"Recent posts
#1
Intrusion Detection and Prevention / Re: Suricata logs ignoring rot...
Last post by WandaBKay - Today at 07:32:58 AMQuote from: fastboot on November 12, 2025, 01:32:33 PMThanks, but I don't rely on local log retention.Thank you for sharing
My setup includes a centralized logging system cluster with redundancy – if one SIEM node fails, another one takes over. Logs are streamed live via UDP, so there's no need to store old logs locally.
That's exactly why I use a RAM disk for /var/log: to minimize wear on the NVMe and avoid unnecessary local writes.
The issue is not about log availability – it's about Suricata ignoring the log rotation and retention settings, which causes the RAM disk to fill up.
#2
General Discussion / Re: new setup cannot reach lin...
Last post by muusemuuse - Today at 05:50:26 AMDrunk and tired from Thanksgiving, I went and tried one more thing before stumbling off to bed. I turned off ASPM. To my surprise it made absolutely no difference.
So tomorrow after work I will try the MTU link, different NICs, and using a similarly configured VM running openWRT instead of opnsense.
Maybe this hardware is just cursed. There is no reason my firewalla purple should be running laps around it.
So tomorrow after work I will try the MTU link, different NICs, and using a similarly configured VM running openWRT instead of opnsense.
Maybe this hardware is just cursed. There is no reason my firewalla purple should be running laps around it.
#3
Virtual private networks / Re: VPN Site-to-Site + LDAP
Last post by ludarkstar99 - Today at 05:07:14 AMOlá John. seja bem vindo ao fórum do OPNsense.
Vai usar OPNsense nas duas pontas?
IP fixo em ambas as pontas?
Conexões de Internet redundantes?
De forma geral, recomendo usar wireguard roteado, com túneis redundantes e roteamento dinâmico (bgp) para alta disponibilidade do túneis.
Também pode aproveitar o bgp e enviar a rota/prefixo 0.0.0.0/0 para a filial.
Não esquece de criar um NAT de saída na matriz, mascarando os endereços de origem da filial ao saírem pelo(s) links de internet.
Tenho o procedimento do wireguard/bgp. se quiser, envia o teu e-mail no pv que envio o procedimento.
Vai usar OPNsense nas duas pontas?
IP fixo em ambas as pontas?
Conexões de Internet redundantes?
De forma geral, recomendo usar wireguard roteado, com túneis redundantes e roteamento dinâmico (bgp) para alta disponibilidade do túneis.
Também pode aproveitar o bgp e enviar a rota/prefixo 0.0.0.0/0 para a filial.
Não esquece de criar um NAT de saída na matriz, mascarando os endereços de origem da filial ao saírem pelo(s) links de internet.
Tenho o procedimento do wireguard/bgp. se quiser, envia o teu e-mail no pv que envio o procedimento.
#4
General Discussion / Re: new setup cannot reach lin...
Last post by muusemuuse - Today at 04:51:08 AMWell macvtap is used on the wan for the vm to ensure a misconfigured host can never claim it. The host does whatever virtuoso tells it. So if MTU is screwy, that could explain why it was messed up in bare metal as well.
I have a spectrum cable internet connection. I'll look at that thread tomorrow after work. See you then.
I have a spectrum cable internet connection. I'll look at that thread tomorrow after work. See you then.
#5
Hardware and Performance / Re: N150 / N355 good fits?
Last post by dirtyfreebooter - Today at 04:09:43 AMi recently ran some tests with
Protectli VP2440 - N150 with X710 10g
Odroid H4 Ultra - N305 with X710-DA2 10g via m.2 to PCIe adaptor
Supermicro X13SCL-iF - Intel Xeon 6325p with X710-DA2
OPNsense Business 25.10_2
Zenarmor 2.2 with a good amount of the blocking categories selected. I wasn't going for scientific results, just casual observations.
All X710's had firmware upgrade to 9.55 from the 30.5.1 intel driver pack.
