Messages

1

General Discussion / Re: Is there a way to do the equivalent of "pass in quick proto tcp" in the GUI?

« on: April 22, 2023, 11:46:28 am »

Just bumping this in the hope someone can help here please? I'm essentially trying to forward traffic from one host to another, while preserving the source IP.

2

General Discussion / Re: Is there a way to do the equivalent of "pass in quick proto tcp" in the GUI?

« on: April 16, 2023, 09:16:54 am »

Thanks - I just tried that, and all it seems to have done is not create a firewall rule.

When I look at Wireshark on the target, I see traffic coming from the original source, but the destination is the server targeted by the NAT rule, and not the original target.

The documentation at https://docs.mitmproxy.org/stable/concepts-modes/#transparent-proxy specifically warns about this:

This distinction is important: when the packet arrives at the mitmproxy machine, it must still be addressed to the target server. This means that Network Address Translation should not be applied before the traffic reaches mitmproxy, since this would remove the target information, leaving mitmproxy unable to determine the real destination.

Any ideas here please?

I somehow need to send traffic from one host to another on the same subnet, but keep the original destination (something called "masquerade" I think, in Linux parlance).

3

General Discussion / Is there a way to do the equivalent of "pass in quick proto tcp" in the GUI?

« on: April 15, 2023, 11:46:14 pm »

I searched the forum for this, and the closest I could find was this: https://forum.opnsense.org/index.php?topic=2063.0

I'm just trying to setup redirection to a transparent proxy, following the instructions here for OpenBSD (as this is what opnsense is under the hood) https://docs.mitmproxy.org/stable/howto-transparent/#openbsd

It says to add this to /etc/pf.conf:

Code: [Select]

mitm_if = "re2"
pass in quick proto tcp from $mitm_if to port { 80, 443 } divert-to 127.0.0.1 port 8080

This assumes running on a local machine, but on my opnsense router I'd have to tell it another IP address on the vlan.

However, it's not clear to me how to achieve the same in opnsense. Originally I simply tried port forwarding, before realising that wouldn't work.

Any ideas here please? If it's not possible in the GUI, how do I do it manually?

4

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: April 27, 2022, 04:50:08 pm »

Further to my previous post, I actually fixed this just by turning on all the hardware acceleration options in "Interface -> Settings"

That includes CRC, TSO, and LRO. I removed the 'disabled' check and rebooted.

Now get rock solid iperf3 result:

Code: [Select]

[  5] 166.00-167.00 sec   112 MBytes   941 Mbits/sec
[  5] 167.00-168.00 sec   112 MBytes   941 Mbits/sec
[  5] 168.00-169.00 sec   112 MBytes   941 Mbits/sec
[  5] 169.00-170.00 sec   112 MBytes   941 Mbits/sec
[\code]

And NIC processing load dropped to just 25% or so:

[code]
  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   11 root        155 ki31     0B    32K RUN      1   3:14  77.39% [idle{idle: cpu1}]
   11 root        155 ki31     0B    32K RUN      0   3:06  71.26% [idle{idle: cpu0}]
   12 root        -92    -     0B   400K WAIT     0   0:55  28.35% [intr{irq29: virtio_pci1}]
91430 root          4    0    17M  6008K RUN      0   0:43  21.94% iperf3 -s

What confused me was:

1) The acceleration is disabled by default (not sure why?)
2) I thought it would apply to virtio devices, but clearly they're implementing the right things to support it.

EDIT

Arghh - perhaps not. While this fixed the LAN side, suddenly the WAN side throughput plummets.

This is strange because it's using the same virtio to a separate NIC of exactly the same type.

5

Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)

« on: April 27, 2022, 04:20:42 pm »

EDIT - Resolved - see next post

Original post:

I'm chiming in to say I have seen similar issues. Running on proxmox, I can only route about 600 mbps in opnsense using virtio/vtnet. A related kernel process in opnsense shows 100% cpu usage and the underlying vhost process on the proxmox host is pegged as well.

I'm seeing throughput all over the place on a similar setup (I.e in a Proxmox VM)

Code: [Select]

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  97.0 MBytes   814 Mbits/sec
[  5]   1.00-2.00   sec   109 MBytes   911 Mbits/sec
[  5]   2.00-3.00   sec   111 MBytes   934 Mbits/sec
[  5]   3.00-4.00   sec   103 MBytes   867 Mbits/sec
[  5]   4.00-5.00   sec   100 MBytes   843 Mbits/sec
[  5]   5.00-6.00   sec   112 MBytes   937 Mbits/sec
[  5]   6.00-7.00   sec   109 MBytes   911 Mbits/sec
[  5]   7.00-8.00   sec  75.7 MBytes   635 Mbits/sec
[  5]   8.00-9.00   sec  68.9 MBytes   578 Mbits/sec
[  5]   9.00-10.00  sec  96.6 MBytes   810 Mbits/sec
[  5]  10.00-11.00  sec   112 MBytes   936 Mbits/sec

And while that's happening, I see the virtio_pci process maxing out:

Code: [Select]

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   12 root        -92    -     0B   400K CPU0     0  21:42  94.37% [intr{irq29: virtio_pci1}]
51666 root          4    0    17M  6600K RUN      1   0:18  68.65% iperf3 -s
   11 root        155 ki31     0B    32K RUN      1  20.4H  13.40% [idle{idle: cpu1}]
   11 root        155 ki31     0B    32K RUN      0  20.5H   3.61% [idle{idle: cpu0}]

Are there any settings that could help with this please?

I'm on 22.1.6