Messages

1

General Discussion / Re: DNS Server Setup - All Devices on Quad9 except one on Cloudflare - Why?

« on: June 15, 2024, 02:54:47 am »

Hi there,

Thanks for sharing, turns out it's a Safari advanced setting, which when turned off fixes the issue, for iPhone users.

To fix (n case anyone else encounters this): Go to settings > Safari > Advanced > Advanced Tracking and Finger printing protection - Change to private browsing only. This way it provides the option if one wants to have that protection available.

I'll try this built in option on the firewall as well.

Cheers

2

General Discussion / DNS Server Setup - All Devices on Quad9 except one on Cloudflare - Why?

« on: June 08, 2024, 01:44:46 am »

Hi all,

Recently I've notice one device, my iPhone on my home private network uses cloudflare DNS servers, even though my Opnsense setup is set to use Quad9 DoT. Everything on my network successfully uses Quad9 DoT, except my phone, bizarre.

Testing methods
On my phone when carrying out DNSleak tests, cloudflare servers show up. When using other devices such as my laptop, dns leak tests and the "Am I on quad9" page show I'm using quad9.

General setup notes
Opnsense Firewall /gateway > Omada Switch > Omada EAPs
System DNS set to 9.9.9.9 and 149.112.112.112 Quad9 servers

Unchecked for allow DNS to be overridden
Unchecked "Do not use local DNS..."
Unchecked allow default gateway switching

Unbound enabled
DNS over TLS enabled for both IPV4 and IPV6 Quad9 servers

VLANs and DNS Setups
Omada -  - DNS for DHCP set to quad9
IOT - DNS for DHCP set to quad9
Private  - DNS for DHCP set to quad9
Guest  - DNS for DHCP set to google
Smart TV  - DNS for DHCP set to NordVPN

Any advice welcomed.

3

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 07, 2024, 01:37:11 am »

Hi all,

Has a fix been determined?

I've just upgraded (If one can call it that), from 23.7.12 to 24.1.6 - Same issue as identified, wireguard achieves a handshake but does not pass data through, despite having all the same settings that worked in 23.7.12.

In my case, I'm using wireguard for general policy routed nord VPN (Have used this setup for about 1.5 years without problems at gigabit speeds).

One thing I have noticed, which could be contributing to the problem:
My previous WG interface, I tried changing the MSS value, and it provides an error message "Cannot assign an IP configuration type to a tunnel interface" - Which is interesting as this was not an issue in 23.7.12. After seeing this, I checked my DHCPv4 for the WG tunnel, and noticed this is not enabled due to not having an IP range. Not sure if this is the root of the problem or not, but thought I'd mention it here if it helps.

I can confirm all the following are in tact:
Gateway
WG interface
WG peer
WG instance
WG handshake
FW rules
NAT rules

Cheers

[EDIT: Major breakthrough, I changed my WG interface to IPV4 configuration type to NONE and the tunnel started working immediately]

4

23.7 Legacy Series / Re: Unable to access web GUI - But able to access ssh - Please Help

« on: October 01, 2023, 01:00:01 am »

Hi there,

Here are some screens shots from the firewall log

These are the only blocked actions from my laptop to the firewall. Laptop connected via LAN ether cable, wifi off.

Block details

Code: [Select]

__timestamp__ 2023-10-01T09:35:31
ack 822559951
action [block]
anchorname
datalen 0
dir [in]
dst 3.217.221.243
dstport 8884
ecn
id 0
interface igb1
interface_name LAN
ipflags DF
ipversion 4
label Default deny / state violation rule
length 40
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 10
seq 970708305
src 10.0.10.100
srcport 62336
subrulenr
tcpflags RA
tcpopts
tos 0x0
ttl 64
urp 2048

5

23.7 Legacy Series / Unable to access web GUI - But able to access ssh - Please Help

« on: September 28, 2023, 11:23:13 am »

Hi there,

From version 22 onwards access to my web guide fails.

I can access via ssh no problems.

Interestingly, when I restart my firewall, then the web guy works as a one off.

6

Virtual private networks / Re: Wireguard Performance Capped - why?

« on: September 22, 2023, 11:27:21 am »

It's a decent system you have there, probably capped by the CPU for the encryption bits - a quad core would have been better.

What's the CPU % like when you do those tests ?

Any ideas? Currently with latest Opnsense and updated Wireguard KMOD, sitting at 500mbps. Surely there is a small tweak on the turntables or similar. I'm still thinking its running on one core.

7

Virtual private networks / Re: Wireguard Performance Capped - why?

« on: August 24, 2023, 06:57:35 am »

Hi there,

Here is a snap of my CPU usage while carrying out a speedtest CLI via LAN with ethernet cable to firewall.

Spikes to 60% to 80%. Two screen shot CPU charts attached.

