Messages

In regards of waveform bufferblaost test,

Do you by chance use ZenArmor maybe? I have seen stalls as well but caused by ZA, as ZA started to block some of the the IPs behind which waveform is hosted. They btw moved the hosting, and since that time ZA started to block it.

Regards,
S.

With the 2.5g, Microtik doesn't really have any choices or I might have bought one. Knock the POE requirement away and the crs326-24s+2q+ and some 2.5g modules would do the trick. 2.5g modules are around $20 from Wiitek (I have a couple of these in service right now, not hot at all), hard to say if I'm getting real 2.5g speeds, but I'm getting more than 1.5g speeds through a Moca 2.5 pair of converters and about 100 feet of RG6, average 4ms ping times which is right in line with what the manufacturer says.

This is not a bad idea at all.

There are some Extreme Networks switches that fit your needs, but you are going to want to wait until you see a bounced of the truck sale. That's how I got my 5420m-48w-4ye (48 gigabit ports with 90 watts POE each port, and 4x25g, with 2x stacking that can be 2x10g, and dual 900 watt supplies) at $400 I couldn't resist. Was brand new in box, but I'm not going to register it.

I totally forgot there is as well Extreme. I had the pleasure with their switches 5-7years ago and I was not so pleased... That 5420m-48w-4ye how loud/noisy it is?

Also look at some of the FS switches, again wait for a bounced off the truck sale on ebay.

Not a bad idea as well will check FS too.

Regards,
S.

This test tool is very nice it provides a lot of statistic and tests a variation of traffic types & patterns.

Its created by the people that are involved in the bufferbloat community, basically people responsible for RFC of CoDel, CAKE and the latest iteration of CAKE for ISP LibreQoS.

For those who didnt know, Dave Täht one of the original creators of CoDel & CAKE (AQMs) sadly passed away in 2025. LibreQoS and the bufferbloat initiative is his legacy

In loving memory of Dave Täht

CRS326-24G-2S+IN > https://mikrotik.com/product/crs326_24g_2s_in

I like this one, I just wished it had 2.5G ports.

Regards,
S.

Keep it that way if you are happy with the performance and stability ;)

I am, for me its perfect, the stuff it can do is above and beyond.

Honestly it never occurred to me to replace OpenWRT with anything else (yet). OpenWRT provides features that are on enterprise HW yet for fraction of the price lets say. Plus I like to mingle with OpenSource stuff and DIY.

So think about this VERY CAREFULLY before you buy anything... ;)

All of these are valid points, when I looked into the Management platform, at least the latest "revamp" sounded to me like a mess.

Mikrotik is great, IMHO. Cheaper, and very feature rich. And reliable, at least in my environment - using only layer 2, switches and APs. It's still called "Router OS" but I only use the layer 2 features. Plus, if you happen to live in the EU ... they are from Europe, too. Sovereignty, customer protection, GDPR, something something ...

This is kinda as well my mindset currently. And strongly plays into the decision making.

They lack a central management solution but if you actively seek to get rid of something like that ... SNMP works great and RANCID supports Mikrotik so you can automatically pull and version configurations in e.g. git.

Good to know!


Thank you both for your opinions and inputs!
Regards,
S.

@meyergru many thanks for all of this awesome info.

Personally I use OpenWRT for APs.

If I already had some Unifi HW the decision would be simpler :D.
Anyway, I will consider all the great info you provided into my decision making.

Regards,
S.

I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for Unifi Gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

Woo thanks for the link! I will look thru it.

The CRS326-4C+20G+2Q+RM compared to yours USW-Pro-HD-24-PoE, has the same amount of ports 20+4 Combo, but it has extra 2xQSFP minus the PoE. From my point of view this Mikrotik switch is more targeted as a CORE/Aggregation where the Unifi is more of an access switch.

I will not lie, I did look on the Unifi switches, they have good performance/cost ratio and lot of variations.
But the main beef I have, and I know this is sounding stupid, is the central management/orchestration. I do not own any other Unifi product, thus I would have to run the Management platform for only one device which sounds to me unreasonable.

