Messages - snoopy78

#1
download the config backup, make a copy of it and open the file in e.g. notepad++

there you should possibly see orphaned interfaces and can simply delete the corresponding sections....then import the config again and see whether that was it.....if it doesn't work, factory reset and import the original backup...
#2
Hi,

as far as I know you have DS-Lite and not normal PPPoE.
It is also listed that way in the DGN FAQ:

https://deutsche-giganetz.de/faq/
"
WAN interface

1000Base-T RJ-45 port
VLAN (IEEE 802.1Q)
DHCP client with prefix delegation support
PPPoE
IPv6
IPv4/IPv6 dual stack
DS-Lite
"


I once wrote something about this in another forum:
"
DGN uses PPPoE with VLAN 7, no DHCP...

BTW...for anyone interested (in building a DS-Lite GIF tunnel)...the AFTR address for DGN (at least for me) is:

aftr.fra.purtel.com

2a01:41e3:ffff:cafe:face::3
"

i.e. as far as I know you have to build a GIF tunnel for DS-Lite to make it work.
https://forum.opnsense.org/index.php?topic=27935.0


In April '23 I had the same problem as you. After several tests and attempts it got to the point where nothing worked at all any more, because at the ISP (more precisely at PurTel) the PPPoE log servers were full for me and therefore no dial-in was possible at all.
Even an AVM 7530AX I bought in the meantime (which is supported by DGN) did not go online.
After I finally made it through the hotline to 2nd level support, the log could be deleted and the AVM went online.
Since then I have left it that way out of necessity, since one more device isn't worth constantly stepping on DGN's toes.

So in short my experience is: DGN and Sense....doesn't really work..:S
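What the GIF tunnel mentioned in the post looks like at the FreeBSD level, as an added example that is not part of the original post nor OPNsense's own code (in OPNsense the same thing is normally configured under Interfaces > Other Types > GIF; anything done by hand on the console is not written to config.xml and is gone after a reboot). The AFTR name and address are the ones quoted above. Everything else is an assumption: the PPPoE interface name pppoe0, the B4/AFTR addresses 192.0.0.2/192.0.0.1 from RFC 6333, and a tunnel MTU of 1452 (PPPoE MTU 1492 minus the 40-byte outer IPv6 header). With DRY_RUN=1 it only prints the commands it would run, so the plan can be checked before the default route is replaced.

```shell
#!/bin/sh
# Added example (not from the post): bring up a DS-Lite B4 tunnel with gif(4) on
# FreeBSD/OPNsense. Assumptions, not taken from the page:
#   WAN_IF                - the PPPoE interface already holds a global IPv6 address
#   192.0.0.2 / 192.0.0.1 - B4 / AFTR well-known addresses (RFC 6333)
#   TUNNEL_MTU            - PPPoE MTU 1492 minus the 40-byte outer IPv6 header
# The AFTR name and the fallback address are the ones quoted in the post.

AFTR_NAME="aftr.fra.purtel.com"
AFTR_V6_FALLBACK="2a01:41e3:ffff:cafe:face::3"
WAN_IF="${WAN_IF:-pppoe0}"
GIF_IF="${GIF_IF:-gif0}"
B4_V4="192.0.0.2"
AFTR_V4="192.0.0.1"
TUNNEL_MTU=1452
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before the routing table is touched.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_global_v6 ADDR: true for global unicast (2000::/3), i.e. first hex digit
# 2 or 3; rejects link-local (fe80::/10) and ULA (fc00::/7), which the AFTR
# could never reach back.
is_global_v6() {
    case "$1" in
        [23]*) return 0 ;;
        *)     return 1 ;;
    esac
}

# wan_global_v6: read `ifconfig $WAN_IF` output on stdin and print the first
# global IPv6 address; fails while the link only has a link-local address.
wan_global_v6() {
    while read -r kw addr rest; do
        [ "$kw" = "inet6" ] || continue
        addr="${addr%%%*}"          # drop a %scope suffix such as fe80::1%pppoe0
        if is_global_v6 "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# resolve_aaaa NAME: first AAAA record via drill(1) from FreeBSD base, or nothing.
resolve_aaaa() {
    drill -Q "$1" AAAA 2>/dev/null | head -n 1
}

# aftr_address NAME: resolved AAAA, or the address from the post when DNS gives
# nothing usable (e.g. before any IPv4 path exists).
aftr_address() {
    resolved=$(resolve_aaaa "$1")
    if is_global_v6 "$resolved"; then
        printf '%s\n' "$resolved"
    else
        printf '%s\n' "$AFTR_V6_FALLBACK"
    fi
}

# dslite_up LOCAL_V6 AFTR_V6: the commands that make up the B4 side.
dslite_up() {
    run ifconfig "$GIF_IF" create
    run ifconfig "$GIF_IF" tunnel "$1" "$2"
    run ifconfig "$GIF_IF" inet "$B4_V4" "$AFTR_V4" netmask 255.255.255.255
    run ifconfig "$GIF_IF" mtu "$TUNNEL_MTU" up
    run route add -inet default "$AFTR_V4"
}

main() {
    wan_v6=$(ifconfig "$WAN_IF" | wan_global_v6) || {
        echo "no global IPv6 on $WAN_IF; is the PPPoE session up with IPv6?" >&2
        return 1
    }
    aftr_v6=$(aftr_address "$AFTR_NAME")
    echo "B4 $wan_v6 -> AFTR $aftr_v6 ($AFTR_NAME)" >&2
    dslite_up "$wan_v6" "$aftr_v6"
}

# usage: sh dslite-up.sh up          (DRY_RUN=1 sh dslite-up.sh up to preview)
if [ "${1:-}" = "up" ]; then
    main
fi
```

The AFTR is only reachable over the PPPoE-delivered IPv6, so the IPv6 part of the session must be working before the tunnel can carry any IPv4; the link-local/ULA check exists because the AFTR must be able to answer to the outer source address.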
#3
hi there,

just want to share my findings....if it's obsolete, so be it...

using the latest OPNsense 23.7.10_1 I installed my HP NF523SFP dual NIC and tested initially with "kldload if_qlxgb"

in dmesg I could then see the adapter coming up manually

"
ql0: <Qlogic ISP 80xx PCI CNA Adapter-Ethernet Function v1.1.36> mem 0xdf400000-0xdf5fffff,0xdf690000-0xdf69ffff at device 0.0 on pci2
ql0: qla_pci_attach: firmware[4.12.10.1348448512]
ql0: Ethernet address: 00:0e:1e:05:70:50
ql1: <Qlogic ISP 80xx PCI CNA Adapter-Ethernet Function v1.1.36> mem 0xdf200000-0xdf3fffff,0xdf680000-0xdf68ffff at device 0.1 on pci2
ql1: qla_pci_attach: firmware[4.12.10.1348448512]
ql1: Ethernet address: 00:0e:1e:05:70:54
"

after that, I then put it into the tunables to auto-load the driver after every startup
(as described here https://github.com/opnsense/core/issues/5491)

tunable "if_qlxgb_load"
description "Load kldload if_qlxgb QLE3242 driver" (here you can enter whatever you want)
value "YES"


now the driver is always loaded after boot or upgrade

root@sense:~ # ifconfig ql0
ql0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 00:0e:1e:05:70:50
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@sense:~ # ifconfig ql1
ql1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 00:0e:1e:05:70:54
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


dmesg | grep ql
ql0: <Qlogic ISP 80xx PCI CNA Adapter-Ethernet Function v1.1.36> mem 0xdf400000-0xdf5fffff,0xdf690000-0xdf69ffff at device 0.0 on pci2
ql0: qla_pci_attach: firmware[4.12.10.1348448512]
ql0: Ethernet address: 00:0e:1e:05:70:50
ql1: <Qlogic ISP 80xx PCI CNA Adapter-Ethernet Function v1.1.36> mem 0xdf200000-0xdf3fffff,0xdf680000-0xdf68ffff at device 0.1 on pci2
ql1: qla_pci_attach: firmware[4.12.10.1348448512]
ql1: Ethernet address: 00:0e:1e:05:70:54

using a DAC cable, it shows as follows

root@sense:~ # ifconfig ql0
ql0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 00:0e:1e:05:70:50
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
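A check script for the procedure in this post, as an added example that is neither from the post nor from OPNsense: after a boot or upgrade it verifies that the driver is loaded, that the tunable is persisted, and what link state each ql port reports. The text parsers take the dmesg/ifconfig output on stdin so they can be exercised with captured output; only check_live runs the real commands. Which of /boot/loader.conf and /boot/loader.conf.local OPNsense writes the tunable to is not stated on the page, so both are checked; the module name if_qlxgb is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post): verify after a boot or upgrade that the
# if_qlxgb driver loaded by the tunable is really present and the ql ports are
# up. The parsers take command output on stdin so they can be tested with
# captured text; only check_live runs the real commands.
# Assumption not taken from the page: the tunable may live in /boot/loader.conf
# or /boot/loader.conf.local, so both files are checked.

MODULE="${MODULE:-if_qlxgb}"

# tunable_persisted FILE...: true if one of the files contains MODULE_load="YES"
# as a live (uncommented) line.
tunable_persisted() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Eq "^[[:space:]]*${MODULE}_load=\"?YES\"?[[:space:]]*$" "$f" && return 0
    done
    return 1
}

# ql_ports: dmesg text on stdin -> one "ql<N> <mac>" line per attached port.
ql_ports() {
    sed -n 's/^\(ql[0-9][0-9]*\): Ethernet address: \([0-9a-f:]*\)$/\1 \2/p'
}

# link_status: `ifconfig IF` text on stdin -> "active", "no carrier" or "unknown".
link_status() {
    st=$(sed -n 's/^[[:space:]]*status: //p' | head -n 1)
    printf '%s\n' "${st:-unknown}"
}

# check_live: the real thing; exit status 1 if the module is missing or the
# tunable is not persisted (i.e. the NIC would be gone after the next reboot).
check_live() {
    rc=0
    if kldstat -q -n "${MODULE}.ko"; then
        echo "module ${MODULE}: loaded"
    else
        echo "module ${MODULE}: NOT loaded (kldload ${MODULE} for now)"; rc=1
    fi
    if tunable_persisted /boot/loader.conf /boot/loader.conf.local; then
        echo "tunable ${MODULE}_load=YES: persisted"
    else
        echo "tunable ${MODULE}_load=YES: NOT found, will not survive a reboot"; rc=1
    fi
    dmesg | ql_ports | while read -r ifn mac; do
        echo "$ifn ($mac): link $(ifconfig "$ifn" | link_status)"
    done
    return $rc
}

# usage: sh nic-check.sh check
if [ "${1:-}" = "check" ]; then
    check_live
fi
```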
#4
yes..I can confirm....completely uninstalling and re-installing it solved the issue....btw...I wasn't using mongodb but elasticsearch instead
#5
Quote from: snoopy78 on December 19, 2022, 12:50:49 PM
I've found this thread...

I also want to restart my OpenVPN clients on my OPNsense (22.7.9_3)

in the CLI I can successfully

root@OPNsense:~ # ps aux | grep openvpn
root          95966  25.8  0.0    17928    7952  -  Ss   12:38        0:16.58 /usr/local/sbin/openvpn --config /var/etc/openvpn/client15.conf
root          23564   0.0  0.0    17928    7808  -  Ss   12:38        0:00.41 /usr/local/sbin/openvpn --config /var/etc/openvpn/client19.conf
root          60688   0.0  0.0    17928    7952  -  Ss   12:40        0:00.04 /usr/local/sbin/openvpn --config /var/etc/openvpn/client12.conf


and also then successfully

root@OPNsense:~ # pluginctl -s openvpn start 19
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 15
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 12
Service `openvpn' has been started.


When I followed your steps: you created a copy of the "ping failed" test and changed it to executable, which I then did too..
The copy of the failed ping test I can save successfully, but as soon as I select it in the service settings, I get issues
I see this in the CLI under "cat /usr/local/etc/monitrc"

"
check host OpenVPNClientGateway address 8.8.4.4
   if failed ping then alert
   if failedpingGW then exec /bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 12'

"
so basically the ping test and the script are there, but I can't save via the web GUI as I always get an error..

"
Error   monit   /usr/local/etc/monitrc:32: syntax error 'failedpingGW'
"

can you help me here please?


aarrghh...

if I use the correct command...it works..
"
check host OpenVPNClientGateway address 8.8.4.4
   if failed ping then alert
   if failed ping then exec /bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 12'
"
#6
I've found this thread...

I also want to restart my OpenVPN clients on my OPNsense (22.7.9_3)

in the CLI I can successfully

root@OPNsense:~ # ps aux | grep openvpn
root          95966  25.8  0.0    17928    7952  -  Ss   12:38        0:16.58 /usr/local/sbin/openvpn --config /var/etc/openvpn/client15.conf
root          23564   0.0  0.0    17928    7808  -  Ss   12:38        0:00.41 /usr/local/sbin/openvpn --config /var/etc/openvpn/client19.conf
root          60688   0.0  0.0    17928    7952  -  Ss   12:40        0:00.04 /usr/local/sbin/openvpn --config /var/etc/openvpn/client12.conf


and also then successfully

root@OPNsense:~ # pluginctl -s openvpn start 19
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 15
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 12
Service `openvpn' has been started.


When I followed your steps: you created a copy of the "ping failed" test and changed it to executable, which I then did too..
The copy of the failed ping test I can save successfully, but as soon as I select it in the service settings, I get issues
I see this in the CLI under "cat /usr/local/etc/monitrc"

"
check host OpenVPNClientGateway address 8.8.4.4
   if failed ping then alert
   if failedpingGW then exec /bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 12'

"
so basically the ping test and the script are there, but I can't save via the web GUI as I always get an error..

"
Error   monit   /usr/local/etc/monitrc:32: syntax error 'failedpingGW'
"

can you help me here please?
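The monit rule in the two posts above restarts the OpenVPN client on every cycle in which a single ping fails, which turns a flapping or dead upstream into a restart loop. As an added example, not code from the posts or from OPNsense, the same logic as a stand-alone watchdog with a consecutive-failure threshold and a cool-down between restarts. Instance id 12, the probe target 8.8.4.4 and the `pluginctl -s openvpn start 12` command are taken from the posts; STATE_DIR, the thresholds, the ping timeout and the script name are assumptions. One practical caveat: the firewall's own ping follows the system routing table, so unless the probe target is routed through the tunnel (e.g. a static route via the VPN gateway), a ping to 8.8.4.4 tests the WAN, not the VPN.

```shell
#!/bin/sh
# Added example (not from the post): watchdog for an OPNsense OpenVPN client
# instance. It does what the monit rule above does (probe, then
# `pluginctl -s openvpn start <id>`) but adds a failure threshold and a
# cool-down so one lost ping or a dead upstream cannot restart the client
# every cycle. Instance id 12 and probe target 8.8.4.4 are from the post;
# STATE_DIR, the thresholds and the timeouts are assumptions made here.

VPN_ID="${VPN_ID:-12}"
PROBE_TARGET="${PROBE_TARGET:-8.8.4.4}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"       # consecutive failed probes before acting
COOLDOWN_SECS="${COOLDOWN_SECS:-300}"       # minimum seconds between two restarts
STATE_DIR="${STATE_DIR:-/var/run/ovpn-watchdog}"

init_state() {
    mkdir -p "$STATE_DIR"
}

# read_state NAME: integer stored under NAME, 0 if the file does not exist yet.
read_state() {
    cat "$STATE_DIR/$1" 2>/dev/null || echo 0
}

write_state() {
    printf '%s\n' "$2" > "$STATE_DIR/$1"
}

# probe: one ICMP echo; FreeBSD ping(8) -t is an overall timeout in seconds.
# The packet follows the system routing table, so PROBE_TARGET must be routed
# via the tunnel for this to test the VPN rather than the WAN.
probe() {
    ping -c 1 -t 3 "$PROBE_TARGET" >/dev/null 2>&1
}

# restart_vpn: the same command the post uses by hand, with a log line.
restart_vpn() {
    logger -t ovpn-watchdog "$PROBE_TARGET unreachable $FAIL_THRESHOLD times, restarting OpenVPN client $VPN_ID"
    /usr/local/sbin/pluginctl -s openvpn start "$VPN_ID"
}

# watchdog_once: one probe cycle. Return codes:
#   0 healthy   1 failing, below threshold   2 restart issued
#   3 threshold reached but restart held back by the cool-down
watchdog_once() {
    now=$(date +%s)
    fails=$(read_state fails)
    last_restart=$(read_state last_restart)

    if probe; then
        write_state fails 0
        return 0
    fi

    fails=$((fails + 1))
    write_state fails "$fails"
    [ "$fails" -ge "$FAIL_THRESHOLD" ] || return 1

    if [ $((now - last_restart)) -lt "$COOLDOWN_SECS" ]; then
        return 3
    fi

    restart_vpn
    write_state last_restart "$now"
    write_state fails 0
    return 2
}

# usage: run once per minute, e.g. from cron or as the monit exec action:
#   sh ovpn-watchdog.sh run
if [ "${1:-}" = "run" ]; then
    init_state
    watchdog_once
    exit $?
fi
```

The OPNsense cron GUI only offers predefined actions, so running this from cron needs its own actions_*.conf entry; alternatively keep monit as the scheduler and point its `exec` at the script, which is how the post wires it up.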
#7
The weight on all interfaces is the same = 1.

AFAIK / to my understanding the weight tells how many packets (compared to the other weights) will be transmitted.

So if I have a 50 & 10 Mbit connection I would use weight 5 on the 50 Mbit connection and 1 on the 10 Mbit one.

However, in my setup I have 110 Mbit + ~90 Mbit + ~90 Mbit, so it's nearly equal and then it can be 1 1 1 for equal sharing.

I already tried different values...but no success..
so for testing I tried 1 - 2 - 2 but, as expected, bad results...
by testing 2 - 1 - 1 I get similar results as with 1 - 1 - 1, so for now I use 2 - 1 - 1

also all 3 GWs have priority 254

(screenshot) WAN3 only throughput (client firewall rule provides WAN 3 as gateway)

(screenshot) WAN 1 - 2 - 3 combined throughput, but only display of WAN 2 & 3

(screenshot) WAN 1 - 2 - 3 combined throughput

#8
hello @all.

I am running OPNsense 21.1.2-amd64 on an Intel(R) Atom(TM) CPU C3758 @ 2.20GHz (8 cores).

Due to my poor VDSL connection (110 Mbit down & 40 Mbit up) I have added 2 LTE routers (Huawei) (each ~70-90 Mbit down & 20-40 Mbit up) in a NAT-behind-NAT setup. The firewall has sticky connections disabled and is in aggressive mode.

I also followed the howto for setting up load balancing and gave them all the same weight and tier.


When I connect to (use) each of WAN 1, WAN 2 or WAN 3 individually I get full speed. I can verify this by connecting a WiFi device to the Huawei routers and doing a speedtest.
All connections by themselves are working correctly.

When I use the GW group as my gateway, it also works, however the combined download speed is at most 210 Mbit, while the upload is up to 120 Mbit.

So if I calculate 40+40+40 Mbit = 120 Mbit for upstream, the GW group works fine.
However, when I download, I only get max 210 Mbit (usually less), which isn't 110 + 80 + 80 Mbit = 270 Mbit (or more).

The CPU load with traffic is between 20-40%.



Is this normal behavior? What can I do to improve the combined download so that I can actually reach the real limits?

Thank you in advance.

BR
#9
hello @all,

I have been using OPNsense for quite some time in the following setup

WAN 1 = VDSL 100 MBit/s + WAN 2 = LTE 70 MBit/s

For WAN1+WAN2 I use a GW group to do load balancing, which works, because I get the combined speed in speedtests

Additionally I also have outgoing VPNs, each bound to a WAN interface (e.g. zurich = WAN 1 + zurich LTE = WAN 2); for these I also have a GW group and all the bound clients got the full speed of up to 170 MBit via VPN

Since the latest update, 20.7.5, I was wondering why the VPN traffic was always stuck at 100 Mbit, while my normal clients (not passing the VPN GW group) could still get the full speed of 170 Mbit.
Within OPNsense the interface counters for VPN Zurich and VPN Zurich LTE always showed ~50 Mbit of traffic. Today I checked the counters of the LTE router and did some speedtests. Then I could see clearly that the VPN traffic which should pass through WAN2 is passing through WAN1, because I see the counters rising within OPNsense, but not a single packet is being counted on my LTE router. When doing the same test without the VPN, the counters on the LTE router increase accordingly.

Is this a bug in 20.7.5? Can I safely revert to 20.7.4, because it was working there without any issue.

If you could help me, it would be great, because I am currently planning to spend a lot of money on a new 5G outdoor CPE so that I can increase my LTE/5G WAN speed.

Thank you in advance.

snoopy78
#10
Hi @all,

I've a quick question where I'd like to get your opinion and some tips.

Currently I do have a leased line, IPv4 only, and the clients within my VLANs are IPv4 only (some don't even support IPv6).
Now I'm thinking of getting a 2nd WAN connection and doing some load balancing.
The new ISP I'm thinking of, however, only provides IPv6 addresses.

What could I do? I need to keep my private IPv4 addresses for at least 10 devices, while the others could do IPv6.

BR
snoopy78
#11
solved by modifying the backup config......



Hello @all,

I have a question and hope you can all help me solve it.


Currently I'm running an OPNsense (20.1.8_1) firewall (own dedicated hardware) and my only LAN is an ix0 (10G) interface with several VLANs.

To save energy I'd like to turn off my main switch at night or when I'm away. However, my secondary switch holding the APs has no 10G interface, so simply moving the cable won't solve the problem.

My idea now was to create a LAGG in failover mode, which then during the day uses the 10G link, while otherwise it falls back to a 1G link.

In OPNsense I can create the LAGG but can't assign the currently used interfaces to it.

So, how can I easily modify the settings? Maybe by editing the configuration backup?

This is a part of my config (I already created a LAGG with other interfaces for testing purposes)

    <lagg>
      <members>igb2,ix0</members>
      <descr>Failover_LAGG</descr>
      <laggif>lagg0</laggif>
      <proto>failover</proto>
      <mtu/>
    </lagg>

    <lan>
      <if>ix1</if>
      <descr>LAN_10GBIT_VLAN1</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>x.x.x.x</ipaddr>
      <subnet>24</subnet>
    </lan>
    <opt3>
      <if>ix1_vlan3</if>
      <descr>LAN_10GBIT_VLAN3_CaptivePortal</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>x.x.x.x</ipaddr>
      <subnet>24</subnet>
    </opt3>
    <opt4>
      <if>ix1_vlan10</if>
      <descr>LAN_10GBIT_VLAN10</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>x.x.x.x</ipaddr>
      <subnet>24</subnet>
    </opt4>
    <opt5>
      <if>ix1_vlan200</if>
      <descr>LAN_10GBIT_VLAN200</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>x.x.x.x</ipaddr>
      <subnet>24</subnet>
    </opt5>
    <opt6>
      <if>ix1_vlan300</if>
      <descr>LAN_10GBIT_VLAN300</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>x.x.x.x</ipaddr>
      <subnet>24</subnet>
    </opt6>


Any help and suggestions appreciated.

thank you

#12
(screenshot) NAT

(screenshot) Interface rule on incoming interface

works like a charm...
#13
19.7 Legacy Series / Re: Whole house VPN?
November 21, 2019, 08:02:42 AM
yes you can. I'm doing this too,

create the OpenVPN connection
create the interface
define within your LAN/VLAN the policy pointing to the new OpenVPN interface gateway
define outbound NAT for your VPN
#14
hi all,

I'm new to OPNsense but got my private setup working like this:

OPNsense 19.7 on an A2SDI-H + I350 quad NIC
LAN (incl. VLANs) on the 10G
WAN1 (PPPoE) on an I350 port
WAN2 (LTE) on an I350 port

now I want to use NetFlow.

my NetFlow server is 192.168.10.60/24, which is behind an IPsec tunnel.
my OPNsense has VLAN1 192.168.0.1/24.

since I haven't received any data on my PRTG I checked from the console and saw that the firewall can't reach the server, since it's using its WAN IP. So I created an outbound NAT rule saying WAN1, target server, use VLAN1 interface IP; since then, using "ping -S 192.168.0.1 192.168.10.60", I can reach the server via the tunnel.

can you advise me please, where are my thoughts incorrect..

thank you

br
snoopy78
#15
Hello,

I'm a newbie in terms of firewalling but want to consolidate my current network.

Currently I do have a VPN firewall connecting to my WAN (100/40 MBit) and LTE (10/10 MBit) in spillover mode, also acting as VPN server for 2x IPsec site-to-site and 1–3 (max.) roaming clients.
I also have a 2nd router behind the firewall acting as an OpenVPN client (to bypass geo-restrictions). Routing between my VLANs is working.

My internal network is a 10 Gbit backbone and some clients/servers also have 10 Gbit connections.

My plan/idea is to migrate both existing routers into 1 OPNsense box.

Also I would like to connect the VLANs (internally) with 10G. Here it is purely routing, no NAT/PAT/...or ACLs.
Additionally I want to keep my existing site-to-site & roaming client VPNs. But the OPNsense should also act as an OpenVPN client (maybe 2 or 3 different tunnels/targets). Here I want to use ACLs/firewalling to define from which VLAN/client I use which gateway. And only this gateway.
Also I have some incoming rules.

IDS/IPS maybe later.
FreeRADIUS maybe later for cert-based WiFi.
Web proxy when the kids grow a bit more.

From what I've read so far, I can realize all these things with OPNsense.

So now comes the tricky part. I must save energy.

Therefore I was looking at this hardware.

https://www.asrock.com/mb/Intel/J5005-ITX/index.asp

Or

https://www.supermicro.com/en/products/motherboard/A2SDi-H-TF

Which one would you suggest? Also, are these systems able to handle my requirements?

I did check the i3 already but the idle/load consumption was way higher (at least from what I've seen so far).
Also I already have an https://www.supermicro.com/en/products/motherboard/X10SDV-2C-TP4F working as my NAS.
Its power consumption is also too high for 24/7 usage.

Thank you in advance.

BR
Snoopy78