Messages - Don.key

#1
I can confirm that 10G experience with opnsense is lacking...

I have a somewhat similar setup to yours: Two opnsense 20.1 Supermicro based firewalls with Intel i3-9100 CPUs and Chelsio T540-CR cards in them.

When I iperf3 between the firewalls on the intranet interface in the same subnet (no rules, no NAT, no routing) I come to very similar results as you (~2 Gbits/sec); if I run several streams I can bring it up to 3-4 Gbits/sec total, but not more.

If on the other hand I run out-of-the-box FreeBSD on the same machines I get 4-5 Gbits/sec on a single thread and 7-8 Gbits/sec on several threads.

OPNsense seems to have issues there. I am not sure what the problem is, as I had no time to dig deeper and my internet uplink is just 1 Gbits/sec anyway.
#2
Just as an info for anyone who might run into a similar issue:

It is technically impossible to reflect / redirect to a host on the same interface that host is connected to, see man pf.conf:

Quote
Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.

Too bad. In my specific case I have no other option but to connect my host directly to internet, bypassing the firewalls.
#3
Quote from: sesquipedality on June 30, 2020, 10:08:17 AM
If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.

Unfortunately I cannot rely on DNS, the connection is done via IP bypassing normal DNS resolution.

Quote from: sesquipedality on June 30, 2020, 10:08:17 AM
I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.

That is what I am afraid of. This is very essential for me.
#4
Hi,

I have a 1:1 NAT setup for a server located on the inside network. I also have a somewhat exotic requirement in that this very machine runs several processes that need to connect to its public IP address. (This is a P2P network node that runs several processes.)

I have enabled NAT reflection and it seems to make entries in the pfctl -sn table:

rdr on cxl1_vlan80 inet from any to $PUB_IP -> $LOCAL_IP bitmask

Still, I am not able to open a simple SSH connection to my own public IP.

What could be wrong?

Thanks
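The situation described in #4 and #2 (an inside host, here the server itself, connecting to its own public address behind a 1:1 NAT) is the classic pf reflection case. The fragment below is an added illustration in pf.conf syntax, not the poster's configuration and not generated by OPNsense; it shows the rdr-plus-nat pattern the OpenBSD pf FAQ documents for redirection and reflection. Interface names, addresses and the port are assumed.

```conf
# Added example, not the poster's configuration. All names and addresses below
# are assumptions (RFC 5737 documentation addresses, constructed for this example).
ext_if   = "cxl0"
int_if   = "cxl1_vlan80"
PUB_IP   = "203.0.113.10"    # public address of the server
LOCAL_IP = "192.0.2.20"      # server on the inside network
int_net  = "192.0.2.0/24"    # inside subnet

# Ordinary 1:1 NAT for traffic that arrives from the outside.
binat on $ext_if from $LOCAL_IP to any -> $PUB_IP

# Reflection step 1: a packet from an inside host (the server itself included)
# addressed to the public IP arrives on $int_if; rdr rewrites its destination
# to the server. On its own this is the rule that pfctl -sn shows, and on its
# own it is not enough: the server would answer the client directly, the reply
# would carry the wrong source address, and the client would drop it.
rdr on $int_if inet proto tcp from $int_net to $PUB_IP port 22 -> $LOCAL_IP port 22

# Reflection step 2: rewrite the source to the firewall's own inside address so
# the server's reply is forced back through pf, where the state entry created
# by the rdr rule translates it back. Both directions now pass the firewall.
nat on $int_if inet proto tcp from $int_net to $LOCAL_IP port 22 -> ($int_if)

# A filter rule is still needed; translation alone does not pass traffic.
pass in on $int_if inet proto tcp from $int_net to $LOCAL_IP port 22
```

The price of the nat rule is that the server sees every reflected connection as coming from the firewall's inside address rather than from the real client, which matters for logging and for any source-based access control on the server; that loss of client addresses is one of the "odd side effects" of reflection mentioned in #3. In OPNsense the second rule corresponds to the "Automatic outbound NAT for Reflection" option under Firewall > Settings > Advanced; when only the rdr entry appears in pfctl -sn, that option is the first thing to check.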