.1:5335 as upstream DNS server into the Adguard section.