ntopng enterprise for OPNsense

The ntopng team created a plugin based on the version I added to the plugins repository. It offers the latest and greatest code instead of the older binary from FreeBSD ports.

You can also switch between the community features or add your license key and run the enterprise version.


So good to see a second vendor after Sensei / SunnyValley join the party:


https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html

Debug 10G Lab

Setup:

Linux-A <-> OPN-A <-> OPN-B <-> Linux-B

Every system is connected via a Twinax 10G DAC cable. For testing, Linux-A and Linux-B are also linked directly (both Debian on older Xeons, 6-8 years old). OPN-X are newer SuperMicro boards, about 1 or 2 years old. NICs, dmesg and ifconfig outputs are here:

Linux-A

Linux-B

OPN-A

OPN-B

All systems have a 1G uplink into a mgmt network 10.24.80.0/24 so I don't lose connection. LAN-A is 10.1.0.0/24, LAN-B is 10.2.0.0/24, WAN for OPN is 10.0.0.0/24 where A has .1 and B has .2.

All standard results for my previous tests are here:

OPNsense Performance (20.1.8)

When I disable the firewall rules with pfctl -d on both firewalls, iperf gets the full 9.4 Gbit.
Now I look into the ruleset. I create an empty file and do:

pfctl -d && pfctl -e -f empty.txt

Now iperf gets 8.6 Gbit. Then I put this line into empty.txt and load it again:

pass in quick from {any} to {any}

The throughput drops from 8.6 Gbit to 8.1 Gbit.

To check that everything is correct I also ran iperf from Linux-A to Linux-B over the direct link: 9.4 Gbit with a single stream there too. Adding iptables rules (INPUT/OUTPUT) gives the same performance.
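The three measurements above (pf disabled, empty ruleset, one rule) are easy to repeat by hand but tedious to repeat consistently. The script below is an added example and not part of the original post: it automates the same sequence on the firewall (pfctl -d, then pfctl -e -f FILE, then a single-stream iperf3 run) and prints one line per state. It assumes root on the firewall, an iperf3 server already listening on the far Linux host, and a constructed peer address 10.2.0.10 standing in for Linux-B; the ruleset files are passed as arguments ("none" means leave pf disabled, which is the 9.4 Gbit baseline).

```shell
#!/bin/sh
# Added example, not from the original post: automate the pf throughput
# comparison (pf disabled -> empty ruleset -> one rule) with iperf3.
# Assumptions: run as root on the firewall, an iperf3 server is already
# listening on the far Linux host, PEER below is a constructed placeholder.

PEER="${PEER:-10.2.0.10}"      # constructed: Linux-B on LAN-B, adjust to your lab
DURATION="${DURATION:-10}"     # seconds per iperf3 run

# Print receiver-side throughput in Gbit/s from an iperf3 -J result file.
# Only grep/awk are used so it works on a stock FreeBSD box without jq;
# the last bits_per_second in the JSON belongs to end.sum_received.
iperf_gbit() {
    grep -o '"bits_per_second":[ ]*[0-9.e+]*' "$1" | tail -n 1 \
        | awk -F: '{ printf "%.1f\n", $2 / 1e9 }'
}

# Put pf into the requested state: "none" = leave pf disabled, otherwise
# load FILE and enable pf, exactly like "pfctl -d && pfctl -e -f FILE" by hand.
load_ruleset() {
    pfctl -d >/dev/null 2>&1 || true
    [ "$1" = "none" ] && return 0
    pfctl -e -f "$1"
}

# Measure one state and print a one-line result, e.g. "empty.txt   8.6 Gbit/s".
bench_ruleset() {
    out="$(mktemp)" || return 1
    if ! load_ruleset "$1"; then
        echo "could not load ruleset $1" >&2
        rm -f "$out"
        return 1
    fi
    iperf3 -c "$PEER" -t "$DURATION" -J > "$out" || { rm -f "$out"; return 1; }
    printf '%-20s %s Gbit/s\n' "$1" "$(iperf_gbit "$out")"
    rm -f "$out"
}

# Usage: ./pfbench.sh run none empty.txt onerule.txt
# The "run" guard keeps the functions loadable without touching pf.
# Afterwards reload your normal ruleset (on OPNsense: configctl filter reload).
if [ "${1:-}" = "run" ]; then
    shift
    for state in "$@"; do
        bench_ruleset "$state"
    done
fi
```

Run it in the same order as the post (none, empty.txt, onerule.txt) and keep the mgmt uplink for the session, because pf is disabled between runs and the firewall forwards everything for those seconds.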

With pf disabled and only ipfw in use I get 8.1 Gbit with this ruleset:

root@Zeus1:~ # ipfw list
00100 allow pfsync from any to any
00110 allow carp from any to any
00120 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 skipto 60000 ip6 from ::1 to any
00201 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 skipto 60000 ip6 from any to ::1
00203 skipto 60000 ip4 from any to 127.0.0.0/8
06000 skipto 60000 tcp from any to any out
06199 skipto 60000 ip from any to any
60000 return ip from any to any
65533 allow ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any

top -CHIPS with one pf rule
12 root -92 - 0K 672K CPU2 2 9:43 49.35% intr{irq266: ix1:q0}
0 root -92 - 0K 912K - 5 4:17 48.71% kernel{ix1:q0}

top -CHIPS with pf unloaded
12 root -92 - 0K 672K CPU2 2 10:24 81.45% intr{irq266: ix1:q0}
0 root -92 - 0K 912K - 1 1:36 10.48% kernel{ix0:q0}

Firewalls need to be up2date!

One of my firewalls reports itself as up to date when I check for updates (24.9.19):

Built on May 15th, so there was no update for 4 months, for a security device? Not feeling really safe now. The latest release of this is -p14 (at the time of writing). When I check the packages available via the Package Manager, there is a ton of outdated software like bind (9.11 - 9.14), freeradius3 (3.0.17 - 3.0.19), ntopng (3.6 - 3.8), squid (3.5.27 - 3.5.28), stunnel (5.47 - 5.55, over a year without an update!), telegraf (1.6.3 - 1.12.1), zabbix (all of them).

Seems to be a huge gap between security and "stability".

FreeBSD APU serial installation

I just have an APU2 here for testing. While installing FreeBSD I was stuck, since I had always used the serial image from OPNsense.

So when you need to install vanilla FreeBSD, escape to the loader prompt with "3" and enter:

set boot_multicons="YES"
set boot_serial="YES"
set comconsole_speed="115200"
set console="comconsole,vidconsole"
set kern.cam.boot_delay="10000"
boot
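The loader prompt settings above are gone after the next reboot; once the system is installed, the same variables belong in /boot/loader.conf. The shell function below is an added example, not something from the original post: it writes those five variables idempotently (replacing an existing value instead of appending a duplicate) and takes the file path as a parameter, so you can try it on a scratch copy before touching the real file. It assumes a plain loader.conf with one NAME="value" per line, which is what FreeBSD's installer produces.

```shell
#!/bin/sh
# Added example, not from the original post: persist the serial console
# settings used at the loader prompt into /boot/loader.conf.
# Assumptions: run as root after the install; the file uses one NAME="value"
# per line; the path is a parameter so a scratch file can be used for testing.

# set_loader_var FILE NAME VALUE: replace NAME="..." if present, else append.
set_loader_var() {
    file="$1"; name="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # temp file instead of sed -i so this works with both BSD and GNU sed
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_loader_var FILE NAME: print the stored value without the quotes.
get_loader_var() {
    grep "^$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Write the same five settings that were typed at the loader prompt.
# kern.cam.boot_delay keeps the 10 s wait for slow USB/SD media on the APU.
persist_serial_console() {
    file="${1:-/boot/loader.conf}"
    set_loader_var "$file" boot_multicons YES
    set_loader_var "$file" boot_serial YES
    set_loader_var "$file" comconsole_speed 115200
    set_loader_var "$file" console "comconsole,vidconsole"
    set_loader_var "$file" kern.cam.boot_delay 10000
}

# Usage: ./serialconsole.sh [path-to-loader.conf]
if [ "${1:-}" = "apply" ]; then
    persist_serial_console "${2:-/boot/loader.conf}"
fi
```

Running it a second time changes nothing, which matters on a box where OPNsense or a later tuning pass may already have written a console= line.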


Comparing OPNsense VPN performance

In my standard 10G lab I’m testing with average server hardware from Fujitsu, Xeon processor, plenty of RAM, standard 10G cards (X520, X710). 

Doing my usual measurements without any kind of tweaking I got these results (iperf, 10 streams and single stream):

IPSEC (AES-GCM): 2.6 Gbit
WireGuard: 1.9 Gbit
OpenVPN: 1.1 Gbit
Tinc: 700 Mbit

OPNsense: Installing development versions of plugins

Sometimes I ask people to test a plugin or a new feature.
There are two ways to achieve this:

  1. When a new version is merged into master, let's say 0.4, there will be a new pkg when the next OPNsense version is released, like 18.7.3.
    So you go to your console and type:
    # pkg install os-pluginname-devel
  2. If you don't want to wait for a new release you can grab the latest master code and install it yourself. You have to check the folder where the plugin resides, like /net/ for WireGuard:
    # opnsense-code plugins
    # cd /usr/plugins
    # cd category/pluginname
    # make upgrade
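After either route it is worth confirming that the package that ended up installed is really the version you meant to test, because a stale pkg from the mirror and a fresh "make upgrade" from the checkout both install under an os- name. The script below is an added example and not part of the original post or of the OPNsense tooling: it reads PLUGIN_NAME, PLUGIN_VERSION and PLUGIN_REVISION from the plugin's Makefile under /usr/plugins (the checkout from step 2) and compares them with what pkg reports for os-NAME or os-NAME-devel. It assumes the installed version string is PLUGIN_VERSION, with _PLUGIN_REVISION appended when the Makefile sets a non-zero revision, and that pkg query exits non-zero for a package that is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: after installing a plugin from
# pkg or from a /usr/plugins checkout, check that the installed version
# matches the checkout's Makefile.
# Assumptions: checkout under /usr/plugins (step 2); installed version is
# PLUGIN_VERSION plus "_PLUGIN_REVISION" when a non-zero revision is set;
# pkg query exits non-zero when the package is absent.

PLUGINS_DIR="${PLUGINS_DIR:-/usr/plugins}"

# makefile_var FILE NAME: value of "NAME= ..." with surrounding whitespace removed.
makefile_var() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

makefile_name() { makefile_var "$1" PLUGIN_NAME; }

# Version the checkout should produce, e.g. 0.4 or 0.4_2.
expected_version() {
    ver="$(makefile_var "$1" PLUGIN_VERSION)"
    rev="$(makefile_var "$1" PLUGIN_REVISION)"
    if [ -n "$rev" ] && [ "$rev" != "0" ]; then
        echo "${ver}_${rev}"
    else
        echo "$ver"
    fi
}

# Installed version via pkg(8); tries the -devel name from step 1 as fallback.
installed_version() {
    pkg query '%v' "os-$1" 2>/dev/null || pkg query '%v' "os-$1-devel" 2>/dev/null
}

# compare_versions EXPECTED INSTALLED: prints a verdict, exit 0 only on a match.
compare_versions() {
    if [ -z "$2" ]; then
        echo "package not installed"; return 1
    elif [ "$1" = "$2" ]; then
        echo "installed $2 matches checkout"; return 0
    else
        echo "installed $2 differs from checkout $1 (stale pkg or -devel build?)"; return 1
    fi
}

# Usage: ./checkplugin.sh net wireguard
if [ $# -eq 2 ]; then
    mk="$PLUGINS_DIR/$1/$2/Makefile"
    [ -f "$mk" ] || { echo "no Makefile at $mk" >&2; exit 2; }
    compare_versions "$(expected_version "$mk")" "$(installed_version "$(makefile_name "$mk")")"
fi
```

A mismatch after "make upgrade" usually means the build installed into a different package name than the one you queried, or that a later "pkg upgrade" silently replaced the test build with the released version.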