OPNsense System Tunables Configuration

[yeraycito]

https://github.com/nightcomdev/opnsense/tree/main/tunables

[pfry]

It's an interesting reference, but you're going to get a number of "unknown OID" errors if you use them indiscriminately (e.g. net.inet.tcp.recvbuf_inc). Probably a good idea to check them before use. Also, defaults (seem to) change often.

[falken]

Some of those setting violate certain RFCs, and others could break intended behavior or make performance worse depending on circumstances.  I would make sure to only adjust what you know will bring your environment value.

[Seimus]

Tuning for the sake of tuning is never a great idea.

Tunables should be touched only in case to fix some particular problem or to achieve some specific goal.

Regards,
S.

[falken]

Tuning for the sake of tuning is never a great idea.

Tunables should be touched only in case to fix some particular problem or to achieve some specific goal.

Regards,
S.

This. I only adjusted a few settings, with a specific reason. I get full theoretical LAN and routing speed after TCP/IP overhead, and with a 2G symmetrical WAN link. Trying to optimize further would just invite problems with no additional gain.

[opnessense]

Thanks all for the feedback.

My box is an N5105 with 16 GB RAM and 4× i226‑V, and at the moment I don't have any real issues: CPU is around 7–10%, RAM ~37%, temps ~24 °C and I'm getting full line speed.

Initially I was looking at nightcomdev's tunables more as a reference to better understand what each sysctl does, not to blindly copy the whole list. Based on that, I decided to only test a very small, hardware‑oriented subset for the i226‑V NICs:

hw.pci.enable_aspm=0
dev.igc.0.eee_control=0
dev.igc.1.eee_control=0
dev.igc.2.eee_control=0
dev.igc.3.eee_control=0

dev.igc.0.fc=0
dev.igc.1.fc=0
dev.igc.2.fc=0
dev.igc.3.fc=0
net.inet.tcp.tso=0

The idea was just to harden NIC behaviour and avoid known i226 quirks (ASPM/EEE/flow control/TSO), without touching RFC compliance or radically changing the TCP/IP stack. However, as soon as I applied these tunables my LAN links started flapping (interfaces going up and down repeatedly) and I had to hard‑reset the firewall. After removing those tunables and rebooting, everything went back to normal and the system is stable again.

Given that my setup was already working fine and the extra tunables clearly caused instability on my specific hardware/switch combination, I've decided to stick with the standard OPNsense/FreeBSD settings and not apply additional i226 tunables or firmware updates unless I run into a clear, reproducible problem that actually requires them.

So for now I'll leave any further tuning aside and stick with "if it isn't broken, don't fix it". Thanks again for the cautions and explanations.