Messages - will

#1
17.1 Legacy Series / Re: Use as HA DNS/DHCP?
February 18, 2017, 05:08:28 PM
Quote from: bartjsmit on February 18, 2017, 11:12:52 AM
If you need this feature, I'm sure you have considered Windows servers for this but I'll mention for completeness sake that DHCP failover https://technet.microsoft.com/en-us/library/hh831385(v=ws.11).aspx combined with AD integrated DNS will do the same, but for a price.

I'm not sure I'd use Windows for any kind of authoritative DNS role unless you really had to ;) Far better open source options out there (PDNS / BIND / NSD / Knot etc.)

However, I would agree that if you are after a DHCP server that is capable of stateful failover and good HA and has a pretty GUI to configure it with, Windows Server is actually one of the cheapest commercial options you have.
#2
17.1 Legacy Series / Re: Use as HA DNS/DHCP?
February 18, 2017, 05:05:34 PM
If you're after some kind of authoritative server I would not use OPNsense for this; neither of the DNS packages installed is designed for that role.

That being said, Unbound can serve some local data and if it is just for a small / simple setup it may meet your needs; config sync via XMLRPC is supported.

As for DHCP, I had a feature request open for some time to add an enhancement to allow the DHCP server to act as a stand-alone appliance for situations where you are doing DHCP relay for multiple networks back to a single box. Unfortunately I guess this is quite a niche application and so far nothing has been developed that can add these options.

At the moment OPNsense only allows you to configure address ranges for subnets it has an interface configured in; if you don't mind trunking all your VLANs into OPNsense and giving it an interface and IP in each VLAN, then it can certainly do HA DHCP on a single interface like you are asking.
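As an added illustration of the "local data" Unbound can serve (an example configuration written for this page, not the poster's setup and not the unbound.conf that OPNsense generates; the zone name and addresses are made up):

```conf
server:
    # Answer names under home.example from local data and never forward them
    # upstream. "static" means names in the zone that have no local-data get
    # NXDOMAIN instead of leaking to the forwarders.
    local-zone: "home.example." static
    local-data: "fw.home.example.  IN A 192.0.2.1"
    local-data: "nas.home.example. IN A 192.0.2.10"
    # Reverse entry so PTR lookups for the NAS also resolve locally.
    local-data-ptr: "192.0.2.10 nas.home.example"
```

On OPNsense the unbound.conf on disk is regenerated by the GUI, so hand edits are overwritten; the equivalent entries belong in the DNS resolver's host overrides (or its custom options box for directives the overrides cannot express), which is also what the XMLRPC sync carries to the backup node.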
#3
17.1 Legacy Series / Re: RADVD Broken in 17.1.r1
January 21, 2017, 08:22:34 PM
Hi Franco,

Just to confirm that applying the older version and rebooting has fixed both the RADVD and DHCPD6 issues I was seeing: my hosts now have IPv6 again and I can see RAs coming from the OPNsense box.
#4
Hi,

Since upgrading last night to 17.1.r1 it seems that I no longer have working IPv6 on my LAN.

WAN side is fine (PPPoE / DHCPv6) and if I ping from the OPNsense box itself from both LAN and WAN interfaces traffic flows just fine; similarly, if I configure a host in my LAN with a static IPv6 address it also works, so the underlying connectivity is not a problem.

Running tcpdump on the OPNsense box I can see router solicitations arriving from my clients both on my wired and wireless LANs, but I do not see the OPNsense box sending any router advertisements. DHCPv6 is also running, but as my clients are mostly OS X / iOS at home it's hard to test if that is really working too.

Anybody else seeing the same behaviour? 
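The tcpdump check described in the post, turned into a small diagnostic (an added example, not code from the poster or from the OPNsense project). It filters for ICMPv6 Router Solicitations and Router Advertisements, parses tcpdump's default one-line output, and reports whether solicitations are going unanswered. The interface name `igb1`, the link-local address `fe80::1` and the sample lines are assumptions / constructed data, not a capture from the poster's box.

```python
"""Decide from tcpdump output whether Router Solicitations on the LAN are
being answered with Router Advertisements (added example, not from the post)."""
import re
import subprocess
from collections import Counter

# BPF filter: ICMPv6 whose type byte (offset 40, i.e. right after the fixed
# IPv6 header, assuming no extension headers) is 133 (RS) or 134 (RA).
RS_RA_FILTER = "icmp6 and (ip6[40] == 133 or ip6[40] == 134)"

# Matches tcpdump's default one-line summary for these two message types.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, router "
    r"(?P<kind>solicitation|advertisement)\b"
)


def classify(lines):
    """Return (Counter of message kinds, set of RA source addresses)."""
    counts = Counter()
    ra_sources = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[m["kind"]] += 1
        if m["kind"] == "advertisement":
            ra_sources.add(m["src"])
    return counts, ra_sources


def verdict(lines, firewall_lladdr=None):
    """One-line diagnosis. firewall_lladdr is the LAN link-local address of
    the OPNsense box, if known, so an RA from some other host is not
    mistaken for the firewall working."""
    counts, ra_sources = classify(lines)
    rs, ra = counts["solicitation"], counts["advertisement"]
    if rs and not ra:
        return "RS seen, no RA: radvd is not advertising on this interface"
    if ra and firewall_lladdr and firewall_lladdr not in ra_sources:
        return "RA seen only from other hosts: %s" % ", ".join(sorted(ra_sources))
    if ra:
        return "RA present (%d RA / %d RS)" % (ra, rs)
    return "no RS or RA traffic observed"


def capture(iface="igb1", seconds=30):
    """Run tcpdump for a bounded time (root required) and return its lines.
    Uses timeout(1), present on FreeBSD 11 and coreutils; tcpdump's exit
    status after being killed by timeout is deliberately ignored."""
    cmd = ["timeout", str(seconds), "tcpdump", "-l", "-n", "-i", iface, RS_RA_FILTER]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return out.splitlines()


# Constructed sample output in tcpdump's format (not a real capture).
SAMPLE_BROKEN = """\
21:14:01.120033 IP6 fe80::1c:1 > ff02::2: ICMP6, router solicitation, length 16
21:14:05.003201 IP6 fe80::1c:1 > ff02::2: ICMP6, router solicitation, length 16
21:14:09.441900 IP6 fe80::2a:7 > ff02::2: ICMP6, router solicitation, length 16
""".splitlines()

SAMPLE_HEALTHY = SAMPLE_BROKEN[:1] + [
    "21:14:01.120900 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64",
]

if __name__ == "__main__":
    # On the firewall itself: print(verdict(capture("igb1", 30), "fe80::1"))
    print(verdict(SAMPLE_BROKEN, firewall_lladdr="fe80::1"))
    print(verdict(SAMPLE_HEALTHY, firewall_lladdr="fe80::1"))
```

Running `verdict(capture("igb1", 30), firewall_lladdr=...)` on the box gives the same "RS seen, no RA" answer the post reached by eye; the `firewall_lladdr` check is worth keeping because a second router (or a misbehaving client) advertising on the LAN looks like success in a raw capture.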
#5
Just to add what I'm seeing for SNMP / Host resources:

With just SNMP enabled the process consumes 0.1-0.2% CPU.

With all modules except host resources enabled 0.2-0.3% CPU.

With just host resources module 20-30% CPU spiking up to 90% utilisation when the device is queried.


My test setup:
PC Engines APU
SNMP is listening only on one interface (LAN)
17.1.r1 though I noticed this behaviour was also present in 17.1.b
#6
17.1 Legacy Series / Re: RDP Port
January 13, 2017, 01:19:21 PM
No, it's not, but flushing the state table after making NAT changes is sometimes required, and if the OP didn't do that then rebooting the firewall would have had the same effect.
#7
16.7 Legacy Series / Re: 100.000+ NTP queries a second
January 06, 2017, 08:05:14 PM
Question: Why are you even putting this device behind NAT, a firewall is one thing but NAT should not be used here in my frank opinion.

Anyway, really what you are going to care about here is how fast your box can forward traffic in packets per second (PPS), not bit/s, because as you have discovered the actual throughput is very low. Also, small packets will be more taxing on the CPU.

A useful tool to hammer your box with here is something like Cisco TRex (https://trex-tgn.cisco.com).

Here are a few pointers though:

1) Run the OPNsense box on bare metal, or if you must use a VM then at least use some form of direct-io to attach the NICs directly.

2) OPNsense is a software router; performance is CPU and memory bound, so get the fastest you can in both cases. The Atoms are great boxes, but if outright PPS is what you are chasing then an E3 or E5 Xeon is what you should be going for; look for the "frequency optimised" chips perhaps, more GHz, fewer cores.

3) Set the firewall to expire state entries aggressively: Firewall > Settings > Advanced, "Firewall Optimization: Aggressive".
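The PPS-versus-bit/s point above, carried through as arithmetic (an added example, not from the post). It uses the standard Ethernet/IPv4/UDP header sizes and the 20 bytes of preamble, SFD and inter-frame gap that occupy the wire but are not part of the frame; the NTP case assumes a 48-byte NTP message and that every query produces a reply that also crosses the firewall, which is an assumption and not a measurement of the poster's traffic.

```python
"""Frame-rate arithmetic for sizing a software router (added example)."""

ETH_HEADER = 14      # dst MAC + src MAC + EtherType
ETH_FCS = 4
IPV4_HEADER = 20     # no options
UDP_HEADER = 8
MIN_FRAME = 64       # minimum Ethernet frame including FCS
# Preamble (7) + SFD (1) + inter-frame gap (12): on the wire, not in the frame.
WIRE_OVERHEAD = 20


def frame_len(udp_payload: int) -> int:
    """Ethernet frame length (incl. FCS) for a UDP/IPv4 payload, padded to 64 B."""
    return max(MIN_FRAME, ETH_HEADER + IPV4_HEADER + UDP_HEADER + udp_payload + ETH_FCS)


def max_pps(line_rate_bps: int, frame: int) -> int:
    """Theoretical maximum frames/second a link carries at one frame size."""
    return line_rate_bps // ((frame + WIRE_OVERHEAD) * 8)


def bps_for_pps(pps: int, frame: int) -> int:
    """Line-rate bit/s consumed by a given packet rate at one frame size."""
    return pps * (frame + WIRE_OVERHEAD) * 8


def ntp_load(queries_per_s: int, line_rate_bps: int = 1_000_000_000) -> dict:
    """Translate an NTP query rate into pps, Mbit/s and share of a link.
    Assumes a 48-byte NTP message and one reply per query, both forwarded."""
    frame = frame_len(48)
    pps = 2 * queries_per_s
    bps = bps_for_pps(pps, frame)
    return {
        "frame_bytes": frame,
        "pps": pps,
        "mbit_s": bps / 1e6,
        "link_share": bps / line_rate_bps,
        "link_max_pps_at_this_size": max_pps(line_rate_bps, frame),
    }


if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"1 GbE at {size} B frames: {max_pps(1_000_000_000, size):,} pps")
    print(ntp_load(100_000))
```

The numbers make the post's argument concrete: 100,000 queries/s at 94-byte frames is about 182 Mbit/s once the replies are counted, a fraction of a gigabit link, yet 200,000 pps through a box whose per-packet cost (interrupt, pf state lookup, NAT rewrite) does not shrink with packet size. The 1 GbE ceiling at 64-byte frames (about 1.49 Mpps) is what a TRex run should be measured against, not the bit rate.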