Messages

1

General Discussion / Re: Block internet access from VLAN. But whats the right way to do it?

« on: May 11, 2024, 12:01:14 am »

I think they mean they only want to access the network locally.

If that's the case, you'd have to create rules on the interface(s) which should have access to the camera network. I suppose something like this:

Interface: LAN (or whichever VLAN you want to access the camera network from)
Protocol: TCP/UDP (or just TCP or UDP, depending on your needs)
Source: LAN net
Destination: IP(s) of the camera, OR the camera network net for simplicity (e.g. CAM VLAN net)
Destination port range: any (if you know the ports your cameras need then use those. If e.g. you simply want to access a web portal to your cameras, use 80 or 443 depending on encryption or not)

 I believe you don't need to configure any firewall rules on the CAM VLAN interface.

2

General Discussion / Re: One VLAN is faster than the others (and than LAN, too)

« on: May 10, 2024, 11:52:00 pm »

The devices are all 1000 MBit/s; I made sure of that when purchasing them. I hadn't thought about the cables yet though - good call! I'll check all of those to make sure they're not a bottleneck.

As for the speed indications, do you mean somewhere in the OPNsense GUI? I looked for something like that under Reporting, System, and in the Diagnostics section under Interfaces but couldn't find any speed indications anywhere. Googling didn't yield any useful results either. The only mention of speed indications I could find is in the Interfaces section of my dashboard, where all ports show up as 1000baseT <full-duplex> (as is the case in the code snippets below).

3

General Discussion / Re: One VLAN is faster than the others (and than LAN, too)

« on: May 10, 2024, 02:48:18 pm »

That could be the case.. I'm on a macBook with only USB-C, so I use an adapter for Ethernet. This is supposed to be a Gigabit device (https://en.sharkoon.com/product/TypeCCombo#specs), but indeed when I connect this to the port which is definitely receiving/giving 250 MBit/s, it maxes out just under 100 MBit/s. I had already tried it with a different device, but smarty-pants me used an old laptop and after a quick ifconfig, I noticed that it only supports 100 MBit/s -.-

So I checked again using iperf, and sure enough I'm getting fairly bad connection speeds over WiFi:

Code: [Select]

~ % iperf3 -c 192.168.1.1 -p 58447
Connecting to host 192.168.1.1, port 58447
[  5] local 192.168.101.104 port 50626 connected to 192.168.1.1 port 58447
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec  10.8 MBytes  89.7 Mbits/sec
[  5]   1.01-2.00   sec  9.00 MBytes  75.6 Mbits/sec
[  5]   2.00-3.01   sec  9.88 MBytes  82.8 Mbits/sec
[  5]   3.01-4.01   sec  10.4 MBytes  87.0 Mbits/sec
[  5]   4.01-5.01   sec  9.38 MBytes  78.6 Mbits/sec
[  5]   5.01-6.01   sec  8.00 MBytes  67.1 Mbits/sec
[  5]   6.01-7.01   sec  8.75 MBytes  73.4 Mbits/sec
[  5]   7.01-8.00   sec  8.38 MBytes  70.5 Mbits/sec
[  5]   8.00-9.00   sec  10.0 MBytes  83.9 Mbits/sec
[  5]   9.00-10.00  sec  6.88 MBytes  57.7 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  91.4 MBytes  76.6 Mbits/sec                  sender
[  5]   0.00-10.04  sec  91.2 MBytes  76.2 Mbits/sec                  receiver

Similarly, when doing the same test via Ethernet, I get only slightly better and definitely sub-par results:

Code: [Select]

~ % iperf3 -c 192.168.1.1 -p 42017
Connecting to host 192.168.1.1, port 42017
[  5] local 192.168.1.190 port 50704 connected to 192.168.1.1 port 42017
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  11.2 MBytes  94.2 Mbits/sec
[  5]   1.00-2.00   sec  11.2 MBytes  94.4 Mbits/sec
[  5]   2.00-3.00   sec  11.2 MBytes  94.3 Mbits/sec
[  5]   3.00-4.00   sec  11.2 MBytes  94.5 Mbits/sec
[  5]   4.00-5.00   sec  11.1 MBytes  93.3 Mbits/sec
[  5]   5.00-6.01   sec  11.2 MBytes  94.0 Mbits/sec
[  5]   6.01-7.00   sec  11.2 MBytes  94.4 Mbits/sec
[  5]   7.00-8.00   sec  11.2 MBytes  94.7 Mbits/sec
[  5]   8.00-9.00   sec  11.1 MBytes  93.4 Mbits/sec
[  5]   9.00-10.01  sec  11.4 MBytes  95.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec   112 MBytes  94.2 Mbits/sec                  sender
[  5]   0.00-10.01  sec   112 MBytes  94.1 Mbits/sec                  receiver
I'm not sure if I did this correctly though; ideally I'd want to check the connection between LAN and VLAN, right? The tests above were done from my laptop (in LAN) to the respective IP.

