Messages

1

General Discussion / How to avoid Double NAT with Fritz!Box

« on: February 10, 2018, 03:47:11 am »

My thank you's to the dev's for their hard work on this great product.  I happily contribute to support for dev's who save me time and frustration!

I'm hoping some of you will be able to help me with my doubleNAT issue:

I have the following Setup:

Internet (VLAN10) Fibre---> (PublicIP):Fritz!Box 7490(NAT, FW enabled, Port Sharing Exposed Host for single IP) --> Static Private IP *.*.1.* --->ESXi 6.0:WAN--->Static Private IP *.1.*:WAN NIC:OPNSense 18.1 (DHCP, NAT, FIREWALL)LAN NIC: --> Managed Switch (Private IP *.*.30.*) --> Home Servers/PC's, Devices

When I connect directly to the Fritz!Box 7490 using SpeedTest.net, I get 900/500Mb speeds
When I connect through OPNSense using SpeedTest.net, I get 349/359Mb speeds
When I do a tracert of 8.8.8.8 when connected directly to Fritz!Box LAN port I get single private IP from Fritz!Box as first leg of the trace.
When I do a tracert of 8.8.8.8 when connected directly to OPNSense LAN (via the managed switch) I get two Private IP's in the trace with the first leg being the OPNSense IP, the second leg being the Fritz!Box.

My research yields that the Fritz!box 7490 does not have DMZ.  Rather, I've configured the Fritz!box to have a dedicated Shared Port which is supposed to allow all ports available to the IP of the OPNSense Fireware. This appears to work as my UPnP settings have no issues.

Question:
How do I remove the double NAT issue with OPNSense being behind the Fritz!box to improve my network speeds?  If I turn off NAT on Fritz!box, I get no internet (or access to the Fritz!box for that matter).  I'm a neophyte with this sort of device so clear instructions would be appreciated if possible.

Thank you

2

18.1 Legacy Series / Re: 18.1 Network Performance (17.7.11-12 was fine)?

« on: February 05, 2018, 11:40:56 am »

Hi
Just in case it helps Intel NIC owners, following what funar explained

I have a solution for my Broadcom-NIC'ed Dell R610. It was definitely a driver issue more than a NAT or anything else.  The hw.bce.* settings only apply to Broadcom, but there's probably similar options for the others who have also replied to this thread.

In /boot/loader.conf.local:

hw.bce.verbose=0
hw.bce.tso_enable=0
hw.bce.rx_pages=8
hw.bce.tx_pages=8
hw.pci.enable_msix=1
hw.pci.enable_msi=1
net.inet.tcp.tso=0
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288

I'm now getting full bandwidth in both directions via opnsense. After getting that sorted out, I enabled dual-stack IPv4/IPv6, IDS and upstream traffic shaping. No more issues.

I found that these values for an HP NC360T based on Intel 82571EB (em driver) makes network performance OK , unless for me

Here's my actual /boot/loader.conf.local :
hw.pci.enable_msix=1
hw.pci.enable_msi=1
hw.em.rxd=4096
hw.em.txd=4096
net.inet.tcp.tso=0
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288

Regards,
Jorge

I have a SuperMicro A1SAi C2758 MB with 4 x Intel i354 Gigabit Ethernet NIC's.  Can I use the above settings in the driver config or should I use something else?

3

18.1 Legacy Series / Creating a Certificate Signing Request under 18.1 yields empty .crt files

« on: February 01, 2018, 10:38:30 pm »

Is the process of creation of a CSR for submission to a CA authority supposed to create blank files?  Only one file (the .key) had any information in it despite several attempts.  This issue is found under 18.1_1

4

18.1 Legacy Series / Re: Has anyone had a problem-free upgrade from OPNsense 17.7.12 to 18.1?

« on: February 01, 2018, 10:17:59 pm »

Two issues for me.

1- NAT didn't work at first, but a patch solved that one
2- Download speed has dropped 50% from previous version.
**** UPDATE ****
Speeds were affected because custom tweaks were removed by the upgrade. All OK now.

Can you provide us with those custom tweaks that were removed?  It appears that several of us are experiencing performance issues since the upgrade and would like to know what tweaks improve throughput.

5

18.1 Legacy Series / Re: Has anyone had a problem-free upgrade from OPNsense 17.7.12 to 18.1?

« on: February 01, 2018, 10:09:57 pm »

This one?

