This article focuses on optimizing FnOS. For instructions on installing FnOS on PVE or a physical machine, please see the previous article.
Network Optimization
The following optional steps can improve network throughput and privacy.
Execute this script to enable the BBR congestion control algorithm:
cat > /etc/sysctl.d/99-enable-bbr.conf <<EOF
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
Apply the BBR configuration without rebooting:
sysctl -p /etc/sysctl.d/99-enable-bbr.conf
Execute this script to enable modern IPv6 privacy address standards (RFC 7217 and RFC 4941):
cat > /etc/sysctl.d/99-enable-private-ipv6.conf <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.addr_gen_mode=1
net.ipv6.conf.default.addr_gen_mode=1
EOF
Apply the sysctl configuration:
sysctl -p /etc/sysctl.d/99-enable-private-ipv6.conf
🚨 Warning: Do not use the “EUI-64” option in the FnOS web interface. Doing so will negate these privacy enhancements by exposing the device’s MAC address in its IPv6 address.
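The exposure described in the warning above can be checked from ip a output once the interface has been reset. The following is an added example, not part of the original article: it flags any IPv6 address whose interface identifier is the NIC's own MAC in modified EUI-64 form. The sample output, the interface name ens18 and the MAC address are constructed.

```python
import ipaddress
import re

# Constructed sample of `ip a` output (documentation prefix 2001:db8::/32, made-up MAC).
SAMPLE = """\
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether bc:24:11:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1:2:be24:11ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:2:5c1d:9a7e:44b0:1f3c/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::6f0a:33d1:9e27:b5c4/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

def eui64_mac(addr):
    """Return the MAC encoded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr.split("/")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe between the MAC halves
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(ip_a_text):
    """Return (ifname, address, kind) for every inet6 line of `ip a` output."""
    rows, ifname, link_mac = [], None, None
    for line in ip_a_text.splitlines():
        if m := re.match(r"\d+: ([^:@]+)", line):
            ifname, link_mac = m.group(1), None
        elif m := re.match(r"\s+link/ether ([0-9a-f:]{17})", line):
            link_mac = m.group(1)
        elif m := re.match(r"\s+inet6 (\S+) scope \S+(.*)", line):
            addr, flags = m.group(1), m.group(2).split()
            # ff:fe can occur by chance in a random ID, so confirm against the NIC's MAC
            if link_mac and eui64_mac(addr) == link_mac:
                kind = "EUI-64 (exposes MAC)"
            elif "temporary" in flags:
                kind = "temporary (RFC 4941)"
            else:
                kind = "not MAC-derived"
            rows.append((ifname, addr, kind))
    return rows

if __name__ == "__main__":
    for ifname, addr, kind in audit(SAMPLE):
        print(f"{ifname:8} {addr:45} {kind}")
```

On a live system, pass the text of ip a to audit() instead of SAMPLE; no row should be reported as EUI-64 after the privacy settings are active.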
Applying Network Changes
To activate the new IPv6 address settings, the network interface must be reset. This can be done with nmcli without a full system reboot.
🚨 Important: Execute these commands from the PVE web console (Xterm.js), as running them over SSH will cause a disconnection due to the IPv6 address change and may not be recoverable.
Step 1: Identify the Connection Name
List all active connections to find the name of your primary interface.
nmcli connection show
The output will list available connections. Note the name of your Ethernet connection, which is often "Wired connection 1".
Step 2: Reset the Connection
Use the identified name to restart the network interface:
nmcli connection down "Wired connection 1" && nmcli connection up "Wired connection 1"
The network interface will restart. You can confirm the new IPv6 address configuration using ip a or in the Summary page for the VM in the PVE web console.
Enabling IPv6 Router Advertisements (RA) for Hosted Virtual Machines
To allow VMs hosted inside FnOS to also acquire IPv6 addresses via SLAAC, the RA settings of FnOS must be changed:
cat > /etc/sysctl.d/99-virtual-machine.conf <<EOF
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
EOF
sysctl -p /etc/sysctl.d/99-virtual-machine.conf
Enabling Memory and CPU Hot-plug as a PVE/QEMU Guest
Modify /etc/default/grub to enable memory hot-plug:
- GRUB_CMDLINE_LINUX="modprobe.blacklist=pcspkr"
+ GRUB_CMDLINE_LINUX="modprobe.blacklist=pcspkr memhp_default_state=online"
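Review bot: the new GRUB_CMDLINE_LINUX value only reaches the kernel after the GRUB configuration is regenerated from /etc/default/grub (update-grub on Debian-based systems) and the guest boots with it, and the steps here do not include that. Add the regeneration step before the shutdown, and after the next boot confirm that memhp_default_state=online appears in /proc/cmdline.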
Create a UDEV rule to enable CPU hot-plug:
cat > /lib/udev/rules.d/80-hotplug-cpu.rules <<EOF
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
EOF
Shut down the virtual machine.
In the PVE web console, on the Processor page, check “Enable NUMA”.
In the PVE web console, on the Options page, check Memory and CPU in the “Hotplug” options list.