Messages

Hard to tell how much throughput can be archived over one of the 10 Gbit ports when the WAN side (1 Gbit port? (igbx)) is running with IDS/IPS enabled. I think it depends on the throughput on the WAN interface, the used rules and the type of traffic overall. But for sure it will be far away from 10 Gbit/s on a DEC750.

If you want 1 Gbit/s throughput on the WAN interface with IDS/IPS enabled and full 10Gbit/s throughput on the LAN side at the same time, you should take a look at more powerful appliances. Likely a DEC840 or DEC850 could handle that, I don't know. Maybe an owner of a DEC840/850 can run a benchmark or maybe the Deciso team has more information about that.

Can you share more details about your configuration and test procedure? With dpi you mean IDS/IPS? The threat protection throughput is listed at about 1 Gbit/s for the DEC740/750.

You have to manually install the needed plugins before restoring the backup config. The config restore doesn't install plugins.

There are new images available and it looks like you have to disable "legacy UART support" in the BIOS. Maybe that is the reason for your problems. Please have a look at https://forum.opnsense.org/index.php?topic=27432.msg133502#msg133502

Thanks for your answers - looks like it was my fault. I thought the config import would also install the depending plugins. Good to know for the next restore :)

Yesterday I had to reinstall 22.1.3 on a DEC690 with broken UFS filesystem (multiple power outages). The reinstall (ZFS) followed by a config import went without any problem - except the wireguard setup. Wireguard was broken afterwards - the plugins page listed "os-wireguard" as missing and the only visible wireguard related thing was it's (inactive) interface in the corresponding list.

After installing the wireguard plugin, the former configuration from the backup (local & endpoint) showed up in the GUI but was not applied to the plugin. I had to edit and save each configuration (without changes) to get it working. Afterwards the configured wireguard tunnel started working again.

Maybe you should take a look on the DEC740/750 or DEC840/850 from the opnsense shop :)

Finally I was able to (re-)install 22.1 via serial connection. The key to success was indeed the deactivation of legacy UART support. Afterwards the console worked without any issues - same for the new image. Thanks again Franco :)

Which rulesets do you use? ETPRO telemetry? If yes, have a look at the different available categories and choose what fits best to your needs -> https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Thank you very much franco - I'll test the new image tomorrow after work.

After switching the appliance, the problem does not longer exists for me. Maybe it's related to my former used hardware - Protectli fw6b (already sold).

The linked DAC cable works like a charm  :)

Thank you Franco - I'll test the new image as soon as it is available  :)

After trying to install 22.1 on a new DEC740 for about an hour, I'm giving up for now - it seems to be impossible. At the beginning, the console works as expected until I reach the menu to choose the keyboard layout. When using the arrow keys to navigate down the available keyboard layouts, the menu navigation suddenly gets slower until it freezes completely (the tab key still works at this point). A few seconds later, the installer skips the whole menu to the next menu - same again there.

Used the original usb console cable and the image OPNsense-22.1-OpenSSL-serial-amd64.img.bz2. Tested via screen on a macbook (Monterey) and putty on a windows laptop (Windows 10 pro) - same results. Console speed was set to 115200.

Am I doing something wrong?

....
Gibt es hier bei KD eigentlich eine Alternative Lösung, so dass man die IP ohne Fritzbox an die Firewall knüpfen kann?

Ja die gibt es grundsätzlich. Das Kabelmodem TC4400-EU macht docsis3.1. Ist mit gut 200 (T)Euronen nicht eben preiswert und zumindest in der Vergangenheit nur bei wernerelectronic.de zu bekommen gewesen.  Kann aber selbst dazu nichts sagen. Habe das Teil nie benutzt und mitttlerweile wegen des ganzen HickHack bei KDG/VF auf einen "normalen" DSL-Anschluß umgestellt.

Das kdgforum.de / vodafonekabelforum.de kennst du ja vielleicht schon. Weinn nicht, schau einfach mal dort rein. Da findet sich alles rund um VF / Kabel und natürlich auch zu dem Modem.

Soweit ich das von anderen Modems als Bridge bei VF noch in Erinnerumg habe, bekommst du mit der OpnSense hinter dem Modem die IP direkt per dhcp.

Man kann bei KD/Vodafone die Fritzbox einfach gegen die Vodafone Station tauschen. Diese lässt sich dann einfach im Kundeninterface auf den Bridge-Mode umschalten. Ist dann quasi nur noch ein Modem. Und man verliert nicht den Supportanspruch.