Messages - AxAn

#1
I got a working site-to-site WireGuard connection, using the tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

The two sites are in different countries and I would like to force the traffic of my TV, on site #1, to access the internet through site #2 so I can use some local news apps.

Is there a simple way to do this?
I'm using the latest version: OPNsense 23.1.11_1-amd64
#2
So you are suggesting that device can't access any other device on the LAN because of some other reason, when I'm adding the firewall rule?
Or is there something wrong with how I set up the rule?
Before I add the rule the device can ping google.com and other devices on the LAN.
After the rule is applied it can't ping either google.com or any other devices on the LAN.
#3
But if I do that then the device is also blocked from accessing the LAN, not only the internet, which is undesirable.
#4
23.1 Legacy Series / Block IPs from internet access
April 20, 2023, 09:19:02 PM
I'm trying to block some LAN ip addresses from accessing the internet.
I created an alias with one ip, for testing, and then created a blocking rule in Firewall: Rules: Floating for WAN but when testing the device can still access the internet.
If I'm changing the rule interface from WAN to LAN then it works (no access to LAN).
What am I missing?

#5
I tried now to set the MTU to 9000 for both ports on both NICs, using the GUI.
Same problem as before.

I then tried to set it using command line:

ifconfig ix0 mtu 9000 up && ifconfig ix1 mtu 9000 up && ifconfig ix2 mtu 9000 up && ifconfig ix3 mtu 9000 up

Still same problem as before.
#6
I have a NAS, and a computer, with ASUS XG-C100C 10 Gbit NICs.
In between I have an OPNsense router with two Intel X550-T2 10 Gbit NICs.

When transferring a big file from NAS to computer I get about 6.8 - 7.2 Gbit, according to Windows 11.
The NAS has an SSD Raid that can deliver 10 Gbit of data without a problem.
I was hoping to increase this to closer to 10 Gbit by setting the MTU in OpnSense and jumbo frame in Windows 11.

If I set the MTU to 9000 on the Intel NIC in the OPNsense GUI the connection to my computer drops out back and forth. If I ping the router, 4-5 pings get through and then 4-5 pings don't.
If I run ifconfig while the MTU is set, it says that the MTU is 1500:

ix2: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN10GB1 (opt2)
        options=4803828<VLAN_MTU,JUMBO_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,NOMAP>
        ether xxxx
        media: Ethernet autoselect (10Gbase-T <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


If I remove the MTU value in the GUI and set it using the command line (ifconfig ix2 mtu 9000 up) it shows up as 9000 when checked with ifconfig, but it gets reset back to 1500 after a while, and I don't think it actually worked since I can't verify it using ping -f -l 9000 ... even after setting jumbo frames on the computer NIC.

Any suggestions to get this to work?


pciconf -lvc
ix2@pci0:4:0:0: class=0x020000 rev=0x01 hdr=0x00 vendor=0x8086 device=0x1563 subvendor=0x8086 subdevice=0x0001
    vendor     = 'Intel Corporation'
    device      = 'Ethernet Controller 10G X550T'
    class        = network
    subclass   = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                 Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO
                 max read 512
                 link x4(x4) speed 8.0(8.0) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 915049ffff200000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 64 supported
                     First VF RID Offset 0x0180, VF RID Stride 0x0002
                     VF Device ID 0x1565
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 0017[1a0] = TPH Requester 1
    ecap 000d[1b0] = ACS 1
    ecap 0018[1c0] = LTR 1
    ecap 0019[1d0] = PCIe Sec 1 lane errors 0
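Two checks worth doing on the post above, as an added example (this is not code from the post or from OPNsense): parse the FreeBSD-style ifconfig output for the configured MTU and the JUMBO_MTU capability flag, and compute the largest payload an unfragmented ping can carry for a given MTU. A ping with a 9000-byte payload is 9028 bytes on the wire (20-byte IPv4 header plus 8-byte ICMP header), so "ping -f -l 9000" can never succeed through a 9000-byte MTU even when jumbo frames work; the size that actually verifies a 9000-byte path is 8972. The sample ifconfig text is constructed (modelled on the quoted output, with a placeholder MAC and an invented second interface), and the function names are this example's own.

```python
import re

# Header sizes used to turn an MTU into the largest unfragmented ping payload.
IPV4_HEADER = 20
IPV6_HEADER = 40
ICMP_HEADER = 8

# Constructed sample modelled on the ifconfig output quoted in the post.
# The MAC is a placeholder and igb0 is invented to show a jumbo-enabled port.
SAMPLE_IFCONFIG = """\
ix2: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN10GB1 (opt2)
        options=4803828<VLAN_MTU,JUMBO_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,NOMAP>
        ether 00:00:00:00:00:00
        media: Ethernet autoselect (10Gbase-T <full-duplex,rxpause,txpause>)
        status: active
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
        status: active
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9_.]+): flags=.*\bmtu (\d+)")
OPTIONS_RE = re.compile(r"<([^>]*)>")


def parse_ifconfig(text):
    """Return {ifname: {"mtu": int, "jumbo_capable": bool}} from ifconfig output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"mtu": int(m.group(2)), "jumbo_capable": False}
            continue
        if current and line.strip().startswith("options="):
            opts = OPTIONS_RE.search(line)
            flags = opts.group(1).split(",") if opts else []
            # JUMBO_MTU is the driver's capability flag; it says nothing about
            # the MTU actually configured, which is the number on the flags line.
            result[current]["jumbo_capable"] = "JUMBO_MTU" in flags
    return result


def max_ping_payload(mtu, ipv6=False):
    """Largest payload for an unfragmented echo request through the given MTU.

    This is the number to pass to "ping -l" on Windows or "ping -s" on Unix.
    """
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - ICMP_HEADER


def ping_fits(mtu, payload, ipv6=False):
    """True if a don't-fragment ping with this payload can traverse the MTU."""
    return payload <= max_ping_payload(mtu, ipv6)


def check_interface(text, ifname, wanted_mtu=9000):
    """Summarise whether ifname is set for wanted_mtu and which ping size verifies it."""
    info = parse_ifconfig(text).get(ifname)
    if info is None:
        return {"found": False}
    return {
        "found": True,
        "mtu": info["mtu"],
        "jumbo_capable": info["jumbo_capable"],
        "mtu_ok": info["mtu"] >= wanted_mtu,
        "verify_payload": max_ping_payload(wanted_mtu),
    }


if __name__ == "__main__":
    for name in ("ix2", "igb0"):
        print(name, check_interface(SAMPLE_IFCONFIG, name))
```

On the router the capture would be the output of ifconfig for the port in question; on the Windows side the matching don't-fragment test for a 9000-byte path is "ping -f -l 8972 <router>", and on FreeBSD "ping -D -s 8972 <host>".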

#7
I use only IP address to connect to the device.
Maybe it's not Unbound, but disabling it breaks the chain to the actual problem. But I have no clue what it would be.
#8
An update:
I started to disable services and the problem went away when I disabled Unbound.
The only thing I have in Unbound is a mapping for a subdomain to an IP, but if I disable it the problem is still present so I don't think it has to do with that.

My Unbound config, from backup:
    <unboundplus version="1.0.4">
      <service_enabled/>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logverbosity>1</logverbosity>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cacheminttl/>
        <infrahostttl/>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <dnsbl>
        <enabled>0</enabled>
        <type/>
        <lists/>
        <whitelists/>
        <address/>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots/>
      <hosts>
        <host uuid="xxxxxxxxxxx">
          <enabled>1</enabled>
          <hostname>yyyyyy</hostname>
          <domain>xxxxx.com</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>192.168.0.199</server>
          <description>xxxxxx</description>
        </host>
      </hosts>
      <aliases/>
      <domains/>
    </unboundplus>
#9
I tried that. The MAC address remains the same.
I cleared out the arp table on my computer between connecting/disconnecting the router:
arp -d *
#10
I don't know what to make of this and I'm not even sure where to start looking.

I have an audio matrix (the t.racks DSP 408) with a static IP.
If I set a static IP on my computer, and connect directly to the DSP, the provided network software for the matrix works perfectly.
If I connect the computer and matrix together using a switch (Netgear GS108) it also works.
If I connect my router, running OPNsense (23.1.1_2-amd64), to the same switch I can ping the DSP but not connect using its software.

My first thought was that there might be another device with the same ip, but there isn't.
Any thoughts about this or where to start looking?
#11
21.7 Legacy Series / Re: Domain to ip route
October 14, 2021, 03:17:23 PM
Thank you for the excellent info, that worked nicely.
#12
21.7 Legacy Series / Domain to ip route
October 13, 2021, 06:01:47 PM
I've got some different situations that rely on sending a sub-domain to a specific LAN IP.
I was using OpenWRT before and simply hardcoded it in /etc/hosts.
What is the correct/good way to do it in OPNsense?

For example, I would like "test.example.com" to point to 192.168.0.100 and "test.example2.com" to point to 192.168.0.101.
I don't want to use "example.com" or "example2.com" etc. as my local domain.

I've been looking into Unbound DNS but I'm not sure what to use there or how to configure it.
I've also seen that you can add a domain for DHCPv4. Is that the way to go?
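The Unbound equivalent of an /etc/hosts entry is a local-data record (plus local-data-ptr for the reverse name); OPNsense writes these for you from the Host Overrides page under Services: Unbound DNS, which is what the question is asking for. As an added example that is not part of the post or of OPNsense, the converter below takes hosts(5)-style lines of the kind carried over from OpenWRT and emits the matching Unbound statements, validating addresses and hostnames on the way so a typo does not silently become a bad record. The sample hosts text is constructed around the two names in the post, and the function names are this example's own. Because each entry gets its own transparent local zone in Unbound, other names under example.com still resolve upstream, which matches the "don't want example.com as my local domain" requirement.

```python
import ipaddress
import re

# Constructed sample in /etc/hosts format, built around the names in the post.
SAMPLE_HOSTS = """\
# lab overrides (constructed example data)
192.168.0.100   test.example.com
192.168.0.101   test.example2.com   files.example2.com
fd00::101       test.example2.com
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def valid_hostname(name):
    """True for a syntactically valid hostname (LDH labels, at most 253 chars)."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def hosts_to_unbound(text, ttl=3600, ptr=True):
    """Translate hosts(5) lines into Unbound local-data / local-data-ptr statements.

    Each name becomes an A or AAAA record depending on the address family.
    Malformed addresses or hostnames raise ValueError with the offending line.
    """
    lines = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<address> <name> [<name>...]'")
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}") from exc
        rrtype = "AAAA" if addr.version == 6 else "A"
        for name in fields[1:]:
            if not valid_hostname(name):
                raise ValueError(f"line {lineno}: bad hostname {name!r}")
            fqdn = name.rstrip(".").lower() + "."  # Unbound wants absolute names
            lines.append(f'local-data: "{fqdn} {ttl} IN {rrtype} {addr}"')
            if ptr:
                # local-data-ptr takes "<address> [<ttl>] <name>" and builds the PTR.
                lines.append(f'local-data-ptr: "{addr} {ttl} {fqdn}"')
    return lines


def render_server_clause(lines):
    """Wrap generated statements in a server: clause for an unbound.conf include."""
    return "server:\n" + "".join(f"    {line}\n" for line in lines)


if __name__ == "__main__":
    print(render_server_clause(hosts_to_unbound(SAMPLE_HOSTS)))
```

Drop the rendered clause into an include file, run unbound-checkconf against the full configuration, and reload; on OPNsense the GUI overrides generate the same statements, so the script is mainly useful for bulk-migrating a long hosts file or for checking what the GUI should produce.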