Messages - FlangeMonkey

#1
I have an odd issue where, when a device restarts, DHCPv6 always gives the client a new IPv6 address.

Within the leases on "ISC DHCPv6" I see the following (attached)



Any ideas? The lease times are the defaults.
#2
General Discussion / Re: Outbound NAT not working
February 24, 2022, 05:39:33 PM
Did you find a solution to this?  I have just deployed a new opnsense VM using KVM and NAT rules are not automatically being generated.
#3
Quote from: mimugmail on October 06, 2021, 03:20:50 PM
In server instance there should be a checkbox called "Username is Common Name" .. this should help there too, but using certificates is always better than User Auth only

I was playing with that, but I am specifically trying to use different certificate Common Names.
#4
I'm hitting another issue now regarding certificates, 'Remote Access (SSL/TLS + User Auth)' and overrides.

Although Overrides work when the Username and cert CN are the same, it doesn't if a different certificate with a different CN is used.  Additionally, within 'Connection Status' the common name remains the username.
#5
Thanks,

It was due to the Server Mode being 'Remote Access (User Auth)' and not including SSL.
#6
For anyone else looking, it appears to be Spectre and Meltdown mitigation.  This is a subtle difference between pfSense and OPNsense.  I only needed to tweak 'hw.ibrs_disable' to 1, within Tunables.

https://docs.opnsense.org/troubleshooting/hardening.html
#7
Hi Guys,

I understand the Common Name within 'Client Specific Overrides' is the certificate CN used for the user, however, it doesn't appear to be working.

Any Ideas?

Thanks,
#8
I've been using it for years without issues; it's just that at this speed it's hitting some form of bottleneck.  I know there are card-related issues and recommendations for shapers in a virtual machine, such as using e1000 cards over vmxnet3.

I've done a bunch of testing to try and resolve it and found various things regarding Hz and tick rates on ipfw; I think that's a dead end.  I've ended up dropping in pfSense to see how that performs as a comparison.  That is working very well and although I'm not a fan of pfSense, I'll keep with it until I find the cause.

Edit:  Although I have shapers working in pfSense, the other interesting observation is the performance without shapers: I am noticing a marked performance increase over OPNsense.
#9
21.7 Legacy Series / ESXi Shaper 1Gb download performance
September 17, 2021, 03:00:12 PM
Hi Guys,

I have a couple of shapers, one for inbound and one for outbound on my WAN interface.  I am running a virtual firewall, the external WAN interface is now passthrough using igb, which has improved things a lot.

When enabling any shapers using vmxnet3 on the LAN interface, my download performance drops from 800-900Mbit to 600Mbit.

I therefore changed to E1000e for the LAN, and that increased performance without shapers to between 850-950Mbit.  However, I am still getting a performance drop with shapers to around 700Mbit (during testing, I am increasing the shaper to 1800Mbit to eliminate queue size).

Any Suggestions?

Thanks,

#10
21.7 Legacy Series / Re: VRF support
July 28, 2021, 12:40:11 PM
Thanks for your replies, guys.  I am currently running FRR but I don't see anything in there for routing instances, VRFs, etc.  I could maybe do it manually in FRR's configuration, but I'm unsure if that would be persistent.

I'll check out the kernel requirements such as the mentioned vimage, so thanks for that.  If it's fully enabled on the kernel in 21.7, I'll play around with it.

I have implemented policy-based rules to get this working ATM, but multiple tables would be preferable.

Thanks,
#11
21.7 Legacy Series / VRF support
July 27, 2021, 08:15:44 PM
Hi Guys,

Is there any support for VRFs?  I have a use case for a Management/OOB interface.

Thanks,
#12
If DNS is resolving you might be looking in the wrong place.  You might also be hitting locally cached DNS records, so under testing you might want to clear it. Below is my dig of worldclassroom.webster.edu.  Additionally, some ISPs block the root DNS servers, so you might need to forward.

You're not using Firefox with DNS over HTTPS, are you?

dig worldclassroom.webster.edu

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30238
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;worldclassroom.webster.edu.    IN      A

;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Mon Sep 23 15:31:45 BST 2019
;; MSG SIZE  rcvd: 218

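As an added example (my code, not part of FlangeMonkey's post), the script below parses the answer section of the dig output above, embedded here as a constructed sample, follows the CNAME chain to the final A records, and reports the smallest TTL along the chain. That last number is the point of the "locally cached records" remark: the first CNAME was cached for 17268 s but the A records only for 56 s, so a resolver can hand back a mix of fresh and stale data unless the cache is flushed during testing. The record layout is dig's standard presentation format; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the answer section of the dig output quoted in the post above.
SAMPLE_DIG = """\
; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
"""

# owner  ttl  IN  type  rdata   (dig's presentation format, one record per line)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_answer_section(text):
    """Return (owner, ttl, rtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():
            break  # a blank line ends the section
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from `name` to its A records.

    Returns (chain, addresses, min_ttl): the names visited, the final IPv4
    addresses, and the smallest TTL seen along the chain, which is how long a
    cached answer can be trusted before some part of it may be stale.
    """
    by_owner = defaultdict(list)
    for owner, ttl, rtype, rdata in records:
        by_owner[owner].append((ttl, rtype, rdata))

    name = name.lower().rstrip(".") + "."
    chain = [name]
    min_ttl = None
    for _ in range(max_hops):
        rrs = by_owner.get(name, [])
        a_rrs = [(ttl, rdata) for ttl, rtype, rdata in rrs if rtype == "A"]
        if a_rrs:
            a_ttl = min(ttl for ttl, _ in a_rrs)
            min_ttl = a_ttl if min_ttl is None else min(min_ttl, a_ttl)
            return chain, [rdata for _, rdata in a_rrs], min_ttl
        cnames = [(ttl, rdata) for ttl, rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            raise LookupError(f"no A or CNAME record for {name}")
        ttl, target = cnames[0]
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        name = target
        chain.append(name)
    raise LookupError("CNAME chain exceeded %d hops (loop?)" % max_hops)


if __name__ == "__main__":
    chain, addrs, ttl = resolve_chain(parse_answer_section(SAMPLE_DIG),
                                      "worldclassroom.webster.edu")
    print(" -> ".join(chain))
    print("A records:", ", ".join(addrs), "| usable for", ttl, "s before re-query")
```

To use it against a live query, pipe `dig <name>` into the script instead of the constructed sample; if the chain resolves to the expected addresses from the firewall's own resolver, the DNS side is fine and, as the post says, the fault is elsewhere.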
#13
19.7 Legacy Series / Re: VLANs and Firewalling
September 23, 2019, 01:55:57 PM
If you think the rules are correct, try resetting the states, under Diagnostics.
#14
The Global DNS settings are for the firewall itself unless you don't have a DNS server enabled, then those servers are pushed via DHCP to the client.  I am sure you get that but just wanted to clarify.

What DNS Server are you using on OPNsense?  I don't recall the default; it's either Unbound DNS or Dnsmasq DNS.  I'd suggest checking out the settings.

#15
I haven't used IPSEC on opnsense before, but have on many enterprise devices, so this might not help.

This is normally a routing or subnet issue from the firewall itself, therefore not as you would normally traverse it.  I would suggest you SSH into opnsense and press 8 for shell.  I'd check if you can ping the host on the opposite side of the tunnel and take a look at the routing tables (netstat -rn).