"Recent posts
#81
Hardware and Performance / Re: N150 / N355 good fits?
Last post by dirtyfreebooter - November 28, 2025, 04:09:43 AMi recently ran some tests with
Protectli VP2440 - N150 with X710 10g
Odroid H4 Ultra - N305 with X710-DA2 10g via m.2 to PCIe adaptor
Supermicro X13SCL-iF - Intel Xeon 6325p with X710-DA2
OPNsense Business 25.10_2
Zenarmor 2.2 with a good amount of the blocking categories selected. I wasn't going for scientific results, just casual observations.
All X710's had firmware upgrade to 9.55 from the 30.5.1 intel driver pack.
WAN/LAN are ixl0 and ixl1 ports. I've tested various tunables, etc and using iperf3 to generate traffic.
iperf server is a Supermicro X13SAE-F with i7-13700t and Mellanox ConnectX-5 and iperf client is Lenovo P3 Tiny with i5-13400t and Mellanox ConnectX-3. Both running Linux.
All 3 could route 10g without much fuss. 9.46 Gbps iperf in both directions WITHOUT Zenarmor of course.
With Zenarmor, I have tried both emulated and native, since the X710 has pretty decent native netmap driver support. Both throughput and CPU usage was nearly identical between the driver modes. Enabling RSS definitely helped, especially in the 6325p. So all the results here have RSS enabled.
the slower speeds, i didn't see much difference in upload vs download directions. On the 6325p, i did see a measurable and consistence difference. Enabling RSS on the 6325p increased throughput by almost a 1 Gbps.
i don't have a faster cpu than the Xeon 6325p, so i was not able to achieve 10g with Zenarmor. that being said, in all these cases, Zenarmor is using 100% of 1 cpu and the rest of the system is pretty much idle. if zenarmor had decent multi-core processing, a N150 would maybe do 10g, a N305/N355 almost certainly.
zenarmor is dumb with their company tho, imo, saying they don't want to do multi-core for home edition because businesses will but home edition and pay for that. like whatever.
i wish protectli had an N355 version. the vp2440 setup is pretty neat. fanless. the memory/m.2/x710 heatsink built into the bottom of the chassis works amazing. great idea, simple but effective. very nice machine for home. also would be neat to see 1U from them, but they have never done a rack mount before.
--
This is my attempt at fitting Odroid in Supermicro 1U chassis (had to physically remove the audio ports lol) -> https://forum.odroid.com/viewtopic.php?f=168&t=50558
Protectli VP2440 - N150 with X710 10g
Odroid H4 Ultra - N305 with X710-DA2 10g via m.2 to PCIe adaptor
Supermicro X13SCL-iF - Intel Xeon 6325p with X710-DA2
OPNsense Business 25.10_2
Zenarmor 2.2 with a good amount of the blocking categories selected. I wasn't going for scientific results, just casual observations.
All X710's had firmware upgrade to 9.55 from the 30.5.1 intel driver pack.
WAN/LAN are ixl0 and ixl1 ports. I've tested various tunables, etc and using iperf3 to generate traffic.
Code Select
iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900
iperf3 --client <server> --no-delay --omit 5 --parallel 8 --time 900 --reverseiperf server is a Supermicro X13SAE-F with i7-13700t and Mellanox ConnectX-5 and iperf client is Lenovo P3 Tiny with i5-13400t and Mellanox ConnectX-3. Both running Linux.
All 3 could route 10g without much fuss. 9.46 Gbps iperf in both directions WITHOUT Zenarmor of course.
With Zenarmor, I have tried both emulated and native, since the X710 has pretty decent native netmap driver support. Both throughput and CPU usage was nearly identical between the driver modes. Enabling RSS definitely helped, especially in the 6325p. So all the results here have RSS enabled.
