Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - topuli

Pages: [1]

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: September 04, 2020, 10:19:46 pm »

first of all, i like opnsense and i am an absolute supporter, my comment was meant to be absolutely constructive... i personally wasn't aware that a rather simple looking feature can have a nearly 50% performance impact and i have a feeling as if i couldn't be the only one, so i just wanted to share information.

Hardware and Performance / Re: Asking for hw recommendation(s)

« on: September 04, 2020, 10:08:18 pm »

can you give as some information about your usecase and the services you want to use (IPS, Proxy, Tor....).
If your requirements are not to high maybe this hardware may suite your needs:
https://www.supermicro.com/en/products/system/Box_PC/SYS-E50-9AP-N5.cfm

i personally use a e100-9ap and i am quite happy with it

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: September 04, 2020, 09:39:01 pm »

A quick follow up. I am routing about 20 vlans. I read a lot about performance tuning and in one post the captive portals performance impact was mentioned. Recently i changed my WiFi setup and at some point i have tried the captive portal function for a guest vlan. So i gave it a try and disabled the captive portal (was active for one vlan) . I could not beliefe my eyes when i tested the throughput again.

captive portal enabled for one vlan:
530 Mbit/s

captive portal disabled:
910 Mbit/s

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: September 04, 2020, 10:51:00 am »

just for the record. i am also experiencing degraded throughput. lan routing between different vlans only with firewall enabled, no IPS etc. is around 550 Mbit/s. the setup is switch -> 1Gbit trunk -> switch -> 1Gbit trunk -> opnsense fw. Low overall traffic.

19.7 Legacy Series / Re: OPNsense on Supermicro restarts on shutdown?

« on: September 21, 2019, 10:27:41 am »

Have you checked the watchdog settings in your bios?

18.7 Legacy Series / Re: ntp Questions

« on: February 18, 2019, 03:06:01 pm »

these are standard messages.
The opnsense gui shows the servertime and the sync source under dashboard\lobby in the section network time.

for me to work correctly, i had to set kern.timecounter.hardware in the system\settings\tunables
i have set the value to "HPET"

t.

19.1 Legacy Series / Re: Upgrade from 18.7.10_4 to 19.1.1 fails

« on: February 17, 2019, 03:41:36 pm »

happend to me too.
The very short version:

Download image (vga version)
sha256 check
Unzip
Take usb stick and clean with:
diskpart,list disks,select disks (‼ be sure its the USB stick), clean

Use rufus to create bootable image: dd image (the extracted opnsense file), GBT UEFI, 8192(default),fat32

Login with installer and pw opnsense
Install

Connect via cable to 192.168.1.1
Login with root and your pw from the install process
Restore backup
Modify your needed variables in tunables via the GUI or set in /boot/loader.conf.local

t.

18.1 Legacy Series / Re: AHCI Timeout on 18.1 but 17.7 installs fine

« on: January 04, 2019, 07:17:54 pm »

Just in case someone is on the same hardware.
Upgraded my firmware for the supermicro E100-9AP to 1.2.
For some strange reason and to my surprise the system bootet into an sdhci pci X-slot 0 timeout.
After several timeouts the system continous to boot.

#I had to set the following in /boot/device.hints - looks like the file is overwritten by the latest update
So i set the following in /boot/loader.conf.local

hint.sdhci_pci.0.disabled="1"
hint.sdhci_pci.1.disabled="1"
hint.sdhci_pci.2.disabled="1"

t.

General Discussion / Re: unbound - dhcpleases

« on: May 12, 2018, 11:13:12 pm »

today i was able to take a closer look at the problem.
after i found out about /usr/local/opnsense/scripts/dns/unbound_dhcpd.py i looked into the scipt.
unbound_control is used to list and read the local data.
So to further isolate my problem i started with:

Code: [Select]

unbound-control -c /var/unbound/unbound.conf list_loca_data I was greeted by an error message:

error: SSL handshake failed
2586055198312:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verfify failed:s3_clnt.c:1269:

the reason my /var/unbound/dhcpleases.conf is empty, is because the command (unbound_control) that wants to read my local data fails.

so i asked my second best friend google and found:
https://forum.ipfire.org/viewtopic.php?t=18906

inspired by this post and after reading https://www.unbound.net/documentation/unbound-anchor.html i:

sshed into the opnsense box

Code: [Select]

cd  /var/unbound
mv root.key _root.key
mv unbound_control.key _unbound_control.key
mv unbound_control.pem _unbound_control.pem

restart unbound in the opnsense gui under System/Diagnostics/Services

unbound restarts and the files root.key, unbound_control.key and unbound_control.pem get regenerated.

Now # unbound-control -c /var/unbound/unbound.conf list_loca_data works and /var/unbound/dhcpleases.conf can be written.

i now can resolve my local dhcp-clients.

Jupidu!

