Messages - oneplane

#1
A big thank you for keeping this going! I'm mostly using this in local virtual machines on macOS, where the aarch64 images work really well.
I used to have my local CI build ARM images, but I got lazy and didn't really keep up with the updates and never set up a repo to do in-place upgrades with... but your solution has been a blast!

Some details: this works with native hardware-accelerated virtualisation as well as QEMU, but on recent macOS releases you either have to do local user networking (slow, emulated, think SLIRP) or vmnet, which is what Apple supplies. The downside is that it only wants to do NAT, host-only (PTP) or bridged networking, and you cannot create something like an Open vSwitch yourself; there is no more TUN/TAP and even VDE doesn't really work anymore. But! You can create a bond interface with 0 members, which even when down will pass L2 frames like a champ (even VLANs), and it works with vmnet natively as well. End result: accelerated machines and networking for your local networking needs.
#2
Have you tried without Windows (i.e. Xen, KVM, ESX)? That would be the fastest/easiest test to know for sure whether it is the Microsoft layer or something else (i.e. the CPU).
#3
This makes very little sense. OPNsense might use 802.1X on your WAN connection if your provider requires it and if you set that up during the setup process, but otherwise that stuff is completely absent or disabled.

What switch do you have? What devices are connected where?
Perhaps it might be best to draw a diagram and use the "Insert Code" button on the forum and paste it there.
Something like asciiflow.com can be used (it has an export button which allows you to copy the text).

So far this is all that can be gleaned from your explanation:


         ┌───────────────────────────────────────┐
         │                                       │
         │        TP-Link Switch                 │
         │                                       │
         │                                       │
         │                                       │
         │  Port 6                               │
         └───┬───────────────────────────────────┘
             │
             │
             │ Ethernet cable
             │
             │
┌────────────┴──┐
│               │
│ OpnSense      │
│               │
│               │
└───────────────┘

Some PC, Server, or Virtual Firewall appliance?


More information is required:

- What hardware are you using (type/part/brand)
- What network interfaces do exist in hardware
- What network interfaces are defined in the interface assignment in OpnSense
- How are those interfaces configured (manually, static, DHCP, PPPoE etc)
- What is connected where
- Which specific switch are you using
- What ports are available
- What is plugged into those ports
#4
It's probably not a good idea to mix the purpose of your firewall and what seems to be a video camera tool on the same installation. While not impossible, mixing this stuff together means that neither will work as well as they would stand-alone.
#5
Download them from your Google Drive and import them into a VirtualBox VM to test them.
#6
I'm trying to set up a routed subnet that is routed towards my WAN IPv4 to be used for multiple purposes. This is a relatively small subnet, a /29, and I'd like to:

- Have 2 addresses used for 2 LAN networks, they would have their own outbound NAT each
- Have 2 more used for 2 separate networks that run their own firewall on their own public IP

The problem is that with such a small subnet you can't really split it off into multiple subnets and have a public interface consuming 4 addresses (well, 2 addresses plus one network address and one broadcast address).

One "solution" might be a /31, but that would still waste addresses. Maybe a PPPoE connection would make it possible to use a private IPv4 on the OPNsense side and supply one of the routed IPs on the external firewall side?

Drawing to go with this story:

                                                              ┌────────────────┐
                                                              │                │
                                                              │ incoming fiber │
                                                              │                │
                                                              └────────┬───────┘
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
           OPNsense                                                    │
                                                                       │
┌───────────────────────────────────────┬────────────┐                 │
│                                       │            │    WAN          │
│       ┌───────────────────────────────┤            │                 │
│       │                               │  igb0      ◄─────────────────┘
│       │                               │            │
│       │                               │            │                        ┌───────────────────────────────┐
│       │             ┌─────────────────┼────────────┤                        │                               │
│       │             │                 │            │                        │  A subnet with DHCP, NAT etc  │
│       │             │ NAT             │            ├────────────────────────►                               │
│       ├─────────────►                 │  igb1      │                        │                               │
│       │             │                 │            │                        └───────────────────────────────┘
│       │             ├─────────────────┼────────────┤
│       │             │                 │            │
│       │             │                 │            │                        ┌───────────────────────────────┐
│       ├─────────────► NAT             │  igb2      │                        │                               │
│       │             │                 │            ├────────────────────────►                               │
│       │             │                 │            │                        │ A subnet with DHCP, NAT etc   │
│       │             └─────────────────┼────────────┤                        │                               │
│       │                               │            │                        └───────────────────────────────┘
│       │  one of the routed IPs        │ igb3       │
│       ├───────────────────────────────►            ├─────────────────┐        ┌────────────────────────┐
│       │                               │            │                 │        │                        │
│       │                               ├────────────┤                 └────────►  external firewall     │
│       │                               │            │                          │                        │
│       │   one of the routed IPs       │            │                          └────────────────────────┘
│       └───────────────────────────────► igb4       │
│                                       │            ├──────────────┐           ┌────────────────────────┐
│                                       │            │              │           │                        │
│                                       ├────────────┤              └───────────► external firewall      │
│                                       │            │                          │                        │
│                                       │            │                          └────────────────────────┘
│                                       │            │
│                (spare)────────────────┤ igb5       │
│                                       │            │
│                                       │            │
└───────────────────────────────────────┴────────────┘
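The address accounting behind this post, as an added example that is not part of the forum thread and not OPNsense code: it takes a routed /29 (the 203.0.113.0/29 documentation range, constructed here) and shows how many addresses each way of carving it up actually leaves usable. The demand figures (two outbound-NAT addresses held on the router, two external firewalls each needing a public address) are assumptions that mirror the post; the /32 link model is the PPPoE idea, where the router side of the link carries a private address and only the far-side address is public.

```python
"""Address budget for carving up a small routed IPv4 block such as a /29.

Added example, not code from the forum thread or from OPNsense. The block,
the counts and the purposes are constructed to mirror the post: a /29 routed
to the router's WAN address, two LAN networks that each want one public
address for outbound NAT, and two external firewalls that each need a public
address of their own behind a point-to-point link.
"""
import ipaddress
from typing import Dict, List, Tuple

EXAMPLE_BLOCK = "203.0.113.0/29"  # constructed; RFC 5737 documentation range
NAT_NETWORKS = 2                  # LANs that take one public address each on the router
EXTERNAL_FIREWALLS = 2            # downstream firewalls that need their own public IP


def usable_hosts(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """Addresses that can actually be assigned to a device.

    Classic subnetting loses the first (network) and last (broadcast) address.
    A /31 (RFC 3021 point-to-point) and a /32 have neither, so every address
    in them is assignable.
    """
    if net.prefixlen >= 31:
        return list(net)
    return list(net.hosts())


def split_budget(block: str, new_prefix: int) -> Dict[str, object]:
    """Usable vs. wasted addresses when `block` is cut into equal /new_prefix pieces."""
    net = ipaddress.ip_network(block, strict=True)
    pieces = list(net.subnets(new_prefix=new_prefix))
    usable = sum(len(usable_hosts(p)) for p in pieces)
    return {"pieces": [str(p) for p in pieces],
            "usable": usable,
            "wasted": net.num_addresses - usable}


def link_cost(link_prefix: int) -> int:
    """Public addresses one router-to-external-firewall link consumes.

    /30: network + router side + firewall side + broadcast -> 4
    /31: router side + firewall side                        -> 2
    /32: only the firewall's address is public; the router side of the link
         carries a private address (the PPPoE idea from the post) -> 1
    """
    if link_prefix == 32:
        return 1
    if 30 <= link_prefix <= 31:
        return 2 ** (32 - link_prefix)
    raise ValueError("point-to-point links are modelled as /30, /31 or /32")


def plan(block: str, nat_networks: int, external_firewalls: int,
         link_prefix: int) -> Dict[str, object]:
    """Does the demand fit in `block` with /link_prefix links, and what is left over?"""
    net = ipaddress.ip_network(block, strict=True)
    needed = nat_networks + external_firewalls * link_cost(link_prefix)
    return {"link_prefix": link_prefix,
            "needed": needed,
            "available": net.num_addresses,
            "spare": net.num_addresses - needed,
            "fits": needed <= net.num_addresses}


def allocate(block: str, nat_networks: int, external_firewalls: int,
             link_prefix: int) -> List[Tuple[str, str]]:
    """Concrete (purpose, prefix) assignments, links first so they stay aligned.

    The block start is aligned to its own prefix, and consecutive equal-size
    links placed from there stay aligned too. Single /32 addresses fill in
    afterwards; whatever remains is reported as spare.
    """
    if not plan(block, nat_networks, external_firewalls, link_prefix)["fits"]:
        raise ValueError(f"{block} is too small for this layout with /{link_prefix} links")
    net = ipaddress.ip_network(block, strict=True)
    cursor = int(net.network_address)
    out: List[Tuple[str, str]] = []
    for i in range(1, external_firewalls + 1):
        if link_prefix == 32:
            out.append((f"external firewall {i} (router side of link is private)",
                        f"{ipaddress.IPv4Address(cursor)}/32"))
            cursor += 1
        else:
            link = ipaddress.IPv4Network((cursor, link_prefix))
            router, firewall = usable_hosts(link)
            out.append((f"link to external firewall {i}: router {router}, firewall {firewall}",
                        str(link)))
            cursor += link.num_addresses
    for i in range(1, nat_networks + 1):
        out.append((f"outbound NAT address for LAN {i}", f"{ipaddress.IPv4Address(cursor)}/32"))
        cursor += 1
    spare = int(net.broadcast_address) - cursor + 1
    out.append(("spare", f"{spare} address(es)"))
    return out


if __name__ == "__main__":
    for prefix in (30, 31):
        print(f"/29 split into /{prefix}s:", split_budget(EXAMPLE_BLOCK, prefix))
    for prefix in (30, 31, 32):
        print(plan(EXAMPLE_BLOCK, NAT_NETWORKS, EXTERNAL_FIREWALLS, prefix))
    for purpose, prefix in allocate(EXAMPLE_BLOCK, NAT_NETWORKS, EXTERNAL_FIREWALLS, 31):
        print(f"{prefix:20} {purpose}")
```

Running it shows the shape of the problem in numbers: two /30 links alone need 8 addresses, so the /29 cannot hold them plus two NAT addresses; /31 links fit with two addresses to spare; /32 links (private router side) leave half the block free. The calculator only covers per-link layouts and does not model putting the whole /29 on one shared segment, which the post rules out because the two external firewalls are meant to be separate networks.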


#7
Generally such a BIOS would be managed over the serial port or in-band like coreboot.

Are you using a null-modem cable? Some USB-to-Serial adapters require that if you are going host-to-host.

Also test your serial port by shorting TX and RX on your USB-to-Serial to see if the cable at least works.

Regarding the hardware: check if there is a number on the other side of the PCB that shows what it is.

It's a normal APU 2d board. https://pcengines.ch/apu2.htm There are two serial ports and there is coreboot instead of a legacy BIOS. Probably the apu2e2 or apu2e4. There are two serial ports, the classic COM port and a 3v3 COM2.

https://www.pcengines.ch/ht_com.htm "Use a DB9 female to female null modem cable" and "115200 8N1 no flow control".

Also: "The serial console can be disabled in BIOS setup if you need the serial port for an external device. To get the serial console back, please press the small pushbutton switch S1 while powering up the board. You can then change the setting in the BIOS."

They have more pages: https://pcengines.ch/howto.htm#serialconsole

So there you go!
#8
That is the link speed but not the speed at which the interface actually operates. Same for the ethernet link speed.

If the chipset can only do around 90Mbit/s (which happens a lot with USB 3 "gigabit ethernet" adapters), it doesn't matter that the USB link says 5Gbps and the ethernet link says 1000Mbps.

USB Ethernet adapters can be very hard to check, especially since a lot of vendors make bad USB drivers for FreeBSD, and some don't make any drivers at all so they have to be reverse-engineered to work, which isn't ideal.

Maybe there is an easy way to test if the chipset is even capable of running at the full link speed: you can plug it into a computer running Windows, macOS or Linux and see if you can saturate the link there. If that works, we know for sure that at least the chip in the adapter works correctly.
#9
Ah, I see. There is no visual feedback that the header is clickable at all, I guess that's why I assumed it didn't work when I clicked Interface (which is the only one that doesn't do anything).
#10
I was looking at the DHCP leases page to see if there was an easy way to improve it to filter and sort (for example on Interface or by IP or by MAC), but it looks like this is one of the pages and services that is still in the legacy format, is that correct?

It looks like it's possible to add some JavaScript in there and tack it on to the old-style mixed front-end, but this seems like a prime candidate for a refactoring to Phalcon. Is this something that is already being looked at, or is this, being a core service, not currently something to be messed with?
#11
Seems like your LAN is running at 100Mbit, not 1Gbit.
#12
Hardware and Performance / Re: TPM Support?
July 01, 2021, 11:42:00 PM
Quote from: fields987 on July 01, 2021, 10:33:51 PM
I know what it is and wouldn't expect it to improve network security other than if the firewall itself was compromised by something that altered the bootloader.

Ah, so it's not the TPM that is the main thing here, but Secure Boot or Verified Boot then? That can indeed use something like the PCR feature in TPMs.

The problem is that secure boot needs to be built into FreeBSD and it is currently not really present.

https://github.com/opnsense/src/issues/81
#13
Hardware and Performance / Atom C3000 LED control
July 01, 2021, 05:51:18 PM
Has anyone had any luck with LED control, GPIO control or I2C control on Atom C3000 systems?
I'm mostly looking into tuning the hardware watchdog, thermal configuration, front-panel LED and SFP configuration (LEDs for the network ports run via a CPLD that is configured over I2C at boot - I already have the parameters but I don't have access to any I2C bus :( )
#14
Always nice to see the end result. Did you also wall mount it? Or do you have it sitting on a shelf somewhere. I'm curious how other people have their airflow done; for me it mostly doesn't seem to matter in my climate but other places in the world probably need to pay more (or even less) attention to it.
#15
Most of them do not have coreboot from the factory, but since almost all of them are based on the same Intel designs you could probably get it to work anyway. The biggest factor is Intel Boot Guard. If that is enabled, there are some limitations as to how much coreboot you can use.

In general, I tend to use Qotom or Dell VEP boxes; they work pretty well. Someone is selling off a bunch of Xeon D embedded Supermicro boards on eBay, also a very nice platform for high performance on the cheap.

On the other hand: what do you actually need? A lot of 1G networks work fine on, say, a 4th generation Intel NUC with a miniPCIe network card and an extra hole in the case, or even 2 VLANs on the built-in network port for a fully functional 450Mbit network. Costs almost nothing that way and works all the same.