Messages - theogravity

#1
Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer grade router using IPv4 on v18.1 of opnsense.

Firewall settings

Firewall -> Settings -> Advanced:

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Overly simple explanation: Aliases are friendly names for IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias

- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port forward > add

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you should now be able to forward incoming 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.
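Once the rule is saved, it is worth confirming that pf loaded exactly the narrow forward that was intended: one TCP port, to one host, and nothing wider. The Python below is an added example, not code from the post or from OPNsense. It parses the `rdr` lines that `pfctl -sn` prints (the listing is a constructed sample; the interface name igb0 is an assumption, the addresses and ports are the post's own, and a second, deliberately wide forward to 192.168.1.50 is included for contrast), reports which rule an inbound connection to 3200/tcp would hit, and flags any forward that exposes more than one external port.

```python
import re
from typing import List, Optional

# Constructed sample of `pfctl -sn` output (the NAT rules pf actually loaded).
# igb0 is an assumed interface name; the first rdr line matches the post's
# port forward, the second is an intentionally over-broad rule for contrast.
SAMPLE_PFCTL_SN = """\
nat on igb0 inet from 192.168.1.0/24 to any -> (igb0:0) port 1024:65535
rdr on igb0 inet proto tcp from any to (igb0) port = 3200 -> 192.168.1.200 port 3100
rdr on igb0 inet proto tcp from any to (igb0) port 8000:9000 -> 192.168.1.50 port 8000
"""

# pfctl prints a single port as "port = N" and a range as "port LO:HI".
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+port\s+(?:=\s+)?(?P<ports>\d+(?::\d+)?)"
    r"\s+->\s+(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
)


def parse_rdr(text: str) -> List[dict]:
    """Extract rdr (port forward) rules; non-rdr lines such as outbound nat are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        lo, _, hi = m.group("ports").partition(":")
        rules.append({
            "iface": m.group("iface"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"),
            "port_lo": int(lo), "port_hi": int(hi or lo),  # inclusive external range
            "target": m.group("target"), "target_port": int(m.group("tport")),
        })
    return rules


def find_forward(rules: List[dict], ext_port: int, proto: str) -> Optional[dict]:
    """Return the first rdr rule that would catch inbound traffic to ext_port/proto."""
    for r in rules:
        if r["proto"] == proto and r["port_lo"] <= ext_port <= r["port_hi"]:
            return r
    return None


def exposure_report(rules: List[dict], max_ports: int = 1) -> List[str]:
    """Flag forwards that expose more external ports than intended."""
    findings = []
    for r in rules:
        width = r["port_hi"] - r["port_lo"] + 1
        if width > max_ports:
            findings.append(
                f"{r['proto']} {r['port_lo']}:{r['port_hi']} -> "
                f"{r['target']}:{r['target_port']} exposes {width} ports"
            )
    return findings


if __name__ == "__main__":
    loaded = parse_rdr(SAMPLE_PFCTL_SN)
    hit = find_forward(loaded, 3200, "tcp")
    print("3200/tcp ->", f"{hit['target']}:{hit['target_port']}" if hit else "no forward")
    print("3100/tcp ->", "forwarded" if find_forward(loaded, 3100, "tcp") else "not forwarded")
    for finding in exposure_report(loaded):
        print("WIDE:", finding)
```

Run it against the real output of `pfctl -sn` on the firewall; external 3100 should come back as "not forwarded", because only 3200 is opened on the WAN side and 3100 exists only on the inside.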
#2
It used to be there, now it's missing. How do I get the section to show up?

The only options I have under the section are

- Relay
- Leases

I'm using DHCPv6 on WAN, tracking it on LAN with Comcast as my ISP.

I do have a v6 IP assigned on both WAN and LAN interfaces. Trying to get my clients on the LAN assigned v6 IPs.

I do have the firewall rule to forward WAN 547 to internal 546 on UDP.

The radvd service is running.
#3
Hi there,

After seeing a few threads on how to configure fq_codel / fq codel, I eventually figured out the right settings (I wouldn't say perfect) that will get me an A on the bufferbloat report. This post is being created for those who do not want to sift through forum threads and want the right info in one place to get this working.

This was written using the v18.1 opnsense firmware.

I am on Comcast with a 280 Mbps download (to 300 Mbps burst) and a 10 Mbps upload (to 12 Mbps burst) for reference.

For the quantum / limit values, I used this as a guide:

https://www.bufferbloat.net/projects/codel/wiki/Best_practices_for_benchmarking_Codel_and_FQ_Codel/

Note: Do NOT check the enable CoDel box at all in any of these steps. Make sure to hit the 'apply' button after you've added in each section to apply settings.

In the Firewall > Traffic Shaper

Create two pipes

Download Pipe:

- Bandwidth: 280 Mbit/s
- queue: 2 (I found this was the best value so far after playing around with it)
- Scheduler type: FlowQueue-CoDel
- Enable (FQ-)CoDel ECN
- FQ-CoDel Quantum: 1000
- FQ-CoDel Limit: 1000
- description: I called mine "Download pipe"

For quantum / limit, the rule seems to be 300 per 100 Mbps.

Upload Pipe:

- Bandwidth: 11 Mbit/s
- Scheduler type: FlowQueue-CoDel
- Enable (FQ-)CoDel ECN
- description: I called mine "Upload pipe"

(Note: I did not define a quantum / limit here.)

Create two queues

Download queue:

- Pipe: Download pipe
- Weight: 100
- Enable (FQ-)CoDel ECN

Upload queue:

- Pipe: Upload pipe
- Weight: 100
- Enable (FQ-)CoDel ECN

Create two rules

For the download rule:

- Interface should be the WAN interface
- Target: download queue
- Protocol: ip
- Destination: The LAN network address. If you use an address of 192.168.1.x with a 255.255.255.0 subnet, the value will most likely be "192.168.1.0/24"

I use a 172.16.0.x with a 255.255.0.0 subnet, so my value is 172.16.0.0/16

For the Upload rule:

- Interface should be the WAN interface
- Target: upload queue
- Protocol: ip
- Source: The LAN network address. If you use an address of 192.168.1.x, the value will most likely be "192.168.1.0/24"

It is important you use the correct network address. The 192.168.1.0/24 value in this context means that "for any IP address under this subnet (anything under 192.168.1.x)...":

- if source, apply the upload queue when the 192.168.1.x IPs are sending data out to WAN
- if destination, apply the download queue when the WAN is sending data to 192.168.1.x addresses

Now restart your router. The settings should take effect. From this point on, you do not need to restart to modify any values (but don't forget to hit 'apply' after changes).

Notes

In the traffic shaper GUI, if you go to status, you will get the WRONG information (I think it's a bug or it's using some incorrect flag to get status). E.g., it says FIFO instead of FQ_CODEL for the type:

Limiters:
10000: 280.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
sched 75536 type FIFO flags 0x0 0 buckets 0 active
10001:  11.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
sched 75537 type FIFO flags 0x0 0 buckets 0 active

Queues:
q10000  50 sl. 0 flows (1 buckets) sched 10001 weight 100 lmax 0 pri 0 droptail
q10001  50 sl. 0 flows (1 buckets) sched 10000 weight 100 lmax 0 pri 0 droptail


If you want to verify your settings, you need to go into the shell and type:

ipfw sched show

And you should get something like this:

10000: 280.000 Mbit/s    0 ms burst 0
q10000  50 sl. 0 flows (1 buckets) sched 10001 weight 100 lmax 0 pri 0 droptail
sched 10000 type FQ_CODEL flags 0x0 0 buckets 1 active
FQ_CODEL target 5ms interval 100ms quantum 1000 limit 1000 flows 1024 ECN
   Children flowsets: 10001
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0        1       83  0    0   0
10001:  11.000 Mbit/s    0 ms burst 0
q10001  50 sl. 0 flows (1 buckets) sched 10000 weight 100 lmax 0 pri 0 droptail
sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
FQ_CODEL target 5ms interval 100ms quantum 1514 limit 600 flows 1024 ECN
   Children flowsets: 10000

Hope this helps!

Using the above settings, you should get the best performance for upload, and near-best perf for downloads, resulting in an A rating.

Feel free to post better values if you have any!
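Since the GUI status page reports the wrong scheduler type, the check the post recommends (`ipfw sched show` on the shell) is the one to trust, and it can be automated. The Python below is an added example, not part of the post or of OPNsense: it parses dummynet's `ipfw sched show` text (the two listings quoted above are reproduced as constructed inline samples) and compares each pipe's scheduler type, quantum, limit and ECN flag against the intended settings, so a FIFO scheduler or a quantum that silently fell back to its default is reported rather than read off by eye. The upload pipe has no explicit quantum/limit in the post, so only its bandwidth, type and ECN flag are checked.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: what the traffic shaper status page showed (type FIFO).
GUI_STATUS = """\
10000: 280.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
sched 75536 type FIFO flags 0x0 0 buckets 0 active
10001:  11.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
sched 75537 type FIFO flags 0x0 0 buckets 0 active
"""

# Constructed sample: what `ipfw sched show` printed on the shell.
IPFW_SCHED_SHOW = """\
10000: 280.000 Mbit/s    0 ms burst 0
q10000  50 sl. 0 flows (1 buckets) sched 10001 weight 100 lmax 0 pri 0 droptail
sched 10000 type FQ_CODEL flags 0x0 0 buckets 1 active
FQ_CODEL target 5ms interval 100ms quantum 1000 limit 1000 flows 1024 ECN
   Children flowsets: 10001
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0        1       83  0    0   0
10001:  11.000 Mbit/s    0 ms burst 0
q10001  50 sl. 0 flows (1 buckets) sched 10000 weight 100 lmax 0 pri 0 droptail
sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
FQ_CODEL target 5ms interval 100ms quantum 1514 limit 600 flows 1024 ECN
   Children flowsets: 10000
"""

PIPE_RE = re.compile(r"^(\d+):\s+([\d.]+)\s+(\w+)/s")          # "10000: 280.000 Mbit/s ..."
SCHED_RE = re.compile(r"^sched\s+\d+\s+type\s+(\w+)")           # "sched 10000 type FQ_CODEL ..."
CODEL_RE = re.compile(
    r"^FQ_CODEL target (\d+)ms interval (\d+)ms quantum (\d+) limit (\d+) flows (\d+)(\s+ECN)?"
)


def parse_sched_show(text: str) -> Dict[str, dict]:
    """Return {pipe_number: settings} from dummynet scheduler output.

    The sched and FQ_CODEL lines follow the pipe header they belong to,
    so each is attached to the most recently seen pipe.
    """
    pipes: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            current = {"bw": float(m.group(2)), "unit": m.group(3), "type": None}
            pipes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = SCHED_RE.match(line)
        if m:
            current["type"] = m.group(1)
            continue
        m = CODEL_RE.match(line)
        if m:
            current.update(
                target_ms=int(m.group(1)), interval_ms=int(m.group(2)),
                quantum=int(m.group(3)), limit=int(m.group(4)),
                flows=int(m.group(5)), ecn=m.group(6) is not None,
            )
    return pipes


def audit(pipes: Dict[str, dict], expected: Dict[str, dict]) -> List[str]:
    """Compare parsed pipes with the intended configuration; return human-readable findings."""
    findings = []
    for pipe, want in expected.items():
        got = pipes.get(pipe)
        if got is None:
            findings.append(f"pipe {pipe}: not present")
            continue
        if got["type"] != "FQ_CODEL":
            findings.append(f"pipe {pipe}: scheduler type is {got['type']}, expected FQ_CODEL")
        for key, value in want.items():
            if got.get(key) != value:
                findings.append(f"pipe {pipe}: {key}={got.get(key)!r}, expected {value!r}")
    return findings


# Intended settings from the post (pipe numbers as shown in its output).
EXPECTED = {
    "10000": {"bw": 280.0, "quantum": 1000, "limit": 1000, "ecn": True},
    "10001": {"bw": 11.0, "ecn": True},
}

if __name__ == "__main__":
    for label, text in (("GUI status", GUI_STATUS), ("ipfw sched show", IPFW_SCHED_SHOW)):
        problems = audit(parse_sched_show(text), EXPECTED)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  " + p)
```

Feed it the live output (`ipfw sched show | python3 check_shaper.py`, after swapping the inline sample for `sys.stdin.read()`) whenever the shaper is changed; the GUI sample produces findings on both pipes while the shell sample comes back clean, which is exactly the discrepancy the post describes.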