Messages - Gizmo

#1
General Discussion / Re: DNS Unbound Issue
October 13, 2025, 09:55:10 AM
Can anyone help out?
I added a new interface/network to test if this is repeatable.

Same issue occurs: the network is live, but there is no internet. However, when I use the Nord VPN app, the internet does work. But my IOT network still works without this strange occurrence, yet has the same firewall rules etc.
#2
General Discussion / Re: DNS Unbound Issue
September 19, 2025, 11:18:40 PM
UPDATE: strangely if I use my Nord VPN app on any device, my private network internet works. That rules out any NAT or firewall issues. Isolating some form of DNS issue.
#3
General Discussion / Re: DNS Unbound Issue
September 03, 2025, 12:49:45 PM
Hi,

Thanks for the suggestions. I have implemented them; here are the outcomes:

In summary, still no internet via the private network. Let me know of any additional information needed to troubleshoot.

1) Changed listen interfaces on unbound to all
2) Added NAT port forward rule to !Private_net to port 53 and removed private network from existing floating rule performing similar function.
3) Disabled DNSSEC

I carried out the same nslookup on my functioning IOT network, same result as the private network.
nslookup google.com 10.0.60.1
Server:      10.0.60.1
Address:   10.0.60.1#53

** server can't find google.com: NXDOMAIN

vs. performing the same test on IOT to 9.9.9.9

nslookup google.com 9.9.9.9
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.203.174

#4
General Discussion / Re: DNS Unbound Issue
September 01, 2025, 12:11:37 AM
Hi thanks for reaching out.

When you say "Ensure unbound is listening on local host", what does this mean explicitly? The current interfaces Unbound listens on are:
LAN, Private, IOT, Guest, WG Tunnel

OK, here are the results from two NSLOOKUP tests

Not forcing through Unbound DNS
nslookup google.com 9.9.9.9
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
Name:   google.com

Forcing through Unbound DNS
nslookup google.com 10.0.80.1
Server:      10.0.80.1
Address:   10.0.80.1#53

** server can't find google.com: NXDOMAIN

The floating rule has the ! to invert the sense, assuming that meets the criteria for everything but the firewall. My big question is should this redirect be via floating rules or perhaps a NAT port forward? I have seen dialogue for either way.

Over the weekend I attempted to create a Private Network 2.0 (new interface, new VLAN, new SSID etc.) - no internet connection, same as the original private network.

Hope this helps, let me know if you require any other information.

Much appreciated.
#5
General Discussion / DNS Unbound Issue
August 30, 2025, 12:52:56 PM
UPDATE: strangely if I use my Nord VPN app on any device, my private network internet works. That rules out any NAT or firewall issues. Isolating some form of DNS issue.

Hi all,

I have a strange issue where my private network has no internet, yet IOT, Guest and Smart TV do.

My issue happened when I took steps to force the use of Unbound as a local resolver instead of Quad9. I have DNS over TLS set up for Quad9.

Current status
Opnsense Version: 25.7.2
KEA DHCP IPV4
IOT = No issues, works fine
Guest = No issues, works fine
Private = No internet and tests show NXDOMAIN

I suspect it's a DNS issue. I'm not sure about the best way to approach this. Currently I have a floating rule to govern traffic through Unbound. Unsure if this is the best approach.

Floating Rule:
IPV4 > TCP/UDP
Source: any
Port: any
Destination: !This Firewall
Port 53 (DNS)
Gateway: any
Interfaces: LAN, Guest, IOT, Private

My IOT has the same rule set as Private except for the web ports (for GUI access via the private network).

IOT + Private > Wireguard VPN tunnel
Guest > WAN
Smart TV > Nord VPN DNS

Checks I've done:
Interface added to Unbound
NAT rule using alias combining IOT+Private
WG peer allows any IP
Subnet added to Kea DHCP

Topology:
Opnsense FW > Omada Managed Switch > WAPS
#6
Hi there,

Thanks for sharing; it turns out it's a Safari advanced setting which, when turned off, fixes the issue for iPhone users.

