Messages - arkanoid

31
General Discussion / Re: Rules table on mobile shows only couple of columns and doesn't scroll right
« on: March 23, 2022, 01:38:16 pm »
Quote from: tiermutter on March 23, 2022, 12:08:14 pm
It's the same here, but I don't really care about it, because making changes with small mobile touch-displays often causes problems due to misconfiguration. I had a case where I inadvertently unticked the "active" checkbox for LAN interface and then saved the config :o

So I advise to not configure opnsense with mobile devices :)

It's like saying:
please don't drive a car, a wrong turn of the wheel by a value of 1 degree is sufficient to kill yourself or other people.

The DPI of a smartphone is generally higher than the DPI of a screen due to its size and the average distance from your eyes. This makes the usable area of the display *larger* than the one of a desktop monitor (just push this concept to the limit and you find Virtual Reality displays).

You might say the input is less precise, but actually it is not. I'm using the smartphone with a touchscreen pen, and you can ask artists if they feel better drawing with a pen on a recent smartphone, or with a mouse on a fullhd screen. Again, here it's a broad topic and it brings in a lot of usability concepts.

Apart from that, it's 2022 and mobile browsers know the concept of "desktop mode", horizontal scroll, and landscape mode. The rules table is just "shooting itself in the leg" and has never been tested on a device.

I do understand not all pages can be easily optimized for mobile, but the rule table in a firewall is pretty important, I'd say.

It's not OPNsense's responsibility to care if the user has a larger finger than average or is operating on his firewall while drunk. Desktop and mobile should make no difference. And also this happens on tablets too.

32
General Discussion / Rules table on mobile shows only couple of columns and doesn't scroll right
« on: March 23, 2022, 11:46:54 am »
Hello

Whenever I need to change a firewall rule table while using a mobile device (over vpn, of course  :P) I find myself struggling with a web page that refuses to work properly.

I am using a mobile device that has a higher resolution (and obviously higher DPI) than my fullhd desktop, but no matter if I use the "desktop mode" on mobile, or different mobile browsers, or landscape mode, the rules table shows only the "Protocol", "Source", "Description" and buttons columns and doesn't scroll to the right.
I end up having to guess the right rule based only on this info.

Apart from that, it works, but please I'd be happy to exchange "Description" with "Destination" column, at least.  :'(

Is there anything I can do? Thanks

33
22.1 Legacy Series / Re: OPNsense 22.1 catastrophic failure: "out of swap space", all processes killed
« on: March 14, 2022, 02:47:12 pm »
After some testing, I can confirm that the issue was caused by excessive system load and not due to RAM shortage.

Reading CPU % usage is not enough: if system load (first line in `top`) reaches <num processors>, it is very possible that out-of-memory could be triggered due to processes reaching excessive waiting.

34
22.1 Legacy Series / Re: OPNsense 22.1 catastrophic failure: "out of swap space", all processes killed
« on: March 06, 2022, 02:25:15 am »
Just base firewall. As I stated in the post, no IPS, no IDS. All I have is a wg0 interface forwarding data between peers. NetFlow is also disabled.

The more I dive into the problem, the more I fear it is linked to CPU usage.

By looking at zabbix (external monitor) logs, I noticed that while kernel+user average cpu usage is below 70%, the system load average has been dangerously near 1.0 during the last month, and that drills down to the definition of system load vs cpu load: I had many waiting processes.
This could have triggered the OOM and started a killing spree when the "perfect storm" condition arrived, leaving a process waiting for more than the OOM limit.

I see only one element against this theory: why kill ALL processes, and not just some keeping the system busy? By killing the wireguard-go one, the system load would have dropped to near zero, but it went on killing ssh and webgui too.

Still scratching head.

In the meantime, I've installed the experimental wireguard-kmod package, and I'm experiencing MASSIVE improvements in cpu usage (and also some for memory usage). I've attached initial charts where it's clear how user cpu went to near zero.

35
22.1 Legacy Series / OPNsense 22.1 catastrophic failure: "out of swap space", all processes killed
« on: March 05, 2022, 06:57:37 pm »
I've been trying to track down a problem that causes my OPNsense box *Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz (1 cores, 1 threads), 4GB ram* running in VMware to suddenly go into a killing spree and kill all processes (including ssh access), forcing me to hard reboot it.

The problem is impossible to predict: it happened today at 4:45 AM (GMT+1) when load was relatively low compared to daytime.
Before this event, I had it twice one month ago. After that I doubled the amount of ram (2GB -> 4GB), disabled swap (to exclude it from causes), and upgraded OPNsense to the last version. But the problem is still here.

Please find attached a screenshot of the terminal before hard-restarting the virtual machine that clearly shows the killing spree. This is the only proof I have of the event, as the logs have no track of the problem:
Code:
# grep -r swap /var/log/
returns nothing, and manual exploration of log files both via terminal and web gui shows no relevant events before the time of the incident, but the VGA screenshot shows it (I guess the killing spree kills the logging too?)

The firewall has swap file disabled (System: Settings: Miscellaneous)
This is /etc/fstab:
Code:
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/gpt/rootfs /               ufs     rw,noatime      1       1

No IDS, no IPS, just wireguard running and many peers connected and exchanging data.

The firewall is externally monitored by:
- hypervisor (VMware)
- zabbix
So I have minute-by-minute graphs of the memory usage for weeks from both sources, that clearly confirm the firewall uses <1GB ram the whole time. Please find attached both memory charts for the day of the incident (zabbix shows a large hole, that's just the zabbix agent not starting automatically at boot, so I executed it manually later).

The single CPU has an average idle time > 40% according to zabbix and web gui (but always 100% according to hypervisor, yet to understand why). Please find attached the relative chart.

This is what I've found so far that seems linked to the problem, but actually I've zero clue:
- https://lists.freebsd.org/pipermail/freebsd-current/2019-September/074310.html
  - and this mail in particular: https://lists.freebsd.org/pipermail/freebsd-current/2019-September/074322.html
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241048
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231457

I've no clear idea about what's happening here, so I'm just guessing and applying potential solutions. What I'm trying now is:
Code:
# sysctl vm.pfault_oom_attempts=10
vm.pfault_oom_attempts: 3 -> 10

Any idea? Thanks
