Messages - youngman

#1
Ok... so the following command appears to list what I need. The first two lines are the automatically generated rules, the second two are my IPv4 interface specific ones.

Does the lack of a specified interface on the automatically generated rules indicate 'any/all'? How should I be interpreting this output difference?

root@opnsense:~ # pfctl -sa | grep crowdsec
block drop in quick inet from <crowdsec_blacklists> to any label "xxxxxxxxxxxxxxxx"
block drop in quick inet6 from <crowdsec6_blacklists> to any label "yyyyyyyyyyyyy"
block drop in quick on ovpnc1 reply-to (ovpnc1 xx.xx.xx.x) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"
block drop in quick on vmx2 reply-to (vmx2 xx.xxx.xxx.xxx) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"

#2
G'day All,

Reading here https://homenetworkguy.com/how-to/install-and-configure-crowdsec-on-opnsense/ that "CrowdSec automatically creates floating rules to block all incoming IPv4/IPv6 malicious IP addresses". I can confirm that there are in fact two new floating rules... one for IPv4, the other for IPv6.

Any idea what interfaces these are applied to? Is it just "IN" on WAN or perhaps all non-LAN interfaces? (Specifically interested in CrowdSec here but in general is there a command I could use to review/verify other automatically generated rules as well?)

For the moment, I have created additional floating rules to cover my other external facing interfaces... but it would be nice to know whether they are actually necessary.

Thanks in advance!
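A small check for the question raised in these two posts, added here as an example and not code from either post or from OPNsense/CrowdSec: in pf a rule with no `on <interface>` clause is evaluated on every interface, and with `quick` the first matching rule wins, so the parser below reads `pfctl -sa`-style lines and reports which interface-specific rules are already covered by an earlier interface-less quick rule. The sample input is constructed from the placeholder lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the pfctl output quoted in the post (labels/addresses are placeholders).
SAMPLE_RULES = """\
block drop in quick inet from <crowdsec_blacklists> to any label "xxxxxxxxxxxxxxxx"
block drop in quick inet6 from <crowdsec6_blacklists> to any label "yyyyyyyyyyyyy"
block drop in quick on ovpnc1 reply-to (ovpnc1 xx.xx.xx.x) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"
block drop in quick on vmx2 reply-to (vmx2 xx.xxx.xxx.xxx) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"
"""

RULE_RE = re.compile(  # the subset of pf rule syntax that block/pass rules show in pfctl -sr / -sa output
    r'^(?P<action>pass|block(?: drop| return)?)\s+(?P<dir>in|out)\s+(?:log(?: \([^)]*\))?\s+)?'
    r'(?:(?P<quick>quick)\s+)?(?:on\s+(?P<iface>\S+)\s+)?(?:reply-to\s+\([^)]*\)\s+)?'
    r'(?:(?P<af>inet6?)\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:.*?\blabel\s+"(?P<label>[^"]*)")?')

@dataclass
class PfRule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]  # None: no "on <iface>" clause, so pf evaluates the rule on every interface
    af: Optional[str]     # "inet", "inet6", or None when the rule covers both families
    src: str
    dst: str
    label: Optional[str]

def parse_rules(text: str) -> List[PfRule]:
    """Parse pfctl rule lines into PfRule records; lines that are not block/pass rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(PfRule(m['action'], m['dir'], m['quick'] is not None, m['iface'],
                                m['af'], m['src'], m['dst'], m['label']))
    return rules

def shadowed(rules: List[PfRule]) -> List[PfRule]:
    """Interface-specific rules already matched by an earlier interface-less quick rule (first quick match wins)."""
    out = []
    for i, r in enumerate(rules):
        if r.iface is None:
            continue
        if any(e.iface is None and e.quick and e.direction == r.direction and e.af in (None, r.af)
               and e.src == r.src and e.dst == r.dst for e in rules[:i]):
            out.append(r)
    return out
```

Run it against the real `pfctl -sa` output (rules with no `on` clause are the ones that apply on all interfaces) to see whether the per-interface floating rules add anything the automatic ones do not already match.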

#3
Not suggesting that MTU size is 100% the issue but with a 3G modem I vaguely recall being forced down to ~1370ish to prevent fragmentation. 4G may be similar? Look up MTU ping test - it isn't hard to confirm an appropriate size.

Some programs do not handle fragmentation well (e.g. in my experience Steam will simply refuse to connect to their game controller), others may be unaffected - giving the impression of intermittent errors.

#4
I had similar loss issues a while back and it came down to MTU as someone posted earlier. Just had to put an override number in at the WAN interface and it was all good. No idea why it couldn't auto detect and correct the MTU... I suspect it was ISP related.

If you are monitoring the gateway, are your tolerances set too tightly - causing it to restart itself intermittently?

System: Gateways: Single --> Advanced (perhaps temporarily disable monitoring just to eliminate that possibility?)
#5
21.1 Legacy Series / Re: Bug?: Can't edit aliases
February 03, 2021, 09:21:56 AM
Thanks Franco,

Confirmed patch functional on Firefox 68.9.0esr (64-bit) & Chromium 83.0.4103.97 (openSUSE Build) (64-bit).

Edit: And having realised how out of date the standard packages are... after updating can confirm also working on Firefox 78.7.0esr (64-bit) & Chromium 88.0.4324.96 (openSUSE Build) (64-bit).

Cheers,
Guv
#6
21.1 Legacy Series / Re: Bug?: Can't edit aliases
January 31, 2021, 02:59:53 AM
Quote from: waxhead on January 30, 2021, 03:10:18 PM
Is it just me or do others have this problem as well?

I have it too. Firefox via openSUSE, default OPNsense theme. Clicking the 'pen icon' is unresponsive...

Console error reads "TypeError: string.replaceAll is not a function"
#7
Yet another point of reference; I use much older hardware (Dell T320 w/ Xeon E5-2450 v2, Mellanox ConnectX-3 EN based LAN cards, ESXi6.5 w/ numerous VMs - one of which happens to be OPNsense). In summary, not so ideal from an OPNsense CPU/install point of view.

With hardware offload disabled (IPS running only on WAN), routing via OPNsense (LAN subnets) I am limited to around 1400Mbit.

With offload enabled (IPS off), performance is closer to 9400Mbit.

My guess is if you are limited by your hardware, you need to choose either security or speed - depending on your needs. Default appears to be security (and stability in the case of some cards offload capability) - which I think is the correct way to lean in this case.
#8
Just wanted to say thanks mate - this just caught me out too.
#9
20.1 Legacy Series / Re: Unbound Custom Parameters
April 12, 2020, 07:04:34 PM
G'day mimugmail,

Not sure which part of my query would require a GitHub feature request? Perhaps the local-data SOA line?

As far as my own example, the first line appears to be redundant. The defaults listed in /var/unbound/unbound.conf appear to cover this and many other private addresses.

The local-data part I've also commented out without any apparent ill effect. I use IP addresses internally anyway - so no need for this in my use case either I don't think...

Can also confirm that yes, hashes are the correct method to comment out in unbound.conf (and therefore also work in the custom parameters box).

Cheers,
Guv
#10
20.1 Legacy Series / Unbound Custom Parameters
April 10, 2020, 08:34:22 AM
G'day All,

Has been a while since I played with OPNsense. It has been running like a champ. However, I have recently updated to 20.1.4 and note that there has been some discussion on Unbound's Custom Options field regarding its [future] removal.

I've managed to swap over to mimugmail's unbound-plus, which has removed the need for one line from my custom options re DNS filtering (great job mimugmail).

However, at the risk of looking like an idiot, I'm hoping someone can tell me where my other few lines need to be 'moved' to in order to clear the custom options while retaining the same functionality. Hopefully simple and obvious to one of the in-house experts!

server:private-address: 127.0.0.0/8
## include:/var/unbound/blacklist.conf
local-data: "local.lan. 10800 IN SOA opnsense.local.lan. root.local.lan. 1 3600 1200 604800 10800"

Thanks in advance,
Guv

P.s. Is # the correct way to comment out the custom options??

#11
Hardware and Performance / Re: which switch
September 21, 2019, 03:39:37 AM
Plenty of posts regarding getting both to a quieter state e.g. https://www.reddit.com/r/homelab/comments/7lkzqz/best_way_to_silence_a_hp_procurve_281024g_switch/

With those two brands, I've only had prior experience with a fanless HP - no complaints there.

Currently run Ubiquiti Unifi gear which performs well without the expense of some of the bigger brands (and has a nice GUI interface when running the Unifi controller in a VM)...
#12
System > Settings > General ... look for the DNS Servers and check what Gateway they are set to use.
#13
Quote from: jclendineng on September 20, 2018, 03:01:09 PM
Also, make sure under System > General you have DNS servers such as 1.1.1.1 or 8.8.8.8

The trick on my system was also allocating at least one of your listed DNS servers to WAN (or the default gateway?) - I had them set to none previously...

#14
Looking forward to where this (& mimugmail's Bind plugin) might lead to!

At present I use a cron job, along with the method described here to load my DNS blacklists: https://forum.opnsense.org/index.php?topic=6734.0 & https://devinstechblog.com/block-ads-with-dns-in-opnsense/. Would be really nice to eventually transition to a nice gui interface!

Keep up the good work guys!

#15
Quote from: mimugmail on August 22, 2018, 07:49:16 AM
Also it always depends on the use case .. some guys want to get 1 GB on 1 stream which is hard to achieve on FreeBSD. If you run multiple streams it's really easy to achieve higher rates. In all my use cases I never need only ONE single GB stream, so I'm always fine with OPN performance :)

That is some very interesting info! I've just now realised that the sites I used to test when setting things up allowed multithread testing e.g. https://testmy.net/ Maybe that is why they always seemed to give me better numbers?!

That said, now that OP has ruled out any fundamental setup issues and has achieved raw speed, IMO the best thing to start chasing now is lower buffer bloat :devil: - check out for example http://www.dslreports.com/speedtest

Good luck!