Messages - dave

#31
If your WAN interface is PPPoE based, that'll cause issues; BSD's PPPoE daemon is single-threaded, unfortunately.

I use an APU2C4 with the following settings added via System > Settings > Tunables:

hw.igb.rx_process_limit  -1
hw.igb.tx_process_limit  -1
legal.intel_igb.license_ack  1
hint.acpi_perf.0.disabled 1
hint.acpi_throttle.0.disabled 1
hint.p4tcc.0.disabled 1

Also, update to the latest APU BIOS, reboot your router and, via serial, enter the BIOS config and check that Core Performance is enabled (which it should be by default).

Next go to System > Settings > Miscellaneous and disable PowerD (you might need to reboot again).

This will disable all throttling and lock the CPU at 1.4GHz, which can be confirmed with sysctl dev.cpu.0.freq.
The CPU's an SoC so I'm not worried about heat or electricity.
#32
General Discussion / DNS caches
May 08, 2021, 04:05:58 PM
Can someone explain where the best place to put a DNS cache is?

My DNS goes:

AdGuard Home  ->  Unbound  ->  DNSCrypt-Proxy (all within OPNsense across localhost).

All three of these services have caching options.

I would have thought the best place would have been DNSCrypt, or is it worth having caches at each stage?

Or is it best at just Unbound since it can refresh the cache based on the ttl?
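As an added illustration of the TTL point raised in this post (example code, not from the thread or any of the named projects): a small model of the AdGuard Home -> Unbound -> DNSCrypt-Proxy chain, showing that stacked caches behave correctly only when each hop stores the remaining TTL handed down from above, and how a minimum-TTL override at the front (a constructed 300 s, standing in for options such as Unbound's cache-min-ttl) keeps serving a record after the upstream has changed it.

```python
# Added example (not from the thread): chained DNS caches and TTL handling.
from dataclasses import dataclass


@dataclass
class Answer:
    rdata: str
    ttl: int  # seconds of validity left at the moment the answer is returned


class Upstream:
    """Constructed stand-in for the public resolver; the record changes at t=60."""

    def __init__(self):
        self.queries = 0

    def resolve(self, name, now):
        self.queries += 1
        return Answer("10.0.0.1" if now < 60 else "10.0.0.2", 60)


class CachingResolver:
    """One caching hop. min_ttl models a minimum-TTL override at that hop."""

    def __init__(self, upstream, min_ttl=0):
        self.upstream, self.min_ttl, self.cache = upstream, min_ttl, {}

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return Answer(hit[0], hit[1] - now)  # hand down the *remaining* TTL
        ans = self.upstream.resolve(name, now)
        ttl = max(ans.ttl, self.min_ttl)  # override only lengthens the lifetime
        self.cache[name] = (ans.rdata, now + ttl)
        return Answer(ans.rdata, ttl)


def simulate(adguard_min_ttl=0, query_times=(0, 30, 61, 120, 181)):
    """Return (answers seen by clients at each query time, upstream query count)."""
    upstream = Upstream()
    dnscrypt = CachingResolver(upstream)
    unbound = CachingResolver(dnscrypt)
    adguard = CachingResolver(unbound, min_ttl=adguard_min_ttl)
    seen = [adguard.resolve("host.example", t).rdata for t in query_times]
    return seen, upstream.queries


if __name__ == "__main__":
    print(simulate())     # TTL honoured at every hop: new address seen from t=61
    print(simulate(300))  # front cache pins the old address for all five queries
```

With every hop honouring TTL the three caches expire together and the change is seen on the first query after t=60; with a 300 s floor at the front hop, the stale address is served for the whole run and the upstream is asked only once.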
#33
If you can be bothered, the long answer would be appreciated; or at least directions to some relevant reading.
I get that netmap offloads processing on to the NICs themselves, but an encrypted flow is still an encrypted flow?
Clearly I don't understand this.
#34
Just trying to understand this a little better. Which of the rulesets require SSL MITM decryption? I've noticed some of the rulesets are essentially IP-based block lists, but others I'm guessing must require SSL MITM DPI to function?
#35
Quote from: Ricardo on April 13, 2021, 03:25:35 PM
Are there any penalties from not using powerd (otherwise said, not enabling the powerd service)? I assume some hidden bugs may surface, if some system strongly assumes powerd is an always-present component. Or at least I would be more careful to say too quickly that powerd is not necessary at all and doesn't cause any issues.

Disabling PowerD and enabling the core performance boost via the BIOS will lock the cores at 1.4GHz.
The APUs are only ~10W devices, so you don't need to worry about power savings / heat.
#36
(Unsurprisingly) it's generally the porn lists that do it, I find.
Also, Unbound's performance and memory usage take a big hit when using it for wide-scale blocking.
I've switched to using AdGuard by adding the 3rd-party repo and it's waaaaaaaay better, and built for purpose. Highly recommended if it's an option.
#37
A ~12 watt device left running 24/7 is gonna cost you ~£10/year... so....

Thing I'd like to know is why, in spite of the newer BIOSes, the CPU still does boost to 1.4GHz....?
#38
Could you go into a little more detail regarding this setting?

I have a UniFi WAP, and see these broadcasts arriving on my PPPoE WAN port, but never really gave them much thought since they're non-routable...
#39
Nope.  Have you?
#40
Quote from: chemlud on November 18, 2020, 11:01:41 AM
Nope, the "EU-version" of the Vigor 130 (if there is such a thing) can act as router or modem (bridged mode), but as it is most often used as modem, it comes pre-configured in modem mode. Let the sense do the PPPoE and VLAN is the preferred configuration.

I emailed Draytek:

Quote
Regarding the authentication, the DrayTek UK Vigor 130 was designed to support bridge mode out of the box. You can consider the Vigor 2762 series that can handle PPP authentication.

They didn't outright say no I guess.
#41
Couple of things you might want to do:

Update your BIOS:
https://pcengines.ch/howto.htm#bios
https://pcengines.github.io/

Teklager have some optimisations:
https://teklager.se/en/knowledge-base/opnsense-performance-optimization/

Also, if you're running a PPPoE-based WAN interface, that can affect performance.

From what I understand this is a BSD thing.
APUs are capable of hitting gigabit throughput with Linux-based OSes like IPFire (something to do with multi-threading), and BSD's PPPoE implementation kinda sucks apparently.
#42
I wanted to try the same thing but it looks like the EU and US versions of the Vigor 130 are actually different.
The US version can act as a router (enabling it to handle PPPoE auth and encapsulation itself), whereas the EU version doesn't have this functionality.
#43
I recommend these settings to
#45
d'oh
that was obvious