Messages

OpenIndiana or IllumOS might be interesting, too bad Apple stopped making their BSD flavor available (Darwin).

I'd agree that a Linux version would be nice to have, but the lift to get there is just monumental without a serious influx of very larger amounts of cash money to hire a team to make it happen. And if that happens, let me make people mad, I'd put it on openSuse Leap Micro.

So this is Proxmox... Can it handle the hardware offloading, or is this turned off? If you have it off, can you turn it on. Or the other way around depending on the circumstances.

With the 2.5g, Microtik doesn't really have any choices or I might have bought one. Knock the POE requirement away and the crs326-24s+2q+ and some 2.5g modules would do the trick. 2.5g modules are around $20 from Wiitek (I have a couple of these in service right now, not hot at all), hard to say if I'm getting real 2.5g speeds, but I'm getting more than 1.5g speeds through a Moca 2.5 pair of converters and about 100 feet of RG6, average 4ms ping times which is right in line with what the manufacturer says.

Now that said, I haven't priced any Mikrotik gear in a while, not since before the great AI wars, they might be goofy priced right now. Both of the crs326 that I have were under $600 new (one for my personal lab, and another for work because I liked it so much).

There are some Extreme Networks switches that fit your needs, but you are going to want to wait until you see a bounced of the truck sale. That's how I got my 5420m-48w-4ye (48 gigabit ports with 90 watts POE each port, and 4x25g, with 2x stacking that can be 2x10g, and dual 900 watt supplies) at $400 I couldn't resist. Was brand new in box, but I'm not going to register it.

Also look at some of the FS switches, again wait for a bounced off the truck sale on ebay.

Do you have any IDS/IPS or other filtering installed? Possible one of those changed.

Do you have ZFS and snapshots before and after the December updates? You could roll back to a previous and see if the speeds go back up and work forward from that point.

Glad you did a direct test on your modem, Spectrum was horrible when we had it, more down and than when we finally cancelled. Dealing with T-Mobile Home internet now (5g) and it's OK enough.

I have one with 2x10G AQ NICs + 4x2.5G i226V, and its rock solid. Still looking for a good 10G switch option thou....

Define good. I have a Mikrotik CRS 326-24s+2q+ that works well, 24 sfp+ and 2 qsfp+ ports (mine are broken out to 8 more 10g ports). I also have their smaller CRS309-1g-8s+in (or something like that) which also work very well but I outgrew it, needed more ports. Those are really the cheapest options I would personally look at. I don't have much for 10g copper, generally I don't like it due to module heat, a DAC or fiber works better for a lot of things. My NAS has an AQ copper 10g connection, so I do have a hot module in the CRS 326.

If the image is UEFI, then DD should produce a UEFI USB stick, correct? Pretty sure I've used this, but it's usually through Rufus and I do this when I get problems with linux versions mismatched to what Rufus thinks it should be doing. DD generally allows the thing to boot afterwards.

And I don't see why Debian wouldn't run, I doubt there are any major hardware pieces that wouldn't have drivers.

Ventoy also often works, there are a few times when it lets me down, but those are fewer and far(er) between with the latest version.

Thinking back to my first question, I think I'm right. I DD'd (in Rufus) the SUSE Harvester ISO to a USB and it boots UEFI, this install no longer uses BIOS boot as an option since (I think) v1.7.0 release. I'm positive this was the process I used on the v1.7.1 iso when I updated my lab with new hardware (sold my last kidney for some larger ssd for the OS).

Here's a stupid question... Have any of you that can actually use these "big" throughput speeds tried to DIY a server to test the speed of the software itself? I don't even have a lan to lan 10g connection available, but I definitely get gigabit between my lans. I may be able to change this and test 10g on a DIY server, but that's waiting to see what I have for year end funds to buy new hardware, and I may option for more 2.5g than a pair of 10g.

If I ever get time for some testing, I can set up a DIY based on intel x710 and try 10g to 10g lan connections with things like SMB shares, but that's a distant future unless I have an emergency failure and have to put things into motion quickly (lab equipment to production). (HP T740 with 8gb or 16gb, x710 quad port, and single i226v through a+e slot, uses AMD v1756b which is not the fastest)

I thought multithread was available in one of the paid versions?

The faster the clock speed, the better ZA will run, kind of the only rule of thumb we currently have. I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE). I only have gigabit out to wan, so don't need the i226, but it's what I'm finding because it's what most people want going forward.

Also looking at a different model with 8 i226 ports, not seeing anything with "cheaper" i350 ports anymore, and I'm not going to try Realtek for real work.

Eventually all the other devs will leave and back something else, or fork it again.

Prices being what they are, I'm having to think about what I can use to replace my current firewall. I wanted to go with a nice DEC2770, but my budget keeps being shrunk, and they are not allowing me to add $2k for that firewall.

So I'm looking at n355 powered "generic" boxes (probably CWWK inside) that have 6x i226 connections, dual nvme slots and a single DDR5 slot for either 16gb or maybe more.

Are the i226 drivers worked out to the point where I won't have to fool with things too much? Are these "generic" boxes even worth bothering?

On pf long ago, Suricata was multithreaded which gave a performance boost over Snort.

As far as performance impact, if every rule is turned on, every rule must be checked and that takes time and RAM. Pass it through Zenarmor too and down it does.

With both Suricata and Zenarmor on my old low power Xeon based system (4c8t) and 16gb of ram, my gigabit connection give me about 600mbps down and we still get nearly gigabit up. More cores, faster clock, plenty of RAM seems to be the way to go. With modern i3 or n305 processors, you should out perform my firewall by a lot.

Suricata should be multithreaded, it definitely was when I was running it on pfsense, and I'm guessing it is on OPNsense. Snort was single threaded for a long time, I think they may have fixed this by now (but not sure).

Is it really paying OPNsense or is it paying Microsoft? I could see a 50/50 split, but OPNsense better get something.

How long did it take Linux to really get rolling on x86? RISC-V is fairly new still.

I've generally found that blocking anything related to outlook.com will break stuff your users need. We are a Microsoft plant so this could break way too many things for me to even try. There are only a few Microsoft related things I can block (a couple of trackers) without getting problems in applications I actually need.