Topic: OPNsense 24.7.8 Update Causing GUI and SSH to Become Unresponsive – Need Help! (Read 203 times)
jetlagalex (Newbie, Posts: 2, Karma: 0), on: November 17, 2024, 10:26:42 pm
First of all, I’m very new to OPNsense. Everything was working fine until I updated to OPNsense 24.7.8. Since then, I’ve encountered some issues:
• The GUI (igc1) and SSH stop responding.
• The system becomes unresponsive to pings.
Interestingly, the bridge (ixl0/ixl1) remains fully operational, and my entire network functions as expected, with no impact on throughput or latency.
To temporarily regain access, I’ve resorted to hard restarts by unplugging the appliance and plugging it back in. This restores access to the GUI and SSH. As a band-aid solution, I’ve set up a CRON job to reboot the system regularly. However, the issue persists after a few hours, requiring further intervention. Sometimes, the GUI won’t load even after a manual reboot unless I SSH in and reload all services (Option 11). This resolves the issue for a short time.
I’m running OPNsense in Transparent Filtering Bridge Mode. I understand that some of my choices might seem unconventional, but I’m eager to learn and welcome constructive criticism. Networking is a hobby for me, and my setup is part of a Ubiquiti/UniFi home network. OPNsense sits between my UDM Pro SE and the first distribution switch (aggregation switch).
I followed this guide to set up the bridge:
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense
That said, my setup has some variations due to specific requirements:
• **DHCP**: Disabled on both the WAN interface (ixl0) and the Bridge interface to prevent conflicts with the UDM and the rest of the network.
Here are the relevant system details and settings:
System Information:
• **OPNsense Version**: 24.7.8
• **FreeBSD Version**: 14.1-RELEASE-p6
• **OpenSSL Version**: 3.0.15
• **CrowdSec**: 1.0.8\_1
• **Zenarmor**: 1.18.2
• **Hardware**: MinisForum MS-01, Intel i5-12600H, 32 GB RAM
• 10Gbps SFP+ LAN × 2 (Intel x710)
• 2.5Gbps RJ45 LAN × 2 (Intel i225-V, Intel i226-LM)
Interface Assignments:
• **\[WAN\]** ixl0 - DHCP disabled, Promiscuous Mode enabled
• **\[LAN\]** igc1 - DHCP enabled, IP from UDM Pro SE
• **\[OPT1\]** ixl1 - DHCP disabled, Promiscuous Mode enabled
• **\[OPT2\]** igc0 - Not in use
• **\[Bridge\]** ixl0 + ixl1 - DHCP disabled
Settings:
• **IDS/IPS**: Enabled on WAN (ixl0) in Promiscuous Mode
• **CrowdSec**: Enabled on OPT1 (ixl1)
• **Zenarmor**: Enabled on OPT1 (ixl1)
Administration Settings:
• Protocol: HTTPS
• HTTP Strict Transport Security: Enabled
• DNS Rebind Check: Disabled
• HTTP\_REFERER enforcement: Disabled
Firewall Rules:
All interfaces are set to PASS:
• Protocol: IPv4+6
• Source/Destination: \*
• Ports/Gateway/Schedule: \*
Tunables (all entered via GUI):
```
# Enable fast forwarding to speed up IP forwarding
net.inet.ip.fastforwarding=1

# Maximize ISR threads and bind them to CPU cores for improved network performance
net.isr.maxthreads=-1
net.isr.bindthreads=1

# Set ISR dispatching to deferred to offload processing
net.isr.dispatch=deferred

# Enable and configure Receive Side Scaling (RSS) for network load distribution
net.inet.rss.enabled=1
net.inet.rss.bits=3

# Use optimized version of soreceive() for better socket performance
net.inet.tcp.soreceive_stream=1

# Network Interface Settings
# Disable Energy Efficient Ethernet (EEE) for Intel ixl and igc interfaces
dev.ixl.0.eee.enable=0
dev.ixl.1.eee.enable=0
hw.igc.eee_setting=0
dev.igc.0.eee_control=0
dev.igc.1.eee_control=0

# Disable Flow Control for Intel ixl and igc interfaces
hw.ixl.flow_control=0
dev.ixl.0.fc=0
dev.ixl.1.fc=0
dev.igc.0.fc=0
dev.igc.1.fc=0

# Socket Buffer Configuration
# Increase maximum socket buffer size for long fat networks (LFNs)
kern.ipc.maxsockbuf=16777216

# Increase TCP send/receive space for performance
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536

# Increase TCP buffer limits for high-throughput networks
net.inet.tcp.recvbuf_max=4194304
net.inet.tcp.sendbuf_max=4194304
net.inet.tcp.sendbuf_inc=65536

# PF Firewall Performance Optimization
# Increase PF source node hash size for large environments
net.pf.source_nodes_hashsize=1048576

# TCP Optimizations
# Set the default maximum segment size (MSS) for dual-stack networks
net.inet.tcp.mssdflt=1440

# Adjust the ABC congestion control parameter to 45 segments
net.inet.tcp.abc_l_var=45

# Set the minimum TCP segment size
net.inet.tcp.minmss=536

# Fortuna PRNG Optimization
# Increase the minimum pool size for Fortuna random number generator
kern.random.fortuna.minpoolsize=128

# Network ISR Queue Optimization
# Increase the default ISR queue limit for high packet throughput
net.isr.defaultqlimit=2048

# Queue Settings for NICs
# Set the number of queues for Intel ixl and igc interfaces
hw.ixl.num_queues=12
hw.igc.num_queues=4

# Enable MSI-X interrupts for ixl and igc NICs
hw.ixl.enable_msix=1
hw.igc.enable_msix=1

# Interrupt rate tuning for ixl and igc NICs
hw.ixl.tx_itr=128
hw.ixl.rx_itr=128
hw.igc.tx_itr=128
hw.igc.rx_itr=128

# Increase maximum interrupt rate for ixl and igc NICs
hw.ixl.max_interrupt_rate=16000
hw.igc.max_interrupt_rate=16000

# Disable RX/TX process limits for igc NICs
hw.igc.rx_process_limit=-1
hw.igc.tx_process_limit=-1

# Interrupt Storm Threshold
# Set interrupt storm threshold for high-throughput NICs
hw.intr_storm_threshold=9000

# Override RX and TX queue settings for Intel ixl and igc interfaces
dev.ixl.0.iflib.override_qs_enable=1
dev.ixl.1.iflib.override_qs_enable=1
dev.ixl.0.iflib.override_nrxqs=6
dev.ixl.0.iflib.override_ntxqs=6
dev.ixl.1.iflib.override_nrxqs=6
dev.ixl.1.iflib.override_ntxqs=6
dev.igc.0.iflib.override_nrxqs=4
dev.igc.0.iflib.override_ntxqs=4
dev.igc.1.iflib.override_nrxqs=4
dev.igc.1.iflib.override_ntxqs=4

# Descriptor Settings for NICs
# Override RX and TX descriptor settings for ixl and igc NICs
dev.ixl.0.iflib.override_nrxds=4096
dev.ixl.0.iflib.override_ntxds=4096
dev.ixl.1.iflib.override_nrxds=4096
dev.ixl.1.iflib.override_ntxds=4096
dev.igc.0.iflib.override_nrxds=1024
dev.igc.0.iflib.override_ntxds=1024
dev.igc.1.iflib.override_nrxds=1024
dev.igc.1.iflib.override_ntxds=1024

# Set RX budget for NICs to maximum for improved performance
dev.ixl.0.iflib.rx_budget=65535
dev.ixl.1.iflib.rx_budget=65535
dev.igc.0.iflib.rx_budget=65535
dev.igc.1.iflib.rx_budget=65535

# Increase the maximum send queue length for interfaces
net.link.ifqmaxlen=8192

# TCP Performance Tweaks
# Increase the TCP initial congestion window to 45 segments for better throughput
net.inet.tcp.initcwnd_segments=45

# Disable Hyper-Threading for security and performance
machdep.hyperthreading_allowed=0

# Disable TCP host cache for performance improvements
net.inet.tcp.hostcache.enable=0
net.inet.tcp.hostcache.cachelimit=0

# Syncache Hash Table and Bucket Limit
# Increase TCP syncache hash size and bucket limit for performance under heavy loads
net.inet.tcp.syncache.hashsize=1024
net.inet.tcp.syncache.bucketlimit=100

# TCP Congestion Control
# Enable TCP Alternative Backoff with ECN to reduce congestion window by 20% on ECN events
net.inet.tcp.cc.abe=1

# Enable Explicit Congestion Notification (ECN) for congestion management
net.inet.tcp.ecn.enable=2

# Enable TCP Selective Acknowledgement (SACK) for better loss recovery
net.inet.tcp.sack.enable=1

# Security and Performance Enhancements
# Disable TCP syncookies for performance, but at the cost of reduced SYN flood protection
net.inet.tcp.syncookies=0

# Increase the ISN reseed interval for enhanced TCP security
net.inet.tcp.isn_reseed_interval=4500

# Disable TCP Segmentation Offload (TSO) for better performance in router/NAT environments
net.inet.tcp.tso=0

# Harvest Mask Settings
# Set the random harvest mask for performance tuning on high packet throughput systems
kern.random.harvest.mask=33119
```
I’m looking for insights or suggestions to resolve this issue. I’d greatly appreciate any advice, whether it’s troubleshooting tips or ways to optimize my setup. Again, everything was working perfectly until I updated to OPNsense 24.7.8.
Thank you for taking the time to read and help out!
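
A check that can be run against a tunables list like the one posted above, as an added example that is not part of the original post or of OPNsense's own tooling: it parses the `name=value` list, reports duplicate or malformed lines, and compares each entry with `sysctl -a` output to show which settings are missing or hold a different value on the running system. The sample inputs, the hypothetical `hw.example.not_present` name and the function names are constructed for illustration.

```python
import sys

# Constructed sample in the posted format (# comments plus name=value).
SAMPLE_TUNABLES = """\
# Disable TCP syncookies
net.inet.tcp.syncookies=0
hw.example.not_present=1
dev.igc.1.fc=0
dev.igc.1.fc=3
this line is malformed
"""
# Constructed stand-in for `sysctl -a` output ("name: value" per line).
SAMPLE_LIVE = "net.inet.tcp.syncookies: 0\ndev.igc.1.fc: 0\nkern.hostname: fw.example\n"

def parse_tunables(text):
    """Return ({name: value}, problems); for a duplicate the last value wins."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not name or " " in name:
            problems.append((lineno, "malformed", line))
            continue
        if name in settings:
            problems.append((lineno, "duplicate", name))
        settings[name] = value
    return settings, problems

def parse_live(text):
    """Parse `sysctl -a` style output ("name: value") into {name: value}."""
    pairs = (line.partition(": ") for line in text.splitlines())
    return {n: v.strip() for n, sep, v in pairs if sep and n and " " not in n}

def compare(settings, live):
    """Mark each configured tunable ok, mismatch, or missing on the live system."""
    return {name: "missing" if name not in live
            else "ok" if live[name] == want else "mismatch"
            for name, want in settings.items()}

if __name__ == "__main__":
    # Real use: sysctl -a | python3 check.py tunables.txt (no args: samples).
    args = sys.argv[1:]
    wanted, problems = parse_tunables(open(args[0]).read() if args else SAMPLE_TUNABLES)
    print(problems, compare(wanted, parse_live(sys.stdin.read() if args else SAMPLE_LIVE)))
```

A `missing` result means the running kernel exposes no sysctl of that name; a `mismatch` means the configured value is not the one in effect.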
meyergru (Hero Member, Posts: 1687, Karma: 165, IT Aficionado), Reply #1 on: November 17, 2024, 10:56:22 pm
Did you disable ASPM in the BIOS for your NICs? See this.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
jetlagalex (Newbie, Posts: 2, Karma: 0), Reply #2 on: November 18, 2024, 02:23:48 am
I’m gonna take a look in a few days when I get back home. Thanks for the tip. I’ll update here with results.