Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - BondiBlueBalls

Pages1 2 3

Virtual private networks / Re: Wireguard, Port Forwarding and Proton VPN

January 16, 2025, 06:59:31 PM

Quote from: Bob.Dig on January 16, 2025, 10:32:31 AM
Quote from: bartjsmit on January 16, 2025, 10:26:59 AMThat is not likely to happen
Proton does allow opening a randomized port but it is very difficult to set up and the port can change any time.

I have a tool that will manage the port from Proton and sync it to OPNsense. It will optionally manage the forwarded port in qBittorrent, too. I've been running various iterations of it for two years without issue. https://github.com/clajiness/qbop

Virtual private networks / Re: ProtonVPN + Wireguard + NAT-PMP

November 19, 2024, 06:10:52 PM

Hey, all. I'm not sure if this meets your needs, but I wrote a little script that grabs the forwarded port from protonvpn and syncs it with OPNsense and qBittorrent. It's been keeping everything running perfectly for me for over a year. Hope it helps! https://github.com/clajiness/qbop

Tutorials and FAQs / Re: How to modify port forwarding rules via API

June 22, 2024, 06:00:42 AM

What are you trying to modify, specifically? If you're trying to update the forwarded port (which seems the likely case), set an alias and update that.

Here's some Ruby code I wrote a while back to get the job done. This class can grab the UUID of the alias, find the value, set it to whatever you like, and then apply it.

Good luck!

Code Select


module Service
  class Opnsense
    def get_alias_uuid(config)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/getAliasUUID/#{config['opnsense_alias_name']}")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req =  Net::HTTP::Get.new(uri)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      res = http.request(req)
      JSON.parse(res.body)["uuid"]
    rescue StandardError => e
      @logger.error("get_alias_uuid - HTTP Request failed - (#{e.message})")
    end

    def get_alias_value(config, uuid)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/get")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req =  Net::HTTP::Get.new(uri)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      res = http.request(req)

      alias_content = JSON.parse(res.body).dig("alias", "aliases", "alias", uuid, "content")
      alias_content.values[0]["value"].to_i
    rescue StandardError => e
      @logger.error("get_alias_value - HTTP Request failed - (#{e.message})")
    end

    def set_alias_value(config, forwarded_port, uuid)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/setItem/#{uuid}")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      body = {"alias": {"content": forwarded_port}}.to_json

      # Create Request
      req =  Net::HTTP::Post.new(uri)
      # Add headers
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]
      # Add headers
      req.add_field "Content-Type", "application/json; charset=utf-8"
      # Set body
      req.body = body

      # Fetch Request
      http.request(req)
    rescue StandardError => e
      @logger.error("set_alias_value - HTTP Request failed - (#{e.message})")
    end

    def apply_changes(config)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/reconfigure")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req =  Net::HTTP::Post.new(uri)
      # Add headers
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      http.request(req)
    rescue StandardError => e
      @logger.error("apply_changes - HTTP Request failed - (#{e.message})")
    end
  end
end

23.7 Legacy Series / Re: [solved] PIA Wireguard Tunnel

November 28, 2023, 12:17:06 AM

Glad you're up and running. The fact that you're using a 3rd party script would be useful info next time. :)

23.7 Legacy Series / Re: PIA Wireguard Tunnel

November 27, 2023, 11:46:59 PM

Did you use the FingerlessGlov3s script to set up your tunnel? If so, it looks like the maintainer released an update to support a change made in 23.7.8.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/releases/tag/23.7.8-1

Virtual private networks / Re: Suggestions for VPN with port forwarding

September 18, 2023, 05:15:44 AM

PIA absolutely supports port forwarding outside of the app. https://helpdesk.privateinternetaccess.com/kb/articles/manual-connection-and-port-forwarding-scripts-for-linux

If you want a better alternative (imo), I'm currently using ProtonVPN via WireGuard, and port forwarding works perfectly. I wrote a little script to handle natpmpc, but it's really straightforward otherwise. https://protonvpn.com/support/port-forwarding-manual-setup/

So ya, I used this (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) with the info above, and my proton connection has been rock solid.

Good luck!

23.7 Legacy Series / Re: Question about enabling RSS

August 09, 2023, 09:40:35 PM

I think this best explains why we still see "direct" under Configuration -> Dispatch policy: https://forum.opnsense.org/index.php?topic=24409.msg118244#msg118244

23.7 Legacy Series / Re: Question about enabling RSS

August 09, 2023, 08:36:22 PM

QuotePlus if you look at the workstreams you will see that you have 8 of each of them associated to every single CPU.

