Messages

You need to set up NAT reflection :
https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Alternatively, you could use WG Tunnel and have it automatically disable the VPN while on selected WiFi:
https://github.com/wgtunnel/android

The only thing we have done is set it up to use a VPN.

Are connection problems while on VPN? What VPN? Same if it's disabled?

Possibly related to this?

Here's Grok's take. Can't verify if it works but it should get you started in the right direction.

I forgot mention that on the screeen from Proxmox -> pve -> Network , there is no setup any IP and gateway on the vmbr1 (VLANs_ETH0) - I setup IP and gateway for VLANs_ETH0 on the OPNsense and on WAN the same, so only is setup on the MAGMT_ETH1 setup 192.168.1.178/24.

This is confusing. You should only have IP and gateway on vmbr2 MAGMT (and not the same as LAN 192.168.1.1/24, as others have said), leave the other two blank.

It is also not clear how many DHCP servers you have on the network.

Is the TP Link SG108PE port towards Fujitsu S920 set up as trunk?

How are your interfaces set up in OPNsense?

Possibly related to #7148 and #6909?

For FQ_C bad performance or problems during slow/new start are usually caused by two reasons ECN & limit.

What is the final suggestion on ECN enable/disable? Resources, manuals, guides and forum posts are inconsistent regarding this. Some say to enable both for download and upload, some to disable it for upload. OPNsense guide isn't quite clear if it should be enabled or disabled for upload.

What does slow start refer to exactly and is there an easy way to test it?

Thank you!

Possibly related?

#7148
#6909

Hi, valid point and thanks for the advice, I can give it a try and based on the setup guide on quad9 its anyway not mentioned https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.

I've had issues with Quad9 DoT and DNSSEC, too. They explicitly say to disable it in their Pfsense guide:
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Not sure why it's not mentioned for Opnsense.

After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.

This setup is now stable for at least 24 hours!

Can you try disabling DNSSEC while using DoT? It should be disabled as your DoT/DoH server is the one ensuring DNSSEC anyway.

You need to set up NAT reflection :

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

There is an issue with BSD here, either with the X520 interface, or something else within the OS. I will test the other interface cards when they arrive to see if they can improve the stability. There is still an issue with OPNsense here though where it is 20% the speed out of the box with the 10g interfaces then its FreeBSD base OS.

Hi, have you managed to test the new adapters?

Compare the content of /tmp/rules.debug before and after you hit Save and look if something similar to this is missing before saving:

Code Select Expand

nat on vtnet1 inet from (wg2:network) to any port 500 -> (vtnet1:0) static-port # Automatic outbound rule
nat on vtnet1 inet from (wg1:network) to any port 500 -> (vtnet1:0) static-port # Automatic outbound rule

nat on vtnet1 inet from (wg2:network) to any -> (vtnet1:0) port 1024:65535 # Automatic outbound rule
nat on vtnet1 inet from (wg1:network) to any -> (vtnet1:0) port 1024:65535 # Automatic outbound rule

Does running

Code Select Expand

/usr/local/etc/rc.filter_configure also fix the issue for you?

Possibly related to #6909?

You can use Unbound config to segregate responses via access-control-view