Nice to have... a lightweight OPNsense?

[fabianodelg]

I'm running the latest OPNsense on my APU4 with various optimisation (RSS and hardware offloading).

All in all I'm quite satisfied considering my current ISP speed (500 Mbit) and the 12 VLANs (I don't route traffic between them though).

I'm aware that the APU4 is not a super powerful but, with other Firewall OS (ie OpenWRT) it does route to gigabit between VLANs with zero effort and pretty much null CPU usage.

I've noticed that most of the time, processing hogging my APU4 with OPNsense are Python processes; I'm wondering if the graphical interface (and everything related to it) is actually stealing the most of the cpu power to route packets...

Hence my 'nice to have': what about having an OPNsense 'light' with minimal UI (and functionality) but pretty much focussed to packet routing, firewalling, VLANs, QoS etc? A sort of minimal distro...

what's your thoughts?

Thanks
F

[Monviech (Cedrik)]

So something like VyOS that doesn't have a GUI and does it all by command line?

[fabianodelg]

I think that would be a bit extreme (I mean it's already possible today if you chuck FreeBSD on a x86 appliance and do everything from there) and maybe will discourage many end users that prefer to have a more 'point and click' experience.

I was more thinking like an 'Home version' so with the UI still be the enabler for the final user but more simplified both in terms of capabilities offered and the technology used for the UI itself (the UI seems to be very heavy on the hardware - I believe Franco itself said in a post that the current UI is using a very old and inefficient backend, difficult to modify and update). Maybe re-write something from scratch, with modern technologies?
I know that Deciso is selling hardware for OPNsense (a bit expensive but on paper truly fantastic) but a 'lighter' version will definitely contribute to expand the OPNsense audience to those users that does not need all the enterprise capabilities and have reduced needs in terms of hardware (or better want to re-use their own hardware)? I would be of course happy to pay for such thing (or donate).

[franco]

Well... what is lightweight?

The only thing not lightweight about the default install OPNsense is that it comes with a lof of disabled services which may or may not need a lot of disk space... to make it "lighter" a lot of components could be removed from the default install, but is storage space an issue?

With that in mind what doesn't make it lightweight is deploying it for a certain use case.. it will use whatever the use case requires and the computing time with it.

The backend isn't great, but replacing it is difficult. It's been cleaned and slimmed a lot in the years past. The goal really is to make the backend only backend code not executed by the GUI.

And if someone thinks lightweight can be no GUI just API... you still need a (light) webserver like lighttpd for the API so you just end up deleting frontend pages and javascript. That's not really slimming it down significantly, because you still need all the software for the use case.



Cheers,
Franco

[franco]

One additional point which could be made... the software has gotten slower over the years.

So you still have that 10 year old hardware and it works well. The lightweight solution is to use the software from 10 years ago with it and it's instantly faster.


Cheers,
Franco

[fabianodelg]

Thanks Franco for your answer 

Thing is, my 10 years old APU (less than 10 watt at full load... what a joy for a 4 core SOC 1.4 GHz!) -that on paper should be perfectly fine- is spending lots of CPU time doing this (please note at this moment the UI is NOT loadad in my browser there just 1 Alexa playing the Radio..).

Those Python processes are taking lots of CPU time and they are completely unrelated to packet routing, firewall and whatnot 

It's absolutely not a matter of storage space, it's more that the CPU should be more busy managing the TCP/IP stack rather than the UI.

Hence my 'nice to have' of an home version, for poor people like me  that want to continue to use OPNsense and don't care too much of a nice shiny and wonderful Graphical interface (ie Luci on OpenWRT is absolutely SAD but its consuming next to nothing in terms of CPU and memory).

Is this just a dream? Or it's something that can become real, at some point?

Please note: I 'could' give up and use OpenWRT (or derivate)... I just DON'T want to, I like OPNsense and I'm a FreeBSD absolutely fanboy.


