Messages

1

General Discussion / Custom script and logging

« on: August 31, 2023, 04:25:53 pm »

I have a sh script that writes to a log file. It's primarily used on linux boxes, how can I adapt it to OPNsense?

I usually just drop it in /usr/local/bin and it logs to /var/log. I noticed there isn't a logrotate install. How do I handle log file rotation in OPNsense?

Thanks!

2

21.7 Legacy Series / Multiwan/source based routing type

« on: December 25, 2021, 11:28:55 pm »

Is there a way to get the policy based routing for multiwan to consider a hash or the source-ip and the source-port when applying round-robin determination? I need to balance traffic from another firewall that can only have a single external IP. The default "round-robin sticky-address" only seems to look at the source address.

3

21.1 Legacy Series / Re: Question about multiwan load balancing method algorithms

« on: July 27, 2021, 03:53:59 am »

Looking at the pf rules I'm guessing this is what is doing the load balancing:

Code: [Select]

pass in quick on re0 route-to { (ue0 $WAN1_IP), (ue1 $WAN2_IP) } round-robin sticky-address inet from (re0:network) to any flags S/SA keep state label "somelabel"
I've been going through the docs for pf but I can't seem to find a way to consider an ip/port hash, round-robin seems to be it, and that looks to only consider source IP...but I haven't found docs that specifically state so.

Any help please!

4

21.1 Legacy Series / Question about multiwan load balancing method algorithms

« on: July 25, 2021, 03:54:24 am »

 I have a setup where I'm using the typical multiwan setup where you have 2 wan interfaces, a single lan, and a gateway  group with both gateways being tier 1. This has worked for me for most setups, but now I have a setup where I have another firewall in my lan so most traffic is coming from the single IP on that firewall.

Yes, another firewall in my LAN zone. Can't argue that's not a great design...but it's what I'm stuck with for now.

The issue I'm seeing is that it seems whatever decides the load balancing round-robin option must only consider the source IP, as all traffic from that particular IP get's sent to the same WAN interface regardless of source port or amount of traffic from other lan clients.

Is there a way to have source based routing look at port number, or any way to modify it at all? Any other load balancing techniques or algorithms?

I can disable sticky connections, and I'll see an improvement in load balancing, but any ssl connections will have to be re-authenticated a few times during a session. It's random but does happen more without stickyness, which is to be expected.

5

19.1 Legacy Series / Alternative to ping for gateway monitoring?

« on: July 06, 2019, 08:44:10 pm »

Is there a way to define a check for gateway availability that isn't ICMP? Something like TCP port availability or DNS query success?

My ISP is obviously giving low priority to ICMP on the first several hops through their network.