Messages - Supermule

#1
We stopped using OPNSense for the same reasons for VPN.

Back to RRAS in windows and it works perfectly. Connects and keeps the connection no problems.

Anything terminating at the perimeter is way too sensitive when keeping thousands of VPNs running at any one time.

#2
That's normal. You are DDoS'ing yourself and the pipe cannot keep up. It builds a queue and eventually the connection dies.

You need to throttle the connection so vital traffic is kept alive.

#3
If the hardware matches, the hypervisor can push 20gbit/s.

It adds almost nothing, and if you are worried then use passthrough on the NICs.

#4
Pfsense has the same issues on the later builds.

#5
Quote from: chemlud on April 27, 2023, 05:00:38 PM
Quote from: Supermule on April 27, 2023, 03:36:50 PM
Both running 23.x and that got me curious.

Is it because of the base OS or just coincidence??

OMG, Supermule, you had much better posts in the past... :-D

I know but got me wondering.  ;D ;D

#6
Both running 23.x and that got me curious.

Is it because of the base OS or just coincidence??

#7
I'll bet you it's CPU related.

Do you have the option to run a XEON instead??

#8
Use 172.16.1.0/24 instead.

I had a Fritzbox and replaced it with a converter since I didn't want double NAT.

#9
General Discussion / Re: A fork of opnsense?
April 07, 2023, 11:52:19 AM
Quote from: franco on April 06, 2023, 09:15:21 PM
One thing of note here is that Greg was active in the forum in the early days. I think you can find the discussion about him wanting a firewall API (or complaining about lack of it), but unwilling to fund it directly but rather through workforce hired by him. This was (and still is) problematic for simple code review and audit reasons since the changes are possibly huge and a design document was also not being proposed at that time.

About the fork, if you can call a periodic full update of an older version discontinued by us that, what struck us as odd was the bold behaviour to base their releases on our business release branches that we open-sourced in order for people to look at the contents, but we have since decided to discontinue these branches for that single fact alone.

If you look at the commits you see that plugins were thrown into the core and the plugin repository itself scrapped creating a full UTM type software that is "easier to maintain". And if you take another look at the commits you see that operational issues and fixes are not being worked on as a steady stream of updates that make up most of your stable updates. For some reason it's enough to do a new version once or twice in a year and all users are happy.

Disclaimer: I'm not complaining. It is what it is. ;)


Cheers,
Franco

It's like an LTSC in Microsoft terms. Long Term Service Channel is the Enterprise branch of the updates users get and the troubles they have with them.

They are then merged into the service channel in big commits every 6 months, making sure everything is running great and stable for production environments.

They have a huge testing community, aka us... and then take the best parts and merge them into their own releases.

Clever way of doing business.

#10
General Discussion / Re: A fork of opnsense?
April 06, 2023, 08:53:17 AM
ToDoo becomes DynFi and continues its development

ToDoo actively supports the creation of the pfSense software fork: OPNsense®, we were one of the first partners of the project in 2015.

In 2017 ToDoo started developing "DynFi® Manager" software, the first centralized management solution for open source firewalls, compatible with pfSense and OPNsense firewalls. DynFi believes that pfSense and OPNSense software should have a centralized management solution. That is why we have invested so much time, energy and money in developing this software.

We believe that with DynFi® Manager software, we have met a major challenge that neither player had the time or willingness to take on: enabling centralized firewall management in an efficient and seamless manner.

In 2019 the company decided to create a fork of the OPNsense software named "Dynfi Firewall", 100% based on a compilation of the sources and the FreeBSD kernel.

In 2020 the company ToDoo changes its name to DynFi and continues its development in France and Europe.
The DynFi brand is now a worldwide brand.

We continue to be very involved in the community of open source firewall users. Our CEO Grégory BERNARD regularly participates in international cybersecurity conferences as a speaker, notably in 2019 for the Paris Open Source Summit 2019, and in 2021 for Open Source Experience.

DynFi is dedicated to helping enterprises get the most out of their firewalls.

#11
Running any kind of packages??

#12
Piece of cake. Run more virtual appliances and load balance them.

You can do that in VmWare on the hypervisor itself.

We have pushed 80+ Gbit with full IDS/IPS in lab testing environments....

#13
Quote from: pmhausen on January 01, 2023, 02:03:13 PM
But with 10 Gbps network to scan as the OP asked, and 9X% of all traffic being irrelevant - do you really think SATA could ever become a bottleneck?

You don't log unsuspicious/permitted connections, do you?

It becomes a bottleneck when Suricata writes to the logs no matter the ruleset/traffic.

In "the other sense" as soon as it sees above the 200.000 PPS mark it becomes sluggish because of the disk subsystem and the logging...
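
The logging-volume point in the post above, as an added illustration that is not part of Supermule's post or of OPNsense's own configuration: the two `outputs:` fragments below use stock Suricata `suricata.yaml` syntax (OPNsense renders its suricata.yaml from the GUI, so this shows the underlying setting rather than a screen in the OPNsense UI). The first fragment logs every flow, HTTP, DNS and TLS transaction, which at high packet rates is a sustained disk write for traffic that matched no rule; the second keeps alert records (with the triggering packet for later forensics) and a periodic stats record only. The log paths and the 60-second stats interval are assumptions. The two fragments are separated with `---` purely so the file stays parseable as two YAML documents; a real suricata.yaml contains one `outputs:` key.

```yaml
# Added example: Suricata eve-log output before/after trimming for a
# high-PPS sensor. Stock suricata.yaml keys; paths are assumptions.

# Verbose: each flow/HTTP/DNS/TLS transaction becomes a JSON line on disk
# whether or not any rule matched. At hundreds of thousands of PPS this is
# continuous write load on the log disk, independent of the ruleset.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json   # assumed path
      types:
        - alert
        - http
        - dns
        - tls
        - flow
        - files
---
# Trimmed: alerts only (packet and metadata kept so an analyst can still
# reconstruct what fired), plus stats. Per-thread files stop all worker
# threads serialising on one file, and daily rotation bounds file size.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json   # assumed path
      threads: yes
      rotate-interval: day
      types:
        - alert:
            packet: yes
            metadata: yes
        - stats:
            totals: yes
            threads: no
  - fast:
      enabled: no   # fast.log duplicates the alert records above

# Stats emission rate is a top-level setting, not an eve-log option.
stats:
  enabled: yes
  interval: 60   # assumed; the stock default is 8 seconds
```

Dropping flow, DNS and TLS records removes data that is useful in incident response, so the usual compromise when local disk is the limit is not to discard them but to move them off the firewall: eve-log also supports `filetype: syslog`, `unix_stream` and `redis`, so the same record types can be streamed to a collector instead of being written to the sensor's SATA disk.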
#15
Quote from: seed on December 31, 2022, 11:43:47 PM
Quote from: Supermule on December 31, 2022, 10:59:11 AM
Remember that your SATA bus doesn't push more than 6gbit/s no matter what.

So many of the systems sold cannot push more than that.

SAS pushes 12gbit/s and NVMe is limitless. (more depending on NICs and CPU).

This thread is getting spammed by people who completely miss the topic.
Can the moderators close this topic?

It may take some cpu generations until 10gbps IPS are in reach. Until then this discussion goes nowhere.

So because you don't agree or don't like it, then you ask for a closure....

It can easily be done. Server-grade hardware (dual Xeons) and I710-T4 NICs. This is what we use. It just keeps tugging along at about 1,4MM PPS hardly breaking a sweat.