Messages - FlangeMonkey

#1
Quote from: userbenutzer on April 23, 2025, 08:33:32 AM
The internal network identifier (optXX) must be the same on your devices!

Thanks userbenutzer, that was the issue.
#2
Quote from: viragomann on April 22, 2025, 02:02:47 PM
Quote from: FlangeMonkey on April 22, 2025, 01:43:48 PM
the rule itself is being removed by the sync process.
The rule is removed from the secondary node, because it's not present on the primary, which syncs its rules to it.

But I created the rule in the primary.

Ok, that's down to the language I used and not being clear enough, sorry, blame my dyslexia. I have the rule created on the primary HA interface; it is not syncing to the secondary, and furthermore any rules created on the secondary HA interface are being removed.

I hope that clears up the confusion.
#3
Quote from: viragomann on April 22, 2025, 01:33:33 PM
I set the rules on the primary with these settings:
source: SYNC subnet
destination: This firewall

This fits for the secondary as well and hence can be synced.

Thanks for the reply,

I'm not sure if I was clear enough: the rule itself is being removed by the sync process.

My rule is more open atm, Source: HA Net, Destination: Any.
#4
Hello,

I have set up a secondary firewall, the NIC configuration is different, but I don't believe that is a problem anymore. I do not have CARP configured yet. For HA, I have All Services selected, and all networks configured equally, for example HA is called HA and LAN is called LAN on both firewalls.

After sync, everything looks good, except for HA firewall rules. The single basic HA rule is being removed on the secondary firewall after sync, so I can no longer perform another sync until I add the rule back to the secondary firewall.

Any idea what is causing the behaviour?

Thanks

#5
I have an odd issue where, when a device restarts, DHCPv6 always gives the client a new IPv6 address.

Within the leases on "ISC DHCPv6" I see the following (attached).

Any ideas? The lease times are default.
#6
Quote from: Maurice on April 26, 2024, 02:36:43 AM
So you want to use the entire /56 PD for NPT? No GUAs in the LANs at all?

Set the internal IPv6 prefix (source) to your ULA /56, leave the external IPv6 prefix (target) empty and set the track interface to an interface which tracks the WAN interface. Since you don't seem to be using tracking at all, you'll have to create a dummy interface for this purpose. Make sure the IPv6 Prefix ID used there isn't in use for any of your "real" LAN interfaces.

This is a rather new workaround and I haven't personally tested it yet, but I think that's how it's supposed to work. There's currently no "direct" way to use a delegated prefix for NPT.

Like others I want to keep it consistent with the prefix changes on the WAN. I'll give your suggestion a look, but @ProximusAl how are you mapping addresses on the WAN side?
#7
Hi Guys,

  • I have DHCPv6 configured on the WAN interface and its using PD with a /56.
  • I also have Static IPv6 configured on my LAN interfaces using ULA configured as /64.
  • I'd like to use NPT for 1:1 between the equivalent WAN /56 mapped to the LAN /56.
I have this working with NPT (/56 and /64) mapping configs, however I need to enter the "External IPv6 Prefix (target)" to make this work. I recall reading to leave "External IPv6 Prefix (target)" empty for it to work dynamically, however that does not work, even with /56, which is address to address.

Any thoughts on what I'm missing?
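Added example, not code from any post in this thread or from OPNsense itself: the two posts above (#6 and #7) are about mapping a ULA /56 on the LANs 1:1 onto the /56 delegated to the WAN. The script below shows what that stateless 1:1 NPT mapping does to an address, using plain prefix substitution (it deliberately does not implement the checksum-neutral adjustment of RFC 6296, which pf's binat-style translation also does not need for a same-length /56 to /56 pair). The two prefixes are constructed sample values; a real WAN PD would come from the DHCPv6 lease.

```python
import ipaddress

# Constructed sample prefixes (not taken from the thread): a ULA /56 on the LAN
# side and a stand-in for the /56 delegated to the WAN. Hard-coded so the script
# runs offline; in a deployment the external /56 is read from the WAN PD lease.
INTERNAL_PREFIX = ipaddress.IPv6Network("fd12:3456:789a:ab00::/56")
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1234:cd00::/56")


def translate(addr, src, dst):
    """Stateless 1:1 prefix substitution.

    The low (128 - prefixlen) bits of addr, i.e. the subnet ID and the interface
    ID, are kept unchanged; the high bits are replaced with dst's prefix bits.
    Raises ValueError if the prefixes differ in length or addr is outside src.
    """
    addr = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("both prefixes must be the same length for a 1:1 mapping")
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    # dst.network_address already has its host bits cleared, so OR is enough.
    return ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask))


def map_lan_network(lan, src, dst):
    """Map a LAN /64 carved out of src onto its external twin under dst."""
    lan = ipaddress.IPv6Network(lan)
    if not lan.subnet_of(src):
        raise ValueError(f"{lan} is not carved out of {src}")
    return ipaddress.IPv6Network((translate(lan.network_address, src, dst), lan.prefixlen))


def lan_mapping_table(src, dst, new_prefix=64):
    """Enumerate every /64 in src with its external counterpart.

    The one-to-one correspondence is why a single /56 rule covers every LAN:
    the 8-bit subnet ID (the "Prefix ID" of a tracked interface) is preserved.
    """
    return {
        str(internal): str(external)
        for internal, external in zip(
            src.subnets(new_prefix=new_prefix), dst.subnets(new_prefix=new_prefix)
        )
    }


def round_trips(addr, src=INTERNAL_PREFIX, dst=EXTERNAL_PREFIX):
    """Outbound then inbound translation must reproduce the original address."""
    outward = translate(addr, src, dst)
    return str(translate(outward, dst, src)) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    host = "fd12:3456:789a:ab05::10"
    print(host, "->", translate(host, INTERNAL_PREFIX, EXTERNAL_PREFIX))
    for internal, external in list(lan_mapping_table(INTERNAL_PREFIX, EXTERNAL_PREFIX).items())[:3]:
        print(internal, "<->", external)
    print("round trip ok:", round_trips(host))
```

Because only the top 56 bits change, the subnet byte (`ab05` becomes `cd05`) and the whole interface ID survive; that is the property the /56 to /56 "address to address" mapping in the post relies on, and it is also why a LAN /64 whose subnet ID collides with the dummy tracking interface's Prefix ID would collide on the external side too.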
#8
General Discussion / Re: Outbound NAT not working
February 24, 2022, 05:39:33 PM
Did you find a solution to this? I have just deployed a new OPNsense VM using KVM and NAT rules are not automatically being generated.
#9
Quote from: mimugmail on October 06, 2021, 03:20:50 PM
In server instance there should be a checkbox called "Username is Common Name" .. this should help there too, but using certificates is always better than User Auth only

I was playing with that, but I am specifically trying to use different certificate Common Names.
#10
I'm hitting another issue now regarding certificates, 'Remote Access (SSL/TLS + User Auth)' and overrides.

Although overrides work when the username and cert CN are the same, it doesn't if a different certificate with a different CN is used. Additionally, within 'Connection Status' the common name remains the username.
#11
Thanks,

It was due to the Server Mode being 'Remote Access (User Auth)' and not including SSL.
#12
For anyone else looking, it appears to be Spectre and Meltdown mitigation. This is a subtle difference between pfSense and OPNsense. I only needed to tweak 'hw.ibrs_disable' to 1 within Tunables.

https://docs.opnsense.org/troubleshooting/hardening.html
#13
Hi Guys,

I understand the Common Name within 'Client Specific Overrides' is the certificate CN used for the user, however, it doesn't appear to be working.

Any Ideas?

Thanks,
#14
I've been using it for years without issues; it's just at this speed that it's hitting some form of bottleneck. I know there are card related issues and recommendations for shapers in a virtual machine, such as using e1000 cards over vmxnet3.

I've done a bunch of testing to try and resolve it and found various things regarding Hz and tick rates on ipfw; I think that's a dead end. I've ended up dropping in pfSense to see how that performs as a comparison. That is working very well and although I'm not a fan of pfSense, I'll keep with it until I find the cause.

Edit: Although I have shapers working in pfSense, the other interesting observation is the performance without shapers: I am noticing a marked performance increase over OPNsense.
#15
21.7 Legacy Series / ESXi Shaper 1Gb download performance
September 17, 2021, 03:00:12 PM
Hi Guys,

I have a couple of shapers, one for inbound and one for outbound on my WAN interface. I am running a virtual firewall; the external WAN interface is now passthrough using igb, which has improved things a lot.

When enabling any shapers using vmxnet3 on the LAN interface, my download performance drops from 800-900Mbit to 600Mbit.

I therefore changed to E1000e for the LAN, and that increased performance without shapers to between 850-950Mbit. However, I am still getting a performance drop with shapers to around 700Mbit (during testing, I am increasing the shaper to 1800Mbit to eliminate queue size).

Any Suggestions?

Thanks,