Messages

1

Hardware and Performance / Re: Poor Performance with OpnSense 23.1 and Hyper-V 2019

« on: February 19, 2023, 10:07:44 pm »

Have you tried without windows? (i.e. Xen, KVM, ESX) That would be the fastest/easiest test to know for sure if it is the microsoft layer or something else (i.e. cpu).

2

21.7 Legacy Series / Re: OPNsense 21.7.3_3 - device is seen only on port 6 on the switch

« on: October 19, 2021, 02:40:25 am »

This makes very little sense. OpnSense might use 802.1X on your WAN connection if your provider requires it and if you set that up during the setup process, but otherwise that stuff is completely absent or disabled.

What switch do you have? What devices are connected where?
Perhaps it might be best to draw a diagram and use the "Insert Code" button on the forum and paste it there.
Something like asciiflow.com can be used (it has an export button which allows you to copy the text).

So far this is all that can be gleaned from your explanation:

Code: [Select]

         ┌───────────────────────────────────────┐
         │                                       │
         │        TP-Link Switch                 │
         │                                       │
         │                                       │
         │                                       │
         │  Port 6                               │
         └───┬───────────────────────────────────┘
             │
             │
             │ Ethernet cable
             │
             │
┌────────────┴──┐
│               │
│ OpnSense      │
│               │
│               │
└───────────────┘

 Some PC, Server, or Virtual Firewall appliance?

More information is required:

- What hardware are you using (type/part/brand)
- What network interfaces do exist in hardware
- What network interfaces are defined in the interface assignment in OpnSense
- How are those interfaces configured (manually, static, DHCP, PPPoE etc)
- What is connected where
- Which specific switch are you using
- What ports are available
- What is plugged in to those ports

3

21.7 Legacy Series / Re: Can I install from FreeBSD ports?

« on: October 19, 2021, 02:36:08 am »

It's probably not a good idea to mix the purpose of your firewall and what seems to be a video camera tool on the same installation. While not impossible, mixing this stuff together means that neither will work as well as they would stand-alone.

4

21.7 Legacy Series / Re: How to test Google Drive configuration backups

« on: October 11, 2021, 04:08:36 pm »

Download them from your google drive, import them into a virtual box vm to test them.

5

General Discussion / Route a routed subnet partially to some LAN devices

« on: October 03, 2021, 05:39:08 pm »

I'm trying to setup a routed subnet that is routed towards my WAN IPv4 to be used for multiple purposes. This is a relatively small subnet, a /29, and I'd like to:

- Have 2 addresses used for 2 LAN networks, they would have their own outbound NAT each
- Have 2 more used for 2 separate networks that run their own firewall on their own public IP

The problem is that with such a small subnet you can't really split it off into multiple subnets and have a public interface consuming 4 addresses (well, 2 addresses one network address and one broadcast address).

One "solution" might be a /31, but that would still waste addresses. Maybe a PPPoE connection would make it possible to use a private IPv4 on the OpnSense side and supply one of the routed IPs on the external firewall side?

Drawing to go with this story:

Code: [Select]

                                                              ┌────────────────┐
                                                              │                │
                                                              │ incoming fiber │
                                                              │                │
                                                              └────────┬───────┘
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
           OPNsense                                                    │
                                                                       │
┌───────────────────────────────────────┬────────────┐                 │
│                                       │            │    WAN          │
│       ┌───────────────────────────────┤            │                 │
│       │                               │  igb0      ◄─────────────────┘
│       │                               │            │
│       │                               │            │                        ┌───────────────────────────────┐
│       │             ┌─────────────────┼────────────┤                        │                               │
│       │             │                 │            │                        │  A subnet with DHCP, NAT etc  │
│       │             │ NAT             │            ├────────────────────────►                               │
│       ├─────────────►                 │  igb1      │                        │                               │
│       │             │                 │            │                        └───────────────────────────────┘
│       │             ├─────────────────┼────────────┤
│       │             │                 │            │
│       │             │                 │            │                        ┌───────────────────────────────┐
│       ├─────────────► NAT             │  igb2      │                        │                               │
│       │             │                 │            ├────────────────────────►                               │
│       │             │                 │            │                        │ A subnet with DHCP, NAT etc   │
│       │             └─────────────────┼────────────┤                        │                               │
│       │                               │            │                        └───────────────────────────────┘
│       │  one of the routed IPs        │ igb3       │
│       ├───────────────────────────────►            ├─────────────────┐        ┌────────────────────────┐
│       │                               │            │                 │        │                        │
│       │                               ├────────────┤                 └────────►  external firewall     │
│       │                               │            │                          │                        │
│       │   one of the routed IPs       │            │                          └────────────────────────┘
│       └───────────────────────────────► igb4       │
│                                       │            ├──────────────┐           ┌────────────────────────┐
│                                       │            │              │           │                        │
│                                       ├────────────┤              └───────────► external firewall      │
│                                       │            │                          │                        │
│                                       │            │                          └────────────────────────┘
│                                       │            │
│                (spare)────────────────┤ igb5       │
│                                       │            │
│                                       │            │
└───────────────────────────────────────┴────────────┘


6

Hardware and Performance / Re: Connection to console via serial port not possible

« on: August 26, 2021, 10:29:27 pm »

Generally such a BIOS would be managed over the serial port or in-band like coreboot.