WAN/LAN are ixl0 and ixl1 ports. I've tested various tunables, etc and using iperf3 to generate traffic.
iperf server is a Supermicro X13SAE-F with i7-13700t and Mellanox ConnectX-5 and iperf client is Lenovo P3 Tiny with i5-13400t and Mellanox ConnectX-3. Both running Linux.
All 3 could route 10g without much fuss. 9.46 Gbps iperf in both directions WITHOUT Zenarmor of course.
With Zenarmor, I have tried both emulated and native, since the X710 has pretty decent native netmap driver support. Both throughput and CPU usage was nearly identical between the driver modes. Enabling RSS definitely helped, especially in the 6325p. So all the results here have RSS enabled.
the slower speeds, i didn't see much difference in upload vs download directions. On the 6325p, i did see a measurable and consistence difference. Enabling RSS on the 6325p increased throughput by almost a 1 Gbps.
i don't have a faster cpu than the Xeon 6325p, so i was not able to achieve 10g with Zenarmor. that being said, in all these cases, Zenarmor is using 100% of 1 cpu and the rest of the system is pretty much idle. if zenarmor had decent multi-core processing, a N150 would maybe do 10g, a N305/N355 almost certainly.
zenarmor is dumb with their company tho, imo, saying they don't want to do multi-core for home edition because businesses will but home edition and pay for that. like whatever.
i wish protectli had an N355 version. the vp2440 setup is pretty neat. fanless. the memory/m.2/x710 heatsink built into the bottom of the chassis works amazing. great idea, simple but effective. very nice machine for home. also would be neat to see 1U from them, but they have never done a rack mount before.
--
This is my attempt at fitting Odroid in Supermicro 1U chassis (had to physically remove the audio ports lol) -> https://forum.odroid.com/viewtopic.php?f=168&t=50558
Protectli VP2440 - N150 with X710 10g
Odroid H4 Ultra - N305 with X710-DA2 10g via m.2 to PCIe adaptor
Supermicro X13SCL-iF - Intel Xeon 6325p with X710-DA2
OPNsense Business 25.10_2
Zenarmor 2.2 with a good amount of the blocking categories selected. I wasn't going for scientific results, just casual observations.
All X710's had firmware upgrade to 9.55 from the 30.5.1 intel driver pack.
WAN/LAN are ixl0 and ixl1 ports. I've tested various tunables, etc and using iperf3 to generate traffic.
Code Select
iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900
iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900 --reverseiperf server is a Supermicro X13SAE-F with i7-13700t and Mellanox ConnectX-5 and iperf client is Lenovo P3 Tiny with i5-13400t and Mellanox ConnectX-3. Both running Linux.
All 3 could route 10g without much fuss. 9.46 Gbps iperf in both directions WITHOUT Zenarmor of course.
With Zenarmor, I have tried both emulated and native, since the X710 has pretty decent native netmap driver support. Both throughput and CPU usage was nearly identical between the driver modes. Enabling RSS definitely helped, especially in the 6325p. So all the results here have RSS enabled.
Code Select
N150 - Max throughput with Zenarmor - 3.1 Gbps
N305 - Max throughput with Zenarmor - 3.4 Gbps
6325p - Max throughput with Zenarmor - 8 Gbps upload, 6.8 Gbps downloadthe slower speeds, i didn't see much difference in upload vs download directions. On the 6325p, i did see a measurable and consistence difference. Enabling RSS on the 6325p increased throughput by almost a 1 Gbps.
i don't have a faster cpu than the Xeon 6325p, so i was not able to achieve 10g with Zenarmor. that being said, in all these cases, Zenarmor is using 100% of 1 cpu and the rest of the system is pretty much idle. if zenarmor had decent multi-core processing, a N150 would maybe do 10g, a N305/N355 almost certainly.
zenarmor is dumb with their company tho, imo, saying they don't want to do multi-core for home edition because businesses will but home edition and pay for that. like whatever.
i wish protectli had an N355 version. the vp2440 setup is pretty neat. fanless. the memory/m.2/x710 heatsink built into the bottom of the chassis works amazing. great idea, simple but effective. very nice machine for home. also would be neat to see 1U from them, but they have never done a rack mount before.
