Messages

1

Hardware and Performance / Re: Alder Lake N100 fanless build

« on: July 21, 2023, 03:50:47 pm »

the 23.7-RC being based on FreeBSD 13.2 was great news. they specifically have some fixes in there for Alder Lake which hopefully addresses the problems using the N100.

i would imagine the plugins will come soon.

please keep us posted on your N100 journey. this really looks like a great firewall box to use for opnsense.

cheers, Wiz!!

2

Hardware and Performance / Re: Alder Lake N100 fanless build

« on: July 19, 2023, 02:30:52 am »

How did you go with this install? I was also interested in getting an N100 box, but saw a thread where there were issues with this chipset and FreeBSD.

i'm keen to run IPS and Zenarmor for my home network, and i think one of the pentium 5xxx or 6xxx boxes may not be powerful enough. the N100 would provide a nice CPU speed increase.

Cheers, Wiz!!

3

23.1 Legacy Series / Re: OpnSense keeps crashing(Version 23.1.11 f1305748e)

« on: July 09, 2023, 07:46:39 am »

There is a long thread on the servethehome forums where user Becks0815 has been trying to get OPNsense running natively on an N100 without success. Proxmox runs fine on the device so they have currently deployed it as a VM. After much experimentation they went back to try and run it natively again, without success.

It appears that Linux runs fine on the N100 and similar devices, but FreeBSD isn’t yet stable on this hardware.

I’m not excluding that you may have a hardware fault, but I don’t think N100 or N200 is a suitable platform at this stage.

I’m quite disappointed about this myself as I wanted to get a new firewall appliance for home and also wanted to run IPS. The N and J series boxes aren’t grunty enough (from my understanding) and I’m looking for an option better than repurposing an i5 desktop or similar.

Cheers, Wiz!!

4

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: July 06, 2023, 03:13:35 pm »

greetings,

just curious if this change made it's way into a dev queue anywhere or whether i should be opening an issue on github? i'd love this option to be included somehow because each time i upgrade i need to manually patch those two files or my 802.1q inside 802.1q breaks.

many thanks

cheers, Wiz!!

5

23.1 Legacy Series / Re: Suricata ET Pro & Zenarmor combo vs Mimecast

« on: July 06, 2023, 03:10:35 pm »

these are different animals.

Mimecast provides e-mail security by blocking spam and malicious content and by sandboxing potential threats for isolated testing.

Proofpoint ET PRO, Suricata, Zenarmor, Crowdsec etc provide internet security by blocking potential threats both for clients accessing malicious hosts and threat actors trying to get into your publically accessible servers.

they both solve a different problem.

i use both of these and would recommend this combination

pro-tip: Don't get rid of Mimecast. It's top shelf. Don't believe that you can get better for cheaper. i have a whole variety of clients using a whole bunch of different mail security products and Mimecast is clearly the best by a mile.

cheers, Wiz!!

6

23.1 Legacy Series / Re: Having trouble created WAN to LAN Access Rule

« on: July 02, 2023, 06:08:01 am »

You need a NAT port forwarding rule. This will, by default, also create the firewall rule.

7

23.1 Legacy Series / Re: does one-to-one modify the source port number?

« on: July 01, 2023, 01:04:08 pm »

hi all,

just for anyone who reads this later or wants to know:

one-to-one NAT does not modify or mangle the source port number.

i did a setup today with our IP PBX and watched traffic arriving on the LAN interface and leaving the WAN interface. everything was identical with no change or translation of port numbers.

this was important to me and especially for RTP voice traffic that the port numbers stayed intact.

thanks again to the OPNsense team for their great work on this product.

cheers, Wiz!!

8

23.1 Legacy Series / does one-to-one modify the source port number?

« on: June 30, 2023, 12:51:43 pm »

greetings,

i have a public class C which will be facing my OPNsense box. i have configured a one-to-one NAT rule to map a public IP through to my phone system. i believe i have all of the appropriate firewall rules to permit inbound RTP and so forth.

one of the things i'm always careful with when implementing a new firewall is to ensure that there is no NAT ALG or similar on the box, as this always causes problems with SIP registrations with the voice provider.

i understand this is not in OPNsense unless i went out of my way to install the os-siproxd plugin, but I did see some notes online (perhaps quite old) that made reference to the source port being modified under certain circumstances.

on an outbound (SNAT) NAT rule i can see there is an option for "static-port" but this does not exists with a one-to-one NAT rule.

the way my phone system works: it assumes nothing is going to change the ports number when it talks out, and it stamps the outbound packets with the external WAN IP address that I have assigned it. this is the same WAN IP i am using in my one-to-one NAT rule.

are there any problems i should be looking out for with this?

many thanks in advance,

cheers, Wiz!!

