Messages - ReDaLeRt

#1
Have you tried the following settings?

Interfaces -> Settings -> Disable hardware checksum offload
Interfaces -> Settings -> Disable hardware TCP segmentation offload
Interfaces -> Settings -> Disable hardware large receive offload
Interfaces -> Settings -> Disable VLAN Hardware Filtering
#2
The solution was adding a NAT outbound rule such as the one attached.

Source address is the IP LAN range from the site "B".
#3
Hardware and Performance / Re: J3445m vs Ryzen 2600
December 29, 2021, 08:09:52 PM
Consider managing the CPU through the BIOS configuration to achieve lower power consumption on idle for the Ryzen 2600 CPU.

Also, use powerd to force the CPU to lower clock speeds as much as possible. On my i5 4690k, its idle power consumption at the power plug is around 60W. The CPU load on my firewall usually is below 20%.

#4
Hello.

If you're using the intrusion detection service, turn it off for testing.

Also, set the following parameters to ensure no power management is messing with the CPU clock speed:

System -> Settings -> Miscellaneous -> Power Savings -> All to "Maximum" and "Use PowerD" ON.

Ensure both iperf3 server and client can handle the load on a switch first, rather than testing straight from a router.

Repeat the tests with: iperf3 -c 10.0.2.200 -t 180 -P 8

For reference, I can manage 1 gigabit routing with IDS+IPS both enabled, on an i5-4690k, with > 50% CPU load on the 4 cores. So, consider upgrading the CPU from an under-powered and under-voltaged model to a more muscular one.

Best regards.
#5
Additionally, I managed to capture a traceroute from a client on the B site, to the IP range 213.13.24.0/24:

#6
Hello.

My issue with selective routing is accessing a specific public IP range (213.13.24.0/24) from an OpenWrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", isn't working as expected:

tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments below.

A half workaround on the site B is to enable masquerading to get selective routing, but it blocks site A from accessing site B:

uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart


I'm hoping that someone could shed some light on this. :-)

Thanks.
#7
Quote from: Oliver on July 25, 2019, 09:46:12 PM
After some experimentation I was able to successfully run Suricata in IPS mode with local VLANs on OPNsense 19.7.

Hardware tested:

  • ZOTAC ZBOX PRO CI329 nano: Intel Celeron N4100, 2 x Realtek PCIe GBE (re), 8 GB RAM
  • Thomas Krenn LES v3: Intel Celeron N3160, 2 x Intel i211AT (igb), 4 GB RAM
Topology:

  • WAN: pppoe on igb1/re1
  • LAN on igb0/re0 (not used directly)
  • VLANS with LAN as parent (all internal hosts connect to one of the VLANs)
The primary problem I have experienced was the total loss of network connectivity (on all interfaces) when switching from IDS to IPS mode. Several workarounds posted elsewhere did not solve the problem but rather introduced new ones (cf. this posting).

It turned out that the most important setting change to avoid total loss of network connectivity was:

  • In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering
Other configuration details:

Services > Intrusion Detection > Administration - Settings (in advanced mode):

  • Enabled: (checked)
  • IPS mode: (checked)
  • Promiscuous mode: (checked)
  • Pattern matcher: Hyperscan
  • Interfaces: LAN
  • Home networks: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
  • Log package payload: (checked)
  • (Other settings left at their defaults.)
I have downloaded and enabled all rules offered by OPNsense with actions set to Drop, except for ET emerging-policy (downloaded and enabled, but action unchanged). Some individual rules were then disabled as deemed necessary.

In the above setting, Suricata did block VLAN traffic and reported "SID 7999999: OPNsense test eicar virus" on the "Alert" tab when running this test on an internal Linux host (on a VLAN):

curl http://malware.wicar.org/data/eicar.com > /dev/null

So far everything seems to run pretty stable with a scheduled reboot every 24 hours.

This post should be fixed.

You saved my day!

Thanks, Oliver!
#8
Hello.

I'm sorry if this thread hijack seems improper.

My issue with selective routing is accessing a specific public IP range (213.13.24.0/24) from an OpenWrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", isn't working as expected:

tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments below.

I'm hoping that someone could shed some light on this. :-)

Thanks.
#9
Quote from: baqwas on August 01, 2020, 08:33:44 PM
Thx, @Fabian.

The error message on the page is:

The following input errors were detected:

    Saved settings, but remote backup failed.

There are two (I think,  :) entries related to the attempt to setup the backup to Nextcloud:

  • Settings in JSON format

  • "Cannot get real username"

(...)

This is still an issue for me on OPNsense 20.7.3 and Nextcloud 19.0.4.
2020-10-16T10:15:55 config[31428] {"url":"https:\/\/192.168.10.67:443\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.022022,"namelookup_time":6.4e-5,"connect_time":0.000381,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.10.67","certinfo":[],"primary_port":443,"local_ip":"192.168.10.1","local_port":33230,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":381,"namelookup_time_us":64,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":22022}
2020-10-16T10:15:55 config[31428] Cannot get real username