Messages - theprez1980

#1
Resolved -

Adding this to my grub file, updating grub and rebooting resolved the issue.  Not sure why or how, but thought I'd share in case it helps others:

GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"

I believe if you have an Intel variant the command is slightly different.
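
The edit above is a one-line change to GRUB_CMDLINE_LINUX_DEFAULT, which is easy to get wrong when scripted (duplicated flags, a stale `=off` left in place, quotes lost). As an added example that is not part of the post, here is a small Python helper that makes the edit idempotently against a constructed copy of /etc/default/grub; the vendor lookup uses the kernel's `amd_iommu=on` / `intel_iommu=on` parameters, which is the "slightly different" Intel spelling the poster refers to. The sample file contents and the function names are this example's own.

```python
import re

# Constructed sample of /etc/default/grub (not the poster's file).
SAMPLE_GRUB = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
"""

# Matches the DEFAULT line only; captures prefix, the quote char (if any)
# and the parameter list between the quotes.
_LINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX_DEFAULT=)(["\']?)(.*)\2\s*$')

def iommu_param_for_vendor(vendor_id: str) -> str:
    """Map /proc/cpuinfo's vendor_id to the matching kernel IOMMU flag."""
    table = {"AuthenticAMD": "amd_iommu=on", "GenuineIntel": "intel_iommu=on"}
    try:
        return table[vendor_id]
    except KeyError:
        raise ValueError(f"unknown CPU vendor: {vendor_id}") from None

def ensure_kernel_param(grub_text: str, param: str) -> str:
    """Return grub_text with `param` present exactly once in
    GRUB_CMDLINE_LINUX_DEFAULT.

    A `key=value` param replaces any existing `key=...` entry (so
    amd_iommu=off becomes amd_iommu=on instead of both being present);
    a bare flag is appended only if missing. Other lines are untouched."""
    key = param.split("=", 1)[0]
    out = []
    found_line = False
    for line in grub_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        found_line = True
        prefix, quote, body = m.group(1), m.group(2) or '"', m.group(3)
        params = [p for p in body.split() if p.split("=", 1)[0] != key]
        params.append(param)
        out.append(f"{prefix}{quote}{' '.join(params)}{quote}")
    if not found_line:
        # No DEFAULT line at all: add one rather than silently doing nothing.
        out.append(f'GRUB_CMDLINE_LINUX_DEFAULT="{param}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(ensure_kernel_param(SAMPLE_GRUB, iommu_param_for_vendor("AuthenticAMD")))
```

Run it against the real file by reading /etc/default/grub into `grub_text`, writing the result back, and then running the distribution's grub update command, as the post describes.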

#2
Hey All -

I'm trying to configure OpnSense to be my router on a remote colocated machine.  I'm using out of band management/IPMI to control the server remotely.

I have proxmox installed - it's on a 172.16.5.0/24 network - via Linux Bridge and it's not bound to any physical NIC.  I then have a VM with OpnSense - it has 2 virtual NICs - one for the WAN and one for the LAN.  There's also a real PCI adapter that I will be passing through to the VM directly that is my WAN connection.

Upon booting the VM, I can ping the 172.16.5.100 (Proxmox) and ping 172.16.5.254 (OpnSense) - so far so good.

Next, I pass through the PCI adapter - so now 3 adapters are passed to the VM - the two internal ephemeral adapters - one for LAN, one for WAN and the real PCI ethernet adapter.

Upon booting the VM, I can't ping anything.  The VM is functional, the system isn't locked - but it seems like the mapping of the devices or OpnSense simply doesn't like the new adapter appearing and not being configured.

If I shut down the VM, remove the passed through device, restart the VM - I can ping both sides again.

Any ideas?

Thanks
#3
Hi -

Fairly new to OpnSense and wanted to part ways with my Netgear and Router combo from my ISP and landed on OpnSense.  I believe I have sufficient hardware:

Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz and 16 GB RAM with an Intel X550-T2 NIC.

Are there any specific tunables I should change or enable/disable?

I keep hearing it's best to turn off random IP and the Spectre/Meltdown workarounds to improve performance but was unclear on things such as RSS and if the X550 card even supports that.

Thanks

#4
Hey All -

I have successfully configured wireguard and have a site to site VPN tunnel going between two fiber networks with excellent latency (less than 5ms).

I'm trying to use clustering with Proxmox but I'm being told that the VPN I'm using (wireguard) must allow layer 2 traffic for the corosync service to work correctly.   Is that enabled by default or something I need to do?

The alternative suggestion that I don't understand is to pass one of the 192.168.0.X IPs to the far end of the connection using a VLAN so it appears to be on the same subnet as the rest of the nodes.   Not sure if OPNSense does that or not.

Any ideas?

Thanks
#5
Hey All -

I'm not really sure if this is needed, but from searching and googling it seems that RSS is supported by my X550-T2 adapter (ifconfig shows it as an ix0 and ix1 card).

In the shell, this command returns the following:

root@fw1:~ # sysctl -a | grep rss

net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1


Does this look correct after playing around with the tunables?

The CPU is a Core i7-7700 @ 3.40GHz so it's a 4 core CPU.

I've also turned off spectre/meltdown via their respective tunable.

Thanks
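
The sysctl values above are related to each other: the number of buckets is 2 to the power of `bits`, `mask` is `buckets - 1`, and `bucket_mapping` must list one CPU per bucket. As an added example that is not part of the post, here is a Python checker that parses the output the poster pasted and reports any inconsistency, plus a constructed broken sample to show what a finding looks like. The rules encoded are only those arithmetic relationships and the two enable flags; the function names are this example's own.

```python
# The poster's own sysctl output, copied from the post above.
POST_SYSCTL_OUTPUT = """\
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1
"""

# Constructed sample with bits and buckets that disagree (not real output).
BROKEN_SAMPLE = """\
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.buckets: 4
net.inet.rss.ncpus: 8
net.inet.rss.mask: 3
net.inet.rss.bits: 3
hw.ix.enable_rss: 0
"""

def parse_sysctl(text: str) -> dict:
    """Turn `key: value` lines into a dict; skips prompts and blank lines.
    Splitting on the first ': ' keeps values like '0:0 1:1' intact."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("root@") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        values[key] = value
    return values

def check_rss(text: str) -> list:
    """Return a list of human-readable findings; an empty list means the
    RSS sysctls are internally consistent and RSS is enabled."""
    s = parse_sysctl(text)
    findings = []
    needed = ("net.inet.rss.bits", "net.inet.rss.buckets",
              "net.inet.rss.mask", "net.inet.rss.ncpus")
    missing = [k for k in needed if k not in s]
    if missing:
        return [f"missing sysctls: {', '.join(missing)}"]
    bits, buckets, mask, ncpus = (int(s[k]) for k in needed)

    if buckets != 1 << bits:
        findings.append(f"buckets={buckets} but 2^bits={1 << bits}")
    if mask != buckets - 1:
        findings.append(f"mask={mask} but buckets-1={buckets - 1}")

    mapping = s.get("net.inet.rss.bucket_mapping", "").split()
    if len(mapping) != buckets:
        findings.append(f"bucket_mapping has {len(mapping)} entries, expected {buckets}")
    for entry in mapping:
        bucket, cpu = (int(x) for x in entry.split(":"))
        if cpu >= ncpus:
            findings.append(f"bucket {bucket} maps to cpu {cpu} >= ncpus {ncpus}")

    if s.get("net.inet.rss.enabled") != "1":
        findings.append("net.inet.rss.enabled is not 1")
    if s.get("hw.ix.enable_rss") != "1":
        findings.append("hw.ix.enable_rss is not 1 (ix driver RSS off)")
    return findings

if __name__ == "__main__":
    for name, sample in (("post", POST_SYSCTL_OUTPUT), ("broken", BROKEN_SAMPLE)):
        print(name, check_rss(sample) or "consistent")
```

On a live box, feed it `sysctl -a | grep rss` output via stdin and treat any non-empty result as something to look at before tuning further.
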
#6
Hey all -

For some reason my Wireguard connection is not performing well at all.

I'm running OpnSense 24.7.7 on a dedicated computer (specs: i7-7700 @ 3.40 GHz CPU, 16GB RAM and an X550 NIC)

The local internet where the OpnSense computer is located has a fiber connection with 2000x2000 and routinely gets that or slightly above (ISP over provisions a bit) - I do not use PPPoE, I have a static IP block.  I've confirmed the physical link rate and all is well there. 

Offsite, using either an android or iOS device on a mobile network or another fast Wi-Fi connection with Wireguard connected I get around 80Megs down max. If I disconnect Wireguard, back up to normal speeds for the given connection.

What's going on here?   I followed the steps here:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Thanks
#7
Hey All -

Had no problem with performance until I upgraded to 5G fiber - now I'm lucky to get 3G in both directions.  Directly connecting a PC to the ISP router shows approx 5100/5100 so there seems to be a configuration issue or bottleneck somewhere in my setup.   

Here's my setup:

Dell PowerEdge T620 with Dual CPU (E5-2643) with 512GB ECC RAM running Proxmox.
Intel X550-T2 passed thru directly to OpnSense for WAN connection to ISP's 5GB port - link status confirmed to be 5000
Intel X540-T2 passed thru directly to OpnSense for LAN connection to Juniper 48 port EX3300 switch- link confirmed to be 10000

In Proxmox:
OpnSense has been allocated 8 cores, and has the highest CPU priority with 16GB dedicated RAM
The CPU is set to Host
The CPU setting also passes the AES instruction set to the VM

In OpnSense:
Hardware offloading is disabled (boxes are checked)
In Tunables - the Spectre and Meltdown mitigations are disabled and the system was rebooted

What else am I missing here?   There are no fancy rules yet defined, no VLANs - just a vanilla setup with WAN DHCP, and LAN DHCP with OpnSense providing DHCP services currently.

Thanks
#8
Added a gateway and static route - same behavior unfortunately
#9
Thanks - I'll give that a try and that makes sense with one minor change-

From the remote VPN client side it would follow this path (I believe)
Client 192.168.0.1 to VPN Tunnel GW 172.0.0.1 to Ubuntu server 10.0.0.104 to Proxmox 10.0.0.1
#10
Yes - same /24 (10.0.0.x) for the OpnSense, Ubuntu and Proxmox devices.   The VPN Ubuntu server has a 172.X network that's used for the tun tunnel that's a /24 also.
#11
I don't have a VPN interface tho, my VPN server is running on an Ubuntu VM on the LAN side.

Is that an issue?

Thanks
#12
Basically the subject line - I couldn't get this rule to work - it's a rule to allow remote access to a LAN device on port 8006 on TCP (Proxmox) from over a VPN connection.

After exhausting troubleshooting I decided to turn off the "State Type" from Keep State to None - and now it works fine.

I'm unsure why this was required and hope an expert can school me.  I've attached a packet capture if that helps.

Thanks

Here's a link to the packet capture screenshot: https://imgur.com/a/dSR4RWI
#13
No worries, I don't think I explained it very well lol.   

For the 1:1 BINAT setup, a few questions please:

I have a /29 public IP range and my LAN network is currently configured as a /24 so off hand, I don't think I can use BINAT with that particular LAN network right since the subnets have to be the same size based on what I read elsewhere on the forums?

It looks like I'll have to create another LAN network, say 192.168.50/29.   If I do that, do I have to burn a /29 IP for the LAN gateway in that subnet?  I'm assuming I have to create a gateway in that IP space but perhaps not?  When I set up a local machine in that new subnet, I'll pick an IP in the 192.168.50.X range, but what gateway do I give it?

Thanks
#14
Thanks Nick -

That helps me understand the concept of Virtual IPs but I'm still struggling with the difference between 1:1 NAT and just regular Virtual IPs with port forwarding.

One issue I seem to be running into with Virtual IPs is the following:

I have a /29 public IPv4 block - and they are configured as virtual IPs under Interfaces -> Virtual IPs -> Settings.

Under NAT -> Port Forward I have rules set up to route services from the public IPs to their corresponding private IPs in the 10.0.0.0/24 block.

Entries such as SSH/22UDP and Web TCP/80 work as expected. However, there seems to be an issue with OpenVPN server on SSH/1194 on one of these virtually mapped IPs.

I can connect to this OpenVPN server fine using the public virtual IP that's mapped to a private 10.0.0.104 IP, I can ping other connected clients just fine also and they can ping me. I can also ping the 10.0.0.254 address which is the OpenVPN server LAN IP. All that works as expected.

What's broken: Pinging to other devices on the 10.0.0.X subnet doesn't work. I have the OpenVPN server set to forward and masquerade and this configuration worked fine on UniFi. Upon closer inspection, it appears my ping requests are getting received by the WAN IP address and of course blocked by the WAN filter.

Why would responses going back come from the WAN IP of OpnSense and not the same virtual IP? Is this by design? How would I resolve a situation such as this?

Thanks
#15
Hey All -

I'm trying to understand the differences and practices between 1:1 NAT and a Virtual IP.  I was allocated a /29 (5 usable) and if I got this right - it seems Virtual IP traffic can cause problems where inbound traffic comes in on one of the public IPs but is returned via the gateway IP - which can cause other applications to block it since it's expecting traffic back on the same IP it contacted but instead, the response came from the WAN IP of OpnSense.  Did I get that right?  I guess 1:1 BI NAT basically has traffic coming in on one of these IPs and leaving out the same IP?

If I use 1:1 NAT, do I plug one of the /29 public IP addresses on the machine and use the ISP provided gateway or am I still using private IPs and mapping them somehow?

Any screenshots would be great - I plan to use my 5 IPs for a VPN Server, Mail Server and Web Server.

Thanks
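
Posts #13 and #15 both turn on the same property of 1:1 (bi)NAT: it keeps the host bits of an address and swaps only the network bits, so the n-th public address always pairs with the n-th private one, and the two blocks must therefore have the same prefix length (the reason a /29 cannot be mapped 1:1 onto an existing /24). As an added example that is not part of either post, here is the pairing worked out in Python with the standard `ipaddress` module. The blocks are constructed: a /29 from the 203.0.113.0/24 documentation range stands in for the public allocation and 192.168.50.0/29 for the new LAN segment the poster considers; the function names are this example's own.

```python
import ipaddress

# Constructed blocks, not the poster's real addresses.
EXTERNAL = "203.0.113.8/29"    # stand-in for the ISP-allocated public /29
INTERNAL = "192.168.50.0/29"   # new same-sized inside segment

def _same_size(external: str, internal: str):
    """Parse both blocks and refuse a 1:1 relation between unequal sizes."""
    ext = ipaddress.ip_network(external)
    inn = ipaddress.ip_network(internal)
    if ext.prefixlen != inn.prefixlen:
        raise ValueError(
            f"1:1 NAT needs equal prefix lengths: /{ext.prefixlen} vs /{inn.prefixlen}")
    return ext, inn

def binat_pairs(external: str, internal: str) -> dict:
    """Full positional pairing external -> internal, including the
    network and broadcast addresses so the table is complete."""
    ext, inn = _same_size(external, internal)
    return {str(e): str(i) for e, i in zip(ext, inn)}

def translate(addr: str, external: str, internal: str) -> str:
    """Map one address across the relation in either direction: the
    offset from the block's network address is preserved."""
    ext, inn = _same_size(external, internal)
    ip = ipaddress.ip_address(addr)
    if ip in ext:
        return str(inn.network_address + (int(ip) - int(ext.network_address)))
    if ip in inn:
        return str(ext.network_address + (int(ip) - int(inn.network_address)))
    raise ValueError(f"{addr} is in neither {external} nor {internal}")

def usable_hosts(network: str) -> list:
    """Host addresses of a block (network and broadcast excluded); for a
    /29 that is six, before any address is reserved for a gateway."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()]

if __name__ == "__main__":
    for pub, priv in binat_pairs(EXTERNAL, INTERNAL).items():
        print(f"{pub:>15} <-> {priv}")
    print("usable inside hosts:", usable_hosts(INTERNAL))
    try:
        binat_pairs(EXTERNAL, "192.168.0.0/24")
    except ValueError as e:
        print("refused:", e)
```

Because the mapping is fixed by position, an inside host keeps the same public address for inbound and outbound traffic, which is the symmetric behaviour post #15 contrasts with a virtual IP plus port forward.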