OpenVPN Clients + pfblocker + DNSBL [+ suricata] + unbound == unusable
I don't think it is a 2.4 only problem, but let me tell you the story:
Scenario: 3 subnets, 1 OpenVPN server, 4 OpenVPN clients, the mentioned services activated, GW groups and a bit of policy routing.
To do all my filtering comfortably, I upgraded my pfSense from an APU1D4 to a J4205 CPU. Enough performance for what I needed.
Still, there was no stable solution with 2.3; the DNS was down all the time or at least unusable for the clients, and the system was barely usable. I also read the common RT8111 error in the terminal and decided to take one error source out of the game and upgraded to a Supermicro E300-8D + ECC + M.2.
I also read that, driver-wise, the 2.4 RC has better support for the board and should be usable (according to what I read here and elsewhere), so I tried my luck.
The result is IMHO devastating.
As soon as I upped the game with pfBlocker and/or Suricata or some OpenVPN clients, the system became more and more unresponsive.
I suspect unbound plays a great part in it; it may also have something to do with interface updates in general.
I would like to think it is a config error, but the behavior was problematic with 4 OpenVPN client interfaces alone.
Sadly, debugging is a pain with a web interface that is sluggish to not responsive at all.
I'm tempted to order official support, as this setup can be done within a short time, but I'll bet it won't run stably in the given time.
Solution: I switched to OPNsense, even if I miss some features (especially pfBlockerNG) and settings, but at least it does its job.
But as pfSense is more my style, I would like to hear if anyone has had similar experiences and/or found workarounds with the services mentioned in the title.
This issue cost me quite some time and some expensive hardware, after long years of pfSense.
As a result, I didn't show any logs. But what I can tell you is that nearly the same setup with the same accounts didn't provoke the error on OPNsense. (Don't get me wrong, I don't care which sense it is... pf, open, common... but I find it very interesting, as I thought it was very similar to pfSense.)
If I may guess, the unbound problem had something to do with changing interfaces (or was a result of it).
I would be really interested if someone has similar issues, and best of all, ones that are now resolved.
I got tired of fighting w/ unbound myself and switched to dnsmasq. For me it was a good move, although others will argue to the contrary. I know Unbound is "better" on paper and the purist in me wants to use it, but it just wasn't as stable for me. Dnsmasq does everything I need it to and just never seems to have issues. The recent CVEs were fixed in record time. I think from wide disclosure to having the patched binary running on my system was <24 hours, which I consider amazing.
To be fair, I didn't give Unbound much of a chance w/ recent 2.4 snaps and I hear it has improved, but for me there is no compelling reason to switch. Maybe worth it for you to give dnsmasq a try.