Messages

I followed Tomasz'sYT video series for a while now, and noted early that I would like to see OpnSense on it, instead of OpenWRT - this seemed infeasible at the time...

However, apart from the entertainment and enthusiast aspect of this effort, which in itself deserves praise, I see three problems:

1. The box only has 2x SFP+ ports and 3x 1 GbE ones. I know why it was infeasible to do 2.5 GbE, however, I think that is something left to be desired.

2. The price is now 600€ (the finished product will even be more, AFAIU), which is more than I would pay for an x64-based appliance with 3x 2.5 GbE and 2x SFP+. AFAIK, the routing speed is 10 Gbps as well for those.

3. As it appears, there are some legal obstacles with conflicts of the GPL v2 and commercially licensed code, which Tomasz has acknowledged in a pinned comment under his video and now seeks legal counsel as to if and how it will be possible to do it they way he intended.

There are two parts of firewall rules (well, actually, it's three):

1. On WAN, you need to allow "in" access on the UDP port that your wireguard instance is running on.
2. On the Wireguard group, you need to create "in" rules to access any of the LAN resources you want external clients to have access to. For starters, you could "allow from any to any".
3. In the wireguard peer, you need to set the "allowed ip" range to those of the wireguard clients that you want to pass. You could use 0.0.0.0/0 here.

All of this is explained for both site-to-site and roadwarrior setups in the official docs.



The order of checks would be outside -> in, so first make sure that the wireguard instance is really contacted by your clients.

That means:

a. the client must be able to connect to your external WAN IP, probably by using its dynamic DNS alias.
b. the client must be allowed to use the wireguard instance's external UDP port.
c. the secrets must be correct, otherwise the packets will be silently discarded.

You can check that via the Wireguard status. It must be green, having a "handshake age" and both sent and received traffic.

The second step would be to verify access from your client to your internal networks.

You can enable firewall logging for the default block rules and watch if there are blocks.

I got hooked by their APs many years ago, so adding their switches is a no-brainer. The management is more "prosumer" than what Cisco or Mikrotik offer, but quite effective and easy to manage. Of course it depends on if you already have one of their router-type appliances or can use all of that on a VM.

Matter-of-fact, the network controller is also available on iOS and Android as standalone apps, because apart from the guest portal, you do not need it running 24/7. I never tried those, because IMHO, you need a bit of screen real estate to easily use the interface.

My main gripes about them are:

1. The dream boxes are crap.
2. Unify protect is only available on their hardware (dream boxes and NVRs) - they stopped the VM versions.
3. In the last 2 years, they started way too many variants of their products, leading to a confusing portfolio and, with the many new offerings, degraded support for any of them.

What would be the difference between WAN and pppoe0?

One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.

That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, like your example clearly shows.

You have to understand how things work, otherwise you will be stuck at each crossing.

With a PPPoE connection, you can have one of these topologies on the WAN side:

1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")

With OpnSense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT" either, as per default, everything is blocked.

You obviously use it differently, which causes your confusion:

ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")

I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for Unifi Gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

[one]

@150d: What you characterize as a DMZ is actually something different, namely a double-firewall setup. Thus, you mix up two questions here.

I would argue that a "real" DMZ, in the notion of having some (potentually exposed) devices on a separate network in order to keep them out of your internal LAN makes complete sense. By doing that, an attack could not proliferate to your LAN. This would only presume one leg (either physical NIC or VLAN) of one OpnSense to be separated.

What you propose instead has two disadvantages the way you decribe it:

1. This is a router-behind-router scenario with double NAT and all of its complications, e.g. port-forwarding must be configured on both firewalls. I would avoid it for the average setup.

2. It does not even have the benefit that some enterprise setups would try to reach by doing such a thing nonetheless: By using two cascaded firewalls of different kind, you could potentially harden your infrastructure against attacks to known vulnerabilities of one or the other. This is not the case with two cascaded firewalls of the same kind.

Why don't you try to export reservations to see what the format is?

You will find this structure:

ip_address;hw_address;hostname;description;option_data;option

Take a look at this post, it will most probably explain your situation and how to fix it (and knowing the problem will prevent you from creating it again).

[it can ping one of the android tv box only. Not others Window Lan as well.]

