Messages - darkain

#1
Displayed WAN IP is broken in general for me. I have a full native dual-stack WAN interface, and my WAN shows a link-local IPv6 address instead of my actual public IPv6 WAN IP.

It seems like the new widget is just guessing at random which IP address to list.
#2
Quote from: efetropy on December 02, 2021, 04:00:13 PM
Did some research and found out that with open-vm-tools 11.3.0 they added support for arm64 (vmci is not working). You can read more about it here https://github.com/vmware/open-vm-tools/pull/474 and https://vincerants.com/open-vm-tools-on-freebsd-under-vmware-esxi-arm-fling/

Hey, thanks for referencing my work! Hopefully it has helped you all out. :)

I've been running earlier builds of OPNsense under ESXi ARM Fling for probably at least a year now. I guess it is about time I update to these new builds you are all putting together! :D

I'll have to switch my 16-core ARM server back over from FreeBSD bare metal to running ESXi ARM Fling instead, and see what kind of bandwidth that thing can push with dual-10gbe NICs.
#3
Is this older AMD hardware, like an Athlon X4 or similar/older era?
#4
This generally won't work, because the packet's return path wouldn't be hitting your NAT router.

NAT and Port Forwarding modify the packet's destination address in-flight, but the return address remains the same. So when the destination attempts to reply to the packet, it would send it back to the original source with the modified destination. The source will see this packet, and have no idea what to do with it, because its local state table will have no matches for [original source] + [new destination].

Instead, a proxy service like HAProxy would work. Or, if this is web traffic, a service like Nginx would work as well.
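
The state-table mismatch described in the post above, modelled as an added Python example that is not part of the original post. The addresses and ports are constructed (documentation ranges) and the function names are hypothetical; it compares a reply that passes back through the NAT router with one that goes straight to the client.

```python
# Constructed addresses (RFC 5737 documentation ranges), not from the post.
CLIENT = "198.51.100.10"
ROUTER = "203.0.113.1"   # NAT router doing the port forward
SERVER = "192.0.2.50"    # forward target

def dnat(pkt, nat_states):
    """Port forward: rewrite only the destination, keep the source as-is."""
    src, sport, _dst, dport = pkt
    nat_states[(src, sport, SERVER, dport)] = (ROUTER, dport)
    return (src, sport, SERVER, dport)

def reply(pkt):
    """The server answers by swapping source and destination."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def un_nat(pkt, nat_states):
    """Reverse translation; only happens if the reply traverses the router."""
    src, sport, dst, dport = pkt
    orig = nat_states.get((dst, dport, src, sport))
    return (orig[0], orig[1], dst, dport) if orig else pkt

def client_accepts(pkt, client_states):
    """The client only accepts replies matching a flow it opened itself."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport) in client_states

def simulate(reply_via_router):
    client_states, nat_states = set(), {}
    syn = (CLIENT, 40000, ROUTER, 443)      # client connects to the router
    client_states.add(syn)
    answer = reply(dnat(syn, nat_states))   # server sees CLIENT as the source
    if reply_via_router:
        answer = un_nat(answer, nat_states)
    return answer, client_accepts(answer, client_states)

if __name__ == "__main__":
    for via_router in (True, False):
        pkt, ok = simulate(via_router)
        print(f"reply via router={via_router}: {pkt} accepted={ok}")
```
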
#5
There is a huge difference in how Skype, VPN, and streaming media all work. There is still a chance that your "trusted" LAN may also be experiencing issues. Streaming video services pre-download and buffer a certain amount of content before playing it (10s of seconds to a few minutes of content), and have the ability to quickly re-establish a connection to the same or different server to maintain smooth playback. Skype doesn't have this luxury due to the low-latency nature of bi-directional human communication. For the time, however, I'd suggest running a wired connection from your machine directly to the router to eliminate any stability concerns with the Wi-Fi access.
#6
Without any information whatsoever about your particular configuration, there is little we could possibly do to help.

For instance, is the VPN software running on OPNsense itself, or is it running on your desktop? What type of VPN is it in the first place? Is Skype traffic going over that VPN connection when it has issues? Is other traffic that is stable going over that same VPN connection? There are a lot of variables in play here, even beyond just this, that could affect your network performance and stability.
#7
Different environments use different terminology. This is common across all of computing. "Static Lease" is a term used in other routers, too. There will never be a 100% compatibility in terms between two different vendors for various reasons.
#8
20.7 Legacy Series / Re: One issue after the next
August 05, 2020, 07:02:43 PM
As an FYI, the issues with Xbox NAT have nothing to do with UPnP at all.

OPNsense for security reasons uses port randomization during NAT, and this breaks peer-to-peer communication of game consoles. This issue affects Xbox, PlayStation, Nintendo Switch/WiiU/DS, and even some desktop games.

All you need is essentially a static DHCP lease for the game console, set hybrid NAT type, and then create a NAT rule with static port enabled for the given console's IP address.

https://ultramookie.com/2020/05/opnsense-xbox-live/


Also, VLAN tagging issues are generally not an OPNsense firmware issue, but a FreeBSD driver issue. These are generally fairly easy to overcome, but without knowing which NICs are being used, there isn't much I can say to that.
#9
Do you have routes set up between the LANs of the two OPNsense boxes over ZeroTier? If so, this is a known issue with ZeroTier where it attempts to use the LAN address instead of the WAN address for communication, then fails, then reverts back to WAN. This flapping back and forth causes dropped packets and CPU spikes.

https://github.com/zerotier/ZeroTierOne/issues/779