OPNsense Forum
English Forums => Hardware and Performance => Topic started by: tl5k5 on May 03, 2018, 08:44:56 pm
-
Anyone used Qotom Q310G4 hardware? https://amzn.to/2JOmGP0
AliExpress: https://bit.ly/2KtOSrz
Does the WIFI work well?
Thanks!
-
I've reached out to Qotom, and they say the Q310G4 will work with pfsense/FreeBSD.
It's been ordered and I'll reply with what I find after it's configured.
-
It will, several of us use them - however you will probably struggle to get the wifi card to work.
-
Got it working.
I'm not a router expert, so I'm not saying it's right...just working.
Here's what I did.
Port1 (eth0) = WAN
Port2 (eth2) = LAN1
Port3 (eth3) = LAN2
Port4 (eth1) = LAN3
ath0 = WIFI
bridge0 = bridge
LAN1: official "LAN" connection with static IP. x.x.x.1
LAN2,3, and WIFI are individual interfaces with no IPs.
bridge: contains LAN1-3 and WIFI. It has a static IP. x.x.x.2
DHCP is attached to the bridge since I could not get LAN1 to give addresses across interfaces when it was running DHCP. Any suggestions?
I think it would be nice to enable a bridge to be the official "LAN" connection and not a physical port. This way a single interface could handle the anti-lockout rule and DHCP across a bridged network.
I'm willing to take criticism and suggestions.
Thanks!
-
You can, that's how mine is done. I have three physical LAN ports all into the LAN bridge. The LAN bridge contains the IP, not the physical port.
(https://preview.ibb.co/hbsSRT/Capture.png) (https://ibb.co/m6wAfo)
-
I had the exact setup you have above, but the auto generated Anti-Lockout Rule only applies to the original physical LAN that's used for the initial setup. That was causing me some issues, so I set it up the way I have it now.
Is there a way to set up the Anti-Lockout Rule to apply to the Bridge interface?
Thanks!
-
When you create the bridge, first assign the two unused NICs to the bridge, do not change the the physical NIC port your pc is connected to at that point. Next re-assign the LAN to the bridge interface, you'll appear to lose the connection, at this point you need to connect your physical LAN cable to one of the two NICs assigned to the bridge, wait about 30 seconds, refresh your browser and you should be back in business, now add the third NIC to your bridge and you are done.
-
Sounds similar to what I've already done.
I'll give it a shot and see how it goes.
Thanks!
-
Some questions:
Is your DHCP on the bridge/LAN or on a igbx port??
If it's on the bridge, what did you do with the original static IP assigned to the igbx port? Change to none? What does the firewall rule for that original igbx port look like?
Thanks!
-
It's on the Bridge, all three of my ports go in difference directions and dhcp is available on all of them.
All the OPTx Interfaces should look like this -
(https://preview.ibb.co/kC9UD8/Capture.png)
There is no IP address, only the Bridge gets that:
(https://preview.ibb.co/fZQfLo/Capture.png)
-
Ok...I guess I had it 92% there. I set LAN1 to no IP and all seems to work this time.
Don't really remember what the issues were the first time I tried this. Do I need to worry about the Anti-Lockout Rule on LAN1?
Everything seems to work as-is, so I guess not.
BTW...how do you apply the dark theme?
Thanks for all the help!!!
-
No need to worry about the lockout, that's on the LAN. The three NICs are bridged, in fact they all now have the same address. If you wish, just swap your main LAN cable between them, you'll find they all work.
There are now two dark themes, Rebellion and Cicada, Rebellion is a fairly simple theme colour change I did, Cicada is more complex and uses the abilities of the themes to a much greater degree - I did NOT do that one. :)
Go to System->Settings->General. Theme is the fifth item down, select the theme you want and apply it. Depending on the version of Opnsense you are running you may have Cicada available too. In the next release there will be another theme, Tukan - Like Cicada it's also done by René and is very cool.
