Messages

1

Hardware and Performance / OpnSense & Modern CPU's (Efficiency & Performance Cores)

« on: February 02, 2024, 04:30:57 pm »

How does Opnsense handle a mix of efficiency and performance cores. For example if PPoE uses a single core I would hate for this to end up on an efficiency core?

Just thinking about a new firewall platform. I'd like both 2.5Gb and 2*SFP+ AND a decent CPU without it turning into a space heater

I have a I7-8565U based unit at the moment. Way more CPU than I need atm - but only has 1Gb NIC's and my local ISP is threatening (at some point in the future) a 2.5Gb upgrade - which is very very shiny as a concept

I also have a AliExpress N100 unit with Intel 2.5Gb (226) NIC's which I tried out yesterday. I do run Suricata. The N100 unit, with an idle(ish) network connection and running suricata was running at 60+% CPU which doesn't bode well for a busy 1Gb, let alone a 2.5Gb connection running hot. All the CPU was suricata, if I disabled that the CPU dropped to not much

2

General Discussion / Re: Backup & Restore

« on: December 29, 2023, 01:26:18 am »

I think you have missed the point.

I cannot restore a config held on the device - there seem to be no mechanism of chosing it. I have to select a backup on my PC

3

General Discussion / Backup & Restore

« on: December 28, 2023, 09:45:14 pm »

Last night I tried summat silly on my firewall. It didn't work (for several reasons including ID10T issues)

So I thought I would just restore - I keep a number of backups on the device for just that purpose.
BUT
There seems to be no method, through the GUI, of restoring the backup. Instead I have to SSH to the box and restore via shell.

In fact I restored by uploading a file from my Google Drive - so I don't have an issue here. I was just thinking that it seems odd to have the ability to backup via the GUI, but not be able to restore one of those backups via the GUI

4

Hardware and Performance / Re: Hardware Requirement

« on: December 10, 2023, 08:33:36 pm »

I think the C3758 may be too weak for that speed. An Alder Lake based system would probably do fine.

My research tends to agree with your comment on the C3758, and The C3758R is only slightly more powerful. A shame as I found one that ticked every single box (other than CPU, and a bit of price) https://www.aliexpress.com/item/1005005935384830.html?spm=a2g0s.imconversation.0.0.10c33e5fVySdGk&algo_pvid=86db9010-b8d2-4ad5-8a66-238ff912cfdf&algo_exp_id=86db9010-b8d2-4ad5-8a66-238ff912cfdf-27&pdp_npi=4%40dis%21GBP%21244.48%21232.26%21%21%21291.67%21%21%40210385a816994522908968069ec202%2112000035162002658%21sea%21UK%21138725599%21&curPageLogUid=jxRuWUz44AV2 and would have lasted me for ages

So I guess an N100 is my target, the N200 appearing to be not worth the price uplift or the lack of choice that I can find currently

5

Hardware and Performance / Hardware Requirement

« on: December 10, 2023, 01:19:51 pm »

Hi All,
I currently run an OpnSense Firewall on a 900Mb duplex connection. Its a somewhat overpowered i7-8565U with 16GB. Unfortunately (or fortunately) my ISP is offering an upgrade to 2.5Gb and the old hardware has no 2.5Gb ports and no upgrade path.
Its a https://www.pondesk.com/product/Intel-i78565U-6-LAN-4G-Fanless-Security-Gateway-Appliance_MNHO-084

I run a OpenVPN client connection and IPS and plan on doing more with it over time.

The new connection will be 2.5Gb duplex, based on PPoE and I will need some suitable hardware. My question is what is suitable hardware?
2 * 2.5Gb Ports and 1* 1Gb Port are required with preferably a spare 1Gb port as well
Dedicated hardware - I am not virtualising this
Low power, preferably fanless type hardware

The main question however is CPU.
Looking at various option:

• N100
• N200
• C3758R/C3758
• Something else?

I realise its not just about CPU - but thats probably a good starting point.
Budget - about £300UKP + VAT
I have looked at OpnSense hardware and its either waaay to expensive or not suitable

Thanks

6

Virtual private networks / PBR Failure or something I don't understand

« on: May 26, 2023, 02:50:03 pm »

Hi All,
This used to work. I upgraded the firewall to 23.1.7_3 and have since noticed that my PBR isn't working any longer. Note that I cannot say it was working just before I upgraded the firewall - its just that I now noticed it no longer works.

Some details:

• LAN: 192.168.38.0
• WAN: Is a PPoE Interface with a fixed IP
• VPN: I have 3 OpenVPN connection to a VPN Provider. These are up and working
              The 3 VPN Gateways are grouped into VPN_GW_Grp which prioritises each GW into different tiers
              So in practise I only use 1GW, with the others only if the first fails.
              A little overkill - but I was playing
• Rules: LAN: I have a rule under LAN: * * * * VPN_GW_Grp * which should force all traffic from the LAN to the VPN Gateway (PBR)
                This has a Local Tag of "VPN Only"
                This was (subject to testing) set to a source of set of hosts on my LAN
                Floating: A Kill Switch Rule set to block Tag matched traffic from exiting the default gateway
                LAN: A PBR bypass rule: "LAN Net" * 192.168.38.0/24 * * * - this is to solve a TrueNAS Scale routing issue

The PBR isn't working, and neither is the Kill Switch.
I was flailing around changing the VPN Gateway to a specific gateway (for testing) - and it briefly worked - but very shortly stopped working again.

I don't see whats going on - anyone have any ideas? I will provide what information I can on request

7

Web Proxy Filtering and Caching / Re: Web Proxy to use VPN Tunnel

« on: July 13, 2022, 10:01:54 am »

And I seem tyo have posted the same question twice - going senile I guess

8

Web Proxy Filtering and Caching / Re: Push Proxy traffic through specific gateway group

« on: July 13, 2022, 10:01:23 am »

I did think that - but its more ports than 443 / 80. So I am not sure that works reliably

9

Web Proxy Filtering and Caching / Re: Web Proxy to use VPN Tunnel

« on: July 13, 2022, 09:59:51 am »

So I guess either:
1. No one knows
2. Not possible

10

Web Proxy Filtering and Caching / Push Proxy traffic through specific gateway group

« on: July 12, 2022, 04:04:44 pm »

Hi,
Am currently playing with opnsense (and have a live pfsense FW). I have set up a test firewall with a couple of wireguard tunnels through a gateway group.

My question is can I force any traffic that uses the (non transparent) web proxy on the firewall through the gateways and NOT through the normal WAN interface and if the gateways are down then block the traffic.

I can't figure out how to do this

11

Web Proxy Filtering and Caching / Web Proxy to use VPN Tunnel

« on: July 10, 2022, 12:52:40 am »

I have set up OpnSense on a test box with a VPN to a VPN Provider. When I use the web proxy (I assume squid) on the OpenSense box the resulting request and traffic goes through the WAN interface and not the tunnel.

Is there a way of forcing the proxy to use the Wireguard Gateway, or ideally the Gateway Group?