
Messages - jorglodita

#1
Hi! Have been using this firewall for years, yesterday I did a new install at home and errors appeared non stop, hope someone can help me. I have no screenshots or logs, please tell me if you need something as I have not found any log showing an error at all.

I know my setup is a bit complex, OPNsense on a Proxmox VM. Have been using and installing it for more than 5 years, I am already used to this config and think all the basic stuff has an OK config.

Error: at the beginning all work perfectly, OPNsense VM is always at 1% CPU usage and all works wonderfully. When around an hour passes I start to have internet problems: cannot ping websites or ping with a lot of packet loss, cannot download, cannot navigate. At the same time OPNsense menus start to be more and more laggy, at the end I cannot enter the OPNsense interface any more (I still can ping to that machine). Proxmox shows a CPU usage of that VM at around 40-50%, don't know why as it usually stays at around 1% usage (I got a good server).

Weird errors I had in the past, somehow related:

1.- This is something that happened mostly on virtualized setups. In the past we had to ENABLE parent interfaces, even if not used, otherwise the machine became unresponsive after a few minutes (as is happening now). This was deprecated and is no longer needed.

2.- This is something new and not much documented. People with the Orange France ISP had to do some setup, they have to go to the "use VLAN priority" option (with option 6 in this case) or the connection drops after a lease. I have Orange as ISP in another country (Spain) but had to enable that option too because my connection was dropping too on each lease.

I am having now a mix of both problems, so I don't really know what to do. For each test I format and start from 0 and then wait for an hour after I have reinstalled and updated everything, then I see the errors and need to start from scratch. A reboot "fixes" all but again in an hour the party starts again.
For each try I totally format and start from zero, to have a basic working install (nothing weird or complex). A basic VM, a basic install and not a million rules or even a VLAN involved.

Can someone give me any hints?

Thanks a million!
#2
Hi! I need some kind of updated (January 2024) confirmation on this question, as I read contradictory responses in some forums and websites.

I already know the basics, OPNsense blocks all WAN connections by default and floating rules apply to all interfaces (so be careful with them).
As OPNsense blocks all connections by default, let's suppose I will be opening some ports to host some service (disclaimer, this is very dangerous, just using this as an example).

Let's say I have a nice blocking list: "the_most_dangerous_ips", already created as an alias.

As OPNsense blocks WAN connections by default I will create a floating rule: "block", direction "out", source "any", destination "the_most_dangerous_ips".

That works perfectly on all my VLANs, already tried: just have to ping any of those "dangerous IPs" before and after the rule.

Now the question, which I have asked in different forums in the past and always got different answers. Imagine I start opening ports to host a lot of services from my house (again disclaimer: this is totally dangerous, I put this example for learning purposes).

Remember I already have a good block list with all the nasty IPs around, and a floating rule.

Scenario A: I can modify the outbound rule I already had to "block", direction "ANY", source "any", destination "the_most_dangerous_ips". In this scenario I changed the direction to "ANY", so I can't connect to those IPs nor "be connected" from those IPs.

Scenario B: The "Direction: Any" does NOT work in floating rules, I need to create another rule, this time with "direction: in", to be protected against inbound connections from those IPs. If this is the real scenario I know it's probably better to just put a WAN rule, not floating.

Hope someone can shed some light on this question, it's easy to check if the outbound part works (and it works with "direction: any"), but I can't test the inbound part.

Thanks a lot in advance!
#3
Good morning, this week I have finally decided to dismantle a part of my home lab and set up a bare metal OPNsense installation. I've been using this wonderful software for years, but two problems have arisen: I have less and less time to tinker, and my family is increasingly dependent on our home connection. It used to be no problem to take down the network and tinker for hours. Now, that time is non-existent, and I can only do it at night or when the family is out.

I'm in a bit of a hurry, so I bought a small computer (n100 with i226 cards) on Amazon. I know that on AliExpress there are computers with more ports, but I need it up and running now and can't wait that long.

Having virtualized for years, the process seems straightforward to me, but I have a big question: I only have 2 NICs and need to check something about VLANs.
1 NIC will be dedicated to WAN, that's for sure. I want the other to default to LAN and wanted to add VLANs on that interface.
However, I have read many times that for security reasons, "tagged" and "untagged" traffic should never be mixed, and I'm afraid this might be one of those situations; I need confirmation.

In my mind, I will set up some VLANs on the LAN interface, always using VLANs and leaving only the LAN for emergency connections (which I hope to never have to use). Of course, I will use a switch where all the traffic to the firewall port will be "tagged", and in the rest of the ports pretty much the same (except for some like consoles or some IoT devices that have to go "untagged").

What do you think of this approach? Would it violate the "never mix tagged and untagged" rule? I won't create any DMZ or expose anything outside for now, but I need to be sure my idea is solid about security.

Thanks a million in advance
#4
Quote from: Patrick M. Hausen on December 19, 2023, 09:28:52 AM
Quote from: jorglodita on December 19, 2023, 08:42:01 AM
After 22.1 something changed and now you need to have the parent interface enabled (vtnet2 in this case), then you can create that "VLAN 10" and it will work perfectly. You had to have unused parent interfaces enabled to make VLAN work over them.

That was reverted in 22.7.4:
Quote: Last but not least the "assign VLAN parent and enable" migration note from 22.1 is no longer required as the boot will attempt to configure all existing hardware devices once with the selected defaults.

https://docs.opnsense.org/releases/CE_22.7.html

All totally cleared and explained, thanks a million for your time!
#5
Hi! This is a bit of a technical question and my English is far from perfect, hope I am using the right words but sorry if I make any mistake.

This is about VIRTUALIZED setups and OPNsense. Sorry for the caps but it's important.

Until 22.1 we could use VLAN without the parent interface enabled. For example: if I wanted to create the "VLAN 10" over vtnet2 I could just create it and it worked, no need to have the "vtnet2" interface enabled. Well, to be more precise you could create it after 22.1, but it would work badly.

After 22.1 something changed and now you need to have the parent interface enabled (vtnet2 in this case), then you can create that "VLAN 10" and it will work perfectly. You had to have unused parent interfaces enabled to make VLAN work over them.

I am not blaming OPNsense for this, it's made for a reason and that's absolutely OK. Why am I opening a thread then?

Yesterday I was installing 23.7 from scratch on a new computer. In the first setup I was prompted to create VLANs, I said "yes". I created a new VLAN, I chose the desired interface for it (vtnet0) and continued with the installation, all was perfect.
When I finished and went to the dashboard a big thing surprised me: the VLAN created in the installation was there but...I didn't see the parent interface on the list of enabled interfaces! I double checked, the installer didn't create and enable the parent interface. I could even create an interface with that parent interface (vtnet0), it was not created on install. Just had the "vlan10_vtnet0" (or something similar) and nothing more, I expected a "vtnet0" parent created and enabled too.

Has something changed related to this between 22.1 and 23.7? Can we now create VLANs without enabling their parent interfaces? Is there a new option now to bypass this that I did not see? Can't understand why this has changed.

Thanks a million in advance!
#6
Quote from: Vilhonator on June 16, 2022, 10:04:43 AM
Suricata and IPS in general is also quite heavy on resources.
...

Just one opinion about your last post. You are totally right on that point and I would like to add something. At the beginning I was a bit of a fan of IPS but after months and months I realized it's draining a lot of resources and...just for very little protection!

Right now IPS just watches for non encrypted traffic (please tell me if this has changed on OPNsense), with a very heavy resource cost. I think there is no official number but people on reddit usually are ok with the "90% encrypted, 10% non encrypted" idea.

What I always recommend is not using IPS but IP blocklists. Blocklists will just block all the unwanted traffic of the used IPs (remember to use good and updated lists). With IPS you will have to pray for two things: for that "bad traffic" to be non encrypted and to have an active rule for that kind of attack in case the traffic is non encrypted.

Blocklist resource cost is totally negligible.
#7
Hi!
This week I have been trying to add some Mullvad WireGuard Gateways to my setup, so I can have some VLANs that connect to the internet using Mullvad WireGuard.

I have followed the "official" guide step by step:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Each time I failed I just did a format and started from scratch, I am pretty sure I am following all the steps and the connections are well done (that's the reason I don't post screens, the guide is very straightforward).

The setup works. Works wonders, using wireguard-go or kmod (the guide didn't use kmod, used it once just for testing). I have created (just for testing) 5 different new Gateways using Mullvad, each one in a different country (for testing latency and those things too). And they are working.

What's the problem?

I can connect to any of those VLAN, check Mullvad is totally working (https://mullvad.net/en/check/) and confirm I can browse all Internet no problem.
BUT when I change from the Mullvad VLAN I was using to the normal VLAN and I go to the OPNsense dashboard I check the Gateway Status and see ALL MULLVAD CONNECTIONS got "packetloss" status. It reverts back to 1% or 0% loss after a minute or so (and goes high again if I reconnect to any of the Mullvad Gateways).

I have a normal setup, I format between each big configuration change to start fresh and I am really sure I have followed the tutorial step by step.

I have tried using 1.1.1.1 for monitoring, same result. At the moment I am using Mullvad "official DNS" to monitor each Gateway.

The problem is that I really don't know if I have a problem or it's the dpinger service that's not very reliable. So I don't know if I must troubleshoot anything or just disable the Gateway monitoring at all.

Latency in all Gateways is stable, goes from 35ms to 55ms (I will end using the 35 ms one). RTTd is around 10ms in all of them and Loss is usually 0%, but when I use one of them ALL shows more than 20% and "packetloss" warnings.

There are no error logs, apparently the connection is OK and seems to be working. But I don't feel very safe having color warnings on screen telling me there are problems with ALL my Gateways each time I use one of Mullvad's so I don't know what to think.

Does someone know if this is normal or something is happening? Thanks a lot in advance!
#8
Have had many problems updating since last week too. As I am trying new setups I am using both 21.7 and 22.1 and have problems updating both of them.

I live in Spain, don't know if that is relevant (mirror distance?). With the default setup I can't upgrade, always end with errors. I need to go to the settings and select a mirror so updates work again.

Have tried with 2 or 3 mirrors, all of them work. Just need to select a mirror before updating, if not the update fails.
#9
Hi! I was using 2 ways of blocking ads inside OPNsense itself, using Unbound and Using Aliases.

1st way, Using Unbound is easy:
Services > Unbound DNS > Blocklist > URLs of Blocklists.
In there I enter the desired lists. I thought it was working as expected.

2nd way, Using Aliases appears easy too:
Firewall > Aliases. Inside that panel just create a new Alias using "URL Table (IPs)" option, entering there the desired lists.

I was using the first method, but doing a new setup with the second one makes me wonder if the first one is really working:

1.- Want to create a Firewall Alias. I know when creating a URL Table you have to select the "Refresh Frequency". By default I was not getting any "Loaded" rule (waited more than 30 minutes after creating without any luck, hoping it would populate on creation). Should the first list refresh be automatic, or is it intended that I must wait for the first refresh (or force it with a cron job) for it to be populated?

2.- This is more important. After doing a cron job to force the lists to be populated I found they loaded just "a few" rules ("a few": around 30000 entries of a total of around 200000. The default limit is 1000000, so that's not the problem). In some lists it didn't load anything. To test this I went to Diagnostics > Aliases for checking.

3.- Related to those prior questions I have another one: I know Aliases are not taking the full list of rules. How can I know what is happening when using the same lists in Unbound blocklists? Now I doubt Unbound is using the full lists of rules, apparently Unbound doesn't have any panel with info about which rules it is really using.

PS: I am using the green ticked rules from "https://firebog.net/".

Thanks a lot in advance!
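The two blocklist posts above (the floating "block destination the_most_dangerous_ips" rule and the alias that loaded far fewer entries than the list contained) share one practical check: what does a given list actually contain, and which of its entries can an IP-based table use? The following is an added example, not code from the thread or from OPNsense. It assumes, as stated here and not confirmed by the posts, that a "URL Table (IPs)" alias consumes only entries that parse as an IP address or CIDR network, while hosts-file lines ("0.0.0.0 host") and bare domain names are DNS-style entries that such a table cannot use. The sample list is constructed; `ip_matches` imitates the question a block rule with the alias as destination would ask, without claiming to reproduce pf's own lookup.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample mixing the formats commonly found in public blocklists.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test
malware.example.test
203.0.113.0/24
198.51.100.7
2001:db8::/32
not a valid entry
"""


@dataclass
class ParsedList:
    networks: list   # entries usable by an IP/CIDR table (assumption: URL Table (IPs))
    hostnames: list  # DNS-style entries, only usable by a DNS blocklist (e.g. Unbound)
    skipped: list    # lines that are neither


def is_hostname(label_string):
    """Loose hostname check: dotted labels of letters, digits and hyphens."""
    labels = label_string.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    )


def parse_blocklist(text):
    """Classify every non-comment line of a blocklist into network, hostname or skipped."""
    networks, hostnames, skipped = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        # hosts-file format: the address is a sinkhole, the hostname is the payload
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            hostnames.append(fields[1].lower())
            continue
        if len(fields) != 1:
            skipped.append(raw)
            continue
        try:
            # strict=False accepts host bits set, e.g. "203.0.113.5/24"
            networks.append(ipaddress.ip_network(fields[0], strict=False))
            continue
        except ValueError:
            pass
        if is_hostname(fields[0]):
            hostnames.append(fields[0].lower())
        else:
            skipped.append(raw)
    return ParsedList(networks, hostnames, skipped)


def ip_matches(parsed, address):
    """True if the address falls inside any network loaded from the list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in parsed.networks if net.version == ip.version)


def summary(parsed):
    """Counts a practitioner would compare against the alias' 'Loaded' figure."""
    return {
        "ip_table_usable": len(parsed.networks),
        "dns_only": len(parsed.hostnames),
        "skipped": len(parsed.skipped),
    }


if __name__ == "__main__":
    parsed = parse_blocklist(SAMPLE_LIST)
    print(summary(parsed))
    for probe in ("203.0.113.45", "198.51.100.8", "2001:db8::1"):
        print(probe, "blocked" if ip_matches(parsed, probe) else "allowed")
```

Running it over a real list downloaded to disk (replace `SAMPLE_LIST` with the file contents) gives a quick way to tell whether a low "Loaded" count is the table doing exactly what it can with a domain-oriented list, or something that needs troubleshooting.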

#10
Hi! Have been using OPNsense for years with no problems, but on 22.1 a "big change" was introduced and now I don't know the best way to configure the firewall.

My setup so far:

3 NICs for OPNsense:
- WAN: assigned and enabled on the install. I use an ISP VLAN over it so it's unassigned when I configure it.
- LAN: assigned and enabled on the install. I never touch this one, it's just my "emergency interface".
- "OPT": not assigned and not enabled on the install on purpose. All my VLANs go here (always unassigned).

On 22.1 a big change appeared, all parent interfaces must be assigned and enabled (if they have VLAN on them). So I need to change my prior plan in order to continue using OPNsense.

1.- The WAN interface. By default it creates some firewall rules and I THINK (please tell me if I am wrong) this interface has some configuration rules too (different from the LAN interface, for example).
If I add the ISP VLAN over it it becomes unassigned. I can create a "fake wan" interface no problem and all will work. That "fake wan" interface is assigned and enabled, but I don't give it an IP or anything else. The problem here is that I am speaking of a WAN interface that I created myself, with no special firewall rules like a "normal" one, and no special configuration. I just create the "fake wan" to have a parent interface and all works but...am I creating a security hole doing this?
Another approach would be leaving the parent WAN interface untouched and just creating a VLAN on it so I can have the ISP connection over it. I like this idea very much. The problem here? The default WAN interface has its "special" configuration and firewall rules, the one I create does not. Is there a guide to create this VLAN with some security?
As you can see my only concern here is creating a security breach messing with the WAN interface.

2.- The "OPT" interface. This question is similar to the prior one. I create a "fake opt" interface too so all the VLANs over it have an enabled and assigned parent interface. This interface doesn't have firewall rules (everything blocked by default), no IP, it's just a "fake opt". That is what I think but I have "dangerous" VLANs over it (DMZ and such). Do I need any special configuration for this interface?

3.- My plan for the next weeks is using Suricata and/or Zenarmor. I know I must select the parent interfaces for them to work. My "OPT" interface is a "fake one" too, just assigned and enabled so the VLANs over it work, but it has no IP or configuration at all (not even firewall rules to allow connections). Is this configuration valid for Suricata/Zenarmor or do they need a fully working, full internet, full setup parent interface?

Thanks a lot in advance!
#11
Hi, a bit late but I can mark this problem as solved.

On 22.1 they introduced a big configuration change: at least in the kind of setup I am using I need to assign and enable all parent interfaces.
#12
Hi, have been struggling for days with this problem, now I have found a workaround I write here trying to solve it in a better way.
First of all, sorry for not pasting here error codes or similar, I am a "GUI guy" and don't have anything logged. If you need me to do any test please explain (as if I were a 4 year old boy please, I rarely use the CLI) and I will do it no problem.

Problem: network with very degraded state after a few minutes with 22.1

I use OPNsense in a Proxmox server. Have been using it for years, it is not my first rodeo. Nothing special in my setup: a good hardware server with a Cisco g250 switch and a modern PC for testing. Using Intel cards everywhere, on my server a 10gtek i350-t4 card https://www.amazon.es/I340-T4-E1G44HT-Controladora-1Gigabit-Ethernet/dp/B01H6NE4X2.

Cat5e cable everywhere and 1gb fiber connection (not PPPoE).

In case there is something weird about my configuration I just did a full format every few tries (got good hardware so I can reinstall everything in a few minutes).
For the test I just plugged the PC into the OPNsense machine, no switch involved.

OPNsense installs no problem and the network always works. But after a few minutes the network speed is absolutely horrible. Haven't performed an iperf (sorry), can confirm internet speed changes from 1GB/1GB to around 10mb/10mb, always with a lot of latency. The network continues working but the server ends up freezing while doing pings, creating VMs or just changing configuration options.

Have tried with lot of configurations: doing passthrough, creating bridges and passing them, creating bonds...all with or without "advanced parameters" (changing MTU, changing multiqueue, using others than virtio drivers...), is always the same: after a few moments network becomes almost unusable.

This error happens with and without VLANs at all. With the default LAN happens too.
Have tried with and without updates to both Proxmox and OPNsense.
Have tried downloading again from different servers (in the rare case my ISO was bad).

Have tried not using internet at all, can even freeze all network just using pings between virtual machines.

The error disappears entirely going to a 21.7 OPNsense.

I think this is something related to my server network card. Have been using it for years, errors just happen on 22.1 (I know on 22.1 Realtek cards need special configuration to work, maybe some Intel models too?)

Thanks a lot in advance!