Topics - Gary7

#1
OPNsense 24.7.5
This update also disables NUMA by default which can bring a boost in network throughput on affected systems. 
system: default to vm.numa.disabled=1


OPNsense 25.1.1
execute: sysctl vm.numa.disabled and the value is vm.numa.disabled: 0
I've added "vm.numa.disabled" to Tunables and verified that vm.numa.disabled="1" is in /boot/loader.conf
After reboot, the value is still vm.numa.disabled: 0

Since I have an APU2D4, I would like to explicitly disable NUMA.
Am I missing something?

#2
I've been using an APU2D4 since OPNsense 19.1 and upgrading OPNsense along the way to 25.1 (current). Still working fine, but FreeBSD hardware support might be questionable in the relatively near future.

possible OPNsense hardware:
   maybe Intel N150 CPU - starting to be available and would be a huge improvement (maybe, "overkill" but the same CPU power usage)
   4 port i226 network
   serial port or USB for console access
   don't need (or want) WiFi
   no cooling fan

Does anybody have experience with the (inexpensive) Chinese mini PC manufacturers? Topton, CWWK/Changwang, HUNSN, SJRC, HKUXZR, etc.
Many of the models from different manufacturers appear to be identical, at least, the cases and specs look the same.

quality of hardware?   decent or the typical low-quality Chinese stuff?
updating BIOS?   requirement to be able to update BIOS to either AMI or Coreboot (preferred)

I was thinking that I would buy a barebones box, purchase decent quality memory and SSD, flash BIOS to current AMI or Coreboot. I really don't trust software coming from China even though it's probably the generic AMI BIOS.

If anybody has better recommendations, I'm very interested.
#3
My firewall is a PC Engines APU2 and I keep up with PC Engines on GitHub (https://pcengines.github.io/)

Does anybody know about miczyg, Michał Żygowski?
There have been no updates for PC Engines since late August 2022.
The last activity on GitLab for Michał was on September 30, 2022.
I know that he has worked very hard on PC Engines CoreBoot.
Is he OK or is he taking some time away from PC Engines CoreBoot?

Gary7
#4
In my (misguided) attempts to get maximum performance out of OPNsense, I have some questions about the need for certain loaded kernel modules.

I have a VERY simple home configuration: no in-bound traffic, no high availability (CARP), no IPsec, no tunneling of any kind, no LAGG, no PPP, and no VLAN.

Is there any advantage (or disadvantage) to not loading certain modules since I won't be using them?

carp_load="NO"      #Common Address Redundancy Protocol (CARP)
if_enc_load="NO"    #encryption needed for IPSEC
if_gif_load="NO"     #generic tunnel interface
if_gre_load="NO"    #Generic Routing Encapsulation
if_lagg_load="NO"   #link aggregation and link failover
if_tap_load="NO"    #Ethernet tunnel software network interface (for virtualization?)
if_tun_load="NO"    #tunnel driver (user process ppp)
if_vlan_load="NO"   #IEEE 802.1Q VLAN network interface

As a test, I added this to /boot/loader.conf.local and rebooted.
I know that it's reading these local settings because the order of modules displayed by kldstat changes.
kernel modules moved down in the list:
13    1 0xffffffff82a2e000     6890 carp.ko
14    1 0xffffffff82a35000      d7a if_enc.ko
15    1 0xffffffff82a36000     4bba if_gre.ko
16    1 0xffffffff82a3b000     a230 if_lagg.ko
17    1 0xffffffff82a46000     30c1 if_tap.ko
and modules not loaded
    if_gif_load
    if_tun_load
    if_vlan_load

Apparently, carp, enc, gre, lagg, and tap are getting loaded later during boot.
On the dashboard, I'm getting a CARP error. Since I don't use CARP, I'm ignoring it.

Is there any possibility there would be lower kernel overhead by not loading these modules? Other than some slight reduction in in-memory kernel size?

As a side note, FreeBSD 13 has the possibility of a VERY nice performance increase due to the improvements in if_bridge and other optimizations.

#5
20.7 Legacy Series / Unbound DNS blacklist
August 01, 2020, 08:25:32 PM
Upgrade to 20.7 went relatively smoothly. Now, I'm spending too much time optimizing loader.conf.local and sysctl.conf.local.
Previously, I was using some scripts to generate the blacklist and put it in a conf file.
Now, with DNS Blacklist integrated into Unbound DNS, I'm using the predefined lists and will probably add a few additional lists.

I reviewed the list of predefined blacklists in the Python code, dnsbl.py, and there are a couple of details that could be updated.

Ransomware Tracker is no longer available. Go to the link and you get the text "# Ransomware Tracker has been discontinued on Dec 8th, 2019"

AdAway List is set to https://adaway.org/hosts.txt. In the comments of this file, it says
# Fetch the latest version of this file:
# https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt

Maybe change AdAway to use https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt

Blocklist.site Ads, Fraud, Phishing get redirected to https://raw.githubusercontent.com
Maybe change:
Blocklist.site   Ads      https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt
Blocklist.site   Fraud   https://raw.githubusercontent.com/blocklistproject/Lists/master/fraud.txt
Blocklist.site   Phishing   https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt

My home firewall is an APU2D4 and I use a RAM disk for /var and /tmp.
So, the /var directory is recreated at boot and many of the Unbound files are under /var.
I've added System:Settings:Cron "Download Unbound DNSBLs and restart" to run each morning.
Do I need to add another Cron "Download Unbound DNSBLs and restart" to run at boot time?

It doesn't appear that the blacklists are enabled after a reboot. Since the combined blacklist file is /var/unbound/etc/dnsbl.conf, how does it get created at boot?

Maybe I just don't know where the documentation for Unbound blacklist is located. Maybe github.com?

Thank you all.
#6
20.1 Legacy Series / Unbound DNS blacklist?
February 08, 2020, 07:24:02 PM
There was some discussion about having DNS blacklist available at the next major release (20.1).

I've been using scripts to download blacklists, re-format into a conf file, and feed into Unbound each morning.
It works, but it would be nice to have something better integrated into OPNsense.

Is there any approved/recommended package or plugin for Unbound DNS blacklist?
Thanks
#7
I block ad servers and tracking servers using Unbound.
I have an app on a Roku that needs to access a specific ad server or else it fails.
I can add an override for that specific ad server (or take that DNS entry out of my black list) and the Roku app works. Of course, that would apply to all clients.

Is it possible for Unbound to override a DNS entry for requests coming from a specific address?
Specifically, my Roku gets the real address and all other devices still get 0.0.0.0
Thanks.
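An added example, not code from this thread or from OPNsense's dnsbl.py: it turns hosts-format lists like the AdAway and blocklistproject ones mentioned in post #5 into the Unbound local-zone/local-data statements that the scripts in post #6 generated, and for post #7 emits an Unbound view so one client address (the Roku) resolves a listed name normally while everyone else still gets 0.0.0.0. The sample list, the host names and the client address are constructed placeholders, and the view/access-control-view approach is my assumption about how to do it, not something the posts describe.

```python
import re

# Constructed sample of a downloaded hosts-format blocklist (placeholder names).
SAMPLE_HOSTS = """\
# Fetch the latest version of this file:
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 ADS.EXAMPLE.NET
0.0.0.0 bad_host.example
"""

# Conservative hostname check (letters, digits, hyphens): a malformed name is
# dropped here rather than written into a config Unbound may refuse to load.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

def parse_hosts(text: str) -> set[str]:
    """Return the set of lower-cased domains to block from hosts-format text."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue  # blank line, or not a sinkhole entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                domains.add(name)
    return domains

def unbound_block_conf(domains: set[str], sink: str = "0.0.0.0") -> str:
    """One redirect zone per domain: the name and all subdomains answer with `sink`."""
    lines = []
    for d in sorted(domains):
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {sink}"')
    return "\n".join(lines) + "\n"

def unbound_view_conf(view_name: str, client_cidr: str, allowed: set[str]) -> str:
    """Exempt one client from blocking for `allowed` names via an Unbound view.
    view-first: the view is consulted first for that client; a transparent zone
    with no data means "resolve normally", everything else falls through to the
    global redirect zones. Assumes an access-control entry already permits the client."""
    out = ["server:", f"    access-control-view: {client_cidr} {view_name}",
           "view:", f'    name: "{view_name}"', "    view-first: yes"]
    out += [f'    local-zone: "{d}" transparent' for d in sorted(allowed)]
    return "\n".join(out) + "\n"
```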
#8
General Discussion / Unbound DNS server at boot
May 12, 2019, 09:07:06 PM
I've configured Unbound to block advertising (and tracking) URLs. I followed the setup from https://devinstechblog.com/block-ads-with-dns-in-opnsense/ and added some more blacklists.

I have a slight Unbound problem when my firewall boots.
I'm using an APU2D4 with RAM disks for /tmp and /var and I'm using Unbound custom option "include:/var/unbound/ad-blacklist.conf". I would like to continue using the conf file in /var since I'm updating the list daily.
At boot, the /var/unbound/ad-blacklist.conf doesn't exist and Unbound won't start.
I'm using a somewhat crude method at startup: using a boot cron script, sleep for a length of time, touch /var/unbound/ad-blacklist.conf, start Unbound, sleep for a little while longer while Unbound starts, then run the rest of the script to download blacklists and create ad-blacklist.conf and restart Unbound again.

Is there any good way to create an empty file, /var/unbound/ad-blacklist.conf or any custom .conf, as Unbound starts? That way, Unbound starts normally and I only have one restart of Unbound?

#9
General Discussion / Basic question about WAN rules
April 19, 2019, 06:43:30 PM
I've recently upgraded my home network from a consumer-grade router to OPNsense. So far, so good. I'm using an APU2D4. I've been a Sys Admin managing servers for years.

Just a really basic question about WAN rules.
Since this is for my home network, there will be nothing inbound from the WAN. Default drop for everything on the WAN.
Is there any down-side for having no additional WAN firewall rules (i.e. spamhaus_drop)?
Do I even need to block private networks and bogon networks since default drop should take care of everything?

I have a Sys Admin mentality of doing everything needed, but don't do tasks that you don't need or duplicated tasks for performance reasons. Is there any benefit for processing any WAN rules when I'm going to default drop anyway?
Now, if I were allowing anything inbound (i.e. inbound VPN or inbound to a DMZ), then WAN rules would be needed.
My LAN side has multiple IP blacklists and URL blocking. I'm going to be adding more in the future. I switched to OPNsense to have blacklists and ad-blocking.