Messages - runo10

#1
Hello,

I have an R210 II-1240v2 server as an OPNsense firewall with an "Intel(R) I350 (Copper)" Ethernet card. I use transparent bridge mode.
I have got packet loss problems.
I have tried many things.

I disabled all offloads and set these tunables:
dev.igb.0.eee_disabled 1
dev.igb.0.fc 0
net.isr.bindthreads 1
hw.igb.tx_process_limit -1
hw.igb.rx_process_limit -1
net.isr.dispatch deferred 
net.link.bridge.pfil_onlyip 1
net.inet.udp.checksum 1
net.inet.tcp.tso 0
No hardware acceleration

Those settings did not help much. I have tried these and it is much better now, nearly solved:

all interfaces mtu 1450, mss 1412
firewall normalization-> mss clamping 1410
use powerd and maximum setting for all
dev.igb.0.eee_control 0
hw.igb.enable_aim 0
legal.intel_igb.license_ack 1
 
But it gives 1-2/1000 request timeouts (timeout threshold 5 sec) in the country network (HTTPS requests).

And it gives nearly 1 SSL connect error per hour on the global network at Better Stack (uptime checker) (HTTPS requests).

And it gives no error for ping requests on the global network for now.
Any idea?
#2
It was 60k pps, I thought the granularity (1 minute) was the base time. I have closed IPS mode and I use a script to inspect logs and block IPs via the firewall. Now CPU usage looks better. It may handle 300k-500k pps.
#3
Quote from: pfry on October 25, 2025, 03:29:43 PM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
[...]
Actually these are default rulesets that are available on the download page. I select most of them. [...]

Ah, IPS rules. Thanks - I should have figured that out. It's been a while since I (actively) used an IPS - they keep growing...

Do you have a suggestion? Also I want to block IPs on the firewall that are dropped by Suricata.
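As an added example (not code from the original posts, OPNsense or Suricata), a script in the spirit of the one mentioned in #2 and #3: it reads Suricata EVE JSON lines, keeps only the alerts Suricata itself dropped, and builds the pfctl calls that add those source IPs to a pf table. The table name suricata_block, the allowlist and the sample log lines are assumptions.

```python
import json
import subprocess
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (not from the original post):
# two blocked alerts from one source, one from another, one alert Suricata
# only logged (action "allowed"), a flow record, and a truncated last line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-10-25T03:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"constructed sig A","severity":1}}',
    '{"timestamp":"2025-10-25T03:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.11","proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"constructed sig A","severity":1}}',
    '{"timestamp":"2025-10-25T03:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.44","dest_ip":"203.0.113.10","proto":"UDP","alert":{"action":"blocked","signature_id":1000002,"signature":"constructed sig B","severity":2}}',
    '{"timestamp":"2025-10-25T03:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.99","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","signature_id":1000003,"signature":"constructed sig C","severity":3}}',
    '{"timestamp":"2025-10-25T03:00:05.000000+0000","event_type":"flow","src_ip":"192.0.2.99","dest_ip":"203.0.113.10","proto":"TCP"}',
    '{"timestamp":"2025-10-25T03:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.5',
]


def dropped_sources(lines, min_hits=1, allowlist=()):
    """Count, per source IP, the alerts Suricata itself dropped (event_type
    "alert" with alert.action "blocked"); skip allowlisted addresses and
    sources seen fewer than min_hits times, so one stray alert never blocks."""
    hits = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line while Suricata is still writing the file
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("action") != "blocked":
            continue
        src = ev.get("src_ip")
        if src and src not in allowlist:
            hits[src] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def pfctl_commands(ips, table="suricata_block"):
    """Build the pfctl invocations that add each IP to a pf table; the table
    name is a hypothetical alias that the firewall's block rule references."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in sorted(ips)]


if __name__ == "__main__":
    # On the firewall itself: read the live log and apply the commands.
    with open("/var/log/suricata/eve.json", encoding="utf-8") as fh:
        to_block = dropped_sources(fh, min_hits=3, allowlist={"203.0.113.1"})
    for cmd in pfctl_commands(to_block):
        subprocess.run(cmd, check=True)
```

Entries added with `pfctl -T add` do not survive a filter reload, so the script has to be re-run after reloads or feed a persistent alias instead.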
#4
Quote from: BrandyWine on October 25, 2025, 09:01:50 AM
What does this fw do?
Load seems high. Why not press SHIFT+P and then take a pic? 1.87 is not terrible for that Xeon, but you need to look at each core's usage; my guess is cpu0 is probably pegged.
And you are very close to swap when you took that pic, maybe watch 'vmstat 1' for a bit?

Does this fw have hyperT disabled?

I use this firewall only for intrusion detection. Maybe I select many rules but pps is very low. HyperThreading is enabled.

#5
Quote from: BrandyWine on October 25, 2025, 07:05:19 AM
I prefer the load averages as seen at the top of top.

SHIFT P

Pic that down to the 1st PID


#6
Quote from: BrandyWine on October 25, 2025, 06:23:31 AM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
I couldn't find a setting for Suricata core usage.

SSH on in, run 'top'
Suricata is sure to be at top of the list.

Which version of OPNsense are you running?


I looked wrong, by the way. It is 60k per minute. 1k pps is very low, I think. Version is 25.7.6. Does this CPU usage mean Suricata is using one core?


#7
Quote from: pfry on October 25, 2025, 03:48:46 AM
Well, the E3-1240 v2 is a pretty good analog to the Deciso DEC2600/2700 (somewhere in there), which are quoted at 50kpps/85kpps and 500Mb/1Gb respectively. So 60% CPU doesn't sound too bad, especially for a 13-year-old mid-range platform. It's the packet rate that kills you - bandwidth is much easier to handle. I wouldn't expect the large number of rules to be an issue (although I'd question what you are attempting to address with 170k of them), but others here would have more experience with that.

How even (across cores) is that CPU utilization?

Thank you for the answer.

I couldn't find a setting for Suricata core usage.

Actually these are the default rulesets that are available on the download page. I select most of them.

I tried many configs and at the end I lowered the maximum states and maximum table entry counts to 1m. Now CPU usage is between 13%-20%. And Gemini suggests closing the flow control.

I am a virtual machine service provider (VDS/VPS). There may be big attacks, I am not sure. But I want to handle 2-3 Gbit attacks. I think this is a small attack with 60k pps and 30 Mbit, or can we say that is a good attack too? If I think linearly, it will handle 300k pps and 150 Mbit with one CPU. Will it be okay for attacks? Will 1m maximum states and 1m table entries be okay for 300k pps?

#8
Hardware and Performance / IPS/IDS Performance Problem
October 25, 2025, 03:12:57 AM
Hello everyone,

I have an E3-1240v2 as the CPU on my firewall server. Intel 1 Gbit NICs.

I get a 30 Mbit attack with 60k pps. And CPU usage is 60%. I wasn't expecting this much CPU usage with this bandwidth. I tried Hyperscan, it is better but not much change.

I have many rules enabled on IDS/IPS. Can it cause this much of a problem? Or is this hardware not enough for 500 Mbit IPS/IDS handling with 1 CPU?

I use OPNsense as a transparent bridge.

There are 170k rules, by the way.
#9
General Discussion / Transparent Bridge Mode
September 14, 2025, 08:49:05 PM
Hello everyone,

I have a main server and I want to place it behind OPNsense. My main server has virtual machines which have different WAN IPs.

I found transparent bridge mode is suitable for me. I followed this tutorial but it doesn't work. Any opinions?

My placement:

WAN: just an empty WAN
has no IP
no DHCP

LAN: just an empty LAN
has no IP
no DHCP

Bridge0: wan, lan
has gateway and IP
no DHCP
I can access the bridge0 OPNsense panel from my browser

wan port <-> OPNsense server <-> lan port <-> main server

Firewall:

wan -> open any to any
lan -> lan to any open
bridge -> open any to any

outbound NAT rule generation disabled
pfil.member 0
pfil.bridge 1
#11
Thanks a lot, then better to go with bridge mode and L3-L4 security.
#12
Dude, why did you get angry? I have just asked for solutions. Its suggestion looks logical to me, but if it's wrong please correct it. Here is the complete explanation:

Quote
Map Public IPs to OPNsense: Your internet provider or data center will route your entire block of public IPs to your OPNsense WAN interface. In OPNsense, you'll configure these as Virtual IPs (Interfaces > Virtual IPs). This tells OPNsense that it is responsible for handling all of those IPs.

Assign Private IPs to VDSs: Inside your Proxmox server, you'll need to configure each VDS to have a static private IP address (e.g., 10.0.0.1, 10.0.0.2, etc.). This is a crucial step to ensure the IP-based routing works correctly, as the VDS's private IP won't change.

Configure 1:1 NAT: This is the most important part. You'll set up 1:1 NAT (Network Address Translation) rules in OPNsense (Firewall > NAT > 1:1). Each rule will create a permanent, one-to-one mapping between a public IP and a private VDS IP. For example:

Public IP 203.0.113.10 is mapped to private IP 10.0.0.1.

Public IP 203.0.113.11 is mapped to private IP 10.0.0.2.

Manage SSL and WAF: With the traffic routed correctly, you can now manage SSL certificates and WAF rules for each VDS in the reverse proxy settings. OPNsense's ACME client will automatically issue and renew certificates for each domain, and the WAF will inspect traffic for each VDS separately.
#13
Gateway -> OPNsense server -> Proxmox server (VDSs)

multiple IPs -> OPNsense -> VDSs

Gemini suggests 1:1 NAT routing for WAF and multiple IPs. But I need to assign MAC addresses manually.
#14
Actually it must be possible, but probably there is no configuration for that and I will not be able to configure this. When I talked to Gemini, it said to route public IPs to the private IPs of the VPS as a reverse proxy. Not domain-based but IP-based proxy.
#15
OPNsense doesn't need to use the customers' certificates. But VDSs have different IPs. OPNsense will be a bridge, not a proxy; will it differ? Can OPNsense terminate different IPs for different domains and use auto-issued certificates?