Messages - connervt

#1
As others have said or implied, it depends on your use case.
Is this a mission critical network or your personal at home plaything?
A few users or many dozens of users?
Traffic from a few internal users or services for many external users?

The devil is always in the details.

With that said, I have been using a Topton N5105 with 4 2.5GbE Intel NICs for about 2 years.  I needed to clean, smooth and re-paste the heat sink on it, and still have a slow USB fan to keep it cool.  (May be overkill, as they will run hot without issues, but I prefer it cool.)  Network is my home and lab playground, move a lot of data around, a number of services running, several VLANs in network, cameras and home automation stuff, etc.  OPNsense runs on it bare metal, and I haven't had any issues and the system never seems to be overworked by what I ask of it.

If I needed to support it for someone else, I probably would use it in a home or few person office.  But for a larger or more mission critical application, I would step up to something better.
#2
EricPerl is correct.  First thing I noticed in your post is that it looks as if one of the devices has its NIC negotiating at 100Mb speed.  Check the cabling and reboot (power off/on) both devices.
#3
25.1, 25.4 Series / Re: New user problems
February 16, 2025, 10:52:30 PM
Do you mean this?  It is in the Gateway config.

#4
Interesting.  Nearly the same combination I've been running on my server for the past 18 months without a single issue.

Without seeing the actual MCA errors it is impossible to start issuing blame.  Hardware not working as expected could have many root causes - CPU, motherboard, RAM, BIOS settings or BIOS code itself, the list could go on.

But sometimes it is best to move on to different hardware, especially if you don't have a compelling reason to stick with the one giving issues.
#5
Hardware and Performance / Re: AMD hw random reboot
June 23, 2024, 11:24:06 PM
Early Ryzen CPUs (ZEN/ZEN+) had some issues running Linux OS, though it typically manifests as system lock up vs rebooting.  Later CPUs seem to work much better, as there are many data centers running the same processor die (EPYC).

Some immediately say "Disable C-States" but that is a very drastic solution, one of last resort.  It basically disables one of the best features of modern AMD CPUs - its power management.  Unless you have hundreds of active clients being routed on your bare metal system, you will appreciate the power savings over time.

The two things I've found to be effective on my Ryzen-based servers (my OPNsense is on an Intel N5105) are:

-- In the BIOS, set Power Supply Idle Control to Typical Current Idle (or some equivalent wording in your particular BIOS)
-- Don't use XMP or any overclocking timing for your DRAM.  Your 2400G is a 1st gen ZEN processor, so your memory speeds should be set to a much lower timing than the marketing "DDR4 3200" would make you think.  (See below)

I initially had issues running a 1st gen Ryzen 1500X in an Unraid server.  After changing these two parameters in my BIOS, that system has run flawlessly for a couple of years.

#6
I picked up a cheap domain and use Cloudflare Tunnel in front of my reverse proxy (NPM).

Some additional benefits using free Cloudflare services are you can also do geo-blocking, get some threat/bot protection, and user authentication.
#7
Routers and switches are technically two different things.  In a home network, what people commonly call a "Router" is actually a combined router, switch, basic firewall and wireless access point.

In the simplest terms/view:
A router connects different networks.
A switch connects devices on a single network, and directs packets to the addressed device.

OPNsense is more accurately a router and firewall.  It does have the ability to also handle LAN switching tasks, but it is more efficiently handled by use of dedicated switch hardware (as OPNsense needs to handle switching tasks by using CPU resources).
#8
23.7 Legacy Series / Re: Telegram Notifications
November 11, 2023, 04:33:02 PM
Another +1 for Telegram notifications.

People do not watch their email (unless sitting at a desk in their work environment) like they once did 15 years ago.  I use Telegram nearly exclusively for my network and server notifications, be it those generated by the OS itself, applications running on servers, or even in my self-generated bash scripts.  I use two different Telegram bots (one for system stuff, one for applications) that have different notification tones.  This is much more useful, as I can immediately know which are notifying me even before I take my phone out of my pocket.  With email, you get one ding, be it from your system or the third email about sales at Best Buy.
#9
Thanks franco.  I tried again, but end up with the same result.  Working with ddclient as backend.  Not working with native.

