Topics - didibo

#1
Since installing 20.7 my SNMP monitoring is not working correctly. Interfaces which previously were delivering stats via SNMP are now showing zero utilisation, or only a few packets here and there.

I'm not sure if it's related to the new netstat functionality, but the os-net-snmp package isn't working well with 20.7.
#2
Since upgrading from 20.1.7 to 20.1.8 I've seen increased latency on the WAN. I use thinkbroadband to monitor the WAN link, plus I have a ping which runs regularly from a monitoring platform on my network. After I performed the upgrade at 14:30 yesterday, my latency and jitter have gone up significantly.

Attached are two graphs. Were there any code changes or package updates that might have caused this? At this stage, I can't rule out my ISP but the timing is exactly when I performed the upgrade.

(the large red spikes in the first graph are outages when I restarted opnsense)
#3
20.1 Legacy Series / Net-SNMP plugin CPU usage
April 21, 2020, 04:53:00 PM
I've been looking at tuning some elements of my OPNsense system and whilst doing that I've noticed that the SNMP process is using over 5% of my CPU when idle (when no SNMP queries are being sent to it).

PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
67970 root             1  22    0 26004K 15188K select  2   0:17   5.04% /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid


If you update 'top' manually with the space bar or set the interval to 1 second, the snmpd process spikes sometimes to 15-30% cpu when idle (no SNMP queries).

(the above was just after a reboot so the total CPU time was still low - I'll post an update once the server has been running for some time).

I don't see why SNMPD should be using quite so much CPU (for reference, this server is running on an i3-8300T).

I see a few errors in /var/log/snmpd.log but these only seem to be written every 30 seconds or so when idle:

error on subcontainer 'ia_addr' insert (-1)

When receiving an actual SNMP query (every 5 mins), quite a few of these get written to the log:

error on subcontainer 'swrun container' insert (-1)

There are very few configuration changes that can be made to Net-SNMP, so I was wondering if there was an issue in the implementation.
#4
20.1 Legacy Series / Cannot see log files in GUI
March 01, 2020, 12:17:15 AM
No matter which log file I try, I can't see any log entries in the GUI. The screen always shows 'loading...' (see attached pic).

This is true whichever log file I choose:

Firewall / Plain View
Services / Intrusion Detection / Log File
Unbound DNS / Log File
System / Log Files / General, Backend, Web GUI
etc. etc.

I tried removing all logs in /var/log and rebooting. There are log files in /var/log with data in them.


#5
The sqlite3 process (/usr/local/bin/sqlite3 /var/netflow/src_addr_086400.sqlite.fix) has started thrashing my disk.
The disk light is on permanently and 'top -m io -o write -s 1' reports 100% utilisation all the time:

PID USERNAME        VCSW  IVCSW   READ  WRITE  FAULT  TOTAL PERCENT COMMAND
58129 root             610      2      0    762      0    762 100.00% sqlite3

I've tried 'Reset Netflow Data' and 'Repair Netflow Data'. I've also tried deleting everything in /var/netflow and rebooting. Every time the server comes back up, this process starts thrashing the disk. The only thing I can do right now is kill -9 the process.

Any ideas on what I can do to fix this?
#6
19.7 Legacy Series / CPU frequency and PowerD settings
January 11, 2020, 12:59:56 AM
I currently have 'Use PowerD' enabled in the GUI with all 3 settings set to Adaptive; but I don't think it's working.

From a console, I load up the CPUs and run 'powerd -v' and from the output it seems as though it wants to change the CPU frequency but it can't:


root@OPNsense:~ # powerd -v
powerd: unable to determine AC line status
load 400%, current freq  800 MHz (15), wanted freq 3200 MHz
changing clock speed from 800 MHz to 3100 MHz
load 400%, current freq  800 MHz (15), wanted freq 6200 MHz
changing clock speed from 800 MHz to 3100 MHz
load 400%, current freq  800 MHz (15), wanted freq 6200 MHz
changing clock speed from 800 MHz to 3100 MHz
load 400%, current freq  800 MHz (15), wanted freq 6200 MHz
changing clock speed from 800 MHz to 3100 MHz


