OPNsense Discussions

woshiitcy

so n100 can't even saturate the 2.5Gbps ports?
A bit late... but
N100 can easily saturate 2.5Gbps port.


ISP: Starhub 5Gbps Plan
Hardware: N100 with 4 x 2.5Gbps port (32GB RAM)
Setup:
OPNsense is virtualised with NIC passthrough to the VM
Host: Proxmox 8.4.1
VM: OPNsense 25.1.8_1 - 4CPU/8GB RAM
* Host is running my 'logging' vm and pihole container as well


Speedtest Able to hit ~2.35Gbps
https://www.speedtest.net/result/c/d4616aad-c60b-4f5a-a798-884e6efe0e11
Highest CPU was around 70% ~


iPerf test over WireGuard S2S VPN to my friend's house:
Friend ISP: Starhub 5Gbps Plan
Friend Router: Asus BT-10
Server Machine: Virtualised Host (i5-8500T), with the VM (5 CPU Core and 24GB RAM)
Client Machine: i7-8700 Truenas

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 501 MBytes 421 Mbits/sec 299 sender
[ 5] 0.00-10.01 sec 500 MBytes 420 Mbits/sec receiver
[ 7] 0.00-10.00 sec 319 MBytes 267 Mbits/sec 112 sender
[ 7] 0.00-10.01 sec 318 MBytes 267 Mbits/sec receiver
[ 9] 0.00-10.00 sec 709 MBytes 595 Mbits/sec 903 sender
[ 9] 0.00-10.01 sec 707 MBytes 593 Mbits/sec receiver
[ 11] 0.00-10.00 sec 600 MBytes 503 Mbits/sec 468 sender
[ 11] 0.00-10.01 sec 597 MBytes 501 Mbits/sec receiver
[ 13] 0.00-10.00 sec 409 MBytes 343 Mbits/sec 249 sender
[ 13] 0.00-10.01 sec 408 MBytes 342 Mbits/sec receiver
[SUM] 0.00-10.00 sec 2.48 GBytes 2.13 Gbits/sec 2031 sender
[SUM] 0.00-10.01 sec 2.47 GBytes 2.12 Gbits/sec receiver


Highest CPU is around 80% ~
Do take note that when I was doing this test previously, I was only able to get 1.25Gbps.
After upgrading from OPNsense 23.x to 25.x, big improvement seen in WireGuard. Believe this is due to the FreeBSD updates, something to do with the kernel iirc.
 

xiaofan

Poorman's home lab playground with a PC with single network card, running Proxmox PVE, OPNsense, Tailscale and Linux VMs (or other VMs).

The tip is using a PVE VLAN for the OPNsense LAN interface, while using the physical LAN for the OPNsense WAN interface.

I will still recommend using a PC with at least two network interface cards though.

Edit: I just found out that I posted the same thing before in this thread.

 

xiaofan

Updating an OPNsense installation can be a lengthy process if you miss a few major version updates.

Just did the update myself.

24.7.4 --> 24.7.12
-->> 25.1 --> 25.1.11
-->> 25.7 --> 25.7.1

It can be done using WebUI but then the documentation recommends local update (with VGA console or serial console).
https://docs.opnsense.org/manual/updates.html
 

xiaofan

Interestingly, OPNsense is moving away from KEA DHCP to Dnsmasq DHCP. Usually Dnsmasq is more for DNS.
https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-dns-dhcp

Reference:
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/page-99

Interestingly, Opn is going with Dnsmasq instead of KEA. It switched to KEA with v.24.1 until it moved with v.25.7.

I was resisting the move to KEA because it was feature incomplete. Now I'm not sure about Dnsmasq.

I just go with what ISC (Internet Systems Consortium) recommends. Ars Technica has a few good articles on Kea DHCP worth checking out.

If you are building a homelab, I guess it is fine for either since nothing breaking or mission critical.

I did read the Opn documentation and note that they did state Kea is better for larger scale deployments, so it appears Opn seems to be targeting the homelab market more?

Just shared cos it seems like another fork here - approach to DHCP.
 

xiaofan

1) OPNsense -- using KEA DHCP
https://docs.opnsense.org/manual/kea.html

Kea is the next generation of DHCP software, developed by Internet Systems Consortium (ISC).

It is considered the replacement for ISC-DHCP in larger HA enabled setups and synergizes well with radvd for HA enabled router advertisements.

Currently it is not possible to register hostnames dynamically between KEA and Unbound, only static reservations will be synchronized on an Unbound service restart.


2) OPNsense -- using Dnsmasq DHCP
Dnsmasq is the perfect DHCP server for small and medium sized setups (less than 1000 unique clients). The configuration is straightforward, and since it can register the DNS names of leases, it can replicate the simplicity known from consumer routers.

If HA for DHCP is a requirement, split pools can be configured for two Dnsmasq instances. With a dhcp reply delay, the secondary instance will only answer when the first instance is unresponsive. DHCPv6 and Router Advertisements are also an option for small HA setups that do not have fast failover requirements, as IPv6 failover can take up to 30 seconds with available configuration options.

For larger enterprise setups, KEA DHCP can be a viable alternative. It supports lease synchronisation via REST API, which means both DHCP servers keep track of all existing leases and do not need split pools. It is also far more scalable if there are thousands of leases.

The tradeoff using KEA DHCP is a more complicated setup, especially when custom DHCP options are needed. DNS registration is also not possible.

With this in mind, pick the right choice for your setup. When in doubt, our advice is to use Dnsmasq.
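
The split-pool arrangement described in the documentation quoted above, written out as raw dnsmasq directives. This is an added example, not part of the thread or the OPNsense documentation; OPNsense sets these values through its GUI, and the subnet, addresses, interface name, MAC address and delay value are constructed for illustration.

```conf
# ---- Instance A (primary) -------------------------------------------
# Hypothetical LAN interface name
interface=igc1
# Primary pool: the larger share of 192.168.1.0/24
dhcp-range=192.168.1.100,192.168.1.179,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
# Static reservation (constructed MAC); must be identical on both
# instances, because the two servers do not share lease state
dhcp-host=00:11:22:33:44:55,192.168.1.10,nas

# ---- Instance B (secondary) -----------------------------------------
interface=igc1
# Secondary pool: must not overlap the primary pool, otherwise both
# servers can hand out the same address to different clients
dhcp-range=192.168.1.180,192.168.1.199,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
dhcp-host=00:11:22:33:44:55,192.168.1.10,nas
# Wait this many seconds before replying, so the primary normally
# answers first and this instance only serves clients when it is down
dhcp-reply-delay=3
```

The secondary pool only needs to be large enough to cover clients that request or renew a lease while the primary is unreachable.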
 

woshiitcy

Used this tool for the migration of static leases
https://github.com/EasyG0ing1/Migration

was on 25.1.8_1 when doing it
 

xiaofan

Just did a fresh virtual OPNsense 25.7 installation and it indeed uses Dnsmasq as the DHCP server.

DNS -- Unbound + Dnsmasq
DHCP v4 -- Dnsmasq

But somehow DHCPv6 is still from ISC DHCPv6. For this installation I do not have IPv6 so I just disabled it.
 

xiaofan

Updated one simple installation of OPNsense VM from 25.7 to 25.7.11 and then to 26.1.

This one is behind the main OpenWRT router (Double NAT) and only for internal testing.

I am using the following settings and all seem to work fine.
DNS -- Dnsmasq
DHCP v4 -- Dnsmasq
No IPv6
 

xiaofan

Just set up a new OPNsense 26.1 VM which is directly connected to the Internet via a 1Gbps upstream.

Not doing much now.

DNS -- Unbound + Dnsmasq, Unbound block list is working (tested using https://adblock.turtlecute.org/)
DHCP v4 -- Dnsmasq
DDNS -- DuckDNS is working

Need to try the following.
1) Tailscale overlay VPN
2) Wireguard VPN
3) Singtel native IPv6.
 