Messages

1

20.1 Legacy Series / Re: iperf3 speed difference with 10G networking

« on: July 02, 2020, 01:51:33 am »

I can confirm that 10G experience with opnsense is lacking...

I have a somewhat similar setup to yours: Two opnsense 20.1 Supermicro based firewalls with Intel i3-9100 CPUs and Chelsio T540-CR cards in them.

When I iperf3 between firewalls on intranet interface in same subnet (no rules, no nat, no routing) I come to very similar results as you (~2 Gbits/sec), if I run several streams I can bring it up to 3-4Gbits/sec total but not more.

If on another hand I run out of the box freebsd on the same machines I get 4-5 Gbits/sec on single thread and 7-8 Gbits/sec on several threads.

Opnsense seems to have issues there, I am not sure what the problem is as I had no time to dig deeper and my internet uplink is just 1Gbits/sec anyway.

2

20.1 Legacy Series / Re: Nat reflection does not seem to work

« on: June 30, 2020, 09:44:34 pm »

Just as an info for anyone who might run into similar issue:

It is technically impossible to reflect / redirect to a host on same interface that host is connected to, see man pf.conf:

Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.

Too bad. In my specific case I have no other option but to connect my host directly to internet, bypassing the firewalls.

3

20.1 Legacy Series / Re: Nat reflection does not seem to work

« on: June 30, 2020, 11:03:28 am »

If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.

Unfortunately I cannot rely on DNS, the connection is done via IP bypassing normal DNS resolution.

I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.

That is what I am afraid of..  This is very essential for me.

4

20.1 Legacy Series / Nat reflection does not seem to work

« on: June 30, 2020, 02:06:23 am »

Hi,

I have a 1:1 NAT setup for a server located on inside network, I also have a somewhat exotic requirement in that this very machine runs several processes that need to connect to it's public IP address. (This is a P2P network node that runs several processes).

I have enabled NAT reflection and it seems to make entries in pfctl -sn table:

Code: [Select]

rdr on cxl1_vlan80 inet from any to $PUB_IP -> $LOCAL_IP bitmask
Still, I am not able to open a simple SSH connection to my own public IP.

What could be wrong?

Thanks