Messages - Struntzi

#1
Hello Guys,

I have the following setup in my lab and am having some trouble with the corresponding firewall rules:

- OPNsense as OpenVPN instance (server) [OPNsense 24.1-amd64] -> 192.168.100.1
- Server 1 connected via .ovpn [Debian 12 Bookworm] -> 192.168.100.240
- Server 2 connected via .ovpn [Debian 11] -> 192.168.100.241
- Client [macOS] -> 192.168.100.105

As you might have noticed, I have some client-specific overrides in place for the IP addresses.

My goal here is to be able to communicate freely within the VPN network.

As soon as Server 2 tries to access a service on Server 1, I see a "Default deny / state violation rule" message in the live view of the firewall rules.

I placed rules on the VPN interface itself, in the OpenVPN group and even on the WAN interface, and disabled "Block private networks" there for testing.

But none of the rules are working or being matched.

Even though I have tested any/any rules as well as rules just for the /24 subnet of the VPN.

But it seems OPNsense just ignores my rules.
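Added example (not code from the original post, and not OPNsense's own tooling): a small parser for the CSV payload that OPNsense's filterlog writes for each logged packet, used to see what the "Default deny / state violation rule" entries are actually dropping on the OpenVPN interface. Because pf is stateful, a blocked TCP SYN means no pass rule matched on that interface and direction, while a blocked non-SYN packet means pf had no state for it (for example a reply taking a different path than the request, or a state that has timed out). The sample log lines, the interface name `ovpns1`, the rule-number and rule-identifier columns and the addresses are constructed for this example and are not taken from the poster's lab.

```python
"""Summarise OPNsense/pf filterlog 'block' entries to see what the
'Default deny / state violation rule' is actually dropping.

Added example, not from the original post. The log lines below are
constructed to mimic the CSV payload that filterlog writes after the
syslog prefix; the interface name 'ovpns1', the rule number and rule
identifier values and the addresses are assumptions, not the poster's.
"""
import csv
from collections import Counter
from io import StringIO

# Column layout of the filterlog CSV for IPv4 entries:
# common header, then IPv4 header fields, then transport fields.
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "interface",
          "reason", "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid",
        "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]


def parse_filterlog_line(line):
    """Return a dict for one IPv4 filterlog CSV payload
    (the part after 'filterlog[...]: '), or None for non-IPv4 lines."""
    fields = next(csv.reader(StringIO(line)))
    if len(fields) < len(COMMON) or fields[8] != "4":
        return None  # only IPv4 is handled in this example
    head = len(COMMON) + len(IPV4)
    rec = dict(zip(COMMON + IPV4, fields[:head]))
    rest = fields[head:]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest))
    return rec


def classify_block(rec):
    """Heuristic for reading block logs on a stateful firewall:
    a blocked TCP SYN means no pass rule matched on that interface and
    direction; a blocked non-SYN TCP packet means pf had no state for it
    (asymmetric path, timed-out state, reply arriving on another interface).
    Non-TCP blocks are reported as 'no-matching-rule'."""
    if rec["proto"] != "tcp":
        return "no-matching-rule"
    flags = rec.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        return "no-matching-rule"
    return "out-of-state"


def summarise_blocks(lines):
    """Count dropped packets keyed by
    (interface, direction, src, dst:dport, classification)."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        key = (rec["interface"], rec["direction"], rec["src"],
               f'{rec["dst"]}:{rec.get("dport", "-")}', classify_block(rec))
        counts[key] += 1
    return counts


# Constructed sample: Server 2 (.241) opening TCP/22 to Server 1 (.240) over
# the OpenVPN interface, one reply-side ACK arriving without a state, and one
# UDP packet from the macOS client. Rule number 5 and rid 0 are placeholders.
SAMPLE = [
    "5,,,0,ovpns1,match,block,in,4,0x0,,64,10001,0,DF,6,tcp,60,"
    "192.168.100.241,192.168.100.240,51514,22,0,S,1001,,64240,,mss;sackOK;TS;nop;wscale",
    "5,,,0,ovpns1,match,block,in,4,0x0,,64,10002,0,DF,6,tcp,60,"
    "192.168.100.241,192.168.100.240,51514,22,0,S,1001,,64240,,mss;sackOK;TS;nop;wscale",
    "5,,,0,ovpns1,match,block,in,4,0x0,,64,10003,0,DF,6,tcp,52,"
    "192.168.100.240,192.168.100.241,22,51514,0,A,2001,1002,501,,",
    "5,,,0,ovpns1,match,block,in,4,0x0,,64,10004,0,none,17,udp,61,"
    "192.168.100.105,192.168.100.240,50000,53,41",
]

if __name__ == "__main__":
    for key, n in sorted(summarise_blocks(SAMPLE).items()):
        iface, direction, src, dst, why = key
        print(f"{n:3d}  {iface:8s} {direction:3s} {src} -> {dst}  ({why})")
```

Real entries come from the plain-view filter log with a syslog prefix in front of the CSV; strip everything up to and including `filterlog[...]: ` before feeding a line to `parse_filterlog_line`. If the SYNs from 192.168.100.241 are the ones being blocked, no pass rule is matching on that interface in that direction; if only the non-SYN packets are blocked, the rules match but pf is not seeing both directions of the flow on the same interface.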
#2
EDIT:

I've set up a small testing lab so I can verify whether this even happens with inter-VLAN shaping.
I did this so I could rule out my ISP connection.

And well... shaping traffic between two VLANs on the OPNsense with some network switches in between and two notebooks on the ends running iperf3 -> success.

I was able to get stable rates up to 800 Mbit/s shaped. I don't need that much, but it was nice to see that my firewall can handle this.

So the plot thickens: my "problem" has something to do with the cable modem provided by the ISP.
-----------------------------------

Hey Guys,

I have a (rather big) problem with the Shaper option in OPNsense.

First, this is my configuration:

Firewall hardware: Fujitsu RX100 S8 - Intel Xeon E3-1270V3 - 16 GB DDR3 memory
Networking hardware (for some testing): HP dual SFP+ PCIe card with 1G HP SX transceiver
Internet connection: 1 Gbit/s download / 50 Mbit/s upload via cable modem
OPNsense version: OPNsense 24.1-amd64

What I want to achieve: I am currently trying to limit the download bandwidth for one of my clients in order to reserve bandwidth for other clients in my network.

I added a pipe with various download speeds and created a rule with a /32 mask just for that one client.
All speeds up to 50-60 Mbit/s work great. Any speed above that won't really work.
In case the CPU was the problem, I changed the CPU from a Xeon E3-1220V3 to the above-mentioned Xeon E3-1270V3. But this did not really make a big difference.

I am getting various speeds; for example, a pipe set to 300 Mbit/s gets anywhere from 150-200 Mbit/s, sometimes even less or slightly more.

I thought maybe the networking hardware in the server could be the problem, so I changed to the above-mentioned fiber card, but (as sadly expected) no change.

Then I changed to another firewall of mine (running the same software) with a Pentium G4000 and some DDR4 memory, but also no big change.

I also changed kern.hz to 1000 / 4000 / 8000, but also no change here.

My pipes use the standard configuration with the bare minimum.
My rule is set to WAN, with the destination set to the client with a /32 mask.

The firewall itself does not have any configuration except LAN and WAN port assignments.

Maybe one of you guys has a solution or even an idea about this.

PS.
I tested a bigger server (Xeon Silver and 200+ GB of RAM) with another Internet connection and everything runs smoothly. I will test my main firewall with this Internet connection if possible.
#3
Hi,

I currently have the following problem.

I want to split my Internet line and set up partially reserved bandwidth.

I have a 1 Gbit/s line with a net download of about 900 Mbit/s.

If I now create a download pipe with values greater than 100 Mbit/s, the speed test shows anything from 30 to 90 Mbit/s but not the configured speed. Anything smaller than that value works.

Am I perhaps overlooking something here?

My goal is to reserve a specific download and upload speed for one dedicated client (IP).
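Added example covering the shaper question in both posts above (#2 and #3); it is not code from the original posts and not a diagnosis of the posters' setups. The OPNsense shaper is built on FreeBSD's ipfw/dummynet, whose per-pipe queue defaults to 50 slots (ipfw(8)). A single TCP flow can only sustain a pipe's full rate if that queue can absorb roughly one bandwidth-delay product, so a queue that is plenty for a 50 Mbit/s pipe can itself become the limit once the pipe is set to several hundred Mbit/s. The helper below computes the bandwidth-delay product, the queue slots it needs and the pipe rate above which a given queue is smaller than one bandwidth-delay product. The 1500-byte packet size and the RTT values are assumptions; the pipe number and the `ipfw` line it prints are the raw dummynet equivalent for comparison, not what OPNsense generates.

```python
"""Bandwidth-delay product (BDP) check for a dummynet pipe, the engine
behind the OPNsense traffic shaper.

Added example, not code from the original posts. It quantifies one known
limiter on high-bandwidth pipes: dummynet's per-pipe queue defaults to 50
slots (ipfw(8)), and a single TCP flow can only sustain a pipe's full rate
if the queue can hold roughly one BDP. Assumptions: 1500-byte packets and
the RTT values passed in; whether this is what the posters hit is not
known from their reports.
"""
import math

DEFAULT_QUEUE_SLOTS = 50   # dummynet default, see ipfw(8) "queue"
MTU_BYTES = 1500           # assumed packet size on the path


def bdp_bytes(bandwidth_mbit, rtt_ms):
    """Bandwidth-delay product in bytes for a pipe rate and a path RTT."""
    return bandwidth_mbit * 1e6 / 8 * rtt_ms / 1e3


def slots_needed(bandwidth_mbit, rtt_ms, mtu=MTU_BYTES):
    """Queue slots (packets) needed to buffer one BDP."""
    return math.ceil(bdp_bytes(bandwidth_mbit, rtt_ms) / mtu)


def queue_limited_rate_mbit(queue_slots, rtt_ms, mtu=MTU_BYTES):
    """Pipe rate at which a queue of `queue_slots` packets equals one BDP.
    Above this rate the queue, not the configured bandwidth, bounds what a
    single TCP flow can reach."""
    return queue_slots * mtu * 8 * 1e3 / (rtt_ms * 1e6)


def plan_pipe(pipe_no, bandwidth_mbit, rtt_ms, queue_slots=DEFAULT_QUEUE_SLOTS):
    """Report whether `queue_slots` covers one BDP for the pipe and show the
    raw ipfw equivalent with a BDP-sized queue. OPNsense generates its own
    ipfw rules; the line is for comparison, not for pasting into OPNsense."""
    need = slots_needed(bandwidth_mbit, rtt_ms)
    return {
        "pipe_mbit": bandwidth_mbit,
        "rtt_ms": rtt_ms,
        "queue_slots": queue_slots,
        "slots_needed": need,
        "queue_ok": queue_slots >= need,
        "queue_limited_rate_mbit": queue_limited_rate_mbit(queue_slots, rtt_ms),
        "ipfw_equivalent": f"ipfw pipe {pipe_no} config bw {bandwidth_mbit}Mbit/s queue {need}",
    }


if __name__ == "__main__":
    # Constructed scenarios: the 50 Mbit/s pipe that worked and the 300 Mbit/s
    # pipe that did not, both with an assumed 10 ms RTT to the speed-test server.
    for rate in (50, 300):
        p = plan_pipe(1, rate, rtt_ms=10)
        verdict = "ok" if p["queue_ok"] else "queue smaller than one BDP"
        print(f"{p['pipe_mbit']:>4} Mbit/s pipe, {p['rtt_ms']} ms RTT: "
              f"need {p['slots_needed']} slots, have {p['queue_slots']} -> {verdict}; "
              f"{p['queue_slots']} slots equal one BDP at "
              f"{p['queue_limited_rate_mbit']:.0f} Mbit/s")
        print("    ", p["ipfw_equivalent"])
```

Measure the RTT to the speed-test server with `ping` from a host behind the pipe and pass that value in. With the assumed 10 ms, the default 50 slots equal one bandwidth-delay product at 60 Mbit/s, which falls in the range post #2 reports as the last rate that worked; that is consistent with a queue-sized limit but does not prove it, since a multi-connection speed test or a different RTT changes the numbers. If the check says the queue is too small, raise the pipe's queue size in its advanced settings to at least `slots_needed` and retest before looking further at the modem.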