--
This is my attempt at fitting Odroid in Supermicro 1U chassis (had to physically remove the audio ports lol) -> https://forum.odroid.com/viewtopic.php?f=168&t=50558
#6
25.7, 25.10 Series / Re: Unable to boot after updat...
Last post by HourWithHobbit - Today at 02:11:10 AMYeah, I should have looked more into the update before jumping in and updating.
I am running this in hardware but do not have the plug in mentioned installed. Instead, I needed to completely remove the WAN interface and reconfigure. After that, internet returned.
I work in IT I know I should have looked into issues! Oops. Thankfully its my home lab!
I am running this in hardware but do not have the plug in mentioned installed. Instead, I needed to completely remove the WAN interface and reconfigure. After that, internet returned.
I work in IT I know I should have looked into issues! Oops. Thankfully its my home lab!
#7
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by meyergru - Today at 01:05:14 AMNein, Patrick, das müsstest Du doch wissen!
https://www.rfc-editor.org/rfc/rfc2606.html
https://www.rfc-editor.org/rfc/rfc6761.html
;-)
Wir wissen ja nur zu gut, dass manche Leute alles wörtlich nehmen - und andere eben nicht... die Kunst ist zu unterscheiden, wann etwas wörtlich zu nehmen ist und wann nicht. Aber um das zu wissen, muss man leider schon Experte sein - ein wichtiger Aspekt des Dunning-Kruger-Effekts.
https://www.rfc-editor.org/rfc/rfc2606.html
https://www.rfc-editor.org/rfc/rfc6761.html
;-)
Wir wissen ja nur zu gut, dass manche Leute alles wörtlich nehmen - und andere eben nicht... die Kunst ist zu unterscheiden, wann etwas wörtlich zu nehmen ist und wann nicht. Aber um das zu wissen, muss man leider schon Experte sein - ein wichtiger Aspekt des Dunning-Kruger-Effekts.
#8
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by bamf - Today at 12:59:46 AMDas schon. Aber auch in einem Platzhalter sollte man doch Beispiele verwenden, die sich zumindest an gängigen Standards orientieren. meinedomain.internal oder meinedomain.home.arpa wären da als Platzhalter besser geeignet, finde ich 😉
#9
General Discussion / Re: new setup cannot reach lin...
Last post by meyergru - Today at 12:55:08 AMThe CPU should not be of concern, at least on bare metal, it is way faster than you need.
You say you use a modem. What connection type is that? DSL over PPPoE? Could it be that the MTU is sub-optimal for your ISP?
If the packets must be re-fragmented, you could experience lesser speeds. Did you try to lower MTU sizes on both LAN and WAN?
The "usual" approach would be to limit the MTU size to a value that does keep OpnSense from refragmenting via MSS clamping. And BTW: OpnSense is not very good at determining the correct size automatically.
Sometimes, ISPs allow for "mini jumbo frames", this is all explained here: https://forum.opnsense.org/index.php?topic=45658.0
Note, however, that this is for non-VM installations. With a VM, you would have to enlarge the MTU on the physical WAN device and the bridge for this to work, too - but I never actually tried that.
You say you use a modem. What connection type is that? DSL over PPPoE? Could it be that the MTU is sub-optimal for your ISP?
If the packets must be re-fragmented, you could experience lesser speeds. Did you try to lower MTU sizes on both LAN and WAN?
The "usual" approach would be to limit the MTU size to a value that does keep OpnSense from refragmenting via MSS clamping. And BTW: OpnSense is not very good at determining the correct size automatically.
Sometimes, ISPs allow for "mini jumbo frames", this is all explained here: https://forum.opnsense.org/index.php?topic=45658.0
Note, however, that this is for non-VM installations. With a VM, you would have to enlarge the MTU on the physical WAN device and the bridge for this to work, too - but I never actually tried that.
#10
General Discussion / Re: new setup cannot reach lin...
Last post by muusemuuse - Today at 12:21:09 AMI can't do passthru on this board because I'm cheap and it sucks. But I did try booting into a live instance of opnsense. It was better but still nowhere near line level.
