Messages

1

Intrusion Detection and Prevention / Re: FireHOL Block List ( Botnets, Attacks, Malware....)

« on: August 05, 2020, 12:28:11 am »

I have also been scratching my head over this. The system - general log show that DROP .txt file has been fetched, but not the EDROP file. If I on the other hand check under diagnostics and pfTables, both DROP/EDROP are there. The content of the two .txt files that is. Go figure.

miroco

2

Tutorials and FAQs / Re: Wireguard - tips for VPN newbies

« on: July 24, 2020, 01:32:08 pm »

Nice write-up.

May I suggest that you move it to "Tutorials and FAQs"?


miroco

3

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 09, 2020, 09:59:57 pm »

Another Speedtest service gave a very different result. In hindsight, I should have done this from the very beginning. Gotten a second opinion that is.

Some pages still take longer to load, something I guess can be attributet to a different user pattern caused by the ongoing covid-19 pandemic.


miroco

4

20.1 Legacy Series / Re: health audit shows wrong version and missing shared library after upgrade

« on: July 05, 2020, 05:50:56 pm »

Me too

Code: [Select]

***GOT REQUEST TO AUDIT HEALTH***
>>> Check installed kernel version
Version 20.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 20.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for and install missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Checking core packages: .
beep-1.0_1 has no upstream equivalent
Checking core packages: .
bsdinstaller-20.1 has no upstream equivalent
Checking core packages: .
ca_root_nss-3.53 has no upstream equivalent
Checking core packages: .
choparp-20150613 has no upstream equivalent
Checking core packages: .
cpustats-0.1 has no upstream equivalent
Checking core packages: .
dhcp6c-20200512 has no upstream equivalent
Checking core packages: .
dhcpleases-0.2 has no upstream equivalent
Checking core packages: .
dnsmasq-2.81_2,1 has no upstream equivalent
Checking core packages: .
dpinger-3.0 has no upstream equivalent
Checking core packages: .
expiretable-0.6_1 has no upstream equivalent
Checking core packages: .
filterlog-0.3 has no upstream equivalent
Checking core packages: .
flock-2.30.1 has no upstream equivalent
Checking core packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking core packages: .
hostapd-2.9_2 has no upstream equivalent
Checking core packages: .
ifinfo-10.1 has no upstream equivalent
Checking core packages: .
isc-dhcp44-relay-4.4.2 has no upstream equivalent
Checking core packages: .
isc-dhcp44-server-4.4.2 has no upstream equivalent
Checking core packages: .
lighttpd-1.4.55_1 has no upstream equivalent
Checking core packages: .
monit-5.26.0 has no upstream equivalent
Checking core packages: .
mpd5-5.8_10 has no upstream equivalent
Checking core packages: .
ntp-4.2.8p15 has no upstream equivalent
Checking core packages: .
openssh-portable-8.2.p1_1,1 has no upstream equivalent
Checking core packages: .
openvpn-2.4.9_2 has no upstream equivalent
Checking core packages: .
opnsense-20.1.8_1 has no upstream equivalent
Checking core packages: .
opnsense-lang-20.1.4 has no upstream equivalent
Checking core packages: .
opnsense-update-20.1.7 has no upstream equivalent
Checking core packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking core packages: .
pftop-0.7_9 has no upstream equivalent
Checking core packages: .
php73-ctype-7.3.19 has no upstream equivalent
Checking core packages: .
php73-curl-7.3.19 has no upstream equivalent
Checking core packages: .
php73-dom-7.3.19 has no upstream equivalent
Checking core packages: .
php73-filter-7.3.19 has no upstream equivalent
Checking core packages: .
php73-gettext-7.3.19 has no upstream equivalent
Checking core packages: .
php73-google-api-php-client-2.4.0 has no upstream equivalent
Checking core packages: .
php73-hash-7.3.19 has no upstream equivalent
Checking core packages: .
php73-json-7.3.19 has no upstream equivalent
Checking core packages: .
php73-ldap-7.3.19 has no upstream equivalent
Checking core packages: .
php73-openssl-7.3.19 has no upstream equivalent
Checking core packages: .
php73-pdo-7.3.19 has no upstream equivalent
Checking core packages: .
php73-pecl-radius-1.4.0.b1 has no upstream equivalent
Checking core packages: .
php73-phalcon-3.4.5 has no upstream equivalent
Checking core packages: .
php73-phpseclib-2.0.23 has no upstream equivalent
Checking core packages: .
php73-session-7.3.19 has no upstream equivalent
Checking core packages: .
php73-simplexml-7.3.19 has no upstream equivalent
Checking core packages: .
php73-sockets-7.3.19 has no upstream equivalent
Checking core packages: .
php73-sqlite3-7.3.19 has no upstream equivalent
Checking core packages: .
php73-xml-7.3.19 has no upstream equivalent
Checking core packages: .
php73-zlib-7.3.19 has no upstream equivalent
Checking core packages: .
pkg-1.12.0_1 has no upstream equivalent
Checking core packages: .
py37-Jinja2-2.10.1 has no upstream equivalent
Checking core packages: .
py37-dnspython-1.16.0 has no upstream equivalent
Checking core packages: .
py37-netaddr-0.7.19_1 has no upstream equivalent
Checking core packages: .
py37-requests-2.22.0 has no upstream equivalent
Checking core packages: .
py37-sqlite3-3.7.7_7 has no upstream equivalent
Checking core packages: .
py37-ujson-3.0.0 has no upstream equivalent
Checking core packages: .
radvd-2.18_1 has no upstream equivalent
Checking core packages: .
rate-0.9_1 has no upstream equivalent
Checking core packages: .
rrdtool-1.7.2_3 has no upstream equivalent
Checking core packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking core packages: .
squid-4.11_2 has no upstream equivalent
Checking core packages: .
sshlockout_pf-0.0.2_2 has no upstream equivalent
Checking core packages: .
strongswan-5.8.4_1 has no upstream equivalent
Checking core packages: .
sudo-1.9.1 has no upstream equivalent
Checking core packages: .
suricata-4.1.8 has no upstream equivalent
Checking core packages: .
syslog-ng325-3.25.1_1 has no upstream equivalent
Checking core packages: .
syslogd-11.2 has no upstream equivalent
Checking core packages: .
unbound-1.10.1 has no upstream equivalent
Checking core packages: .
wpa_supplicant-2.9_7 has no upstream equivalent
Checking core packages: .
zip-3.0_1 has no upstream equivalent
***DONE***
miroco

