Recent posts

#1

26.1 Series / Re: Rule ID format affecting S...

Last post by Waldhaar_ - Today at 02:41:58 AM

In the meantime ;-) are you able to modify the grok expression to cater for both formats?

Trying to figure out how to do that very thing...

If you add a ticket on GitHub that's something to consider for improvement. I agree that it shouldn't differ but we need to isolate the code bits responsible first to make a meaningful plan forward.

https://github.com/opnsense/core/issues/10059

#2

Hardware and Performance / Re: Mono Gateway (an NXP-based...

Last post by Maurice - Today at 02:41:10 AM

I like to avoid YouTube whenever I can when it comes to this kind of stuff : Reading about it is more my style :)

https://docs.mono.si/gateway-development-kit/hardware-description
https://docs.mono.si/tutorials/development-set-up (note the references at the end)

So it's like my old Router with MIPS SoC like I thought.

Pretty sure that didn't run OPNsense. :)

Can you at least mix both things without the need to disable any of the Offloading Features first ?

Not sure what you mean by "mix both things". And it's all about the offloading, disabling it wouldn't make sense.

So with that kind of setup the issue with the FreeBSD Bootloader needing an upgrade from time to time can be ignored, right ?

Correct. That's not the reason why it was implemented this way, but I guess it could be considered a positive side effect.

Are there any AARCH64 Mainboards out there that can run FreeBSD or simply OPNsense without any big issues ?

Yes, this one. :)
(But seriously, I don't have any other recommendations. Other aarch64 SBCs which can run OPNsense might be nice for hobby projects, but not for serious networking.)

Since you are our AARCH64 Releases guy and all :)

I've only used it on VMs until recently. Gateway changed that.

#3

Zenarmor (Sensei) / Re: Zenarmor performance @ Int...

Last post by Seimus - Today at 02:09:48 AM

CRS326-24G-2S+IN > https://mikrotik.com/product/crs326_24g_2s_in

I like this one, I just wished it had 2.5G ports.

Regards,
S.

#4

Zenarmor (Sensei) / Re: Zenarmor performance @ Int...

Last post by Seimus - Today at 02:07:34 AM

Keep it that way if you are happy with the performance and stability ;)

I am, for me its perfect, the stuff it can do is above and beyond.

Honestly it never occurred to me to replace OpenWRT with anything else (yet). OpenWRT provides features that are on enterprise HW yet for fraction of the price lets say. Plus I like to mingle with OpenSource stuff and DIY.

So think about this VERY CAREFULLY before you buy anything... ;)

All of these are valid points, when I looked into the Management platform, at least the latest "revamp" sounded to me like a mess.

Mikrotik is great, IMHO. Cheaper, and very feature rich. And reliable, at least in my environment - using only layer 2, switches and APs. It's still called "Router OS" but I only use the layer 2 features. Plus, if you happen to live in the EU ... they are from Europe, too. Sovereignty, customer protection, GDPR, something something ...

This is kinda as well my mindset currently. And strongly plays into the decision making.

They lack a central management solution but if you actively seek to get rid of something like that ... SNMP works great and RANCID supports Mikrotik so you can automatically pull and version configurations in e.g. git.

Good to know!


Thank you both for your opinions and inputs!
Regards,
S.

#5

Hardware and Performance / Re: Mono Gateway (an NXP-based...

Last post by pfry - Today at 01:45:23 AM

And why suddenly use Offloading while it's always recommended to disable all of it for both OPNsense and pfSense ?!

Because it does not work reliably on generic AMD64 hardware and Intel/Broadcom/etc. network interfaces? [...]

Just to expand this a bit, there's a lot of odd, somewhat useless (in practice) capability built into PC network interfaces. If you're bored, look at DPDK's NIC overview.

Example: the Intel E810 has a tiny (8000 entry, IIRC) TCAM, and it (the chip, not the TCAM) is used in several Deciso boxes. It's really too small for a useful flow cache, but it could make a decent partial policy offload (basically everything but address - which it can handle, but something like a geoip db would overflow it a bit).

Another example: the Chelsio T5/6/7 NICs have a truly tiny (~500 entry IIRC) TCAM, and some have onboard RAM that can support exact-match filters, potentially good for flow matching. They have some header rewrite capability, too (e.g. for NAT). The T6/7 also have a crypto engine (with a FreeBSD driver).

