Messages - 134

#31
Hardware and Performance / Re: Intel X710 woes
May 02, 2021, 06:31:03 PM
Quote from: Supermule on May 02, 2021, 06:22:11 PM
The i40e driver on VMware for the X710 is heavily flawed when offloading and using jumbo frames.

Disable all offload and run 1500 MTU, then it's rock solid.

My OPNsense is on bare metal, not virtualized. This 10G link is trunked with multiple VLANs.

I already have all offload disabled by default.
#32
Hardware and Performance / Intel X710 woes
May 02, 2021, 06:15:20 PM
Recently I upgraded the link between the OPNsense router and the switch to 10G; the NIC is an X710-DA2. Since then I've had a bad network experience: kicked out of online games, "broken pipe" on SSH connections to a local server on another VLAN, local streaming and file operations from the NAS interrupted...

The occurrence of these drops can vary from 0 in a whole day to a consistent disconnect every several seconds.

I believe the switch is not the issue because I tried replacing it with another 10G switch lying around, so it must be the OPNsense router.

I'm not sure if this is a 21.1.5 issue because I had this NIC only briefly before upgrading OPNsense to 21.1.5.

Is there anything I can do to fix this? System tunables? Another driver instead of the default one? Or just buy another NIC (X520 ???).

Thanks!
#33
Quote from: marjohn56 on April 14, 2021, 12:59:31 AM
@134 - As Maurice said, we are looking at tracking aliases, which should work with statically assigned devices on the LAN. However, at the moment I'm looking at an issue with the dhcp6c client where I think it's not correctly updating the addresses and prefixes on the LAN side when the prefix changes. I need full dhcp6 logs though; if you're prepared to share your logs with me that would be really useful. PM them to me if you wish to keep them private. Firstly you'll need to go to Interfaces->Settings and set dhcp6c logging to debug and then reboot. I don't know how often your ISP changes your prefix, but a couple of cycles' worth of system logs would be useful. To anyone else reading this: I'm really looking for the debug info from dhcp6c when the prefix changes. Does the address on your WAN and the LAN change correctly too? My initial debugging seems to suggest that dhcp6c is (or was) not removing the existing prefix(es) from the interfaces and in some cases is adding the new prefix on top. If we can get some concise answers as to exactly what's going on with dhcp6c, then it will be more likely that when we start work on the prefix aliases it will work properly.

Not sure if this is what you're looking for, but I tried rebooting OPNsense twice to get some logs. If I remember correctly, my prefix never changes unless I reboot the router or the ISP-provided modem (which is in bridge mode). I will pay more attention to the logs in future:

https://pastebin.com/Wtk6Pife

https://pastebin.com/HMMw7cRR
#34
Most ISPs delegate new IPv6 prefixes to the router (and subsequently to all clients that track the interface) upon reconnection. This creates the problem that firewall rules with existing prefixes become useless once new prefixes are pushed.

This has also been a much desired feature in pfSense for years, but it seems they are targeting 2.6.0:

https://redmine.pfsense.org/issues/6626

For me this is the only feature currently preventing me from deploying full dual-stack for all internal hosts. Does OPNsense plan to implement a similar feature that allows users to input only the 64-bit suffix of the hosts in rules and forget about the prefix? Hopefully the answer is yes because I don't want to go back to pfSense :).

Thank you!
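The suffix-only matching asked for in the post above, sketched as an added example (not part of the original post, and not OPNsense or pfSense code): each host keeps a fixed 64-bit suffix, and its full address is recomputed whenever a new prefix is delegated. The function names, host table and `2001:db8::/32` documentation prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample data: host name -> (subnet id inside the delegation, fixed 64-bit suffix).
HOSTS = {
    "nas": (0x10, "::211:32ff:fe12:3456"),
    "workstation": (0x01, "::a"),
}


def parse_suffix(suffix: str) -> int:
    """Return the suffix as an integer; reject values that carry prefix bits."""
    value = int(ipaddress.IPv6Address(suffix))
    if value >> 64:
        raise ValueError(f"{suffix}: upper 64 bits must be zero")
    return value


def lan_prefix(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one LAN /64 out of a delegated prefix such as a /56 or /60."""
    net = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if net.prefixlen > 64:
        raise ValueError(f"{delegated}: delegation is longer than /64")
    if not 0 <= subnet_id < 1 << (64 - net.prefixlen):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {delegated}")
    return ipaddress.IPv6Network((int(net.network_address) | subnet_id << 64, 64))


def rebuild_aliases(delegated: str, hosts: dict) -> dict:
    """Recompute every host's full address for the currently delegated prefix."""
    aliases = {}
    for name, (subnet_id, suffix) in hosts.items():
        base = int(lan_prefix(delegated, subnet_id).network_address)
        aliases[name] = str(ipaddress.IPv6Address(base | parse_suffix(suffix)))
    return aliases


if __name__ == "__main__":
    # Two constructed delegations from the documentation range, before and after a reconnect.
    for prefix in ("2001:db8:aa00::/56", "2001:db8:bb00::/56"):
        print(prefix, rebuild_aliases(prefix, HOSTS))
```

Rules that reference the rebuilt addresses stay valid across a prefix change only if they are regenerated before the old prefix is removed from the interfaces; a stale entry silently stops matching.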
#35
... got this message from PayPal:

https://imgur.com/e82fUzk

I chose donating with a credit/debit card because I don't have a PayPal account. Is this on OPNsense's or PayPal's end?
#36
Quote from: scot on March 25, 2021, 03:25:35 AM
Can't speak to the Atom directly. But I have a Celeron J1900 which is... similar if not slightly more performant.

http://cpuboss.com/cpus/Intel-Celeron-J1900-vs-Intel-Atom-C2558

My network can run gigabit non-routed without issue, aka switches aren't an issue.

Pure routing, mine does ~500-550 Mbits/s on a standard iperf test (there are other streams routing while I run this test... maybe 15-30 Mbps). Both with and without -d (dual).

Note: sorry for the external link, I don't know how to attach images inline here.

https://imgur.com/a/LxEVhhz

Throw Suricata in the mix and I'm closer to 130 inter-vlan as it inspects the traffic both ingress and egress.

https://imgur.com/a/XgS6ZIm

Though I can push my ISP tier (240 Mbps) across the WAN (where Suricata is only inspecting the traffic once).

Ultimately WAN is all I care about. Anything I want faster than 130 Mbps I'll stick on my main LAN.

It's C3558 not 2558 and it's noticeably beefier than the J1900. It can do LAN routing at 1G; I'm just wondering what the reasonable limit is so I can make my decision on whether to upgrade to a 10G link between hosts.
#37
I'm planning to build my home network in router-on-a-stick fashion with OPNsense installed on a C3558 board, but I don't know what throughput OPNsense can route between network segments, mainly from my workstation to a NAS in another VLAN.

I looked at the performance of the Netgate XG-7100 because it has the same CPU and both projects are probably similar in routing capability. It says 18 Gbps routing and 6 Gbps firewall but I'm not sure what those numbers mean. With the several simple access/deny rules I have in each VLAN, can I reach 10 Gbps? Or perhaps the number will just be 5-6 Gbps as the XG-7100 advertises? Would increasing the amount of RAM from 8GB to 16GB improve this routing performance?

#38
Is there any estimate on when OPNsense will have Jason's implementation of WG? I'm currently fine with OpenVPN, but looking toward WG.