Open sjorge opened 5 years ago
Another example that does not include the opnsense gateway.
Laptop -[RDP]-> windows 10 -[SSH]-> FreeBSD Dev VM
The RDP is fine, the SSH is not (unless LSO/TSO is disabled on both VMs).
As mentioned on IRC, the CN is vlan tagging stuff... update flows with tags mentioned
laptop -(vlan10)-> opnsense -(vlan5)-> internet = OK
laptop -(vlan10)-> windows 10 VM = OK
laptop -(vlan10)-> omnios vm = OK
windows -(vlan10)-> opnsense -(vlan5)-> internet = BAD
omnios -(vlan10)-> opnsense -(vlan5)-> internet = BAD
windows -(vlan10)-> omnios = BAD
Laptop -RDP-> windows 10 -SSH-> FreeBSD Dev VM
The guests are not aware of the VLAN as they are on the VNICs... VLAN HW tagging is disabled on virtio, that looks to be the default.
I tried to reproduce this by placing a number of my test guest instances on a vlan tag (100) while initiating iperf back and forth. Between Windows (2016 Datacenter), Freebsd (11.2 RELEASE), and Linux (CentOS 7), TCP streams were able to flow freely with TSO/LSO enabled everywhere.
Perhaps provide (privately if you choose) a more detailed write-up of how you've configured everything?
Any particular info/command output that would be helpful?
I'll try to find some time to setup 2 test VMs just to reproduce the issue and try and upload them once I can.
If you're able to reproduce it with two test VMs, I would be interested in the vmadm json payloads to start.
OK I think I am getting a step closer...
Win 10 -[SSH]-> FreeBSD 11
The FreeBSD guest is getting the traffic! But the firewall is not happy with it and drops it with LSO/TSO enabled.
So I started poking it with tcpdump...
root@hydrogen:~ # tcpdump -vvv -i vtnet1 'host 10.23.10.231 and port ssh'
tcpdump: listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:31:39.645624 IP (tos 0x0, ttl 128, id 41398, offset 0, flags [DF], proto TCP (6), length 52)
wino.acheron.be.50452 > 10.23.10.228.ssh: Flags [S], cksum 0xf9ad (incorrect -> 0x118d), seq 620854586, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:31:39.911211 IP (tos 0x0, ttl 128, id 41399, offset 0, flags [DF], proto TCP (6), length 52)
wino.acheron.be.50453 > 10.23.10.228.ssh: Flags [S], cksum 0xf9ad (incorrect -> 0xaa6f), seq 1614915862, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:31:40.395468 IP (tos 0x0, ttl 128, id 41400, offset 0, flags [DF], proto TCP (6), length 52)
wino.acheron.be.50454 > 10.23.10.228.ssh: Flags [S], cksum 0xf9ad (incorrect -> 0xf3a0), seq 1350070189, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
<snip>
# disabling of LSO/TSO and trying again
15:32:27.441941 IP (tos 0x0, ttl 128, id 39000, offset 0, flags [DF], proto TCP (6), length 40)
wino.acheron.be.50517 > 10.23.10.228.ssh: Flags [F.], cksum 0xab7f (correct), seq 8330, ack 6329, win 1026, length 0
15:32:27.470773 IP (tos 0x0, ttl 112, id 0, offset 0, flags [DF], proto TCP (6), length 40)
10.23.10.228.ssh > wino.acheron.be.50517: Flags [F.], cksum 0xab7e (correct), seq 6329, ack 8331, win 1026, length 0
15:32:27.471148 IP (tos 0x0, ttl 128, id 39001, offset 0, flags [DF], proto TCP (6), length 40)
wino.acheron.be.50517 > 10.23.10.228.ssh: Flags [.], cksum 0xab7e (correct), seq 8331, ack 6330, win 1026, length 0
This also explains why UDP/ICMP is not affected. The firewall is rejecting the traffic due to a bad checksum. I'm surprised the VM is happy with the traffic without the firewall though. Maybe the vtnet driver skips some checks?
On the windows side:
TCP Checksum Offload (IPv4): Rx & Tx Enabled
Large Send Offload V2 (IPv4): Enabled
vs
TCP Checksum Offload (IPv4): Disabled
Large Send Offload V2 (IPv4): Disabled
This was during my lunch break, I will still try and get some test VMs this weekend or the next (more likely, as I am free for 4 days).
So if PF is looking at the actual checksum value without paying heed to the flags from the NIC (about TSO and the checksum state), that's going to be a problem. One of the keys to making loopback traffic fast is skipping work like checksum calculation, since it becomes a real burden at high speeds. I need to look at what PF and perhaps iptables do in cases like this.
So for bhyve to bhyve (same CN) the flow is: bhyve -> vnic -> vnic -> bhyve (no checksum added)
bhyve to bhyve (or zone, or laptop) not on the same CN the flow is: bhyve -> vnic -> hwnic [MAC fills in the checksum using hardware if possible] -> switch -> hwnic [MAC verifies bits] -> vnic -> bhyve
(Or close to that)
If so that would perfectly explain the weird work/does not work patterns I am seeing.
Edit: Random thing that popped into my head...
zone -> vnic -> vnic -> bhyve.... would also be missing a checksum?
Correct. The guest, having negotiated the capability for checksum (TX and RX) offloading, will skip calculating it on TX. If the packet goes out the NIC, hardware will take care of its calculation. If it loops back, then it's up to the receiving endpoint for what happens. If the destination entity, let's say it's a bhyve guest, has negotiated RX cksum offload, then we just pass the frame right in, noting that its cksum is OK. (It looped back, so why would it be wrong.) If the guest hasn't negotiated that capability, viona would calculate the cksum and fill it into the packet before passing it to the guest.
TSO support implies checksum offload, since the cksums can't be pre-calculated for all the split-up packets.
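The offload behaviour described above, as an added illustration that is not part of the original issue: a stack that has negotiated TX checksum offload leaves only the pseudo-header sum in the TCP checksum field (the same value for every SYN to the same peer, which is why the three captured SYNs all show the same "incorrect" cksum), a receiver that ignores the offload mark rejects it, and a software fix-up of the kind viona does makes it verify. Addresses, ports and sequence numbers are taken from the capture (wino.acheron.be is assumed to be 10.23.10.231, the host in the tcpdump filter); the packet bytes are constructed.

```python
import struct


def ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad IPv4 address to its 4 network-order bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry (RFC 1071), not complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 TCP pseudo-header: src, dst, zero byte, protocol 6, TCP length."""
    return ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The checksum a receiver expects on the wire: pseudo-header + segment, field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src, dst, len(zeroed)) + zeroed)) & 0xFFFF


def offload_partial_checksum(src: str, dst: str, tcp_len: int) -> int:
    """What a stack that negotiated TX checksum offload writes into the field: only the
    uncomplemented pseudo-header sum, for the NIC (or viona) to finish.  It does not depend
    on ports or sequence numbers, so every SYN to the same peer carries the same value."""
    return ones_complement_sum(pseudo_header(src, dst, tcp_len))


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int, csum: int) -> bytes:
    """32-byte TCP SYN shaped like the captured ones: 20-byte header (data offset 8) plus
    the options mss 1460, nop, wscale 8, nop, nop, sackOK."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 8 << 4, 0x02, 64240, csum, 0)
    options = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
    return header + options


def verify(src: str, dst: str, segment: bytes, csum_offloaded: bool, honour_flag: bool) -> str:
    """Receiver-side check.  csum_offloaded is the per-frame mark the host would carry for a
    looped-back frame; a receiver that honours it skips the arithmetic, while a naive one
    (what the thread suspects pf is doing here) recomputes and rejects the partial value."""
    if csum_offloaded and honour_flag:
        return "skipped"
    field = struct.unpack("!H", segment[16:18])[0]
    return "correct" if field == tcp_checksum(src, dst, segment) else "incorrect"


def fixup(src: str, dst: str, segment: bytes) -> bytes:
    """Complete the checksum in software, as viona does before handing a looped-back frame
    to a guest that did not negotiate RX checksum offload."""
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def demo():
    """Replay the three captured SYNs (addresses, ports and seq numbers from the thread,
    bytes constructed) and return the partial checksum plus the verdicts per SYN."""
    src, dst = "10.23.10.231", "10.23.10.228"        # wino.acheron.be -> FreeBSD guest (assumed)
    partial = offload_partial_checksum(src, dst, 32)  # IP length 52 minus the 20-byte IP header
    verdicts = {}
    for sport, seq in ((50452, 620854586), (50453, 1614915862), (50454, 1350070189)):
        seg = build_syn(src, dst, sport, 22, seq, partial)
        verdicts[sport] = (
            verify(src, dst, seg, csum_offloaded=True, honour_flag=False),  # naive pf-style check
            verify(src, dst, seg, csum_offloaded=True, honour_flag=True),   # flag-aware check
            verify(src, dst, fixup(src, dst, seg), False, False),           # after viona-style fix-up
        )
    return partial, verdicts


if __name__ == "__main__":
    partial, verdicts = demo()
    print(f"partial (pseudo-header only) checksum: 0x{partial:04x}")
    for sport, v in verdicts.items():
        print(sport, "naive=%s flag-aware=%s after-fixup=%s" % v)
```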
Right, so something is making FreeBSD + PF not happy with L[RS]O/TSO. It looks like the LRO/TSO knobs need to be off on both locations for it to work fine. If one of the two sides has it on, it stops working. Which with your explanation would make sense.
(A bit confusing that both LSO and LRO seem to be used interchangeably)
When the host exposes LSO to the guest, it's an indication that the guest can send large packets that the host/NIC will split up into appropriate sizes when it goes out on the wire. When the guest negotiates LRO with the host, it means that the guest is willing to accept large (>MTU) packets which may have been coalesced by the NIC (or in this case, a LSO transmission).
The ifconfig man page only seems to list LRO for FreeBSD though. I guess LSO would be negotiation only between the guest and the host.
Snippet from the ifconfig man page on FreeBSD 11:
tso If the driver supports tcp(4) segmentation offloading, enable TSO
on the interface. Some drivers may not be able to support TSO
for ip(4) and ip6(4) packets, so they may enable only one of
them.
-tso If the driver supports tcp(4) segmentation offloading, disable
TSO on the interface. It will always disable TSO for ip(4) and
ip6(4).
-tso6, -tso4
If the driver supports tcp(4) segmentation offloading for ip6(4)
or ip(4) use one of these to selectively disable it only for one
protocol family.
lro If the driver supports tcp(4) large receive offloading, enable
LRO on the interface.
-lro If the driver supports tcp(4) large receive offloading, disable
LRO on the interface.
...
vlanmtu, vlanhwtag, vlanhwfilter, vlanhwcsum, vlanhwtso
If the driver offers user-configurable VLAN support, enable
reception of extended frames, tag processing in hardware, frame
filtering in hardware, checksum offloading, or TSO on VLAN,
respectively. Note that this must be issued on a physical
interface associated with vlan(4), not on a vlan(4) interface
itself.
-vlanmtu, -vlanhwtag, -vlanhwfilter, -vlanhwtso
If the driver offers user-configurable VLAN support, disable
reception of extended frames, tag processing in hardware, frame
filtering in hardware, or TSO on VLAN, respectively.
There is also
rxcsum, txcsum, rxcsum6, txcsum6
If the driver supports user-configurable checksum offloading,
enable receive (or transmit) checksum offloading on the
interface. The feature can be turned on selectively per protocol
family. Use rxcsum6, txcsum6 for ip6(4) or rxcsum, txcsum
otherwise. Some drivers may not be able to enable these flags
independently of each other, so setting one may also set the
other. The driver will offload as much checksum work as it can
reliably support, the exact level of offloading varies between
drivers.
-rxcsum, -txcsum, -rxcsum6, -txcsum6
If the driver supports user-configurable checksum offloading,
disable receive (or transmit) checksum offloading on the
interface. The feature can be turned off selectively per
protocol family. Use -rxcsum6, -txcsum6 for ip6(4) or -rxcsum,
-txcsum otherwise. These settings may not always be independent
of each other.
Toggling those has no impact, but once LRO/TSO gets toggled things break.
sjorge@hydrogen:~ % ifconfig vtnet1 | grep options
options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
Everything I could enable with the firewall on is this.
LSO: large send offload, is covered by TSO4 in this case
OK, got it... at least I can now wrap my head around the options a bit better.
So given RXCSUM and TXCSUM can be on and keep the firewall happy... while it stops working with TSO/LRO enabled... given the latter just deals with chunking up the data in smaller MTU-size chunks or not... (unless I got it wrong)
So with TSO/LRO set it would be up to FreeBSD to send a 'big' data packet or MTU-sized chunks, and to chop up 'big' data packets into MTU-sized chunks for internal socket consumers, right?
By that logic, PF not liking those 'big' data packets would point to either a bug in PF (where it does not handle those) or a bug in vtnet on FreeBSD where it does not prepare those properly for the consumers?
Heading home now but some extra info
TSO/LRO needs to be disabled on both source and destination! Having it disabled on FreeBSD but enabled on windows also causes problems. Which complicates things, as it is not as simple as just disable TSO/LRO when using PF :( / crossing a physical NIC works in all cases though.
Edit (too much traffic to leave): Also disabling TX/RXCSUM on the host with the firewall makes all traffic work but the performance suffers somewhat. But that way you do not need to fix all other hosts. shrugs
Now I am really going home...
TSO + LRO + Firewall = OK [600Mbps]
RXCSUM + TXCSUM + Firewall = OK [85Mbps]
RXCSUM + TXCSUM + TSO + LRO = OK ? (one bad result... but might be due to human error) [620Mbps]
RXCSUM + TXCSUM + TSO + LRO + Firewall = BAD [0Mbps]
For now I am going for the top configuration, this gives best performance while still working.
Might still be worth trying to replicate on your end though.
According to some of the FreeBSD folks we might be hitting https://reviews.freebsd.org/rS289703, but that should have been fixed. It might be an edge case related to this. Maybe that is useful.
I spun up an OPNsense instance in an attempt to repro this, but loopback traffic did not seem to be affected in my tests. It would be helpful if you could distill the repro down to a minimum number of components/steps.
I'll try and get you 2 VM jsons + a broken and an OK config.xml for opnsense this or next weekend.
I'll drop this here already because those look the most relevant.
I also have scrub on vtnet0 all fragment reassemble random-id no-df max-mss 1500
my freebsd dev VM
@sjorge Thanks
FYI: According to the virtio-net spec, disabling checksum offload means also disabling TSO/LRO.
VIRTIO_NET_F_HOST_TSO* and VIRTIO_NET_F_HOST_UFO are dependent on VIRTIO_NET_F_CSUM; a device which offers the offload features must offer the checksum feature, and a driver which accepts the offload features must accept the checksum feature. Similar logic applies to the VIRTIO_NET_F_GUEST_TSO4 features depending on VIRTIO_NET_F_GUEST_CSUM.
Disabling only hardware CRC in the config likely has the effect of disabling all of those features.
Interesting... but performance with everything on except CSUM was better than just CSUM. I did not run iperf with everything off though.
Edit: rewrote for clarity as it came across reverse.
Perhaps it's disabling only the outgoing offload? It would be useful to query the interface state from the CLI when toggling those options.
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c05b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,LRO,VLAN_HWTSO,LINKSTATE>
ether 72:89:ba:aa:84:4a
hwaddr 72:89:ba:aa:84:4a
inet 10.23.10.1 netmask 0xffffff00 broadcast 10.23.10.255
inet6 fe80::7089:baff:feaa:844a%vtnet1 prefixlen 64 scopeid 0x2
inet6 2001:470:7ee7:10::1 prefixlen 64
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
This is the 'best' config I found so far, that just disabled hardware checksumming. TSO4 and LRO are still enabled.
Let me swap around the checkboxes and reboot (reboot is needed, otherwise it does not seem to take effect)
When I was playing with opnsense yesterday, it looked like visiting the specific interface configuration page and saving the data there was adequate to apply the updated offload configuration to it. (Instead of requiring a reboot)
Also: Even if the guest OS thinks that TSO/LRO are enabled while hardware CSUM is not, that does not mean that the host device is operating with those features. If you look at the TSO/LRO-related code paths in viona, they have an explicit check for the corresponding checksum feature bit.
Yeah I was under the impression as well, but while troubleshooting (I noticed a reboot was required)
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 72:89:ba:aa:84:4a
hwaddr 72:89:ba:aa:84:4a
inet 10.23.10.1 netmask 0xffffff00 broadcast 10.23.10.255
inet6 fe80::7089:baff:feaa:844a%vtnet1 prefixlen 64 scopeid 0x2
inet6 2001:470:7ee7:10::1 prefixlen 64
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
This is with TSO/LRO disabled but checksumming enabled.
The option field at least tells me it is applying TSO4/LRO without RXCSUM(_IPV6), TXCSUM(_IPV6), granted I have not looked at the vtnet code... it may still be ignoring TSO/LRO if the *CSUM options are missing.
This one has everything disabled:
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether 72:89:ba:aa:84:4a
hwaddr 72:89:ba:aa:84:4a
inet 10.23.10.1 netmask 0xffffff00 broadcast 10.23.10.255
inet6 fe80::7089:baff:feaa:844a%vtnet1 prefixlen 64 scopeid 0x2
inet6 2001:470:7ee7:10::1 prefixlen 64
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
There seems to be no performance impact with everything disabled vs just having CSUM disabled. Given your viona comment, this makes sense. It also makes sense that with CSUM disabled on the GW no changes are needed to the other VMs, as all traffic hitting the GW should then have checksums computed.
[hyperon :: sjorge][~/Desktop]
[.]$ diff broken_TSO_LRO_CSUM.xml working_NO_TSO_LRO_CSUM.xml
242a243,245
> <disablechecksumoffloading>1</disablechecksumoffloading>
> <disablesegmentationoffloading>1</disablesegmentationoffloading>
> <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
374c377
< <time>1544203641.0953</time>
---
> <time>1544204779.0319</time>
Hitting #816 while building a minimal test setup... so probably won't get you an opnsense config this weekend.
[modem] ---- [(access port - vlan 5) SWITCH (trunk port - vlan 5,100)] ---- [(nictag=trunk) CN]
[vm os=win10 (default nic settings)] ---- [(vnic vlan_id=100) CN (vnic vlan_id=5) ] ---- [vm2 os=opnsense]
(vnic vlan_id=100)] --/
The configuration is rather minimal
Nothing was changed for NAT or the firewall, it's basically a vanilla firewall/gateway type setup. So nothing exotic!
The password was set to pmooney, login is just root (default)
Running 18.7 Happy Hippo because that is what I already had a disk image for.
Changes:
<?xml version="1.0"?>
<opnsense>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Disable the pf ftp proxy handler.</descr>
<tunable>debug.pfftpproxy</tunable>
<value>default</value>
</item>
<item>
<descr>Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv4 redirects</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum size of the IP input queue</descr>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>pmgw</hostname>
<domain>example.org</domain>
<dnsallowoverride>on</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>user-shell-access</priv>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2b$10$0jkZ.G66NzGZf9osugQhJeWV.TV6n7eqjknXmARngN8AVOb0BXPx2</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<ssl-certref>5c0aa093e5cf0</ssl-certref>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<ipv6allow/>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<kill_states/>
<backupcount>60</backupcount>
<crypto_hardware>aesni</crypto_hardware>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<backup>
<nextcloud version="1.0.0">
<enabled>0</enabled>
<url/>
<password/>
<password_encryption/>
<backupdir>OPNsense-Backup</backupdir>
</nextcloud>
</backup>
<language>en_US</language>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>vtnet0</if>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<gateway/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>vtnet1</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.10</from>
<to>192.168.1.245</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>on</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<syslog>
<reverse/>
</syslog>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
<revision>
<username>(system)</username>
<time>1544204779.0319</time>
<description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
</revision>
<OPNsense>
<captiveportal version="1.0.0">
<zones/>
<templates/>
</captiveportal>
<cron version="1.0.1">
<jobs/>
</cron>
<Netflow version="1.0.0">
<capture>
<interfaces/>
<egress_only>wan</egress_only>
<version>v9</version>
<targets/>
</capture>
<collect>
<enable>0</enable>
</collect>
</Netflow>
<Firewall>
<Alias version="1.0.0">
<aliases/>
</Alias>
</Firewall>
<IDS version="1.0.1">
<rules/>
<userDefinedRules/>
<files/>
<fileTags/>
<general>
<enabled>0</enabled>
<ips>0</ips>
<promisc>0</promisc>
<interfaces>wan</interfaces>
<homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
<defaultPacketSize/>
<UpdateCron/>
<AlertLogrotate>W0D23</AlertLogrotate>
<AlertSaveLogs>4</AlertSaveLogs>
<MPMAlgo>ac</MPMAlgo>
<syslog>0</syslog>
<LogPayload>0</LogPayload>
</general>
</IDS>
<monit version="1.0.4">
<general>
<enabled>0</enabled>
<interval>120</interval>
<startdelay>120</startdelay>
<mailserver>127.0.0.1</mailserver>
<port>25</port>
<username/>
<password/>
<ssl>0</ssl>
<logfile>syslog facility log_daemon</logfile>
<statefile/>
<eventqueuePath/>
<eventqueueSlots/>
<httpdEnabled>0</httpdEnabled>
<httpdUsername>root</httpdUsername>
<httpdPassword>nd7Vz2nelrHRAiAkEXn</httpdPassword>
<httpdPort>2812</httpdPort>
<httpdAllow/>
<mmonitUrl/>
<mmonitTimeout>5</mmonitTimeout>
<mmonitRegisterCredentials>1</mmonitRegisterCredentials>
</general>
<alert uuid="f3495c7f-ff9c-4a8b-be2f-e75c627039ce">
<enabled>0</enabled>
<recipient>root@localhost.local</recipient>
<noton>0</noton>
<events/>
<format/>
<reminder>10</reminder>
<description/>
</alert>
<service uuid="33831b6c-0d98-4b91-a828-ff03b2c3a597">
<enabled>1</enabled>
<name>$HOST</name>
<type>system</type>
<pidfile/>
<match/>
<path/>
<address/>
<interface/>
<start/>
<stop/>
<tests>a2b62f7d-bbfd-41f2-9f2b-b82f1d7bbc02,5fbbb3c7-fa5f-4f1c-b4a7-ef367d91b058,47f478c9-445a-4f08-92d4-95d37838db05,90e7f3da-674b-4f90-881d-9a6095c07481</tests>
</service>
<service uuid="5e4b9a22-5b9f-4413-9609-ffcdcc6790bd">
<enabled>1</enabled>
<name>RootFs</name>
<type>filesystem</type>
<pidfile/>
<match/>
<path>/</path>
<address/>
<interface/>
<start/>
<stop/>
<tests>3fbe0b64-1883-4113-9fe0-75d649e612a0</tests>
</service>
<test uuid="5c2e4c53-c349-4db6-8862-10965175318a">
<name>Ping</name>
<condition>failed ping</condition>
<action>alert</action>
<path/>
</test>
<test uuid="23f6d59e-1751-49b8-9003-b2f2a23bd436">
<name>NetworkLink</name>
<condition>failed link</condition>
<action>alert</action>
<path/>
</test>
<test uuid="fc73c27a-598b-4000-a3af-3f9c1ce24c55">
<name>NetworkSaturation</name>
<condition>saturation is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="a2b62f7d-bbfd-41f2-9f2b-b82f1d7bbc02">
<name>MemoryUsage</name>
<condition>memory usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="5fbbb3c7-fa5f-4f1c-b4a7-ef367d91b058">
<name>CPUUsage</name>
<condition>cpu usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="47f478c9-445a-4f08-92d4-95d37838db05">
<name>LoadAvg1</name>
<condition>loadavg (1min) is greater than 2</condition>
<action>alert</action>
<path/>
</test>
<test uuid="90e7f3da-674b-4f90-881d-9a6095c07481">
<name>LoadAvg5</name>
<condition>loadavg (5min) is greater than 1.5</condition>
<action>alert</action>
<path/>
</test>
<test uuid="b05beee5-dc48-485a-b385-deecdac44e89">
<name>LoadAvg15</name>
<condition>loadavg (15min) is greater than 1</condition>
<action>alert</action>
<path/>
</test>
<test uuid="3fbe0b64-1883-4113-9fe0-75d649e612a0">
<name>SpaceUsage</name>
<condition>space usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
</monit>
<proxy version="1.0.1">
<general>
<enabled>0</enabled>
<icpPort/>
<logging>
<enable>
<accessLog>1</accessLog>
<storeLog>1</storeLog>
</enable>
<ignoreLogACL/>
<target/>
</logging>
<alternateDNSservers/>
<dnsV4First>0</dnsV4First>
<forwardedForHandling>on</forwardedForHandling>
<uriWhitespaceHandling>strip</uriWhitespaceHandling>
<useViaHeader>1</useViaHeader>
<suppressVersion>0</suppressVersion>
<VisibleEmail>admin@localhost.local</VisibleEmail>
<VisibleHostname/>
<cache>
<local>
<enabled>0</enabled>
<directory>/var/squid/cache</directory>
<cache_mem>256</cache_mem>
<maximum_object_size/>
<size>100</size>
<l1>16</l1>
<l2>256</l2>
<cache_linux_packages>0</cache_linux_packages>
<cache_windows_updates>0</cache_windows_updates>
</local>
</cache>
<traffic>
<enabled>0</enabled>
<maxDownloadSize>2048</maxDownloadSize>
<maxUploadSize>1024</maxUploadSize>
<OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
<perHostTrotteling>256</perHostTrotteling>
</traffic>
</general>
<forward>
<interfaces>lan</interfaces>
<port>3128</port>
<sslbumpport>3129</sslbumpport>
<sslbump>0</sslbump>
<sslurlonly>0</sslurlonly>
<sslcertificate/>
<sslnobumpsites/>
<ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
<sslcrtd_children>5</sslcrtd_children>
<snmp_enable>0</snmp_enable>
<snmp_port>3401</snmp_port>
<snmp_password>public</snmp_password>
<ftpInterfaces/>
<ftpPort>2121</ftpPort>
<ftpTransparentMode>0</ftpTransparentMode>
<addACLforInterfaceSubnets>1</addACLforInterfaceSubnets>
<transparentMode>0</transparentMode>
<acl>
<allowedSubnets/>
<unrestricted/>
<bannedHosts/>
<whiteList/>
<blackList/>
<browser/>
<mimeType/>
<safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
<sslPorts>443:https</sslPorts>
<remoteACLs>
<blacklists/>
<UpdateCron/>
</remoteACLs>
</acl>
<icap>
<enable>0</enable>
<RequestURL>icap://[::1]:1344/avscan</RequestURL>
<ResponseURL>icap://[::1]:1344/avscan</ResponseURL>
<SendClientIP>1</SendClientIP>
<SendUsername>0</SendUsername>
<EncodeUsername>0</EncodeUsername>
<UsernameHeader>X-Username</UsernameHeader>
<EnablePreview>1</EnablePreview>
<PreviewSize>1024</PreviewSize>
<OptionsTTL>60</OptionsTTL>
<exclude/>
</icap>
<authentication>
<method/>
<realm>OPNsense proxy authentication</realm>
<credentialsttl>2</credentialsttl>
<children>5</children>
</authentication>
</forward>
<pac/>
</proxy>
<ARPscanner version="1.0.0">
<general>
<interface>lan</interface>
<networks/>
</general>
</ARPscanner>
<TrafficShaper version="1.0.2">
<pipes/>
<queues/>
<rules/>
</TrafficShaper>
<vnstat>
<general version="0.0.1">
<enabled>0</enabled>
<interface/>
</general>
</vnstat>
</OPNsense>
<cert>
<refid>5c0aa093e5cf0</refid>
<descr>Web GUI SSL certificate</descr>
<crt>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</crt>
<prv>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</prv>
</cert>
<ppps/>
<staticroutes version="1.0.0"/>
</opnsense>
Changes:
<?xml version="1.0"?>
<opnsense>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Disable the pf ftp proxy handler.</descr>
<tunable>debug.pfftpproxy</tunable>
<value>default</value>
</item>
<item>
<descr>Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv4 redirects</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum size of the IP input queue</descr>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>pmgw</hostname>
<domain>example.org</domain>
<dnsallowoverride>on</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>user-shell-access</priv>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2b$10$0jkZ.G66NzGZf9osugQhJeWV.TV6n7eqjknXmARngN8AVOb0BXPx2</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<ssl-certref>5c0aa093e5cf0</ssl-certref>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<ipv6allow/>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<kill_states/>
<backupcount>60</backupcount>
<crypto_hardware>aesni</crypto_hardware>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<backup>
<nextcloud version="1.0.0">
<enabled>0</enabled>
<url/>
<password/>
<password_encryption/>
<backupdir>OPNsense-Backup</backupdir>
</nextcloud>
</backup>
<language>en_US</language>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>vtnet0</if>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<gateway/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>vtnet1</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.10</from>
<to>192.168.1.245</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>on</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<syslog>
<reverse/>
</syslog>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
<revision>
<username>(system)</username>
<time>1544203641.0953</time>
<description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
</revision>
<OPNsense>
<captiveportal version="1.0.0">
<zones/>
<templates/>
</captiveportal>
<cron version="1.0.1">
<jobs/>
</cron>
<Netflow version="1.0.0">
<capture>
<interfaces/>
<egress_only>wan</egress_only>
<version>v9</version>
<targets/>
</capture>
<collect>
<enable>0</enable>
</collect>
</Netflow>
<Firewall>
<Alias version="1.0.0">
<aliases/>
</Alias>
</Firewall>
<IDS version="1.0.1">
<rules/>
<userDefinedRules/>
<files/>
<fileTags/>
<general>
<enabled>0</enabled>
<ips>0</ips>
<promisc>0</promisc>
<interfaces>wan</interfaces>
<homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
<defaultPacketSize/>
<UpdateCron/>
<AlertLogrotate>W0D23</AlertLogrotate>
<AlertSaveLogs>4</AlertSaveLogs>
<MPMAlgo>ac</MPMAlgo>
<syslog>0</syslog>
<LogPayload>0</LogPayload>
</general>
</IDS>
<monit version="1.0.4">
<general>
<enabled>0</enabled>
<interval>120</interval>
<startdelay>120</startdelay>
<mailserver>127.0.0.1</mailserver>
<port>25</port>
<username/>
<password/>
<ssl>0</ssl>
<logfile>syslog facility log_daemon</logfile>
<statefile/>
<eventqueuePath/>
<eventqueueSlots/>
<httpdEnabled>0</httpdEnabled>
<httpdUsername>root</httpdUsername>
<httpdPassword>nd7Vz2nelrHRAiAkEXn</httpdPassword>
<httpdPort>2812</httpdPort>
<httpdAllow/>
<mmonitUrl/>
<mmonitTimeout>5</mmonitTimeout>
<mmonitRegisterCredentials>1</mmonitRegisterCredentials>
</general>
<alert uuid="f3495c7f-ff9c-4a8b-be2f-e75c627039ce">
<enabled>0</enabled>
<recipient>root@localhost.local</recipient>
<noton>0</noton>
<events/>
<format/>
<reminder>10</reminder>
<description/>
</alert>
<service uuid="33831b6c-0d98-4b91-a828-ff03b2c3a597">
<enabled>1</enabled>
<name>$HOST</name>
<type>system</type>
<pidfile/>
<match/>
<path/>
<address/>
<interface/>
<start/>
<stop/>
<tests>a2b62f7d-bbfd-41f2-9f2b-b82f1d7bbc02,5fbbb3c7-fa5f-4f1c-b4a7-ef367d91b058,47f478c9-445a-4f08-92d4-95d37838db05,90e7f3da-674b-4f90-881d-9a6095c07481</tests>
</service>
<service uuid="5e4b9a22-5b9f-4413-9609-ffcdcc6790bd">
<enabled>1</enabled>
<name>RootFs</name>
<type>filesystem</type>
<pidfile/>
<match/>
<path>/</path>
<address/>
<interface/>
<start/>
<stop/>
<tests>3fbe0b64-1883-4113-9fe0-75d649e612a0</tests>
</service>
<test uuid="5c2e4c53-c349-4db6-8862-10965175318a">
<name>Ping</name>
<condition>failed ping</condition>
<action>alert</action>
<path/>
</test>
<test uuid="23f6d59e-1751-49b8-9003-b2f2a23bd436">
<name>NetworkLink</name>
<condition>failed link</condition>
<action>alert</action>
<path/>
</test>
<test uuid="fc73c27a-598b-4000-a3af-3f9c1ce24c55">
<name>NetworkSaturation</name>
<condition>saturation is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="a2b62f7d-bbfd-41f2-9f2b-b82f1d7bbc02">
<name>MemoryUsage</name>
<condition>memory usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="5fbbb3c7-fa5f-4f1c-b4a7-ef367d91b058">
<name>CPUUsage</name>
<condition>cpu usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
<test uuid="47f478c9-445a-4f08-92d4-95d37838db05">
<name>LoadAvg1</name>
<condition>loadavg (1min) is greater than 2</condition>
<action>alert</action>
<path/>
</test>
<test uuid="90e7f3da-674b-4f90-881d-9a6095c07481">
<name>LoadAvg5</name>
<condition>loadavg (5min) is greater than 1.5</condition>
<action>alert</action>
<path/>
</test>
<test uuid="b05beee5-dc48-485a-b385-deecdac44e89">
<name>LoadAvg15</name>
<condition>loadavg (15min) is greater than 1</condition>
<action>alert</action>
<path/>
</test>
<test uuid="3fbe0b64-1883-4113-9fe0-75d649e612a0">
<name>SpaceUsage</name>
<condition>space usage is greater than 75%</condition>
<action>alert</action>
<path/>
</test>
</monit>
<proxy version="1.0.1">
<general>
<enabled>0</enabled>
<icpPort/>
<logging>
<enable>
<accessLog>1</accessLog>
<storeLog>1</storeLog>
</enable>
<ignoreLogACL/>
<target/>
</logging>
<alternateDNSservers/>
<dnsV4First>0</dnsV4First>
<forwardedForHandling>on</forwardedForHandling>
<uriWhitespaceHandling>strip</uriWhitespaceHandling>
<useViaHeader>1</useViaHeader>
<suppressVersion>0</suppressVersion>
<VisibleEmail>admin@localhost.local</VisibleEmail>
<VisibleHostname/>
<cache>
<local>
<enabled>0</enabled>
<directory>/var/squid/cache</directory>
<cache_mem>256</cache_mem>
<maximum_object_size/>
<size>100</size>
<l1>16</l1>
<l2>256</l2>
<cache_linux_packages>0</cache_linux_packages>
<cache_windows_updates>0</cache_windows_updates>
</local>
</cache>
<traffic>
<enabled>0</enabled>
<maxDownloadSize>2048</maxDownloadSize>
<maxUploadSize>1024</maxUploadSize>
<OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
<perHostTrotteling>256</perHostTrotteling>
</traffic>
</general>
<forward>
<interfaces>lan</interfaces>
<port>3128</port>
<sslbumpport>3129</sslbumpport>
<sslbump>0</sslbump>
<sslurlonly>0</sslurlonly>
<sslcertificate/>
<sslnobumpsites/>
<ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
<sslcrtd_children>5</sslcrtd_children>
<snmp_enable>0</snmp_enable>
<snmp_port>3401</snmp_port>
<snmp_password>public</snmp_password>
<ftpInterfaces/>
<ftpPort>2121</ftpPort>
<ftpTransparentMode>0</ftpTransparentMode>
<addACLforInterfaceSubnets>1</addACLforInterfaceSubnets>
<transparentMode>0</transparentMode>
<acl>
<allowedSubnets/>
<unrestricted/>
<bannedHosts/>
<whiteList/>
<blackList/>
<browser/>
<mimeType/>
<safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
<sslPorts>443:https</sslPorts>
<remoteACLs>
<blacklists/>
<UpdateCron/>
</remoteACLs>
</acl>
<icap>
<enable>0</enable>
<RequestURL>icap://[::1]:1344/avscan</RequestURL>
<ResponseURL>icap://[::1]:1344/avscan</ResponseURL>
<SendClientIP>1</SendClientIP>
<SendUsername>0</SendUsername>
<EncodeUsername>0</EncodeUsername>
<UsernameHeader>X-Username</UsernameHeader>
<EnablePreview>1</EnablePreview>
<PreviewSize>1024</PreviewSize>
<OptionsTTL>60</OptionsTTL>
<exclude/>
</icap>
<authentication>
<method/>
<realm>OPNsense proxy authentication</realm>
<credentialsttl>2</credentialsttl>
<children>5</children>
</authentication>
</forward>
<pac/>
</proxy>
<ARPscanner version="1.0.0">
<general>
<interface>lan</interface>
<networks/>
</general>
</ARPscanner>
<TrafficShaper version="1.0.2">
<pipes/>
<queues/>
<rules/>
</TrafficShaper>
<vnstat>
<general version="0.0.1">
<enabled>0</enabled>
<interface/>
</general>
</vnstat>
</OPNsense>
<cert>
<refid>5c0aa093e5cf0</refid>
<descr>Web GUI SSL certificate</descr>
<crt>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</crt>
<prv>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</prv>
</cert>
<ppps/>
<staticroutes version="1.0.0"/>
</opnsense>
{
"brand": "bhyve",
"vcpus": 1,
"vnc_port": -1,
"disks": [
{
"boot": true,
"model": "virtio",
"media": "disk",
"size": 25600,
"compression": "lz4",
"block_size": 8192
}
],
"nics": [
{
"vlan_id": 5,
"nic_tag": "trunk",
"ip": "dhcp",
"ips": [
"dhcp",
"addrconf"
],
"model": "virtio",
"allow_dhcp_spoofing": true,
"allow_ip_spoofing": true,
"allow_mac_spoofing": true,
"allow_restricted_traffic": true,
"primary": true
},
{
"vlan_id": 100,
"nic_tag": "trunk",
"ip": "dhcp",
"ips": [
"dhcp",
"addrconf"
],
"model": "virtio",
"allow_dhcp_spoofing": true,
"allow_ip_spoofing": true,
"allow_mac_spoofing": true,
"allow_restricted_traffic": true
}
],
"bootrom": "uefi",
"ram": 1024
}
[hyperon :: sjorge][~/Desktop]
[!]$ diff -u broken_TSO_LRO_CSUM.xml working_NO_TSO_LRO_CSUM.xml
--- broken_TSO_LRO_CSUM.xml 2018-12-07 18:52:51.000000000 +0100
+++ working_NO_TSO_LRO_CSUM.xml 2018-12-07 18:52:51.000000000 +0100
@@ -240,6 +240,9 @@
</nextcloud>
</backup>
<language>en_US</language>
+ <disablechecksumoffloading>1</disablechecksumoffloading>
+ <disablesegmentationoffloading>1</disablesegmentationoffloading>
+ <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
</system>
<interfaces>
<wan>
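Review bot: the three keys added after <language> switch off checksum, segmentation and large-receive offloading all at once, so the broken/working pair does not show which of the three offloads actually matters; a follow-up diff with only <disablesegmentationoffloading> and <disablelargereceiveoffloading> set to 1, leaving <disablechecksumoffloading> out, would tell whether the checksum setting is needed at all.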
@@ -371,7 +374,7 @@
</widgets>
<revision>
<username>(system)</username>
- <time>1544203641.0953</time>
+ <time>1544204779.0319</time>
<description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
</revision>
<OPNsense>
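Review bot: the only change in this hunk is the <time> value inside <revision>, which is updated on every config save; it is backup metadata rather than a setting, so it can be ignored when comparing the two files (the surrounding <widgets> and <OPNsense> sections are unchanged).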
@pfmooney are you able to recreate it with this information?
Be sure to upgrade to today’s release as there is an extra fix in it that also properly disables csum for ipv6, which got left at the negotiated value before. (No change in behavior though)
@sjorge I came across this thread while trying to figure out why NFS write performance is so much slower from a Debian bhyve VM as opposed to a native SmartOS zone. The NFS server is a Triton volume on a different compute node. I wanted to test out some of the NIC settings you found that worked around this issue for you but I'm not able to change them because they're fixed. For example:
root@worker-1:~# ethtool -K net1 tso on
Actual changes:
tx-tcp-segmentation: off [requested on]
tx-tcp-ecn-segmentation: off [requested on]
tx-tcp-mangleid-segmentation: off [requested on]
tx-tcp6-segmentation: off [requested on]
Could not change any device features
How were you able to set yours?
I was able to change those on opnsense at least.
I don't remember if that was with virtio or e1000 nic type though.
@sjorge Ok. The VM defaulted to virtio. I also tried updating the driver via vmadm update to e1000, e10000, vmxnet3, etc. and rebooting but it still didn't allow me to change any of those settings. https://smartos.org/bugview/OS-6794 makes it seem like you should be able to from what I can tell.
Been struggling with this for a bit and I poked @pfmooney this on IRC already. Opening a ticket to write everything down.
I have 2 CNs, one that runs bhyve only and one that runs zones only (this split is because of other networking issues between zone -> bhyve on the same CN that are out of scope of this).
I have the following VM:
Traffic to/from a VM is fine as long as the destination is outside of the CN.
Traffic between VMs on the same CN is not.
Only TCP traffic seems to be affected and UDP/ICMP are working fine.
I found a workaround but this is not ideal. Disabling LSO and TSO seems to fix the problem. At least on FreeBSD and Windows 10.
Setting these 2 settings to disabled makes the traffic OK:
Likewise for FreeBSD removing the LRO and TSO flags for the interface using ifconfig makes everything OK, although sometimes that does not seem to take effect and I need to reboot and try again.
Setting the following in the loader config and rebooting has 100% success rate.
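The two in-guest checks that come up in this thread, the FreeBSD ifconfig workaround above and the Linux ethtool "Could not change any device features" case in the Debian comment, as an added example that is not code from the issue author, SmartOS or OPNsense. It parses captured `ethtool -k` and `ifconfig` output, lists the offload features a Linux driver reports as fixed (those cannot be switched off from inside the guest), and builds the ifconfig(8) command that clears whatever TSO/LRO/checksum offload a vtnet interface still has enabled. The interface names, addresses and both sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue thread, SmartOS or OPNsense): read offload
# state from captured tool output and decide how the TSO/LRO workaround can be
# applied. Both sample dumps below are constructed, not captured from the
# systems discussed in the thread.

# Constructed sample of `ethtool -k net1` from a Linux guest whose virtio
# driver reports the segmentation features as fixed.
ETHTOOL_SAMPLE='Features for net1:
rx-checksumming: on [fixed]
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
tcp-segmentation-offload: off
    tx-tcp-segmentation: off [fixed]
    tx-tcp6-segmentation: off [fixed]
generic-segmentation-offload: on
large-receive-offload: off [fixed]'

# Constructed sample of `ifconfig vtnet1` from a FreeBSD guest with TSO, LRO
# and checksum offload still enabled (documentation MAC/IP ranges).
IFCONFIG_SAMPLE='vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:5e:00:53:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet 10Gbase-T <full-duplex>
    status: active'

# List the feature names ethtool marks as [fixed], one per line. A fixed
# feature is refused by `ethtool -K`, so the guest cannot change it itself
# and the offload has to be dealt with on the host or in the VM definition.
ethtool_fixed_features() {
    printf '%s\n' "$1" | awk -F: '/\[fixed\]/ { gsub(/^[ \t]+/, "", $1); print $1 }'
}

# Extract the TSO/LRO/checksum flags from the options=<...> line of an
# ifconfig dump, comma-separated in the order ifconfig printed them.
vtnet_offload_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^(TSO4|TSO6|LRO|RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6)$' \
        | paste -s -d ',' -
}

# Build the ifconfig(8) command that clears whichever of those offloads is on
# (-tso covers both TSO4 and TSO6). Prints nothing when all are already off.
vtnet_disable_cmd() {
    ifname=$1
    flags=",$(vtnet_offload_flags "$2"),"
    args=""
    case "$flags" in *,TSO4,*|*,TSO6,*) args="$args -tso" ;; esac
    case "$flags" in *,LRO,*)           args="$args -lro" ;; esac
    case "$flags" in *,RXCSUM,*)        args="$args -rxcsum" ;; esac
    case "$flags" in *,TXCSUM,*)        args="$args -txcsum" ;; esac
    case "$flags" in *,RXCSUM_IPV6,*)   args="$args -rxcsum6" ;; esac
    case "$flags" in *,TXCSUM_IPV6,*)   args="$args -txcsum6" ;; esac
    if [ -n "$args" ]; then
        printf 'ifconfig %s%s\n' "$ifname" "$args"
    fi
}

# Demonstration on the constructed samples.
echo "ethtool features that cannot be changed inside the guest:"
ethtool_fixed_features "$ETHTOOL_SAMPLE"
echo "ifconfig command that would clear offloads on the FreeBSD guest:"
vtnet_disable_cmd vtnet1 "$IFCONFIG_SAMPLE"
```

The ifconfig change is runtime-only, which is why the thread falls back to loader tunables for a reboot-proof setting; the script only prints the command so the operator can review it against the real `ifconfig` output before running it. On the Linux side, a non-empty fixed list is the signal that the in-guest route is closed and the offload has to be changed at the NIC definition instead.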