Topics - Sirius1

1
19.7 Legacy Series / NUT, apcsmart driver, and cable type
« on: October 21, 2019, 02:58:07 am »
Question about setting/changing NUT parameters: Is there any way to specify the 'cable type'? NUT documentation for the 'apcsmart' driver says:

This driver expects to see a 940-0024C cable or a clone by default. You can switch to the 940-0095B dual-mode cable support with the 'cable=' definition described below.

https://networkupstools.org/docs/man/apcsmart.html

I have an older BP1400 (circa early 2000s Backups Pro) which I believe does expect the 940-0095B cable. I have that, and also ordered the noted 940-0024 cable, but I cannot get any communication. There may be other issues, but to me it seems trying to resolve the cable first makes the most sense. My serial/adapter should be good, as I am seeing this in the logs, so it is recognized: kernel: ugen0.2: <Prolific Technology Inc. USB-Serial Controller D> at usbus0

I tried setting 'cable=940-0095B' as an 'Argument', but still did not work. Neither does connecting using the noted 940-0024 cable, but I'm not sure if that pinning will work with the BP1400.

I had seen other more detailed posts and replies about the problems with users being able to set more extensive configuration parameters, and I understand the concerns. But, is there a work-around, or could there be a way to at least select the cable type?

Or am I missing something else entirely?
Thanks

2
General Discussion / Converted laptop build user : Just do it. Make that move to newer hardware.
« on: June 29, 2019, 08:46:42 pm »
Unexpectedly I ended up with a new hardware build after fighting a WAN connectivity issue with my laptop OPNsense setup:
https://forum.opnsense.org/index.php?topic=12864.msg59623#msg59623

As other historical posts suggested, these 'hotplug' errors and WAN cycling events did end up being a physical issue, but not at all as expected: rather than USB or the USB-Ethernet adapter, it was faulty Ethernet/failing ports on my apparently dying Arris TG862G gateway.

In the process, I learned that running an older laptop as a cost saving option may not be as efficient as originally thought. In addition to the potential stability issues of running Ethernet via USB, the performance and power efficiency just can't compete with newer hardware, even against low-cost desktop PC hardware.

Old build: 19.1.8
HP ProBook 4245s AMD Athlon II P340 (25W TDP), 6GB RAM, and Plugable USB2.0 Gigabit adapter as outside WAN. Onboard Realtek as 'LAN' interface (with 8 internal VLANs).
Without any dedicated metering, and depending on the LCD display and adding and subtracting load on my TrippLite UPS, I determined the idle load to be around 28W, with peaks up to 35W. And it ran HOT. Always near 70C or above.

New build: 19.1.9
* First I fixed the gateway issue with a Netgear CM500V modem (need voice support).

* Next a Dell Optiplex 3020 off-lease refurbished from Dell Financial. https://www.dellrefurbished.com/ For just over $100 USD, this included an i3-4160 CPU and 4GB of DDR3L RAM. Replaced the included 250GB HDD with an OCZ Vertex4 128GB SSD from the parts drawer.

* From Ebay: HP NC360T dual-port Gigabit Intel-chipset PCIe (same 8 VLANs on inside): $16 USD. Lower power LGA1150 Pentium G3250T CPU: $17 USD.

All in, I was under $150 USD for the Dell, dual Gig-ethernet, and low-TDP CPU, and already have a future upgrade path by going back to the original i3-4160.

Key lessons learned:
Off-lease just can't be beat IMO. I usually build or upgrade my own, but I've had very good luck with Dell Financial. After 5 home laptops, this was my first desktop purchase. Stock can change rapidly and they have promotions frequently, so decide what you want and watch for the best builds and deals. The off-lease are business models, and typically just past their initial 3-year warranty coverage.

* Look for SFF 'small form factor' models: They are, typically, the smallest enclosures with PCIe slots (half-height). The smaller USFF (Ultra-small) and micro-Desktops don't have expansion slots for ethernet cards. I'm not a fan of WAN as a VLAN on a single Ethernet interface, or trying to kludge together a solution with a micro expansion slot for another interface.

