Messages - Stormscape

#1
For what it's worth, the i5-8500 in my Optiplex 3060 I use for OPNsense easily handles my 2100/200 connection. I usually peak at around 2.40 for CPU usage when downloading. Now granted I'm not doing any sort of IDS, but hopefully that should give you a good idea of what to pick.
#2
Sounds like you made the same mistake I did, and forgot to tell Unbound about dnsmasq being the authoritative DNS server for your local domain. Make sure to follow the OPNsense hosted guide for setting up dnsmasq.
#3
General Discussion / Re: Wireless Access Points
January 15, 2026, 08:32:06 AM
Personally I use TP-Link's Omada APs. They're quite good and can do fast roaming and mesh very easily, if you set up the Controller, which can run on any Windows/Linux machine, or you can use a dedicated hardware controller.
#5
DHCP should be set to authoritative unless there is another DHCP server on the network. It won't fix it, but it should be set anyway so that new devices don't have to be known to get an IP address.
What do the firewall logs show?
#6
Quote from: vimage22 on December 24, 2025, 04:32:56 PM
@DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.

@Stormscape. I do not think your answer is accurate. I use kea for DHCP and unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added after a restart of the unbound service.
Well Kea isn't dnsmasq, now is it?
#7
Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
Screen shot 3. I would turn off DNS within dnsmasq. Change listen port to 0. You also do not need DNSSEC enabled if using quad 9.

I use unbound and it works 100% reliable.

I setup DNS over TLS for quad 9 or similar products though.
Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
#8
Like all software, best to assume it's safe to use unless and until you hear about a CVE.
#9
I'd enable both (that is, EIST and ASPM) unless ASPM is known to cause issues on your specific system. As a comparison, I have both powerd and speedstep running on my box, which is an Optiplex 3060.
#10
Are ports 80 and 443 open on the webserver itself? Is there a firewall enabled and active?
#11
I'm not sure how you expect OPNsense to be able to determine the method that your ISP allocates public IPs.
#12
Have you tried deleting the certificate from the UI and creating a new one with the same settings?
#13
Hardware and Performance / Re: Small formfactor router
August 30, 2025, 12:09:08 PM
Quote from: allenlook on August 27, 2025, 02:35:42 PM
I've been running for 333 days on a MinisForum UN100D, with a 256GB "GOFATOO" NVMe SSD, with 28.4TB written so far, consuming 34% of the drive life. If it dies I'll put another SSD in it, so no big deal, but I *did* turn off NetFlow and RRD as that's all I can figure would write that much data in that amount of time.
Honestly the best thing to do with OPNsense to extend drive lifetime isn't just to buy a higher quality drive, it's to buy a larger capacity drive. I bought a $50 512GB drive (at the time, it might be cheaper now) for my router not because I thought I would need that much space but because the TBW rating for 512GB is demonstrably higher compared to 256GB drives. I'm at 17% endurance used and 45 TBW after just over 3 years (1110 days power on time).
#14
OPNsense isn't quite that modular. Services that "aren't needed" might be a dependency for what you are using. It's taking up minimal disk space and even if you removed them, they'll reappear when you install an update. The only things you can safely remove are anything listed under plugins.
#15
Have you tried manually going to services_dhcp.php?if=lan to see if it's just a UI issue? That's the URL for the ISC DHCP configuration page. Replace "lan" with whatever you have called your LAN interface.