Messages - rgo

#16
I do not know about VPN.  I can tell you an Opteron 6386 will handle 1gig without problem at 1gig speed.  So will an i7 4770k; it will handle it with 1 core no problem.  I do not know how many VPNs it can handle at 1 gig.
#17
17.1 Legacy Series / Re: Fatal trap 12
March 27, 2017, 11:22:56 AM
Well, being a very long time user of FreeBSD, the kernel error you are getting is resources.  That tells me FreeBSD cannot get the resources needed.  The dual OS setup you are trying to do I think is a bad idea on what I call low end hardware.  A hypervisor should be run on systems that have resources.  4 cores @ 1GHz with 4 gig of RAM is low end hardware in my book.  I only consider running a hypervisor if systems have 100+ gigs of RAM and more than 32 cores at over 2GHz per core.  Then I will think about running dual OS.

My opinion: you have already crippled OPNsense by doing what you are trying to do, running a hypervisor and then OPNsense on top!  The tests I have done tell me OPNsense needs somewhere around 4GHz of total compute CPU to get near 1gig WAN<->LAN speed.  I know the J1900 Intel CPU that is 2.0GHz x 4 cores has a hard time going over 1gig WAN<->LAN throughput, so 1/2 of the CPU in the board you are talking about.  I can tell you running dual OS is a super super bad idea on that board, from the tests I have done with OPNsense.

If you get it to run I would like to know what kind of throughput you get WAN<->LAN!
#18
17.1 Legacy Series / Re: Fatal trap 12
March 27, 2017, 10:57:23 AM
Why would you run a hypervisor on such low end hardware in the first place?  I would guess the hypervisor has taken up all the resources needed for OPNsense, and when OPNsense goes to get the resources needed, the hypervisor errors out, causing OPNsense to error out because it cannot get the resources needed to run.

I would guess if you loaded OPNsense directly on the board without a hypervisor you should find OPNsense will come up and run with no problems.  Just my opinion.
#19
17.1 Legacy Series / Re: Low internetspeed
March 27, 2017, 12:38:56 AM
Well, I will give you my two cents.  I have just started with OPNsense and my knowledge is only around 17.1.x.

There is a performance problem with network cards if they are not set up correctly.  For Intel, if the settings are put into boot and sysctl it helps on throughput by over 400 Mbit to 300 Mbit (my opinion: these settings below should be installed when setting up OPNsense, because you know what network interface you are dealing with in the install program).  I took a Qotom-Q190G4N-S08, which is just a J1900 Intel junk CPU @ 2GHz and Intel network interfaces.

This was after using a high power 16 core 6386 Opteron with 64GB RAM and Intel network interfaces and loading OPNsense on that to test out what kind of hardware is needed to do 1gig at full speed.  I saw the CPU would not even go over 10% for 1 core (it sat around 5% to 7% of 1 core) with everything turned on, with OPNsense doing 1gig WAN<->LAN constantly for over 4 hours.

So, I decided to try as low end as I can go.  I picked up a Qotom-Q190G4N-S08, loaded it with OPNsense and configured it with IPv6 & IPv4 with Intrusion Detection on but with IPS mode off (if I turn IPS mode on then IPv6 will stop working for some reason.  Why, I do not understand, but it does that on 17.1.1, 17.1.2 and 17.1.3).  With the same config as the Opteron, with IPS off vs on with the Opteron, the Qotom-Q190G4N-S08 does 900 Mbit (50 Mbit + or -) WAN<->LAN speeds.  The only difference between the configs was no IPv6 and IPS on vs the J1900 with IPv6 on and IPS off but ID on.

I have the loader.conf.local with these 2 lines:
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1

Same lines as I had on the Opteron box; I just moved the file over.  I cannot make the J1900 CPU go above 2.0GHz even though it should run 2.5GHz.  powerd with "-a hiadaptive" does not work on the J1900, and I cannot get the sysctl to push the clock rate up to see if that extra 100/150 of throughput is because of the CPU at 2.0GHz, or whether 2.5GHz would give the extra 100 Mbit to 150 Mbit missing for 1gig WAN<->LAN.  At speeds of 850 Mbit to 900 Mbit the CPU runs near .8 to 1.2 on uptime on a 4hr speed test.  So one core of the 4 cores in the J1900 is getting near or over 100% use in htop.  That is why I think it could be the CPU on the J1900.

I have not tried this with Realtek network interfaces so I cannot say the speed difference.  I would guess the throughput you are having issues with could be the Realtek network interface.  Even this J1900 junk CPU can do almost 1gig.  I think it is all about the network interface, not the CPU.  This is just my opinion so far on what little I have played around with OPNsense.  I have been a FreeBSD person from before FreeBSD, when it was called 386BSD.  So I know FreeBSD very well.  I can get the most out of FreeBSD normally.

I think the problem is Realtek in your case, not OPNsense.  You could hit up eBay really fast with 20 or 30 dollars and pick up a 4 or 2 port Intel network card from eBay.  That would be my suggestion to you.  Swap out interfaces, try putting everything across Intel network ports, set the loader.conf.local and see if the speed moves up.  That would tell you if it is the Realtek network or some other kind of IO or CPU or memory issue you could be having.
#20
How would you configure OPNsense to do this?
#21
Just wondering if this is already built into OPNsense.  Let's say you have the LAN DNS server handing out local IPs to the 192.168.1.x network for DHCP clients.  In that DHCP block everything is dynamic.  Outside of that block, let's say 50-100 is dynamic and 101-200 is static addresses.

Let's say we have a system at 192.168.1.150 called abc.xyz.com and that system goes down.  Is there a way with OPNsense to update the IP address of abc.xyz.com to 192.168.1.175???  Outside, no one would know about abc.xyz.com because it is not on the public side of DNS or WAN addressable, since it is a private network.  I am only talking about the private network side, not the public side; when everyone thinks about DynDNS that is the public network.  I am not talking about public networks.

Just wondering if this is already in OPNsense, or if it is better to turn off LAN DNS in OPNsense and set up a Unix box with a DNS server to handle private DynDNS updates and do all of what OPNsense is doing for DHCP?

If anyone has done this in OPNsense then I would like to see a config or setup of how you went about getting it working.
#22
I am using a J1900 with Intel Ethernet drivers, and when you turn on IPS in Suricata, IPv6 goes away!  IPv6 stops working but IPv4 keeps working.  As soon as you turn off IPS in Suricata, IPv6 starts working again.  IPv4 works with IPS on or off.  If Suricata is enabled but with IPS off then both IPv4 and IPv6 work.  This holds true for 17.1.2 and also in 17.1.3!
#23
If the router is being port scanned or the router is being SSHed, then the router has access to all the packets since it is the end point.  Therefore, OPNsense should be able to notice those attacks and block them.  Kind of basic firewall 101 from the ones I have used in the past.

I have not yet been able to figure out how to make Suricata or OPNsense block / ban IPv4 & IPv6 addresses that appear to port scan or try to SSH to the router in break-in attempts.  I would figure this would be a very basic thing that is easy to do.  I have not found an easy solution to this problem with OPNsense!
#24
I did not see fail2ban in packages or plugins.... how would one go about installing fail2ban if you have only installed OPNsense....  If I had installed the normal FreeBSD OS and somehow added OPNsense on top of FreeBSD then I would be using something like sshguard... what I use on my servers, which does a good job at dealing with that stuff... like port scanning and SSH...

I wish OPNsense had a few simple tools that everyone needs in a section called KISS = keep it simple, stupid:

1. would be block port scanning
2. would be block ssh / telnet / etc hacking attempts
3. VoIP QOS so you can set 64k or 128k or just put all VoIP traffic at the front of the queue...
4. IPv6 only or IPv4 only or IPv6 & IPv4 config for WAN

That would make OPNsense very useful to a ton of people.  Me personally, I like being at the OS level.  When you are up at the web interface level lots of items are stripped to make the config uniform and easy to deal with.  I get that... but presets would go a long way to dealing with simple tasks that almost everyone needs to happen.
#25
I would like to see a working example of that suggestion, because I have the same issue with SSH login attempts and I would love to do something to block the IP address....
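For the SSH break-in detection asked about in #23 through #25, an added example that is not from this thread or from OPNsense: a POSIX shell function that counts "Failed password" events per source address in FreeBSD-style auth.log lines and reports the sources at or above a threshold, the same kind of decision sshguard makes before it fills a pf table. The log lines are constructed; the auth.log path and the sshguard table name in the comments are assumptions about a typical FreeBSD setup.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed FreeBSD-style auth.log lines:
# one IPv4 source with three failures, one with two, and an IPv6 user whose
# single failure is followed by a successful key login.
SAMPLE_LOG='Mar 27 10:01:02 fw sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 27 10:01:05 fw sshd[1235]: Invalid user admin from 203.0.113.7 port 51002
Mar 27 10:01:09 fw sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 27 10:01:14 fw sshd[1237]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 27 10:02:11 fw sshd[1240]: Failed password for rgo from 2001:db8::5 port 40010 ssh2
Mar 27 10:02:15 fw sshd[1241]: Accepted publickey for rgo from 2001:db8::5 port 40010 ssh2
Mar 27 10:03:00 fw sshd[1250]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar 27 10:03:04 fw sshd[1251]: Failed password for root from 198.51.100.9 port 60001 ssh2'

# ssh_offenders [threshold]: read auth.log lines on stdin and print
# "<failures> <address>" for every source with at least <threshold>
# (default 5) failed password attempts, most failures first.
# Only "Failed password" lines count: an "Invalid user" line is the same
# attempt logged a second time, and "Accepted" lines are successes.
# The address is the word after the LAST "from" on the line, so a
# user-chosen login name that itself contains "from" cannot spoof it.
# Works for IPv4 and IPv6 literals alike.
ssh_offenders() {
    min="${1:-5}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src != "") fails[src]++
        }
        END { for (a in fails) if (fails[a] >= min) print fails[a], a }
    ' | sort -rn
}

# Demo on the constructed lines with a threshold of 2. On a real box you
# would run e.g. "ssh_offenders 5 < /var/log/auth.log" (path assumed) and
# add each reported address to the pf table your block rule references;
# sshguard uses a table named sshguard ("pfctl -t sshguard -T add <addr>").
# Pass only the extracted address to pfctl, never raw log text.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 2
```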
#26
17.1 Legacy Series / Re: QOS with nDPI possible?
March 13, 2017, 05:15:41 PM
What I would like to find is not pipes but how you can just prioritize packets, i.e. a VoIP packet gets put in front of the other packets, not just forced down a certain pipe.  Anyone know how to do that without using pipes?
#27
Were you able to get it to also update IPv6?  I have only been able to make it do IPv4... or IPv6, but I cannot get it doing both IPv6 & IPv4 so you have both A and AAAA attached to the same name.
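For the private DynDNS question in #21 (a LAN host abc.xyz.com moving from 192.168.1.150 to 192.168.1.175) and the A-plus-AAAA follow-up in #27, an added example that is not from this thread or from OPNsense: a shell function that writes an nsupdate batch replacing both record types for one host in a private zone on a BIND-style server, which is the "Unix box with a DNS server" route from #21. The zone name xyz.com, the TTL, the IPv6 address and the TSIG key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build an nsupdate batch that replaces
# both the A and AAAA records of one LAN host name in a private zone, so the
# zone tracks the host's current IPv4 and IPv6 address. Zone name, TTL,
# IPv6 address and key path are assumptions for the demo.

# ddns_batch <zone> <fqdn> <ttl> <ipv4|-> <ipv6|->
# Prints the update script on stdout. "-" skips an address family but still
# deletes that record type, so a host that moved or lost an address is not
# left resolving to a stale one. Refuses names outside the zone, so a
# mistaken or hostile caller cannot rewrite records for some other name.
ddns_batch() {
    zone="$1"; fqdn="$2"; ttl="$3"; ip4="$4"; ip6="$5"
    case "$fqdn" in
        *."$zone") ;;
        *) echo "ddns_batch: $fqdn is not inside zone $zone" >&2; return 1 ;;
    esac
    printf 'zone %s.\n' "$zone"
    printf 'update delete %s. A\n' "$fqdn"
    [ "$ip4" != "-" ] && printf 'update add %s. %s A %s\n' "$fqdn" "$ttl" "$ip4"
    printf 'update delete %s. AAAA\n' "$fqdn"
    [ "$ip6" != "-" ] && printf 'update add %s. %s AAAA %s\n' "$fqdn" "$ttl" "$ip6"
    printf 'send\n'
}

# Demo: the host from the question, moved to 192.168.1.175, plus a
# constructed IPv6 address. Real use pipes this into nsupdate signed with
# the zone's TSIG key so only the key holder can change the zone, e.g.
#   ddns_batch xyz.com abc.xyz.com 300 192.168.1.175 2001:db8::175 \
#       | nsupdate -k /path/to/tsig.key      # key path is a placeholder
ddns_batch xyz.com abc.xyz.com 300 192.168.1.175 2001:db8::175
```

The same batch with "-" for the IPv6 address is what a DHCPv4-only host would send; the stale AAAA is still removed.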