Messages - jaykumar2005

#1
Zenarmor team did verify the OPNsense installation and Zenarmor configuration. It came up during the investigation that the bandwidth drop was unaffected by Zenarmor either in Bypass mode or Stopped. This was not a Zenarmor issue.

After a few hours of digging through all the devices, I figured out that "Flow Control" was enabled on the switch-to-firewall port (PVID). Disabling flow control fixed the issue.

It's surprising that iperf3 across devices --> Switch --> FW was showing no issue at all. Only devices --> Switch --> FW --> Speedtest was showing a drop in bandwidth. I was derailed by a misleading correlation.
#2
Sure, done
#3
I am able to get Technitium up and running, but I am getting the following error while joining/creating a cluster. Obviously SQLite is missing from the installation; any idea how to fix this?

I tried installing the Query Log SQLite app, but it also complains about missing SQLite libraries. It seems Technitium uses the OS-native SQLite.


[2026-05-16 12:56:46 Local] [192.168.5.195:51369] System.TypeInitializationException: The type initializer for 'Microsoft.Data.Sqlite.SqliteConnection' threw an exception.
---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
---> System.DllNotFoundException: Unable to load shared library 'e_sqlite3' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable:
#4
Updated the Tunables, rebooted the firewall, but I am afraid it did not make much of a difference

Tunable: dev.netmap.generic_rings, Value: 6

#5
Will the Technitium installation survive an OPNsense major upgrade?
#6
Here are the details: igb0 is WAN (PPPoE), igb1 is LAN (pvid1/untagged), and igb2 is the trunk interface with multiple tagged VLANs.

I see the bandwidth issue with the igb1 LAN interface only.

sysctl -a | grep netmap
<6>[1] igb0: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb1: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb2: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb3: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] em0: netmap queues/slots: TX 1/1024, RX 1/1024
[92] 913.575921 [1167] generic_netmap_attach     Emulated adapter for igb1 created (prev was igb1)
[92] 913.575934 [1068] generic_netmap_dtor       Native netmap adapter for igb1 restored
[92] 913.575941 [1072] generic_netmap_dtor       Emulated netmap adapter for igb1 destroyed
[92] 913.576009 [1167] generic_netmap_attach     Emulated adapter for igb1 created (prev was igb1)
[92] 913.829018 [ 319] generic_netmap_register   Emulated adapter for igb1 activated
[92] 913.829113 [1167] generic_netmap_attach     Emulated adapter for vlan0.40 created (prev was NULL)
[92] 913.829124 [1072] generic_netmap_dtor       Emulated netmap adapter for vlan0.40 destroyed
[92] 913.829234 [1167] generic_netmap_attach     Emulated adapter for vlan0.40 created (prev was NULL)
[92] 913.829307 [ 319] generic_netmap_register   Emulated adapter for vlan0.40 activated
device netmap
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.port_numa_affinity: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 1000000
dev.netmap.buf_num: 1000000
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 1024
dev.netmap.ring_num: 1024
dev.netmap.ring_curr_size: 36864
dev.netmap.ring_size: 36864
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 2
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
#7
I am using Routed Mode (L3 Mode, Reporting + Blocking) with Emulated Netmap driver
#8
I am running OPNsense on a Lenovo P330 (Intel i5-8500 CPU @ 3.00GHz) with the Zenarmor Free tier and a basic default policy with a few rules.

My upstream bandwidth is around 1 Gbps, and I get around 900+ Mbps on an interface/VLAN excluded from Zenarmor.

The bandwidth I get on a Zenarmor-monitored VLAN doesn't exceed 650 Mbps at all.

Is this the expected penalty of running a single-core, single-threaded Zenarmor?

Has anyone done a benchmark of Zenarmor performance on different CPUs? What is your bandwidth performance with Zenarmor enabled?
#9
Any chance a fix would be upstreamed in FreeBSD 15.1/OPNsense 26.7?
#10
Thanks for looking into this, but I am afraid the patch did not work; I am still encountering a kernel panic.

root@OPNsense:~ # uname -ar
FreeBSD OPNsense.local.lan 14.3-RELEASE-p9 FreeBSD 14.3-RELEASE-p9 in6_selecthlim-n272036-8c8ffb05214b SMP amd64


