Messages - virtualdimension

#1
The network card in the Minisforum is an Intel X710-DA2.
I don't know which Intel driver is preinstalled in OPNsense. The latest driver available for FreeBSD and my network card is from late December 2025 on the Intel website.
FreeBSD driver for Intel X710
But I don't know how to install it...
#2
Quote from: nero355 on March 19, 2026, 03:56:31 PM
Quote from: virtualdimension on March 19, 2026, 04:44:42 AM
My internet provider's modem (which also acts as an ONT) is connected via RJ45 cat.7 network cable
I am not sure what the current status is, but if you want 10 Gbps speed via RJ45 then CAT6a is actually the only Certified and Officially Acknowledged cable type, while everything above it still awaits official recognition, so to speak.

Quote
from the 10Gbit output to the 10Gbit input of the DEC850 with the 10Gtek ASF-10G-T80 SFP+ module (I also used an Ubiquiti UACC-CM-RJ45-MG) and I created a DMZ for the IP address provided by the modem to the DEC850 firewall.
Since you are using a DMZ IP Address my first question would be: Private or Public range?

Also please note that most modules that convert SFP+ to RJ45 or the other way around work up to 30 meters of cable!!

Quote
From the 10 Gbit output of the DEC850 I enter the 10 Gbit WAN port of a Ubiquiti UDM-PRO MAX with the 10G Direct Attach Cable (UACC-DAC-SFP10-1M).
Why?!

The whole Ubiquiti UniFi UDM range is a mess and especially when messing around with 10 Gbps connections and even worse when there is buffering to 1 Gbps connections involved and the WAN uses PPPoE on top of that...
If you need the UniFi Controller part of it then just connect it as a Client to your Management VLAN and leave it like that in the future or replace it with a simple dedicated UniFi Controller device.

Quote
If I connect directly to the 10 Gbit LAN port of the internet provider's modem, I can reach the maximum speed (about 7.8-8.5 Gbit download and 1.8-2 Gbit upload).
This is with a PC connected to the ISP's ONT/Router combo device you mentioned in the DMZ setup part above, I assume?

Which OS and what kind of hardware does it have?


Whatever you do from this point on please stick to testing with :
- DEC850
- Minisforum MS-A2
- The PC you used for the full speed 10 Gbps test.

There is no point in involving the Ubiquiti UniFi UDM Pro in this whole thing!


Quote from: JamesFrisch on March 19, 2026, 07:39:23 AM
- iperf3 is by default single core. Look into the multithread option
Larger Window Sizes can improve the speed too! :)

- I've also tried with Cat.6A, but it doesn't change anything.

- The DMZ IP address is private. I've removed all Bogons network blocks in OPNsense.

- The connection cables between the modem/firewall/Ubiquiti are 1 meter long

- I know that PPPoE connections (especially with Ubiquiti) can cause problems, but that's not the case with me, since the UDM receives the connection already established by the modem through the firewall. However, if that doesn't solve the problem, I'll try what you suggested with the controller.

- Yes, you're correct. I used both a desktop computer (and a mobile workstation) with Windows 11 and 10 Gbit network cards (both internal and external).

- The Ubiquiti UniFi UDM PRO MAX is the device to which all the devices are connected, so it is the one that must ultimately guarantee the final performance, but to try to understand which one is the bottleneck, I have to do the tests between the UDM and OPNsense and between OPNsense and the main modem.

Modem IP: 192.168.10.1
Minisforum MS-A2 IP: 192.168.1.1
Ubiquiti IP: 10.0.0.1

I've tried iperf3 -c (and -s) from and to the Minisforum and the Ubiquiti, with -P 1 (and 8) and -t 30.
I've tried disabling Zenarmor, Crowdsec, and Suricata, but it makes virtually no difference in terms of throughput. The speed is still around ~3.5-4 Gbps, and the processor is practically idle. I'll have to try connecting directly to the Minisforum, bypassing the UDM, and see what results I get.
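The advice given in this thread is to rerun iperf3 with parallel streams (-P) and to watch CPU on both ends before blaming the firewall. The script below is an added example, not code from the original posts: it reads the JSON that `iperf3 -J` emits and reports throughput, link utilisation and the pitfalls just mentioned. The two results embedded in it are constructed in the shape iperf3 produces for a TCP client run (only the fields the script reads are present); they were not captured from the poster's DEC850, MS-A2 or UDM.

```python
"""Summarise iperf3 -J (JSON) results and flag a single-stream test above
1 Gbit/s and a saturated CPU on either end.

Added example, not from the original post. Both results below are constructed
samples in the layout of iperf3 -J output for a TCP client run."""
import json

# Constructed: eight parallel streams (-P 8), ~3.8 Gbit/s, server CPU pegged.
PARALLEL_RUN = """{
  "start": {"test_start": {"protocol": "TCP", "num_streams": 8, "duration": 30}},
  "end": {
    "sum_sent":     {"seconds": 30.0, "bytes": 14250000000, "bits_per_second": 3800000000.0, "retransmits": 412},
    "sum_received": {"seconds": 30.0, "bytes": 14212500000, "bits_per_second": 3790000000.0},
    "cpu_utilization_percent": {"host_total": 12.4, "remote_total": 98.7}
  }
}"""

# Constructed: the default single stream (-P 1), ~2.9 Gbit/s, both CPUs idle.
SINGLE_RUN = """{
  "start": {"test_start": {"protocol": "TCP", "num_streams": 1, "duration": 30}},
  "end": {
    "sum_sent":     {"seconds": 30.0, "bytes": 10875000000, "bits_per_second": 2900000000.0, "retransmits": 0},
    "sum_received": {"seconds": 30.0, "bytes": 10875000000, "bits_per_second": 2900000000.0},
    "cpu_utilization_percent": {"host_total": 6.1, "remote_total": 7.3}
  }
}"""


def summarize(raw, link_gbps=10.0, cpu_warn_pct=90.0):
    """Return throughput, retransmits, link utilisation and a list of warnings.

    link_gbps is the nominal link rate the result is judged against (10 Gbit/s
    here, matching the SFP+ links in the thread)."""
    data = json.loads(raw)
    streams = data["start"]["test_start"]["num_streams"]
    sent = data["end"]["sum_sent"]
    recv = data["end"]["sum_received"]
    cpu = data["end"].get("cpu_utilization_percent", {})
    recv_gbps = recv["bits_per_second"] / 1e9
    result = {
        "streams": streams,
        "sent_gbps": round(sent["bits_per_second"] / 1e9, 3),
        "recv_gbps": round(recv_gbps, 3),
        "retransmits": sent.get("retransmits", 0),
        "utilization_pct": round(recv_gbps / link_gbps * 100, 1),
        "warnings": [],
    }
    # iperf3 runs one stream by default; above 1 Gbit/s that alone can cap the number.
    if streams == 1 and link_gbps > 1:
        result["warnings"].append("single stream: rerun with -P (e.g. -P 8) before judging the link")
    # host_total is the client running iperf3 -c, remote_total the -s side.
    for side, key in (("client", "host_total"), ("server", "remote_total")):
        if cpu.get(key, 0) >= cpu_warn_pct:
            result["warnings"].append(f"{side} CPU at {cpu[key]}%: iperf3 itself may be the bottleneck")
    if result["retransmits"] > 0:
        result["warnings"].append(f"{result['retransmits']} TCP retransmits: check for drops on the path")
    return result


if __name__ == "__main__":
    for label, raw in (("-P 8", PARALLEL_RUN), ("-P 1", SINGLE_RUN)):
        print(label, summarize(raw))
```

With a real capture, replace the embedded string with the output of `iperf3 -c <server> -P 8 -t 30 -J`; the CPU figures are only present when the run completes normally.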
#3
Quote from: meyergru on March 19, 2026, 08:03:53 AM
You did not say anything apart from the Zenarmor part about multithreading.

See this, point 10:

a. With speeds > 1 GBit, you need to enable multithreading for unimpeded measurements.
b. You also need to enable RSS to use all cores. It may also depend on how the FreeBSD NIC drivers are optimized, there may be special tuneables for yours.

That being said: With Zenarmor, you can only utilize one thread at this time. Period. Pinning a core only makes sure that this one core does not get utilized by anything else, but you will still be limited by it.

Yes, I also activated RSS through tunables.

- net.inet.rss.enabled = 1
- net.isr.bindthreads = 1
- net.isr.maxthreads = -1
- net.inet.rss.bits = 4
- dev.ixl.0.rss_enabled = 1
- dev.ixl.1.rss_enabled = 1
- net.isr.dispatch = deferred (also tried hybrid)
- kern.ipc.maxsockbuf = 16777216

I tried using powerD (both with the Hiadaptive and Maximum options), but then I disabled it because it didn't make any difference. In the BIOS, I also disabled all power-saving options for both the CPU and network cards.
The promiscuous mode is on.
The "pin core" on Zenarmor is off.
#4
Quote from: JamesFrisch on March 19, 2026, 07:39:23 AM
I am not quite sure if I understand what you iperf or why you even have UDM and OPNsense. I would go with either one of them.
I also don't quite get your setup or network topology, nor what speed exactly is your problem. And I can't give you good advice on why your Minisforum performs that bad. So I can just give you some general advice that applies to anyone. Maybe that helps.

- iperf3 is by default single core. Look into the multithread option
- make sure you have power savings disabled. I had mine on hiadaptive, got 5GB/s for the first test, and when I ran the second test shortly after, I got my 9GBit/s because the CPU could not enter power saving yet. Disabling PowerD got me always 9GBit/s.
- Even my old 4-core i3-8100 is fast enough for 9GBit/s. But I don't run Zenarmor or Suricata, only Crowdsec.


I use OPNsense as a firewall because it has many more features and is much more secure than Ubiquiti, but I prefer Ubiquiti for its ecosystem (switches, access points, cameras, graphical interface, secure remote access, etc.), so I use both.
So, from the modem where the ONT is directly connected, I enter the OPNsense WAN port, and then the filtered connection passes from there to the Ubiquiti.

Yes, I am aware that the default iperf test is single core; in fact, I have done several tests with the -P 4 (8, 16) options.
#5
Hi all! I need your help.

I have a Deciso DEC850 (OPNsense Business, OPNsense 25.10.2_4-amd64) that limits the throughput to 1 Gbit with IDS/IPS, 1.2 without.
I use Zenarmor for the LAN, Suricata IDS/IPS for the WAN, Crowdsec, Q-Feeds (this has only been in place for 2 weeks), Unbound DNS, and the GeoIP rules included in the OPNsense Business package and those from MaxMind.
As long as I had a 200 Mbit internet connection I didn't have this problem, but now that I've activated 10 Gbit FTTH (actual download speed 8 Gbit and upload 2 Gbit) I've found that I can't take full advantage of it.

My internet provider's modem (which also acts as an ONT) is connected via RJ45 cat.7 network cable from the 10Gbit output to the 10Gbit input of the DEC850 with the 10Gtek ASF-10G-T80 SFP+ module (I also used an Ubiquiti UACC-CM-RJ45-MG) and I created a DMZ for the IP address provided by the modem to the DEC850 firewall.
From the 10 Gbit output of the DEC850 I enter the 10 Gbit WAN port of a Ubiquiti UDM-PRO MAX with the 10G Direct Attach Cable (UACC-DAC-SFP10-1M).
I connected a Ubiquiti Pro Max 24 PoE switch to the UDM-PRO MAX, again using a direct 10 Gbit SFP+ cable.
All devices (access points, computers, printers, smartphones, etc.) are managed by the UDM-PRO MAX.
In the latter I do not use blocking rules, nor the IDS/IPS module, but even if I activate it, it has very little impact on the throughput (about 200 Mbit).

Well, if I run an iPerf3 test directly between the firewall and the Ubiquiti, the throughput rate is always around 1 Gbit.
If I disable IDS/IPS, Zenarmor, Crowdsec, and Q-Feeds on the DEC850, I only gain about 200 Mbit.

I also tried all the possible options through Tunables with the guides and advice I found in the forum and online, but the situation did not change.

So I bought a Minisforum MS-A2 with the AMD Ryzen 9 9955HX, 64GB (2x32) DDR5 5600MHz, Crucial T710 1TB SSD... and replaced the DEC850, connecting everything in the same way with the network card inside the new barebone (2 x 10G SFP+ Intel X710). I also updated the Intel network card's BIOS to the latest available version. Hardware offload is disabled. Tunables all done, but these make no difference.

Now, with the same configurations, compared to before I can reach 4 Gbit of transfer between the UDM and the firewall, even if it is not constant and the speeds fluctuate a lot. Sometimes it is below 3 Gbit, other times it reaches 4-5 Gbit, but not more. I ran the iPerf tests both with the UDM set as a server and as a client (same thing with the OPNsense firewall).
Now, when I run an internet speed test directly from the UDM, I can actually reach peaks of 4 Gbps download and 1.2 Gbps upload. Still too far from the maximum values of my internet connection. If I connect directly to the 10 Gbit LAN port of the internet provider's modem, I can reach the maximum speed (about 7.8-8.5 Gbit download and 1.8-2 Gbit upload).

Even in this case, leaving Zenarmor and Suricata enabled/disabled makes no difference. The processor (base clock 2.5 GHz and max boost clock up to 5.4 GHz) peaks at 6% utilization during use. The RAM, with all settings enabled, sits at around 16GB (out of 64 total).
Zenarmor doesn't yet support multicore, but even pinning a core to it doesn't make any difference, and the processor isn't being fully utilized. The processor literally yawns, and I don't understand what's creating this bottleneck that's preventing me from reaching 10 Gbit/s of throughput.

I'm asking for help in trying to understand and resolve what may be causing this problem and limitation.

Thank you in advance.
#6
Thanks for the reply, Franco.
Having an official DEC850 device with OPNsense, I would like to know which would be the correct forum to report problems and any discussions related to OPNsense. I thought I was in the correct forum. I made a mistake in the thread, and I apologize, but I think the forum is correct.
#7
Hello Franco!
I have a DEC850, Business subscription.
Today I've upgraded the firewall from 24.10.1 to the latest 24.10.2.
The upgrade process completed without errors, but...

The first problem: I don't have os-tailscale in the Plugins section, and also other new plugins added with the latest 24.10.2.
The second problem: when I run an audit for connectivity, I receive this log:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.10.2 (amd64) at Wed Feb  5 00:47:39 CET 2025
Strict TLS 1.3 and CRL checking is enabled.
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=52 time=40.363 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=52 time=40.109 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=52 time=40.930 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=52 time=40.262 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 40.109/40.416/40.930/0.310 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 874 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ... done
Processing entries: ....... done
SunnyValley repository update completed. 66 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: No route to host
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: No route to host
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: No route to host
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/meta.txz: No route to host
repository SunnyValley has no meta file, using default settings
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/packagesite.pkg: No route to host
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/packagesite.txz: No route to host
Unable to update repository SunnyValley
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS ECC CA G1
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
Checking server certificate for host: updates.zenarmor.com
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = zenarmor.com
verify return:1
DONE
***DONE***


What is the problem?
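The audit output quoted above is the same shape every time: a series of "Checking ..." headers, each followed by the raw output of the command run for that check. The parser below is an added example and not part of the original post or of OPNsense: it splits the audit into its checks and marks each one ok or failed from the lines under it, which makes the pattern in this particular log easy to read off, namely that every IPv4 check and the certificate check passed while both IPv6 checks failed with "No route to host". The log embedded in the script is a trimmed excerpt of the output quoted in the post, with the `${SUBSCRIPTION}` placeholder kept exactly as it appears there.

```python
"""Parse an OPNsense "audit connectivity" log into per-check results.

Added example, not part of the original post or of OPNsense. AUDIT_EXCERPT is a
trimmed copy of the audit output quoted in the post above."""
import re

AUDIT_EXCERPT = """\
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.10.2 (amd64) at Wed Feb  5 00:47:39 CET 2025
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=52 time=40.363 ms
--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
OPNsense repository update completed. 874 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository update completed. 66 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: No route to host
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
Unable to update repository SunnyValley
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
***DONE***
"""

# One header line per check; group 2 is only set for repository checks.
CHECK_RE = re.compile(
    r"^Checking (connectivity for host|connectivity for repository \((IPv4|IPv6)\)"
    r"|server certificate for host): (.*)$"
)

# Lines that mark the check they appear under as failed.
FAILURE_PATTERNS = (
    re.compile(r"No route to host"),
    re.compile(r"^Unable to update repository"),
    re.compile(r"^Error updating repositories"),
    re.compile(r"100\.0% packet loss"),
    re.compile(r"^verify error"),
    re.compile(r"^verify return:0"),
)


def is_failure_line(line):
    return any(p.search(line) for p in FAILURE_PATTERNS)


def parse_audit(text):
    """Return a list of checks: kind, address family, target, status, evidence lines."""
    checks, current = [], None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            kind, family, target = m.groups()
            if kind == "connectivity for host":
                kind = "ping"
                # Header reads "name -> address"; a colon in the address means IPv6.
                family = "IPv6" if ":" in target.split("->")[-1] else "IPv4"
            elif kind.startswith("connectivity for repository"):
                kind = "repository"
            else:
                kind, family = "certificate", "any"
            current = {"kind": kind, "family": family, "target": target.strip(),
                       "status": "ok", "evidence": []}
            checks.append(current)
        elif current is not None and is_failure_line(line):
            current["status"] = "fail"
            current["evidence"].append(line)
    return checks


def summarize_audit(text):
    """Map (family, kind) -> "ok" / "fail", so IPv4 and IPv6 results sit side by side."""
    return {(c["family"], c["kind"]): c["status"] for c in parse_audit(text)}


if __name__ == "__main__":
    for (family, kind), status in sorted(summarize_audit(AUDIT_EXCERPT).items()):
        print(f"{family:4} {kind:11} {status}")
```

Run against a full audit log, the summary separates "update path broken" (an IPv4 repository failure) from "IPv6 unreachable while IPv4 works", which is the case in this post; the evidence list on each failed check keeps the exact lines that triggered the verdict.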
#8
General Discussion / Synology nas with Tailscale
January 12, 2025, 03:08:46 AM
I have an OPNsense DEC850 configured like this:

- On port 1 (WAN1), TIM Business modem (192.168.9.1)
- On port 2 (WAN2), Vodafone Business modem (192.168.10.1)
- On port x0 (LAN), connected to a Ubiquiti UDM-PRO
The Ubiquiti UDM-PRO has the IP 192.168.1.1.
The DEC850 has the IP 192.168.3.1.

The DEC850 is configured to handle the two WAN connections in load balancing.
In both modems I created a DMZ for the IP address that is assigned to the DEC850. The modems are only used to provide the internet connection to the firewall.
Then, through the x0 port of the firewall, I connected it to the WAN port of the Ubiquiti UDM-PRO (with static IP 192.168.3.20).
All the various network devices (access points, computers, NAS, smartphones, printers, etc. etc.) are connected to the UDM-PRO.

I have read and followed various guides I found online, but I have not been able to solve the problem.
I need your help to configure rules to access a Synology NAS through Tailscale from mobile apps (Synology Drive, Synology Photos, Synology Note, etc.) with a direct connection. Now it always works only through DERP.

Given that both modems have a DMZ for the IP assigned to both WANs of the firewall and therefore there are no blocks, how can I now allow the Synology-Tailscale NAS, with IP address 192.168.1.50 (and connected to the UDM-PRO), to be reachable from my external devices (such as iOS and Android with the Tailscale client) directly and not through DERP? What additional configurations do I need to do?
#9
Hi all.
I have an OPNsense DEC850 configured like this:

- On port 1 (WAN1), TIM Business modem (192.168.9.1)
- On port 2 (WAN2), Vodafone Business modem (192.168.10.1)
- On port x0 (LAN), connected to a Ubiquiti UDM-PRO
The Ubiquiti UDM-PRO has the IP 192.168.1.1.
The DEC850 has the IP 192.168.3.1.

The DEC850 is configured to handle the two WAN connections in load balancing.
In both modems I created a DMZ for the IP address that is assigned to the DEC850. The modems are only used to provide the internet connection to the firewall.
Then, through the x0 port of the firewall, I connected it to the WAN port of the Ubiquiti UDM-PRO (with static IP).
All the various network devices (access points, computers, NAS, smartphones, printers, etc. etc.) are connected to the UDM-PRO.

I need your help to configure rules to access a Synology NAS through DDNS for mobile apps (Synology Drive, Synology Photos, Synology Note, etc.).

On the Synology NAS everything is already configured with its own DDNS service "myname.synology.me" with the relative Let's Encrypt certificate.
On the UDM-PRO to which the NAS is connected, I created a port-forwarding:
Source: Any - Protocol: TCP - Forwarded IP: 192.168.1.49 (nas IP) - Port: 5001 (the port for Synology Drive)

At this point my problem is to create the necessary rules on the DEC850 firewall so that when I have to access remotely through the link myname.synology.me, this points towards the NAS and allows me to connect to the various services.

Thanks in advance for your help.
#10
Hardware and Performance / Re: DEC850 : UFS or ZFS
November 26, 2024, 04:04:07 AM
Regarding Zenarmor, will I need to export and then import its backup or will the OPNsense configuration file restore everything exactly as it was?
#11
Hardware and Performance / Re: DEC850 : UFS or ZFS
November 25, 2024, 02:09:33 AM
I have a DEC850 (64GB ram and 256GB ssd) with a Business license, updated to the latest version opnsense-business 24.10_7 and a Zenarmor license v1.18.3 with Elasticsearch DB.
Having purchased the hardware in 2022, the file system is UFS, but I would like to switch to ZFS.
Is there a way to switch to the new file system without reinstalling everything? If so, what is the procedure?
If not, how do I reinstall my DEC850 so that it boots with ZFS and then restore all the configurations, packages and licenses currently installed?

Thank you in advance
#12
Hello everyone.
I have a DECISO DEC850 with the Business license, updated to the latest release 23.10.2.
I installed the Maltrail plugin from the repository, currently in version 1.10. This plugin installs version 0.60 of Maltrail, but Maltrail is currently at version 0.67 ( https://github.com/stamparm/maltrail/releases ), and I don't know how to update it manually from the website. Also, why aren't the repositories updated within OPNsense?

My problem is that, although Maltrail (sensor and server) is active, the alias "BlocklistMaltrail" within Firewall - Aliases, does not load any lines for the fail2ban list. It always remains with the value zero. I attach some screenshots.
Also, how can I change the default password "changeme!" ?

I hope someone can help me.

Thank you in advance.
#13
Italian - Italiano / Maltrail on DEC850
March 02, 2024, 02:19:02 AM
Hello everyone.
I have a DECISO DEC850 with the Business license, updated to the latest release 23.10.2.
I installed the Maltrail plugin from the repository, currently in version 1.10. This plugin installs version 0.60 of Maltrail, but Maltrail is currently at version 0.67 ( https://github.com/stamparm/maltrail/releases ), and I don't know how to update it manually from the website. Also, why aren't the repositories updated within OPNsense?

My problem is that, although Maltrail (sensor and server) is active, the alias "BlocklistMaltrail" within Firewall - Aliases, does not load any lines for the fail2ban list. It always remains with the value zero. I attach some screenshots.
Also, how can I change the default password "changeme!" ?

I hope someone can help me.

Thank you in advance.
#14
General Discussion / Re: Maltrail on Opnsense
March 15, 2023, 02:31:52 AM
I always have 0 lines of Maltrail/Fail2ban. Why doesn't it download any lists?