Messages - TheForumTroll

#1
Hello experts :)

I'm building a new gateway, and I was wondering if it is better* to use two interfaces for LAN + WAN or just one dual interface?

By "better" I'm thinking of max throughput, features, security, CPU usage, etc. so quite broad. Does it make any difference, or is it all just theoretical at best?


EDIT TO ADD:


Follow-up question: If using a dual NIC for two LANs, would internal switching etc. happen or does everything still need to leave the card? In other words, would the above matter with two LANs if not with WAN + LAN?
#2
OPNsense WebGUI. I can't ping anything at all (except my own IP and localhost). Not even the switch the PC is connected directly to, two hops away from OPNsense. I've checked that the IP on the machine is correct of course. As soon as OPNsense dies every other device (at least the ones with a screen and keyboard I can test from) also dies. Reboot OPNsense and everything is back.


Edit:

I forgot to add that with OPNsense powered down the network works just fine (except through OPNsense of course). It is only after the box goes down by itself that everything else goes with it.
#3
23.7 Legacy Series / Baffled over strange behaviour
August 01, 2023, 12:58:46 PM
I'm having a strange problem and I have no idea where to even start. I'll try my best to explain:

At seemingly random intervals (we are talking days or weeks), the network suddenly goes down for the PCs on our LAN. Between these PCs and OPNsense there is 1 Cisco and 1 HP (fibre) switch and the connection to both of those also dies (from the PCs' LAN). No WebGUI, no ping. Each time it has happened I've run around like a headless chicken trying to fix it by rebooting the switches, rebooting PCs, etc. etc. because surely it must be here the issue lies. Well, the fix was to reboot OPNsense - then everything comes back up again. But how does OPNsense taking a crap kill ping to a switch two hops away?

A simple diagram:

Several PCs connect to Cisco switch ----> HP switch connecting different LANs ----> OPNsense ---- Internet ---> Dragons

I tried using Wireshark, but couldn't see anything out of the ordinary, but then again I'm no expert. The fix for now is using an older OPNsense box, but it is a bit too slow to handle the almost 1 Gbit/s traffic, so I got to get the newer one running as soon as possible.

Running latest version (23.7 I believe?) on both boxes.
#4
Thank you for your input. I might not have been very clear on my goal though. I want to, basically, turn a nano image into a non-nano image with the logging to disk functionality turned on instead of logging to RAM only as it does by default so the functionality that requires logs on disk will be available. I'm aware this is kinda a strange way to go about it, but I can't seem to get a stable serial connection and since I successfully installed to mSATA SSD with the installer I'd rather not touch that part again if there's an easy way to turn on the disk log.
#5
Hi there  :)

I just installed OPNsense on an SSD disk from a nano image via SSH. Booted right up which was pretty cool as I forgot a serial cable. Now I'm wondering how I change some logs from logging to RAM to logging to disk as in non-nano images?

I thought "Local Logging - Disable writing log files to the local disk" would be the setting used, but it is off in nano.
#6
General Discussion / Re: Forum text on mobile
June 13, 2023, 01:54:58 PM
This is how it looks in Firefox. I'll survive but it looks... I don't know.. unprofessional? Buggy?  :)
#7
General Discussion / Forum text on mobile
June 05, 2023, 09:05:55 PM
Is there a good reason that something like 2/3 of posts in the forum (always replies) are not the same font size as everything else? It makes reading on mobile a real pain, having to zoom in on every second post or something like that. Seems an easy fix  ???
#8
Any update on this? Seems the last comment could use a reply, especially since there were good replies to the rest (which is very commendable btw.)
#9
Hello experts  :)

I have a quick question: I have WireGuard set to Always On, on some phones, but when they are on the local network on Wi-Fi inside OPNsense, the VPN stops working/can't connect. What is the correct way to fix this, so it isn't necessary to turn the VPN on and off? DNS override? NAT reflection?  ???

Thanks!
#10
Tutorials and FAQs / Re: XboX One and NAT
December 27, 2021, 12:04:48 PM
There are good reasons to not want to use UPnP IMO but what option is the best I won't comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP via Hybrid outbound NAT.


  • Change IP to static on Xbox/Playstation
  • Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
  • Add a new rule just below (See attached screenshot for options)
  • Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).

That's it.
#11
I'm sorry if I'm missing something obvious here but I keep getting an update available (OPNsense 22.1.b3) but updating reinstalls OPNsense 22.1.b_141. Is this the same version or what is going on?

pkg-static opnsense-devel reinstalled: 22.1.b_141 -> 22.1.b_141
#12
I have deleted every single rule on all interfaces and created Default Allow rules on all of them. No difference.
#13
Quote from: Greelan on December 15, 2021, 10:20:27 PM
You still haven't said what interface these rules are on

They are on the interface shown blocking in the log. VLAN123 - 192.168.123.x
#14
Quote from: Greelan on December 15, 2021, 05:59:30 AM
You've masked so much it's hard to make out what your rules are. What interface are the rules configured on?

The masked out rules are simply "block from this LAN to another LAN" - one rule per LAN/VLAN. I will attach new screenshots with changed names for privacy  :)

Quote from: franco on December 15, 2021, 09:10:40 AM
How theoretical is this example? Did you have any issue with a particular service?

Yes, for example Netflix's speedtest doesn't run unless I try multiple times and websites don't always load (browser just hangs). It isn't just a single block but a log full of them (see new screenshots - filtered on just one device (android phone)). I also have trouble watching old movies that would stream fine from Plex before I switched to OPNsense (using the same hardware) - it buffers constantly (edit: but that is likely unrelated to this as it is on another LAN/interface).
#15
Hi all  :)

I'm confused what is going on here and I'm sorry if I'm missing something obvious. If you look at the screenshots attached you'll see there's a default allow rule that allows all IPv4 traffic (rule 11) but I still get blocked by a default block rule (rule 12). Is it because of some TCP flag or something? Because HTTPS works fine while Netflix speedtest at port 443 gets blocked  ???