Messages - theprez1980

1
24.7 Production Series / System Tunables to Improve Performance on a Fiber Connection - IX0 adapter
« on: October 31, 2024, 05:49:57 pm »
Hey All -

I'm not really sure if this is needed, but from searching and googling it seems that RSS is supported by my X550-T2 adapter (ifconfig shows it as an ix0 and ix1 card).

In the shell, this command returns the following:

root@fw1:~ # sysctl -a | grep rss

net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1

Does this look correct after playing around with the tunables?

The CPU is a Core i7-7700 @ 3.40GHz, so it's a 4-core CPU.

I've also turned off Spectre/Meltdown mitigations via their respective tunables.

Thanks
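An added consistency check, not from the post above: a POSIX sh script that parses `sysctl net.inet.rss` output (here a constructed copy of the values quoted in the post) and verifies that the derived tunables agree with one another: buckets equals 2^bits, mask equals buckets - 1, there is one bucket_mapping entry per bucket, and there are no more buckets than CPUs.

```shell
#!/bin/sh
# Added example, not from the forum post: consistency check of FreeBSD RSS sysctls.
# RSS_SAMPLE is a constructed copy of the relevant values quoted in the post.
RSS_SAMPLE='net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.buckets: 4
net.inet.rss.ncpus: 8
net.inet.rss.mask: 3
net.inet.rss.bits: 2'

# rss_value OUTPUT KEY: print the value of net.inet.rss.KEY from sysctl output
rss_value() {
    printf '%s\n' "$1" | sed -n "s/^net\.inet\.rss\.$2: //p"
}

# rss_check OUTPUT: report each inconsistency, return 0 only if all checks pass
rss_check() {
    out=$1 status=0
    enabled=$(rss_value "$out" enabled)
    buckets=$(rss_value "$out" buckets)
    bits=$(rss_value "$out" bits)
    mask=$(rss_value "$out" mask)
    ncpus=$(rss_value "$out" ncpus)
    # one "bucket:cpu" pair per bucket is expected in bucket_mapping
    nmap=$(rss_value "$out" bucket_mapping | wc -w | tr -d ' ')

    [ "$enabled" = 1 ] || { echo "FAIL: net.inet.rss.enabled is $enabled"; status=1; }
    [ "$buckets" -eq $((1 << bits)) ] || { echo "FAIL: buckets=$buckets but 2^bits=$((1 << bits))"; status=1; }
    [ "$mask" -eq $((buckets - 1)) ] || { echo "FAIL: mask=$mask but buckets-1=$((buckets - 1))"; status=1; }
    [ "$nmap" -eq "$buckets" ] || { echo "FAIL: $nmap bucket_mapping entries for $buckets buckets"; status=1; }
    [ "$buckets" -le "$ncpus" ] || { echo "FAIL: buckets=$buckets exceeds ncpus=$ncpus"; status=1; }
    [ "$status" -eq 0 ] && echo "PASS: $buckets RSS buckets consistently mapped across $ncpus CPUs"
    return "$status"
}

rss_check "$RSS_SAMPLE"
# On the firewall itself: rss_check "$(sysctl net.inet.rss)"
```

The quoted values pass every check; a mapping with fewer entries than buckets, or a mask that does not match the bucket count, is reported as a FAIL line.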

2
24.7 Production Series / Slow Performance with Road Warrior Setup on OpnSense
« on: October 30, 2024, 08:15:11 pm »
Hey all -

For some reason my WireGuard connection is not performing well at all.

I'm running OPNsense 24.7.7 on a dedicated computer (specs: i7-7700 @ 3.40 GHz CPU, 16GB RAM and an X550 NIC).

The local internet where the OPNsense computer is located has a fiber connection with 2000x2000 and routinely gets that or slightly above (ISP over-provisions a bit) - I do not use PPPoE, I have a static IP block. I've confirmed the physical link rate and all is well there.

Offsite, using either an Android or iOS device on a mobile network or another fast Wi-Fi connection with WireGuard connected, I get around 80Megs down max. If I disconnect WireGuard, I'm back up to normal speeds for the given connection.

What's going on here? I followed the steps here:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Thanks

3
24.7 Production Series / Virtualized OpnSense Best Practices to Improve Performance w/Multi-Gig Service?
« on: October 17, 2024, 03:24:30 am »
Hey All -

Had no problem with performance until I upgraded to 5G fiber - now I'm lucky to get 3G in both directions. Directly connecting a PC to the ISP router shows approx 5100/5100, so there seems to be a configuration issue or bottleneck somewhere in my setup.

Here's my setup:

Dell PowerEdge T620 with Dual CPU (E5-2643) with 512GB ECC RAM running Proxmox.
Intel X550-T2 passed through directly to OPNsense for WAN connection to ISP's 5GB port - link status confirmed to be 5000
Intel X540-T2 passed through directly to OPNsense for LAN connection to Juniper 48 port EX3300 switch - link confirmed to be 10000

In Proxmox:
OPNsense has been allocated 8 cores, and has the highest CPU priority with 16GB dedicated RAM
The CPU is set to Host
The CPU setting also passes the AES instruction set to the VM

In OPNsense:
Hardware offloading is disabled (boxes are checked)
In Tunables - the Spectre and Meltdown mitigations are disabled and the system was rebooted

What else am I missing here? There are no fancy rules yet defined, no VLANs - just a vanilla setup with WAN DHCP, and LAN DHCP with OPNsense providing DHCP services currently.

Thanks

4
24.1 Legacy Series / Wireguard - Adding another site
« on: July 25, 2024, 01:45:11 pm »
Hey All -

Still trying to wrap my head around WireGuard as I've worked with OpenVPN and the client/server method for years. Anywhoo - I got WireGuard working in a site-to-site configuration using this well-written reference material:

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

So I have two sites that are working fine - but now need to add another and am unsure how.

I assume on the new site:

1. Create an Instance, use the same port, increment the tunnel IP address up by one.
2. On the other two existing sites, add this newly created instance as a peer? Do I need to change allowed IPs?

Thanks

5
24.1 Legacy Series / Re: IP is Behind CGN - How to Get a Public IP to WAN Using VPS/OpenVPN for Port Fwd?
« on: July 01, 2024, 03:56:27 am »
Thanks - I'm assuming IPv6 is also CGN NAT'd but I don't know yet.

I'll check out the other suggestions also - thanks

6
24.1 Legacy Series / IP is Behind CGN - How to Get a Public IP to WAN Using VPS/OpenVPN for Port Fwd?
« on: June 30, 2024, 04:08:26 am »
Hey All-

Switching to a new fiber ISP - and it only provides an IPv4 IP that's behind CGN.  As such, I can't use port forwarding towards my LAN devices.

I've heard (and read) on here that apparently there's a way to use a VPS's IP to have it passed to the LAN and then I could use port forwarding from the VPS's IP.

I'm sure I'm using the wrong terms and am not exactly sure what to search for (reverse proxy? CGN's reverse?) but any walkthroughs or ideas?

Thanks

7
General Discussion / Re: Why did this LAN rule require turning off the adv. feature "state type" to work?
« on: June 19, 2024, 05:17:22 pm »
Added a gateway and static route - same behavior unfortunately.

8
General Discussion / Re: Why did this LAN rule require turning off the adv. feature "state type" to work?
« on: June 19, 2024, 02:34:10 pm »
Thanks - I'll give that a try, and that makes sense with one minor change:

From the remote VPN client side it would follow this path (I believe):
Client 192.168.0.1 to VPN Tunnel GW 172.0.0.1 to Ubuntu server 10.0.0.104 to Proxmox 10.0.0.1

9
General Discussion / Re: Why did this LAN rule require turning off the adv. feature "state type" to work?
« on: June 19, 2024, 02:04:06 pm »
Yes - same /24 (10.0.0.x) for the OPNsense, Ubuntu and Proxmox devices. The VPN Ubuntu server has a 172.X network that's used for the tun tunnel, which is a /24 also.

10
General Discussion / Re: Why did this LAN rule require turning off the adv. feature "state type" to work?
« on: June 19, 2024, 11:30:48 am »
I don't have a VPN interface though; my VPN server is running on an Ubuntu VM on the LAN side.

Is that an issue?

Thanks

11
General Discussion / Why did this LAN rule require turning off the adv. feature "state type" to work?
« on: June 18, 2024, 10:12:05 pm »
Basically the subject line - I couldn't get this rule to work - it's a rule to allow remote access to a LAN device on port 8006 on TCP (Proxmox) from over a VPN connection.

After exhausting troubleshooting I decided to turn off the "State Type" from Keep State to None - and now it works fine.

I'm unsure why this was required and hope an expert can school me.  I've attached a packet capture if that helps.

Thanks

Here's a link to the packet capture screenshot: https://imgur.com/a/dSR4RWI

12
General Discussion / Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 17, 2024, 11:52:40 am »
No worries, I don't think I explained it very well lol.

For the 1:1 BINAT setup, a few questions please:

I have a /29 public IP range and my LAN network is currently configured as a /24, so offhand I don't think I can use BINAT with that particular LAN network, right? The subnets have to be the same size, based on what I read elsewhere on the forums.

It looks like I'll have to create another LAN network, say 192.168.50/29. If I do that, do I have to burn a /29 IP for the LAN gateway in that subnet? I'm assuming I have to create a gateway in that IP space, but perhaps not? When I set up a local machine in that new subnet, I'll pick an IP in the 192.168.50.X range, but what gateway do I give it?

Thanks

13
General Discussion / Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 17, 2024, 03:35:55 am »
Thanks Nick -

That helps me understand the concept of Virtual IPs, but I am still struggling with the difference between 1:1 NAT and just regular Virtual IPs with port forwarding.

One issue I seem to be running into with Virtual IPs is the following:

I have a /29 public IPv4 block - and they are configured as virtual IPs under Interfaces -> Virtual IPs -> Settings.

Under NAT -> Port Forward I have rules setup to route services from the public IPs to their corresponding private IPs in the 10.0.0.0/24 block.

Entries such as SSH/22UDP and Web TCP/80 work as expected. However, there seems to be an issue with OpenVPN server on SSH/1194 on one of these virtually mapped IPs.

I can connect to this OpenVPN server fine using the public virtual IP that's mapped to a private 10.0.0.104 IP. I can ping other connected clients just fine also and they can ping me. I can also ping the 10.0.0.254 address, which is the OpenVPN server LAN IP. All that works as expected.

What's broken: Pinging other devices on the 10.0.0.X subnet doesn't work. I have the OpenVPN server set to forward and masquerade, and this configuration worked fine on UniFi. Upon closer inspection, it appears my ping requests are getting received by the WAN IP address and of course blocked by the WAN filter.

Why would responses going back come from the WAN IP of OPNsense and not the same virtual IP? Is this by design? How would I resolve a situation such as this?

Thanks

14
General Discussion / Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 15, 2024, 09:17:27 pm »
Hey All -

I'm trying to understand the differences and practices between 1:1 NAT and a Virtual IP. I was allocated a /29 (5 usable) and, if I got this right, it seems Virtual IP traffic can cause problems where inbound traffic comes in on one of the public IPs but is returned via the gateway IP - which can cause other applications to block it, since they expect traffic back on the same IP they contacted but instead the response came from the WAN IP of OPNsense. Did I get that right? I guess 1:1 BINAT basically has traffic coming in on one of these IPs and leaving out the same IP?

If I use 1:1 NAT, do I plug one of the /29 public IP addresses on the machine and use the ISP provided gateway, or am I still using private IPs and mapping them somehow?

Any screenshots would be great - I plan to use my 5 IPs for a VPN Server, Mail Server and Web Server.

Thanks

15
General Discussion / Confused on how to mirror Ubiquiti Rule on OpnSense
« on: June 14, 2024, 11:43:32 pm »
Hey All -

I have a /29 Public IP from my ISP. I'm using one of these IPs as my OPNsense IP - for this example, we'll call it 205.123.123.1 as my OPNsense IP with 205.123.123.6 as my OPNsense WAN Gateway.

I also have OPNsense configured to use one of my other public IPs in the Interfaces -> Virtual IP area, 205.123.123.3 as an example, with this IP having a rule to allow incoming SSH and VPN traffic via Firewall -> NAT -> Port Forward, the Destination address pointing to 205.123.123.3 and the NAT IP being my internal device 10.0.0.104. So VPN and SSH traffic accessing the public IP, 205.123.123.3, gets shuttled to the 10.0.0.104 IP internally on the LAN side.

That seems to work fine - I can SSH in from the public Internet and Connect via OpenVPN without issue - but....

Problem time:

Connected devices cannot see or ping other connected devices on the 10.0.0.0 network other than 10.0.0.104, I assume there's another rule needed but am unsure.... any suggestions would be great.

Thanks!