So basically I am bit torn apart between getting Mikrotik or getting Unify.

Regards,
S.

Define good.

I need a 24P switch with at least 2x10G ports and with at least 8x2.5G ports.

The only switch that did fulfill this is Mikrotik CRS326-4C+20G+2Q+RM, but its expensive. But on the other hand it was QSFP support which makes it bit future proof.

Regards,
S.

Correct, the MultiCore is still not available for ZA.
Correct, the Multicore if released will be most likely a paid feature (Higher paid tiers) per the roadmap. Even tough several times people asked ZA to clear this point they did not. and only side tracked the question. But assuming whats on the roadmap this looks like the case.

I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE).

I have one with 2x10G AQ NICs + 4x2.5G i226V, and its rock solid. Still looking for a good 10G switch option thou....

Regards,
S.

Code Select Expand

$uname -a
FreeBSD OPNsense.local 14.3-RELEASE-p10 FreeBSD 14.3-RELEASE-p10 stable/26.1-n272044-ff0b11e0a4a4 SMP amd64
Looks good, many thanks!

Regards,
S.

Hi Robin,

we have the same performance issues with 25.10.4 running on DEC3862 Hardware. Using Inter-Vlan Routing, we can't get more than 1.40 GBit/s.
We were wondering why our backups couldn't be finished. We had a time schedule in the policy for this Traffic

We are using Zenarmor. Adding the destination device to the exempt list will gain 200Mbit/s. So 1.60 Gbit/s through the firewall connected via 10G.

Here are some Log-Entries regarding netmap-driver:
2026-03-26T07:32:17Noticekernel[1075847] 737.276528 [4335] netmap_transmit ax0 full hwcur 632 hwtail 710 qlen 945
2026-03-26T07:32:17Noticekernel[1075847] 737.269384 [4335] netmap_transmit ax0 full hwcur 632 hwtail 710 qlen 945
2026-03-26T07:32:16Noticekernel[1075846] 736.190199 [4335] netmap_transmit ax0 full hwcur 789 hwtail 20 qlen 768
2026-03-26T07:32:16Noticekernel[1075846] 736.183147 [4335] netmap_transmit ax0 full hwcur 789 hwtail 20 qlen 768
2026-03-26T07:32:10Noticekernel[1075840] 730.368528 [4335] netmap_transmit ax0 full hwcur 400 hwtail 400 qlen 1023
2026-03-26T07:32:08Noticekernel[1075838] 728.309931 [4335] netmap_transmit ax0 full hwcur 692 hwtail 547 qlen 144
2026-03-26T07:32:08Noticekernel[1075838] 728.302799 [4335] netmap_transmit ax0 full hwcur 692 hwtail 547 qlen 144
2026-03-26T07:32:06Noticekernel[1075836] 726.260388 [4335] netmap_transmit ax0 full hwcur 693 hwtail 718 qlen 998

Best regards

This performance is expected when using ZA.
Those logs are basically in your case saying that the CPU can not handle more & you are hitting a queue and TAIL dropping packets.

Regards,
S.

This is the second time (at least under this current profile) you opened a topic with "I got hacked/OPNsense got hacked" without any proofs and with very weird reasoning.

What you even describe does not give sense.

Regards,
S.

lightweight testing through stress-ng through a cron job.

Yea, careful with this. At the end this tool is a stress test, you can really hammer down the system if you desire so.

Regards,
S.

At least from my point of view the visual aspect is very good.
Its simple and eye catching. Basically providing a simple understanding of whats going on. It looks very natural as well to the other widgets.

For the transfer rates, if you could do bit/s as well pps I would be thankful. PPS is a metric important to troubleshooting for performance, and lot of time omitted and forgotten.

Regards,
S.

That would be be great.

It may seem stupid but I miss to see per interface transfer rates.

Regards,
S.