Code: [Select]

[Thu Feb  1 14:58:38 EET 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Feb  1 14:58:40 EET 2018] _ret='0'
[Thu Feb  1 14:58:40 EET 2018] code='400'
[Thu Feb  1 14:58:40 EET 2018] Update account error.
[Thu Feb  1 14:58:40 EET 2018] _on_issue_err
[Thu Feb  1 14:58:40 EET 2018] Please check log file for more details: /var/log/acme.sh.log


I had the code '400' as well as now the code '202'

Code: [Select]

[Thu Feb 1 22:58:49 NZDT 2018] code='202'
[Thu Feb 1 22:58:48 NZDT 2018] _ret='0'
[Thu Feb 1 22:58:48 NZDT 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Feb 1 22:58:48 NZDT 2018] url='https://acme-staging.api.letsencrypt.org/acme/challenge/VPHhSBoLrKHx0v0OFCcDcZXtGPqHPByS19IzOusHVjo/97238858'
[Thu Feb 1 22:58:48 NZDT 2018] POST
[Thu Feb 1 22:58:48 NZDT 2018] payload='{"resource": "challenge", "keyAuthorization": "GnEN-3x5LEaX0JY0MCI2f5CnqqAGZ7UNfCD9G-SQKvk.MWT6TBf_bqAL23Qyf5vMzH8pVfGeuSTTNpd8Lr6fIiI"}'
[Thu Feb 1 22:58:48 NZDT 2018] url='https://acme-staging.api.letsencrypt.org/acme/challenge/VPHhSBoLrKHx0v0OFCcDcZXtGPqHPByS19IzOusHVjo/97238858'
[Thu Feb 1 22:58:48 NZDT 2018] code='400'
[Thu Feb 1 22:58:47 NZDT 2018] _ret='0'
[Thu Feb 1 22:58:47 NZDT 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Feb 1 22:58:47 NZDT 2018] url='https://acme-staging.api.letsencrypt.org/acme/challenge/feDqnEOavG71OFJysjupxhnl8xpBGdUP2PKeKdaotY0/97238857'
[Thu Feb 1 22:58:47 NZDT 2018] POST
[Thu Feb 1 22:58:47 NZDT 2018] payload='{"resource": "challenge", "keyAuthorization": "RTqcwn1u5RX1za4U01_4CVIlI3HgHKuejSXW7sTiPgc.MWT6TBf_bqAL23Qyf5vMzH8pVfGeuSTTNpd8Lr6fIiI"}'
[Thu Feb 1 22:58:47 NZDT 2018] url='https://acme-staging.api.letsencrypt.org/acme/challenge/feDqnEOavG71OFJysjupxhnl8xpBGdUP2PKeKdaotY0/97238857'
[Thu Feb 1 22:58:46 NZDT 2018] Please check log file for more details: /var/log/acme.sh.log

6

18.1 Legacy Series / Re: 18.1 Network Performance (17.7.11-12 was fine)?

« on: February 01, 2018, 11:38:26 am »

I have the same issue.  I' have 900 down and 500 up as measured using Speedtest.net with my local ISP when connected directly to one of the LAN ports on my FritzBox! router.  When I connect my OPNSense box directly to the FritzBox! and then to its LAN port, I see only 384 down and 384 up.  The OPNSense Box is a single VM running on a ESXi 6.0 host which has an Atom C2758 8 core CPU and 8 GB's of ECC RAM.  The OPNSense guest is provisioned with 4 GB RAM and 4 vCPU's.

Please advise on how I can improve throughput on OPNSense 18.1.

7

18.1 Legacy Series / Re: Has anyone had a problem-free upgrade from OPNsense 17.7.12 to 18.1?

« on: February 01, 2018, 11:08:45 am »

I just completed an upgrade to 18.1, but I'm receiving an error from the Acme-Client supporting Let's Encrypt.  I opened a ticket about this issue in 17.7.12 and was told to wait until I upgraded. 

8

General Discussion / Re: OPNsense 17.7.12-amd64 Web GUI HTTPS Not Trusted by Chrome63 or Edge

« on: February 01, 2018, 06:24:08 am »

I followed your advise and tried Let's Encrypt.
Using the plug-crashes OPNsense 17.7.12-amd64. I installed the plug-in and am trying to figure out how to use it. The short tutorial is not very clear to me and does not match the configuration settings in the current version. It would be appreciated if you would assist me. I'm new to this.

Attached are the log files and the error contents when the OPNSense Server warns of a serious error.

Please advise.

9

General Discussion / Re: OPNsense 17.7.12-amd64 Web GUI HTTPS Not Trusted by Chrome63 or Edge

« on: January 29, 2018, 11:48:33 pm »

The issue is that my browser of choice complains about the invalid CA certificate that is provided with OPNSense installation.  I just want the OPNSense Website to be trusted by my browser(s).  Please advice.

10

General Discussion / OPNsense 17.7.12-amd64 Web GUI HTTPS Not Trusted by Chrome63 or Edge

« on: January 24, 2018, 01:49:51 am »

Logging into Opnsense 17.1.12 URL using either an IP or a server name like opnsense.localdomain with Chrome 63 gives a warning that the OPNSense CA is not trusted.  I added the CA certificate into Trusted Root Certificates and the Browser (as well as Windows 10 Edge) refuses to trust the certificate. 
I also created a self-signed certificate using the OpenSSL v3.ext in creation to use the new SubjectAltName with the server domain as as alternate IP.1 IPV4 address and added it to the Trust section of Opnsense.  I then added this self-signed certificate (along with my rootkeyCA.pem key) to my browsers.  Both browsers still complain about OpenSense's CA certificate as being invalid. 
Please advise on how I can fix this CA certificate.