I also tried testing from my OPNsense LAN to VLAN30, but the test results for this in the Iperf tab on the webGUI state 192.168.103.1 as both the local and remote host, despite me having logged into 192.168.1.1 via SSH, where 192.168.1.1 is the LAN IP of my OPNsense. So I'm not sure the results are worth anything:

Code: [Select]

~ $ iperf3 -c 192.168.103.1 -p 9006
Connecting to host 192.168.103.1, port 9006
[  5] local 192.168.103.1 port 7345 connected to 192.168.103.1 port 9006
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  2.85 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   1.01-2.01   sec  2.84 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   2.01-3.00   sec  2.81 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   3.00-4.00   sec  2.85 GBytes  24.6 Gbits/sec    0   2.01 MBytes
[  5]   4.00-5.01   sec  2.83 GBytes  24.2 Gbits/sec    0   2.01 MBytes
[  5]   5.01-6.00   sec  2.82 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   6.00-7.01   sec  2.85 GBytes  24.4 Gbits/sec    0   2.01 MBytes
[  5]   7.01-8.00   sec  2.81 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   8.00-9.00   sec  2.84 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   9.00-10.00  sec  2.82 GBytes  24.3 Gbits/sec    0   2.01 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec    0             sender
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec                  receiver
How do I properly test the connection between the LAN and a VLAN? (Assuming that is indeed what I want to test with iperf...)

4

Virtual private networks / Re: Some clarification on DNS via VPN

« on: May 10, 2024, 10:42:13 am »

some apps work such as browser, YouTube & Netflix whereas others don't, e.g. I cannot even try to update the TV OS or some of the installed apps as I get a network error (but everything works if there is no VPN).

Sounds like maybe your smart TV is somehow programmed to use a hardcoded DNS, and if that isn't reachable it just defaults to a network error? I don't know the first thing about smart TVs cause I never own(ed) one, but hardcoded DNS seems to be a common thing among IoT. You could try setting an override in your local DNS for whichever IP the TV wants to connect to for DNS. Say it's looking to connect to 1.1.1.1, so you set an override for 1.1.1.1 to go to e.g. 9.9.9.9. I'm not sure this would work, but might be worth a shot.

with VPN the DNS IP address is the ProtonVPN one (10.2.0.1) and with no VPN the DNS IP address listed is the same as the gateway that is 192.168.10.1   

This is to be expected, I believe, since in standard networks, the gateway often acts as a DNS server, too. Can other hosts in the 192.168.10.0/24 net resolve DNS queries (or rather, have them resolved by the DNS)? If not, then your DNS is likely the culprit.

5

General Discussion / Re: One VLAN is faster than the others (and than LAN, too)

« on: May 10, 2024, 10:29:42 am »

Ok good to hear; so there's probably something wrong with my config or potentially hardware (though I believe the HW should be fine). And yeah, I can see the interfaces fine and they don't seem to have any issues. They're all recognized as 1000baseT full-duplex, which is expected:

Code: [Select]

igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN (lan)
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether [REDACTED]
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: VLANs (opt5)
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether [REDACTED]
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan02: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: PERSONAL (opt2)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.101.1 netmask 0xffffff00 broadcast 192.168.101.255
groups: vlan
vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan03: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WORK (opt3)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.102.1 netmask 0xfffffffc broadcast 192.168.102.3
groups: vlan
vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan04: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: GUEST (opt4)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
groups: vlan
vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan05: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: DMZ (opt6)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.104.1 netmask 0xffffff00 broadcast 192.168.104.255
groups: vlan
vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Could this have something to do with different-size netmasks? I wouldn't think so, but that's the only apparent difference I can think of (VLAN20 is a /30 net, while the others are /24).

6

Virtual private networks / Re: WireGuard: After adding a second peer, the first can't connect anymore

« on: May 08, 2024, 08:56:51 pm »

Sound like you mixed the masks with /24 and /32, may read the docs again

You're right, thank you! I had put 0.0.0.0/0 in the Allowed IP's field thinking I want to allow all traffic through the VPN. But that setting is done on the client, not the server... Thanks again; made my day!