I deleted all accounts then removed and reinstalled plugin.  Set a bogus IP address in the duckdns website for my testing domain.  Reinstalled plugin.  Set Backend = native (it defaults to ddclient).  Hit Apply and restarted service.  Created account, Save, Apply.  Result was failure message in log and no update recorded on duckdns website.

Next I deleted account, set backend = ddclient.  Hit Apply and restarted service.  Created account, Save, Apply.  Success message in log and updated IP address shown in duckdns website.

Very strange.  I understand where you were going with your last post, makes perfect sense.  But I guess I'll stay on the ddclient backend for now.  It isn't mission critical for my setup, as it is only used as an ISP/firewall watchdog (all of my true domains are managed via Cloudflare tunnels).
#10
Sorry to have dropped off the radar for several days.  I had been reading your responses (and much appreciate them).  My work has me doing four 12 hour days, then followed by a family emergency.

I tried what was suggested previously, none of it giving much success.  I have finally received a positive result from both my logs and duckdns, by doing the unexpected - I set the Backend to ddclient, not native.

I'm not one to argue with success, but I thought that native was developed specifically to work with OPNsense?
#11
franco, CJ and newsense - Thank you all for your input.  I keep on learning with it all.  As for my flash drive collection, old habits die hard.  But still a good choice - portable, can usually get it to boot on any system, and lives in the desk drawer where my servers and network live, so I (usually) can find what I need.

CJ is right - Duckdns uses a token in the password field.  I cut/pasted it right from my duckdns.org account page.  What is interesting (and probably a good thing?) is while the string from the log is similar in format to my token, they are not the same.  (same 8-4-4-4-12 char cadence)

As I wrote earlier, I set things up based on a recent post from here.  Not really all that much to configure, so unsure if it is dumbness on my end or ...?  Screenshots attached.

#12
I did.  Set up per this post, from 2023-09-02:
https://forum.opnsense.org/index.php?topic=34575.msg173857#msg173857

Created a test domain, manually gave it an incorrect address (to see if it changed by ddclient).  I get nothing but KO in my logs:

DuckDNS update failed for 0da****1-4d80-4820-b**d-b83***6f3815 [duckdns - TEST] with ip 67.246.*3.*6 for domains qwertytest.duckdns.org, response: KO

(some data obscured by me)
#13
Thanks, I had both.  Some may laugh at my key ring full of flash drives, but I have on hand what I need to get myself out of most situations.  That, along with my aversion to any software version that ends in .0 (or even .1, for that matter), is why I waited for 23.7.4 to be released.

Well, that and os-ddclient to work properly with duckdns.  Which it still isn't for me.   >:(
#14
Quote from: shade_ch on September 19, 2023, 03:36:04 PM
Opnsense is currently running on a N5105 with 16GB RAM. Currently <25% RAM is used and most of the time CPU usage is below 20%... and the device acts as a heater... Would there be a more efficient solution in my context ?

What exactly are you trying to remedy?  It seems that your N5105 is performing all the tasks you specified, and is not overtaxed.  If your goal is to use less power, you will likely find that the current sweet spot for power/performance is the N5105.  The older and newer CPUs both tend to use a bit more wattage, which you will especially see if you move down one generation (as the CPU will be working harder and on an older technology node).

You may want to see if tweaking your P-State values may help power usage.  Some systems, out of the box, don't clock down as low as they could.  Your savings with this would still be minimal, and dependent on how much traffic is going through your firewall.

If it is the heat that's bothering you (and I may be incorrectly assuming you are using one of the Chinese 4 port appliances, as I run), that's just a function of a fanless system.  Without a fan, it takes more time for heat to slowly dissipate.  If you are okay with using another watt or two, there are USB fans with speed control available.  I put one which just sits on top of the case heatsink, and keeps my temps between 32-38C.
#15
Done, and completely painless.  You were right smack on the money, just about 6 minutes to having the login screen back.  Updated again to 23.7.4, ran a quick audit and all is good.