OPNsense System Tunables Configuration

Started by yeraycito, March 14, 2026, 06:24:14 PM

It's an interesting reference, but you're going to get a number of "unknown OID" errors if you use them indiscriminately (e.g. net.inet.tcp.recvbuf_inc). Probably a good idea to check them before use. Also, defaults (seem to) change often.
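
The pre-check suggested in the post above, as an added example that is not part of the thread or of the referenced repository: it reads a candidate list of `oid=value` lines and uses `sysctl -n` on the running system to report which OIDs are unknown and which values would actually change. The list format, the function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dry-run a tunables list against the running kernel before applying it.
# Assumed input format: one "oid=value" per line on stdin, '#' starts a comment.

# Constructed sample: two entries quoted in this thread plus the OID reported as unknown.
sample_list() {
    cat <<'EOF'
hw.pci.enable_aspm=0
net.inet.tcp.tso=0
net.inet.tcp.recvbuf_inc=16384   # placeholder value
EOF
}

# check_tunables < LIST
# Prints SAME / CHANGE / UNKNOWN / MALFORMED per entry and changes nothing.
# Returns 1 if any entry is unknown or malformed, else 0.
check_tunables() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')    # drop blanks and CR
        [ -n "$line" ] || continue
        case $line in
            ?*=*) oid=${line%%=*}; want=${line#*=} ;;
            *)    echo "MALFORMED $line"; rc=1; continue ;;
        esac
        # sysctl -n exits non-zero when the OID does not exist on this system
        if cur=$(sysctl -n "$oid" 2>/dev/null); then
            if [ "$cur" = "$want" ]; then
                echo "SAME    $oid=$cur"
            else
                echo "CHANGE  $oid: $cur -> $want"
            fi
        else
            echo "UNKNOWN $oid"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the firewall: ./check_tunables.sh candidate.list
if [ -n "${1:-}" ]; then check_tunables < "$1"; fi
```

An `UNKNOWN` result can also mean that the driver providing the OID is not loaded, or that the entry is a boot-time loader tunable with no sysctl node.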

Some of those settings violate certain RFCs, and others could break intended behavior or make performance worse depending on circumstances. I would make sure to only adjust what you know will bring your environment value.

Tuning for the sake of tuning is never a great idea.

Tunables should be touched only to fix some particular problem or to achieve some specific goal.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
N355 - i226-V | AQC113C | 16G | 500G - PROD

PRXMX
N5105 - i226-V | 2x8G | 512G - NODE #1
N100 - i226-V | 16G | 1T - NODE #2

Quote from: Seimus on March 15, 2026, 01:25:00 AM
Tuning for the sake of tuning is never a great idea.

Tunables should be touched only to fix some particular problem or to achieve some specific goal.

Regards,
S.

This. I only adjusted a few settings, with a specific reason. I get full theoretical LAN and routing speed after TCP/IP overhead, and with a 2G symmetrical WAN link. Trying to optimize further would just invite problems with no additional gain.

March 15, 2026, 06:46:58 AM #5 Last Edit: March 15, 2026, 07:43:47 AM by opnessense
Thanks all for the feedback.

My box is an N5105 with 16 GB RAM and 4× i226‑V, and at the moment I don't have any real issues: CPU is around 7–10%, RAM ~37%, temps ~24 °C and I'm getting full line speed.

Initially I was looking at nightcomdev's tunables more as a reference to better understand what each sysctl does, not to blindly copy the whole list. Based on that, I decided to only test a very small, hardware‑oriented subset for the i226‑V NICs:

hw.pci.enable_aspm=0
dev.igc.0.eee_control=0
dev.igc.1.eee_control=0
dev.igc.2.eee_control=0
dev.igc.3.eee_control=0

dev.igc.0.fc=0
dev.igc.1.fc=0
dev.igc.2.fc=0
dev.igc.3.fc=0
net.inet.tcp.tso=0

The idea was just to harden NIC behaviour and avoid known i226 quirks (ASPM/EEE/flow control/TSO), without touching RFC compliance or radically changing the TCP/IP stack. However, as soon as I applied these tunables my LAN links started flapping (interfaces going up and down repeatedly) and I had to hard‑reset the firewall. After removing those tunables and rebooting, everything went back to normal and the system is stable again.

Given that my setup was already working fine and the extra tunables clearly caused instability on my specific hardware/switch combination, I've decided to stick with the standard OPNsense/FreeBSD settings and not apply additional i226 tunables or firmware updates unless I run into a clear, reproducible problem that actually requires them.

So for now I'll leave any further tuning aside and stick with "if it isn't broken, don't fix it". Thanks again for the cautions and explanations.

Today at 01:46:18 PM #6 Last Edit: Today at 02:04:22 PM by nightcom
Hello everyone,

I'm the author of the repository, and thank you for noticing my work. The purpose of this repository is to describe all functions in tunables, with examples based on my hardware and network setup. Like I wrote in the repository, you can't copy-paste all settings since they are tuned for my needs, hardware, ISP and network setup.

@opnessense port flapping is a well-known issue with i226 Ethernet cards and ASPM. Mostly affected are firmware v2.13, v2.14 and v2.17, with a partial fix released in v2.22 but still some issues with ASPM. The full fix was released in firmware 2.32/2.34; in my case I upgraded the firmware of my i226-V to v2.34 v2.32 and I don't have any issues with the settings I provided in the repository.

Edit:
Topic related to firmware upgrade of i226 cards is here on Opnsense forum
https://forum.opnsense.org/index.php?topic=48695.0


Thanks,
nightcom

Quote from: nightcom on Today at 01:46:18 PM
Hello everyone,

I'm the author of the repository, and thank you for noticing my work. The purpose of this repository is to describe all functions in tunables, with examples based on my hardware and network setup. Like I wrote in the repository, you can't copy-paste all settings since they are tuned for my needs, hardware, ISP and network setup.

@opnessense port flapping is a well-known issue with i226 Ethernet cards and ASPM. Mostly affected are firmware v2.13, v2.14 and v2.17, with a partial fix released in v2.22 but still some issues with ASPM. The full fix was released in firmware 2.33/2.34; in my case I upgraded the firmware of my i226-V to v2.34 and I don't have any issues with the settings I provided in the repository.


Thanks,
nightcom


Where did you find v2.34?  I have v2.32 but unable to find v2.34. 

Quote from: RobertoZ on Today at 02:00:52 PM
Where did you find v2.34? I have v2.32 but unable to find v2.34.

Sorry, my mistake (typo), I meant 2.32 and I got it from here

https://github.com/BillyCurtis/Intel-i226-V-NVM-Firmware/blob/main/README.md

Quote from: nightcom on Today at 02:03:09 PM
Quote from: RobertoZ on Today at 02:00:52 PM
Where did you find v2.34? I have v2.32 but unable to find v2.34.

Sorry, my mistake (typo), I meant 2.32 and I got it from here

https://github.com/BillyCurtis/Intel-i226-V-NVM-Firmware/blob/main/README.md

v2.36 is supposedly out there somewhere. I haven't had any issues with v2.32 but v2.36 is a higher number and thusly more gooderer. :) 

Quote from: RobertoZ on Today at 03:45:51 PM
v2.36 is supposedly out there somewhere. I haven't had any issues with v2.32 but v2.36 is a higher number and thusly more gooderer. :)

Yea, that is true, but from what BillyCurtis wrote, even Intel is not providing release notes. When I started this project I was searching for information on v2.32 but I couldn't find anything, not to mention that I couldn't find the v2.34 firmware... I bet it will be the same story with v2.36.

There is more information about upgrading i226, and people involved including BillyCurtis, in the thread below. If you have some more info about v2.36 I encourage you to write it in here:
https://forum.opnsense.org/index.php?topic=48695.0

Today at 05:26:44 PM #11 Last Edit: Today at 05:28:48 PM by opnessense
[GUIDE] Updating Intel I226‑V NVM firmware (1MB) to 2.32 on N5105 mini‑PC (OPNsense)

This guide explains how to update the NVM firmware of Intel I226‑V NICs (1MB PROM) from problematic versions (e.g. 2.14 / 2.17) to 2.32 using Intel's nvmupdate64e tool and the BillyCurtis firmware, by booting the firewall into an Ubuntu live environment.

1. Context and warnings
Typical scenario:

Hardware: N5105 mini‑PC with 3–4× Intel I226‑V (device ID 111C).

Current state (example):

```
dmesg | grep igc
[1] igc0: <Intel(R) Ethernet Controller I226-V> ...
[1] igc0: EEPROM V2.14-0 eTrack 0x80000110
...
 igc1: link state changed to UP
 igc1: link state changed to DOWN
 igc1: link state changed to UP
...
```

Problem: I226‑V NVM 2.14 / 2.17 is known to cause link flapping, random disconnects, ping spikes, especially with ASPM/EEE enabled.

Target: move NICs to FXVL_111C_V_1MB_2.32.bin (EEPID 80000425) as documented by BillyCurtis and in the OPNsense thread:

"[solved] Intel i226 Firmware (see post #39]"
https://forum.opnsense.org/index.php?topic=48695.0

DISCLAIMER: You do this at your own risk. Always back up the NVM first, never power‑off during an update, and read the Intel "Quick Usage Guide" that comes with the tool.


2. References
Main OPNsense thread (read post #39 and following):
https://forum.opnsense.org/index.php?topic=48695.0

BillyCurtis Intel I226‑V NVM firmware repo (1MB/2MB bins + README):
https://github.com/BillyCurtis/Intel-I226-V-NVM-Firmware


Ready‑made package (tool + 1MB 2.32 bin + example cfg + README):
https://intel226bucket.s3.us-east-1.amazonaws.com/i226.zip


Intel document: "Intel Ethernet NVM Update Tool – Quick Usage Guide for FreeBSD" (included in the ZIP, Revision 1.4, 333909‑005).


3. Preparation (on OPNsense and on a separate PC)
3.1. Check NICs and current NVM in OPNsense
On the OPNsense console / SSH:

```
dmesg | grep igc
ifconfig igc0 | grep ether
ifconfig igc1 | grep ether
ifconfig igc2 | grep ether
ifconfig igc3 | grep ether
```

Example output (adapt to your box):

I226‑V with NVM 2.14, EEPID 80000290 (→ I226‑V 1MB 2.14 bin in BillyCurtis README).


MAC addresses (example values):

igc0: 00:AA:BB:CC:DD:10 → 00AABBCCDD10

igc1: 00:AA:BB:CC:DD:11 → 00AABBCCDD11

igc2: 00:AA:BB:CC:DD:12 → 00AABBCCDD12

igc3: 00:AA:BB:CC:DD:13 → 00AABBCCDD13

Write your own MACs down in both formats (with and without colons) for later use with -m.


3.2. Prepare two USB sticks
USB1: Ubuntu Desktop live (created with Rufus / Balena Etcher from the ISO).


USB2: plain FAT32 stick for firmware files.

On USB2:

Download and extract:
https://intel226bucket.s3.us-east-1.amazonaws.com/i226.zip


Create a folder i226-fw.

Copy into i226-fw:

nvmupdate64e

FXVL_125C_V_1MB_2.32.bin

nvm.cfg

Optional: Intel PDF and the README.

3.3. Adjust nvm.cfg for 1MB I226‑V 2.14 → 2.32
Open nvm.cfg on USB2 and ensure it matches your case. For a 1MB I226‑V with EEPID 80000110, a typical config is:


```
CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_1MB_2.32.bin
EEPID: 80000425
RESET TYPE: REBOOT
REPLACES: 80000110
END DEVICE
```

NVM IMAGE: must match the 1MB 2.32 bin filename.

REPLACES: set to your current EEPID (e.g. 80000110 for 2.14) instead of the example 2.17 EEPID from the thread.

4. Offline phase – Booting Ubuntu live on the firewall
When you can take the firewall offline:

Power off the N5105.

Connect monitor, keyboard, and USB1 (Ubuntu).

Enter BIOS/boot menu and boot from the Ubuntu USB.


In Ubuntu's boot menu select "Try Ubuntu" (do not install).

Once on the desktop, insert USB2 (firmware).

5. Ubuntu terminal commands (local console)
Open a Terminal window and:

```bash
# 1) Go where Ubuntu mounts USB devices
cd /media/ubuntu
ls
```

Identify USB2 volume name (e.g. I226_FW), then:

```bash
# 2) Enter data stick and firmware folder
cd I226_FW/i226-fw
ls
# You should see: nvmupdate64e, FXVL_125C_V_1MB_2.32.bin, nvm.cfg
```

5.1. Verify NICs and current firmware

```bash
sudo ./nvmupdate64e -i
```

Confirm it detects your I226‑V NICs and shows the current NVM version (e.g. 2.14).


5.2. NVM backup (mandatory)
```bash
sudo ./nvmupdate64e -b -l nvm_backup.log
```

The tool will create backup(s) and the log file in the same directory (i226-fw on USB2). Do not delete them; copy them to a safe location later.


5.3. Per‑interface firmware update (example MACs)
Using the generic example MACs from above:

igc0 → 00AABBCCDD10

igc1 → 00AABBCCDD11

igc2 → 00AABBCCDD12

igc3 → 00AABBCCDD13

Run, one interface at a time:

```bash
# Update igc2 (example)
sudo ./nvmupdate64e -b -l nvm_igc2.log -m 00AABBCCDD12 -f -u -c nvm.cfg

# Update igc3
sudo ./nvmupdate64e -b -l nvm_igc3.log -m 00AABBCCDD13 -f -u -c nvm.cfg

# Update igc0
sudo ./nvmupdate64e -b -l nvm_igc0.log -m 00AABBCCDD10 -f -u -c nvm.cfg

# Update igc1
sudo ./nvmupdate64e -b -l nvm_igc1.log -m 00AABBCCDD11 -f -u -c nvm.cfg
```

Replace the -m values with your own MACs (without colons). This is exactly the pattern recommended in the thread, adapted to 1MB 2.14 → 2.32.

If any update command fails, immediately run:

```bash
echo $?
```

and look up the error code in the Intel Quick Usage Guide or in post #39 notes.


6. Reboot and validation in OPNsense
Quit Ubuntu, shut the firewall down cleanly, remove both USB sticks.

Boot normally into OPNsense from the internal drive.

On the OPNsense console:


```
dmesg | grep igc
```

You should now see something like:

```
igcX: EEPROM V2.32-0 eTrack 0x80000115
```

for all updated ports instead of V2.14-0 0x80000110.


Check logs for a while and ensure there are no more frequent link state changed to DOWN/UP bursts on the I226‑V interfaces after boot.


7. Practical tips from the thread
Do not flash "blindly": always adjust nvm.cfg to match your actual EEPID and PROM size (1MB vs 2MB). Users with 2MB PROM need the FXVL_125C_V_2MB_2.32.bin + EEPID 80000422 config instead.


If you must flash an in‑use NIC over SSH, consider the "sleep + reboot" script approach shown in post #59 to avoid hard power‑offs; with local console (monitor + keyboard) it's easier to perform a graceful reboot afterwards.


If you are on latest OPNsense / FreeBSD 14.3 with the newer igc driver, keeping Intel NICs on up‑to‑date NVM images (e.g. 2.32) is strongly recommended to avoid the known I226 issues.
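
A pre-flight check for the "do not flash blindly" advice in sections 3.3 and 7 above, as an added example that is not part of the original post or of Intel's tooling: it reads nvm.cfg from the firmware folder and confirms that the image file is present, that REPLACES lists the EEPID the NIC currently reports, and that the image name agrees with the PROM size and DEVICE ID. The function names, the three arguments and the assumption that PROM size and device ID appear in the image file name (as in the names quoted in this guide) are illustrative.

```shell
#!/bin/sh
# Added example: check nvm.cfg for consistency before running nvmupdate64e -u.

# cfg_get FILE KEY -> value of the first "KEY: value" line, trailing blanks/CR removed
cfg_get() {
    awk -F': *' -v k="$2" '$1 == k { gsub(/[ \t\r]+$/, "", $2); print $2; exit }' "$1"
}

fail() { echo "FAIL $*"; fails=$((fails + 1)); }

# preflight DIR CURRENT_EEPID PROM_SIZE   (returns the number of failed checks)
#   CURRENT_EEPID: eTrack value from "dmesg | grep igc", e.g. 0x80000110
#   PROM_SIZE:     1MB or 2MB; assumed to appear in the image file name
preflight() {
    dir=$1 prom=$3 fails=0 cfg=$1/nvm.cfg
    current=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    [ -f "$cfg" ] || { fail "no nvm.cfg in $dir"; return "$fails"; }
    image=$(cfg_get "$cfg" "NVM IMAGE")
    device=$(cfg_get "$cfg" "DEVICE")
    target=$(cfg_get "$cfg" "EEPID" | tr 'a-f' 'A-F')
    replaces=$(cfg_get "$cfg" "REPLACES" | tr 'a-f' 'A-F')

    # 1) NVM IMAGE must name a file that is really in the firmware folder.
    if [ -n "$image" ] && [ -f "$dir/$image" ]; then echo "OK   image present: $image"
    else fail "NVM IMAGE '$image' not found in $dir"; fi

    # 2) REPLACES must list the EEPID the NIC reports now (section 3.3).
    case " $replaces " in
        *" $current "*) echo "OK   REPLACES lists current EEPID $current" ;;
        *) fail "REPLACES ($replaces) does not list current EEPID $current" ;;
    esac

    # 3) PROM size and device ID must match the image (1MB vs 2MB, section 7).
    case $image in
        *_"$prom"_*) echo "OK   image matches PROM size $prom" ;;
        *) fail "image name does not match PROM size $prom" ;;
    esac
    case $image in
        *_"$device"_*) echo "OK   image matches DEVICE $device" ;;
        *) fail "image name does not carry DEVICE id $device" ;;
    esac

    [ "$target" != "$current" ] || echo "NOTE NIC already reports target EEPID $target"
    return "$fails"
}

# Usage from the firmware folder: ./preflight.sh . 0x80000110 1MB
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Run against the example config in section 3.3, the check passes for a NIC reporting 0x80000110 and fails for one reporting EEPID 80000290, the value shown in section 3.1, because REPLACES does not list it.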

Quote from: nightcom on Today at 01:46:18 PM
I'm the author of the repository, and thank you for noticing my work. The purpose of this repository is to describe all functions in tunables, with examples based on my hardware and network setup. Like I wrote in the repository, you can't copy-paste all settings since they are tuned for my needs, hardware, ISP and network setup.

Honestly good job on that, finding the tunables in itself is easy but finding the explanation is...... different story.

Are you gonna keep it updated? Cause as you most likely know tunables tend to change, decom depending how FBSD deems them usable and need-able.

Regards,
S.

I also performed tuning by referring to that repository. Rather than simply copying it, I asked Gemini and ChatGPT what each configuration parameter does and which values would be suitable for my hardware specifications, and adjusted the settings based on that.