Messages - pfry

#1
Do you have some constraint that would not allow you to apply or copy (depending on your version and rule architecture) your management interface ruleset to an additional interface?
#2
Quote from: Nullman on May 11, 2026, 06:36:34 PM
[...]Opnsense appliances should always be passive machines with no moving parts.[...]

Opinions are like... (There's a "one size fits all" joke in there somewhere.)

There's nothing wrong with a good passive system. It just costs money. (Note the "good".) (And, going off-topic a bit, it's particularly hard to passively cool a 100+W CPU in an 86+F (30+C) environment.)

Quote
[...]I don't want to think about this. I want to set up my firewall and forget that it's there.

Understandable. A tradeoff I wasn't willing to make. My firewall is not my loudest device, but even if it was, I'd still make the same choice.

Speaking of thermal testing, mprime is generally more appropriate than memtest, but I don't know of a bootable package that contains a newer version (the UBCD's is a bit old). It's easy enough to fire up a live Linux or FreeBSD image and execute it - it just takes a bit more effort than a bootable package.
#3
Quote from: BrandyWine on May 08, 2026, 10:23:02 PM
Help me understand that. Atom based mobo? Vendor-locked NVM?[...]

I could have been more clear. Atom-based integrated system.

As far as the vendor lock, some (most) of my discrete Intel (Intel branded, not OEM) NICs (specifically x710 and e810) only support Intel-branded (in firmware) optics. It's not a driver issue; it appears to be built into the NVM. There is no vendor lock for DAC cables; I haven't tried a UTP SFP+ (I only have one, which sits in a drawer because it's a burning weenie roaster). (Shouldn't be an issue for the original poster.)
#4
Quote from: BrandyWine on May 07, 2026, 08:00:26 PM
IIRC, the ix in kernel tree lists specific models of hardware, much of it being Intel stuff.[...]

I wouldn't expect third-party Atom-based devices to have network interfaces with a vendor-locked NVM... but you never can tell. My one actual Intel 82599 (= x520) is not, but most (but not all) of my x710s are. So as you pointed out, a recommended device is a safe bet. Before Patrick chimes in, there's always fs.com for compatibles.
#5
Have you checked the console?
#6
Quote from: patient0 on May 04, 2026, 07:08:35 AM
[...]If you access the GUI by HTTP you will be redirected to HTTPS automatically.[...]

On the same or a different port? With the redirect option "Disabilita la regola di reindirizzamento..." checked and port 443 specified I would expect port 80 to be unavailable. On my own system, "netstat -a" shows no HTTP port listening. HTTP to my HTTPS port gets no response. (I can't conveniently test port 80 because it's blocked by pf, but with no agent listening, I would expect a closed port response, as I have that enabled.)
#7
Quote from: VRBitman on May 01, 2026, 05:13:27 PM
[...]My CPU is an i9[...]

If you don't mind saying, what hardware precisely (I believe the first "i9" was a Kaby Lake and the last a Raptor Lake)? Also, NIC and RAM.
#8
Quote from: VRBitman on May 01, 2026, 05:13:27 PM[...]
I live alone and I generally use only one device to surf the Internet.

At 25Gb/s? That's some surfing.
#9
Something the Fortinets had that was rather nice was "session-helper" (ALG or protocol parsing) control - you could enable specific ALGs by protocol and port. (Interestingly, I don't see SCTP in my old config template.) Killing the SCTP ALG might be of limited use, though.
#10
Quote from: Patrick M. Hausen on April 29, 2026, 06:28:23 PM
In which way? The devices connecting through the firewall to the other default gateway don't notice the FW.[...]

Just being pedantic. I suppose if well-filtered and on a switched network, it's effectively transparent. ARP requests don't count as discovery, and replies can be filtered if so desired.
#11
...which makes it a bit less transparent. Of course, the utility of transparency in a bridging firewall is questionable, particularly in a private address scheme.
#12
That's a very odd pair of rules. They may be outside of my experience, as I don't use any static NAT. As is, they do not appear to match the marked flows in your logs (source and destination ports and destination address do not match). For more info (e.g. "reason"), hit the "i" to the right of the log entries.
#13
The only things I can think of would be stratum (too high) or auth... but those aren't enumerated as a status. "Not Considered" does not appear in the NTP source. I assume it's a text representation of an ntpq peer status. So... what symbol ("Select Field" code from the URL) appears on the left edge of "ntpq -p"?
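The "Select Field" the post refers to is the single tally character on the left edge of each `ntpq -p` peer line. As an added example (not code from the post or from OPNsense), here is a small parser that decodes that character using the meanings documented for ntpq; the peer lines it runs over are constructed sample output, not a capture from anyone's system.

```python
"""Decode the tally ('Select Field') code at the left edge of `ntpq -p` output."""
import re

# Tally codes as documented for ntpq's peers billboard.
TALLY = {
    " ": "discarded as not valid (not considered)",
    "x": "falseticker (discarded by intersection algorithm)",
    ".": "excess (discarded by table overflow)",
    "-": "outlier (discarded by cluster algorithm)",
    "+": "candidate (included by combine algorithm)",
    "#": "backup (survivor beyond tos maxclock)",
    "*": "system peer",
    "o": "PPS peer",
}

HEADER_RE = re.compile(r"^\s*remote\s+refid\b")


def parse_ntpq_peers(text):
    """Return one dict per peer line, with the tally code decoded to text."""
    peers = []
    for line in text.splitlines():
        if not line or HEADER_RE.match(line) or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # wrapped or malformed line; skip rather than guess
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = fields
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown tally code"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),  # reach is printed as an octal shift register
            "offset_ms": float(offset),
        })
    return peers


# Constructed sample output (assumed hostnames), not a real capture.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net  .GPS.            1 u   32   64  377    1.234   -0.123   0.045
+ntp2.example.net  192.0.2.10       2 u   20   64  377   12.345    0.456   0.789
 ntp3.example.net  .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

if __name__ == "__main__":
    for p in parse_ntpq_peers(SAMPLE):
        print(f"{p['tally']!r} {p['remote']:<18} {p['status']}")
```

A peer with a space tally and reach 0, as in the third sample line, is the case where a GUI would have nothing better than "not considered" to show.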
#14
Hardware and Performance / Re: I2C Interface
April 20, 2026, 04:36:16 PM
Largely a guess, but I figure you'd need something like ig4 (depending on your hardware), either instead of or in addition to the base driver(s) (I don't know what all is required). Interestingly, this is loaded (not explicitly by me) on one of my AMD systems (but no igbus).

Something like superio might also allow monitoring and control, but I don't know of an appropriate utility package.

ACPI may be an option as well... I have a Gigabyte board that exposes some temperature sensors, but no apparent fan monitoring or control (it has no fans).
#15
General Discussion / Re: second LAN port
April 19, 2026, 02:50:03 PM
To correct myself, the new rules allow ruleset sharing.