Messages - erickengelke

#1
24.7, 24.10 Legacy Series / suggestion: BufferBloat wizard
September 30, 2024, 03:50:13 AM
BufferBloat is a common problem and OPNsense does have a combination of features which can help.

But configuring them is a slow exercise of meticulously copying things from one web page to another input screen, multiplying bandwidth by 85%, etc., and can be fraught with user mistakes leading to more problems than when the user started.

This repetition doesn't make sense when many people have relatively simple home configurations.

My suggestion is to add a wizard which would prompt for ISP download/upload advertised speed and the correct ports, and run a script to create the approximate rules. The user could obviously go back and fine tune the values, but it would probably give better results than the bare OPNsense configuration and make a lot of people happy.

It could simply refuse to run if any of the existing Queue/Pipes/Rules have bufferbloat in their comment fields, so as not to mix multiple configurations.

Thanks for listening,
Erick
#2
The recently changed reporting traffic page lost some features.

You used to be able to easily identify heavy traffic users with individual graphs; now that's gone.

The smooth graph looks pretty, but it's a lot less useful for dealing with user situations.

So I'd prefer something more like the old one.
Erick

#3
I have a commodity board with two Realtek devices. OPNsense names one em0 and the other re0.
em0 always connects at 1000BaseT, whereas I can never get re0 to work at 1000BaseT; it always goes to 100BaseT no matter which mode I select. It has been like this ever since 19.1 was installed; prior to that it was 1000BaseT.

Speedtest.net ratings have dropped from 143Mbps to 97Mbps. So this is reflected in the data transfer rates.

Is there something about the Realtek driver which makes it not work with 1000BaseT?

Erick
#4
19.1 Legacy Series / Re: OPNsense 19.1 released update!
February 02, 2019, 07:22:15 AM
More on my problem. Looking at packet captures, I see the data coming in from the LAN side, but nothing is generated going to the outside interface for that IP address. But it works for some addresses, because I can turn on a VPN.

Very strange.
Erick
#5
19.1 Legacy Series / Re: OPNsense 19.1 released update!
February 02, 2019, 07:12:12 AM
More on the case I mentioned where NAT's not working: ssh to a work server from my laptop behind OPNsense times out, but the TCP connection is marked as established. So the SYN and SYN ACK get through, but not the subsequent data.

Erick
#6
19.1 Legacy Series / Re: OPNsense 19.1 released update!
February 02, 2019, 06:59:12 AM
I upgraded to 19.1 tonight at 6 and have been struggling for the next six hours.

Some IP connects get through but not others. My provider is solely IPv4; I've disabled IPv6 in all the locations I could find, but no difference.

I can get PINGs through to my work subnet 129.97.50.x, but I cannot ssh there from my NATed subnet, though I can ssh there from a shell in my OPNsense box.

And I can get my VPN client to work when I want it to; that works all night, but I can't Google or Netflix without my VPN client ever tonight.

So something is selectively disabling NAT through connections, but I don't know what. I don't have any firewall rules. I've done clean installs, but it still fails.

BTW, my OPNsense box is an i3 with two Realtek cards.

Very weird. I've reinstalled several times, no luck. Unfortunately, I can't find an online copy of 18.x or I would downgrade temporarily; all you have listed is 19.1, which is a bit optimistic on a new release.

Thanks for any advice you can give.
Erick
#7
General Discussion / open connect - NAT
October 11, 2018, 07:54:29 AM
I can use openconnect to connect to my work VPN. But it just adds as a route on the OPNsense device; it does not NAT me through.

So I can telnet to port 80 on devices through the VPN on the OPNsense box (which I would not be able to do from the wide internet).

But my clients cannot connect to those sites because OPNsense isn't NATting the connection for my clients.

Any advice?

Thanks
#8
Development and Code Review / Re: nginx plugin
July 01, 2018, 08:35:56 PM
Thanks
#9
Development and Code Review / Re: nginx plugin
July 01, 2018, 07:24:10 PM
Oh, I do not know how ... yet.

I tried it on the dev build. Once I moved the default httpdlite to 8080, the nginx worked on 80 on the NAT side.

My goal is to set up an internal cloud, and have NGINX/OPNsense be the router/firewall/virtual hosting place. So HTTPS traffic would be decrypted at the OPNsense, which would be my single certificate holder.

#10
Development and Code Review / Re: nginx plugin
June 30, 2018, 03:34:45 PM
I can try this on my dev system...

Erick
#11
18.1 Legacy Series / Re: Virtual Servers
June 30, 2018, 03:18:47 PM
I looked in the development branch, I guess it's not there yet.

I'd be interested in helping develop this, as my needs are not yet production services.

Erick
#12
18.1 Legacy Series / Virtual Servers
June 30, 2018, 06:48:09 AM
I have several OPNsense systems working and am liking it.

Now what I would like to set up is putting servers on a private LAN connection and using the OPNsense firewall/web server to forward WAN requests to the correct LAN server.

For example, R + free Shiny for web graphics run servers on port 3838. So I would like to run Shiny on a private LAN server and expose it through a URL redirect through the OPNsense firewall/web proxy server.

Is this doable with OPNsense? It's a very powerful model because it allows you to effectively firewall your servers from attacks, traffic shape, etc.

Thanks
#13
I'm using the VGA USB image. The device doesn't have a CD-ROM player.

#14
18.1 Legacy Series / ada0 doesn't show up with 18.1
March 21, 2018, 09:35:36 AM
Hi,

I have a Z Box that I wanted to run OPNsense on. It works ok from the USB stick (stayed live for a 36 hour test), but I want to transfer to the hard disk so I can get updates. The boot stick has troubles trying to read the non-existent SDHC card, which times out every 20 seconds, so I'd like to comment it out. And I don't like having to boot up in safe mode every time.

The problem is, after booting from the stick (da1), ada0 does not show up, nor any /dev/ada* drives, so I can't transfer it.

When I install the normal FreeBSD latest binary, it works perfectly, recognizing and auto installing to ada0 and not needing safe mode. I wonder if safe mode is needed due to the SDHC driver loading.

pfSense never lasted 24 hours because the Realtek driver would fail and halt. Of course, the dual gig ethernet cards are internal and there is no expandability for other brands.

Erick