* Alternate lower-TDP CPUs: Pay close attention to the CPU benchmark ratings, both within the low-TDP models, and comparing to your existing CPU. With the LGA1150 models I was looking at in the Pentium G class, there was a fairly substantial cost differential, but insignificant performance difference IMO. I ended up going with the lowest-cost option to reduce the payback time, maybe as low as 1 year. Low TDP, but more powerful Core-class i3 CPUs just weren't worth the cost for me, at 2-3 years recovery minimum, or significantly more. Figure out the cost/benefit for your scenario and even if swapping a lower power CPU is worth it.

Yes I did look, but also didn't really consider any of the micro cases or SoC-type models from Zotac, PCEngines, QOTOM, etc, for both cost and CPU performance reasons. I really didn't want performance in the range of the AMD P340 I was moving from, and at $1 per watt, per year, the payback for anything substantially more power efficient, like nearer current-gen low-TDP Core mobile CPUs, just isn't there until years out.

Power results:
Again using the LCD on the TrippLite, the Opti3020 with the original i3-4160 (54W TDP) appeared to idle at 28W, and peaked out around 50W, with CPU temps in the low 40C range. PowerD was set to Minimum.

* I switched to the G3250T (35W TDP) and also see idle around 28W, with minimal increase under load (no change within the minimum sensitivity delta of the UPS metering, apparently +/- approx 7 watts). Temps running in the mid-30C range. Now the i3 was running 0-10% most of the time, and the Pentium is running 10-20%, but will likely not see any performance hit with my 150/10 Comcast cable connection and 4 home users. Both are far more powerful than the AMD I ran previously. Turning on IDS/Suricata on WAN, the G3250T is in the 20% range, and running ~40C. PowerD is set to Adaptive.

The verdict:
For now I plan to run the Pentium, and will swap the i3 back in if I need a performance boost, or AES.
As widely reported, the 4th gen Haswell desktop CPUs seem to run very efficiently, and mine is using the same (or less) power than the older laptop CPU under idle. The more efficient G3250T, even though a desktop CPU, appears to be matching the power efficiency of the old AMD mobile CPU under both idle and load....with more than 2x the CPU performance rating, and at nearly half the temp.

So in the end I may not even have needed to replace my build. But it took the same WAN failures with the newly configured Opti3020 and Intel NICs to realize the issue was the gateway, and not USB Ethernet. Now I have a new and higher performance build with zero WAN errors, and none expected with the Intel-based NICs. I even ended up matching the power efficiency of the old HP laptop I had in place with substantially better performance. Win, win.

If this scenario sounds familiar, hopefully this gives a few more options and some data bits to think about as you consider new or replacement builds.

3
19.1 Legacy Series / Monit script to reboot firewall - WAN drops and repeated newwanip runs
« on: May 26, 2019, 11:56:48 pm »
Currently running 19.1.8. I have had continued issues with WAN failing as noted in numerous other posts ever since the 19.1 version train. Same setup with an ASIX-based USB ethernet on WAN that had no issues previously.  As others have noted, I am also unfortunately behind a cable gateway (Xfinity X1) that is set in bridge mode, rather than a simple cable modem. So lots of variables I have done my best to step through over the past 2-3 months.

Sometimes the WAN is clean for days, other times UP/DOWN in less than 15-30 minutes, and can't get connection again until the firewall is restarted.

Logging (System > Logging > General) indicates same content as in other posts:
WAN interface link state changed UP/DOWN messages, repeated running of rc.newwanip setting and keeping the same default gateway, and requesting and being assigned the same provider host WAN IP address repeatedly.

I have tried every recommended 'fix', including disabling all the NIC offload options, changing the default tunable net.inet.tcp.tso to '0' from the default, trying to hard-set the WAN as 1000TX-full instead of auto-negotiate, and even a complete new 19.1 install scratch-configured on a different laptop (rather than 18.x to 19.x configuration migration).