[296]
[296]
[296] Fatal trap 12: page fault while in kernel mode
[296] cpuid = 5; apic id = 0a
[296] fault virtual address = 0x0
[296] fault code = supervisor read data, page not present
[296] instruction pointer = 0x20:0xffffffff80e15bc9
[296] stack pointer         = 0x28:0xfffffe0145bf28b0
[296] frame pointer         = 0x28:0xfffffe0145bf2aa0
[296] code segment = base 0x0, limit 0xfffff, type 0x1b
[296] = DPL 0, pres 1, long 1, def32 0, gran 1
[296] processor eflags = interrupt enabled, resume, IOPL = 0
[296] current process = 46103 (tailscaled)
[296] rdi: fffff80233b26b00 rsi: fffffe0145bf2788 rdx: 0000000000000000
[296] rcx: fffff801e1139c00  r8: 00000000ffffffbd  r9: fffffe0145bf29a0
[296] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe0145bf2aa0
[296] r10: fffff80433b539c0 r11: fffff80691d6b000 r12: fffff802820ec370
[296] r13: fffff803909cfbb8 r14: 0000000000000000 r15: fffff801d5026800
[296] trap number = 12
[296] panic: page fault
[296] cpuid = 5
[296] time = 1774462917
[296] KDB: stack backtrace:
[296] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0145bf2600
[296] vpanic() at vpanic+0x161/frame 0xfffffe0145bf2730
[296] panic() at panic+0x43/frame 0xfffffe0145bf2790
[296] trap_pfault() at trap_pfault+0x3da/frame 0xfffffe0145bf27e0
[296] calltrap() at calltrap+0x8/frame 0xfffffe0145bf27e0
[296] --- trap 0xc, rip = 0xffffffff80e15bc9, rsp = 0xfffffe0145bf28b0, rbp = 0xfffffe0145bf2aa0 ---
[296] ip6_output() at ip6_output+0xdf9/frame 0xfffffe0145bf2aa0
[296] tcp_default_output() at tcp_default_output+0x1e74/frame 0xfffffe0145bf2c70
[296] tcp_usr_disconnect() at tcp_usr_disconnect+0x77/frame 0xfffffe0145bf2cb0
[296] soclose() at soclose+0x75/frame 0xfffffe0145bf2d10
[296] _fdrop() at _fdrop+0x11/frame 0xfffffe0145bf2d30
[296] closef() at closef+0x24a/frame 0xfffffe0145bf2dc0
[296] closefp_impl() at closefp_impl+0x58/frame 0xfffffe0145bf2e00
[296] amd64_syscall() at amd64_syscall+0x117/frame 0xfffffe0145bf2f30
[296] fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0145bf2f30
[296] --- syscall (6, FreeBSD ELF64, close), rip = 0x49c1bf, rsp = 0x86c2718b0, rbp = 0x86c2718b0 ---
[296] KDB: enter: panic
panic.txt: page fault
version.txt: FreeBSD 14.3-RELEASE-p9 in6_selecthlim-n272036-8c8ffb05214b SMP
#11
I can test this if an OPNsense patch is made available.
#12

Looks like the issue reported here https://forum.opnsense.org/index.php?topic=49131.msg249523#msg249523 is back in 26.1.4. I have a working IPv6 setup with /64 prefix delegation from the ISP (PPPoE), but any attempt to change "Prefix delegation size" with "Send prefix hint" crashes the firewall. I am able to consistently reproduce this: every time I attempt to change these values, the router crashes and reboots.

Versions
OPNsense 26.1.4-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19


[969470]
[969470]
[969470] Fatal trap 12: page fault while in kernel mode
[969470] cpuid = 4; apic id = 08
[969470] fault virtual address = 0x10
[969470] fault code = supervisor read data, page not present
[969470] instruction pointer = 0x20:0xffffffff80e0d175
[969470] stack pointer         = 0x28:0xfffffe0149887a80
[969470] frame pointer         = 0x28:0xfffffe0149887ab0
[969470] code segment = base 0x0, limit 0xfffff, type 0x1b
[969470] = DPL 0, pres 1, long 1, def32 0, gran 1
[969470] processor eflags = interrupt enabled, resume, IOPL = 0
[969470] current process = 10545 (tailscaled)
[969470] rdi: fffff8000244f000 rsi: 000000000000001c rdx: fffff806f7d2f078
[969470] rcx: fffff8000244f000  r8: 00000000ffffffbd  r9: 0000000000000000
[969470] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe0149887ab0
[969470] r10: fffffe0149887a30 r11: 0000000000000008 r12: fffff80398e23298
[969470] r13: 0000000000000000 r14: fffffe0149887a8c r15: 0000000000010200
[969470] trap number = 12
[969470] panic: page fault
[969470] cpuid = 4
[969470] time = 1773944620
[969470] KDB: stack backtrace:
[969470] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01498877d0
[969470] vpanic() at vpanic+0x161/frame 0xfffffe0149887900
[969470] panic() at panic+0x43/frame 0xfffffe0149887960
[969470] trap_pfault() at trap_pfault+0x3da/frame 0xfffffe01498879b0
[969470] calltrap() at calltrap+0x8/frame 0xfffffe01498879b0
[969470] --- trap 0xc, rip = 0xffffffff80e0d175, rsp = 0xfffffe0149887a80, rbp = 0xfffffe0149887ab0 ---
[969470] in6_selecthlim() at in6_selecthlim+0x95/frame 0xfffffe0149887ab0
[969470] tcp_default_output() at tcp_default_output+0x1ca4/frame 0xfffffe0149887c70
[969470] tcp_usr_disconnect() at tcp_usr_disconnect+0x77/frame 0xfffffe0149887cb0
[969470] soclose() at soclose+0x75/frame 0xfffffe0149887d10
[969470] _fdrop() at _fdrop+0x11/frame 0xfffffe0149887d30
[969470] closef() at closef+0x24a/frame 0xfffffe0149887dc0
[969470] closefp_impl() at closefp_impl+0x58/frame 0xfffffe0149887e00
[969470] amd64_syscall() at amd64_syscall+0x117/frame 0xfffffe0149887f30
[969470] fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0149887f30
[969470] --- syscall (6, FreeBSD ELF64, close), rip = 0x49c1bf, rsp = 0x86d1814f8, rbp = 0x86d1814f8 ---
[969470] KDB: enter: panic
panic.txt: page fault
version.txt: FreeBSD 14.3-RELEASE-p9 stable/26.1-n272033-b4ddb3e0f150 SMP
#14

Now that the Tailscale team has implemented a standard mechanism to blacklist interfaces/networks that Tailscale should use, what would be the best way to configure this on OPNsense? https://github.com/tailscale/tailscale/pull/17762

I guess the best way would have been if implemented on the Plugin GUI, but till this is possible.
#15
No more crashes anymore...