-
I only have opnsense as a theme. Nothing else is listed.
I'm also running the most current stable release.
-
Have a look under System->Firmware: Plugins.
Look for OS-Theme*
Install the themes then you can select them as I previously said.
Sorry, I forgot you need to install them first. ;)
-
That was it. So much easier on my eyes!
Thanks for all the help!
-
When you create the bridge, first assign the two unused NICs to the bridge, do not change the the physical NIC port your pc is connected to at that point. Next re-assign the LAN to the bridge interface, you'll appear to lose the connection, at this point you need to connect your physical LAN cable to one of the two NICs assigned to the bridge, wait about 30 seconds, refresh your browser and you should be back in business, now add the third NIC to your bridge and you are done.
Thanks for this insight MARJOHN56, I am also setting up opnsense as router switch but have stumbled to get my LAN on more than one NIC. I understand all of it except 're-assign the LAN to the bridge interface'? Is this changing the name on LAN to something else (LAN1) AND bridge0 to LAN in the interfaces. Also when to remove the fixed IP address off the old LAN, before or after moving computer to the bridge NIC.
I have had great difficulty in the opnsense gui seeing just how LAN was linked to WAN so I Could visualise what is connected to what and change it.
-
When you create the bridge, first assign the two unused NICs to the bridge, do not change the the physical NIC port your pc is connected to at that point. Next re-assign the LAN to the bridge interface, you'll appear to lose the connection, at this point you need to connect your physical LAN cable to one of the two NICs assigned to the bridge, wait about 30 seconds, refresh your browser and you should be back in business, now add the third NIC to your bridge and you are done.
Thanks for this insight MARJOHN56, I am also setting up opnsense as router switch but have stumbled to get my LAN on more than one NIC. I understand all of it except 're-assign the LAN to the bridge interface'? Is this changing the name on LAN to something else (LAN1) AND bridge0 to LAN in the interfaces. Also when to remove the fixed IP address off the old LAN, before or after moving computer to the bridge NIC.
I have had great difficulty in the opnsense gui seeing just how LAN was linked to WAN so I Could visualise what is connected to what and change it.
Sorry if this posts twice...having serious internet latency problems...need this router workig to see why and prove it is the telco not my lan.
-
No, once you have created the bridge as I explained, go to interfaces->Assignments. On the LAN interface select the bridge as the networks port.
-
Just noticed something you wrote, you do not need to change anything on LAN settings page itself. You will see you have three OPT* interfaces, just make sure they are enabled but have no addresses set. Then add the unused OPT* to the bridge.. job done.
-
Thanks Marjohn56, that is what I did first (renamed LAN as LAN1, Then renamed LANBridge as LAN), didnt work as there is some referencing in the background that got screwed.
So have got it working, with 6 LAN connections plus 1 for WAN. Haven't tried to assign the original port (em0) back in to the bridge as first time I did that I lost all connectivity through the gui, easy recovered using backup on the console. But a bit more stable now so will do that tomorrow.
But now I have a problem that I cannot communicate between LAN router NICs. I can ping anything (that supports ping) from the OPNSense Console, put if I want to connect, say with a browser to a server on another router bridge NIC there is no connection. I can connect with other devices on the same NIC (router connects directly two switches and one AP) plus a few direct devices. I also seem to have a very slow connection ( but that may be the WAN, as soon as I move a moderate bit of data over it, latency is 1 to 8 seconds and lost packets gets as high as 18%) between LAN devices.
A single DHCP is working (part of bridge), and devices connecting OK with it and setting up IP (most static, a few dynamic), DNC and Gateway and DHCP server ok. All are connecting with internet albeit its latency issue is frustrating.
Router hardware capacity is idling so not a problem.
So is there a setting I am missing to allow all network communications between all NICs connected to the bridge.
Thanks
Ian
Sent from my SM-P585Y using Tapatalk
-
What hardware are you using?
