Messages - Steve28

#16
Even when I dump all rules via command line there are no rules for port 5353 at all....
#17
First make an override in Unbound DNS -> Overrides.  At that point I think it would be easier to set up whatever IP you are forwarding to just listen on port 80 and/or 443.    The other option is to use NAT to port forward.

Just FYI chrome has the certificates for all google domains pinned.  That means no chromium based browser will allow what you are trying to do.
#18
You know, I see this occasionally as well.  I have a catch-all allow any to any on my LAN interface as well.  And every now and then something hits the default deny rule.  I have not been able to figure out why either.
#19
20.1 Legacy Series / Re: DNS servers for kids iPad
June 03, 2020, 03:21:19 PM
The 192.168.*.* address will not show on the WAN interface because NAT will have already converted it to your WAN IP before the filters. You need to look at the LAN interface.

OR

Is there a site you know should be blocked?  Put your kid's Safari in private mode (to keep it out of the history) and try to go there.  Then try from another computer.
#20
Can someone help me understand how the mDNS repeater plays into firewall rules? 

I have two networks LAN and IoT.  LAN can access IoT without restriction.  IoT has a Block any to LAN and Block any to This Firewall.  However mDNS repeater is still working as I can see the mDNS advertisements from devices that are on the IoT network.

How is this possible?  I don't see any automatic rules.  Sorry if this is a newbie question..
#21
I understand, thank you.

Maybe you can offer a suggestion then.  I am trying to properly firewall an IoT network.  I would like the devices to have unrestricted access to the internet, but not be able to access the LAN, or the OPNSense GUI, ssh on the router, etc.

I have two networks: LAN and IoT. For the IoT network I have these rules:

- Pass from any UDP to IoT address port 53 (for DNS)
- Block from any to LAN net
- Block from any to This Firewall
- Pass from IoT net to any (internet access)

Which seems to do what I want, but the only issue is there seems to be a bunch of ICMP packets aimed at the IoT address.  I'm assuming some of my devices are pinging for connectivity or similar.  Should I just ignore that or let just ICMP stuff in?
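The rule set in this post is evaluated top to bottom with first match winning, so an ICMP echo aimed at the IoT interface address is decided by "Block from any to This Firewall" before the final pass rule is ever reached. The following first-match evaluator is an added example, not code from the poster or from OPNsense; the addresses, the host names and the extra ICMP rule in the test are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (assumptions, not the poster's real addresses)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.2.0/24")
IOT_ADDRESS = ipaddress.ip_address("192.168.2.1")
# "This Firewall" means every address assigned to any interface of the box
THIS_FIREWALL = {ipaddress.ip_address("192.168.1.1"), IOT_ADDRESS}

def in_scope(scope, addr):
    """True when addr falls inside a rule's source/destination scope."""
    if scope == "any":
        return True
    if scope == "This Firewall":
        return addr in THIS_FIREWALL
    if isinstance(scope, ipaddress.IPv4Address):
        return addr == scope
    return addr in scope  # scope is a network

# The poster's four IoT-interface rules, in order: (action, proto, src, dst, dport)
IOT_RULES = [
    ("pass",  "udp", "any",   IOT_ADDRESS,     53),
    ("block", "any", "any",   LAN_NET,         None),
    ("block", "any", "any",   "This Firewall", None),
    ("pass",  "any", IOT_NET, "any",           None),
]

def decide(rules, proto, src, dst, dport=None):
    """Return (action, rule_index) of the first matching rule, or
    ("block", None) for the implicit default deny when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "any" and rproto != proto:
            continue
        if not in_scope(rsrc, src) or not in_scope(rdst, dst):
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "block", None

if __name__ == "__main__":
    print(decide(IOT_RULES, "udp", "192.168.2.50", "192.168.2.1", 53))    # DNS: pass, rule 0
    print(decide(IOT_RULES, "icmp", "192.168.2.50", "192.168.2.1"))       # ping gateway: block, rule 2
    print(decide(IOT_RULES, "tcp", "192.168.2.50", "192.168.1.10", 443))  # to LAN host: block, rule 1
    print(decide(IOT_RULES, "tcp", "192.168.2.50", "203.0.113.10", 443))  # to internet: pass, rule 3
```

To let the IoT devices ping their gateway, a pass rule for ICMP from IoT net to IoT address has to sit above the "This Firewall" block; anything placed below it never matches.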
#22
If I understand you correctly, that means by installing 4.11.0.6, I am automatically getting the boost frequency without taking any other action?

Also, any insight into the other questions?
#23
So if I am configuring the firewall rules for LAN, for example, in those rules "This Firewall" would be all of the addresses assigned to the LAN interface?
#24
Quote from: hbc on May 30, 2020, 11:11:28 PM
You can check them in firewall/diagnostics/pfTables. There should be two autogenerated aliases: one for IPv4 and one for IPv4.

Hmm... It's not there on my system
#25
I have an APU2C4 that I have been using for a few years with pfSense.  I recently moved to OPNSense, and in the process of building the new system I wanted to make sure to optimize performance, so I stumbled upon this thread as well as the https://teklager.se/en/knowledge-base/opnsense-performance-optimization/ link.  I have the latest mainline BIOS installed:

PC Engines apu2
coreboot build 20202604
BIOS version v4.11.0.6
The TekLager site suggests setting both net.inet.tcp.tso and net.inet.udp.checksum to 1, but they were already set this way on my fresh OPNSense 20.1 install.  Presumably this is reflected with the checkboxes in Interfaces->Settings with both Disable hardware checksum offload and Disable hardware TCP segmentation offload being unchecked.

Teklager also suggests setting the following:

hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"
legal.intel_igb.license_ack="1"

However, when I do that, I see the following during bootup:
sysctl: oid 'hw.igb.rx_process_limit' is a read only tunable
sysctl: Tunable values are set in /boot/loader.conf
sysctl: oid 'hw.igb.tx_process_limit' is a read only tunable
sysctl: Tunable values are set in /boot/loader.conf

So here come the questions:

  • Does the above text mean that these are not applied?
  • ...and is there some way to GET them to apply?
  • In Interfaces->Settings there is an option for Disable hardware large receive offload that is currently CHECKED.  Should I leave it that way?
  • The TekLager site also mentions the CPU boost available to 1.4 GHz in the firmware.  I found on a separate site that I need to set hint.p4tcc.0.disabled=1, hint.acpi_throttle.0.disabled=1, and hint.acpi_perf.0.disabled=1.  Any reason I should NOT do that?

Thanks!
#26
Is it all IPs associated with each interface?

If I have an IoT network and I have a firewall rule set to block any to "This firewall" does that have downsides I need to workaround?
#27
20.1 Legacy Series / Re: IPv6 Setup questions
May 27, 2020, 09:52:02 PM
Thanks much, @marjohn56 !
#28
20.1 Legacy Series / Re: IPv6 Setup questions
May 27, 2020, 09:31:31 PM
Quote from: marjohn56 on May 27, 2020, 07:30:45 PM
how long's a piece of string?
long enough  8)
Quote
The default automatic mode is judged to be the optimal for a simple setup, but that's only in the opinion of whoever designed it that way. You can tailor it to your needs, but as only you know what your needs are .....😊
Is the default mode "Managed" or "Assisted"?
#29
20.1 Legacy Series / Re: IPv6 Setup questions
May 27, 2020, 06:41:08 PM
Thanks for the info.  I guess my question is what is a "Standard" IPv6 deployment... is it Managed?  What is a disadvantage of going SLAAC only on the LAN?

Quote from: marjohn56 on May 27, 2020, 05:43:40 PM
If you look in the Rules you'll see that there are 'Automatically generated rules', these can be expanded by clicking the expand button to the right of that text.

Right - however, there are no rules allowing ICMP traffic in the WAN appearing in the automatically generated list.  My question is: does ICMPv6 get auto-allowed on the WAN when Firewall->Settings->Advanced "Allow IPv6" is checked?  Should I add one?  My understanding is this is required for proper functioning of IPv6.
#30
20.1 Legacy Series / IPv6 Setup questions
May 27, 2020, 04:04:14 PM
Long time pfSense user setting up OPNSense for the first time...

- My ISP gives me a /56 which I use for two LANs
- WAN interface gets an IPv6 address from the ISP via DHCPv6
- My LAN interfaces are set to track the WAN

With this, everything works.  Computers on the LANs get IPv6 addresses and it's good.

With this setup, it appears DHCPv6 is active on the LANs as well, and the interface doesn't appear under Services->DHCPv6.  That surprised me, as in pfSense you would have to manually set that up if you wanted it.  How does this work with SLAAC?  Is this a "normal" setup?  I thought one of the main features of IPv6 is that it is more set up to "just work" without the need for DHCP.  Essentially I am asking what the default setup is for IPv6 on LAN when "Track Interface" is used and all other settings are left default.

With regard to firewall rules: I know that ICMP is heavily used in DHCP.  Do I need to set up WAN rules to allow that traffic, or is that automagically configured somewhere?  I don't see that in the automatic rules list.