Messages - s4n

#1
If the kids always play from the same host:
SRC:
HOST IP -
DEST: .epicgames.com
Port: ANY


Alternatively, you can simply allow the ports:
UDP: 3478-3479, 5060, 5062, 6250, 12000-12500 (I wouldn't try more than that at first)
TCP: 433, 3478-3479, 5060, 5062, 5222, 6250

Trial and error
#2
Quote from: Martinf on February 27, 2024, 05:34:35 PM
If I got it right, your solution is to use the Vlan interfaces with IP and DHCP instead of the bridges.

that is correct.
add the VLANs to your switch,
vlan2 (LAN), vlan3 (IoT), vlan4 (Guest), vlan5, vlan666 (internet)

add the VLANs to the NIC in Proxmox as well. keep in mind that you will have to configure a TAGGED port for SWITCH <-> PROXMOX with all needed VLANs afterwards.
check out this video.
https://www.youtube.com/watch?v=stQzK0p59Fc

add the necessary NICs to your OPNsense installation, add VLANs, add IP addresses to the VLANs, add DHCP, add firewall rules, add NAT (if you don't use the auto feature)

connect the ISP router to your switch, give this port its own VLAN (666) as an UNTAGGED port.

the ports connecting wired devices are UNTAGGED.
I assume that OpenWrt can also handle VLANs - same game: add the VLANs you need (Guest, IoT, LAN), make wireless interfaces/bridges to the VLANs.

You will have a clean setup with OPNsense responsible for all traffic, including inter-VLAN traffic, DHCP, DNS, WireGuard, etc.
This should do the trick.

Quote from: Martinf on February 27, 2024, 05:34:35 PM

will this really double the overall OPNsense throughput?
Did you test/ measure this scenario - what was the outcome?

Why I am asking - this would indicate that the standard bridge functionality here should be used very, very carefully because of a possible heavy impact on the throughput. And somehow this does not sound practical in a way...

(20+ years experience)
keep your setup clean, keep it simple. Just because you are able to do it doesn't mean you need to :P
if you really have performance issues afterwards it will be easier to identify the issue.

the performance itself depends on hardware and configuration. a good start is to use iperf to measure the internal throughput. for external throughput you can use external test sites.

just to be clear after reading your posts several times: one physical link can carry multiple VLANs. if you want to use only one physical NIC you can do it.
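
The Proxmox side of the setup described above (VLANs on the Proxmox NIC, one tagged trunk towards the switch, and the OPNsense VM receiving the tagged VLANs), as an added example that is not from this post or from the Proxmox or OPNsense projects. It assumes the host NIC is called enp1s0, the bridge is vmbr0, and the OPNsense VM's first virtual NIC is net0; the VLAN IDs 2-5 and 666 are the ones named in the post, and VMID and MAC are placeholders.

```text
# /etc/network/interfaces on the Proxmox host (assumed NIC name: enp1s0)
# One physical link carries all VLANs as a tagged trunk to the switch;
# the switch port facing enp1s0 must be a TAGGED member of the same VLANs.
auto enp1s0
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    # Only the VLANs from the post are allowed on the trunk, not 2-4094.
    bridge-vids 2-5 666

# /etc/pve/qemu-server/<VMID>.conf for the OPNsense VM (placeholder VMID and MAC)
# No "tag=" option, so frames reach the VM still tagged; "trunks=" limits
# which VLAN IDs the VM may send or receive. OPNsense then creates its
# vlan2..vlan5 and vlan666 interfaces on top of the resulting vtnet NIC.
net0: virtio=<MAC>,bridge=vmbr0,trunks=2;3;4;5;666
```

Limiting bridge-vids and trunks to the VLANs actually in use keeps a misconfigured guest or switch port from reaching VLANs that were never meant to pass through the host.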

#3
Hi,

sorry to say, but for me your setup makes no sense.
If you are using VLANs, the only use case for a bridge is for WiFi (bridge LAN <-> WiFi) (and bridging physical ports to VLANs on the firewall).

Microsegmentation with VLANs is absolutely fine, but why are you using so many bridges?
What do you want to achieve with your setup? Especially with "bridge lan", "bridge IoT" and "bridge guest"?

What type of Wifi AP do you have? What type of switch do you have?


You already have VLANs which act as "Local LAN" - enable the VLAN interfaces and give them IP addresses. Enable DHCP for those interfaces, set the tagging on the switch correctly.

Tag the ports correctly on the switch (it will be layer 2 only - no IP addresses are involved), so your switch should handle that easily.
The VLAN routing itself is done on the OPNsense.

Make the firewall rules as described here:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
for your two VLANs which should use WireGuard/Proton VPN to access the internet.

Another policy for your "normal internet" access clients. That's it.



#4
So the problem has been solved.
I got another appliance for the weekend which was installed from scratch - no backup.
The performance was incredible.

So I configured my "old" appliance from scratch as well --> Tada! Everything works as expected.

For me it seems that the backup file was not in good shape, or something weird happened during import.
So far so good.

#5
Hi guys,

this is my first try with OPNsense; before, I used Fortigate and Barracuda. I got a Sophos SG135 Rev3 appliance, but line speed is 300/50 MBit. Cable connection with bridged modem/router.
WAN throughput with OPNsense is barely scratching 100 MBit/s down, 50 MBit/s up.

Internal speed from VLAN to VLAN is nearly the same.
I also removed the LAGG configuration to test, but the result is the same.

When doing speedtests or copy jobs the CPU runs up to 98% - I don't think that this is any good.
For now I don't have any service but Unbound and mDNSresponder.
AV and IPS are disabled. No proxy configuration.

Anyone else experiencing these issues?

thanks