Code: [Select]

Speedtest by Ookla

      Server: GSL Networks - Sydney (id: 44735)
         ISP: GSL Networks Pty
Idle Latency:    10.62 ms   (jitter: 1.46ms, low: 8.15ms, high: 13.23ms)
    Download:   524.55 Mbps (data used: 582.9 MB)                                                   
                 28.76 ms   (jitter: 16.32ms, low: 12.80ms, high: 267.36ms)
      Upload:    44.16 Mbps (data used: 48.1 MB)                                                   
                 10.01 ms   (jitter: 8.59ms, low: 5.30ms, high: 363.70ms)
 Packet Loss:     0.0%
  Result URL: https://www.speedtest.net/result/c/41e54725-8ec0-4f0a-a840-d3c2d397bf1d



8

Virtual private networks / Wireguard Performance Capped - why?

« on: August 21, 2023, 12:26:34 pm »

Hi all,

Looking for some advice on further tuning ideas to maxmise my Wireguard (Via Nord VPN) performance.

This time totally stalled at how to get my Wireguard VPN performance close to my 1Gb internet connection speed. Currently caps out around 450 to 550Mbps. The speed completely flatlines which leads me to believe its simply a setting which is maxing the throughput/processing.

Firstly, my ISP allows these speeds and have done direct connection to internet router getting about 975Mbps.


Key Questions I have

• Does the DNS config affect speed? (Currently using Unbound in forwarding mode to Quad9 Servers)
• Are there specific turnables settings others have used and found a speed boost?
• What specific MSS and MTU settings were used and where did you apply these?

I have played around with the MTU and MSS settings, between 1380 to 1420. Not seen any major jump across a range of combinations. Additionally not sure where is the best place to enter these as there seems to be several locations to do it

• The wireguard tunnel
• WG interface
• LAN interface
• Interface normalisation settings
• System settings

Use Case
Simple home setup using Nord VPN for wireguard, just trying to get maximum speed.


Current Setup

• Protectli FW6Br2 Intel i3-8130U 2.2Ghz 2 core 4 thread CPU with 16GB DDR4 Ram and 256GB SSD (According to Protectli Wireguard speeds of 900Mbps capable)
• OPNsense 23.7.1_3-amd64
• FreeBSD 13.2-RELEASE-p2
• OpenSSL 1.1.1v 1 Aug 2023

Test ResultsTesting via ethernet cable into LAN port via Speednet CLI Test

Speedtest by Ookla

      Server: Network Solutions Group - Sydney (id: 30430)
         ISP: GSL Networks Pty
Idle Latency:    12.25 ms   (jitter: 4.04ms, low: 8.57ms, high: 16.21ms)
    Download:   455.10 Mbps [==========-         ] 54%   - latency: 273.32 ms       Download:   464.39 Mbps [===========\        ] 55%   - latency: 273.32 ms       Download:   465.29 Mbps [===========|        ] 56%   - latency: 273.32 ms       Download:   465.38 Mbps [===========/        ] 56%   - latency: 273.32 ms 

Upload:    45.21 Mbps (data used: 35.0 MB)                                                   

                 47.27 ms   (jitter: 4.05ms, low: 14.23ms, high: 81.45ms)

Opnsense Setup
LAN Interface MTU = 1420
WG Interface MTU &  MSS = 1420
Using Unbound DNS forwarding to Cloud9 servers - Not using local resolver - Unsure which is best for my application

Notable Turnables I've adjusted based on various gudes - In particular https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/
https://forum.opnsense.org/index.php?topic=24409.msg116941#msg116941

kern.ipc.maxsockbuf = 614400000
net.inet.rss.bits = 2
net.inet.rss.enabled = 1
net.inet.tcp.abc_1_var = 52
net.inet.tcp.minmss = 536
net.inet.tcp.mssdflt = 1240
net.inet.udp.checksum = 1
net.inet.udp.maxdgram = 57344
net.isr.defaultqlimit = 2048
net.isr.dispatch = deferred
net.isr.maxthreads = -1
net.local.dgram.maxdgram = 8192
net.pf.source_nodes_hashsize = 1048576
set.hw.ibrs_disable = 1
vfs.read_max = 32


Any help or advice much appreciated.

9

Virtual private networks / Nord Wireguard Setup - One Final Tweak Required

« on: August 14, 2023, 12:33:43 pm »

N/A

10

Virtual private networks / Multiple Open VPN Tunnel Setup Issues

« on: July 17, 2023, 12:24:32 pm »

N/A

11

Virtual private networks / Re: Multiple VPN client tunnels & bypass rules

« on: July 17, 2023, 09:18:44 am »

To route traffic a particular way depending on source instead of destination - so called policy routing - you would normally place an allow rule on LAN (or other internal interface) and explicitly set the gateway.

So I the issue I encountered using NordVPN, is openVPN gets confused as the certificate is the same for different servers.

So should there be one WAN or LAN per tunnel? or one gateway and one interface per tunnel?

Do you have any examples?

12

Virtual private networks / Re: Multiple VPN client tunnels & bypass rules

« on: July 16, 2023, 01:03:17 pm »

I'm having the same issue, both in terms of setup and lack of information on the topic of multi open VPN client tunnels.

The only glimmer of hope I found was potentially setting up another WAN then link second openVPN gateway and interface to that second WAN.

Yet to work it out.

I ended up with one tunnel working on LAN and OPT1, but the second tunnel wouldn't work on OPT2 and had a socket bind error, which prevented the tunnel connection.