Messages - Bonkerton

#1
Have you tried as Destination 'This Firewall' or 'Any'?

I have a couple of PFs for my Tor Relay with Destination 'This Firewall' and they work.
#2
22.1 Legacy Series / Re: os-ddclient
February 28, 2022, 07:22:06 PM

I don't see FreeDNS either.

It certainly is there under 'Dynamic DNS (legacy)', but not in the 'new' os-ddclient (I have V1.1 installed).
#3
22.1 Legacy Series / Re: DHCP not working for VLANS
February 20, 2022, 02:38:28 AM
Have you tried rebooting after setting up the new VLANs?

Recently had the case where I added a new VLAN.
Everything seemed (and turns out was) set up fine, but I couldn't get DHCP to work. Spent a few hours eliminating everything else and finally decided to reboot.

Et voila, everything worked as expected after the reboot.
#4
So if under System:Firmware:Packages it shows these versions

base              21.1.8
kernel            21.1.8
opnsense          21.1.9_1
opnsense-update   21.1.8_2

the system should be ready for a trouble-free update?
#5
OPNSense
LAN | 10.0.0.1/24

with DHCP server:
Subnet   10.10.10.0
----------------
Is that a typo, or is the OPNSense LAN really on 10.0.0.1
while DHCP is served on 10.10.10.0?
#6

According to
https://maclookup.app/macaddress/C4AD34

the MAC address belongs to a MikroTik device.
Does that get you further?

Also, if I'm remembering an old problem of mine correctly,
I had a static lease set (in OPNsense) for one of my phones on the main WiFi network,
and then for testing purposes wanted it to connect to another wireless SSID on a different VLAN.
I seem to remember that this caused problems with DHCP as well, until I realized and disabled the static lease for the main LAN.
#7
20.1 Legacy Series / Re: DHCP not giving leases
July 17, 2020, 12:06:08 AM
Did you only try with wireless clients?

Try plugging a PC directly into a LAN port on the OPNsense box and see if that gets DHCP.

Also, to eliminate your wireless router's firewall completely, just plug the cable from OPNsense into a LAN port on the wireless router, not the WAN port.
#8
My OPNsense installation runs directly on an HP T-620 ThinClient with an AMD GX-415GA.

https://www.cpubenchmark.net/compare/Intel-Celeron-N3450-vs-AMD-GX-415GA-SOC/2907vs2081

The AMD's single-core performance is a little lower than the Celeron's.

With iperf3 between LAN and a wired PC I get ~500Mbit/s max., with one core running the iperf3 thread at ~80%.

With the additional losses from virtualization, your 450Mbit/s is probably caused by your CPU performance.
#9
German - Deutsch / Re: VoIP problems after reconnect
January 18, 2020, 11:24:24 PM
Could the os-siproxd plugin perhaps help?

"Siproxd is a proxy daemon for the SIP protocol

Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via a masquerading firewall (NAT). It allows SIP software clients (like kphone, linphone) or SIP hardware clients (Voice over IP phones which are SIP-compatible, such as those from Cisco, Grandstream or Snom) to work behind an IP masquerading firewall or NAT router."

WWW: http://siproxd.sourceforge.net/
#10
German - Deutsch / Re: Problem with alias resolution
January 13, 2020, 12:39:12 AM
Can you describe your setup and what you intend to do in more detail?

Which traffic goes through the VPN?

What makes you conclude that the domain is not being resolved?

For nslookup de-fra.prod.surfshark.com
I get several IPs

Non-authoritative answer:
Name:   de-fra.prod.surfshark.com
Address: 74.119.145.51
Name:   de-fra.prod.surfshark.com
Address: 84.16.240.174
Name:   de-fra.prod.surfshark.com
Address: 45.87.212.211
Name:   de-fra.prod.surfshark.com
Address: 185.158.135.34
Name:   de-fra.prod.surfshark.com
Address: 185.220.70.83
Name:   de-fra.prod.surfshark.com
Address: 185.102.219.6

Could that be your problem?
#11

How high is the CPU load for the openvpn process during a speed test?

As far as I know, OpenVPN runs single-threaded, so having many cores doesn't help much there.

Does the processor support AES-NI?

Have you tried it with no encryption at all?
#12
I'm now making it easier for myself by routing the websites in question through a VPN using an alias.

- create an alias under Firewall:Aliases of Type: Hosts and enter the URLs for the websites you want to route differently in the 'Content' field
- create a Firewall:NAT:Outbound rule with the 'Interface' being your VPN-IF and the 'Destination address' your alias from above
- create a Firewall:Rules:LAN rule with 'Destination' being your alias and the 'Gateway' your VPN-IF

See attached screenshots
#13
I know this is old but the thread came up as the first result when googling for this problem.

Even going to 'Automatic outbound NAT rule generation' as suggested above did not allow me access to my cable modem admin page.

But I got it to work using the method described here:
https://forum.opnsense.org/index.php?topic=8616.0

In short:
- cable modem and own network (from which you want to access the cable-modem) need to be on different subnets
- create a Virtual IP (in OPNsense 19.7.5 under Firewall->Virtual IPs) in the same subnet as the cable modem
- create a floating firewall rule and a corresponding NAT outbound rule
- profit

My home network is 192.168.0.0/24
My modem is a Linksys CM3008 on 192.168.100.1 - created the Virtual IP as 192.168.100.2
#14
FWIW, I have the same or at least a similar problem.

ISP is Xfinity/Comcast via cable modem.

Various PCs, both Windows and Linux, same behaviour.

OPNSense on an HP ThinClient, Realtek LAN.

Sites that don't work:
https://informeddelivery.usps.com
https://tools.usps.com
https://my.cigna.com/
(Also others, e.g. some sites of the local community college)

Usually using Unbound in resolve mode. Tried forwarding mode with various DNS servers, and also using Dnsmasq. Also using ISP provided DNS.
No dice, can't access.

If I use a VPN client on a PC I can access the sites with no problem.

I have a few OVPN clients set up on my OPNSense. If I route a PC's traffic through one of those I can access the sites.
(I believe in this setup traffic goes through VPN, but DNS is still locally through Unbound). So that should mean the DNS resolution is not the problem, it's the traffic.

I have a spare router (FreshTomato) as backup; going through that, through the same cable-modem, I can access these sites just fine.

I have always been able to ping and nslookup these sites. The IP-addresses returned by nslookup are the same in working (with VPN) or non-working 'mode'.

I tried disabling various features (Suricata, Sensei), no help.

I spent way too much time trying to debug this already, I'll probably just make do with using a VPN when needed...
#15
19.7 Legacy Series / Re: VirtualBox troubles
August 12, 2019, 06:29:07 AM
I have set up OPNsense on VirtualBox for testing purposes,
assigned WAN IP from my own Router,
but never tried to get WAN IP directly from a cable-modem or whatever your access to ISP is.

For testing I set up a Linux VM to be on the same internal network as the OPNsense VM LAN port,
so I was able to access it from there and get a better view of what's happening.

Would this be any help?
https://kifarunix.com/how-to-install-opnsense-on-virtualbox/