Assuming I have a VLAN-capable wifi (e.g. Netgear Orbi Pro) and I plug this device into one of the ethernet ports of my future OPNsense box, how would I configure OPNsense VLAN-wise?
With a managed switch I could configure each port to process packets from more than one VLAN with tags.
In the OPNsense configuration I do not see any equivalent for that. I can only assign ONE tag to ONE interface.
How can OPNsense distinguish between VLAN20 and VLAN30 both coming into OPNsense on the same port?
I was thinking in the same direction. I would have to replace my Netgear Orbi with Orbi Pro which is capable of creating up to 4 different SSIDs and VLAN tagging.
Right now I am running a "firewall on a stick" setup with a cable modem connected to the WAN port of my OPNsense machine (Intel NUC) and a managed 8-port switch connected to the LAN port (Netgear GS308T).
I have a VLAN for my general wifi devices (VLAN20) that are all connected to a wifi AP (which is connected to a certain port on the switch).
Additionally I have a separate VLAN for IoT devices (VLAN30). Since many of them are also wifi devices I am using the feature "MAC-based VLAN" in the Netgear switch to assign the VLAN30 tag to devices that would otherwise get the VLAN20 tag from the corresponding switch port.
The idea that I am developing currently is to replace the NUC and the switch with a 2-in-1 device like this Protectli Vault with 6 NICs: https://eu.protectli.com/product/vp4630/
How would I implement the "MAC-based VLAN" feature in that case? Since I wouldn't have a dedicated switch anymore I would assume that I can control this via OPNsense, but I don't find the corresponding options in the OPNsense GUI.
It should be possible to use 802.1X features in conjunction with FreeRADIUS, but in that case all of the client devices would have to support 802.1X, which is not the same thing as the simple MAC-based VLAN from my current Netgear switch (this comes without any need for RADIUS authentication).
But my goal is to reduce the number of network devices to a minimum. So bottom line, I want to separate wifi devices into two VLANs by only using a "dumb" access point (Netgear Orbi) attached to the mentioned Protectli Vault.
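To illustrate the mechanism behind both questions above (how one port can carry VLAN20 and VLAN30, and what "MAC-based VLAN" actually does), here is a small added example that is not from the thread or from OPNsense: it parses raw Ethernet frames, demultiplexes tagged ones by their 802.1Q VID the way per-parent VLAN interfaces do, and classifies untagged ones by a MAC table the way the switch feature does. The interface names, VLAN table and MAC addresses are constructed assumptions.

```python
import struct

# Constructed mapping, mirroring the thread's layout (assumed names):
# VLAN 20 = general wifi, VLAN 30 = IoT, both arriving on one trunk port.
TAGGED_VLANS = {20: "vlan20_wifi", 30: "vlan30_iot"}
# MAC-based VLAN table as a switch would hold it (constructed MAC address).
MAC_VLAN = {"02:00:00:00:00:30": 30}
DEFAULT_VLAN = 20            # untagged frames with no MAC match land here
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes):
    """Return (src_mac, vid_or_None, ethertype, payload) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF       # VID is the low 12 bits of the TCI; PCP/DEI ignored
        offset = 18
    return mac_str(src), vid, ethertype, frame[offset:]

def classify(frame: bytes) -> str:
    """Pick the logical interface for a frame seen on the trunk port."""
    src, vid, _, _ = parse_frame(frame)
    if vid is not None:
        # Tagged: the tag alone decides, as OPNsense's VLAN interfaces on a
        # shared parent do. A VID with no configured interface is dropped.
        return TAGGED_VLANS.get(vid, "drop")
    # Untagged: emulate the switch's MAC-based VLAN. Note the source MAC is
    # attacker-controlled, so this is convenience, not an enforced boundary.
    return TAGGED_VLANS[MAC_VLAN.get(src, DEFAULT_VLAN)]

def build_frame(src: str, vid=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test-frame builder: broadcast destination, IPv4 payload type."""
    src_b = bytes(int(x, 16) for x in src.split(":"))
    hdr = b"\xff" * 6 + src_b
    if vid is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, vid, ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload
```

The takeaway for the second question is in the untagged branch: MAC-based classification keys on a field any client can change, so it separates well-behaved devices but does not replace a tag applied by the AP itself.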
I recently got an upgrade for my internet bandwidth from 200/50 Mbit to 1000/50 Mbit.
Sadly, my initial speed tests only resulted in 160/50 Mbit.
I quickly identified Suricata with activated IPS as the bottleneck. I tried each combination of Hyperscan vs. Aho-Corasick, activation of Suricata on LAN (igb), LAN+WAN, WAN (em), and every performance tuning rule described in the first post of this thread, but still I got only around 160/50 with IPS enabled.
I also noticed that the Suricata process uses 100% of one CPU core during speed tests whereas the remaining three cores were idling. Also, disabling most of the rules resulted in a "successful" speed test of 950/50 Mbit.
So my question is, why doesn't Suricata make use of all four cores? Why is the clock speed of a single core the bottleneck here? From what I understood reading about Suricata, it should be capable of multithreading?