Messages

1

General Discussion / Re: unbound just died during the night, how to use monit

« on: September 24, 2021, 07:32:17 am »

I have similar problem. When one of the interfaces loosing connection Unbound service just dies.
And it is impossible to restart it using UI. You have to login manualy and run the command below.

$ sh -x /usr/local/opnsense/scripts/unbound/start.sh

I wonder if anyone have any other suggestions on how to fix this?

2

21.1 Legacy Series / OpenVPN disconnect triggers latency spikes on all other interfaces

« on: June 30, 2021, 09:53:00 pm »

I have OpenVPN client setup as a gateway.
http://chronicgeekage.blogspot.com/2019/02/opnsense-and-pia-private-internet-access.html

Every time I connect or disconnect OpenVPN client it causes huge latency spikes over all over interfaces, which disrupts connections.

Is there anything that can be done to avoid connection disruptions? I expect that other gateways should not be  affected.

I have Dual WAN setup and I expect failover to work, but instead when one interface goes down, OpenVPN client causes spike when it disconnects, and then it reconnects back, as a result for 3-5 min I have no connectivity until OpenVPN client figures it's own stuff out. I expect connectivity to work over another WAN but it doesn't.

OPNsense 21.1.7_1-amd64
FreeBSD 12.1-RELEASE-p18-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz (8 cores)

Code: [Select]

64 bytes from 1.1.1.1: icmp_seq=2569 ttl=55 time=6.292 ms
64 bytes from 1.1.1.1: icmp_seq=2570 ttl=55 time=5.674 ms
64 bytes from 1.1.1.1: icmp_seq=2571 ttl=55 time=6.311 ms
64 bytes from 1.1.1.1: icmp_seq=2572 ttl=55 time=892.511 ms
64 bytes from 1.1.1.1: icmp_seq=2573 ttl=55 time=40.314 ms
64 bytes from 1.1.1.1: icmp_seq=2574 ttl=55 time=263.691 ms
64 bytes from 1.1.1.1: icmp_seq=2575 ttl=55 time=5.366 ms
64 bytes from 1.1.1.1: icmp_seq=2576 ttl=55 time=6.065 ms
64 bytes from 1.1.1.1: icmp_seq=2577 ttl=55 time=407.396 ms
64 bytes from 1.1.1.1: icmp_seq=2578 ttl=55 time=22.910 ms
64 bytes from 1.1.1.1: icmp_seq=2579 ttl=55 time=207.658 ms
64 bytes from 1.1.1.1: icmp_seq=2580 ttl=55 time=5.991 ms
64 bytes from 1.1.1.1: icmp_seq=2581 ttl=55 time=5.907 ms
64 bytes from 1.1.1.1: icmp_seq=2582 ttl=55 time=348.674 ms
64 bytes from 1.1.1.1: icmp_seq=2583 ttl=55 time=24.305 ms
64 bytes from 1.1.1.1: icmp_seq=2584 ttl=55 time=29.940 ms
64 bytes from 1.1.1.1: icmp_seq=2585 ttl=55 time=6.225 ms
64 bytes from 1.1.1.1: icmp_seq=2586 ttl=55 time=5.809 ms
64 bytes from 1.1.1.1: icmp_seq=2587 ttl=55 time=5.713 ms
64 bytes from 1.1.1.1: icmp_seq=2588 ttl=55 time=5.625 ms
64 bytes from 1.1.1.1: icmp_seq=2589 ttl=55 time=6.158 ms
64 bytes from 1.1.1.1: icmp_seq=2590 ttl=55 time=342.989 ms


3

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: March 01, 2021, 09:55:45 pm »

Do we have any solution here?

I have R620 (Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz - 8 cores) under ESXi7 and I have 700Mbps between OPNsense <> Ubuntu VM on the same host, while two Ubuntu VMs can do 7Gbps, 10 times faster.

4

General Discussion / Aliases missing from pfTables

« on: November 14, 2020, 09:33:07 pm »

When you configure firewall rules you have an option to select different aliases for source, like "This Firewall", "LAN Net", "WAN addresses", etc. But those are missing when I go into pfTables, only the ones I defined are there.

How do I diagnose what they actually are?

You may think that those are equivalent to the net defined in the interface, but I have noticed that often those are not resolved this way. Where manually typing the address into the rule works, while using those aliases don't get things matched.

5

Virtual private networks / Re: IPsecVPN With Windows 10 native VPN Client

« on: November 08, 2020, 07:44:07 pm »

https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

This guide requires you to install Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?