General Discussion / Re: unbound - dhcpleases

« on: May 12, 2018, 10:27:25 pm »

thanks for your reply. yes the dns-server the clients via DHCP is the opnsensebox.

General Discussion / unbound - dhcpleases

« on: May 07, 2018, 01:12:26 pm »

Hi,

i have setup dhcp and unbound.
Under System/General/Domain, a domain is set.

Unbound is enabled and "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" is set.

My clients do get an ip, dns-server,gateway, dns suffix... via dhcp
I can see the leased IPs under DHCPv4/Leases

However i cant resolve the hosts in my environment.
I have noticed that /var/unbound/dhcpleases.conf is empty!

What i have already tried ist:
set "System\Settings\Administration\Disable DNS Rebinding Checks"
set "Unbound DNS\General\Local Zone Type\static"

Any ideas?

Thx t.

German - Deutsch / Re: Firewall Rule Problem - ping

« on: May 02, 2018, 06:40:36 pm »

offensichtlich ein bekanntes Verhalten und die Art und Weise wie der PF arbeitet:
https://forum.pfsense.org/index.php?topic=39895.0
http://freebsd.1045724.x6.nabble.com/PF-quot-keep-state-quot-for-ICMP-td4183717.html

LG
t.

German - Deutsch / Firewall Rule Problem - ping

« on: May 02, 2018, 12:09:23 pm »

Hallo Leute,

zu meinem Setup:
Ein supermicro E100-9AP als Opnsensebox mit einem Wan und einem Lan interface.
Am Lan Interface hängt über einen Trunk ein Cisco SG300 switch der wieder über einen Trunk mit einem zweiten SG300 verbunden ist. Auf beiden switches liegen Vlans an, die über die Trunks zur Opnsensebox geführt werden.
Zum Testen habe ich zwei Clients an einen switch angeschlossen. Die Ports für die Clients habe ich für jeweils ein Vlan als access-port definiert; also einmal access-port vlan10 und einmal access-port vlan 20.

In Opensense sind die vlans, interfaces,nat.... für die vlans definiert.
Prinzipiell funktioniert der Zugriff der Clients ins Internet.

Zu meinem Problem:
Um die Konfiguration zu testen habe ich für vlan10 und vlan20 die FW-Rules so definiert, dass aus dem jeweiligen Netz in das andere Netz icmp zugelassen ist.

Ein Ping von vlan10 nach vlan20 und vlan20 nach vlan10 hat wie erwartet wechselseitig funktioniert.

Dann habe ich für vlan20 die Rule für icmp auf reject gesetzt. Und dann hatte ich folgendes Phänomen:

Ein Ping aus vlans20 nach vlan10 hat nicht funktioniert, ein Ping aus vlan10 nach vlan 20 hat funktioniert; so weit so gut.
Wenn allerdings ein Ping von vlan10 nach vlan20 läuft funktioniert plötzlich auch das Ping aus vlan20 nach vlan10. Das ganze ist zeitabhängig, wenn ich das Ping von vlan10 nach vlan20 beende, ist nach kurzer Zeit auch das Pingen aus vlan20 nicht mehr möglich.

Mir ist klar das icmp stateless ist, das lösen aber andere FWs auch; eigenlich ist ja Echo und Echo Reply ganz gut auseinander zu halten.

Kann mich bitte jemand aufklären, wass genau hier passiert und wie ich das gegebenenfalls unterbinden kann.

LG
t.

18.1 Legacy Series / Re: AHCI Timeout on 18.1 but 17.7 installs fine

« on: April 29, 2018, 01:17:53 pm »

i can confirm that setting this variables also works for the supermicro e100-9ap (motherboard a2san-e) with an installed sata m.2 samsung 860 evo! without the settings, the ssd is not recognized by the installer (ssd is visible in the bios)

To recap the steps needed for 18.1 and my hardware:

* boot usb pendrive (amd64_vga image prepared with dd) - booth a 2GB usb 2 and a 16GB usb 3 key worked
* press escape as soon as the boot logo appears
* cursor blinks beside the OK prompt
* type:
set machdep.disable_msix_migration=1 (press return)
set hint.hpet.0.clock=0 (press return)
set hint.ahci.0.msi=2 (press return) ahci.0 for channel 0 ahci.1 for channel1 or juste set it for both channels
set hint.ahci.1.msi=2 (press return)
* boot (press return)

* at the login prompt login as root with the password you have set during the installation process
choose 8.) shell

* with your favourite create the file /boot/loader.conf.local
you can also put it in the existing /boot/loader.conf, but this file will be overwritten with the next upgrade

* insert the lines :
machdep.disable_msix_migration=1
hint.hpet.0.clock=0
hint.ahci.0.msi=2
hint.ahci.1.msi=2

* write the file and reboot

hope it helps someone

t.

Pages: [1]