Messages - criiser

#1
So; I have set up the FW for a basic two interface setup. WAN and LAN and adding an OpenVPN client setup to VPN Provider.

Created rules in the LAN for 53/80/443 to push via OPT4_VPN4 (VPN interface) and another rule under that with * to WAN_DHCP.

Added NAT rules for the LAN network to the OPT4 as well as the WAN one.

So: Basic - It works. All 80/443 traffic is pushed out the VPN and using "whats-my-ip" reveals the proper VPN IP that I use.

Now comes the harder part. So, father of 3 - Online Gaming requires low latency - something that VPN providers MIGHT not be the best solution for. Hence the * rule.

BUT - how can I verify that the other traffic is using the proper WAN_DHCP and not the OPT4_VPN4?

/C/
#2
17.1 Legacy Series / Re: Static routes not working
March 28, 2017, 12:01:41 PM
Hey.

For me, this sounds a tad unclear. Questions.

"I altered the default gateway to be the second firewall IP and the two networks could talk just fine. "

Where did you alter this GW? On the OpnSense box?

What are the logs saying to you? Firewall: Log Files: Normal View

What is the routing saying to you? System Routing Table

What is: System: Routes: All saying ? What did you add there?

/C/
#3
17.1 Legacy Series / Re: Low internetspeed
March 27, 2017, 05:14:06 PM
Quote from: rgo on March 27, 2017, 12:38:56 AM
I think the problem is realtek in your case not opnsense.  You could hit up ebay really fast with a 20 or 30 dollars and pick up a 4 or 2 port intel network card from ebay.  Would be my suggestion to you.  Swap out interfaces and try putting everything across intel network ports and set the loader.conf.local and see if the speed moves up.  That would tell you if it is realtek network or some other kind of IO or CPU or MEMORY issues you could be having.

And I second this statement. FreeBSD has had issues with RealTek drivers AND it took some severe perseverance to get them compiled into the BSD (I'm a noob, was on my FreeNAS. Had to compile on a separate FreeBSD machine and move the .o file - So Complicated) - If you can, remove the RealTek (if it is onboard, disable it). In my experience FreeBSD and RealTek is a no-go.

/C/
#4
17.1 Legacy Series / SUGGESTION - NAT log
March 27, 2017, 05:06:34 PM
Running:
OPNsense 17.1.3-amd64
FreeBSD 11.0-RELEASE-p8
OpenSSL 1.0.2k 26 Jan 2017
On VMware.

I've enabled on ALL (Manual outbound NAT rule generation) my NAT rules the log option.

Likewise on the FW rules in question. LOG log and LOG.

So on the Firewall -> Log Files -> Normal View

I see two rows (For this example DNS query):

Accept - OUT - WAN - WANIP:19763 - 8.8.8.8:53
Accept - IN - LAN - 10.0.0.1:36546 - 8.8.8.8:53

So, my dilemma. When troubleshooting NAT, searching for the LAN IP shows only the last entry, and not when the traffic is leaving the FW. Now in this setup/demo, only one NAT rule. However, I have more interfaces that are being used for NAT. "OpenVPN Clients FTW!" - Making it cumbersome to diagnose and troubleshoot NAT.

Suggestion:

Add to the out log (10.0.0.1:36546) if natted on exit. So the log would look like:

Accept - OUT - WAN - WANIP:19763 (10.0.0.1:36546) - 8.8.8.8:53

Easy visibility that both the NAT rule is working AND the ruleset is allowing the traffic. Maybe even the #index of the rule it matches?

Or is this already in here somewhere - am I just missing a toggle?

Br, Christian
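
The log row proposed in the post above, produced offline from exported rows, as an added example that is not part of the original post and not OPNsense code. It assumes the simplified "action - direction - interface - source - destination" row form quoted in the post; pairing an OUT row with a LAN row by shared destination is an assumption, so more than one candidate is reported as ambiguous.

```python
import re
from collections import defaultdict

# Constructed sample rows in the simplified "action - dir - iface - src - dst"
# form quoted in the post (not raw filterlog output). WANIP/VPNIP are
# placeholders, as in the post; all addresses except 10.0.0.1 are made up.
SAMPLE_ROWS = """\
Accept - IN - LAN - 10.0.0.1:36546 - 8.8.8.8:53
Accept - OUT - WAN - WANIP:19763 - 8.8.8.8:53
Accept - IN - LAN - 10.0.0.7:51000 - 198.51.100.20:443
Accept - OUT - OPT4_VPN4 - VPNIP:40111 - 198.51.100.20:443
Accept - IN - LAN - 10.0.0.8:52000 - 203.0.113.5:80
Accept - IN - LAN - 10.0.0.9:52001 - 203.0.113.5:80
Accept - OUT - OPT4_VPN4 - VPNIP:40112 - 203.0.113.5:80
"""

ROW = re.compile(r"^(\w+) - (IN|OUT) - (\S+) - (\S+) - (\S+)$")
FIELDS = ("action", "dir", "iface", "src", "dst")


def parse(text):
    """Return one dict per row that matches the simplified format."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [dict(zip(FIELDS, m.groups())) for m in matches if m]


def annotate(text, lan_iface="LAN"):
    """Rewrite each OUT row with the pre-NAT LAN source in parentheses."""
    rows = parse(text)
    lan_sources = defaultdict(list)  # destination -> LAN sources seen inbound
    for r in rows:
        if r["dir"] == "IN" and r["iface"] == lan_iface:
            lan_sources[r["dst"]].append(r["src"])
    result = []
    for r in rows:
        if r["dir"] != "OUT":
            continue
        cands = lan_sources.get(r["dst"], [])
        if len(cands) == 1:
            tag = f" ({cands[0]})"
        elif cands:  # the log alone cannot tell which client this was
            tag = f" (ambiguous: {', '.join(cands)})"
        else:
            tag = ""
        result.append(f"{r['action']} - OUT - {r['iface']} - {r['src']}{tag} - {r['dst']}")
    return result


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE_ROWS)))
```

The interface column of each annotated row also shows whether that LAN source left via WAN or OPT4_VPN4.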