Got it. I was (obviously) a bit confused given that Dispatch policy under Configuration was still shown as direct. I see an opportunity to update the docs a bit. :)

Anyway, thanks so much! I appreciate the reply!

23.7 Legacy Series / Re: Question about enabling RSS

August 09, 2023, 08:17:08 PM

Well, after reading the code again, I see that Dispatch policy is still set to direct, but ip, ip6, ip_direct, and ip6_direct, under Protocols, are all set to hybrid. Was it correct the whole time? Is the Dispatch policy under Configuration the wrong thing to base my assumption on?

#10

23.7 Legacy Series / Question about enabling RSS

August 08, 2023, 10:57:29 PM

Hey, all. I tried enabling RSS on my Supermicro box with ixl 10gb interfaces. Following the instructions, I ran netstat -Q, but still see Dispatch policy = direct. Everything else seems to look correct. Thoughts? Thanks!

I set these four tunables:

Code Select


+    <item>
+      <tunable>net.isr.bindthreads</tunable>
+      <value>1</value>
+      <descr>Set manually to enable RSS</descr>
+    </item>
+    <item>
+      <tunable>net.isr.maxthreads</tunable>
+      <value>-1</value>
+      <descr>Set manually to enable RSS</descr>
+    </item>
+    <item>
+      <tunable>net.inet.rss.enabled</tunable>
+      <value>1</value>
+      <descr>Set manually to enable RSS</descr>
+    </item>
+    <item>
+      <tunable>net.inet.rss.bits</tunable>
+      <value>3</value>
+      <descr>Set manually to enable RSS</descr>
+    </item>

When I run netstat -Q, I get:

Code Select


Configuration:
Setting                        Current        Limit
Thread count                         8            8
Default queue limit                256        10240
Dispatch policy                 direct          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   1000    cpu   hybrid   C--
igmp       2    256 source  default   ---
rtsock     3    256 source  default   ---
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6   1000    cpu   hybrid   C--
ip_direct     9    256    cpu   hybrid   C--
ip6_direct    10    256    cpu   hybrid   C--

Workstreams:
WSID CPU   Name     Len WMark   Disp'd  HDisp'd   QDrops   Queued  Handled
   0   0   ip         0     9        0    19585        0     2482    22067
   0   0   igmp       0     0       24        0        0        0       24
   0   0   rtsock     0     0        0        0        0        0        0
   0   0   arp        0     0      388        0        0        0      388
   0   0   ether      0     0    97182        0        0        0    97182
   0   0   ip6        0     0        0        0        0        0        0
   0   0   ip_direct     0     0        0        0        0        0        0
   0   0   ip6_direct     0     0        0        0        0        0        0
   1   1   ip         0    25        0        0        0    20988    20988
   1   1   igmp       0     0        0        0        0        0        0
   1   1   rtsock     0     2        0        0        0      107      107
   1   1   arp        0     0        0        0        0        0        0
   1   1   ether      0     0        0        0        0        0        0
   1   1   ip6        0     0        0        0        0        0        0
   1   1   ip_direct     0     0        0        0        0        0        0
   1   1   ip6_direct     0     0        0        0        0        0        0
   2   2   ip         0    32        0        0        0    12189    12189
   2   2   igmp       0     0        0        0        0        0        0
   2   2   rtsock     0     0        0        0        0        0        0
   2   2   arp        0     0        0        0        0        0        0
   2   2   ether      0     0    31153        0        0        0    31153
   2   2   ip6        0     0        0        0        0        0        0
   2   2   ip_direct     0     0        0        0        0        0        0
   2   2   ip6_direct     0     0        0        0        0        0        0
   3   3   ip         0   157        0     6561        0    94986   101547
   3   3   igmp       0     0        0        0        0        0        0
   3   3   rtsock     0     0        0        0        0        0        0
   3   3   arp        0     0        0        0        0        0        0
   3   3   ether      0     0        0        0        0        0        0
   3   3   ip6        0     0        0        0        0        0        0
   3   3   ip_direct     0     0        0        0        0        0        0
   3   3   ip6_direct     0     0        0        0        0        0        0
   4   4   ip         0    47        0        0        0     9834     9834
   4   4   igmp       0     0        0        0        0        0        0
   4   4   rtsock     0     0        0        0        0        0        0
   4   4   arp        0     0        0        0        0        0        0
   4   4   ether      0     0    37183        0        0        0    37183
   4   4   ip6        0     0        0        0        0        0        0
   4   4   ip_direct     0     0        0        0        0        0        0
   4   4   ip6_direct     0     0        0        0        0        0        0
   5   5   ip         0    16        0      125        0     8996     9121
   5   5   igmp       0     0        0        0        0        0        0
   5   5   rtsock     0     0        0        0        0        0        0
   5   5   arp        0     0        0        0        0        0        0
   5   5   ether      0     0        0        0        0        0        0
   5   5   ip6        0     0        0        0        0        0        0
   5   5   ip_direct     0     0        0        0        0        0        0
   5   5   ip6_direct     0     0        0        0        0        0        0
   6   6   ip         0    65        0        0        0    16411    16411
   6   6   igmp       0     0        0        0        0        0        0
   6   6   rtsock     0     0        0        0        0        0        0
   6   6   arp        0     0        0        0        0        0        0
   6   6   ether      0     0   111034        0        0        0   111034
   6   6   ip6        0     0        0        0        0        0        0
   6   6   ip_direct     0     0        0        0        0        0        0
   6   6   ip6_direct     0     0        0        0        0        0        0
   7   7   ip         0    50        0        0        0    47801    47801
   7   7   igmp       0     0        0        0        0        0        0
   7   7   rtsock     0     0        0        0        0        0        0
   7   7   arp        0     0        0        0        0        0        0
   7   7   ether      0     0        0        0        0        0        0
   7   7   ip6        0     0        0        0        0        0        0
   7   7   ip_direct     0     0        0        0        0        0        0
   7   7   ip6_direct     0     0        0        0        0        0        0