At any rate, the problems tend to arise when you globally enable features in a mixed-NIC system. The failure mode for unsupported features should be graceful...

[Outbound NAT]

#6

25.7, 25.10 Series / Re: Router not having WAN acce...

Last post by nero355 - Today at 01:11:20 AM

There is nothing in any NAT section.

Outbound NAT is either Automatic NAT or Hybrid NAT and if not then that's why you don't have any connectivity !!



Like I said : Maybe just start with a fresh install again and follow the Setup Wizard after the first boot would be easier ?

#7

Tutorials and FAQs / Re: IPv6 Control Plane with FQ...

Last post by OPNenthu - Today at 01:07:54 AM

Necro bump-

Are you guys seeing regressions in 26.1.x?  The upload portion of my speed tests has started stalling a lot to where the tests never start (Waveform Bufferbloat) or finish (Cloudflare speedtest).  In the case of the Bufferbloat test it stays stuck on "Warming up" for that portion of the test.

There were some ISP changes in my area recently as they upgraded their infrastructure.  I noticed that my latencies increased a little bit, and I need to redo the pipe widths.  But, I don't know if this had anything to do with the shaping instability.

I also found some posts online where others notice this behavior only with Firefox (?).  I don't have any Chrome based browsers at the moment to try but maybe I should install one and compare.

#8

Hardware and Performance / Re: Mono Gateway (an NXP-based...

Last post by nero355 - Today at 01:02:05 AM

And why suddenly use Offloading while it's always recommended to disable all of it for both OPNsense and pfSense ?!

Because it does not work reliably on generic AMD64 hardware and Intel/Broadcom/etc. network interfaces?

There is nothing wrong with offloading, only that the features supported by generic server hardware don't buy you much in the first place in terms of forwarding speed and sometimes plain don't work in FreeBSD as soon as pf, NAT and friends come into play.

So to avoid bugs just like I remember from a very long time ago :)

But who says this will always work correctly ?
Or not need "in-chip" fixing that can't be done via firmware updates ?

Tricky...

I really recommend Tomaž's videos for the hardware offloading deep dive. He's the expert on this, I'm not.

I like to avoid YouTube whenever I can when it comes to this kind of stuff : Reading about it is more my style :)

It has 4 Cortex A72 cores. But most packets never touch these cores.

Still old hardware then basically...

What you're probably thinking of is offloading basic packet processing like checksums to the NICs.

Gateway doesn't have NICs in the traditional sense. The PHYs connect directly to the SoC, which handles routing and other frame and packet processing (VLANs, NAT, PPP, ...) in dedicated hardware. This means routing at wire speed with essentially no CPU load, like on a switch. The CPU cycles are available for other stuff that can't be offloaded.

So it's like my old Router with MIPS SoC like I thought... Not a fan to be honest...

Can you at least mix both things without the need to disable any of the Offloading Features first ?

Or simply put don't have to deal with this kind of nonsense : https://old.reddit.com/r/Ubiquiti/comments/k5j2y4/why_would_i_enable_smart_queues_when_it_disables/

The 64 MB NOR flash is for U-Boot and a small recovery Linux. The main OS (originally OpenWrt, now OPNsense) is installed on the 32 GB eMMC.
The OPNsense image we've just made available uses GPT and ZFS, but Gateway currently doesn't use FreeBSD's UEFI kernel loader. Instead, U-Boot loads the kernel directly.

Keep in mind that this is ongoing development and things may and probably will change in the final production version.

So with that kind of setup the issue with the FreeBSD Bootloader needing an upgrade from time to time can be ignored, right ?



And now something that I wanted to ask you for some time now since we are talking about this kind of hardware anyway :

Are there any AARCH64 Mainboards out there that can run FreeBSD or simply OPNsense without any big issues ?

Since you are our AARCH64 Releases guy and all :)

#9

Hardware and Performance / Re: Mono Gateway (an NXP-based...

Last post by OPNenthu - Today at 12:57:15 AM

Cool, then I can stop avoiding them :)

#10

Hardware and Performance / Re: Mono Gateway (an NXP-based...

Last post by Maurice - Today at 12:36:10 AM

The SFP+ cage is there, but how much latency does the RJ45 transceiver add?

Essentially none (less than a microsecond?), that's just a PHY.