Messages - pvols1979

#1
Zenarmor (Sensei) / Re: Country Blocks
October 14, 2021, 07:51:27 PM
I realize that I can do blocks in the pf, and I am currently doing that now.  The problem I am having is when I have an application that I want to allow across all countries.  So, I want the allow in Sensei to take precedence over my lower level pf rules for country blocks or have the ability to do the country blocks in Sensei and be able to configure the precedence.
#2
Zenarmor (Sensei) / Country Blocks
October 06, 2021, 12:37:37 AM
Is there a way to do GeoIP country blocks?  I am doing that in the packet filter currently, but I would like to do it through Sensei and have applications and web filters take precedence, then country blocks.
#3
I figured out my problem.  I cannot explain why, but I enabled all interfaces except for WAN and my speed is now what it should be in the speed tests.
#4
OPNsense 21.7.3_3-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz (4 cores)

8GB memory

Intel NIC 1GB
#5
Zenarmor (Sensei) / Bandwidth test issues with Sensei
October 05, 2021, 04:29:58 PM
I recently installed the Sensei plugin for OPNsense.  I love what I am seeing so far, but I seem to be having an issue with the netmap config.  When I choose native netmap, I get half of my 1G fiber speeds.  I usually hit around 940/940 with Sensei enabled on my LAN interface. When I choose the generic netmap driver, I get great download speeds, but my upload is less than 1Mbps.  I think this is telling me that the generic driver works best for my download, but I can't imagine why my upload is doing so badly.
#7
When traffic flows through OPNsense with IPS enabled, does it hit the firewall or the IPS first?  If I create IP Aliases that are allowed at the firewall filter level, does that bypass the traffic running through IPS?  If not, is there a way I can create an allowance that allows certain traffic to bypass the IPS?
#8
I will also contact the GitHub user who wrote the original pfatt code and let them know of the change.
#9
I was able to make the modification mentioned in this thread.  I simply created a /boot/loader.conf.local file and put the required modules in it.  I have a guide on my site to setting up the bypass using the pfatt method and I posted an update to my article regarding the changes and what is required to make it work.  Everything is working fine on my system and the local loader file should protect me against the next update.
https://geekzweb.com/2019/06/10/bypassing-arris-bgw210-700-pfsense-netgraph/
#10
I figured this out.  The profiles have evidently changed in the latest version(s).  There is no longer an option for Android or iOS.  I downloaded the file option which basically outputs a single file with the keys included.  This was perfect for OpenVPN Connect on the iPhone and the app I am using on my Mac.
#11
Gotcha.  I had moved the VIP for the VPN from an IP alias to "other".  I forgot that Alias (or one of the other options) is needed to run services on the VIP.  Thank you for your response.  It is working perfectly now.
#12
I have configured an OpenVPN server, but the only interface options are LAN, WAN, Any.  I do not want it to listen on Any, but I do want it to listen on a VIP.  How can this be done?
#13
19.7 Legacy Series / OpenVPN client profiles (IOS)
July 19, 2019, 09:25:18 PM
The documentation for OPNsense OpenVPN config mentions going to client export under VPN->OpenVPN and choosing the OpenVPN Connect profile for iOS devices.  I do not have that option.  Is that missing in 19.7?  How can I create a config for iOS with the certificates included in the config file like was done in the past?
#14
General Discussion / Re: Default / Hidden rules
July 19, 2019, 12:35:36 AM
Quote from: AdSchellevis on July 10, 2016, 02:30:40 PM
Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simplify our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.

Best regards,

Ad

Is this still something that is being considered?  I would love to see the default rules.  I have some that are taking actions on traffic and I am having a hard time understanding the intent.
#15
19.7 Legacy Series / Re: cant up date to 19.7
July 19, 2019, 12:29:16 AM
I had this same problem yesterday.  It is there if you read it, but somehow I kept missing.  I think it was because my natural instinct was to press y