To fix (in case anyone else encounters this): go to Settings > Safari > Advanced > Advanced Tracking and Fingerprinting Protection and change it to Private Browsing only. This way it provides the option if one wants to have that protection available.

I'll try this built in option on the firewall as well.

Cheers
#7
Hi all,

Recently I've noticed one device, my iPhone on my home private network, uses Cloudflare DNS servers, even though my Opnsense setup is set to use Quad9 DoT. Everything on my network successfully uses Quad9 DoT except my phone, bizarre.

Testing methods
On my phone, when carrying out DNS leak tests, Cloudflare servers show up. When using other devices such as my laptop, DNS leak tests and the "Am I on Quad9" page show I'm using Quad9.

General setup notes
Opnsense Firewall /gateway > Omada Switch > Omada EAPs
System DNS set to 9.9.9.9 and 149.112.112.112 Quad9 servers

Unchecked for allow DNS to be overridden
Unchecked "Do not use local DNS..."
Unchecked allow default gateway switching

Unbound enabled
DNS over TLS enabled for both IPV4 and IPV6 Quad9 servers

VLANs and DNS Setups
Omada - DNS for DHCP set to Quad9
IOT - DNS for DHCP set to Quad9
Private - DNS for DHCP set to Quad9
Guest - DNS for DHCP set to Google
Smart TV - DNS for DHCP set to NordVPN

Any advice welcomed.
#8
Hi all,

Has a fix been determined?

I've just upgraded (if one can call it that) from 23.7.12 to 24.1.6 - same issue as identified: WireGuard achieves a handshake but does not pass data through, despite having all the same settings that worked in 23.7.12.

In my case, I'm using WireGuard for general policy-routed Nord VPN (have used this setup for about 1.5 years without problems at gigabit speeds).

One thing I have noticed, which could be contributing to the problem:
On my previous WG interface, I tried changing the MSS value and it gives an error message "Cannot assign an IP configuration type to a tunnel interface", which is interesting as this was not an issue in 23.7.12. After seeing this, I checked my DHCPv4 for the WG tunnel and noticed it is not enabled due to not having an IP range. Not sure if this is the root of the problem or not, but thought I'd mention it here in case it helps.

I can confirm all the following are intact:
Gateway
WG interface
WG peer
WG instance
WG handshake
FW rules
NAT rules

Cheers

[EDIT: Major breakthrough: I changed my WG interface IPv4 configuration type to NONE and the tunnel started working immediately]
#9
Hi there,

Here are some screenshots from the firewall log.

These are the only blocked actions from my laptop to the firewall. Laptop connected via LAN ethernet cable, wifi off.

Block details
__timestamp__ 2023-10-01T09:35:31
ack 822559951
action [block]
anchorname
datalen 0
dir [in]
dst 3.217.221.243
dstport 8884
ecn
id 0
interface igb1
interface_name LAN
ipflags DF
ipversion 4
label Default deny / state violation rule
length 40
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 10
seq 970708305
src 10.0.10.100
srcport 62336
subrulenr
tcpflags RA
tcpopts
tos 0x0
ttl 64
urp 2048
#10
Hi there,

From version 22 onwards, access to my web GUI fails.

I can access via ssh no problems.

Interestingly, when I restart my firewall, the web GUI works as a one-off.
#11
Quote from: newsense on August 23, 2023, 03:16:20 AM
It's a decent system you have there, probably capped by the CPU for the encryption bits - a quad core would have been better.

What's the CPU % like when you do those tests ?

Any ideas? Currently with the latest Opnsense and updated WireGuard KMOD, sitting at 500 Mbps. Surely there is a small tweak in the tunables or similar. I'm still thinking it's running on one core.
#12
Hi there,

Here is a snap of my CPU usage while carrying out a speedtest CLI via LAN with an ethernet cable to the firewall.

Spikes to 60% to 80%. Two screenshot CPU charts attached.