7

Virtual private networks / Re: Some clarification on DNS via VPN

« on: May 08, 2024, 08:46:06 pm »

Sorry, I think I my reply can be misunderstood. What I mean is that I think you should add a rule like the one below the default LAN rule in my screenshot.

So basically, you have to create the Port Forward on the interface that should be routed through ProtonVPN, so LAN2 in your case:
Interface: LAN2
Protocol: TCP/UDP
Source: LAN2 net
Destination port range: DNS DNS
Redirect Target IP: 10.2.0.1
Redirect Target Port: DNS

I'm not sure this is the best way to do it, and I'm unaware of any downsides this might have to different setups, but it is working very well for me. dnsleaktest . com shows only ProtonVPN servers in the extended test.

Regarding additional firewall rules, I believe I only implemented the ones from the OPNsense guide. See if the Port Forward from above works for you and if you still have leaks, we can see if additional rules might be necessary!

8

Virtual private networks / Re: Some clarification on DNS via VPN

« on: May 08, 2024, 07:14:38 pm »

Should I use a port forward?

I did this for a network that is also supposed to be routed via ProtonVPN, and it works like a charm. I've attached a screenshot of the respective rule, where the redacted parts are the name of the interface.

9

Virtual private networks / [SOLVED] WireGuard: After adding a second peer, the first can't connect anymore

« on: May 08, 2024, 07:08:07 pm »

So I just tested this again and it seems like there might be a bug, else I don't understand this behaviour.

I created a WireGuard instance as per the road warrior documentation to connect my phone to my network, and it worked like a charm. I could reach both the Internet and my local network perfectly fine. I then proceeded to add a peer for my laptop, which also worked like a charm.

However, when I now try to connect with my phone, the handshake succeeds, but I can't connect anywhere anymore. Trying to access anything in my local network or the Internet results in timeouts. I checked the WireGuard logs and the firewall live view, but they don't show any obvious hints.

I already went through this a second time because I thought it may be my configuration or I missed something the first time around, but that does not seem to be the case as the exact same thing happened again. What surprises me is that it was working in the first place, so it shouldn't be a connection issue. And the handshake succeeds too, so it seems the connection gets established.

What might be the reason for this? And more importantly, a solution?

10

General Discussion / One VLAN is faster than the others (and than LAN, too)

« on: May 08, 2024, 06:40:38 pm »

Hi,

I noticed one of my VLANs is getting full throughput (the full 250 Mbit/s from my ISP), while both the LAN and other VLANs are only getting around 100 Mbit/s. I verified this via Ethernet connected to the managed switch that sits behind the OPNsense.

When I plug the cable into a port of VLAN20, I get 250 MBit/s. When I plug it into a port of LAN or VLAN10, I get the aforementioned 100 MBit/s. I would assume that, when there isn't any traffic on VLAN20, VLAN10 and LAN should get the same speed as VLAN20 does, right? Is there anything I can do to gain the full 250 MBit/s on those interfaces that aren't getting the full speed?

I didn't (knowingly) create any rules or set any settings that would cause this behaviour, especially since the VLANs are all configured pretty much the same (except for obvious things like IP addresses etc.).

11

General Discussion / Re: Can't reach LAN from VLAN despite explicit allow rule

« on: April 09, 2024, 06:35:04 pm »

Hi,

unfortunately you did not mention what you're actually trying to do. Ping, Http, Rdp? Are we talking IPv4/v6 and what setup is deployed?

In any case, when "trying to get into" your LAN check Firewall -> Log files -> Live View

It will tell you if it blocked packets and why. Configure your pass rule with enabled logging to also see possible passed packets. From there one could try to identify possible issues in your setup.

Hey, thanks for the quick reply and sorry for posting incomplete information. Using Live View, I managed to figure out my mistake: There is a VPN client running on my laptop which unfortunately doesn't do or have an option for split tunneling (I only recently started using the client). So all packets showed as coming from the VPN's external IP rather than my local IP and were therefore rightfully blocked. When disconnected from the VPN, I can reach LAN devices just fine.

Sorry for bothering you with my stupidity..!

12

General Discussion / Can't reach LAN from VLAN despite explicit allow rule

« on: April 09, 2024, 12:43:01 am »

Hey,

Basically the title.

I'm trying to get into my LAN from a VLAN, but despite a specific allow rule on the VLAN interface (PERSONAL) to allow all traffic to the LAN interface, I can't reach any of the devices there. I also tried adding the same a floating rule that includes both interfaces, but that didn't help either. Surely I must be doing something wrong?

Firewall: Rules: Floating
Protocol    Source          Port    Destination   Port. Gateway Schedule
IPv4 *    PERSONAL net    *    LAN net         *        *         *