Messages - japtain.cack

#1
This is my second fresh install of opnsense on a protectli FW6B. Whenever I go to insights, and click 30 days or more, the insights graphs stop working and simply hang indefinitely. I can reload the page and view anything under 30 days again, but if I click 30 days or anything above, it hangs and doesn't display the data. The FW6B should have more than enough power to display these graphs. Intel i3 7100U, 4GB ram, plenty of disk space, etc.

Anyone else have this issue, or possibly a solution?

For specs see the following:
https://protectli.com/product/fw6b/
#2
General Discussion / Re: NextDNS
November 03, 2021, 08:39:12 AM
I am currently using Unbound + Nextdns with client identification. It should be noted that you cannot modify /usr/local/etc/unbound.opnsense.d/dot.conf directly. opnsense will overwrite this file with whatever is configured in the GUI, even if it's blank. Unbound is configured to automatically load in any files contained in the /usr/local/etc/unbound.opnsense.d/ directory.

So, simply wipe your existing DoT config in unbound, copy in the unbound config from NextDNS, add the tls-server-bundle file option to prevent any SSL errors (I ran into this), save, and restart. Here are the detailed steps.


  • Disable all DoT options in Unbound, save, and restart unbound.
  • Edit/create this file: /usr/local/etc/unbound.opnsense.d/dot-custom.conf
  • Insert the Unbound config code block from NextDNS setup. You can use my code block, but ensure you update the ID and ensure it's similar to the NextDNS setup instructions. My example also shows how to configure a NextDNS client. I called mine "opnsense01", you can change this to whatever.
  • Save the file, and restart unbound. Your UI may show Unbound is not started, but refresh the page and you should be good. If there are issues, check the logs.


server:
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#opnsense01-1a2345.dns1.nextdns.io
  forward-addr: 45.90.30.0#opnsense01-1a2345.dns2.nextdns.io
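As an added example (not code from the post, OPNsense or NextDNS), a small Python checker for the unbound fragment above: it parses the config subset the post uses and flags a forward-tls-upstream zone that lacks tls-cert-bundle (or tls-system-cert), and forward-addr entries without the #authname that makes Unbound verify the upstream certificate.

```python
"""Sanity-check an Unbound DNS-over-TLS forwarding fragment (added example,
not OPNsense or NextDNS code). Parses the "section:" / "  key: value" subset
of unbound.conf used in the post above and flags the two mistakes that make
DoT forwarding fail or silently weaken it: forward-tls-upstream without a CA
bundle (the SSL error the post mentions) and forward-addr without #authname."""
import re
from typing import Dict, List, Tuple

# Constructed sample copied from the post; the NextDNS ID is the post's placeholder.
SAMPLE_CONF = """\
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#opnsense01-1a2345.dns1.nextdns.io
  forward-addr: 45.90.30.0#opnsense01-1a2345.dns2.nextdns.io
"""
ADDR_RE = re.compile(r"^[0-9a-fA-F.:]+(@\d+)?(#[\w.-]+)?$")  # ip[@port][#authname]

def parse_unbound(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return [(section, [(key, value), ...]), ...]; repeated keys are kept in order."""
    sections: List[Tuple[str, List[Tuple[str, str]]]] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # a '#' inside a token is not a comment
        if line and not line[0].isspace() and line.endswith(":"):
            sections.append((line[:-1], []))
        elif sections and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[-1][1].append((key.strip(), value.strip().strip('"')))
    return sections

def check_dot_forwarding(text: str) -> List[str]:
    """Return findings for every forward-zone; an empty list means the fragment looks sound."""
    findings: List[str] = []
    conf = parse_unbound(text)
    server: Dict[str, str] = {k: v for s, items in conf if s == "server" for k, v in items}
    has_ca = bool(server.get("tls-cert-bundle")) or server.get("tls-system-cert") == "yes"
    for _, items in [x for x in conf if x[0] == "forward-zone"]:
        opts = dict(items)
        name, tls = opts.get("name", "?"), opts.get("forward-tls-upstream") == "yes"
        if tls and not has_ca:
            findings.append(f"zone {name}: forward-tls-upstream without tls-cert-bundle/tls-system-cert")
        for addr in [v for k, v in items if k == "forward-addr"]:
            if not ADDR_RE.match(addr):
                findings.append(f"zone {name}: malformed forward-addr {addr!r}")
            elif tls and "#" not in addr:
                findings.append(f"zone {name}: {addr} has no #authname, upstream cert is not verified")
    return findings
```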
#3
21.7 Legacy Series / Re: Unable to check for updates.
October 08, 2021, 12:38:03 AM
I am now able to use the default mirror. No certificate issues appear anymore.
#4
21.7 Legacy Series / Re: Unable to check for updates.
September 30, 2021, 08:59:47 PM
I believe this is the issue:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I used the cloudflare CDN mirror which seemed to allow updates to work. A large portion of the internet, for TLS anyway, is broken right now until people update their root CAs. Blocklists are also broken due to the same reason I believe. DNS over TLS is also affected.

I was able to delete the LetsEncrypt CA, then regenerate the LE cert. It created a new cert under the new R3 CA properly. This fixed my UI/HAProxy issues, but you'll need to update all your settings that referenced the old cert. For instance under the opnsense settings for the web UI. However, some endpoints, like the update repo mirrors, seem to still be using expired root CAs in their cert chain. Nothing we can do until everyone updates their TLS certs.
#5
I know this is a bit old, but I've been trying for a year to get traffic shaping to work as well as it did in pfsense. I migrated to opnsense about a year ago and have been less than satisfied with traffic shaping and wireguard, and the latest changes to the traffic graph aren't as informative as they were in the past.

So, I've followed the opnsense guides and am very familiar with the links to the issues posted. Specifically
https://forum.opnsense.org/index.php?topic=7235.0

I've nuked all my settings and started from scratch numerous times thinking I did something wrong.

First, I followed the guide from opnsense. This resulted in an upload/download pipe set to my ISPs bandwidth specifications, upload/download queues, and an upload/download rule.

This seemed to help; I did get slightly better speeds when something was using all the bandwidth. To test, I had my desktop download a steam game at full blast and did speed tests on my laptop. I was getting about 3Mbps down on the laptop, sometimes less, but the desktop was still downloading at 75Mbps or so, and was more/less unaffected by the shaping.

However, today, I finally got traffic shaping working for shared internet across all vlans to wan in/out.

Here's what I've come up with. But first, let me describe my layout:

ISP UP/DL:
UP: 40Mbps
DL: 80Mbps

VLANs:
20_LAN, 30_guest, 50_isolated, 100_iot

WANs:
only one, pppoe0

Output of ipfw -a list; we only care about the queues, so I've only included that output.


root@opnsense01:~ # ipfw -a list

60001 11698461 17007930989 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan20 // a6e70bb8-d78d-476e-a4b3-f05e6b3647ea wan -> opt1: Queue WAN Downd
60002  9321607   996798783 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan20 // 5e0c6413-0a1f-47a5-9b32-24a34eb595b8 opt1 -> wan: Queue WAN Uplod
60003   263208   333891849 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan50 // 4e016558-e251-4b47-a362-8561b1b8d0b5 wan -> opt2: Queue WAN Downd
60004   277856   104526307 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan50 // 6625845a-e8c3-40cd-9546-317cafee4d12 opt2 -> wan: Queue WAN Uplod
60005   115963   116951966 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan100 // 77dbdd28-393f-43b5-852b-4dd9d06e8e5b wan -> opt4: Queue WAN Dowd
60006   106041    38089982 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan100 // 78f3ca35-32ab-428e-a58a-dce8ad097b15 opt4 -> wan: Queue WAN Upld
60007   103515   142606808 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan30 // f2c84d39-63dc-46a1-8882-edab23edb93b wan -> opt3: Queue WAN Downd
60008    63038     4545797 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan30 // c09e826e-fa31-4c92-88ce-6cf0b3325a1f opt3 -> wan: Queue WAN Uplod
60009 15393100 21516050871 queue 10001 ip from any to any in via pppoe0 // fcadaed6-e9ae-48b7-8f87-32342024d50f wan: Queue WAN Download
60010  1475091  1576433747 queue 10000 ip from any to any out via pppoe0 // 1b5397b6-e3ea-48f6-9843-20262b5a348e wan: Queue WAN Upload



I'm only providing the WAN rules and VLAN_20 rule screenshots. The WAN rules are from the opnsense shared bandwidth guide, except I'm using direction rather than IP ranges.

The VLAN rules I created myself and you can duplicate these for any other VLANs you need to include. I'm only providing screenshots for VLAN_20_LAN.

Basically what it came down to is creating the WAN up/dl rules AND the specific VLAN up/dl rules. I placed the VLAN rules above the generic WAN rules.

So, once I had the up/dl rules for the WAN AND the VLANs, I'm getting a nice split in traffic: when my desktop is downloading and I'm doing a speedtest, I get a perfect split, as long as nothing else is downloading of course.

Do you need both sets of rules? I asked myself that very question. So I disabled the WAN rules and the problem came back, laptop getting poor up/dl speeds again when the network was saturated.
I turned the WAN rules back on and disabled the VLAN rules, same problem.

Once I turned them all back on, everything is working as expected. I cannot explain this behavior, but it appears to be working as expected. I also rebooted between enabling/disabling the WAN/VLAN rules when testing this theory, so something getting hung up shouldn't be the case.

TL;DR
Follow the opnsense guide for sharing internet for all users, except for the rules. Then, create WAN up/dl rules similar to mine AND individual up/dl rules per VLAN. Use my screenshots as reference.
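As an added example, not part of the post: a Python parser for the ipfw -a list output above that totals bytes per queue and VLAN interface and checks the ordering the post arrived at, namely that the per-VLAN queue rules carry lower rule numbers than the generic via pppoe0 catch-alls. The sample listing is the post's, with the per-rule UUID comments dropped.

```python
"""Summarise the `ipfw -a list` queue rules from the post above (added example,
not OPNsense code): totals the byte counters per queue and VLAN interface and
checks the ordering the post relies on, namely that every VLAN-specific rule
precedes the generic `via pppoe0` catch-alls, since ipfw runs in number order."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple
# Constructed sample: the post's listing with the per-rule UUID comments dropped.
IPFW_SAMPLE = """\
60001 11698461 17007930989 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan20 // wan -> opt1: Queue WAN Download
60002  9321607   996798783 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan20 // opt1 -> wan: Queue WAN Upload
60003   263208   333891849 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan50 // wan -> opt2: Queue WAN Download
60004   277856   104526307 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan50 // opt2 -> wan: Queue WAN Upload
60005   115963   116951966 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan100 // wan -> opt4: Queue WAN Download
60006   106041    38089982 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan100 // opt4 -> wan: Queue WAN Upload
60007   103515   142606808 queue 10001 ip from any to any recv pppoe0 xmit lagg0_vlan30 // wan -> opt3: Queue WAN Download
60008    63038     4545797 queue 10000 ip from any to any xmit pppoe0 recv lagg0_vlan30 // opt3 -> wan: Queue WAN Upload
60009 15393100 21516050871 queue 10001 ip from any to any in via pppoe0 // wan: Queue WAN Download
60010  1475091  1576433747 queue 10000 ip from any to any out via pppoe0 // wan: Queue WAN Upload
"""
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+queue\s+(\d+)\s+ip from any to any\s+(.*?)\s*(?://.*)?$")

class QueueRule(NamedTuple):
    number: int
    nbytes: int
    queue: int
    vlan_iface: str  # "" for a generic `via pppoe0` catch-all rule

def parse_ipfw(text: str) -> List[QueueRule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # pipe/allow/deny lines do not match and are ignored
            num, _pkts, nbytes, queue, match = m.groups()
            vlan = re.search(r"lagg0_vlan\d+", match)
            rules.append(QueueRule(int(num), int(nbytes), int(queue), vlan.group(0) if vlan else ""))
    return rules

def bytes_per_queue_iface(rules: List[QueueRule]) -> Dict[Tuple[int, str], int]:
    """Byte counters per (queue, vlan_iface); the "" interface is what the catch-all took."""
    totals: Dict[Tuple[int, str], int] = defaultdict(int)
    for r in rules:
        totals[(r.queue, r.vlan_iface)] += r.nbytes
    return dict(totals)

def vlan_rules_first(rules: List[QueueRule]) -> bool:
    """True when every VLAN-specific rule has a lower number than every catch-all."""
    specific = [r.number for r in rules if r.vlan_iface]
    generic = [r.number for r in rules if not r.vlan_iface]
    return bool(specific) and bool(generic) and max(specific) < min(generic)
```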
#6
Ok, good to know. Thanks for the reply.
#7
General Discussion / HAProxy not starting on boot
October 04, 2020, 09:10:12 AM
I can't seem to find decent opnsense CLI documentation for service management. I simply need to know how to start/stop/enable, mainly enable, services. Specifically the HAProxy service.
#8
Set up a monthly donation of $20, so $240/year. Keep up the good work, migrated from a decent multi site pfsense deployment. Upgraded all nodes to protectli fw6b appliances at the same time.
#9
After one of the updates, I can't recall which one, regex stopped working in the live view search. In fact the search is no longer there, it was replaced by some very limited drop down filters.

Am I missing some option to enable that or was regex ripped out completely? I often use NOT and regex expressions to filter for specific patterns in my firewall logs. There isn't even a NOT operator in the filter choices. Seems like a step backwards if you ask me. Regex is basically a must when filtering stuff like this.