Messages - MeltdownSpectre

#1
Just installed 24.7.2

Traceroutes / ICMP behaviour seems back to normal (for IPv4 at least). I don't use IPv6 so can't test that.

Huge thanks to Franco for getting an update out so quickly to fix it, and to doktornotor and the others for testing and submitting the bug report to FreeBSD.
#2
Quote from: franco on August 19, 2024, 11:47:26 AM
Quote from: staticznld on August 18, 2024, 07:59:02 PM
Maybe the reverts are the best for 24.7.2

I get your sentiment but it looks better to move ahead and follow-up in the FreeBSD ticket. Who knows how long it will take to fix all use cases?


Cheers,
Franco

Hi Franco,

Is it safe to expect the 24.7.2 release this week?
#3
Quote from: franco on August 09, 2024, 08:10:55 AM
So it's the new kernel? Anybody confirmed it? Might also be possible to confirm with pfctl -d / test traceroute / pfctl -e as a quick test that pf is doing it.

To be frank we're doomed when we ship security updates too late according to some.

And now we're doomed because we ship security issues in a timely manner because the same corner that said we don't ship them soon enough feeds suboptimal patches to FreeBSD.

Isn't it ironic...

Jokes aside this should probably be reported to https://bugs.freebsd.org but at this point I have no hopes somebody even cares giving the number of past and pending issues in that general direction.


Cheers,
Franco

The bug was not present on 24.7 and was definitely introduced with 24.7.1.

Any chance this particular change can be reverted?
#4
Quote from: Chaosphere64 on August 08, 2024, 07:55:02 PM
As soon as I switch to ICMP or TCP it's working again.

I believe mtr uses ICMP by default, and if I use

mtr dns.google

I get a result just like yours. However, if I use the -T or -u flags (for TCP or UDP) then the trace works normally.
#5
Updated to 24.7.1 earlier today. All went well, except I can no longer run traceroutes from any Windows machines, on any VLAN.

Traceroutes from a Linux machine (my Raspberry Pi for example) work just fine, and traceroutes from the OPNsense Web GUI are working properly as well.

My ISP has routing / peering issues with some server providers sometimes, so I use WinMTR often to diagnose issues and report them so they can get resolved.

However, after the 24.7.1 update, it seems something funky is happening with ICMP and anything after the first hop gets dropped and I just see 'Request timed out'.

I haven't added any new rules recently, and my existing firewall rules are exactly the same as they were before updating.

As I understand, Windows traceroutes use ICMP whereas on Linux they use UDP.

Any tips on how to go about diagnosing this or any insight on what changed with 24.7.1 that suddenly started causing this? It was fine on all previous versions, including 24.7_9.

Screenshots attached (Linux vs Windows).

https://imgur.com/a/yhDp4Jo
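As an added diagnostic (not code from the original posts or from the OPNsense project), the script below parses Windows `tracert` and Linux `traceroute` output and reports whether a trace shows the symptom described in the post above: first hop answers, every later hop times out. It also records which probe type each tool uses by default, as stated in this thread (tracert ICMP, Linux traceroute UDP, mtr ICMP unless `-u`/`-T`), so a "first-hop-only" result from an ICMP tool together with a clean UDP/TCP trace points at ICMP handling rather than routing. The two sample outputs are constructed for the example, not captured from a real host; the `pfctl -d` / `pfctl -e` comparison franco suggested is something you still run by hand on the firewall.

```python
"""Classify traceroute output: added example, not from the forum posts.

Parses Windows `tracert` and Linux `traceroute` text and reports whether
the trace shows the symptom from the thread (first hop replies, all later
hops silent). Sample outputs below are constructed, not real captures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Probe type each tool sends by default, as stated in the thread. An
# ICMP-only breakage shows up in tracert and plain mtr, not in UDP traceroute.
DEFAULT_PROBE = {
    "tracert": "ICMP",      # Windows
    "traceroute": "UDP",    # Linux default
    "mtr": "ICMP",          # mtr default; `mtr -u` is UDP, `mtr -T` is TCP
}


@dataclass
class Hop:
    ttl: int
    replied: bool


# Hop lines start with the TTL. Windows: "  2     *   *   *  Request timed out."
# Linux: " 2  * * *". Banner lines ("Tracing route to...", "traceroute to...")
# do not start with a number and are skipped.
_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
_RTT_RE = re.compile(r"\d+(\.\d+)?\s*ms")


def parse_hops(output: str) -> list[Hop]:
    hops: list[Hop] = []
    for line in output.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        # A hop replied if at least one RTT ("<1 ms", "9.88 ms") appears;
        # an all-asterisk line carries no RTT and counts as silent.
        hops.append(Hop(ttl, bool(_RTT_RE.search(rest))))
    return hops


def classify(output: str) -> str:
    """Return 'ok', 'first-hop-only', 'partial' or 'no-hops'."""
    hops = parse_hops(output)
    if not hops:
        return "no-hops"
    if all(h.replied for h in hops):
        return "ok"
    if hops[0].replied and not any(h.replied for h in hops[1:]):
        return "first-hop-only"  # the symptom reported after 24.7.1
    return "partial"


def next_step(tool: str, verdict: str) -> str:
    """Suggest the counter-test: same trace with a different probe type."""
    probe = DEFAULT_PROBE.get(tool, "unknown")
    if verdict != "first-hop-only":
        return f"{tool} ({probe}) looks {verdict}; no ICMP-specific issue indicated"
    if probe == "ICMP":
        return f"{tool} sends ICMP; retry with UDP/TCP (mtr -u / mtr -T) to isolate ICMP"
    return f"{tool} sends {probe}; retry with ICMP (tracert / plain mtr) to compare"


# Constructed sample outputs (not real captures); private/example addresses.
WINDOWS_SAMPLE = """\
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.

Trace complete.
"""

LINUX_SAMPLE = """\
traceroute to dns.google (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  10.0.0.1 (10.0.0.1)  2.101 ms  2.050 ms  2.011 ms
 3  dns.google (8.8.8.8)  9.880 ms  9.810 ms  9.760 ms
"""

if __name__ == "__main__":
    for tool, sample in (("tracert", WINDOWS_SAMPLE), ("traceroute", LINUX_SAMPLE)):
        verdict = classify(sample)
        print(f"{tool}: {verdict} -> {next_step(tool, verdict)}")
```

Run it with a real capture by reading the tool's output into `classify()`; an ICMP tool reporting `first-hop-only` while the UDP trace from the same network reports `ok` is the pattern the thread describes, and the `pfctl -d` / `pfctl -e` check then tells you whether pf is the component dropping the replies.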
#6
Quote from: iMx on December 01, 2023, 10:04:25 AM
I think the first question(s) that should be answered:

Do you really need to limit the guest network? Do you have guests that often, that heavily use your bandwidth? Do you have 'things' in your Home network that would really be that impacted by a guest downloading something - even if total bandwidth was 50/50 shared?

Spoiled brat kids who come over with one iPad each tend to sit and update every app in existence, all simultaneously so I'd rather they didn't have access to the full 150.

Quote
I would suggest the following approach:

- Get everything working, i.e shaped, with 2 pipes, 2 queues, 2 rules, impacting everything
- Rules applying to just 1 interface, i.e WAN.
- Then, if you really want to, duplicate the above and modify the rules so that the source/destinations match for the home/guest subnets using FQ Codel (not weighted). Again, just on WAN interface.
- Whilst there is nothing stopping you from having 150/150 and 30/15 pipe, at the point of the link/connection being saturated the firewall thinks you have more bandwidth than you do unless you:

I guess me foolishly trying to combine FQ Codel and WFQ earlier (without fully understanding them both) was causing some weird behaviour.

Tried your approach and all is well now. Got a great bufferbloat result as well:

https://www.waveform.com/tools/bufferbloat?test-id=1730cbc7-8534-4d22-9816-d5194bec2116

Thank you very much for your help.
#7
I made some changes to my 150/150 rules, and bufferbloat is still at A+ thankfully.

But based on your post about the firewall expecting me to have 180 Mbit/s total available bandwidth (150 for main and 30 for guest) I still don't understand how my guest bandwidth limits were working before....
#8
Quote from: iMx on December 01, 2023, 08:48:23 AM
P.S. There is no source/destination subnet set on the guest rules, also cannot see 'direction' there as well, nor mask on Queue.

I found conflicting information all over the internet and OPNsense documentation.

Some articles tell you to specify mask in traffic shaper rules and some say to leave it blank. The article linked in my main post says to set mask as 'Destination' for both download and upload pipes, whereas this article says to leave mask empty.

https://docs.opnsense.org/manual/how-tos/shaper_guestnet.html
#9
Quote from: iMx on December 01, 2023, 08:48:23 AM
Would really need to see the Pipe, Queues and Rules - with Advanced Mode toggled - themselves. Something is certainly not matching on the upload rules, possibly Queue mask is wrong/not set, or Rule direction wrong or not set.

However, FQ - Fair Queue, or Flow Queue - is not really meant for doing 'multitier' on 1 connection - it's for 'fair' sharing, all traffic, amongst all flows, on 1 pipe.

With 2 pipes, 150/150 and 30/15, the firewall expects the total bandwidth available to be 180/165 - i.e there is no overlap and/or subtracting the 30 guest from the 150 total limit.

Whilst it's true that it is possible to restrict the Guest to 30/15, if you're running your main pipe at capacity (150 download, 30 on the guest, simultaneously) it's going to be oversaturated.

Thanks for the explanation.

It's weird though, because I had 2 pipes of 100/100 before and 20/10 and it worked just fine. Guests were limited to 20 down and 10 up, and I'd still get 100/100 on my 'home' VLAN.

Here's an imgur link since the forum only allows 4 attachments per post.

https://imgur.com/a/uHw0ENe
#10
Hi,

I recently upgraded my ISP plan from 100/100 to 150/150.

I have traffic shaping with FQ-CoDel enabled on my main interface called 'Home', based on this tutorial.

https://forum.opnsense.org/index.php?topic=7423.0

Works like a charm, I get A+ bufferbloat and lag free online gaming.

I also had bandwidth limits of 20 Mbit/s down and 10 Mbit/s up on my Guest interface.

Instead of editing the existing rules, I deleted the old ones and added new bandwidth limits for the guest interface with 30 Mbit/s down and 15 Mbit/s up. However, no matter what I try, the rules aren't getting applied and the 'Status' tab under Firewall Shaper doesn't show the rules for the guest interface.

I followed this (previously) for setting bandwidth limits on the guest interface, and it worked fine.

https://docs.opnsense.org/manual/how-tos/guestnet.html

If I run a speedtest while connected to my Guest network, I get the full 150 Mbit/s up and down, so the rules aren't being applied.

Screenshots attached.

Currently running 23.7.9, and have tried rebooting multiple times after applying the shaper rules but it makes no difference.
#11
Hi,

Recently bought myself a Qotom Mini PC with 5x Intel I225-V NICs and a Celeron J4125. First thing I did was install OPNsense on it. I've been experimenting with the various features and trying to learn about VLANs.

Up until now, I didn't have any managed switches at home, and pretty much every thread I come across on this forum and the forum of a similarly named firewall suggests using a managed switch rather than an unmanaged one.

It's hard to come by managed switches in my country, especially at a reasonable price, so I asked a friend to buy one from the US and bring it with him when he returns in a few days. It's a Netgear GS308T, an 8-port managed switch that supports 802.1q VLAN tagging which I believe is what I need.

My ideal setup would consist of 3 VLANs management (VLAN10), trusted (VLAN20) and guest (VLAN30). I do not require a specific one for IoT devices since I do not have any in use at home.

The OPNsense box, along with some other devices will be placed in a networking closet and the Netgear switch will be in another part of the house.

I expect to use the interface igb0, which is the first port on the left of the OPNsense box to connect to the Netgear switch and pass 3 different VLAN tags to the switch, which will then pass them on to the OpenWrt APs allowing me to use 1 SSID for trusted devices and 1 SSID for the guest network.

However, there are 3 wired devices in the networking closet (Plex Server, Synology NAS and a Raspberry Pi) that I would want on the trusted VLAN. Conveniently, the OPNsense box has 3 physical Ethernet ports that are currently not used (igb1, igb2 and igb3).

Since the 3 VLANs I created earlier will be passed on to the switch using interface igb0, would I be able to use the igb1, igb2 and igb3 ports to connect the 3 devices in the networking closet and put them on the trusted VLAN?

I made a crappy diagram on Microsoft Paint and attached it to this post to try and get my point across in case anyone wants to avoid reading this wall of text.

I'd like to know if what I'm describing above is possible and if anyone has any suggestions / recommendations for my planned setup.

I'm not a complete newbie to networking, but the concept of VLANs is still somewhat new to me, and I'm not familiar enough with OPNsense to know if this is possible or not.

I can't share any screenshots of my existing configuration since I haven't done any of them yet. The OPNsense box has not replaced my main router yet since I'd like to figure everything out first and thoroughly test my planned config.