The issue persists. As an alternative to the recommended cron scripts to ping IPs and restart the firewall, I have tried to use the Monit plugin, and am really close: I have a 'Service Setting' that successfully restarts my WAN interface after public IP ping failures, but I can't get a 2nd Service Setting that will restart/reboot the firewall after a 2nd ping cycle failure. Once I have this working, I'll post up if it helps anyone else out. >>> The issue that I'm having is that I can't get the firewall to reboot. For the Monit Service Setting script, I've tried these combinations with no luck: /etc/rc.reboot -r, etc/rc.reboot -r now, and /sbin/shutdown -r. It will not let me enter just /etc/rc.reboot as it gives an error about needing the 'absolute path' or other arguments.

If anyone can help with the Monit script syntax I need, that would be great. Then I'll post those up. Otherwise, I'm in the same boat with the WAN flapping since the BSD 11.2/OPNSense 19.1 versions.

Thanks

4
Hardware and Performance / Ethernet USB NIC support - ASIX chipsets
« on: December 20, 2017, 03:44:30 pm »
New OPNsense user after being stranded by coming pfSense AES-NI requirement. Over the years have tried many different firewall/router distros going all the way back to Coyote Linux/Wolverine, Smoothwall/IPCop, Endian Community, and stock Cisco/Linksys routers. I did also look at OPNsense in later 2015, but decided to run pfSense at the time. Now I see OPNsense being a much more polished and complete product.

I agree with many other comments that I found the pfSense community unhelpful and opinionated. I planned to, and did, run pfSense on a small Asus notebook for size and power considerations, so had no choice but to use a USB NIC for one side. This option was dismissed in nearly every single forum post, so it was hard to find any good information going in.

That being said, I do now have recommendations for anyone looking for solid USB NIC options: Adapters using the ASIX chipsets seem to perform very well, and are stable. I used a Gigabit StarTech USB 31000S with AX88179 chipset for 2 years as my "inside" on pfSense with 8 802.1q VLANs. Among other options I now see that Amazon appears to offer this chipset in their "Basics" USB 3.0 adapter AE3101X1.

For my OPNsense install I moved to a nearly 7-year old HP ProBook 4525s that has a Gigabit RJ45 connection, but only USB 2.0. OPNsense recognized the AX88179 StarTech adapter, but the laptop would never pass traffic with the 3.0 adapter in a 2.0 slot. I bought Amazon Basic USB2.0 item AES2233X2 which has an AX88772B chipset and is recognized by OPNsense as a ‘generic 10/100’ USB adapter. It is passing traffic on my WAN side at 100Mbit speeds.

I thought the adapter I ordered was GigE but it wasn’t, so going at this again I’d make sure to look for USB 2.0 adapters with the AX88178A Gigabit chipset. They are out there but I don’t have a need right now until my cable bandwidth goes over 100Mbit. These adapters should pass traffic up to 480Mbit USB2.0 limit, assuming there is a driver for it, or can force OPNsense to load the AX88179 driver instead. Having USB 3.0 would've resolved this with my original Gigabit adapter.

The ProBook has Athlon II P340 CPU, 6GB RAM, OCZ Vertex2 40GB SSD, onboard wired GigE with 8 VLANs on inside, and the 10/100 USB2.0 adapter on the WAN side. As a network admin, my home setup is a little more than the usual: Cisco Catalyst 2960 with 8-port Gigabit NetGear and TPLink ‘smart’ switches that are configurable and VLAN capable. WiFi is Ubiquiti UniFi controller (VirtualBox) and both AC-Pro and Lite access points running 4 wireless SSID/VLANs. Having more RAM, SSD, and slightly more powerful CPU than my original firewall laptop, this is running very nicely and feels subjectively faster for 4 home users (2 teenagers) with nearly 2 dozen network devices.

Yes you can run OPNsense on a laptop with 2 physical Ethernet interfaces! VLANs too! Thanks to all the OPNsense developers and contributors. The growth and improvement in the interface and features over the past 2 years is remarkable. Great product!