Code Select
N150 - Max throughput with Zenarmor - 3.1 Gbps
N305 - Max throughput with Zenarmor - 3.4 Gbps
6325p - Max throughput with Zenarmor - 8 Gbps upload, 6.8 Gbps downloadthe slower speeds, i didn't see much difference in upload vs download directions. On the 6325p, i did see a measurable and consistence difference. Enabling RSS on the 6325p increased throughput by almost a 1 Gbps.
i don't have a faster cpu than the Xeon 6325p, so i was not able to achieve 10g with Zenarmor. that being said, in all these cases, Zenarmor is using 100% of 1 cpu and the rest of the system is pretty much idle. if zenarmor had decent multi-core processing, a N150 would maybe do 10g, a N305/N355 almost certainly.
zenarmor is dumb with their company tho, imo, saying they don't want to do multi-core for home edition because businesses will but home edition and pay for that. like whatever.
i wish protectli had an N355 version. the vp2440 setup is pretty neat. fanless. the memory/m.2/x710 heatsink built into the bottom of the chassis works amazing. great idea, simple but effective. very nice machine for home. also would be neat to see 1U from them, but they have never done a rack mount before.
--
This is my attempt at fitting Odroid in Supermicro 1U chassis (had to physically remove the audio ports lol) -> https://forum.odroid.com/viewtopic.php?f=168&t=50558
#82
25.7, 25.10 Series / Re: Unable to boot after updat...
Last post by HourWithHobbit - November 28, 2025, 02:11:10 AMYeah, I should have looked more into the update before jumping in and updating.
I am running this in hardware but do not have the plug in mentioned installed. Instead, I needed to completely remove the WAN interface and reconfigure. After that, internet returned.
I work in IT I know I should have looked into issues! Oops. Thankfully its my home lab!
I am running this in hardware but do not have the plug in mentioned installed. Instead, I needed to completely remove the WAN interface and reconfigure. After that, internet returned.
I work in IT I know I should have looked into issues! Oops. Thankfully its my home lab!
#83
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by meyergru - November 28, 2025, 01:05:14 AMNein, Patrick, das müsstest Du doch wissen!
https://www.rfc-editor.org/rfc/rfc2606.html
https://www.rfc-editor.org/rfc/rfc6761.html
;-)
Wir wissen ja nur zu gut, dass manche Leute alles wörtlich nehmen - und andere eben nicht... die Kunst ist zu unterscheiden, wann etwas wörtlich zu nehmen ist und wann nicht. Aber um das zu wissen, muss man leider schon Experte sein - ein wichtiger Aspekt des Dunning-Kruger-Effekts.
https://www.rfc-editor.org/rfc/rfc2606.html
https://www.rfc-editor.org/rfc/rfc6761.html
;-)
Wir wissen ja nur zu gut, dass manche Leute alles wörtlich nehmen - und andere eben nicht... die Kunst ist zu unterscheiden, wann etwas wörtlich zu nehmen ist und wann nicht. Aber um das zu wissen, muss man leider schon Experte sein - ein wichtiger Aspekt des Dunning-Kruger-Effekts.
#84
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by bamf - November 28, 2025, 12:59:46 AMDas schon. Aber auch in einem Platzhalter sollte man doch Beispiele verwenden, die sich zumindest an gängigen Standards orientieren. meinedomain.internal oder meinedomain.home.arpa wären da als Platzhalter besser geeignet, finde ich 😉
#85
General Discussion / Re: new setup cannot reach lin...
Last post by meyergru - November 28, 2025, 12:55:08 AMThe CPU should not be of concern, at least on bare metal, it is way faster than you need.
You say you use a modem. What connection type is that? DSL over PPPoE? Could it be that the MTU is sub-optimal for your ISP?
If the packets must be re-fragmented, you could experience lesser speeds. Did you try to lower MTU sizes on both LAN and WAN?
The "usual" approach would be to limit the MTU size to a value that does keep OpnSense from refragmenting via MSS clamping. And BTW: OpnSense is not very good at determining the correct size automatically.
Sometimes, ISPs allow for "mini jumbo frames", this is all explained here: https://forum.opnsense.org/index.php?topic=45658.0
Note, however, that this is for non-VM installations. With a VM, you would have to enlarge the MTU on the physical WAN device and the bridge for this to work, too - but I never actually tried that.
You say you use a modem. What connection type is that? DSL over PPPoE? Could it be that the MTU is sub-optimal for your ISP?
If the packets must be re-fragmented, you could experience lesser speeds. Did you try to lower MTU sizes on both LAN and WAN?
The "usual" approach would be to limit the MTU size to a value that does keep OpnSense from refragmenting via MSS clamping. And BTW: OpnSense is not very good at determining the correct size automatically.