5

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 05, 2020, 03:55:29 pm »

Thank you. I tried a reset and a subsequent restore of the latest config, but to no avail.

6

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 05, 2020, 02:35:03 pm »

Your observation makes total sense. The further away the greater the latency. However, the only variables in my use case are the EdgeRouter X vs. the APU2C4. I ran the test several times and with four different browsers.

7

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 05, 2020, 11:06:28 am »

I noticed and still notice that pages take longer to load after the 20.1.8 update. I therefore ran the speed test and searched the forum. I did not run a speed test with 20.1.7 because I didn't experience that there was something wrong with my setup; "health is silent" I presume. Can I revert to 20.1.7, if so how do I do it?

8

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 04, 2020, 10:22:45 pm »

The prior version was 20.1.7. I just noticed that I got a little too enthusiastic with the numbering scheme 20.1.18 -> 20.1.8 

9

20.1 Legacy Series / Re: Increased latency since 20.1.8 upgrade

« on: July 04, 2020, 06:38:06 pm »

These are my results from a symmetric 100 mbit fibre connection after the 20.1.18 upgrade, with an EdgeRouter X as reference.

EdgeRouter X 1.10.11 - DL 107,92 UL 108,57 response time 3,32 ms

APU2C4 OPNsense 20.1.18_1 DL 32,16 UL 8,33 response time 12,73 ms

miroco

10

General Discussion / Re: OPNsense myteriously blocking OpenVPN traffic

« on: May 19, 2020, 12:34:36 am »

These are my settings.


miroco

11

General Discussion / Re: OPNSense in VirtualBox; No login

« on: May 09, 2020, 01:14:38 am »

If your CPU doesn't support long mode, the general consensus seems to be; Use a 32bit distribution. If it's not a BIOS issue, you should perhaps start looking for newer hardware. The upcoming 20.7 version will be 64bit only.

https://www.thomas-krenn.com/en/wiki/Activating_the_Intel_VT_Virtualization_Feature

miroco

12

General Discussion / Re: OPNSense in VirtualBox; No login

« on: May 08, 2020, 03:43:48 pm »

What if you try the amd64 image?

https://www.dell.com/downloads/emea/products/pedge/en/PE2900_Spec_Sheet_Quad.pdf

miroco

13

Hardware and Performance / Re: Hardware recomendatoins for a small form factory "rugged" device

« on: May 08, 2020, 12:07:39 am »

PC Engines APU2x4 is popular choice and it meets all four criteria.

The most recent revision is APU2e4

https://www.pcengines.ch

miroco

14

Tutorials and FAQs / Re: Best way to shutdown

« on: May 01, 2020, 03:45:23 pm »

This is how I do it. Depending on your hardware, you additionally might have to turn off the power physically like unplug a power supply from your OPNsense appliance or flick a switch. If there's a better way, I'm all ears.

miroco

15

Hardware and Performance / Re: PCENGINES APU[1-5] Coreboot SeaBIOS Open Source Firmware

« on: April 15, 2020, 12:40:39 am »

Unless you have these wireless adaptors (ipw, iwi) I see little use in agreeing to those license terms, and as far as I can tell there are no license terms to agree on regarding the igb driver in the Tunables section and consequently not in a /boot/loader.conf.local - file. These are my findings.

ipw -- Intel PRO/Wireless 2100 IEEE 802.11 driver
iwi -- Intel PRO/Wireless 2200BG/2225BG/2915ABG IEEE 802.11 driver
igb -- Intel(R) PRO/1000 PCI Express Gigabit Ethernet adapter driver

https://www.freebsd.org/cgi/man.cgi?ipw
https://www.freebsd.org/cgi/man.cgi?iwi
https://www.freebsd.org/cgi/man.cgi?igb

The Teklager "OPNsense performance optimization for gigabit speed" guide seems to have been based on OPNsense 19.1 or 19.7 judging from the copyright information at the bottom of the top screen shot (OPNsense (c) 2014-2019 Deciso B.V.)

https://teklager.se/en/knowledge-base/opnsense-performance-optimization/

The settings referring to "hardware checksum offload, hardware segmentation offload and large receive offload" are all found under the Interface - Settings section.

That leaves the "tx" and rx" receiving queues settings.
hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"

Enabling EEE seems to come with a penalty.
WARNING: enabling EEE will significantly delay DHCP leases and the network interface will flip a few times on boot. https://en.wikipedia.org/wiki/Energy-Efficient_Ethernet

https://calomel.org/freebsd_network_tuning.html
https://www.thomas-krenn.com/de/wiki/OPNsense_igb_EEE_Funktion_deaktivieren

I think the BIOS is the joker in the game, especially since the release of v4.11.0.5.