-
So is there a setting I am missing to allow all network communications between all NICs connected to the bridge.
Hi,
if you wan't to use all brigded interfaces like an (umanaged) switch you have to change the system tunables.
https://www.infotechwerx.com/blog/Creating-a-Simple-pfSense-Bridge
best regards
Dirk
-
Good point, need to create a wiki doc for this, I'll try and do one next week.
-
Thanks again monstermania and Marjohn56. Setting those two attributes in tunables did the trick and things are working nicely (until I changed my flow in Node-red and it stopped!
I had been ignoring pfsense help and forums as opnsense was largely rewritten....but now realise menu structure is very similiar.
As for my hardware, it is a old PC, i5-2500, 8gb Ram, 120 gb ssd and a hdd, with 2 of HP NC364T quad port 4 NIC PCIe cards (and onboard realtek Ethernet and another very old fast ethernet card which I might activate). I have seen the chipsets but currently can find it again (think it was the console when running zeroshell... abandon when PPPoE would not work which appears to be a Telstra tg797n problem in the end). The HP card is Intel chipsets.
Modem now is a netgear d7000 in modem only mode, network is all on one subnet with static IP for most devices, physically the Router direct connects to a 8 port engenius switch, and a 24 port netgear switch (both have 50% PoE ports for IOT things), two engenius AP (one to router, one to Netgear switch), IP Camera and lots of end devices mostly on the switches or AP.
Although I have bridge set up as a unmanaged switch now, I am interested if there is a more efficient way to set this up. Not sure if the unmanage switches are smart enough i that they only route traffic onto the port where the device is connected...or it 'broadcasts' it on all ports hoping one has the device with that IP is connected. May i the future need to make work smarter to reduce network loading (especially if I add a few more IP cameras).
Next will be to sort out openVPN port so I can access the LAN securely from the Ethernet (via droid tablet and laptop) when away from home.
Ian
Sent from my SM-P585Y using Tapatalk
-
Wont it be easier to have only 2 ports and connect LAN port of opnsense to a switch?
Run everything off switch to get best performance?
Software bridge is not recommended most places.
-
That's the preferred method. Really depends how much traffic is on the individual ports. In my case it's Port2 _> Modem_Lan for monitoring purposes and Port1 -> rest of LAN. I could of course have put the modem onto a second network address range and achieved the same thing, but I went from using a switch to a bridge as it was quicker.
-
That's the preferred method. Really depends how much traffic is on the individual ports. In my case it's Port2 _> Modem_Lan for monitoring purposes and Port1 -> rest of LAN. I could of course have put the modem onto a second network address range and achieved the same thing, but I went from using a switch to a bridge as it was quicker.
True.
Im currently running my LAN off my Netgear router acting as a WLAN AP and switch but of course its also software switch and not actual switch.
-
Although I have bridge set up as a unmanaged switch now, I am interested if there is a more efficient way to set this up. Not sure if the unmanage switches are smart enough i that they only route traffic onto the port where the device is connected...or it 'broadcasts' it on all ports hoping one has the device with that IP is connected. May i the future need to make work smarter to reduce network loading (especially if I add a few more IP cameras).
Small (5 port) gigabit hardware switches are very cheap these days and (at least Netgear and D-Link) very reliable too. Those definitely function as you mention ie keep tables of MAC addresses reachable at each port and route traffic accordingly. Old ‘hubs’ from the days of 10 Mbit Ethernet used to broadcast indiscriminately but that was quite a while ago.
Not sure if there are many strong cases for software bridging these days given how cheap the hardware is? At least if you’re trying to minimise complexity and chances of things going wrong in connection with software updates etc...
-
Not sure if there are many strong cases for software bridging these days given how cheap the hardware is?
