Messages - Tubs

#1
General Discussion / Re: mDNS Repeater and firewall rules
September 23, 2025, 10:03:14 PM
Solved.

I did not figure out which rule exactly caused the issue. But when I placed the pass rule before my standard blocking rules (Spamhaus drop, Spamhaus edrop, crowdsec), it worked.

#2
Quote from: meyergru on September 23, 2025, 09:25:46 PM
I would refrain from using SFP adapters for GPON at all and use external ONTs with a 2.5 Gbps ethernet connector (I do that).

It looks like this will be the best idea. I thought I could save one device by using an SFP GPON module. But going with the mainstream solution of an external device seems to be the best way to go.

Quote:
1. To not introduce a single point of failure in the Proxmox machine. If something goes wrong with that, I would like to keep internet access.

Basically I see this the same way. That's how I started over a decade ago, and that's where I am again today after an excursion up to a full-blown server. Today, again, I would be willing to make a little compromise.

Quote:
2. For security reasons.

Yes. I am a home user. Using PCI passthrough for at least the WAN NIC would give me enough confidence in security.

Quote:
3. Because OPNsense under Proxmox has its limitations and pitfalls, see this.

Proxmox is what I am familiar with. For several reasons, my primary choice for this plan is XCP-ng (or bare metal).
#3
Quote from: meyergru on September 23, 2025, 08:28:39 PM
I did not even know that SGMII works with the adapters built into the DEC 750 at all - I once owned one and back then, it did not work with SFP-GPON modules at SGMII speed.

Thank you.

It looks like I have to rethink my complete idea. I am undecided whether I go with OPNsense on bare metal or whether I go for a little bit higher spec, run OPNsense under Proxmox VE or XCP-ng and use the idle resources for some small VMs. The devices so far on my comparison list are: Protectli VP2440, Protectli VP6630, Protectli VP6650, Deciso DEC750, Netgate 6100, Netgate 8200. If the Intel X710-BM2 has the same limitation, it looks like only the Netgate devices will be left on my list.
#4
Hello,

when I look in the datasheet of the Deciso DEC750 I find the following limitation:

When using SFP+Modules, do not mix 2.5/5Gbps and 10Gbps link-speed as the hardware does not support mixing these due to different frequencies.

What does it mean exactly? Can I not use one of the ports for a 1 Gbit SFP GPON fiber modem and one port for a 10 Gbit SFP+ module to connect to a switch?
#5
Quote from: Diwrosa on February 22, 2025, 03:30:28 PM
Have you seen the Teklager TLSense C3758R which appears to be a rebadged Qotom Q20331G9-S10?

Thank you. Yes, I found it. But at a different price than the Aliexpress offers.
Same for this German shop. https://eckstein-shop.de/QOTOM-Q20331G9-1U

#6
Quote from: HeneryH on February 19, 2025, 05:43:57 PM
@jde1000, I got the Qotom Denverton Q20300G9-S10 Atom C3808 to run my OpnSense and some firewall apps like Traefik and Authentik.

Let us know how it performs.
I would especially be interested in the difference between the C3808 and the C3758R/C3758 when running OPNsense on bare metal.

I am interested in the Qotom Q20331G9-S10 or Q20331G9-1U with C3758R. But so far I cannot find an OK offer in Europe. The Amazon and Aliexpress vendors currently are not shipping to Europe, or at least to my country.
#8
Hello,

what is the advantage of using "Proxy TCP/UDP on Layer 4" by Caddy instead of using port forwarding in OPNsense?

I just migrated from HAProxy to Caddy. Reverse proxy with TLS termination and TLS (SNI) multiplexing on the HTTPS port with TLS passthrough were easy to set up and just work fine. It was a pain to get this combination running in HAProxy.

Not clear to me is what a use case for "Proxy TCP/UDP on Layer 4" could be where it is better to use Caddy instead of just doing port forwarding.
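What "TLS (SNI) multiplexing with TLS passthrough" actually does at layer 4, shown as an added example that is not part of the original post, of Caddy or of OPNsense: the proxy reads only the first TLS record of a connection, pulls the host_name out of the ClientHello's server_name extension, and picks a backend from it without terminating TLS (the bytes are then forwarded unchanged, which is exactly what plain port forwarding cannot do, since it sees no hostname). The backend table, the hostnames and the addresses are constructed for the demo, and the ClientHello builder produces a minimal, hypothetical hello only so that the parser has realistic input to run on offline.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed backend table for the demo: SNI host_name -> (backend address, port).
# Names and addresses are hypothetical.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "app.example.net": ("10.0.0.11", 443),
    "mail.example.net": ("10.0.0.12", 443),
}

EXT_SERVER_NAME = 0x0000             # RFC 6066 server_name extension
EXT_EXTENDED_MASTER_SECRET = 0x0017  # RFC 7627, empty body; used here as filler


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample input).

    Random, session ID and cipher list are placeholders; only the extension
    layout matters here. A filler extension precedes server_name so the
    parser has to walk the extension list instead of assuming fixed offsets.
    """
    exts = struct.pack("!HH", EXT_EXTENDED_MASTER_SECRET, 0)
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = b"\x03\x03" + bytes(32)                  # client_version + random
    body += b"\x00"                                 # session_id (empty)
    body += struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
    body += b"\x01\x00"                             # one compression method (null)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension.

    Returns None when the hello carries no SNI (a layer-4 multiplexer can then
    only fall back to a default backend). Raises ValueError for anything that
    is not a well-formed TLS handshake record, so garbage never gets routed.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # skip client_version + random
        pos += 1 + body[pos]                           # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                              # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos == len(body):
            return None                                # legacy hello without extensions
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions block")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension")
            if etype != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                name = data[p:p + nlen]
                p += nlen
                if ntype == 0:                         # host_name entry
                    return name.decode("ascii").lower()
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def route(record: bytes, table=BACKENDS, default=None):
    """Choose the backend for a connection from its first TLS record only.
    TLS is not terminated: after the decision the record is forwarded as-is."""
    return table.get(extract_sni(record), default)
```

A real multiplexer has to buffer until the whole first record has arrived (the ClientHello may span more than one TCP segment) and should treat a missing or unknown SNI as "default backend or drop", never as "guess"; the `ValueError` path is what stops a non-TLS client that connected to the HTTPS port from being forwarded anywhere.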
#9
Thank you. This helps.

Somehow I missed your replies to my question.
#10
OK, I did not mention that these two VLANs are isolated from each other by default and inter-VLAN routing is only possible where it is explicitly allowed by a firewall rule.

Yes, I could just do trial and error. But I want to understand what is right and what is wrong. That's why I am asking, in the hope that someone knows the answer.
#11
General Discussion / mDNS Repeater and firewall rules
October 13, 2024, 06:59:52 PM
Hello,

I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
From the documentation it is not clear to me what firewall rules I need to allow the mDNS multicast traffic between these two VLANs.

  • on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
  • on both interfaces to port 5353 at "subnet address" or
  • on both interfaces to port 5353 at "this firewall"
Or a combination of these three?
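The three candidate destinations from this question, together with the ordering effect reported in #1 (the pass rule only worked once it sat before the blocking rules), modelled in Python as an added example that is not part of the original posts or of OPNsense. It assumes a simplified pf-style evaluation in which GUI rules are "quick" (first match wins, implicit default deny), a constructed VLAN layout, and a made-up blocklist alias whose entries were chosen to overlap the multicast range so that rule order visibly matters; "subnet address" is modelled as the interface network and "this firewall" as the firewall's own interface address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MDNS_PORT = 5353
# The mDNS multicast groups from the question.
MDNS_GROUPS = [ipaddress.ip_network("224.0.0.251/32"), ipaddress.ip_network("ff02::fb/128")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    proto: str = "any"
    dst_nets: List = field(default_factory=list)  # empty list = any destination
    dst_port: Optional[int] = None                # None = any port
    quick: bool = True                            # modelled after OPNsense GUI rules (quick by default)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Simplified pf processing: a matching quick rule decides immediately,
    otherwise the last matching rule wins; no match means default deny."""
    dst = ipaddress.ip_address(pkt.dst)
    decision = ("block", "default deny")
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.dst_nets and not any(dst in net for net in rule.dst_nets):
            continue  # address family mismatch also fails this check
        if rule.dst_port is not None and rule.dst_port != pkt.dport:
            continue
        decision = (rule.action, rule.name)
        if rule.quick:
            break
    return decision


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed topology: VLAN10 is 192.168.10.0/24 with the firewall at .1.
VLAN10_NET = "192.168.10.0/24"
VLAN10_FIREWALL = "192.168.10.1"

# The three candidate destinations from the question, as rules on the VLAN10 interface.
PASS_TO_GROUP = Rule("pass mDNS to multicast group", "pass", "udp", MDNS_GROUPS, MDNS_PORT)
PASS_TO_SUBNET = Rule("pass mDNS to VLAN10 net", "pass", "udp", nets(VLAN10_NET), MDNS_PORT)
PASS_TO_FIREWALL = Rule("pass mDNS to this firewall", "pass", "udp",
                        nets(VLAN10_FIREWALL + "/32"), MDNS_PORT)

# Hypothetical blocklist alias: entries are made up and deliberately include the
# multicast range, so that the position of the pass rule relative to it matters.
BLOCKLIST = Rule("block blocklist alias", "block", dst_nets=nets("198.51.100.0/24", "224.0.0.0/4"))

# What an mDNS query from a VLAN10 host looks like to the firewall (constructed).
QUERY_V4 = Packet("192.168.10.23", "224.0.0.251", "udp", MDNS_PORT)
QUERY_V6 = Packet("fe80::1", "ff02::fb", "udp", MDNS_PORT)


def which_destination_matches() -> dict:
    """Evaluate each candidate pass rule on its own against the IPv4 query."""
    return {r.name: evaluate([r], QUERY_V4)[0]
            for r in (PASS_TO_GROUP, PASS_TO_SUBNET, PASS_TO_FIREWALL)}


def order_matters(pass_first: bool) -> str:
    """Same two rules, two orders: the #1 observation in miniature."""
    rules = [PASS_TO_GROUP, BLOCKLIST] if pass_first else [BLOCKLIST, PASS_TO_GROUP]
    return evaluate(rules, QUERY_V4)[0]


if __name__ == "__main__":
    for name, verdict in which_destination_matches().items():
        print(f"{name:32s} -> {verdict}")
    print("pass before blocklist ->", order_matters(True))
    print("pass after blocklist  ->", order_matters(False))
```

Two things fall out of the model. An mDNS query is addressed to the group 224.0.0.251 (or ff02::fb), which is neither inside the VLAN's unicast network nor one of the firewall's own addresses, so a pass rule with "subnet address" or "this firewall" as destination never sees it; only the multicast group destination (IPv4 and IPv6, port 5353) matches. And because a quick block rule that happens to cover the destination stops evaluation, the pass rule has to sit above any blocklist rule that could match; when a blocklist rule is placed first and does match, the later pass rule is never consulted, which is the symptom described in #1.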
#12
Hello,

there are so many new hardware devices with modern powerful CPUs, small form factor, low energy footprint and low noise that it is difficult to find the right choice. "Old" hardware that is cheap to get as used devices was often a good choice in the past.

Is a Sophos SG 210 / SG 220 / SG 310 / SG 330 still a good choice today to run OPNsense in an ambitious home environment? Or is it a blast from the past that cannot compete with current new devices in regards to power, energy consumption and noise, even when taking cost into the calculation?

I am looking to upgrade my Qotom Q355G4 with something that provides one or two SFP+ ports. A DEC2752A or DEC2770 looks like a "dream build" but at a high price. Is a Sophos you get for around 100 $/EUR still an option nowadays?
#13
I was running into the same issue.
Have a look here.

https://forum.opnsense.org/index.php?topic=38435.0
#14
Thank you.
This looks like the issue I am facing.
#15
Hello,

for the issue with IDS not working after the update I could quickly find the solution here.
Now I have detected a second issue after the update to 14.1.

I use HAProxy in a mix of SNI frontend (TCP type) and HTTPS frontend (SSL offloading). For offloading I use two hostnames with two SSL certificates that use two different backend servers.

Since the update, the wrong one of the two certificates is being provided to the client. Backend selection is as expected. This setup has been running for years. It broke when I upgraded to 14.1 yesterday.