Messages - jaykumar2005

#1
OpenVPN, IPsec, WireGuard and ZeroTier allow multiple VPN instances or VPN network memberships. It would make sense to keep this UX consistent and add the same feature for Tailscale and OpenConnect as well.
#2
Hardware and Performance / Re: OPNsense Firewall Hardware
February 23, 2025, 06:36:50 AM
The same vendor has an N100 PC as well; check it here: https://clientronix.in/product/clientronix-alpha-100/
#3
Quote from: Patrick M. Hausen on December 29, 2024, 02:07:02 PM
Netflow creates a protocol entry of every single connection. On a busy gateway what you observe is just expected. It's a heck of a lot of data, so there is no "solution".

You could set up an external network management system and netflow aggregator and send the data there instead of processing it locally. Most products are commercial, though. I am still investigating if there is any open source tool I can use.


I use Elastiflow (renamed to NetObserve). They have a free-tier license that is good enough for homelab use.

https://www.elastiflow.com/basic-license
#4
Solved.

Looks like mismatched jumbo frame settings on a couple of switches might have been causing this issue. Disabled jumbo frames on all devices across the network, which resolved the issue.
#5
I am running a homelab with Elastiflow, Grafana (Prometheus exporter) and LibreNMS (SNMPv3); none of the observability platforms are showing any anomaly.

The last change I made was to add a bunch of VLAN interfaces, planning to use a trunked L3 switch for VLAN segregation. I will remove these interfaces to check if it makes any difference.
#6
I have RSS enabled:

net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 6
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1

Tunables are also as per the recommendations:

net.isr.bindthreads = 1
net.isr.maxthreads = -1

net.inet.rss.enabled = 1

net.inet.rss.bits = 2
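The RSS sysctl values in the post above can be sanity-checked mechanically. The following is an added example written for this page, not code from the poster or from OPNsense: a POSIX shell script that reads sysctl-style net.inet.rss lines, verifies the kernel invariants (buckets = 2^bits, mask = buckets - 1) and reports whether there are fewer buckets than CPUs. With the posted values (bits=2, four buckets, six CPUs) the bucket mapping 0:0 1:1 2:2 3:3 leaves two CPUs without an RSS bucket, which is what the usual tuning guidance (choose bits so that 2^bits covers the core count) is meant to avoid. The first input is the text quoted in the post; the second is a constructed variant with bits=3, whose bucket mapping assumes the kernel's round-robin bucket-to-CPU assignment and is an assumption for illustration only.

```shell
#!/bin/sh
# Added example, not from the post above: sanity-check FreeBSD RSS tunables.

# Constructed input: the sysctl lines quoted in the post (not read live).
RSS_POSTED='net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.buckets: 4
net.inet.rss.ncpus: 6
net.inet.rss.mask: 3
net.inet.rss.bits: 2'

# Constructed variant: bits raised to 3 (8 buckets) on the same 6 CPUs.
# The mapping assumes the kernel's round-robin assignment (bucket i -> CPU i % ncpus).
RSS_EIGHT='net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3 4:4 5:5 6:0 7:1
net.inet.rss.enabled: 1
net.inet.rss.buckets: 8
net.inet.rss.ncpus: 6
net.inet.rss.mask: 7
net.inet.rss.bits: 3'

# rss_value KEY: print the value of the "KEY: value" line read from stdin.
rss_value() {
    awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# rss_mapped_cpus: count the distinct CPUs that appear in bucket_mapping on stdin.
rss_mapped_cpus() {
    awk '$1 == "net.inet.rss.bucket_mapping:" {
             for (i = 2; i <= NF; i++) { split($i, a, ":"); seen[a[2]] = 1 }
         }
         END { n = 0; for (c in seen) n++; print n }'
}

# check_rss: read sysctl-style lines from stdin and print one verdict line.
#   DISABLED       - net.inet.rss.enabled is not 1
#   INCONSISTENT   - buckets != 2^bits or mask != buckets-1 (kernel invariants)
#   UNDERSUBSCRIBED - fewer buckets than CPUs, so some CPUs never get a bucket
#   OK             - every CPU can receive a bucket
check_rss() {
    text=$(cat)
    enabled=$(printf '%s\n' "$text" | rss_value net.inet.rss.enabled)
    bits=$(printf '%s\n' "$text" | rss_value net.inet.rss.bits)
    buckets=$(printf '%s\n' "$text" | rss_value net.inet.rss.buckets)
    mask=$(printf '%s\n' "$text" | rss_value net.inet.rss.mask)
    ncpus=$(printf '%s\n' "$text" | rss_value net.inet.rss.ncpus)
    mapped=$(printf '%s\n' "$text" | rss_mapped_cpus)
    expected=$((1 << bits))

    if [ "$enabled" != "1" ]; then
        echo "DISABLED"
    elif [ "$buckets" -ne "$expected" ] || [ "$mask" -ne $((expected - 1)) ]; then
        echo "INCONSISTENT buckets=$buckets expected=$expected mask=$mask"
    elif [ "$buckets" -lt "$ncpus" ]; then
        echo "UNDERSUBSCRIBED buckets=$buckets ncpus=$ncpus mapped_cpus=$mapped"
    else
        echo "OK buckets=$buckets ncpus=$ncpus mapped_cpus=$mapped"
    fi
}

# Stand-alone run on the two constructed inputs.
# On a live OPNsense box:  sysctl net.inet.rss | check_rss
printf '%s\n' "$RSS_POSTED" | check_rss
printf '%s\n' "$RSS_EIGHT" | check_rss
```

The script only looks at the net.inet.rss values; the net.isr binding tunables listed in the post are not checked, and whether the NIC driver actually distributes flows across the queues (hw.ix.enable_rss and friends) has to be confirmed separately with per-queue interrupt counters.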
#7
OPNsense 24.7.11_2-amd64
Intel Core i5-8500 CPU @ 3.00GHz Tiny PC
Generic NIC with Intel T4xI350
WAN 1 Gbps

iperf3 LAN host to OPNsense firewall ~900 Mbps
OPNsense firewall to WAN speedtest ~900 Mbps

But LAN host to Speedtest (same server ID) ~300 Mbps
Tested across multiple LAN hosts

Disabled Zenarmor, no change
Disabled traffic shaping, no change
Not running any IDS/IPS, Crowdsec etc.

Any troubleshooting tips?
#8
Moved back to Client (Legacy), and it worked for me.

I think the breaking config is that my VPN provider expects --compress lzo, without which the VPN tunnel does not work for me.

How do I set --compress lzo in instances?
#9
Some additional troubleshooting: a packet capture only shows packets leaving the interface, but nothing from the remote side.

Also, LAN clients can ping the VPN interface IP on the firewall.

Btw, I only have route-noexec enabled in the VPN client configuration.
#10
Versions:
OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13


I have an OpenVPN client connected to a VPN provider; the VPN connection is up and the interface/gateway are also up (VPN --> OpenVPN --> Instances). I can ping and traceroute through the tunnel IP to the internet (Gateway --> Diagnostics) from the firewall itself.

I have a use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, where I need only a few LAN clients' traffic to traverse the VPN connection/interface.

For some reason, I cannot seem to get it working. I have the outbound NAT and the rule on the LAN interface configured, but none of these LAN clients can reach the internet. Traceroute/ping just time out. Removing the LAN interface firewall rule causes all traffic to go through the WAN interface, which is not what I want.

Any ideas how to troubleshoot or fix this?
#11
Solved this with the following config. IPv6 works with Etisalat Dubai, which gives a /64 prefix. LAN clients get IPv6 global addresses and route to external IPv6 addresses.


[WAN]

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
  Use IPv4 connectivity: Checked


[LAN]

IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface
Track IPv6 Interface
  IPv6 Interface: WAN
  Manual configuration: Checked (Allow manual adjustment of DHCPv6 and Router Advertisements)


Services: Router Advertisements: [LAN]

  Router Advertisements: Unmanaged



#12
That would require DHCPv6 and Router Advertisements to be enabled, right?

Quote
That is perfectly ok and intended. Your LAN clients will (if all else goes well) be able to communicate using the GUA from that single /64 and your OPNsense will route the packets using a link-local address.
#13
The IPv6 addresses I get on WAN/LAN are identical except for the last octet, with a /64 prefix:

LAN 2001:XX:XX:XX:XX:XX:XX:2f10/64

WAN 2001:XX:XX:XX:XX:XX:XX:2f13/64


The Reddit post mentioned above is the exact situation I am in.

Can someone translate it to OPNsense setup?

Quote
I gave up on MikroTik and used a Cisco ISR router. I was able to configure a dialer interface via PPP, request a DHCP-PD prefix and create my own DHCP with ULA addresses. So now I have both a stable internal IPv6 network and IPv6 internet access.

If I change WAN to "Request only an IPv6 prefix", the WAN interface only gets a link-local address:
fe80::7e5a:1cff:fe6d:2f11
#14
The WAN and LAN are set to these:


WAN
===

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: SLAAC

LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface



  • Tracking interface for LAN seems to be working, as I am getting a /64 prefix IPv6 address on LAN as well
  • I cannot enable Router Advertisements; as soon as I enable it, I lose IPv6 on the LAN interface
  • WAN/LAN get /64 prefix IPv6 addresses with identical IPs except for the last octets

I cannot even ping the LAN interface of OPNsense from any of the LAN clients, which I think is due to an incorrect or non-existent default route.

Please refer to the default route from one of the LAN clients:

ip -6 route show default

default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1


#15
Another request for IPv6 setup help.

I am running OPNsense 23.7.5 with Etisalat UAE as ISP and need help setting up IPv6. I was able to get IPv6 on the WAN and LAN interfaces, and LAN clients also seem to get IPv6.


  • OPNsense gets a /64 prefix on both LAN/WAN interfaces: 2001:--redacted--/64
  • LAN clients also get a /64 address: 2001:--redacted--/64



WAN
===

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: SLAAC

LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface


I can ping IPv6 addresses on the internet from OPNsense itself, but I cannot ping the LAN clients.
LAN clients cannot ping the OPNsense IPv6 address or any IPv6 address on the internet.

Default route on the LAN clients:

ip -6 route show default

default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1



  • Any attempt to enable "Allow manual adjustment of DHCPv6 and Router Advertisements" makes me lose IPv6 on the LAN interface
  • A floating firewall rule allowing IPv6 ICMP in both directions on any interface is in place


Any help appreciated
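The default-route output in this post and in #14 above shows the client has learned a route from a Router Advertisement with the router's link-local address as next hop, so the next things to confirm from the client side are link reachability to that link-local address and whether a global address was actually applied. The following is an added example written for this page, not code from the poster or from OPNsense: a POSIX shell script for a Linux LAN client whose parsers work on captured text (so they can be exercised offline) and whose ipv6_client_diagnose function runs the live checks in path order. It assumes iproute2 and iputils (ip, ping -6). The route text is the output quoted in the post; the address listing is constructed with the 2001:db8::/32 documentation prefix in place of the redacted ISP prefix; the external ping target 2001:4860:4860::8888 (Google Public DNS) is an assumption.

```shell
#!/bin/sh
# Added example, not from the posts above: step-by-step IPv6 path check for a
# Linux client behind the OPNsense LAN. Parsers take command output on stdin so
# they run on captured text; ipv6_client_diagnose runs the live commands.

# Constructed input: the "ip -6 route show default" output quoted in the post.
ROUTE_POSTED='default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1'

# Constructed input: "ip -6 addr show scope global" style output; 2001:db8::/32
# is the documentation prefix and stands in for the redacted ISP prefix.
ADDR_SAMPLE='2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet6 2001:db8:1:2:3:4:5:6/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 2591932sec preferred_lft 604732sec'

# ra_nexthops: print "DEV NEXTHOP" for every next hop in ip -6 route output,
# whether a single "default via ..." line or a multipath "nexthop via ..." block.
ra_nexthops() {
    awk '{ via = ""; dev = ""
           for (i = 1; i <= NF; i++) {
               if ($i == "via") via = $(i + 1)
               if ($i == "dev") dev = $(i + 1)
           }
           if (via != "" && dev != "") print dev, via }'
}

# route_summary: one line describing the default route on stdin: number of next
# hops, whether all are link-local (as an RA-learned route must be) and whether
# the same router address is used on more than one interface (the posted client
# has both a wired and a wireless interface on the same LAN).
route_summary() {
    ra_nexthops | awk '
        { n++
          if ($2 !~ /^fe80:/) nonll++
          seen[$2]++
          if (devs == "") devs = $1; else devs = devs "," $1 }
        END {
            dup = "no"; for (a in seen) if (seen[a] > 1) dup = "yes"
            printf "nexthops=%d linklocal=%s devs=%s duplicate_nexthop=%s\n",
                   n, (nonll ? "no" : "yes"), devs, dup
        }'
}

# gua_addrs: print global-scope addresses (without prefix length) from ip -6 addr
# output on stdin.
gua_addrs() {
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" { split($2, a, "/"); print a[1] }'
}

# ipv6_client_diagnose: live checks, in the order the path is built.
ipv6_client_diagnose() {
    routes=$(ip -6 route show default)
    if [ -z "$routes" ]; then
        echo "no IPv6 default route: no usable Router Advertisement was received"
        return 1
    fi
    printf '%s\n' "$routes" | route_summary
    # A link-local next hop must be pinged with its zone id (address%interface).
    printf '%s\n' "$routes" | ra_nexthops | while read -r dev via; do
        if ping -6 -c 1 -W 2 "${via}%${dev}" >/dev/null 2>&1; then
            echo "router $via reachable on $dev"
        else
            echo "router $via NOT reachable on $dev (link or firewall problem on the LAN segment)"
        fi
    done
    gua=$(ip -6 addr show scope global | gua_addrs)
    if [ -z "$gua" ]; then
        echo "no global address: the RA carried no prefix usable for SLAAC"
        return 1
    fi
    echo "global address(es): $gua"
    # Address literal so this does not depend on DNS; assumption: the target answers echo.
    if ping -6 -c 1 -W 2 2001:4860:4860::8888 >/dev/null 2>&1; then
        echo "internet reachable over IPv6"
    else
        echo "internet NOT reachable over IPv6 (check the firewall's own IPv6 routing and rules)"
    fi
}

# Offline demonstration on the captured text. On a LAN host run: ipv6_client_diagnose
printf '%s\n' "$ROUTE_POSTED" | route_summary
printf '%s\n' "$ADDR_SAMPLE" | gua_addrs
```

If the router's link-local address does not answer on the LAN interface, the problem is on the segment itself (VLAN tagging, switch, or a rule blocking ICMPv6 Neighbor Discovery), not in the upstream prefix; if it answers but no global address exists, the RA is reaching the client without a usable prefix, which is the case the posts describe when Router Advertisements are left unconfigured.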