Messages - _Alchemist_

#1
So there is no way in OPNsense to use Dead Peer Detection (DPD) to stop a "primary" tunnel and bring up a "secondary" tunnel, and conversely to stop the "secondary" tunnel as soon as the "primary" tunnel is available again?

Dynamic routing is certainly the best way, but, as already described, also a very advanced one.
#2
Quote
That's where I was at a loss, because a transfer network should really only contain two hosts (customer router and ISP router, so a /64 is perfectly sufficient), over which a (for example) /58 is then routed. After all, Inexio has to know which v6 address (from the transfer network) the /58 should be routed to.

A small comparison: for my static IPv6 network at DTAG I received the following information:

IPv6 (public/WAN): 2003:000a:1234:abcd:0000:0000:0000:0000/64
IPv6 (customer network/LAN): 2003:000a:5678:ef00:0000:0000:0000:0000/56

--> The /64 transfer/WAN network lies here (importantly) outside the /56 prefix.

If you don't want to configure NAT66/NPTv6 or an ND proxy (RFC 4389) on OPNsense, then as far as I know Inexio has to provide you with a LAN/internal network in addition to the WAN/transfer network 2a01:5c0:1:aa0::/60.

Whoever configured a network larger than /64 as a transfer network there possibly doesn't seem to know IPv6 particularly well...  :-\
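The sanity check argued in this post, written out as an added example (not from the original post) with Python's ipaddress module and the DTAG and Inexio prefixes quoted above; the function name and the wording of the findings are my own:

```python
import ipaddress


def lan_subnets(lan):
    """Number of /64 subnets a routed LAN prefix can be split into."""
    return 2 ** (64 - lan.prefixlen) if lan.prefixlen <= 64 else 0


def assess_ipv6_assignment(transfer_prefix, lan_prefix=None):
    """Sanity-check what an ISP handed out for a routed IPv6 setup.

    transfer_prefix: the WAN/transfer (point-to-point) network.
    lan_prefix:      the prefix routed to the customer, or None when the ISP
                     only provided a transfer network.
    Returns (ok, findings), where findings is a list of human-readable notes.
    """
    findings = []
    transfer = ipaddress.IPv6Network(transfer_prefix, strict=False)

    # A transfer link carries exactly two hosts, so a /64 is all it needs.
    if transfer.prefixlen < 64:
        findings.append(f"transfer network {transfer} is wider than /64")

    if lan_prefix is None:
        # Without a routed prefix, LAN clients can only reach the Internet
        # through NAT66/NPTv6 or an ND proxy on the firewall.
        findings.append("no routed LAN prefix: NPTv6/NAT66 or ND proxy needed")
        return False, findings

    lan = ipaddress.IPv6Network(lan_prefix, strict=False)

    # The routed prefix must lie outside the transfer network, otherwise the
    # routers cannot distinguish link-local traffic from traffic to forward.
    if transfer.overlaps(lan):
        findings.append(f"{transfer} overlaps routed prefix {lan}")
        return False, findings

    findings.append(f"{lan} provides {lan_subnets(lan)} /64 subnets")
    return True, findings


if __name__ == "__main__":
    # DTAG assignment from the post: transfer /64 outside the routed /56.
    print(assess_ipv6_assignment("2003:000a:1234:abcd::/64",
                                 "2003:000a:5678:ef00::/56"))
    # Inexio assignment from the post: only a /60 transfer network.
    print(assess_ipv6_assignment("2a01:5c0:1:aa0::/60"))
```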
#3
Hello TheHellSite,

I have recently switched back to using OPNsense and HAProxy and again used your tutorial.

As I mainly use IPv6 today, I had to slightly modify two steps to make it work with my setup:

Part 4 - System preparation

Step 4: To allow IPv4 and IPv6 with the same firewall rule, all I had to do was change "TCP/IP Version" from "IPv4" to "IPv4+IPv6":



Part 5 - HAProxy configuration

Step 10: To make HAProxy listen on ports 80 and 443 on its IPv6 as well as IPv4 addresses, all I had to add here was "[::]:80" and "[::]:443":



After applying these changes, I can now securely access my services behind HAProxy from IPv4 and IPv6 networks.
Do you think you could add these changes to your tutorial? Anyway, thanks for all your work :)
#4
23.7 Legacy Series / Re: DNS doesn't work
September 22, 2023, 04:01:51 PM
Then it would be a good idea to first check that Unbound is the only DNS server running on OPNsense.
If more than one DNS server is running, they all fight for port 53 and this usually does not end very well.
#5
23.7 Legacy Series / Re: DNS doesn't work
September 22, 2023, 02:38:58 PM
Have you edited any configurations under "Services > Unbound DNS" or do you run another DNS service like "Dnsmasq DNS" by any chance?
#6
23.7 Legacy Series / Re: Very high memory usage
September 22, 2023, 02:32:10 PM
If you have OPNsense installed on ZFS, this is probably the ARC cache, which uses all free/unused RAM for caching.

In your case, however, it seems that there are a lot of Python processes eating up your available RAM.
Have you tried rebooting your OPNsense firewall?
#7
With DHCPv4, you can go to "Services > DHCP > LAN", create "DHCP Static Mappings" for all clients you want to get an IPv4 address from your DHCP server and then enable "Deny unknown clients".

There does not appear to be an equivalent option for DHCPv6.
#8
Hello everyone,

I was just looking through my OPNsense firewall rules and OpenVPN settings and noticed, that even though all my OpenVPN users connect to WAN2 and use WAN1 as a fallback, in "Firewall: Diagnostics: States", OPNsense shows that the states are being matched to the WAN1 rule:

https://imgur.com/a/CS07KQK

But that isn't true, as the addresses on the WAN interfaces show:

https://imgur.com/a/ZsbAIQZ

The firewall rules are named according to which interface they are on:

https://imgur.com/a/QpJuWfp
https://imgur.com/a/PSJGW0t

I even ran tcpdump and got this as a result:

WAN1


root@opnsense:~ % tcpdump -i pppoe0 port 1194 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
^C
0 packets captured
378145 packets received by filter
0 packets dropped by kernel


WAN2


root@opnsense:~ % tcpdump -i igb1 port 1194 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
--- snip ---
sudo tcpdump -i igb1 port 1194 -n
19:10:03.658113 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:03.658116 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:03.658564 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:03.731677 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:05.631989 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:05.632005 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:05.632008 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:11.542748 IP 217.225.###.###.59780 > 95.208.###.##.1194: UDP, length 40
19:10:11.542840 IP 95.208.###.##.1194 > 217.225.###.###.59780: UDP, length 40
19:10:11.798099 IP 95.208.###.##.1194 > 217.225.###.###.51180: UDP, length 40
19:10:11.803840 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:11.804513 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:11.826767 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 136
19:10:11.827436 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 136
19:10:11.905935 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:15.637783 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 40
19:10:17.181198 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:17.181655 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:17.256555 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
--- snip ---
^C
4481 packets captured
4881 packets received by filter
0 packets dropped by kernel


This is kind of annoying because it makes it really hard to analyze and troubleshoot my firewall rules in the OPNsense GUI because I can't trust what's being displayed. Everything else is working as it should though, so this doesn't affect anything else.

Some additional information:
- Both WAN interfaces have IPv4 outbound NAT rules.
- Both firewall rules use the Gateway "default".
- I am currently using OPNsense 23.1.11-amd64.

Now to my question: Is this a known problem and is there a fix?
#9
Quote from: luiz.souza on March 28, 2022, 09:04:51 PM
I would like to know what are the TCP and UDP connections limit values.

Hello luiz.souza,

Are you referring to the OPNsense traffic shaping options?
Or do you mean the maximum amount of states?

Regards
#10
Quote from: ender526 on April 27, 2022, 12:48:29 AM
My question is, are both drives bootable when using the installer mirror option by default, or do I need to mess with the partition tables?

Hello ender526,

I just installed OPNsense 22.1.2 on a spare PC (Biostar J3160NH) with two Seagate 2TB SATA HDDs (zfs mirror) and tried booting with both, only the first and only the second HDD.

These were my results:

  • Both HDDs: Boots just fine, as expected
  • Only the first HDD (ada0): Boots just fine
  • Only the second HDD (ada1): Boots just fine, but the CLI is broken (the screen hangs at the Kernel loading messages)

The Web GUI could be reached in all three cases.

Some more System information (the system time can be ignored):

Both HDDs

root@OPNsense:~ # zpool status
  pool: zroot
state: ONLINE
  scan: resilvered 4.80M in 00:00:01 with 0 errors on Wed Jul 29 00:52:21 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         ONLINE       0     0     0
  mirror-0    ONLINE       0     0     0
    ada0p4    ONLINE       0     0     0
    gpt/zfs1  ONLINE       0     0     0

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus0 target 0 lun 0 (pass0,ada0)
<SEAGATE ST2000NM0033 NS01>        at scbus1 target 0 lun 0 (pass1,ada1)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)


First HDD only

root@OPNsense:~ # zpool status
  pool: zroot
state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-2Q
  scan: resilvered 5.70M in 00:00:01 with 0 errors on Wed Jul 29 00:43:16 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         DEGRADED     0     0     0
  mirror-0    DEGRADED     0     0     0
    ada0p4    ONLINE       0     0     0
    gpt/zfs1  UNAVAIL      0     0     0  cannot open

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus0 target 0 lun 0 (pass0,ada0)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)


Second HDD only

root@OPNsense:~ # zpool status
  pool: zroot
state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-2Q
  scan: resilvered 4.80M in 00:00:01 with 0 errors on Wed Jul 29 00:52:21 2015
config:

NAME          STATE     READ WRITE CKSUM
zroot         DEGRADED     0     0     0
  mirror-0    DEGRADED     0     0     0
    ada0p4    UNAVAIL      0     0     0  cannot open
    gpt/zfs1  ONLINE       0     0     0

errors: No known data errors
root@OPNsense:~ # camcontrol devlist
<SEAGATE ST2000NM0033 NS01>        at scbus1 target 0 lun 0 (pass0,ada0)
root@OPNsense:~ # opnsense-version
OPNsense 22.1.2_2 (amd64/OpenSSL)


I hope this answered your question. :)
#11
Quote from: sergggggg on May 12, 2022, 02:24:21 PM

Hello, if the calculator for calculating the equipment
from the included services and modules and the maximum traffic in the network?
Thank you!

Hello sergggggg,

Looking at your other post, it seems like you want to know if there is a formula to calculate how many system resources (CPU, RAM, disk, ...) are needed with IPS, depending on the traffic.
As far as I know, there aren't really any formulas, since the type of traffic and the number of active rules (e.g. with Suricata) can heavily influence how much performance is needed.
Using a CPU with lots of cores and high clock speed will always help though.
#12
Hello arnoldg,

It seems that your post has way too little information for us to be able to help you with your problem.

Please provide some further information, for example:

  • What operating system are you using (Windows, macOS, Linux, etc.)?
  • What device are you using to download files (PC, laptop, smartphone, etc.)?
  • Are you using a web browser (Google Chrome, Mozilla Firefox, etc.) or some other software?
  • What kind of device are you using to run OPNsense on?
  • Are you sure that your Internet connection (ISP modem / router, etc.) is working correctly?
  • What is the speed (in megabits per second) and type (DSL, cable, fibre) of the Internet connection you use?
  • ...
#13
If you run iperf3 from an OPNsense interface to a client, your only limiting factor is the single-core performance of your CPU(s).

If you run iperf3 from client 1 to client 2 and have OPNsense in the middle, it has to do a lot of work routing the packets with pf(4), which uses lots of CPU time.

AFAIK, iperf3 usually only creates one TCP stream, which isn't really a real-world load on a firewall.
You could try to run multiple parallel streams with the -P flag:
Quote
-P, --parallel n
              number of parallel client streams to run. Note that iperf3 is single threaded, so if you are CPU bound, this will not yield higher throughput.
#14
Quote from: lucky4ever2 on May 24, 2022, 04:31:20 PM
We use SSH tunnels at this point.

What are the SSH tunnels used for?
And how did you configure them (manually/GUI)?
#15
Depending on the NIC, passing it through to the OPNsense VM (less overhead from Proxmox VE) and using hardware offloading might be faster.