Messages - fox983

#1
23.7 Legacy Series / Re: High CPU usage when downloading
December 09, 2023, 10:42:25 PM
Thank you for sharing this!
Maybe next year I will buy new hardware.
Regards
#2
23.7 Legacy Series / Re: High CPU usage when downloading
December 02, 2023, 10:19:12 PM
Quote from: Seimus on November 29, 2023, 10:08:13 AM
Quote from: fox983 on November 23, 2023, 08:56:32 PM
Hi all,
when downloading big files from internet the firewall's CPU goes to 90 - 100% on APU2C4 (with Intel network cards).

SYSTEM: DIAGNOSTICS: ACTIVITY
root   93   0   43M   28M   CPU2   2   795:57   76.86%   /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.9)

I've read many topics (e.g. https://forum.opnsense.org/index.php?topic=31999.0), tried to clear logs and disable Netflow but no luck.
Any ideas?

"when downloading big files from internet"

What's your throughput?
APU uses really very very very old SOC (I have one APU at home) and I can tell you such behaviors are kinda now normal on that SOC and more prominent the more throughput + features configured you have.

APU performs OK with OPNsense at 200Mbit/s with around 6VLANs + Shaper + basic rules. Anything above that and you will see performance degradation.

Regards,
S.

My throughput is about 170Mbit/s, 2 VLANs, Shaper, Monit, Wireguard and 15/20 rules. In your signature you have APU2D2, mine is APU2C4. So do you think this is normal behavior?
Thank you
#3
23.7 Legacy Series / Re: High CPU usage when downloading
November 26, 2023, 07:38:58 PM
 :)
#4
23.7 Legacy Series / Re: High CPU usage when downloading
November 25, 2023, 03:45:06 PM
Quote from: axsdenied on November 25, 2023, 03:20:00 AM
If you're not experiencing any performance issues, I'd just leave it alone. If this isn't the norm for you and something has changed, we'll need more data to help diagnose.
It happens mostly with torrents, I'm trying to download 4 Linux Mint and the CPU usage is at 100%
#6
23.7 Legacy Series / High CPU usage when downloading
November 23, 2023, 08:56:32 PM
Hi all,
when downloading big files from internet the firewall's CPU goes to 90 - 100% on APU2C4 (with Intel network cards).

SYSTEM: DIAGNOSTICS: ACTIVITY
root   93   0   43M   28M   CPU2   2   795:57   76.86%   /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.9)

I've read many topics (e.g. https://forum.opnsense.org/index.php?topic=31999.0), tried to clear logs and disable Netflow but no luck.
Any ideas?
#7
23.7 Legacy Series / Re: WSD and Bonjour service block
October 07, 2023, 11:49:02 PM
In Interfaces - Other types - VLAN5 I've set LAN as Parent interface and 5 as VLAN tag. Next I've set a static IP in the newly created interface VLAN5 in Interface Assignments. And lastly there is the LAN-block rule.
Connected at this port there is a trunk port of a managed switch. It has an 802.1Q VLAN configuration with some ports PVID1 and others PVID5 and another one set to trunk connected to an access point multi SSID.
What is wrong in this configuration?
#8
23.7 Legacy Series / Re: WSD and Bonjour service block
October 05, 2023, 01:16:00 AM
I've tried on a fresh install on different hardware, same problem.
WAN - LAN - VLAN5
VLAN5 with only one rule that blocks all traffic to LAN
Printer discovered by WSD on Win10.
Can someone explain why this happens?
#9
23.7 Legacy Series / Re: WSD and Bonjour service block
October 03, 2023, 02:21:53 PM
mDNS repeater is not installed.
#10
23.7 Legacy Series / Re: WSD and Bonjour service block
October 03, 2023, 12:00:53 PM
But this could not be the default behavior... How can I block it?
#11
23.7 Legacy Series / Re: WSD and Bonjour service block
October 02, 2023, 04:42:24 PM
None of them, they are not installed...
#12
23.7 Legacy Series / Re: WSD and Bonjour service block
October 02, 2023, 02:59:00 PM
Packet capture:
IPv4, length 76: 192.168.110.116.5353 > 224.0.0.251.5353: UDP, length 34


Live view:
action: [pass]
dir: [out]
dst: 192.168.110.116
dstport: 5353
interface_name: VLAN5
ipversion: 4
label: let out anything from firewall host itself
protoname: udp
reason: match
src: 192.168.199.76
srcport: 5353


This is probably the reason why it doesn't apply the rule from my previous post, because a pass rule is already set among the "Automatically generated rules". How can I block it?
#13
23.7 Legacy Series / Re: WSD and Bonjour service block
October 02, 2023, 02:25:15 PM
Added between them or as first rule, same problem.

1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: UDP
Source: any
Destination: any
Destination port range: 5353 - 5353
#14
23.7 Legacy Series / Re: WSD and Bonjour service block
September 30, 2023, 06:23:53 PM
1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: LAN net

2.
Action: Pass
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: any
#15
23.7 Legacy Series / Re: WSD and Bonjour service block
September 29, 2023, 07:03:20 PM
Same problem, printer is still there