Here's the output on idle:

root@OPNsense:~ # powerd -v
powerd: unable to determine AC line status
load   0%, current freq  800 MHz (15), wanted freq  800 MHz
load  42%, current freq  800 MHz (15), wanted freq  896 MHz
changing clock speed from 800 MHz to 1000 MHz
load  18%, current freq  800 MHz (15), wanted freq  868 MHz
changing clock speed from 800 MHz to 1000 MHz
load   0%, current freq  800 MHz (15), wanted freq  840 MHz
changing clock speed from 800 MHz to 1000 MHz
load   4%, current freq  800 MHz (15), wanted freq  813 MHz
changing clock speed from 800 MHz to 1000 MHz
load   0%, current freq  800 MHz (15), wanted freq  800 MHz
load  16%, current freq  800 MHz (15), wanted freq  800 MHz
load   0%, current freq  800 MHz (15), wanted freq  800 MHz


I've checked the BIOS, there's nothing obviously wrong (e.g. power management is turned on). I've also checked the CPU frequency using sysctl whilst under load repeatedly, and freq never changes:


root@OPNsense:~ # sysctl -a | grep dev.cpu.0.freq:
dev.cpu.0.freq: 800


Any ideas on getting this working? I've tried the other settings in the GUI (max,min,hiadaptive) - the behaviour does not change.

#7
General Discussion / [SOLVED] Static routing problem
October 31, 2018, 06:55:35 PM
I have Opnsense set up with a LAN interface (192.168.1.0/24) and a WAN Internet interface - standard NAT setup etc.

I added another new router to my LAN (192.168.30.0/24) that default gateways to Opnsense. On Opnsense I've added a new gateway for the new router, and added a static route to 192.168.30.0/24 - plus did the NAT rules etc. Outcome, hosts on 192.168.30.0/24 can access the Internet on the WAN, plus I can access the Opnsense web portal on 192.168.1.0/24.

However, hosts on 192.168.30.0/24 cannot access hosts on the 192.168.1.0/24 network. In a network trace on a .30 host, I can see packets coming in - but no packets going out (TCP connection won't establish). If I look on Opnsense, I can see in the Live Firewall logs that Opnsense is blocking the return traffic by the 'default deny rule':

   lan      Oct 31 17:50:53   192.168.1.198:22   192.168.30.12:52372   tcp   Default deny rule

The .30 host default gateway points to Opnsense. If I add a static route to the .30 host (e.g. route add -net 192.168.30.0/24 gw 192.168.1.250) then magically it all works, and Opnsense doesn't block at the firewall level. I've tried adding in firewall rules to allow all the traffic on the LAN interface but nothing works.

My question: how do I get this to work? Why does adding a manual static route to a host magically let the traffic through the firewall?
#8
This would be a really useful feature. We can already define schedules for firewall rules, could we look at providing the same support for the firewall rules in the traffic shaper?

There will be circumstances where traffic needs to be prioritised differently at different times of the day, e.g. work hours prioritise certain interactive traffic, evening prioritise more bulk or backup traffic etc.
#9
I'm running 18.1.5.

I've been having problems getting the traffic shaper to work. As an example, I have two simple pipes - one set to 400Mbps which I apply to download traffic on my subnet via rules, and another pipe set to 20Mbps which I apply to upload traffic on my subnet (not using queues in this example).

The interfaces on the device are gigabit - and I test using an iperf client and server on either side. The upload pipe works as expected, no problems there. However, on the download pipe I only get around 250Mbit/s (when it's set to 400Mbps) - no matter what settings I try for the pipe. In some circumstances, shortly after resetting the rules I see 395Mbit/s for about 4-5 seconds, and then it settles back down to around 250Mbit/s again. I've tried no mask, source, destination, codel, different scheduler types - just can't seem to get past the 250Mbit/s.

If I set the download pipe to 800Mbit/s I then get around 600Mbit/s of traffic through the interface. With no other traffic on the network, I'm struggling to see why I don't get the full speed? With no traffic shaping enabled I get around 940Mbit/s.

Any ideas why this is happening? Ultimately I'd like to start using queues to prioritise traffic but I'm just trying to get the basic pipes working for the moment - I just can't get close to the configured speed. I could fudge it by upping the bandwidth configured, but that makes no sense to me.
#10
17.7 Legacy Series / DHCPv6 Relay Service won't start
November 26, 2017, 06:56:59 PM
Hi all,

I'm unable to start the DHCPv6 Relay service.

My WAN and LAN interfaces have IPv6 addresses - I'm not running DHCPv6 Server on any of them, I have Advertisements turned off - but I just can't start the service.

I click on start, and nothing, no errors - does anyone know where I can find logs to debug this further or have any ideas what could be causing the issue?

Thanks!