[solved] I switched to OPNsense from pfSense, share my thoughts and observations

Started by bsdfans, October 14, 2023, 12:32:44 PM

Advantages:

    OPNsense follows the operating system's kernel and software package model, making it easy to expand and install additional software.
    It allows for Wi-Fi configuration through the web user interface (WEBUI).
    OPNsense supports bridging functionality.
    Configuring IPv6 is straightforward and user-friendly.
    When binding static IPs in DHCP, you can conveniently select IPs from the DHCP pool, eliminating the need to find IPs outside the pool.
    The overall user interface and user experience in OPNsense are better compared to pfSense.
    Netdata can be easily installed and configured through the web interface, and it maintains the latest version, making it a great tool. Installing FreeBSD software on pfSense can be complex and may introduce other issues, not to mention kernel compilation.
    The backup functionality in OPNsense is highly practical and flexible.
    OPNsense's software repositories have global mirrors, resulting in fast software installation and updates.

Drawbacks:

    The DHCP daemon in OPNsense listens on "*", which is not necessary; it should only listen on the LAN interface.
    The unit for "reporting-traffic" is in bits per second (bit ps), whereas "health-traffic" uses bytes per second (Byte ps). It is recommended to use bit ps consistently.
    Enabling the "Enable HTTPD" option for Monit in OPNsense prevents the 2812 port's web interface from opening.
    Gateway IP monitoring in OPNsense does not display round-trip time (rtt) and loss in widgets and "System: Gateways: Single." This may be a bug.
    The "os-netdata" package information displays version 1.2, while the installed version is the latest, 1.4. However, this is not critical.
    OPNsense does not offer a "home/lab" edition, but the community version appears to be sufficient. Is the business edition based on FreeBSD 14?
    There is no built-in support for bandwidthd or pmacct, which would allow monitoring traffic for each internal IP. Ntop requires a paid subscription.

Final Question:

I mentioned that CPU usage increases significantly every 60 seconds. I'm not sure what's causing this issue and want to know how to identify and disable the corresponding service or process. The process is "python." How can I solve the problem?

Thanks!

Quote from: bsdfans on October 14, 2023, 12:32:44 PM
    OPNsense follows the operating system's kernel and software package model, making it easy to expand and install additional software.

You should refrain from that because enabling FreeBSD repositories can lead to unexpected results. Currently, you might inadvertently install a newer version of pkg which may break things.

Quote
    It allows for Wi-Fi configuration through the web user interface (WEBUI).

While it may do that, FreeBSD in itself does not offer great functionality for WiFi APs, you should use a specialized appliance for that.

Quote
    OPNsense supports bridging functionality.

It does, but this puts load on the CPU, so YMMV.

Quote
    OPNsense does not offer a "home/lab" edition, but the community version appears to be sufficient. Is the business edition based on FreeBSD 14?

No, the business edition is slightly behind the community edition, so it tends to have a lower FreeBSD origin.

Quote
Final Question:

I mentioned that CPU usage increases significantly every 60 seconds. I'm not sure what's causing this issue and want to know how to identify and disable the corresponding service or process. The process is "python." How can I solve the problem?

You can use the CLI to look at what script is actually called via 'ps auxwww', because python is an interpreter that is used for multiple things.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
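One way to act on the 'ps auxwww' advice above, as an added example that is not from any post in this thread: a small POSIX shell helper that takes ps output in the same column layout as FreeBSD's `ps auxwww`, pulls out the script each python interpreter was started with, and ranks the scripts by %CPU so the interpreter name alone no longer hides which OPNsense script is busy. The sample ps lines are constructed for illustration (modelled on the layout of the line bsdfans later posted; the PIDs and numbers are invented).

```shell
# Added example (not from the thread). On the firewall, run:
#   ps auxwww | cpu_per_script
# The sample_ps function below only feeds constructed ps-style lines.

# Print "%CPU SCRIPT" for every python process, highest %CPU first.
# ps auxwww columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND...
# so $11 is the interpreter path and $12 the script passed to it.
top_python_scripts() {
    awk '$11 ~ /python[0-9.]*$/ { printf "%s %s\n", $3, $12 }' | sort -rn
}

# Sum %CPU per script, so repeated invocations of the same script add up.
cpu_per_script() {
    top_python_scripts \
        | awk '{ t[$2] += $1 } END { for (s in t) printf "%.1f %s\n", t[s], s }' \
        | sort -rn
}

# Constructed sample input in ps auxwww layout (values invented).
sample_ps() {
    cat <<'EOF'
USER    PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root  52551 55.1  2.2 122172 89776  -  R    21:28   0:02.89 /usr/local/bin/python3 /usr/local/opnsense/scripts/filter/update_tables.py (python3.9)
root  52560 12.0  1.1  80000 40000  -  S    21:28   0:00.40 /usr/local/bin/python3 /usr/local/opnsense/scripts/system/rrd_pfstate_info.py (python3.9)
root    911  0.0  0.5  30000 12000  -  Ss   20:01   0:01.00 /usr/local/sbin/dhcpd -user dhcpd -group dhcpd
root  52570  3.5  1.1  80000 40000  -  S    21:29   0:00.10 /usr/local/bin/python3 /usr/local/opnsense/scripts/system/rrd_pfstate_info.py (python3.9)
EOF
}

# The single heaviest script in the sample: "55.1 /usr/local/opnsense/scripts/filter/update_tables.py"
top_script() {
    sample_ps | cpu_per_script | head -n 1
}
```

Because the CPU spike recurs every 60 seconds, run the pipeline a few times a few seconds apart (or wrap it in a short loop) to catch the script while it is active.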

Quote from: bsdfans on October 14, 2023, 12:32:44 PM
    When binding static IPs in DHCP, you can conveniently select IPs from the DHCP pool, eliminating the need to find IPs outside the pool.

Don't do this.  You'll end up with address conflicts.  Static IPs should be set outside of the pool.


root    52551  55.1  2.2 122172  89776  -  R    21:28      0:02.89 /usr/local/bin/python3 /usr/local/opnsense/scripts/filter/update_tables.py (python3.9)
/usr/local/opnsense/scripts/system/rrd_pfstate_info.py

How can I solve the problem?
I just simply disabled the update_tables.py and rrd_pfstate_info.py scripts, and it seems fine.
I guess the rrd (report) module will be broken, but I'm not sure about the impact of disabling the update_tables.py script.


Slow hardware? The RRD subsystem hardly ever gets complaints of excessive CPU, certainly not after rewriting the pfstate fetch using rrd_pfstate_info.py.

And how big are your alias sets?

BTW:

> The DHCP daemon in OPNsense listens on "*", which is not necessary; it should only listen on the LAN interface.

You do realise that's the same for pfSense and that DHCP works with broadcast traffic so it cannot bind to a single interface IP? It actually does listen to the configured LAN interface, but I think it discards the traffic from non-matching interfaces. That's also why only one process for DHCP exists... again same for everyone else.


Cheers,
Franco

Yes, slow hardware.
About 10 aliases.
After I chmod 000 rrd_pfstate_info.py and update_tables.py, everything runs fine.

For the DHCP question, I'm clear, thanks for your information.

> After I chmod 000 rrd_pfstate_info.py and update_tables.py,everything run fine.

I'd recommend to disable RRD completely as the workaround will be removed on the next update. Uncheck Reporting: Settings: "Enables the RRD graphing backend".

As for aliases if you don't want it you can't really use it (on slow hardware).


Cheers,
Franco