Messages - cookiemonster

#16
Reflection for port forwards should be enabled in this case I think, and you might (on this I am not certain) need to see if you need to disable the force gateway.
#17
Not clicking on links but... I would check that you have disabled "block private networks" on the WAN interface configuration, and that your NAT rule should probably work better with "WAN address" as the destination.
#18
Seems that way. In my setup I don't have this problem, probably because I don't bother with selecting interfaces for AdG. That is where the firewall rules come into their own. So my AdGuard has in its config:
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
#19
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 05:18:09 PM
I think the issue is a bit clearer now. Hopefully someone will have a suggestion.
I'm thinking maybe new sessions get blocked and existing ones are still visible but pure guess.
Firewall > Log Files > General : might have something.
I just checked mine, a URL Table (IPs) Alias.
Last updated 2025-06-21 13:18:03 and log has
"2025-12-06T12:42:00    Error    firewall    alias resolve error IP_PublicDNS (error fetching alias url https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt)"
So I had missed that alias failing to update and I can see why.
I'm not saying you have the same problem but you need to try to narrow down _why_ it is happening.
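An added example, not from the thread: a small Python checker over constructed OPNsense-style log lines in the shape of the "alias resolve error" entry quoted above, which lists the URL Table aliases whose fetch failed and flags those whose "Last updated" timestamp is older than a week. The column separators and the timestamp format are assumptions based on that one quoted line; the log lines and timestamps below are constructed samples.

```python
import re
from datetime import datetime

# Shape of the GUI log entry quoted in the post; column separators are assumed
# to be arbitrary whitespace (tabs in the GUI export, spaces when pasted).
ALIAS_FETCH_ERR = re.compile(
    r"^(?P<ts>\S+)\s+Error\s+firewall\s+alias resolve error\s+(?P<alias>\S+)"
    r"\s+\(error fetching alias url\s+(?P<url>[^)\s]+)\)"
)

def find_alias_failures(lines):
    """Return {alias: {'ts': ..., 'url': ...}} for each failed URL Table fetch."""
    found = {}
    for line in lines:
        m = ALIAS_FETCH_ERR.match(line.strip())
        if m:
            found[m["alias"]] = {"ts": m["ts"], "url": m["url"]}
    return found

def stale_aliases(failures, last_updated, now, max_age_days=7):
    """Failed aliases whose table is older than max_age_days, as {alias: age_days}.
    last_updated maps alias -> 'YYYY-MM-DD HH:MM:SS' (format assumed from the post)."""
    stale = {}
    for alias in failures:
        when = last_updated.get(alias)
        if when is None:
            continue
        age = (now - datetime.strptime(when, "%Y-%m-%d %H:%M:%S")).days
        if age > max_age_days:
            stale[alias] = age
    return stale

# Constructed sample log lines; the first mirrors the entry quoted above.
SAMPLE_LOG = [
    "2025-12-06T12:42:00\tError\tfirewall\talias resolve error IP_PublicDNS "
    "(error fetching alias url https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt)",
    "2025-12-06T12:42:01\tNotice\tfirewall\tfilter reload completed",
    "2025-12-07T03:10:00\tError\tfirewall\talias resolve error RemoteBlocklist "
    "(error fetching alias url https://blocklist.example/ips.txt)",
]
# Constructed "Last updated" timestamps, as shown under Firewall > Diagnostics > Aliases.
SAMPLE_LAST_UPDATED = {"IP_PublicDNS": "2025-06-21 13:18:03",
                       "RemoteBlocklist": "2025-12-06 09:00:00"}

if __name__ == "__main__":
    fails = find_alias_failures(SAMPLE_LOG)
    print(stale_aliases(fails, SAMPLE_LAST_UPDATED, datetime(2025, 12, 8)))
```

On the sample data only IP_PublicDNS is reported as stale, because RemoteBlocklist failed once but its table was refreshed the day before.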
#20
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 03:22:06 PM
What I mean is that your process is perfectly valid but unknown to us here on how it works.
Quote: yes, I'm keeping the list on a remote server. Firewall Aliases has a rule (URL IPs table) that checks every 60 sec for updates to the remote black list. From this rule I have a Floating rule that does the actual restriction to the network.

Before the update, if I wanted to restrict an IP, I just had to add it to the remote server black list, and Firewall Aliases fetched this list automatically and blocked the new IPs.
Now this doesn't work anymore. To do so I need to go to Firewall: Diagnostics: States, find where the new IP or IPs are, and drop them manually. Only then does the actual block come into force.
It is impossible to tell why "this does not work anymore", your mechanism to fetch the list I imagine is the Alias automation on OPN. But the content might not be "correct".
Maybe use the Diagnostic part of the alias in OPN, to look into the table.
Or when you say "this doesn't work anymore". Does it mean nothing is fetched or something else?
#21
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:58:38 PM
It helps. So have you diagnosed the process?
#22
Any clues in /var/log/AdGuardHome/AdGuardHome.log?
You might need to search around the time of the attempted start i.e. boot of OPN, because the log is noisy.
Only one service can use a port at any given time, so if your manual start succeeds, then there won't be another service using it. Your manual start would simply fail.
#23
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:46:22 PM
So you have a server where you keep a list or lists of IP addresses to block. Then you have OPNSense fetching them and what, updating an alias with that? What is not working: the fetching, the update of the alias, something else?
#24
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:27:47 PM
Maybe it's just me, but I'm unclear what it is that you are saying. Can you break it up a bit?
What/where is the blacklist? You say they are restricted TO access your network. Is it that they are allowed?
If however you mean you are seeing a lot of attempts to access your network from ips in some sort of blacklist, then how is that a problem?
As I say, just all very unclear what the setup is, and what the problem is.
#25
Alrighty. Thanks Seimus. I'm beginning to feel I'm close.
#26
Quote from: meyergru on December 02, 2025, 11:08:38 PM
Maybe that is due to the TCP congestion algorithms used. You can change it with Windows, I think under Win10, it was BBR2, but that had some problems, so they reverted back to CUBIC for Win11.

With Linux, you can easily change it via sysctl. These are the values I use:

net.core.rmem_default = 2048000
net.core.wmem_default = 2048000
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 1024000 33554432
net.ipv4.tcp_wmem = 4096 1024000 33554432

# don't cache ssthresh from previous connection
#net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_adv_win_scale = 5
# recommended to increase this for 1000 BT or higher
net.core.netdev_max_backlog = 30000
# for 10 GigE, use this
# net.core.netdev_max_backlog = 30000
net.ipv4.tcp_syncookies = 1
# Enable BBR for Kernel >= 4.9
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr


Interesting. I did not know anything about this. Thanks @meyergru.

Quote from: Seimus on December 02, 2025, 11:30:01 PM
Quote from: cookiemonster on December 02, 2025, 06:14:28 PM
Hey. I've been using a Windows laptop for testing the bufferbloat so far. Normally I use Linux but had a need to stay booted on Win the last few days. This one is connected via a Wi-Fi 6 (802.11ax) Wi-Fi network using an Intel(R) Wi-Fi 6E AX210 160MHz adapter. Depending on location I can get as little as 480/721 (Mbps) aggregated link speed (rec/tran), so I have a bottleneck there at times. Wired connections are only one for a PC but I can't get to it most of the time.
For OPN's CPU I'm using an AMD Ryzen 5 5600U on Proxmox with two vCPUs. Just did a ubench run on it and gives: Ubench Single CPU:  910759 (0.41s). So I think that is Ok.
I've now reset the shaper to docs defaults. This time also the upload side. I need to reboot (had limit and flows on the pipe), I'll update the post.

HW should be okay to handle ZA + Shaper and that throughput.
But keep in mind the stuff about WiFi I mentioned above.


Regards,
S.

So far, gone back to exactly as docs I am getting consistent B grades. It seems to confirm my testing was flawed too. Wired testing seems better but don't have the values at hand.
That said, although I did know that I expected wired/wifi differences, I was hoping that the bufferbloat cure would help the wireless clients, which are the majority in the household, hence I was testing this way.
Is it possible or even desirable to tweak the shaper for wireless as main target ?
#27
Hey. I've been using a Windows laptop for testing the bufferbloat so far. Normally I use Linux but had a need to stay booted on Win the last few days. This one is connected via a Wi-Fi 6 (802.11ax) Wi-Fi network using an Intel(R) Wi-Fi 6E AX210 160MHz adapter. Depending on location I can get as little as 480/721 (Mbps) aggregated link speed (rec/tran), so I have a bottleneck there at times. Wired connections are only one for a PC but I can't get to it most of the time.
For OPN's CPU I'm using an AMD Ryzen 5 5600U on Proxmox with two vCPUs. Just did a ubench run on it and gives: Ubench Single CPU:   910759 (0.41s). So I think that is Ok.
I've now reset the shaper to docs defaults. This time also the upload side. I need to reboot (had limit and flows on the pipe), I'll update the post.
#28
Very good information. Thank you @OPNethu, your observation of the BW is interesting.
@Seimus, very thankful to you for the advice. I'll need to digest it a bit and go back to resetting all the way as per docs, BUT I am on OPN 25.1.12 and worry about upgrading to latest for what other changes it might bring, unrelated to the shaper. And yes, setting the BW right seems to be the hardest part. I just tested and got an A. I am closer to the AP for the test, so it seems my testing methodology is something I need to be more conscious of. And the BW measured was 151 Mbps for this A result. Makes me suspect the results a little.

Also, rookie question but I'll ask. Do zenarmor / crowdsec interfere when running the bufferbloat tests?
And to clarify: can I/should I reset as per docs on my 25.1.12 version? Suggested testing method?
#29
To make it factual, my just-made two test results:
BUFFERBLOAT GRADE
B

LATENCY
Unloaded 26 ms
Download Active +39 ms

Upload Active +0 ms
SPEED ↓ Download 259.5 Mbps
↑ Upload 66.9 Mbps

Second:
BUFFERBLOAT GRADE
B

Your latency increased moderately under load.

LATENCY
Unloaded 21 ms
Download Active +42 ms
Upload Active +0 ms
SPEED ↓ Download 262.4 Mbps
↑ Upload 66.8 Mbps
==
So it's giving me Bs at the moment. Is this "good enough" leave-it-alone result? Tomorrow it might give me Cs though. I'll keep checking.
#30
Quote from: pfry on December 01, 2025, 08:18:47 PM
Is a downstream shaper (particularly a single queue) likely to have the effect you want? I used downstream shapers in the past, but my purpose was to control offered load by adding latency, using multiple queues on a CBQ shaper. I didn't bother after my link passed 10Mb; it did help at 6-10Mb.

I'd think a simple fair queue with no shaper would be the best option for you. I don't know the best way to accomplish that - perhaps open the pipe beyond 520Mb/s (toward single-station LAN speed). I haven't looked at the fq-codel implementation in... a while. The one I recall used a flow hash, and you could set the number of bits (up to 16, I believe). It looks like the ipfw implementation has that limit (65536). I'd think more can't hurt - fewer (potential) collisions. I wouldn't expect any negatives, but you never can tell. PIE just sounds like a RED implementation - I can't see that it'd have much if any effect, as I wouldn't expect your queue depths/times to reach discard levels.

Of course, you could have upstream issues, at any point in the path.
You mean set it up as per the docs https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html ?
But I can try to see if I follow the thinking and put a pipe beyond the 520 Mbps, to see what happens. Thanks for the idea.
Going a little mad with this at the moment.

Thing is, I have a decent (for me) 520 Mbps bandwidth. Normally I wouldn't bother with shaping, but I seem to have the odd buffering now after this change I made. Frustratingly it is not better, i.e. back to normal, after restoring the previous settings.