By the way. One big point for me is energy consumption and space! I use bridging to connect my wlan ap to OPNsense. The ap get his power by PoE from the OPNsene power supply. So i don't need an external switch that uses space an need his own power supply.
best regards
Dirk
-
Thankyou all for your help above. Switch vse hub differences was enlightening. I have now got this OPNSense router working quite nicely, as a router/Switch/Gateway for a my network, and the whole system suddenly started to work more well once I set the bridge setting filters to the LAN in Tunables.
Also got unbounded DNS working (can use names like BMS/ rather than IP addresses to access devices web interfaces) and configured OpenVPN which appears to work (just need to access it remotely check I can access the network).
I then need to findout how to block access to the Router Web interface from WAN (as I should access remotely it through VPN), havent seen a immediate setting for that, maybe it is a router rule.
I will leave it as a Router/Switch (with 6 (7 when I enable the last NIC I used to initially set it up)) as it allows me to use some of the tools like Insight and PRTG to see what traffic is running between parts of the network as well as the WAN (albeit I can't see traffic that does not exit any of the attached switches/AP). This has been useful as I have finally found which computer currently stomps on the network. It looks like this PC, OneDrive keeps trying to upload .pst file over a limited uplink (usually only 300kB up, 6.5MB down), but there is other stuff uploading so it is about to be backed up and W10 clean installed.
-
Also, I forgot to mention, router performance is not a issue, the Router is only using a fraction of CPU and Memory (old i5-2500 with 8GB of RAM, and 128GB SSD), so it is idling.
-
Not sure how you have been able to set the system so that access to the GUI is possible from the WAN, by default it is not. :)
-
Are any of you running a Qotom device with a 1Gb ISP? If so, what type of CPU do you have and what kind of bandwidth throughput are you seeing in speed tests? I’m more curious about performance with IPS enabled and how many signatures you have enabled.
I have a Qotom Q335G4 with a Intel Core i5-5250U but I’m currently running Sophos XG on my home network and it achieves around 900 Mbps with IPS off but drops down to about 300 Mbps with IPS on. Sophos XG uses Snort though which is single threaded and the weird part is throughout doesn’t change if I reduce the number of signatures in my ruleset.
I’ve been running OPNsense in a VM environment and I understand it uses Suricata which is multi threaded, so I suspect bandwidth performance will be better.
-
Yes. Qotom 355G4 with i5, opnsense and symmetric gigabit WAN. Without IDS/IPS I easily saturate full gigabit, with Suricata and my current rule set I get approx 800Mbit down and 700 up.
-
Q375G4 delivered today.. very nice construction. i appreciate the advice here on replacing the thermal compound. but i think the aluminum heatsink itself can be improved. i read somewhere that these low power intel chips are designed for only TDP 5W. that's seems low for this mini enclosure.
there is about 1cm clearance above the RAM and SSD .. space left deliberately to install a 2.5" HDD. i am thinking to raise the board 1cm, flip the end plates and replace the 1cm aluminum with a 2cm copper server heatsink like this alseye LGA2011 (https://www.aliexpress.com/item/ALSEYE-sever-cooler-heatsink-CPU-Cooler-1U-sever-Copper-Heatsink-CPU-Socket-Intel-LGA2011-cooling-for/32302894055.html (https://www.aliexpress.com/item/ALSEYE-sever-cooler-heatsink-CPU-Cooler-1U-sever-Copper-Heatsink-CPU-Socket-Intel-LGA2011-cooling-for/32302894055.html)).
-
so far the qotom cpu peak temperatures are not too bad .. only about 35C .. hopefully no heat sink shenanigans will be required.
i tested the NAT throughput of qotom/opnsense using iperf between wan and lan ports .. without filtering it's easily doing true gigabit 900+ Mbps.
-
i’m looking for a second unit, any experience here with the new Q1000X models?
https://qotom.net/product/91.html
-
these fanless mini pc x64/amd64 are too pricey, power hungry, overheated, so better idea to move to arm64/aarch64.
maybe rpi usb router or cm4 module with gbe carrier board.
Can someone give me some hints to compile a build for Compute Module 4?