A fine example of how you misinterpret things according to your confirmation bias:

One of my LAN - almalinux cannot ping gateway IP. Very strange, it can ping one of the android tv box only. Not others Window Lan as well. I try to disable the firewalld n look the ip route show and found nothing.

 It cannot browser internet anymore. I can browser intenet yesterday. This is proof. Something is broke.

"This proof" means only:

1. You can ping at least one device on your LAN 192.168.1.0/24, so obviously your Linux PC is connected to some network.
2. Not being able to ping Windows PCs on your LAN is perfectly normal, depending on what kind of network connection (private or public) is selected. The Windows firewall does not allow incoming pings.
3. Not being able to ping the gateway can be because of many reasons, most of which are simple misconfigurations:

- Having selected the wrong port to connect to because physical ports are numbered differently than logical NICs
- Using multiple ports as a bridge without having them configured as per docs
- Using another subnet or differrent VLAN
- Cabling problems
- Not having opened the firewall for such kind of traffic (or having blocked such traffic by error in trying to "strengthen security"

For example: Did you try the other way around, namely to ping the Linux PC from your OpnSense?
4. Together with not being able to reach the internet (because of what? Can you resolve DNS names?) it suggests missing connectivity to your firewall for any kind of traffic.

You see: None of "this" is "proof" - only a hint at some kind of misconfiguration. Nobody questions "something is broke", but there is no grounds to suggest any hacker being involved.

Altogether this means:

a. unproven claims of hacker attacks
b. random tries to "strengthen security"
c. (only after asking for facts) connection problems of some kind
d. not enough useable facts for us to start with

Instead of jumping to (false) conclusions, you would be better off to state the facts, like in this case: "I do not get internet connection and I cannot reach my gateway", together with helpful facts about what you have done, including:

- network topology
- firewall rules
- positive and negative results of tests you have conducted to identify the exact problem

Also, stop messing around with random measures like:

I added RESET WAN interface every 10 min using cron job.

Those will do more harm than good if you do not know what you are doing. This alone might account for missing internet access...


P.S.: Your network configuration looks right and the fact that the gateway is in the arp table suggests a blocking firewall rule, no physical or VLAN problem.

Did you actually try to keep the server ID fixed? Or try to use one of the fast Comcast servers now? Obviously, those were never used in 2026 for whatever reasons, thus the numbers are not comparable as such.

Maybe the mechanism has changed for 26.x?

Also, did you heed the warning about dependencies and changing values without a reboot? It sometimes matters in what order the values are being applied.

Matter-of-fact, with some ISP equipment, the enlargement does not work at all, so consider yourself lucky if it works for you.

I keep hearing that multi-threading support is on the top of the priority list for some years now. Sounds like when Trump says "in two weeks".

And yes, you would be hard pressed to find a low-power (embedded) CPU with a high enough single-thread performance to run Zenarmor at >= 1 GBps speeds. Only desktop or high-performance server CPUs (many server CPUs have many cores, but low single-thread performance) would do that.

And even then, you would only use a fraction of the potential power, but have the high cost (both purchase and consumption) until multithreading will be supported.

Yeah, that all sounds too familiar. Considering the style, the claims and even the profil name, I suspect that @peterwkc is the same person, so it is now the bazillionth time, see: https://forum.opnsense.org/index.php?topic=44259.0

@nicholaswkc: I suggest you to find a new hobby besides IT. The way you argue shows that you do not know what you are talking about. It seems like a mix of not understanding why specific things go wrong for lack of technical skill, mixed with a paranoid fear that the problems are not caused by your own mistakes, but by some evil hackers/ISPs/whomever.

You have been advised multiple times now, that your claims (which I cannot even comprehend) do not match reality.

However, remembering the old saying "just because you are paranoid does not mean that they are not after you.", maybe you are right. Are you living in Russia by any chance?

Since Zenarmor still is limited to one thread only, you can simply relate any known CPU's single-thread performance against the C3758R's single-thread perfomance on one of the many CPU-Performance comparison sites. The kind of work Zenarmor is doing here cannot be easily accelerated by a proprietary chip, unlike encryption.

So, choose a CPU whose performance you know and compare it.

1. Such requests can be done via Github.
2. You can achieve the same effect by using categories.