Sometimes, ISPs allow for "mini jumbo frames", this is all explained here: https://forum.opnsense.org/index.php?topic=45658.0
Note, however, that this is for non-VM installations. With a VM, you would have to enlarge the MTU on the physical WAN device and the bridge for this to work, too - but I never actually tried that.
#86
General Discussion / Re: new setup cannot reach lin...
Last post by muusemuuse - November 28, 2025, 12:21:09 AMI can't do passthru on this board because I'm cheap and it sucks. But I did try booting into a live instance of opnsense. It was better but still nowhere near line level.
#87
Hardware and Performance / Re: Network behind a double NA...
Last post by Maurice - November 28, 2025, 12:04:37 AMQuote from: Patrick M. Hausen on November 27, 2025, 10:17:47 PMWiFi client mode is very actively being worked on so people can run current laptops with FreeBSD as their day to day OS.
Thanks for the clarification. Though it's debatable whether newly introducing limited support for 802.11ac in 2025 counts as "very actively". ;-) That's more than a decade behind Linux.
But since client mode is what @kernew wants (WAN via WiFi), this might actually be reasonable (when using a supported Intel WiFi module and being okay with good old 802.11ac + WPA2).
#88
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by Patrick M. Hausen - November 27, 2025, 11:49:21 PMQuote from: JeGr on November 27, 2025, 10:26:03 PMQuote from: Patrick M. Hausen on November 18, 2025, 03:55:37 PMWas ist denn die eingestellte Domain der OPNsense? Da solltest du nicht .local benutzen sondern z.B. meinedomain.lan oder so etwas. Unter dieser Domain werden die Hostnamen Test1 und Test2 dann ins DNS eingetragen.
Patrick, sag doch sowas nicht, das bleibt ewig online ;) und dann heißt es wieder "das hat aber jemand gesagt ich soll das so machen". Bitte nicht irgendwelche ausgedachten TLDs für internen Betrieb nehmen.
Du meinst, es ist nicht offensichtlich, dass "meinedomain.lan" ein Platzhalter ist? 🤯
#89
25.7, 25.10 Series / Re: Unable to boot after updat...
Last post by meyergru - November 27, 2025, 11:00:08 PMDo not look any further...
Let me guess: UFS install, 25.7.x installed, not having read or followed the advice here: https://forum.opnsense.org/index.php?topic=42985.0, point 23, or more specifically: https://forum.opnsense.org/index.php?topic=48343.msg244891#msg244891
The microcode updates by themselves do no harm, but rather help. There are known instabilities with newer FreeBSD kernels with certain Intel generations (i.e. Alder Lake, Twin Lake and Nxxx).
The problems turn up mostly on UFS installs. They can be avoided by certain tuneables that are explained in the postings above.
And this thread was about a VM install where microcode updates have been applied inside the VM - which is wrong and will probably not work (or cause problems). All of this is mentioned in the READ ME FIRST post as well.
Let me guess: UFS install, 25.7.x installed, not having read or followed the advice here: https://forum.opnsense.org/index.php?topic=42985.0, point 23, or more specifically: https://forum.opnsense.org/index.php?topic=48343.msg244891#msg244891
The microcode updates by themselves do no harm, but rather help. There are known instabilities with newer FreeBSD kernels with certain Intel generations (i.e. Alder Lake, Twin Lake and Nxxx).
The problems turn up mostly on UFS installs. They can be avoided by certain tuneables that are explained in the postings above.
And this thread was about a VM install where microcode updates have been applied inside the VM - which is wrong and will probably not work (or cause problems). All of this is mentioned in the READ ME FIRST post as well.
#90
25.7, 25.10 Series / Re: Unable to boot after updat...
Last post by kweetwel - November 27, 2025, 10:45:12 PMI have the same issue on a Qotom box Q1076GE. On bare metal, so no VM's.
Uninstalling the 'os-cpu-microcode-intel' plugin fixed it. Thanks for the suggestion @AnnaRenee87!
Now searching for logs to see why it failed with the plugin installed... hmmm...
Uninstalling the 'os-cpu-microcode-intel' plugin fixed it. Thanks for the suggestion @AnnaRenee87!
Now searching for logs to see why it failed with the plugin installed... hmmm...