Speedtest by Ookla

      Server: GSL Networks - Sydney (id: 44735)
         ISP: GSL Networks Pty
Idle Latency:    10.62 ms   (jitter: 1.46ms, low: 8.15ms, high: 13.23ms)
    Download:   524.55 Mbps (data used: 582.9 MB)                                                   
                 28.76 ms   (jitter: 16.32ms, low: 12.80ms, high: 267.36ms)
      Upload:    44.16 Mbps (data used: 48.1 MB)                                                   
                 10.01 ms   (jitter: 8.59ms, low: 5.30ms, high: 363.70ms)
Packet Loss:     0.0%
  Result URL: https://www.speedtest.net/result/c/41e54725-8ec0-4f0a-a840-d3c2d397bf1d

#13
Hi all,

Looking for some advice on further tuning ideas to maximise my WireGuard (via Nord VPN) performance.

This time I'm totally stalled on how to get my WireGuard VPN performance close to my 1Gb internet connection speed. Currently it caps out around 450 to 550 Mbps. The speed completely flatlines, which leads me to believe it's simply a setting which is maxing out the throughput/processing.

Firstly, my ISP allows these speeds, and I have done a direct connection to the internet router getting about 975 Mbps.

Key questions I have:

  • Does the DNS config affect speed? (Currently using Unbound in forwarding mode to Quad9 servers)
  • Are there specific tunable settings others have used and found a speed boost?
  • What specific MSS and MTU settings were used and where did you apply these?

I have played around with the MTU and MSS settings, between 1380 and 1420. Not seen any major jump across a range of combinations. Additionally, not sure where the best place to enter these is, as there seem to be several locations to do it:

  • The WireGuard tunnel
  • WG interface
  • LAN interface
  • Interface normalisation settings
  • System settings

Use Case
Simple home setup using Nord VPN for wireguard, just trying to get maximum speed.


Current Setup

  • Protectli FW6Br2 Intel i3-8130U 2.2Ghz 2 core 4 thread CPU with 16GB DDR4 Ram and 256GB SSD (According to Protectli Wireguard speeds of 900Mbps capable)
  • OPNsense 23.7.1_3-amd64
  • FreeBSD 13.2-RELEASE-p2
  • OpenSSL 1.1.1v 1 Aug 2023

Test Results
Testing via ethernet cable into LAN port via Speedtest CLI

Speedtest by Ookla

      Server: Network Solutions Group - Sydney (id: 30430)
         ISP: GSL Networks Pty
Idle Latency:    12.25 ms   (jitter: 4.04ms, low: 8.57ms, high: 16.21ms)
    Download:   455.10 Mbps [==========-         ] 54%   - latency: 273.32 ms
    Download:   464.39 Mbps [===========\        ] 55%   - latency: 273.32 ms
    Download:   465.29 Mbps [===========|        ] 56%   - latency: 273.32 ms
    Download:   465.38 Mbps [===========/        ] 56%   - latency: 273.32 ms
      Upload:    45.21 Mbps (data used: 35.0 MB)
                 47.27 ms   (jitter: 4.05ms, low: 14.23ms, high: 81.45ms)

Opnsense Setup
LAN Interface MTU = 1420
WG Interface MTU & MSS = 1420
Using Unbound DNS forwarding to Cloud9 servers - Not using local resolver - Unsure which is best for my application

Notable tunables I've adjusted based on various guides - in particular https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/
https://forum.opnsense.org/index.php?topic=24409.msg116941#msg116941

kern.ipc.maxsockbuf = 614400000
net.inet.rss.bits = 2
net.inet.rss.enabled = 1
net.inet.tcp.abc_1_var = 52
net.inet.tcp.minmss = 536
net.inet.tcp.mssdflt = 1240
net.inet.udp.checksum = 1
net.inet.udp.maxdgram = 57344
net.isr.defaultqlimit = 2048
net.isr.dispatch = deferred
net.isr.maxthreads = -1
net.local.dgram.maxdgram = 8192
net.pf.source_nodes_hashsize = 1048576
set.hw.ibrs_disable = 1
vfs.read_max = 32


Any help or advice much appreciated.