OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of combsbj »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - combsbj

Pages: [1]
1
24.7 Production Series / System: Trust: Certificates: Show certificate info
« on: November 10, 2024, 04:50:33 pm »
OPNsense 24.7.8-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

After generating a new cert using ACME Client service, it is immediately available in /var/etc/acme-client via SSH/SCP. It is also immediately listed in the trust certificate web ui. However, the info and download button will not work for hours, even after restarting all services.

Is this expected?
Is there a recommended way to download a cert from the web ui after generating in from ACME client?

2
High availability / Dealing with high load on a single instance
« on: November 06, 2024, 10:35:48 pm »
My question about high availability is more on the lines of making sure the management interface and traffic shaping is available on a single appliance.  If there is a more suitable area of the forum to ask, please let me know.

Situation:
I have a newly installed OPNSense appliance with an AMD Ryzen 5 8500G processor, 16gb ram, dual 2.5gb intel nic, and 256gb nvme disk. It has a WAN link of 1gbit down and 600mbit up.

It is running a very lightly used caddy reverse proxy, a wireguard vpn client, and Zenarmor. It is routing for 3 work from home users (light web browsing and steady Zoom and voip usage). One user has occasional large file downloads. I experienced yesterday that one LAN users/host which is routed through the wireguard vpn was pulling down about 700mbit/s for a very large file served by torrent protocol, so multiple sources.

Either the wireguard encrpytion, the Zenarmor inspection, or both were causing the CPU load on the router to hit 100%. This caused the Web management interface to become very unresponsive and two other LAN hosts to experience degraded service with web sites failing to load and voip to become unusable.

Questions:
1. Would a processor with more cores or a faster speed help?  What is recommended hardware specs for 10 devices with 1gbit bandwidth, using wireguard and zenarmor?
2. Is there a way to prioritize or put a resource limit on services so that one service (wireguard or zenarmor) doesn't cause the traffic shaper or web ui service to not work properly?
3. is there a way to look back at logs from yesterday to get to the bottom of whether wireguard or zenarmor was the cause of high cpu load?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2