Thanks!


last pid: 50690;  load averages:  0.97,  0.91,  0.85                                                             up 1+16:55:09  14:54:02
46 processes:  2 running, 44 sleeping
CPU 0: 65.5% user,  0.0% nice,  6.7% system,  0.0% interrupt, 27.8% idle
CPU 1: 34.9% user,  0.0% nice, 12.9% system,  0.0% interrupt, 52.2% idle
CPU 2: 37.3% user,  0.0% nice, 12.9% system,  0.4% interrupt, 49.4% idle
CPU 3: 23.5% user,  0.0% nice,  4.7% system,  0.0% interrupt, 71.8% idle
Mem: 63M Active, 825M Inact, 609M Wired, 323M Buf, 2452M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
42491 root          1  78    0    55M    39M CPU3     3   0:02  93.15% python3.9
  241 root          1  52    0    92M    43M accept   3  12:38   4.57% python3.9
62843 root          1  21    0    58M    30M accept   2   0:09   3.39% php-cgi
18856 root          1  20    0    21M  8668K kqread   1   0:39   0.23% lighttpd
19417 root          1  21    0    55M    22M wait     3   0:00   0.17% php-cgi
24848 root          3  20    0    49M    13M kqread   1   2:15   0.13% syslog-ng
73776 unbound       4  20    0    83M    44M kqread   2   7:57   0.05% unbound
40640 root          1  20    0    23M    12M select   1   1:03   0.04% python3.9
93814 root          1  20    0    12M  2144K select   3   1:01   0.04% powerd
52464 root          1  20    0    23M    12M select   1   0:57   0.04% python3.9
79149 root          1  23    0    13M  2608K wait     3   1:52   0.02% sh
77681 root          1  20    0    21M  6580K select   3   0:31   0.02% ntpd
75624 root          1  20    0    13M  2604K bpf      2   1:14   0.00% filterlog
59050 root          1  52    0    58M    30M accept   3   0:07   0.00% php-cgi
32044 root          1  52    0    58M    30M accept   2   0:06   0.00% php-cgi

[franco]

Well but again the python version is not what it used to be all these years ago

Can you do a "top -a | head -n 25" to see a little better.


Thanks,
Franco

[fabianodelg]

Sure! Here it is:

root@OPNsense:~ # top -a | head -n 25
last pid: 72174;  load averages:  1.05,  1.02,  0.97  up 1+17:22:00    15:20:53
46 processes:  3 running, 43 sleeping
CPU:  4.3% user,  0.0% nice,  6.8% system,  1.6% interrupt, 87.3% idle
Mem: 66M Active, 826M Inact, 609M Wired, 323M Buf, 2450M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
16040 root          1  52    0    58M    30M accept   1   0:09   1.76% /usr/local/bin/php-cgi
99298 root          1  20    0    58M    30M select   3   0:03   0.59% /usr/local/bin/php-cgi
38828 root          1  20    0    58M    29M select   2   0:01   0.59% /usr/local/bin/php-cgi
  241 root          3  52    0    92M    43M accept   3  13:18   0.49% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py con
97243 root          1  20    0    58M    29M accept   2   0:05   0.49% /usr/local/bin/php-cgi
97389 root          1  52    0    58M    30M accept   0   0:09   0.29% /usr/local/bin/php-cgi
79149 root          1  52    0    13M  2608K wait     2   1:54   0.20% /bin/sh /var/db/rrd/updaterrd.sh
73776 unbound       4  20    0    83M    44M kqread   2   8:03   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
24848 root          3  20    0    49M    13M kqread   3   2:18   0.00% /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /va
75624 root          1  20    0    13M  2604K bpf      1   1:15   0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
40640 root          1  20    0    23M    12M select   0   1:03   0.00% /usr/local/bin/python3 /usr/local/sbin/configctl -e -t 0.5 system
93814 root          1  20    0    12M  2144K select   0   1:01   0.00% /usr/sbin/powerd -b hadp -a hadp -n hadp
52464 root          1  20    0    23M    12M select   2   0:58   0.00% /usr/local/bin/python3 /usr/local/opnsense/scripts/syslog/lockout
18856 root          1  20    0    21M  8668K kqread   2   0:41   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
77681 root          1  20    0    21M  6580K select   0   0:31   0.00% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
44223 root          1  52    0    58M    30M accept   2   0:06   0.00% /usr/local/bin/php-cgi
79030 root          1  20    0    12M  2124K piperd   2   0:05   0.00% daemon: /var/db/rrd/updaterrd.sh[79149] (daemon)
  235 root          1  52    0    24M    13M wait     1   0:04   0.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py (p