Messages - runo10

#1
I don't have any proxy. Could it be a bug on the OPNsense side?
#2
Quote from: Monviech (Cedrik) on May 12, 2026, 03:09:15 PM
It worked fine before what?

What changed that made it not work? Did you update? What was your last version, what is your current version?

Give some more info please.

Nothing changed.

Current version: 25.7.11_9
#3
Why don't you recommend it?

That's a problem that is not setup-related. It's about the traffic graph. It was working before.
#4
Yes, it looks reversed now.

That IP is scraping, so all traffic comes from WAN -> bridge -> LAN.
#5
There is traffic that comes from the WAN interface to the bridge; it looks like LAN in, but it is not. It was working properly before; now there is a problem.

Also, traffic that comes from the LAN servers looks like WAN out.

It must show the reverse: WAN in and LAN out.
#6
General Discussion / Traffic Graph looks reversed
May 12, 2026, 12:39:35 PM
It was normal, but now it shows incoming traffic from WAN as LAN in, and LAN traffic as WAN out.

#7
Hello,

I have an R210 II (E3-1240 v2) server as an OPNsense firewall with an "Intel(R) I350 (Copper)" Ethernet card. I use transparent bridge mode.
I have packet loss problems.
I have tried many things.

I disabled all offloads and set these tunables:
dev.igb.0.eee_disabled 1
dev.igb.0.fc 0
net.isr.bindthreads 1
hw.igb.tx_process_limit -1
hw.igb.rx_process_limit -1
net.isr.dispatch deferred
net.link.bridge.pfil_onlyip 1
net.inet.udp.checksum 1
net.inet.tcp.tso 0
No hardware acceleration

Those settings didn't help much. I have tried these and it is much better now, nearly solved:

all interfaces MTU 1450, MSS 1412
Firewall -> Normalization -> MSS clamping 1410
use powerd with the maximum setting for all
dev.igb.0.eee_control 0
hw.igb.enable_aim 0
legal.intel_igb.license_ack 1

But it gives 1-2 timeouts per 1000 requests (timeout threshold 5 sec) on the in-country network (HTTPS requests).

And it gives nearly 1 SSL connect error per hour on the global network at Better Stack (uptime checker) (HTTPS requests).

And it gives no errors for ping requests on the global network for now.
Any ideas?
#8
It was 60k pps; I thought the granularity (1 minute) was the base time. I have disabled IPS mode and I use a script to inspect the logs and block IPs via the firewall. Now CPU usage looks better. It may handle 300k-500k pps.
#9
Quote from: pfry on October 25, 2025, 03:29:43 PM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
[...]
Actually these are the default rulesets that are available on the download page. I selected most of them. [...]

Ah, IPS rules. Thanks - I should have figured that out. It's been a while since I (actively) used an IPS - they keep growing...

Do you have a suggestion? Also, I want to block IPs on the firewall that are dropped by Suricata.
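Added example, not from this thread and not OPNsense's or Suricata's own code: the kind of "inspect the logs and block the IPs via the firewall" script mentioned in #8 and asked for in #9. It reads Suricata's eve.json line by line, keeps only alert records whose action is "blocked" (what Suricata writes when an IPS drop actually happened, as opposed to "allowed" for an IDS-only alert), counts drops per source address, skips internal ranges and truncated lines, and emits `pfctl -t <table> -T add` commands for a pf table. The table name `suricata_block`, the `min_hits` threshold and the exclusion list are assumptions; the log lines are constructed with documentation addresses.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Suricata eve.json output (not real traffic, not from the forum post).
# One JSON object per line; RFC 5737/3849 documentation addresses stand in for real hosts.
# The last line is deliberately truncated, as happens when tailing a file mid-write.
SAMPLE_EVE = """\
{"timestamp":"2025-10-25T03:05:11.123456+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","proto":"TCP","alert":{"action":"blocked","signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}
{"timestamp":"2025-10-25T03:05:12.000001+0000","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","proto":"TCP"}
{"timestamp":"2025-10-25T03:05:13.500000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.11","proto":"TCP","alert":{"action":"blocked","signature_id":2010937,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","severity":2}}
{"timestamp":"2025-10-25T03:05:14.000000+0000","event_type":"alert","src_ip":"192.0.2.55","dest_ip":"198.51.100.10","proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2025-10-25T03:05:15.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.10","proto":"UDP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2025-10-25T03:05:16.000000+0000","event_type":"alert","src_ip":"2001:db8::1","dest_ip":"2001:db8:1::10","proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2025-10-25T03:05:17.000000+0000","event_type":"alert","src_ip":"198.51.100.9","alert":{"action":"bloc
"""

# Never auto-block these: RFC 1918, loopback, ULA. Assumed list; add your own public prefixes.
DEFAULT_EXCLUDE = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7"))


def dropped_sources(lines):
    """Count, per source IP, the alerts Suricata actually dropped (alert.action == "blocked")."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line (rotation / partial write): skip rather than crash
        if ev.get("event_type") != "alert":
            continue  # flow, dns, tls, stats ... records carry no verdict
        if ev.get("alert", {}).get("action") != "blocked":
            continue  # "allowed" means IDS alert only; nothing was dropped
        src = ev.get("src_ip")
        if src:
            counts[src] += 1
    return counts


def select_blocklist(counts, min_hits=1, exclude=DEFAULT_EXCLUDE):
    """Addresses with at least min_hits drops, minus excluded ranges and unparsable values."""
    chosen = []
    for ip, hits in counts.items():
        if hits < min_hits:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in exclude):
            continue
        chosen.append(addr)
    chosen.sort(key=lambda a: (a.version, int(a)))  # IPv4 first, numeric order within a family
    return [str(a) for a in chosen]


def pfctl_commands(ips, table="suricata_block"):
    """Runtime pf table update; the table (assumed name) must already exist before -T add."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /var/log/suricata/eve.json, Suricata's default log location
        with open(sys.argv[1], encoding="utf-8") as fh:
            counts = dropped_sources(fh)
    else:
        counts = dropped_sources(SAMPLE_EVE.splitlines())
    for cmd in pfctl_commands(select_blocklist(counts, min_hits=2)):
        print(cmd)
```

Two caveats before piping the output into `sh`: `pfctl -T add` only changes the running table, so on OPNsense the addresses should also be kept in the alias (or the table reloaded from a file on boot), and during a flood the source addresses may be spoofed, so an automatic blocklist with a low threshold can end up blocking addresses that never sent anything.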
#10
Quote from: BrandyWine on October 25, 2025, 09:01:50 AM
What does this fw do?
Load seems high. Why not press SHIFT+P and then take a pic? 1.87 is not terrible for that Xeon, but you need to look at each core's usage; my guess is cpu0 is probably pegged.
And you are very close to swap when you took that pic; maybe watch 'vmstat 1' for a bit?

Does this fw have hyperT disabled?

I use this firewall only for intrusion detection. Maybe I selected many rules, but the pps is very low. HyperThreading is enabled.

#11
Quote from: BrandyWine on October 25, 2025, 07:05:19 AM
I prefer the load averages as seen at the top of top.

SHIFT P

Pic that down to the 1st PID


#12
Quote from: BrandyWine on October 25, 2025, 06:23:31 AM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
I couldn't find a setting for Suricata core usage.

SSH on in, run 'top'
Suricata is sure to be at the top of the list.

Which version of OPNsense are you running?

I looked at it wrong, by the way. It is 60k per minute. 1k pps is very low, I think. The version is 25.7.6. Does this CPU usage mean Suricata is using one core?


#13
Quote from: pfry on October 25, 2025, 03:48:46 AM
Well, the E3-1240 v2 is a pretty good analog to the Deciso DEC2600/2700 (somewhere in there), which are quoted at 50kpps/85kpps and 500Mb/1Gb respectively. So 60% CPU doesn't sound too bad, especially for a 13-year-old mid-range platform. It's the packet rate that kills you - bandwidth is much easier to handle. I wouldn't expect the large number of rules to be an issue (although I'd question what you are attempting to address with 170k of them), but others here would have more experience with that.

How even (across cores) is that CPU utilization?

Thank you for the answer.

I couldn't find a setting for Suricata core usage.

Actually these are the default rulesets that are available on the download page. I selected most of them.

I tried many configs and in the end I lowered the maximum states and maximum table entry counts to 1M. Now CPU usage is between 13%-20%. And Gemini suggests disabling flow control.

I am a virtual machine service provider (VDS/VPS). There may be a big attack, I am not sure. But I want to handle 2-3 Gbit attacks. I think this is a small attack with 60k pps and 30 Mbit, or can we say that is a good attack too? If I think linearly, it will handle 300k pps and 150 Mbit with one CPU. Will it be okay for attacks? Will 1M maximum states and 1M table entries be okay for 300k pps?

#14
Hardware and Performance / IPS/IDS Performance Problem
October 25, 2025, 03:12:57 AM
Hello everyone,

I have an E3-1240 v2 as the CPU on my firewall server, with Intel 1 Gbit NICs.

I get a 30 Mbit attack with 60k pps, and CPU usage is 60%. I wasn't expecting this much CPU usage with this bandwidth. I tried Hyperscan; it is better, but not much of a change.

I have many rules enabled on IDS/IPS. Can that cause this much of a problem? Or is this hardware not enough for 500 Mbit IPS/IDS handling with 1 CPU?

I use OPNsense as a transparent bridge.

There are 170k rules, by the way.
#15
General Discussion / Transparent Bridge Mode
September 14, 2025, 08:49:05 PM
Hello everyone,

I have a main server and I want to place it behind OPNsense. My main server has virtual machines which have different WAN IPs.

I find transparent bridge mode is suitable for me. I followed this tutorial but it doesn't work. Any opinions?

My placement:

WAN: just an empty WAN
has no IP
no DHCP

LAN: just an empty LAN
has no IP
no DHCP

bridge0: WAN, LAN
has gateway and IP
no DHCP
I can access the OPNsense panel on bridge0 from my browser

WAN port <-> OPNsense server <-> LAN port <-> main server

Firewall:

WAN -> any to any open
LAN -> LAN to any open
bridge -> any to any open

Outbound NAT rule generation disabled
pfil.member 0
pfil.bridge 1