Running sysctl -a | grep rss returns:

Code Select


net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3 4:4 5:5 6:6 7:7
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 8
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 8
net.inet.rss.maxbits: 7
net.inet.rss.mask: 7
net.inet.rss.bits: 3
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1

#11

23.1 Legacy Series / Re: Question about applying firewall alias changes via API

July 25, 2023, 06:53:38 PM

Turns out the "apply" button in the UI is equivalent to the "reconfigure" endpoint here: https://docs.opnsense.org/development/api/core/firewall.html

All set. Thanks!

#12

23.1 Legacy Series / Question about applying firewall alias changes via API

July 20, 2023, 01:29:06 PM

Hey, all.

I'm working on a little tool to automatically update a specific alias related to port forwarding for another app. I'm currently using three of the firewall/alias endpoints (get, getAliasUUID, and setItem), and everything is working perfectly.

My only issue is that the changes don't seem to be applied (equivalent to pressing "apply" in the UI). Is there an endpoint for applying these changes, or is that what the firewall plugin is for? (firewall/filter_base/apply) After looking at the firewall plugin endpoints, I figured that was just for rules.

Any advice would be appreciated. Thanks much!

#13

23.1 Legacy Series / Re: 1 LAN - 2 PS4 - Battlefield2042

May 16, 2023, 01:48:32 PM

Ya, the outbound NAT rule(s) was my next question, too. If that's set up properly, it makes me wonder if Battlefield doesn't have alternate ports for this situation.

Here's a link to my current gaming setup in OPNsense. Maybe it'll help. Good luck!
https://forum.opnsense.org/index.php?topic=33609.msg162525#msg162525

#14

23.1 Legacy Series / Re: 1 LAN - 2 PS4 - Battlefield2042

May 15, 2023, 04:53:54 PM

When UPnP is enabled and a PS4 is on, do you see any entries in the "Services: Universal Plug and Play: Status" page?

#15

General Discussion / Re: [Request] NAT Setup guide for console (Xbox/PlayStation)

April 18, 2023, 09:41:47 PM

I have NAT Type Open on my Xbox Series X and NAT Type 2 on my PS5 using OPNsense. Per this guide, these are the ideal NAT types for consoles behind a firewall.

https://portforward.com/nat-types/

I'll try to provide the settings I'm using. Hopefully it helps!

I have a "Games" VLAN specifically for gaming devices. In it are my XSX, PS5, and two Nintendo Switches.
Each device has a static IP address.
I have an Outbound NAT rule for the Games Network. (see screen shots)
Under Firewall Rules, I have one for the Games interface allowing access to the Games Address on the UPnP ports. (see screen shots)
UPnP is turned on, but only for the Games Interface. Use my example in the screen shots.
Here are some screen shots of the important settings. Let me know if it seems like I've forgotten anything.

With these settings, everything works perfectly. Hope it helps!

Pages1 2 3