Messages - h3zwe

#1
Hardware and Performance / 10Gbps on DEC740
August 02, 2025, 01:53:09 PM
1-2 years ago I bought a DEC740. I usually run custom builds, but I wanted to support the project. I thought it would last me for a while, and this seemed like a (for me) future-proof purchase.

Today, I decided to plug my Mikrotik CRS305 into one of the SFP ports and run an iperf test from my Linux workstation to the DEC740.

This was unfortunately rather disappointing, at barely over 2 Gbits/sec. Following (fully) https://docs.opnsense.org/troubleshooting/performance.html and (loosely) https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/ got me to a reasonably stable 2.58 Gbits/sec (both in iperf server and client mode). DEC740 'CPU Usage Total Host' is at 96.28 during the test. Interface speed is shown at 10Gbps in the GUI and shell.

I first thought this was a single-thread iperf problem, but I got the same speed via an SFTP upload (NVMe to NVMe).

All other physical machines/VMs connected to each other via the CRS305 operate at the expected ~10Gbps.

Could this be a compatibility problem with my Mikrotik Active Optics Direct Attach Cable, am I missing some setting, or is the DEC740 simply too weak to drive full 10Gbps speeds?
#2
Quote from: Monviech (Cedrik) on July 12, 2025, 10:19:22 AM
I remember this from last year:

https://forum.opnsense.org/index.php?topic=45652.msg229064#msg229064

That fixed it for me on Version 138.0.7204.96 (Official Build, ungoogled-chromium), though weird that it used to work with it enabled until about a week or so ago.
#3
Quote from: brett.merrick on February 12, 2025, 01:31:33 AM
This seems to be related to having experimental features enabled in chrome or its derivatives.

Go to chrome://flags/#enable-experimental-web-platform-features and click Disable.

That fixed it for me on Version 138.0.7204.96 (Official Build, ungoogled-chromium), though weird that it used to work with it enabled a few versions ago.

Quote from: Patrick M. Hausen on April 16, 2025, 08:29:10 PM
Why would anyone enable "experimental web platform features"? Don't tell me that's (enabled) the default? Wiiilmaaa ...!

OTA flashing my BlueRetro controllers via Bluetooth. I manually enabled it a few years back specifically for this feature.
#4
'Apply' is the next step, which I am not even able to get to given the 'Save' button is non-functional.

Clearing browser cache did not help, still same issue.
#5
After updating from 24.7.12_2-amd64 to OPNsense 25.1.10-amd64, I am no longer able to save firewall rules. The 'Save' button does nothing.

This only happens with (Ungoogled) Chromium, Firefox works fine.

Not sure if this is a 'me' problem only, but thought I'd raise it :)

//EDIT:

Some more details:
- Version 138.0.7204.49 (Official Build, ungoogled-chromium)
- Console gives the following error: firewall_rules_edit.php:1 Form submission failed, as the <SELECT> element named '' was implicitly closed by reaching the end of the file. Please add an explicit end tag ('</SELECT>')
#6
This doesn't directly answer your question, but I've been running the below script for years and it has yet to fail me:


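#!/usr/bin/env bash
# Point a Cloudflare A record at this host's current public IPv4 address.
# Replace each $..._GOES_HERE placeholder with your own value.

# Look up the public address over HTTPS; -f makes curl fail on an HTTP error.
IP="$(curl -fsS https://ipv4.icanhazip.com)" || exit 1

# Overwrite the existing record with the address found above.
curl -fsS -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID_GOES_HERE/dns_records/$RECORD_ID_GOES_HERE" -H "Authorization: Bearer $API_KEY_GOES_HERE" -H "Content-Type: application/json" --data '{"type":"A","name":"$DOMAIN_GOES_HERE","content":"'"$IP"'","proxied":false}' 1>/dev/null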
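
A hardened variant of the script above, as an added example that is not part of the original post: it checks that the looked-up value really is a public IPv4 address before publishing it, and keeps the API token out of the process list. The CF_* environment variable names and the --update switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script. CF_API_TOKEN, CF_ZONE_ID,
# CF_RECORD_ID and CF_RECORD_NAME are assumed environment variable names.

# Succeeds only for a well-formed dotted-quad IPv4 address outside the
# common non-public ranges.
is_public_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then return 1; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi   # RFC 1918
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi                     # RFC 1918
    if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi                     # link-local
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi  # CGNAT
    return 0
}

# JSON body for the record update. The address has already passed
# is_public_ipv4, so it holds only digits and dots.
build_payload() {
    printf '{"type":"A","name":"%s","content":"%s","proxied":false}' "$1" "$2"
}

update_record() {
    ip=$(curl -fsS --max-time 10 https://ipv4.icanhazip.com) || return 1
    is_public_ipv4 "$ip" || { echo "refusing to publish '$ip'" >&2; return 1; }
    # Feed the token to curl as config on stdin so it never appears in argv.
    printf 'header = "Authorization: Bearer %s"\n' "$CF_API_TOKEN" |
        curl -fsS --max-time 10 -K - -X PUT \
            -H 'Content-Type: application/json' \
            --data "$(build_payload "$CF_RECORD_NAME" "$ip")" \
            "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
            >/dev/null
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--update" ]; then update_record; fi
```

Run it with --update from cron once the four variables are exported; without the switch it only defines the functions.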
#7
Likely best to use one of the many scripts available on the Internet for this. For example, https://steven-chau.github.io/2016-03-30-howto-detect-notify-ip-change/
#8
Quote from: foxint on April 16, 2024, 02:55:44 PM
(...)
My modem broke and I thought (since it used to work) I would connect the OPN-PC. It did not.
(...)

You mentioned 'NBN' previously.

If your NBN modem broke, you lost all Internet until NBN replace it, with or without OPNsense.

If your ISP-provided router broke, OPNsense can replace it.

As per @cookiemonster's suggestion, if it's the router, you should take some pictures of your equipment to provide more clarity.
#9
General Discussion / Re: Go to my local nas server
April 16, 2024, 09:35:43 PM
Quote from: tiermutter on April 16, 2024, 07:23:07 PM
Please remember what @meyergru mentioned:
This is not a safe way and the NAS GUI is reachable for anyone (this includes hackers / botnets). This is probably a Synology NAS I am not really firm with, so I don't know how many attacks are running to those devices... Having a QNAP NAS your data will be lost within a few months or weeks, depending on how intense attacks are run.

To add to the above, which is 100% correct (and based on your port it sounds like it's a Synology device), you might want to use something user-friendly like Tailscale (see https://tailscale.com/kb/1131/synology) to connect to your NAS from outside your network.

This allows you to access everything, without opening it up to the world.


Also, instead of NAT reflection, you can override the DNS for that host with 'Services: Unbound DNS: Overrides : Host Overrides'.
#10
Thanks, appreciate the additional context.

With RRD/Netflow disabled and RAM disk for tmp/logs, I'm at about 2GB/day, which given my NVMe's 500TBW rating I am happy with.
#11
Quote from: franco on April 15, 2024, 09:32:06 AM
First of all for your question to make sense you need to say if you mean on UFS or ZFS...


Cheers,
Franco

ZFS :)
#12
Quote from: 5kft on April 07, 2024, 04:57:59 PM
Indeed, when I switched from pfSense to OPNsense I was surprised by the huge amount of disk writes that OPNsense makes.  My gateway was averaging ~3.5GB writes/day, which I found to be rather excessive.  I did a bit of digging and with a few small changes I reduced the daily writes significantly (it's averaging 50MB/day now with no loss in functionality or stability). (...)

And I thought I was doing well with my 2GB/day! I'll have to look into this more to see what else I can reasonably disable. I'd prefer to stick to OOTB settings vs 'hacks', but might have to go down that path by the looks of it...

Quote from: 5kft on April 07, 2024, 04:57:59 PM
(...) There are a number of contributors to writes, one of the largest of which is the RRD data for the Reporting + Health dashboard in the OPNsense control panel.  This is actually straightforward to address - you can simply add an entry in your fstab for "/var/db/rrd" as a tmpfs volume (I use a 64MB volume size for this, also a reboot will be necessary to enable this).  Then go  to System + Settings + Miscellaneous in the OPNsense control panel, then in the "Periodic Backups" section, and change the "Periodic RRD Backup" to "Power off" for maximum write savings (or pick a backup time period you would like). (...)

I actually have 'Periodic RRD Backup' set to 'Disabled'. I believe the system did this automatically when I turned off 'Round-Robin-Database' in 'Reporting: Settings'.

I just noticed that I might have discovered a bug related to this setting too, as my 'Health' dashboard is showing a blank page. Seems to be related to https://github.com/opnsense/core/issues/3141.

Console shows

systemhealth:1462 Uncaught TypeError: Cannot read properties of undefined (reading '0')
    at systemhealth:1462:67
    at Object.complete (opnsense.js?v=4567372b83d8bd1e:298:21)
    at c (jquery-3.5.1.min.js?v=4567372b83d8bd1e:2:28294)
    at Object.fireWith (jquery-3.5.1.min.js?v=4567372b83d8bd1e:2:29039)
    at l (jquery-3.5.1.min.js?v=4567372b83d8bd1e:2:79928)
    at XMLHttpRequest.<anonymous> (jquery-3.5.1.min.js?v=4567372b83d8bd1e:2:82254)
#13
Probably best to start reading the official documentation, or various Internet tutorials before going any further.

OPNsense is 'deny by default', so unless you explicitly set allow rules for your newly created LAN2/LAN3 interfaces, nothing will get out.
#14
Quote from: SerErris on April 04, 2024, 12:27:04 AM
(...)
I do not see the source in the outgoing rule as it is NAT protocol.
(...) Because of NAT the original sender would not make sense as the destination server would not know how to reach my client behind the firewall.
(...)

Apologies, missed that on the first read.

Does enabling 'Log packets matched by automatic outbound NAT rules' under 'Firewall: Settings: Advanced' possibly help with that?

#15
Good to hear.

You might want to redact your personal (public) IP from these logs/screenshots, unless yours is dynamic and changes in the next few hours anyway.