OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of theogravity »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - theogravity

Pages: [1]
1
Tutorials and FAQs / [Tutorial] How I do port forwarding - simple and straightforward
« on: May 29, 2018, 03:21:51 am »
Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer grade router using IPv4 on v18.1 of opnsense.

Firewall settings

Firewall -> Settings -> Advanced:

Code: [Select]
- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias

Code: [Select]
- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port forward > add

Code: [Select]
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you now should be able to forward an incoming 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.

2
18.1 Legacy Series / Missing Router Advertisement section in DHCPv6 services
« on: February 26, 2018, 06:12:25 pm »
It used to be there, now it's missing. How do I get the section to show up?

The only options I have under the section is

- Relay
- Leases

I'm using DHCPv6 on WAN, tracking it on LAN with Comcast as my ISP.

I do have a v6 IP assigned on both WAN and LAN interfaces. Trying to get my clients on the LAN assigned v6 IPs.

I do have the firewall rule to forward WAN 547 to internal 546 on UDP.

The radvd service is running.

3
Tutorials and FAQs / [Tutorial] - How to configure fq_codel for comcast to help bufferbloat / QoS
« on: February 25, 2018, 07:15:07 am »
Hi there,

After seeing a few threads on how to configure fq_codel / fq codel, I eventually figured out the right settings (I wouldn't say perfect) that will get myself an A on the bufferbloat report. This post is being created to for those who do not want to sift through forum threads and have the right info in one place to get this working.

This was written using the v18.1 opnsense firmware.

I am on Comcast with a 280 Mbps download (to 300 Mbps burst) and a 10 Mbps upload (to 12 Mbps burst) for reference.

For the quantum / limit values, I used this as a guide:

https://www.bufferbloat.net/projects/codel/wiki/Best_practices_for_benchmarking_Codel_and_FQ_Codel/

Note: Do NOT check the enable CoDel box at all in any of these steps. Make sure to hit the 'apply' button after you've added in each section to apply settings.

In the Firewall > Traffic Shaper

Create two pipes

Download Pipe:

Code: [Select]
- Bandwidth: 280 Mbit/s
- queue: 2 (I found this was the best value so far after playing around with it)
- Scheduler type: FlowQueue-CoDel
- Enable (FQ-)CoDel ECN
- FQ-CoDel Quantum: 1000
- FQ-CoDel Limit: 1000
- description: I called mine "Download pipe"

For quantum / limit, the rule seems to be 300 per 100 Mbps.

Upload Pipe:

Code: [Select]
- Bandwidth: 11 Mbit/s
- Scheduler type: FlowQueue-CoDel
- Enable (FQ-)CoDel ECN
- description: I called mine "Upload pipe"

(Note: I did not define a quantum / limit here.)

Create two queues

Download queue:

Code: [Select]
- Pipe: Download pipe
- Weight: 100
- Enable (FQ-)CoDel ECN

Upload queue:

Code: [Select]
- Pipe: Upload pipe
- Weight: 100
- Enable (FQ-)CoDel ECN

Create two rules

For the download rule:

Code: [Select]
- Interface should be the WAN interface
- Target: download queue
- Protocol: ip
- Destination: The LAN network address. If you use an address of 192.168.1.x with a 255.255.255.0 subnet, the value will most likely be "192.168.1.0/24"

I use a 172.16.0.x with a 255.255.0.0 subnet, so my value is 172.16.0.0/16

For the Upload rule:

Code: [Select]
- Interface should be the WAN interface
- Target: upload queue
- Protocol: ip
- Source: The LAN network address. If you use an address of 192.168.1.x, the value will most likely be "192.168.1.0/24"

It is important you use the correct network address. The 192.168.1.0/24 value in this context means that "for any IP address under this subnet (anything under 192.168.1.x)...":

- if source, apply the upload queue when the 192.168.1.x IPs are sending data out to WAN
- if destination, apply the download queue when the WAN is sending data to 192.168.1.x addresses

Now restart your router. The settings should take effect. You do not need to restart to modify any values (but don't forget to hit 'apply' after changes) at this point on.

Notes

In the traffic shaper GUI, if you go to status, you will get the WRONG information (I think it's a bug or it's using some incorrect flag to get status). Eg:

it says FIFO instead of FQ_CODEL for the type.

Code: [Select]
Limiters:
10000: 280.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
 sched 75536 type FIFO flags 0x0 0 buckets 0 active
10001:  11.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
 sched 75537 type FIFO flags 0x0 0 buckets 0 active


Queues:
q10000  50 sl. 0 flows (1 buckets) sched 10001 weight 100 lmax 0 pri 0 droptail
q10001  50 sl. 0 flows (1 buckets) sched 10000 weight 100 lmax 0 pri 0 droptail

If you want to verify your settings, you need to go into the shell and type:

Code: [Select]
ipfw sched show
And you should get something like this:

Code: [Select]
10000: 280.000 Mbit/s    0 ms burst 0
q10000  50 sl. 0 flows (1 buckets) sched 10001 weight 100 lmax 0 pri 0 droptail
 sched 10000 type FQ_CODEL flags 0x0 0 buckets 1 active
 FQ_CODEL target 5ms interval 100ms quantum 1000 limit 1000 flows 1024 ECN
   Children flowsets: 10001
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0        1       83  0    0   0
10001:  11.000 Mbit/s    0 ms burst 0
q10001  50 sl. 0 flows (1 buckets) sched 10000 weight 100 lmax 0 pri 0 droptail
 sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 600 flows 1024 ECN
   Children flowsets: 10000

Hope this helps!

Using the above settings, you should get the best performance for upload, and near-best perf for downloads, resulting in an A rating.

Feel free to post better values if you have any!

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2