Messages

1

22.7 Legacy Series / Weird states behaviour when using "Inspect"

« on: August 25, 2022, 12:18:18 am »

I have an OPNsense 22.7.2 box where I was trying to debug some traffic.

I have a Floating rule with the settings:

• Interface: Guest, VPN
• Direction: In
• Protocol: IPv4+6 TCP
• Source: any
• Destination: ALIAS (The alias contains 2 RFC1918 IPv4 addresses)
• Port: MS DS (445)
• Description: server CIFS

On the Floating Rules page, if I push "Inspect" then the UI updates to show me a new "States" column, which shows 1 session. This is as I expect (there is currently one client connected from the VPN interface, so this lines up).

If I click the "1" text, then I get taken to the Firewall/Diagnostics/States screen where there are several matches, one of which is the one I expect, and several of which don't match the criteria. For example there are matches with the destination port of 80, there are IPv6 matches even though the alias only contains IPv4 addresses, etc. I've attached a couple of screenshots, some redacting has been done but there's enough to show that these states should not match the rule they claim to be matching

2

22.1 Legacy Series / Re: scattered issues OPNsense version 22.1.9_1 (the very latest)

« on: June 30, 2022, 12:35:39 am »

the GUI reboot works if and especially when it wants: after giving it, think about it, go back to the "dashboard" and, with ease, start again, obviously whatever you do you will need to log in.

Out of interest, do you use the memory filesystem, and have features like Insights enabled with backups to disk?

On a previous release, I used to see that when I had this combination of features, during the reboot OPNsense would try to back up the memory-backed mountpoint to disk. This took so long that the "check for when the box has rebooted" spinner thing would start firing, see that the UI was up, and assume the reboot was finished even though it wasn't. Then when the backup script actually finished, the reboot would happen.

I did some tinkering a while back and opened https://github.com/opnsense/core/issues/5278 about changing the compression algorithm; by default it uses gzip which gives good compression but is slow. I changed my appliance to use zstd level-1 which was slightly larger but compressed in around 15% of the time

3

22.1 Legacy Series / Re: [CALL FOR TESTING] FreeBSD 13.1 / 22.7 operating system preview

« on: June 23, 2022, 04:17:23 pm »

Is there anything to be aware of if someone applied this test base/kernel, with 22.1.9 being released? i.e. should you avoid 22.1.9 altogether? Should you upgrade to 22.1.9, then reapply this preview? Should you do something else?

4

General Discussion / How does the firewall interact with the shaper?

« on: December 21, 2020, 09:47:10 pm »

I'm looking to use the shaping functionality to make for smoother audio calls (like everyone else, I'm working at home...)

The UI for the shaper is "enough", but it's less feature rich than I might like (ports specified manually, can't use aliases, etc). So one thought I had is simply to create myself some low/med/high priority queues and then configure rules for certain DSCP values which could then be applied by firewall rules. However, to know whether that would work properly depends on how the packets flow through the firewall, which could be (for example):

Code: [Select]

ingress --> filter --> shaper --> egress(this could work because the filter could apply a DSCP class to the packet, the shaper could see it and handle it in the correct queue)

Code: [Select]

ingress --> shaper --> filter --> egress(this could not work because by the time the filter saw the packet to mark it, the shaping decision would have already been made)

So in a system with both packet filtering and shaping enabled, does anyone know what's the order?