Messages - g29

#1
I have been experimenting with the Unbound Block List (DEFAULT and USER DEFINED) functionality.

It appears that the DEFAULT list removes duplicate domain and domain pattern entries.

Example: If I select all OPNsense DEFAULT options, the logs indicate it loads over 6M individual entries and coalesces them down to about 3.5M unique entries.  Unfortunately, this final list does not appear to be written to disk for final inspection.

It is not clear if the same thing happens with the USER DEFINED lists, and it appears it does NOT remove duplicates between the DEFAULT and USER DEFINED lists.

Example: If I add some of the same lists that are in the DEFAULT lists into the USER DEFINED lists, the final aggregate number increases (it should NOT increase because they are identical duplicate lists; the URLs are identical).

A simple strcmp() of the list URLs would eliminate such duplicates along with a possible warning log for the user to clean up his duplicate main lists.

Also, it would be nice if both DEFAULT and USER LISTS would have granular duplicate removals at the domain and domain pattern levels (e.g. sort -u).
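The two-level deduplication the post asks for, as an added example that is not part of the original post and not OPNsense's own Unbound block list code: identical source URLs are detected and skipped with a warning (the strcmp() check), and the surviving entries are then deduplicated at the domain level (the sort -u step) after normalizing case, trailing dots and hosts-file prefixes. The list URLs, list contents and the assumption that sources arrive as (url, text) pairs are all constructed for the example.

```python
"""
Added example (not OPNsense code): merge DEFAULT and USER DEFINED block list
sources with duplicate removal at two levels:
  1. identical source URLs, reported so the operator can clean up
  2. identical domains / patterns across all remaining sources
All URLs and list contents below are constructed sample data, not real feeds.
"""
import re

# Pi-hole style lists come in hosts-file form ("0.0.0.0 ads.example") or as
# bare domains; '#' starts a comment in both. Assumed formats, not a spec.
_HOSTS_PREFIX = re.compile(r"^(0\.0\.0\.0|127\.0\.0\.1|::1?)\s+")
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalize(line):
    """Return the blocked domain/pattern from one list line, or None to skip."""
    line = line.split("#", 1)[0].strip()          # drop comments and whitespace
    if not line:
        return None
    line = _HOSTS_PREFIX.sub("", line)            # strip hosts-file target address
    dom = line.split()[0].lower().rstrip(".")     # first token, case-folded, no trailing dot
    if dom in _HOSTS_NOISE:
        return None                               # hosts-file boilerplate, not a block entry
    return dom


def merge_blocklists(default_sources, user_sources):
    """
    default_sources / user_sources: lists of (url, text) pairs.
    Returns (sorted unique entries, stats). stats records how many entries
    were read, how many survived, which URLs were configured twice, and which
    entries appear in more than one list.
    """
    seen_urls = set()
    duplicate_urls = []
    entries = {}          # domain -> set of source URLs carrying it
    raw_entries = 0
    for label, sources in (("DEFAULT", default_sources), ("USER DEFINED", user_sources)):
        for url, text in sources:
            if url in seen_urls:
                # Same list configured twice (e.g. in DEFAULT and USER DEFINED):
                # skip it instead of inflating the aggregate count.
                duplicate_urls.append((label, url))
                continue
            seen_urls.add(url)
            for line in text.splitlines():
                dom = normalize(line)
                if dom is None:
                    continue
                raw_entries += 1
                entries.setdefault(dom, set()).add(url)
    stats = {
        "raw_entries": raw_entries,
        "unique_entries": len(entries),
        "duplicate_urls": duplicate_urls,
        "entries_in_multiple_lists": {d: sorted(u) for d, u in entries.items() if len(u) > 1},
    }
    return sorted(entries), stats


# Constructed sample lists (not real feeds).
LIST_A = """# ads list (hosts format)
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""
LIST_B = """# malware list (domain format)
Tracker.Example.Net   # same host as in list A, different case
malware.example.org
"""
DEFAULT = [("https://lists.example/ads.txt", LIST_A),
           ("https://lists.example/malware.txt", LIST_B)]
# The ads list is added again under USER DEFINED, the situation the post describes.
USER = [("https://lists.example/ads.txt", LIST_A),
        ("https://lists.example/custom.txt", "custom.example.com\nads.example.com\n")]

if __name__ == "__main__":
    merged, stats = merge_blocklists(DEFAULT, USER)
    for label, url in stats["duplicate_urls"]:
        print(f"warning: {label} list {url} is already configured, skipped")
    print(f"{stats['raw_entries']} entries read, {stats['unique_entries']} unique")
    print("\n".join(merged))
```

With the sample data, the duplicate ads.txt URL is reported and skipped, and the four remaining lists' six entries collapse to four unique domains; the stats also show which entries were carried by more than one list, which is the information an operator needs to prune redundant sources.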

#2
The JavaScript code for the "Lobby > Firewall" widget (and other widgets) is located in the following directory:

/usr/local/opnsense/www/js/widgets

In Firewall.js, there are a few things you can change including the length of the top table entries and the threshold when the Firewall Widget transitions between a Pie Chart and a Table.

I was able to change the Cpu.js and the Traffic.js widgets to increase the duration of the X-axis to plot a longer duration history.

Since JavaScript is interpreted, you don't need to recompile it.

Code at your own risk.
#3
A tip for newbies.  I used Perplexity.ai to answer a bunch of questions to set up and test the following OPNsense configuration.

Perplexity is not always correct and you may have to restructure your question(s), but it can in many cases point you in the right direction, quickly locate the right menu option and the appropriate documentation pages.

Hope this tip might be of help to someone.  It helped me expedite the learning process in a timely fashion including learning I could use most of my existing Pi-Hole lists in OPNsense's Unbound blocking lists.  I have been able to eliminate my Pi-Hole server including redirecting all other DNS server requests through the block lists.

Was able to pen test the WAN interface and load test - saturate WAN/LAN and LAN/LAN Bridge connections with bi-directional/full-duplex iperf3 traffic to test the scalability and resource consumption of the configuration.

#4
General Discussion / FIXED !!!
May 07, 2025, 07:02:46 AM
The factory reset must have blown away the coretemp package.

Using the ssh console, MANUALLY reloading the coretemp package restored the CPU temps.

kldload coretemp

Also appears to be a WEB GUI setting.

System > Miscellaneous > Thermal Sensors > Hardware > Intel Core CPU on-die thermal sensor (coretemp)



hwstat
Current Unit
[Coretemp]
CPU0: 23.0 C
CPU1: 23.0 C
CPU2: 24.0 C
CPU3: 24.0 C
CPU4: 23.0 C
CPU5: 23.0 C
CPU6: 22.0 C
CPU7: 22.0 C
[ACPI Thermal]
tz0: 27.9 C
[ACPI Thermal]
tz1: 29.9 C
#5
Newbie question.  I am running OPNsense on a Dell Optiplex (6th Gen Intel) and had CPU temps working in the GUI.



I did a factory reset and switched from a "transparent network bridge" to a conventional "firewall router" config with Unbound block lists and Suricata.

During the process, I am no longer getting any CPU temps in the web GUI.



Running various CLI commands also only turns up 2 Zone temps.

root@OPNsense:/tmp # hwstat
Current Unit
[Coretemp]
CPU0: Cannot get temperature
CPU1: Cannot get temperature
CPU2: Cannot get temperature
CPU3: Cannot get temperature
CPU4: Cannot get temperature
CPU5: Cannot get temperature
CPU6: Cannot get temperature
CPU7: Cannot get temperature
[ACPI Thermal]
tz0: 27.9 C
[ACPI Thermal]
tz1: 29.9 C

root@OPNsense:/usr/local/etc/suricata # sh -c 'sysctl $(configctl system sensors)'
hw.acpi.thermal.tz0.temperature: 27.9C
hw.acpi.thermal.tz1.temperature: 29.9C
root@OPNsense:/usr/local/etc/suricata # sysctl -e `sysctl -aN | fgrep temperature` | sort
hw.acpi.thermal.tz0.temperature=27.9C
hw.acpi.thermal.tz1.temperature=29.9C
root@OPNsense:/usr/local/etc/suricata # sysctl -e `sysctl -N dev.cpu hw.acpi.thermal | fgrep temperature` | sort
hw.acpi.thermal.tz0.temperature=27.9C
hw.acpi.thermal.tz1.temperature=29.9C
root@OPNsense:/usr/local/etc/suricata # sysctl -aF | awk -F ": " '$2 ~ "^IK" { print $1 }' | grep -v "\._" | sort
hw.acpi.thermal.tz0.temperature
hw.acpi.thermal.tz1.temperature
root@OPNsense:/usr/local/etc/suricata # configctl system sensors
hw.acpi.thermal.tz0.temperature
hw.acpi.thermal.tz1.temperature


Anyone have any ideas what would cause the loss?

Currently running OPNsense 25.1_5_5-amd64, FreeBSD 14.2-RELEASE-p2

Thanks in advance for any ideas/suggestions.
#6
Quote from: someone on May 06, 2025, 11:45:13 PM
I changed IPS > Administration > Settings > Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
It's working for now

This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

229,718 Rules

"Error   suricata   [100736] <Error> -- Just ran out of space in the queue. Please file a bug report on this"

Web GUI > Services > Intrusion Detection > Administration > Settings > Advanced:  (Hyperscan and Medium)

Thanks for posting the queue size workaround.

I am just learning OPNsense and the queue size error started today while enabling/configuring Suricata.

It looks like the Suricata rule processing is single threaded (had a ssh top window running). 

I have 8 threads and 32GB of memory and it still ran out of queue space.

The workaround in your post resolved this.