9

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 30, 2023, 12:43:10 pm »

i took a punt and i think i worked this out.

i assume that the interfaces.inc is run during initialisation and this is what changes it back

https://github.com/opnsense/core/blob/a4f6a8f8d604271f81984cfcbba0471af58e34dc/src/etc/inc/interfaces.inc#L164

i also changed this line to force 802.1q and did a reboot and it came back with the parent interface on 802.1q as i required.

this will be fine for the time being. i look forward to when there could be an option to disable this correctly so that my home hacks don't bite me when i go to perform my next upgrade.

cheers, Wiz!!

10

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 30, 2023, 12:32:57 pm »

greetings,

i've experienced an issue here with my workaround. what i initially did was change the line you specified here:

https://github.com/opnsense/core/blob/24dbe30cadd83fa5a1fcea8ed6b38357794a4d6a/src/opnsense/scripts/interfaces/reconfigure_vlans.php#L77

i simply replaced this with: $vlan['proto'] = '802.1q';

when i save the settings for the parent interface, it correctly changes to 802.1q and everything is great.

but now i've discovered - when i reboot the box, the parent interface changes back to 802.1ad.

are you able to assist here? i was planning on putting this box into production tomorrow, but i don't want to have a scenario where a reboot would take out my WAN services.

many thanks in advance,

cheers, Wiz!!

11

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 28, 2023, 01:53:59 pm »

Many thanks 

cheers, Wiz!!

12

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 28, 2023, 01:19:21 pm »

i've just had a better think about this and realised i'm over-engineering this.

all is needed is a single global override. an additional option in "Interfaces > Settings" and then check for that in the reconfigure_vlans.php file.

cheers, Wiz!!

13

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 28, 2023, 01:11:18 pm »

agreed.

the only thing i can think of would be to add a configuration setting into the VLAN such as "Bridge Protocol" with settings such as "Force 802.1q", "Force 802.1ad" and "Automatic" (where "Automatic" would be exactly what happens right now).

the thing i am very wary of is that I make a change to the code now to fix my problem, but when the next release of OPNsense comes out and I update, that change will be lost and if I (or someone else) edits the VLANS I/they will lose connectivity as a result.

i'm sorry that i'm not familiar enough with this code base to actually work on this. it would be a great enhancement for specific edge cases such as this.

cheers, Wiz!!

14

23.1 Legacy Series / Re: Q in Q but not 802.1ad

« on: June 28, 2023, 12:42:46 pm »

thank you. i shall play with this.

can i offer a suggestion/trick? i'm trying to play with this at the moment, but i'm not experienced with this code base so it's quite hard for me.

here's my idea:

when you create a VLAN which has a parent of a VLAN, you are forced to give the device a name starting with "qinq0".

if i create a VLAN natively to an interface, i can give it a name starting with "vlan0" and then come back afterwards and change the parent to another VLAN.

would it be possible to modify the code so if the device name starts with "vlan0" and it has a parent which is a VLAN, it would set the parent to 802.1q, but if the device name starts with "qinq0" it would set the parent to 802.1ad?

this seems like a smart way to give flexible options without having to add another "custom" setting.

what do you think?

cheers, Wiz!!

15

23.1 Legacy Series / Q in Q but not 802.1ad

« on: June 28, 2023, 11:34:37 am »

greetings,

i need to run multiple VLANS to my ISP and originally i thought they wanted Q-in-Q 802.1ad so I tested this up in my lab and provided some packet dumps to confirm all was ok.

it turns out what they are after is "classic" Q-in-Q with both packets tagged with 0x8100 (802.1q)

i have been advised that my carriage service provider will drop packets tagged with 0x88a8 (802.1ad).

is there a way to configure this up? i need to have two VLAN's encapsulated inside another VLAN with all packets tagged as 802.1q

many thanks in advance,

cheers, Wiz!!

edit: i can see this original change was discussed here:
https://github.com/opnsense/core/issues/5893
double tagged VLAN's used to be both set to 802.1q, but this is not standard and 802.1ad is the preference.

the commit here:
https://github.com/opnsense/core/commit/021f656fd6adc93d55a72221252eb6289711a6d7
changes behaviour so that once a VLAN is created with an upstream VLAN as a parent, the parent is changed from 802.1q to 802.1ad.

in general this makes good sense. in my case it would be great to see this as an option which could be turned on and off for each interface. probably a small change, but i don't have a suitable build environment to even test this.

in any case, what i'm asking for is if there is some config way or otherwise i can work around this.