Messages - _Alchemist_

1
Hardware and Performance / Re: Packet retransmission
« on: May 28, 2022, 09:20:05 pm »
Quote from: luiz.souza on March 28, 2022, 09:04:51 pm
I would like to know what are the TCP and UDP connections limit values.

Hello luiz.souza,

are you referring to the OPNsense traffic shaping options?
Or do you mean the maximum amount of states?

Regards

2
Hardware and Performance / Re: Can ZFS mirror install boot with 1 failed drive?
« on: May 28, 2022, 09:13:56 pm »
Quote from: ender526 on April 27, 2022, 12:48:29 am
My question is, are both drives bootable when using the installer mirror option by default, Or do I need to mess with the partition tables?

Hello ender526,

I just installed OPNsense 22.1.2 on a spare PC (Biostar J3160NH) with two Seagate 2TB SATA HDDs (zfs mirror) and tried booting with both, only the first and only the second HDD.

These were my results:
  • Both HDDs: Boots just fine, as expected
  • Only the first HDD (ada0): Boots just fine
  • Only the second HDD (ada1): Boots just fine, but the CLI is broken (the screen hangs at the Kernel loading messages)

The Web GUI could be reached in all three cases.

Some more System information (the system time can be ignored):

Both HDDs
Code:
root@OPNsense:~ # zpool status
  pool: zroot
 state: ONLINE
  scan: resilvered 4.80M in 00:00:01 with 0 errors on Wed Jul 29 00:52:21 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         ONLINE       0     0     0
  mirror-0    ONLINE       0     0     0
    ada0p4    ONLINE       0     0     0
    gpt/zfs1  ONLINE       0     0     0

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus0 target 0 lun 0 (pass0,ada0)
<SEAGATE ST2000NM0033 NS01>        at scbus1 target 0 lun 0 (pass1,ada1)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)

First HDD only
Code:
root@OPNsense:~ # zpool status
  pool: zroot
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-2Q
  scan: resilvered 5.70M in 00:00:01 with 0 errors on Wed Jul 29 00:43:16 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         DEGRADED     0     0     0
  mirror-0    DEGRADED     0     0     0
    ada0p4    ONLINE       0     0     0
    gpt/zfs1  UNAVAIL      0     0     0  cannot open

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus0 target 0 lun 0 (pass0,ada0)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)

Second HDD only
Code:
root@OPNsense:~ # zpool status
  pool: zroot
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-2Q
  scan: resilvered 4.80M in 00:00:01 with 0 errors on Wed Jul 29 00:52:21 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         DEGRADED     0     0     0
  mirror-0    DEGRADED     0     0     0
    ada0p4    UNAVAIL      0     0     0  cannot open
    gpt/zfs1  ONLINE       0     0     0

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus1 target 0 lun 0 (pass0,ada0)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)

I hope this answered your question. :)

3
Hardware and Performance / Re: hardware calculation
« on: May 28, 2022, 07:44:48 pm »
Quote from: sergggggg on May 12, 2022, 02:24:21 pm

Hello, if the calculator for calculating the equipment
from the included services and modules and the maximum traffic in the network?
Thank you!

Hello sergggggg,

looking at your other post, it seems like you want to know if there is a formula to calculate how many system resources (CPU, RAM, Disk, ...) are needed with IPS, depending on the traffic.
As far as I know, there aren't really any formulas, since the type of traffic and the number of active rules (e.g. with Suricata) can heavily influence how much performance is needed.
Using a CPU with lots of cores and high clock speed will always help though.

4
Hardware and Performance / Re: larger downloads fails
« on: May 28, 2022, 07:32:20 pm »
Hello arnoldg,

it seems that your post has way too little information for us to be able to help you with your problem.

Please provide some further information, for example:
  • What Operating System are you using (Windows, MacOS, Linux, etc.)?
  • What Device are you using to download files (PC, Laptop, Smartphone, etc.)?
  • Are you using a Web Browser (Google Chrome, Mozilla Firefox, etc.) or some other software?
  • What kind of device are you using to run OPNsense on?
  • Are you sure that your Internet connection (ISP Modem / Router, etc.) is working correctly?
  • What is the speed (in Megabit per second) and type of your Internet connection (DSL, Cable, Fibre) you use?
  • ...

5
Hardware and Performance / Re: Poor routing performance on DEC3840
« on: May 28, 2022, 07:22:58 pm »
If you run iperf3 from an OPNsense interface to a client, your only limiting factor is the single core performance of your CPU(s).

