Recent Posts

1

Virtual private networks / Re: Slow Kernel-based WireGuard Performance

« Last post by branin on Today at 06:10:17 am »

Thank you for this!  I was able to go back a few generations and try older versions of wireguard-kmod.  Unfortunately, my speed remained slow throughout, so I assume the issue isn't due to wireguard-kmod but some other OPNsense change.

I'll plan on purchasing a support plan, if you think it will be helpful to diagnose this.

Thanks!

Branin

2

Hardware and Performance / Re: 2.5 Gig NICs and OPNsense

« Last post by etaggart65 on Today at 03:59:42 am »

I just installed an Intel 550-T2 which supports 2.5gbe.

My cable modem status light indicates a 2.5gbe link (Secomm ES2251 - Spectrum)

However, Opnsense (21.7.1) reports link state of - Unknown <rxpause,txpause>

It seems to be working fine but it would be nice to get the link state reporting correctly

3

Virtual private networks / Re: Wireguard tunnel not staying up

« Last post by Mantis314 on Today at 01:07:54 am »

I removed 192.168.19.0/24 from the Endpoint.
There is now only the relevant LAN subnet at each end.
I restarted the tunnel at 11:00 this morning.
When I returned home from work this afternoon at 4:00 it was down again in the same manner as before.
Going to Endpoints and clicking Apply Lights it back up again.
Are there any logs for Wireguard which might provide a clue as to what is happening?

Mantis314

4

General Discussion / Re: Allow traffic from IOT to Lan on specific host and port.

« Last post by slusk on Today at 12:10:30 am »

I changed to /32 and that worked

5

German - Deutsch / Re: Netzwerkdurchsatz Frage

« Last post by Redundanz on August 05, 2021, 11:41:50 pm »

iperf test mit zusätzlichem parameter -u   (udp) getestet? gleiche CPU auslastung? oder niedriger?

wo stehen denn server und client im verhältnis zur firewall. ist da noch "cloud" dazwischen? bzw. geht es via VPN?
oder spielt sich das nur innerhalb eines heterogenen heimnetzwerks ab?

welches dateitransferprotokoll wird verwendet? cifs/smb? nfs? scp?

bei so einem - sagen wir mal fairerweise - "relativ" schwachen prozessor können encapsulation und/oder breitbandiger tcp traffic schwer ins gewicht fallen.
falls das über vpn geht, sicherstellen dass openvpn auf udp läuft. wireguard dürfte m.w. nur udp unterstützen.

6

General Discussion / Re: Allow traffic from IOT to Lan on specific host and port.

« Last post by Greelan on August 05, 2021, 11:15:49 pm »

If you want one host to one host you need a /32 CIDR

7

21.7 Production Series / Re: Firewall log live view does not update

« Last post by maldenvik on August 05, 2021, 10:14:02 pm »

After I flushed the log it seems to work again. I'm sorry.

8

Hardware and Performance / Re: Lack of multi-core working?

« Last post by Gnomesenpai on August 05, 2021, 10:12:24 pm »

In the default settings, all network traffic is handled by core 0 only; this is done to enforce strong ordering for protocols requiring it, while keeping cpu affinity. You can set the following sysctl tunables: net.isr.maxthreads="-1" and net.isr.bindthreads="1" to enable traffic to be handled by all cores.

See this https://calomel.org/freebsd_network_tuning.html to find all kind of tunables to play with

This appears to have made very minimal difference in my case, most of the loading is still sitting on that core, is their any other way to balance it?

9

21.7 Production Series / Firewall log live view does not update

« Last post by maldenvik on August 05, 2021, 09:59:02 pm »

I restored my firewall and now I do not have firewall live view in Opnsense webgui. It's is rolling as it should when doing a tcpdump -nettti pflog0.
Have i done someting wrong?

10

21.7 Production Series / Re: igb on APU4 with OPNS 21.7

« Last post by cookiemonster on August 05, 2021, 09:54:54 pm »

Hi lynxix. My fresh install naturally wiped out my tunables in rc.conf.local and only kept the ones from the gui.
There I only have
hw.igb.rx_process_limit = -1
hw.igb.tx_process_limit = -1
legal.intel_igb.license_ack = 1
I've left those and monitoring but unfortunately I haven't had the opportunity to plug a machine into the WAN side to test NAT throughput. It's in my to-do list.
I've done iperf tests to public iperf servers and the throughput seems unchanged from 21.7 with tunables for igb.
The problem for me is that these I can't tell if they're limited on the public servers. I really need to do the test internally by myself.
My ISP service is just over 500 mbps down. I'd love to know how close or far from it I am.
Also I need to research what it means for the APU with the change to em that I think 21.7 changed to.
How are your tests going?