6100 SLOW in comparison to Protectli FW6E
-
@bmeeks Awesome
-
@manilx said in 6100 SLOW in comparison to Protectli FW6E:
Here is one I saved.
And I got no internet connection on the LAN. The 8200 had one.
[14-Feb-2023 16:28:32 Europe/Lisbon] PHP Fatal error: Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724 Stack trace: #0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false) #1 {main} thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:28:52 Europe/Lisbon] PHP Fatal error: Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724 Stack trace: #0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false) #1 {main} thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:31:40 Europe/Lisbon] PHP Fatal error: Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724 Stack trace: #0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false) #1 {main} thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:32:19 Europe/Lisbon] PHP Fatal error: Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724 Stack trace: #0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false) #1 {main} thrown in /etc/inc/pfsense-utils.inc on line 2724
Also had 100's of messages I receive via Pushover. I didn't save those. They were different BUT were about missing firewall rules or such.
Yeah, these are all core to pfSense PHP itself and not related to Suricata. Perhaps the Netgate guys can respond to those. With a new SG-8200 you get some free initial support, so I would take advantage of it and open a TAC ticket here: https://www.netgate.com/tac-support-request.
-
@bmeeks I will return the 8200 and keep the 6100 and wait for the new suricata, I just don't have enough energy left after 3 months at this ;)
Putting the 6100 at work again after factory restart to send back and fresh import of the config was 10min.
-
@manilx said in 6100 SLOW in comparison to Protectli FW6E:
@bmeeks I will return the 8200 and keep the 6100 and wait for the new suricata, I just don't have enough energy left after 3 months at this ;)
Well, the 8200 is a nice box if you have the budget to keep it and the 6100.
-
@bmeeks Like in Women "nice" is not always "good" :)
-
@manilx said in 6100 SLOW in comparison to Protectli FW6E:
@bmeeks Like in Women "nice" is not always "good" :)
It's Valentine's Day today, so I will let that one lay lest I get myself in trouble with the lady in my life.
-
@bmeeks For the record and because I'm not english native:
With nice I meant good looking
With good I meant good heart
Valentine's day saved :)
-
@manilx said in 6100 SLOW in comparison to Protectli FW6E:
Well after 3 hours and crashes after crashes
Urgh, I'm sorry about that. The 8200 is supplied with 22.05.1 by default because it required a point release to recognise the new hardware.
It looks like you're hitting a known issue there. Hold on....
-
@stephenw10 Yes I have seen that. And it wanted me to upgrade to the RC!!
I have until tomorrow morning to decide which unit to send back!
If you get me a solution in the next few hours I can try
-
Yeah this: https://forum.netgate.com/post/1080059
You can apply that patch using the system patches package and the commit ID or just copy/pasting the patch.
With that patch in place you should be able to import that config with the URL table aliases.
It's fixed in 23.01 which is imminent.
Steve
-
@stephenw10 OK. I will try again!
-
@stephenw10 Steve,
Did that. Applied patch and then the config restore.
Had issues because it didn't reinstall the packages as it should:
Also it again had the RC set as the update to load. Had to change it back to 22.05.1 release.
After that manually installed the missing packages (all in red).
No internet for me. Refreshed DHCP and all OK.
Seems running now!
Question about that patch. On reboot it's loaded automatically and I don't have to do anything?
-
When you apply the patch it is permanent unless the file(s) are replaced. So it will be lost at upgrade for example but it's fixed in 23.01 anyway so not a problem.
-
@stephenw10 Great. 6100 is going back then and 8200 is the keeper :)
-
@manilx Now back to the speed issue with Suricata:
I have now tested the speedtest with my standard rules applied to WAN (yes, I know about better to do LAN but with the open ports I feel better like this).
Speed reaches full 900+ !!!!!!! This CPU is up to par now.
-
@manilx said in 6100 SLOW in comparison to Protectli FW6E:
@manilx Now back to the speed issue with Suricata:
I have now tested the speedtest with my standard rules applied to WAN (yes, I know about better to do LAN but with the open ports I feel better like this).
Speed reaches full 900+ !!!!!!! This CPU is up to par now.
Once the stall/hang bug with "workers" mode is fixed in Suricata, the box should really fly then when you switch Suricata to
runmode = workers
and use Inline IPS Mode.
-
@bmeeks Looking forward to!
-
@manilx:
Do you still have your Protectli appliance and can you configure it with OPNsense again? If so, I would really be interested in how this test Suricata package from the OPNsense developer works for you in terms of eliminating the stall/hang when using Suricata in IPS mode.
Here is a link to the link for the package as posted on the Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/5744#note-69. The package was created by Franco for use on OPNsense, so it will not work on pfSense. A different user in that Redmine thread had been working with us for testing, but he seems to have dropped off the radar over the last week or so.
The test package at the link above contains the latest iteration of a fix for the stall/hang condition in netmap that happens during heavy traffic transfers such as speed tests when using IPS mode in Suricata. I have also included this fix in the next release of Suricata 6.0.10 on pfSense, but some early feedback would be helpful.
-
@bmeeks Hi
Yes have it with pfsense configured as backup.
Still have my OPNsense proxmox VM, which ran for 9 months until....
I can test it there.
Tell me how I can install this patch and how you want me to test this.
-
@manilx P.S: I tried running OPNsense on the Protectli before but it got sporadic crashes with lost internet access and could not afford to debug that as VM was running fine.