Messages - theprez1980

#1
Resolved -

Adding this to my grub file, updating grub and rebooting resolved the issue.  Not sure why or how, but thought I'd share in case it helps others:


GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"
I believe if you have an Intel variant the command is slightly different.
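A worked example added here, not part of theprez1980's post: a small shell helper that puts the IOMMU parameter matching the CPU vendor into GRUB_CMDLINE_LINUX_DEFAULT (amd_iommu=on for AMD, intel_iommu=on for Intel, which is the "slightly different" Intel variant) without duplicating it on repeated runs, plus a check of what the running kernel actually exposes. The file layout, the /proc/cpuinfo vendor strings and the demo file are assumptions; after the edit you still run update-grub and reboot, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Debian-style
# /etc/default/grub, /proc/cpuinfo vendor_id strings, and
# /sys/kernel/iommu_groups as the kernel's view of IOMMU groups.

# Map a /proc/cpuinfo vendor_id to the kernel parameter that turns the IOMMU on.
iommu_param_for_vendor() {
    case "$1" in
        AuthenticAMD) echo "amd_iommu=on" ;;
        GenuineIntel) echo "intel_iommu=on" ;;
        *) echo "unknown CPU vendor: $1" >&2; return 1 ;;
    esac
}

# Vendor of the running CPU (first vendor_id line of /proc/cpuinfo).
cpu_vendor() {
    awk -F': *' '/^vendor_id/ { print $2; exit }' /proc/cpuinfo
}

# Add PARAM to GRUB_CMDLINE_LINUX_DEFAULT in FILE unless it is already there.
# Prints "added" or "present" so the caller knows whether update-grub is needed.
ensure_grub_param() {
    file="$1"; param="$2"
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
        echo added; return 0
    fi
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")
    for word in $current; do
        if [ "$word" = "$param" ]; then echo present; return 0; fi
    done
    if [ -z "$current" ]; then new="$param"; else new="$current $param"; fi
    tmp="$file.tmp.$$"
    # Rewrite only that one line; the rest of the file is copied unchanged.
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file" > "$tmp" \
        && mv "$tmp" "$file"
    echo added
}

# Number of IOMMU groups the kernel exposes; 0 means the IOMMU is off or
# unsupported and PCI passthrough will not work. ROOT defaults to the real sysfs path.
iommu_groups_count() {
    root="${1:-/sys/kernel/iommu_groups}"
    n=0
    if [ -d "$root" ]; then
        for g in "$root"/*; do
            [ -e "$g" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# Demo on a constructed copy of /etc/default/grub, so it is safe to run anywhere.
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$demo"
param=$(iommu_param_for_vendor AuthenticAMD)       # use "$(cpu_vendor)" on a real host
ensure_grub_param "$demo" "$param"                 # added
ensure_grub_param "$demo" "$param"                 # present (idempotent)
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$demo"        # GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"
rm -f "$demo"
echo "IOMMU groups on this host: $(iommu_groups_count)"
```

On a real Proxmox host run it against /etc/default/grub with "$(cpu_vendor)", then update-grub and reboot; if iommu_groups_count still prints 0 afterwards, the IOMMU is disabled in firmware (VT-d / AMD-Vi setting), which no kernel parameter fixes.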

#2
Hey All -

I'm trying to configure OpnSense to be my router on a remote colocated machine.  I'm using out of band management/IPMI to control the server remotely.

I have proxmox installed - it's on a 172.16.5.0/24 network - via Linux Bridge and it's not bound to any physical NIC.  I then have a VM with OpnSense - it has 2 virtual NICs - one for the WAN and one for the LAN.  There's also a real PCI adapter that I will be passing through to the VM directly that is my WAN connection.

Upon booting the VM, I can ping the 172.16.5.100 (Proxmox) and ping 172.16.5.254 (OpnSense) - so far so good.

Next, I pass through the PCI adapter - so now 3 adapters are passed to the VM - the two internal ephemeral adapters - one for LAN, one for WAN and the real PCI ethernet adapter.

Upon booting the VM, I can't ping anything.  The VM is functional, the system isn't locked - but it seems like the mapping of the devices or OpnSense simply doesn't like the new adapter appearing and not being configured.

If I shut down the VM, remove the passed through device, restart the VM - I can ping both sides again.

Any ideas?

Thanks
#3
Hi -

Fairly new to OpnSense and wanted to part ways with my Netgear and Router combo from my ISP and landed on OpnSense.  I believe I have sufficient hardware:

Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz and 16 GB RAM with an Intel X550-T2 NIC.

Are there any specific tunables I should change or enable/disable?

I keep hearing it's best to turn off random IP and the Spectre/Meltdown workarounds to improve performance but was unclear on things such as RSS and if the X550 card even supports that.

Thanks

#4
Hey All -

I have successfully configured WireGuard and have a site to site VPN tunnel going between two fiber networks with excellent latency (less than 5ms).

I'm trying to use clustering with Proxmox but I'm being told that the VPN I'm using (wireguard) must allow layer 2 traffic for the corosync service to work correctly.   Is that enabled by default or something I need to do?

The alternative suggestion that I don't understand is to pass one of the 192.168.0.X IPs to the far end of the connection using a VLAN so it appears to be on the same subnet as the rest of the nodes. Not sure if OPNSense does that or not.

Any ideas?

Thanks
#5
Hey All -

I'm not really sure if this is needed, but from searching and googling it seems that RSS is supported by my X550-T2 adapter (ifconfig shows it as an ix0 and ix1 card)

In the shell, this command returns the following:

root@fw1:~ # sysctl -a | grep rss

net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1


Does this look correct after playing around with the tunables?

The CPU is a Core i7-7700 @ 3.40Ghz so it's a 4 core CPU.

I've also turned off spectre/meltdown via their respective tunable.

Thanks
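Added example, mine rather than the poster's, for the tunables question in #3 and the sysctl output in #5: a shell check that reads the `sysctl -a | grep rss` output above and verifies the values agree with each other. On FreeBSD net.inet.rss.buckets is 2^net.inet.rss.bits and net.inet.rss.mask is buckets - 1, the bucket mapping has one bucket:cpu entry per bucket, and more buckets than net.inet.rss.ncpus (which counts hardware threads, hence 8 on a 4-core/8-thread i7-7700) buys nothing. The sample input is the output pasted in the post; the only tunable names it reads are the ones shown there.

```shell
#!/bin/sh
# Added example (not from the original post). RSS_SAMPLE is the sysctl output
# pasted in the post; the consistency rules are FreeBSD's: buckets = 2^bits,
# mask = buckets - 1, one bucket_mapping entry per bucket, buckets <= ncpus.
RSS_SAMPLE='net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1'

# rss_value NAME: print the value of one "name: value" line read from stdin.
rss_value() {
    awk -v k="$1:" '$1 == k { sub(/^[^:]*: */, ""); print; exit }'
}

# rss_check: read sysctl output on stdin, print "ok" or one line per problem,
# and return the number of problems found.
rss_check() {
    out=$(cat)
    v() { printf '%s\n' "$out" | rss_value "$1"; }
    enabled=$(v net.inet.rss.enabled); buckets=$(v net.inet.rss.buckets)
    bits=$(v net.inet.rss.bits);       mask=$(v net.inet.rss.mask)
    ncpus=$(v net.inet.rss.ncpus);     mapping=$(v net.inet.rss.bucket_mapping)
    ix=$(v hw.ix.enable_rss)
    problems=0
    [ "$enabled" = 1 ] || { echo "net.inet.rss.enabled is '$enabled', expected 1"; problems=$((problems + 1)); }
    [ "$((1 << ${bits:-0}))" = "${buckets:-0}" ] || { echo "bits=$bits but buckets=$buckets (expected buckets = 2^bits)"; problems=$((problems + 1)); }
    [ "$((${buckets:-0} - 1))" = "${mask:-0}" ] || { echo "mask=$mask but buckets=$buckets (expected mask = buckets - 1)"; problems=$((problems + 1)); }
    [ "${buckets:-0}" -le "${ncpus:-0}" ] || { echo "buckets=$buckets exceeds ncpus=$ncpus"; problems=$((problems + 1)); }
    entries=$(printf '%s\n' "$mapping" | wc -w)
    [ "$entries" -eq "${buckets:-0}" ] || { echo "bucket_mapping has $entries entries for $buckets buckets"; problems=$((problems + 1)); }
    [ "$ix" = 1 ] || { echo "hw.ix.enable_rss is '$ix': the ix(4) queues will not use RSS"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# On the firewall itself:  sysctl -a 2>/dev/null | grep rss | rss_check
printf '%s\n' "$RSS_SAMPLE" | rss_check      # ok
```

Both net.inet.rss.enabled and net.inet.rss.bits are boot-time tunables, so they take effect after a reboot, not when you save them in the Tunables page; the check reads the live values, so run it after the reboot.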
#6
Hey all -

For some reason my Wireguard connection is not performing well at all.

I'm running OpnSense 24.7.7 on a dedicated computer (specs: i7-7700 @ 3.40 Ghz CPU, 16GB RAM and an X550 NIC)

The local internet where the OpnSense computer is located has a fiber connection with 2000x2000 and routinely gets that or slightly above (ISP over provisions a bit) - I do not use PPPoE, I have a static IP block.  I've confirmed the physical link rate and all is well there. 

Offsite, using either an Android or iOS device on a mobile network or another fast Wi-Fi connection with WireGuard connected I get around 80 Megs down max. If I disconnect WireGuard, I'm back up to normal speeds for the given connection.

What's going on here?   I followed the steps here:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Thanks
#7
Hey All -

Had no problem with performance until I upgraded to 5G fiber - now I'm lucky to get 3G in both directions.  Directly connecting a PC to the ISP router shows approx 5100/5100 so there seems to be a configuration issue or bottleneck somewhere in my setup.   

Here's my setup:

Dell PowerEdge T620 with Dual CPU (E5-2643) with 512GB ECC RAM running Proxmox.
Intel X550-T2 passed thru directly to OpnSense for WAN connection to ISP's 5GB port - link status confirmed to be 5000
Intel X540-T2 passed thru directly to OpnSense for LAN connection to Juniper 48 port EX3300 switch- link confirmed to be 10000

In Proxmox:
OpnSense has been allocated 8 cores, and has the highest CPU priority with 16GB dedicated RAM
The CPU is set to Host
The CPU setting also passes the AES instruction set to the VM

In OpnSense:
Hardware offloading is disabled (boxes are checked)
In Tunables - the Spectre and Meltdown mitigations are disabled and the system was rebooted

What else am I missing here?   There's no fancy rules yet defined, no VLANs - just a vanilla setup with WAN DHCP, and LAN DHCP with OpnSense providing DHCP services currently.

Thanks





#8
Hey All -

Still trying to wrap my head around WireGuard as I've worked with OpenVPN and the client/server method for years.   Anywhoo - I got Wireguard working in a site-to-site configuration using this well written reference material:

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

So I have two sites that are working fine - but now need to add another and am unsure how.

I assume on the new site:

1. Create an Instance, use same port, increment the tunnel IP address up by one.
2. On the other two existing sites, add this newly created instance as a peer?  Do I need to change allowed IPs?

Thanks
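Added example, not from the poster or the OPNsense docs, covering the third-site question here and the earlier Proxmox cluster question in #4: a generator that turns a one-line-per-site inventory into a full-mesh WireGuard config for any site. The part that answers both posts is AllowedIPs. WireGuard is a layer-3 tunnel with no routing protocol; the only traffic that crosses it is whatever each peer's AllowedIPs say, so every site must list every other site's tunnel address and LAN there. Endpoints, addresses and the PUBKEY_* strings are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): build full-mesh WireGuard configs
# for N sites from one inventory. Endpoints, tunnel/LAN addresses and the
# PUBKEY_* strings are constructed placeholders, not real keys; make real ones with
#   wg genkey | tee site.key | wg pubkey > site.pub
#
# Inventory columns: name  endpoint(host:port)  tunnel_ip  lan_cidr  pubkey
SITES='siteA a.example.net:51820 10.250.0.1 192.168.10.0/24 PUBKEY_A_PLACEHOLDER
siteB b.example.net:51820 10.250.0.2 192.168.20.0/24 PUBKEY_B_PLACEHOLDER
siteC c.example.net:51820 10.250.0.3 192.168.30.0/24 PUBKEY_C_PLACEHOLDER'

# wg_site_conf NAME [PRIVATE_KEY]: print NAME's wg config with every other site
# as a [Peer]. On OPNsense the [Interface] is the Instance and each [Peer]
# block is one Peer entry; AllowedIPs is what makes the remote LAN reachable,
# because WireGuard routes by AllowedIPs, not by anything the far end announces.
wg_site_conf() {
    printf '%s\n' "$SITES" | awk -v me="$1" -v priv="${2:-PRIVATE_KEY_OF_$1}" '
    { name[NR] = $1; ep[NR] = $2; tun[NR] = $3; lan[NR] = $4; pub[NR] = $5
      if ($1 == me) self = NR }
    END {
        if (!self) { print "unknown site: " me > "/dev/stderr"; exit 1 }
        split(ep[self], hp, ":")
        print "[Interface]"
        print "PrivateKey = " priv
        print "Address = " tun[self] "/24"     # one /24 shared by all tunnel addresses
        print "ListenPort = " hp[2]            # the same port on every site is fine
        for (i = 1; i <= NR; i++) {
            if (i == self) continue
            print ""
            print "# " name[i]
            print "[Peer]"
            print "PublicKey = " pub[i]
            print "Endpoint = " ep[i]
            # peer tunnel address plus its LAN: both get routed into the tunnel
            print "AllowedIPs = " tun[i] "/32, " lan[i]
            print "PersistentKeepalive = 25"
        }
    }'
}

# wg_peer_count NAME: how many peers NAME ends up with (N - 1 in a full mesh).
wg_peer_count() { wg_site_conf "$1" | grep -c '^\[Peer\]'; }

# Adding siteC means siteA and siteB each gain exactly one more [Peer] block
# carrying siteC's tunnel address and LAN in AllowedIPs; siteC lists both of them.
wg_site_conf siteA
```

So for the post's steps: the new site gets the next free tunnel address and the same port, and yes, the two existing sites each get one more peer whose Allowed IPs include the new site's tunnel address and LAN; nothing in the existing peers changes. Because AllowedIPs must not overlap between peers on one interface, a /24 LAN can only belong to one peer, which is also why a cluster that really needs a shared layer-2 segment cannot get it from WireGuard alone.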



#9
Thanks - I'm assuming IPv6 is also CGN nat'd but I don't know yet.

I'll check out the other suggestions also - thanks
#10
Hey All-

Switching to a new fiber ISP - and it only provides an IPv4 IP that's behind CGN.  As such, I can't use port forwarding towards my LAN devices.

I've heard (and read) on here that apparently there's a way to use a VPS's IP to have it passed to the LAN and then I could use port forwarding from the VPS's IP. 

I'm sure I'm using the wrong terms and am not exactly sure what to search for (reverse proxy? CGN's reverse?) but any walkthroughs or ideas?

Thanks
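Added example, not from the poster or the OPNsense project, showing the usual shape of the VPS approach being asked about. The firewall behind CGN brings up a WireGuard tunnel to the VPS (it has to be the initiator and keep the tunnel alive, since nothing can reach it inbound), the VPS publishes the ports on its own public address and DNATs them into the tunnel, and the LAN subnet sits in the VPS's AllowedIPs for that peer so the VPS has a route to the LAN host. Interface names, addresses, keys and ports are assumptions; the ruleset is nftables, which Debian and Ubuntu VPSes ship with, and it needs net.ipv4.ip_forward=1 on the VPS.

```shell
#!/bin/sh
# Added example (not from the original post). All names and addresses are assumptions.
WAN_IF=eth0               # VPS public interface
WG_IF=wg0                 # VPS end of the tunnel
WG_VPS_IP=10.200.0.1      # tunnel address of the VPS
WG_OPN_IP=10.200.0.2      # tunnel address of OPNsense, the side behind CGN
LAN_NET=192.168.1.0/24    # LAN behind OPNsense
LAN_HOST=192.168.1.10     # the LAN device to publish

# vps_peer_stanza OPNSENSE_PUBKEY: the [Peer] block for the VPS's wg0. There is
# no Endpoint, because the CGN side is unreachable and must dial in; its own
# peer entry for the VPS carries Endpoint = <VPS public IP>:51820 and
# PersistentKeepalive = 25 so the carrier NAT mapping stays open. AllowedIPs is
# what gives the VPS its route to LAN_NET through the tunnel.
vps_peer_stanza() {
    printf '# OPNsense side: AllowedIPs = %s/32, Endpoint = <VPS public IP>:51820, PersistentKeepalive = 25\n' "$WG_VPS_IP"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32, %s\n' "$1" "$WG_OPN_IP" "$LAN_NET"
}

# vps_forward_ruleset PORT...: nftables ruleset that publishes TCP PORTs on the
# VPS address and sends them to LAN_HOST through the tunnel. The masquerade on
# wg0 makes LAN_HOST answer to WG_VPS_IP, so replies come back through the
# tunnel even though OPNsense has no policy route for them; the price is that
# LAN_HOST logs the VPS tunnel address instead of the real client address.
# The forward chain's "policy drop" assumes the VPS forwards nothing else.
vps_forward_ruleset() {
    [ $# -gt 0 ] || { echo "usage: vps_forward_ruleset PORT..." >&2; return 1; }
    ports=$(printf '%s,' "$@"); ports=${ports%,}
    cat <<EOF
table ip cgnat_publish {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "$WAN_IF" tcp dport { $ports } dnat to $LAN_HOST
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "$WG_IF" ip daddr $LAN_HOST masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$WAN_IF" oifname "$WG_IF" ip daddr $LAN_HOST tcp dport { $ports } ct state new accept
    }
}
EOF
}

# Apply on the VPS as root after sysctl -w net.ipv4.ip_forward=1:
#   vps_forward_ruleset 443 8006 | nft -f -
vps_peer_stanza PUBKEY_OPNSENSE_PLACEHOLDER
vps_forward_ruleset 443 8006
```

On the OPNsense side the remaining work is a firewall rule on the WireGuard interface allowing traffic from the VPS tunnel address to LAN_HOST on those ports. If you need the real client IP at the LAN host, drop the masquerade rule and instead add a policy-based rule on OPNsense that sends LAN_HOST's replies to those ports out through the tunnel gateway; otherwise they leave via the CGN WAN and never reach the client.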
#11
Added a gateway and static route - same behavior unfortunately
#12
Thanks - I'll give that a try and that makes sense with one minor change-

From the remote VPN client side it would follow this path (I believe)
Client 192.168.0.1 to VPN Tunnel GW 172.0.0.1 to Ubuntu server 10.0.0.104 to Proxmox 10.0.0.1
#13
Yes - same /24 (10.0.0.x) for the OpnSense, Ubuntu and Proxmox devices. The VPN Ubuntu server has a 172.X network that's used for the tun tunnel that's a /24 also.
#14
I don't have a VPN interface tho, my VPN server is running on a Ubuntu VM on the LAN side.

Is that an issue?

Thanks
#15
Basically the subject line - I couldn't get this rule to work - it's a rule to allow remote access to a LAN device on port 8006 on TCP (Proxmox) from over a VPN connection.

After exhausting troubleshooting I decided to turn off the "State Type" from Keep State to None - and now it works fine.

I'm unsure why this was required and hope an expert can school me.  I've attached a packet capture if that helps.

Thanks

Here's a link to the packet capture screenshot: https://imgur.com/a/dSR4RWI
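An added example, not the poster's and not a verdict on the linked screenshot. With State Type "Keep State", pf creates the TCP state on the SYN that opens a connection (OPNsense's default TCP flags for a stateful rule are S/SA) and any later packet of a connection it holds no state for is dropped by the default deny; "None" simply passes whatever matches the rule, which is why it works but also means the firewall no longer tracks that flow at all. The classic reason only the reply half of a connection ever reaches the firewall is asymmetric routing, and the topology in the replies above is the textbook case for it: the Ubuntu VPN host and Proxmox share the 10.0.0.0/24 LAN, so the SYN from the VPN client goes from Ubuntu straight to Proxmox, but if Proxmox has no route back to the 172.x tunnel network it hands its SYN-ACK to its default gateway, OPNsense, which has never seen the SYN. The filter below runs over tcpdump -n output (constructed sample lines, not the capture from the link) and prints every SYN-ACK for which no SYN was seen first.

```shell
#!/bin/sh
# Added example (not from the original post). The capture lines are constructed
# to look like "tcpdump -n -i <lan_if> tcp port 8006" output; 10.0.0.104 is the
# Ubuntu VPN host, 10.0.0.1 Proxmox and 10.0.0.5 an ordinary LAN client, matching
# the thread above. Flow 1 is normal (SYN, then SYN-ACK); flow 2 shows only a
# SYN-ACK (retransmitted once), which is what an asymmetric return path looks
# like from the firewall's point of view.
CAPTURE='13:37:00.000001 IP 10.0.0.5.40000 > 10.0.0.1.8006: Flags [S], seq 1, win 64240, length 0
13:37:00.000120 IP 10.0.0.1.8006 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 65160, length 0
13:37:00.000200 IP 10.0.0.5.40000 > 10.0.0.1.8006: Flags [.], ack 3, win 502, length 0
13:37:01.000000 IP 10.0.0.1.8006 > 10.0.0.104.51234: Flags [S.], seq 3, ack 9, win 65160, length 0
13:37:02.000000 IP 10.0.0.1.8006 > 10.0.0.104.51234: Flags [S.], seq 3, ack 9, win 65160, length 0'

# stateless_replies: read tcpdump lines on stdin (with or without the leading
# timestamp) and print "src > dst" once for every TCP SYN-ACK whose SYN was
# never seen. That is exactly the packet a "keep state" rule drops: pf creates
# TCP state from the SYN, so a reply with no SYN matches no state and falls
# through to the default deny.
stateless_replies() {
    awk '
    {
        b = ($1 == "IP") ? 1 : (($2 == "IP") ? 2 : 0)   # field offset of the "IP" token
        if (!b || $(b + 4) != "Flags") next
        src = $(b + 1); dst = $(b + 3); sub(/:$/, "", dst)
        flags = $(b + 5); gsub(/[][,]/, "", flags)      # "[S]," -> "S", "[S.]," -> "S."
        if (flags == "S") {
            syn[src ">" dst] = 1                        # forward SYN: state would be created here
        } else if (flags == "S." && !(dst ">" src in syn) && !(src ">" dst in reported)) {
            reported[src ">" dst] = 1                   # report each half-seen flow once
            print src " > " dst
        }
    }'
}

# On the firewall:  tcpdump -n -i <lan_if> tcp port 8006 | stateless_replies
printf '%s\n' "$CAPTURE" | stateless_replies     # 10.0.0.1.8006 > 10.0.0.104.51234
```

If the filter fires on a real capture, the cleaner fix than State Type None is to make the two directions take the same path: a static route on Proxmox itself for the 172.x tunnel network via the Ubuntu VM keeps both halves on the LAN and OPNsense out of the picture entirely. When the routing cannot be changed, "Sloppy" state is the intended compromise, since it still tracks the flow without insisting on having seen the handshake.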