Messages - Gary7

1
23.1 Legacy Series / Re: Upgraded to 23.1.r2: no LAN ip after reboot
« on: January 27, 2023, 03:18:12 pm »
I was configuring my network optimization based on information from https://calomel.org/freebsd_network_tuning.html

I disabled flow-control (dev.igb.0.fc=0  # (default 3)) as described in this section of sysctl configuration:

# Intel i350-T2 igb(4): flow control manages the rate of data transmission
# between two nodes preventing a fast sender from overwhelming a slow receiver.
# Ethernet "PAUSE" frames will pause transmission of all traffic types on a
# physical link, not just the individual flow causing the problem. By disabling
# physical link flow control the link instead relies on native TCP or QUIC UDP
# internal congestion control which is peer based on IP address and more fair
# to each flow. The options are: (0=No Flow Control) (1=Receive Pause)
# (2=Transmit Pause) (3=Full Flow Control, Default). A value of zero(0)
# disables ethernet flow control on the Intel igb(4) interface.
# http://virtualthreads.blogspot.com/2006/02/beware-ethernet-flow-control.html
#
dev.igb.0.fc=0  # (default 3)

Admittedly, on my lightly-loaded home network, it probably makes no difference whether flow control is on or off.

I'm just trying to get best performance out of my little apu2d4 firewall.

2
23.1 Legacy Series / Re: Upgraded to 23.1.r2: no LAN ip after reboot
« on: January 27, 2023, 04:39:56 am »
I have an apu2d4.
Upgraded from 22.7.11 to 23.1 with no apparent errors.
However, after upgrade, networks (LAN/WAN) didn't work. No response.
Working on the console, I finally tried to manually stop and start the network interfaces.
"ifconfig igb0 down" then "ifconfig igb0 up" (same for igb1). Both interfaces started working.
After a reboot, I still needed to stop/start the interfaces to get them working.

Previously, I did everything I could think of to optimize network performance including setting dev.igb.X.eee_control=0 in Tunables.
Using the recommendation earlier in this discussion, I deleted dev.igb.X.eee_control from Tunables.
Now, after reboot, network interfaces are starting and working normally. I'm keeping dev.igb.X.fc=0.

Just telling my experience to possibly help others.

3
Hardware and Performance / Question about PC Engines Coreboot developer miczyg
« on: December 04, 2022, 10:01:19 pm »
My firewall is a PC Engines APU2 and I keep up with PC Engines on GitHub (https://pcengines.github.io/)

Does anybody know about miczyg, Michał Żygowski?
There have been no updates for PC Engines since late August 2022.
The last activity on GitLab for Michał was on September 30, 2022.
I know that he has worked very hard on PC Engines CoreBoot.
Is he OK, or is he taking some time away from PC Engines CoreBoot?

Gary7

4
22.1 Legacy Series / Re: [Solved] Very slow internet after upgrade to 22.1
« on: February 21, 2022, 09:20:49 pm »
FWIW, today I saw that 'Reporting'->'Health'->'System'->'States' had the wrong display and it started when I upgraded to 22.1. I've had a couple of reboots since.

I searched the forum and found this discussion.
My home firewall is a very simple 1 WAN & 1 LAN on an APU2.
My speed is exactly the same as pre-22.1 (a little over 200 Mbps, my full Internet speed).
I'm running Unbound with blocklists and a few Firewall:Rules:LAN, i.e. spamhaus_drop.
Nothing inbound.
I've set several tunables to try to get max performance.

I just noticed that Reporting:Settings still has Round-Robin-Database enabled (from pre-22.1). Should I shut off the RRD graphing backend?
Since I have only 1 WAN, I believe that I can safely shut off the RRD graphing backend.
[Update] Looks like I need to have RRD graphing enabled to display Health graphs.

As always, Franco, you do outstanding work.
Thanks


5
22.1 Legacy Series / Re: Appliance running hotter after 22.1 update?
« on: January 28, 2022, 05:48:40 pm »
Using a shell, can you run "top" and see if you have a process that is running at 100%?

On my little APU2 after upgrade, unbound was running at 100% and never dropped to idle.

In Unbound DNS: Blocklist, I removed all of the blocklists and even disabled DNSBL.
When I applied the changes, unbound started and dropped to idle right away.
Then, I enabled DNSBL and added blocklists.
I add several blocklists, apply, and unbound starts, adds the blocklists, and drops to idle relatively quickly.
However, there is one very large (50 MB) blocklist that seems to cause constant 100% load for unbound. I'll investigate further this weekend.

6
22.1 Legacy Series / Re: Single core usage spike cause intermittently by ifconfig
« on: January 23, 2022, 07:57:26 pm »
Just a couple of thoughts based on my sysadmin experience.
1) This will require some manual monitoring of CPU load, but could you see if the CPU spikes are occurring randomly or, possibly, almost exactly on the minute? I.e., a cron job running on the minute.
2) Is your WAN interface connected to anything? Did you give it a static address? Is it possible that the O/S is trying to configure your WAN interface with DHCP at regular intervals?

Good luck.

7
Hardware and Performance / Re: Do we need to load certain kernel modules if we don't use the modules?
« on: December 19, 2021, 10:56:46 pm »
I thought that if_bridge was required for OPNsense routing and/or firewall functions.

I am only using a single WAN and a single LAN interface.

8
Hardware and Performance / Do we need to load certain kernel modules if we don't use the modules?
« on: December 19, 2021, 10:36:40 pm »
In my (misguided) attempts to get maximum performance out of OPNsense, I have some questions about the need for certain loaded kernel modules.

I have a VERY simple home configuration: no in-bound traffic, no high availability (CARP), no IPsec, no tunneling of any kind, no LAGG, no PPP, and no VLAN.

Is there any advantage (or disadvantage) to not loading certain modules since I won't be using them?

carp_load="NO"      # Common Address Redundancy Protocol (CARP)
if_enc_load="NO"    # encryption needed for IPSEC
if_gif_load="NO"    # generic tunnel interface
if_gre_load="NO"    # Generic Routing Encapsulation
if_lagg_load="NO"   # link aggregation and link failover
if_tap_load="NO"    # Ethernet tunnel software network interface (for virtualization?)
if_tun_load="NO"    # tunnel driver (user process ppp)
if_vlan_load="NO"   # IEEE 802.1Q VLAN network interface

As a test, I added this to /boot/loader.conf.local and rebooted.
I know that it's reading these local settings because the order of modules displayed by kldstat changes.
Kernel modules moved down in the list:
13    1 0xffffffff82a2e000     6890 carp.ko
14    1 0xffffffff82a35000      d7a if_enc.ko
15    1 0xffffffff82a36000     4bba if_gre.ko
16    1 0xffffffff82a3b000     a230 if_lagg.ko
17    1 0xffffffff82a46000     30c1 if_tap.ko
and modules not loaded:
    if_gif_load
    if_tun_load
    if_vlan_load

Apparently, carp, enc, gre, lagg, and tap are getting loaded later during boot.
On the dashboard, I'm getting a CARP error. Since I don't use CARP, I'm ignoring it.

Is there any possibility there would be lower kernel overhead by not loading these modules, other than some slight reduction in in-memory kernel size?

As a side note, FreeBSD 13 has the possibility of a VERY nice performance increase due to the improvements in if_bridge and other optimizations.
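The observation in this post (modules switched off in /boot/loader.conf.local that still show up in kldstat, while others really stay out) can be checked mechanically. The script below is an added example, not code from OPNsense or FreeBSD: it parses the loader.conf.local lines and the kldstat lines quoted above (the kldstat header and kernel line are constructed, since the post does not quote them) and reports which `_load="NO"` modules were loaded later anyway. When run on a FreeBSD box it reads the real file and runs the real `kldstat`; elsewhere it falls back to the sample data.

```python
"""Cross-check loader.conf.local *_load="NO" entries against kldstat.

Added example, not OPNsense or FreeBSD code: parses the two inputs from
the forum post and reports which modules were switched off for the
loader but still show up in kldstat (so something later in boot loaded
them), and which ones really stayed out.
"""
import os
import re
import subprocess

# Constructed sample input: the loader.conf.local lines from the post.
SAMPLE_LOADER_CONF = """\
carp_load="NO"      #Common Address Redundancy Protocol (CARP)
if_enc_load="NO"    #encryption needed for IPSEC
if_gif_load="NO"    #generic tunnel interface
if_gre_load="NO"    #Generic Routing Encapsulation
if_lagg_load="NO"   #link aggregation and link failover
if_tap_load="NO"    #Ethernet tunnel software network interface
if_tun_load="NO"    #tunnel driver (user process ppp)
if_vlan_load="NO"   #IEEE 802.1Q VLAN network interface
"""

# Constructed kldstat output: the header and kernel line are made up,
# the module lines are the ones quoted in the post.
SAMPLE_KLDSTAT = """\
Id Refs Address                Size Name
 1   40 0xffffffff80200000  1f2a8f0 kernel
13    1 0xffffffff82a2e000     6890 carp.ko
14    1 0xffffffff82a35000      d7a if_enc.ko
15    1 0xffffffff82a36000     4bba if_gre.ko
16    1 0xffffffff82a3b000     a230 if_lagg.ko
17    1 0xffffffff82a46000     30c1 if_tap.ko
"""

_LOAD_RE = re.compile(r'^\s*([A-Za-z0-9_]+)_load\s*=\s*"?(YES|NO)"?', re.IGNORECASE)


def parse_loader_conf(text):
    """Return {module: "YES"/"NO"} for every *_load line; comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _LOAD_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).upper()
    return settings


def parse_kldstat(text):
    """Return the set of module names (without .ko) listed by kldstat."""
    loaded = set()
    for line in text.splitlines()[1:]:  # skip the "Id Refs Address ..." header
        fields = line.split()
        if len(fields) >= 5:
            name = fields[-1]
            if name.endswith(".ko"):
                name = name[:-3]
            loaded.add(name)
    return loaded


def compare(loader_conf_text, kldstat_text):
    """Split the modules set to NO into those loaded anyway and those kept out."""
    settings = parse_loader_conf(loader_conf_text)
    loaded = parse_kldstat(kldstat_text)
    disabled = sorted(m for m, v in settings.items() if v == "NO")
    return {
        "loaded_anyway": [m for m in disabled if m in loaded],
        "not_loaded": [m for m in disabled if m not in loaded],
    }


def main():
    conf_path = "/boot/loader.conf.local"
    if os.path.exists(conf_path):
        with open(conf_path) as f:
            conf = f.read()
        kld = subprocess.run(["kldstat"], capture_output=True, text=True, check=True).stdout
    else:
        conf, kld = SAMPLE_LOADER_CONF, SAMPLE_KLDSTAT
    result = compare(conf, kld)
    print("set to NO but loaded anyway:", ", ".join(result["loaded_anyway"]) or "-")
    print("set to NO and not loaded:   ", ", ".join(result["not_loaded"]) or "-")


if __name__ == "__main__":
    main()
```

On the sample data the report is carp, if_enc, if_gre, if_lagg and if_tap loaded anyway, and if_gif, if_tun and if_vlan kept out, which is exactly what the post observed: a `_load="NO"` line only tells the boot loader not to preload a module, it does not stop anything later in boot from loading it.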


9
21.7 Legacy Series / Re: How to use setting under Unbound: "Verify if CN in certificate matches"
« on: December 13, 2021, 06:17:09 am »
I took a look at the cloudflare.com SSL certificates.
Here is the list of addresses, Common Names, and Subject Alternative Names (SAN):

Cloudflare SSL certificates

Addresses: 1.1.1.1  &  1.0.0.1
Common name: cloudflare-dns.com
                SAN: DNS Name=cloudflare-dns.com
                        DNS Name=*.cloudflare-dns.com
                        DNS Name=one.one.one.one
                        IP Address=1.1.1.1
                        IP Address=1.0.0.1
                        IP Address=162.159.36.1
                        IP Address=162.159.46.1
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1111
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1001
                        IP Address=2606:4700:4700:0000:0000:0000:0000:0064
                        IP Address=2606:4700:4700:0000:0000:0000:0000:6400


Addresses:  1.1.1.2  &  1.0.0.2
Common name: security.cloudflare-dns.com
                SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1112
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1002
                        DNS Name=security.cloudflare-dns.com
                        DNS Name=*.security.cloudflare-dns.com
                        IP Address=1.1.1.2
                        IP Address=1.0.0.2

Addresses:  1.1.1.3  &  1.0.0.3
Common name: family.cloudflare-dns.com
                SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1113
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1003
                        DNS Name=family.cloudflare-dns.com
                        DNS Name=*.family.cloudflare-dns.com
                        IP Address=1.1.1.3
                        IP Address=1.0.0.3
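The practical point of the listing above is that the name a DNS-over-TLS forwarder is told to verify has to be covered by the SAN of the certificate served at the address it forwards to, and that the three Cloudflare services use different certificates. The script below is an added example, not part of the post, of Unbound, or of OPNsense: it encodes the SAN lists quoted above and applies the usual server-identity matching rules (an exact DNS match, a wildcard that stands for exactly one leftmost label, and an IP that must appear as an IP Address SAN), then builds an Unbound `forward-addr` value in its `ip@port#authname` form. The `forward_addr_line` helper and the choice of port 853 are this example's own assumptions.

```python
"""Which certificate name should a DNS-over-TLS forwarder verify?

Added example, not part of the post, of Unbound or of OPNsense. The SAN
lists are constructed from the certificate details quoted in the post;
the matching rules follow RFC 6125 (exact DNS match, a wildcard replaces
exactly one leftmost label, an address matches only an IP Address SAN).
"""
import ipaddress

CLOUDFLARE_CERTS = [
    {
        "cn": "cloudflare-dns.com",
        "san": [
            ("DNS", "cloudflare-dns.com"),
            ("DNS", "*.cloudflare-dns.com"),
            ("DNS", "one.one.one.one"),
            ("IP", "1.1.1.1"),
            ("IP", "1.0.0.1"),
            ("IP", "162.159.36.1"),
            ("IP", "162.159.46.1"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1111"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1001"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:0064"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:6400"),
        ],
    },
    {
        "cn": "security.cloudflare-dns.com",
        "san": [
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1112"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1002"),
            ("DNS", "security.cloudflare-dns.com"),
            ("DNS", "*.security.cloudflare-dns.com"),
            ("IP", "1.1.1.2"),
            ("IP", "1.0.0.2"),
        ],
    },
    {
        "cn": "family.cloudflare-dns.com",
        "san": [
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1113"),
            ("IP", "2606:4700:4700:0000:0000:0000:0000:1003"),
            ("DNS", "family.cloudflare-dns.com"),
            ("DNS", "*.family.cloudflare-dns.com"),
            ("IP", "1.1.1.3"),
            ("IP", "1.0.0.3"),
        ],
    },
]


def dns_name_matches(pattern, hostname):
    """Compare one DNS SAN entry against a hostname, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]   # the label the wildcard stands for
    return leftmost != "" and "." not in leftmost


def san_covers(san_entries, reference):
    """True if the SAN list covers reference (a hostname or an IP address)."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, value in san_entries:
        if kind == "IP" and ref_ip is not None:
            if ipaddress.ip_address(value) == ref_ip:
                return True
        elif kind == "DNS" and ref_ip is None and dns_name_matches(value, reference):
            return True
    return False


def matching_certificates(reference):
    """CNs of every listed certificate whose SAN covers reference (the CN itself is not consulted)."""
    return [c["cn"] for c in CLOUDFLARE_CERTS if san_covers(c["san"], reference)]


def forward_addr_line(ip):
    """Assumed helper: build an Unbound forward-addr value 'ip@853#authname'.
    Returns None when no listed certificate carries that IP in its SAN."""
    cns = matching_certificates(ip)
    if not cns:
        return None
    return "%s@853#%s" % (ip, cns[0])


if __name__ == "__main__":
    for ref in ("1.1.1.1", "1.1.1.2", "security.cloudflare-dns.com",
                "foo.security.cloudflare-dns.com", "2606:4700:4700::1003", "1.1.1.4"):
        print("%-34s -> %s" % (ref, matching_certificates(ref)))
    print(forward_addr_line("1.0.0.2"))
```

Two details worth noticing from the output: `security.cloudflare-dns.com` is covered by both the first certificate (through `*.cloudflare-dns.com`) and the second, while a deeper name such as `foo.security.cloudflare-dns.com` is covered only by the second, because a wildcard stands for a single label; and an address like 1.1.1.4 matches nothing, so a forwarder pointed there with any of these names would fail verification.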


10
Tutorials and FAQs / Re: [Tutorial] Compile network driver
« on: August 08, 2021, 07:36:31 pm »
As an experiment on my home OPNsense firewall, I compiled the updated Intel network drivers for my APU2 system (I210 NIC).

Intel® Network Adapter Gigabit Base Driver for FreeBSD
   version 7.7.8   released 04/07/2020
Intel® Network Adapter Driver for 82575/6 and 82580-Based Gigabit Network Connections under FreeBSD
   Version 2.5.19   released 07/21/2021

I followed the instructions in this tutorial:
   pkg install git
   git clone plugins, ports, & src
   compiled both drivers

Everything went smoothly.
Copied if_igb.ko and if_em.ko to /boot/kernel (renamed the original files for backup)
Modified /boot/loader.conf.local: #if_em_load="YES" & if_igb_load="YES"
If loading the if_igb.ko driver failed, I could modify loader.conf.local to load if_em.ko and reboot again.

Rebooted and everything appeared to start normally. "if_igb.ko" was loaded without error.
Using kldstat, I verified that "if_igb.ko" was being used: 14    1 0xffffffff82968000    397a8 if_igb.ko

So far, networking on my firewall is working normally without error.
Now, some "hw.igb" tuning variables are available ( sysctl hw.igb ).
Performance appears to be normal. I still get my full ISP speed, 200+ Mbps.

I also see that the igb driver is smaller.
   if_igb.ko   223272 bytes
   if_em.ko   407664 bytes

Sharing my experience.

11
21.7 Legacy Series / Re: Massive performance drop with 21.7 on APU2
« on: August 05, 2021, 07:37:55 pm »
All names of default tunables should be fine.

I would just look at the tunables that you've added.

In my attempts to improve throughput, I've added several tunables.
My internet speed is 200 Mbps (236 Mbps actual). I get full speed with no problem.
Maybe, I would get full 200 Mbps speed without any tuning.
If I ever go to Gigabit speed, I might need to upgrade from my APU2.


12
21.7 Legacy Series / Re: Massive performance drop with 21.7 on APU2
« on: August 05, 2021, 06:56:04 pm »
With 21.7, some of the tunables have changed.

For instance, "hw.igb" doesn't exist anymore. Look at "hw.em".

Replace hw.igb.rx_process_limit="-1" with hw.em.rx_process_limit="-1"
Neither hw.igb.tx_process_limit nor hw.em.tx_process_limit exists.

There are a lot of values for "dev.igb"

Unfortunately, you will need to check all your configured tunables to verify that the names haven't changed.
At the console, enter "sysctl tunable-name" to verify the name and value.


13
21.1 Legacy Series / Re: Traffic graph on dashboard broken
« on: March 04, 2021, 05:45:31 am »
I have only been using Chrome for the OPNsense GUI.
As an experiment, I finally used Firefox for the GUI.
For me, the traffic graph worked correctly for both Chrome and Firefox.
I did notice one detail: I only have 2 interfaces, LAN & WAN
On your traffic graph, it looks like you have 3 interfaces. Do you have a DMZ or VLANs, etc.?
I don't know if that's a factor or not concerning the traffic graph when using Firefox.

14
21.1 Legacy Series / Re: Traffic graph on dashboard broken
« on: March 03, 2021, 10:50:18 pm »
To apply the patch is very easy.
Log in as root to the shell. You may want to be out of the GUI.
I have a serial connection to the console.
In the shell, just execute "opnsense-patch 8b9764fa86"
Then, login to the GUI and see if the traffic widget works better.

15
21.1 Legacy Series / Re: Traffic graph on dashboard broken
« on: March 03, 2021, 06:18:49 pm »
See if this patch fixes your problem with the traffic widget in OPNsense 21.1.2:
New traffic widget broken in Firefox
https://forum.opnsense.org/index.php?topic=21726.msg102444#msg102444