Are you using a null-modem cable? Some USB-to-Serial adapters require that if you are going host-to-host.

Also test your serial port by shorting TX and RX on your USB-to-Serial to see if the cable at least works.

Regarding the hardware: check if there is a number on the other side of the PCB that shows what it is.

It's a normal APU 2d board. https://pcengines.ch/apu2.htm There are two serial ports and there is coreboot instead of a legacy BIOS. Probably the apu2e2 or apu2e4. There are two serial ports, the classic COM port and a 3v3 COM2.

https://www.pcengines.ch/ht_com.htm "Use a DB9 female to female null modem cable" and "115200 8N1 no flow control".

Also: "The serial console can be disabled in BIOS setup if you need the serial port for an external device. To get the serial console back, please press the small pushbutton switch S1 while powering up the board. You can then change the setting in the BIOS."

They have more pages: https://pcengines.ch/howto.htm#serialconsole

So there you go!

7

Hardware and Performance / Re: Very slow through put

« on: July 12, 2021, 03:13:55 am »

That is the link speed but not the speed at which the interface actually operates. Same for the ethernet link speed.

If the chipset can only do around 90Mbit/s (which happens a lot with USB 3 "gigabit ethernet" adapters), it doesn't matter that the USB link says 5Gbps and the ethernet link says 1000Mbps.

USB Ethernet adapters can be very hard to check, especially since a lot of vendors make bad USB drivers for FreeBSD, and some don't make any drivers at all so they have to be reverse-engineered to work, which isn't ideal.

Maybe there is an easy way to test if the chipset is even capable of running that the full link speed, you can plug it in to a computer running Windows, macOS or Linux and see if you can saturate the link there. If that works, we know for sure that at least the chip in the adapter works correctly.

8

Development and Code Review / Re: DHCP Leases improvement

« on: July 09, 2021, 03:27:32 am »

Ah, I see. There is no visual feedback that the header is clickable at all, I guess that's why I assumed it didn't work when I clicked Interface (which is the only one that doesn't do anything).

9

Development and Code Review / DHCP Leases improvement

« on: July 08, 2021, 06:03:41 pm »

I was looking at the DHCP leases page to see if there was an easy way to improve it to filter and sort (for example on Interface or by IP or by MAC), but it looks like this is one of the pages and services that is still in the legacy format, is that correct?

It looks like it's possible to add some JavaScript in there and tack it on to the old style mixed front-end, but this seems like a prime candidate for a refactoring to Phalcon. Is this something that is already being looked at, or is this, being a core service, not currently something to be messed with.

10

Hardware and Performance / Re: Very slow through put

« on: July 07, 2021, 02:15:56 am »

Seems like your LAN is running at 100Mbit, not 1Gbit.

11

Hardware and Performance / Re: TPM Support?

« on: July 01, 2021, 11:42:00 pm »

I know what it is and wouldn't expect it to improve network security other than if the firewall itself was compromised by something that altered the bootloader.

Ah, so it's not the TPM that is the main thing here, but Secure Boot or Verified Boot then? That can indeed use something like the PCR feature in TPMs.

The problem is that secure boot needs to be built into FreeBSD and it is currently not really present.

https://github.com/opnsense/src/issues/81

12

Hardware and Performance / Atom C3000 LED control

« on: July 01, 2021, 05:51:18 pm »

Has anyone had any luck with LED control, GPIO control or I2C control on Atom C3000 systems?
I'm mostly looking into tuning the hardware watchdog, thermal configuration, front-panel LED and SFP configuration (LEDs for the network ports run via a CPLD that is configured over I2C at boot - I already have the parameters but I don't have access to any I2C bus )

13

Hardware and Performance / Re: Hardware Recommendations for 1Gbps

« on: July 01, 2021, 05:44:43 pm »

Always nice to see the end result. Did you also wall mount it? Or do you have it sitting on a shelf somewhere. I'm curious how other people have their airflow done; for me it mostly doesn't seem to matter in my climate but other places in the world probably need to pay more (or even less) attention to it.

14

Hardware and Performance / Re: Protectli Vault clone with i7-10510U - Thoughts, Coreboot support?

« on: July 01, 2021, 05:40:00 pm »

Most of them do not have coreboot from the factory, but since almost all of them are based on the same Intel designs you could probably get it to work anyway. The biggest factor is Intel Boot Guard. If that is enabled, there are some limitations as to how much coreboot you can use.

In general, I tend to use Qotom or Dell VEP boxes, they work pretty well. Someone is selling off a bunch of Xeon D embedded supermicro boards on eBay, also a very nice platform for high performance on the cheap.

On the other hand: what do you actually need? A lot of 1G networks work fine on say, a 4th generation Intel NUC with a miniPCIe network card and an extra hole in the case, or even 2 VLANs on the built in network port for a fully functional 450Mbit network. Costs almost nothing that way and works all the same.

15

Hardware and Performance / Re: TPM Support?

« on: July 01, 2021, 05:36:18 pm »

It 'supports' it as in, it is functional and has a driver but it doesn't "do" anything for your network.

Do you know what a TPM is and what it is for? Because it seems like you might just like it because it has a cool name