If you run iperf3 from client 1 to client 2 and have OPNsense in the middle, it has to do a lot of work routing the Packets with pf(4), which uses lots of CPU time.

Afaik iperf3 usually only creates one tcp stream, which isn't really a real world load on a firewall.
You could try to run multiple parallel streams with the -P flag:
Quote
-P, --parallel n
              number of parallel client streams to run. Note that iperf3 is single threaded, so if you are CPU bound, this will not yield higher throughput.

6
Hardware and Performance / Re: Individual sshd processes run with 100% CPU after a while
« on: May 28, 2022, 07:05:12 pm »
Quote from: lucky4ever2 on May 24, 2022, 04:31:20 pm
We use SSH tunnels at this point.

What are the SSH tunnels used for?
And how did you configure them (manually/GUI)?

7
Hardware and Performance / Re: OPNsense vs. Proxmox Bridge with LAGG
« on: May 28, 2022, 06:53:52 pm »
Depending on the NIC, passing it through to the OPNsense VM (less overhead from Proxmox VE) and using Hardware offloading might be faster.

8
22.1 Legacy Series / Re: wrong negociation on Network speed on vmware
« on: May 26, 2022, 12:26:50 pm »
What exactly does OPNsense show you as the interface speed?

I have OPNsense running on Proxmox VE and it shows "10Gbase-T <full duplex>" on all interfaces.
I also have one OPNsense VM running on ESXi 6.7 U3d, but can't access it right now (it also uses VMXNET3 NICs).

If you use the Intel E1000e NICs for your OPNsense VM, they will be limited to 1Gbit/s btw - make sure to use vmxnet3.

9
22.1 Legacy Series / Re: Since 22.1.6< zerotier eats one cpu fully
« on: May 26, 2022, 12:19:03 pm »
Have you tried uninstalling and reinstalling the os-zerotier Plugin?

10
22.1 Legacy Series / Re: OS-ddclient Plugin Question
« on: May 26, 2022, 12:13:24 pm »
AFAIK these are just package messages and can be ignored, since you configure ddclient from the GUI in OPNsense. :)

Other than that, have you got the plugin to work?

11
22.1 Legacy Series / Re: Firewall Rules | InterVLAN Traffic
« on: May 26, 2022, 12:10:45 pm »
What kind of devices / Hosts are in the LAN and VLAN2 Network?
What Services (Port, Protocol) in the LAN Network are you trying to access from the VLAN2 Network?
Are there multiple Gateways?
...

Some additional information would probably help with solving your Problem :)

12
22.1 Legacy Series / Re: IPsec site-to-site VPN loses connection after upgrade to 22.1.8
« on: May 26, 2022, 12:03:28 pm »
The fastest way would probably be to revert back to 22.1.7 for the time being.

Do you see any errors in "VPN --> IPSec --> Log File" ?

13
22.1 Legacy Series / Re: Cannot Access File Shares after upgrading to 22.1.8
« on: May 26, 2022, 11:56:04 am »
In the 22.1.8 Changelog the only things about the Firewall I could find are these:
  • firewall: various usability and visibility improvements for aliases
  • firewall: performance improvement for large numbers of port type aliases
  • firewall: simplify sort and add natural sorting in alias diagnostics
I suppose your Network looks something like this?

Code:
[SMB Clients] <-- 172.16.33.x --> [OPNsense 1] <-- IPSec (WAN) --> [OPNsense 2] <-- 10.3.32.x --> [SMB Server]
Can you show what your Firewall Rules look like? And do you have multiple Gateways?
I haven't used IPSec with OPNsense yet, only with OpenVPN and WireGuard, but from the other recent Posts, it seems like there might be issues with both IPSec and Aliases in 22.1.8.

14
22.1 Legacy Series / Re: [CALL FOR TESTING] FreeBSD 13.1 / 22.7 operating system preview
« on: May 26, 2022, 11:32:47 am »
Same for me, my OPNsense VMs also report being still on 22.1.8, but "freebsd-version -kru" reports 13.1-RELEASE - so I guess the Updates still work

15
22.1 Legacy Series / Re: Unable to update to 22.1.8
« on: May 26, 2022, 11:21:49 am »
Updating your packages will likely do nothing, since the FreeBSD Base and Kernel are updated via freebsd-update (opnsense-update) instead of pkg.

Can you send the output of "opnsense-version -O" and "freebsd-version -kru" ?
