Messages - Brink7564

#1
Quick update: As soon as I connected the fibre modem and registered it with Telekom, everything worked flawlessly again! Thanks again for the support.
#2
Whoa - I was really slow on the uptake there! Even though it says so right there, and I myself spoke of the "DSL-Modem" mode, I completely overlooked the fact that a DSL modem is not the same thing as a "fibre modem". Sometimes you can't see the forest for the trees...

I'll go and get a fibre modem right away and register it with Telekom. Many thanks for your help!
#3
The new device is a Speedport Smart 4 Plus; before that it was a Speedport Smart 4. I therefore assumed they behave almost identically and that the Plus merely has a fibre modem built in. Initial research on the internet before my post also indicated that setting up OPNsense works the same way for both devices.

What you took from my description is exactly right. Your assumption about the Speedports is - at least as far as I know - also correct.

As I understand it, the device is then put into ONT mode via the "DSL-Modem" tab in the GUI. So really everything exactly as before. Which is also why I'm puzzled that it suddenly no longer works.
#4
The line itself is active - at least everything works when I use the Speedport with factory settings. Is the MAC activation by Telekom something new? I will indeed contact Telekom. With the DSL line that wasn't necessary, hence the question.

One more thing I noticed: In the Point-to-Point logs you can see the device trying in vain to connect to '':
Date Severity Process Line

2025-01-09T22:03:24 Informational ppp [opt18_link0] PPPoE: Connecting to ''
2025-01-09T22:03:24 Informational ppp [opt18_link0] Link: reconnection attempt 48
2025-01-09T22:03:21 Informational ppp [opt18_link0] Link: reconnection attempt 48 in 3 seconds
2025-01-09T22:03:21 Informational ppp [opt18_link0] LCP: Down event
2025-01-09T22:03:21 Informational ppp [opt18_link0] Link: DOWN event
2025-01-09T22:03:21 Informational ppp [opt18_link0] PPPoE connection timeout after 9 seconds
2025-01-09T22:03:12 Informational ppp [opt18_link0] PPPoE: Connecting to ''

I've never looked at these logs before, so I have no idea whether that's normal. But wanting to connect to '' aka nothing seems suspicious to me at first glance.
#5
Hello everyone,

Today a new fibre connection was set up for me, replacing my DSL connection. Previously I used a Speedport in modem mode and ran an OPNsense firewall behind it as the router. That worked flawlessly.

Now I thought I could simply put the new Speedport (with fibre modem) back into modem mode and keep using my previous OPNsense configuration. That turned out to be a fallacy. The OPNsense simply doesn't get a public IP address on the interface.

I then deleted the old configuration and set everything up from scratch (VLAN 7 on igb0 (= uplink), WAN interface set to the VLAN, and entered the PPPoE dial-in credentials). That didn't succeed either. So I restored an old configuration from a backup - still no IP.

I then did a traffic capture on igb0 to see whether anything looks conspicuous there. The only thing that passes through every few seconds is a packet like this:

Interface    Timestamp    SRC    DST    output
igb0    2025-01-09 20:56:52.899060    [REDACTED]    ff:ff:ff:ff:ff:ff    ethertype 802.1Q (0x8100), length 40: vlan 7, p 0, ethertype PPPoE D (0x8863), PPPoE PADI [Host-Uniq 0xC014176001F8FFFF] [Service-Name]

So broadcast traffic. As far as I can see, though, nothing comes back.

igb0 is connected via Ethernet to LAN1/Link on the Speedport. I actually thought the connection goes to a regular LAN port (2-4), but the "DSL-Modem" page in the Speedport said at the bottom that the connection must be made to LAN1/Link. I also tried another port as a test, but that was unsuccessful as well.

I'm slowly running out of ideas as to where the problem might be. Does anyone have an idea?
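An added illustration, not from the thread: a Python decoder for the 802.1Q-tagged PPPoE PADI frame seen in the capture above (it reproduces the 40-byte length and the tag list), plus a check that pairs each PADI's Host-Uniq against PADO replies, so an unanswered PADI, the "nothing comes back" situation here, shows up explicitly. The client/AC MAC addresses and the AC-Name are constructed sample values.

```python
import struct

# PPPoE Discovery (RFC 2516) code and tag values that appear in the capture.
PPPOE_DISC = 0x8863
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}
CODE_IDS = {name: cid for cid, name in CODES.items()}
TAG_IDS = {name: tid for tid, name in TAGS.items()}

def build_discovery(code, src, dst, vlan, tags):
    """Build an 802.1Q-tagged PPPoE Discovery frame (used here to construct test input)."""
    body = b"".join(struct.pack("!HH", TAG_IDS[n], len(v)) + v for n, v in tags)
    pppoe = struct.pack("!BBHH", 0x11, CODE_IDS[code], 0, len(body)) + body
    return dst + src + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, PPPOE_DISC) + pppoe

def parse_frame(frame):
    """Decode Ethernet header, optional 802.1Q tag, PPPoE Discovery header and its TLV tags."""
    ethertype, = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None, "pcp": None}
    off = 14
    if ethertype == 0x8100:                      # VLAN tag: 3-bit priority, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"], info["pcp"], off = tci & 0x0FFF, tci >> 13, 18
    if ethertype != PPPOE_DISC:
        return info                              # not PPPoE Discovery; nothing more to decode
    ver_type, code, session, length = struct.unpack("!BBHH", frame[off:off + 6])
    if ver_type != 0x11:
        raise ValueError(f"unexpected PPPoE ver/type 0x{ver_type:02x}")
    info.update(code=CODES.get(code, f"0x{code:02x}"), session=session, tags=[])
    pos, end = off + 6, off + 6 + length
    while pos + 4 <= end:                        # walk the tag list: type, length, value
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])
        info["tags"].append((TAGS.get(ttype, f"0x{ttype:04x}"), frame[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
    return info

def describe(info):
    """Render the frame as a tcpdump-style one-liner like the one in the post."""
    tags = " ".join(f"[{n} 0x{v.hex().upper()}]" if v else f"[{n}]" for n, v in info["tags"])
    return f"vlan {info['vlan']}, p {info['pcp']}, PPPoE {info['code']} {tags}"

def unanswered_padi(frames):
    """Host-Uniq values of PADIs that no PADO echoed back, i.e. the client broadcasts into the void."""
    parsed = [parse_frame(f) for f in frames]
    echoed = {dict(p["tags"]).get("Host-Uniq") for p in parsed if p.get("code") == "PADO"}
    return [dict(p["tags"]).get("Host-Uniq") for p in parsed
            if p.get("code") == "PADI" and dict(p["tags"]).get("Host-Uniq") not in echoed]

# Constructed sample: the PADI from the post (client MAC made up) and the PADO that never arrived.
CLIENT, AC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
HOST_UNIQ = bytes.fromhex("C014176001F8FFFF")
PADI = build_discovery("PADI", CLIENT, b"\xff" * 6, 7, [("Host-Uniq", HOST_UNIQ), ("Service-Name", b"")])
PADO = build_discovery("PADO", AC, CLIENT, 7, [("AC-Name", b"ac-constructed"), ("Host-Uniq", HOST_UNIQ)])

if __name__ == "__main__":
    print(len(PADI), "bytes:", describe(parse_frame(PADI)), "| unanswered:", [h.hex() for h in unanswered_padi([PADI])])
```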
#6
I think they mean they only want to access the network locally.

If that's the case, you'd have to create rules on the interface(s) which should have access to the camera network. I suppose something like this:

Interface: LAN (or whichever VLAN you want to access the camera network from)
Protocol: TCP/UDP (or just TCP or UDP, depending on your needs)
Source: LAN net
Destination: IP(s) of the camera, OR the camera network net for simplicity (e.g. CAM VLAN net)
Destination port range: any (if you know the ports your cameras need then use those. If e.g. you simply want to access a web portal to your cameras, use 80 or 443 depending on encryption or not)

I believe you don't need to configure any firewall rules on the CAM VLAN interface.
#7
The devices are all 1000 MBit/s; I made sure of that when purchasing them. I hadn't thought about the cables yet though - good call! I'll check all of those to make sure they're not a bottleneck.

As for the speed indications, do you mean somewhere in the OPNsense GUI? I looked for something like that under Reporting, System, and in the Diagnostics section under Interfaces but couldn't find any speed indications anywhere. Googling didn't yield any useful results either. The only mention of speed indications I could find is in the Interfaces section of my dashboard, where all ports show up as 1000baseT <full-duplex> (as is the case in the code snippets below).
#8
That could be the case.. I'm on a MacBook with only USB-C, so I use an adapter for Ethernet. This is supposed to be a Gigabit device (https://en.sharkoon.com/product/TypeCCombo#specs), but indeed when I connect this to the port which is definitely receiving/giving 250 MBit/s, it maxes out just under 100 MBit/s. I had already tried it with a different device, but smarty-pants me used an old laptop and after a quick ifconfig, I noticed that it only supports 100 MBit/s -.-

So I checked again using iperf, and sure enough I'm getting fairly bad connection speeds over WiFi:
~ % iperf3 -c 192.168.1.1 -p 58447
Connecting to host 192.168.1.1, port 58447
[  5] local 192.168.101.104 port 50626 connected to 192.168.1.1 port 58447
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec  10.8 MBytes  89.7 Mbits/sec
[  5]   1.01-2.00   sec  9.00 MBytes  75.6 Mbits/sec
[  5]   2.00-3.01   sec  9.88 MBytes  82.8 Mbits/sec
[  5]   3.01-4.01   sec  10.4 MBytes  87.0 Mbits/sec
[  5]   4.01-5.01   sec  9.38 MBytes  78.6 Mbits/sec
[  5]   5.01-6.01   sec  8.00 MBytes  67.1 Mbits/sec
[  5]   6.01-7.01   sec  8.75 MBytes  73.4 Mbits/sec
[  5]   7.01-8.00   sec  8.38 MBytes  70.5 Mbits/sec
[  5]   8.00-9.00   sec  10.0 MBytes  83.9 Mbits/sec
[  5]   9.00-10.00  sec  6.88 MBytes  57.7 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  91.4 MBytes  76.6 Mbits/sec                  sender
[  5]   0.00-10.04  sec  91.2 MBytes  76.2 Mbits/sec                  receiver


Similarly, when doing the same test via Ethernet, I get only slightly better and definitely sub-par results:
~ % iperf3 -c 192.168.1.1 -p 42017
Connecting to host 192.168.1.1, port 42017
[  5] local 192.168.1.190 port 50704 connected to 192.168.1.1 port 42017
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  11.2 MBytes  94.2 Mbits/sec
[  5]   1.00-2.00   sec  11.2 MBytes  94.4 Mbits/sec
[  5]   2.00-3.00   sec  11.2 MBytes  94.3 Mbits/sec
[  5]   3.00-4.00   sec  11.2 MBytes  94.5 Mbits/sec
[  5]   4.00-5.00   sec  11.1 MBytes  93.3 Mbits/sec
[  5]   5.00-6.01   sec  11.2 MBytes  94.0 Mbits/sec
[  5]   6.01-7.00   sec  11.2 MBytes  94.4 Mbits/sec
[  5]   7.00-8.00   sec  11.2 MBytes  94.7 Mbits/sec
[  5]   8.00-9.00   sec  11.1 MBytes  93.4 Mbits/sec
[  5]   9.00-10.01  sec  11.4 MBytes  95.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec   112 MBytes  94.2 Mbits/sec                  sender
[  5]   0.00-10.01  sec   112 MBytes  94.1 Mbits/sec                  receiver


I'm not sure if I did this correctly though; ideally I'd want to check the connection between LAN and VLAN, right? The tests above were done from my laptop (in LAN) to the respective IP.

I also tried testing from my OPNsense LAN to VLAN30, but the test results for this in the Iperf tab on the webGUI state 192.168.103.1 as both the local and remote host, despite me having logged into 192.168.1.1 via SSH, where 192.168.1.1 is the LAN IP of my OPNsense. So I'm not sure the results are worth anything:
~ $ iperf3 -c 192.168.103.1 -p 9006
Connecting to host 192.168.103.1, port 9006
[  5] local 192.168.103.1 port 7345 connected to 192.168.103.1 port 9006
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  2.85 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   1.01-2.01   sec  2.84 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   2.01-3.00   sec  2.81 GBytes  24.3 Gbits/sec    0   1.99 MBytes
[  5]   3.00-4.00   sec  2.85 GBytes  24.6 Gbits/sec    0   2.01 MBytes
[  5]   4.00-5.01   sec  2.83 GBytes  24.2 Gbits/sec    0   2.01 MBytes
[  5]   5.01-6.00   sec  2.82 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   6.00-7.01   sec  2.85 GBytes  24.4 Gbits/sec    0   2.01 MBytes
[  5]   7.01-8.00   sec  2.81 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   8.00-9.00   sec  2.84 GBytes  24.3 Gbits/sec    0   2.01 MBytes
[  5]   9.00-10.00  sec  2.82 GBytes  24.3 Gbits/sec    0   2.01 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec    0             sender
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec                  receiver


How do I properly test the connection between the LAN and a VLAN? (Assuming that is indeed what I want to test with iperf...)
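As an added aid (not part of the thread), a Python parser for iperf3 client output that flags the two pitfalls visible in the runs above: a run whose local and remote host are identical (a loopback measurement, as in the OPNsense-to-VLAN30 run), and throughput pinned just under the TCP goodput ceiling of a 100BASE-TX link. The ceiling figures are rules of thumb assumed here, and the sample runs are trimmed copies of the outputs in the post.

```python
import re

CONN_RE = re.compile(r"local (\S+) port \d+ connected to (\S+) port \d+")
# Matches only the final summary rows: "[ 5] 0.00-10.00 sec 112 MBytes 94.1 Mbits/sec ... receiver"
SUMMARY_RE = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+ [KMG]Bytes\s+([\d.]+) ([KMG])bits/sec.*\b(sender|receiver)\s*$")
TO_MBIT = {"K": 1e-3, "M": 1.0, "G": 1e3}
# (link type, nominal Mbit/s, practical single-stream TCP goodput ceiling in Mbit/s). Assumed
# rules of thumb: Ethernet/IP/TCP overhead leaves roughly 94-95 % of the nominal rate.
LINK_CEILINGS = [("100BASE-TX", 100, 95.0), ("1000BASE-T", 1000, 950.0)]

def parse_iperf3(text):
    """Pull endpoints and sender/receiver summary bitrates (in Mbit/s) out of iperf3 client output."""
    result = {"local": None, "remote": None, "sender_mbps": None, "receiver_mbps": None}
    for line in text.splitlines():
        conn = CONN_RE.search(line)
        if conn:
            result["local"], result["remote"] = conn.groups()
        summ = SUMMARY_RE.match(line)
        if summ:
            result[f"{summ.group(3)}_mbps"] = float(summ.group(1)) * TO_MBIT[summ.group(2)]
    return result

def assess(result):
    """Say whether the run measured a link at all, and if so whether it hit a link-speed ceiling."""
    if result["local"] == result["remote"]:
        return "loopback: client and server are the same host, so this measures the kernel, not a link"
    rate = result["receiver_mbps"]
    if rate is None:
        return "no receiver summary found"
    for name, nominal, ceiling in LINK_CEILINGS:
        if 0.85 * ceiling <= rate <= 1.02 * ceiling:   # pinned just under a ceiling
            return f"{rate:.1f} Mbit/s sits at the {name} ceiling: some hop negotiated {nominal} Mbit/s"
    return f"{rate:.1f} Mbit/s: no link-speed ceiling pattern"

# Constructed excerpts (connection line plus summary rows) modelled on the three runs in the post.
WIFI_RUN = """[  5] local 192.168.101.104 port 50626 connected to 192.168.1.1 port 58447
[  5]   0.00-10.00  sec  91.4 MBytes  76.6 Mbits/sec                  sender
[  5]   0.00-10.04  sec  91.2 MBytes  76.2 Mbits/sec                  receiver"""
ETHERNET_RUN = """[  5] local 192.168.1.190 port 50704 connected to 192.168.1.1 port 42017
[  5]   0.00-10.01  sec   112 MBytes  94.2 Mbits/sec                  sender
[  5]   0.00-10.01  sec   112 MBytes  94.1 Mbits/sec                  receiver"""
LOOPBACK_RUN = """[  5] local 192.168.103.1 port 7345 connected to 192.168.103.1 port 9006
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec    0             sender
[  5]   0.00-10.00  sec  28.3 GBytes  24.3 Gbits/sec                  receiver"""

if __name__ == "__main__":
    for label, run in (("wifi", WIFI_RUN), ("ethernet", ETHERNET_RUN), ("opnsense->vlan30", LOOPBACK_RUN)):
        print(label, "->", assess(parse_iperf3(run)))
```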
#9
Quote from: hushcoden on May 08, 2024, 09:55:08 PM
some apps work such as browser, YouTube & Netflix whereas others don't, e.g. I cannot even try to update the TV OS or some of the installed apps as I get a network error (but everything works if there is no VPN).
Sounds like maybe your smart TV is somehow programmed to use a hardcoded DNS, and if that isn't reachable it just defaults to a network error? I don't know the first thing about smart TVs cause I never own(ed) one, but hardcoded DNS seems to be a common thing among IoT. You could try setting an override in your local DNS for whichever IP the TV wants to connect to for DNS. Say it's looking to connect to 1.1.1.1, so you set an override for 1.1.1.1 to go to e.g. 9.9.9.9. I'm not sure this would work, but might be worth a shot.

Quote from: hushcoden on May 08, 2024, 09:55:08 PM
with VPN the DNS IP address is the ProtonVPN one (10.2.0.1) and with no VPN the DNS IP address listed is the same as the gateway that is 192.168.10.1  ???  ::)

This is to be expected, I believe, since in standard networks, the gateway often acts as a DNS server, too. Can other hosts in the 192.168.10.0/24 net resolve DNS queries (or rather, have them resolved by the DNS)? If not, then your DNS is likely the culprit.
#10
Ok good to hear; so there's probably something wrong with my config or potentially hardware (though I believe the HW should be fine). And yeah, I can see the interfaces fine and they don't seem to have any issues. They're all recognized as 1000baseT full-duplex, which is expected:

igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN (lan)
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether [REDACTED]
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: VLANs (opt5)
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether [REDACTED]
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan02: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: PERSONAL (opt2)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.101.1 netmask 0xffffff00 broadcast 192.168.101.255
groups: vlan
vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan03: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WORK (opt3)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.102.1 netmask 0xfffffffc broadcast 192.168.102.3
groups: vlan
vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan04: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: GUEST (opt4)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
groups: vlan
vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan05: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: DMZ (opt6)
options=4000000<NOMAP>
ether [REDACTED]
inet 192.168.104.1 netmask 0xffffff00 broadcast 192.168.104.255
groups: vlan
vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


Could this have something to do with different-size netmasks? I wouldn't think so, but that's the only apparent difference I can think of (VLAN20 is a /30 net, while the others are /24).
#11
Quote from: mimugmail on May 08, 2024, 07:16:51 PM
Sound like you mixed the masks with /24 and /32, may read the docs again

You're right, thank you! I had put 0.0.0.0/0 in the Allowed IPs field thinking I want to allow all traffic through the VPN. But that setting is done on the client, not the server... Thanks again; made my day!
#12
Sorry, I think my reply can be misunderstood. What I mean is that I think you should add a rule like the one below the default LAN rule in my screenshot.

So basically, you have to create the Port Forward on the interface that should be routed through ProtonVPN, so LAN2 in your case:
Interface: LAN2
Protocol: TCP/UDP
Source: LAN2 net
Destination port range: DNS DNS
Redirect Target IP: 10.2.0.1
Redirect Target Port: DNS

I'm not sure this is the best way to do it, and I'm unaware of any downsides this might have to different setups, but it is working very well for me. dnsleaktest . com shows only ProtonVPN servers in the extended test.

Regarding additional firewall rules, I believe I only implemented the ones from the OPNsense guide. See if the Port Forward from above works for you and if you still have leaks, we can see if additional rules might be necessary! :)
#13
Quote from: hushcoden on May 08, 2024, 10:03:38 AM
Should I use a port forward?

I did this for a network that is also supposed to be routed via ProtonVPN, and it works like a charm. I've attached a screenshot of the respective rule, where the redacted parts are the name of the interface.
#14
So I just tested this again and it seems like there might be a bug, else I don't understand this behaviour.

I created a WireGuard instance as per the road warrior documentation to connect my phone to my network, and it worked like a charm. I could reach both the Internet and my local network perfectly fine. I then proceeded to add a peer for my laptop, which also worked like a charm.

However, when I now try to connect with my phone, the handshake succeeds, but I can't connect anywhere anymore. Trying to access anything in my local network or the Internet results in timeouts. I checked the WireGuard logs and the firewall live view, but they don't show any obvious hints.

I already went through this a second time because I thought it may be my configuration or I missed something the first time around, but that does not seem to be the case as the exact same thing happened again. What surprises me is that it was working in the first place, so it shouldn't be a connection issue. And the handshake succeeds too, so it seems the connection gets established.

What might be the reason for this? And more importantly, a solution?
#15
Hi,

I noticed one of my VLANs is getting full throughput (the full 250 Mbit/s from my ISP), while both the LAN and other VLANs are only getting around 100 Mbit/s. I verified this via Ethernet connected to the managed switch that sits behind the OPNsense.

When I plug the cable into a port of VLAN20, I get 250 MBit/s. When I plug it into a port of LAN or VLAN10, I get the aforementioned 100 MBit/s. I would assume that, when there isn't any traffic on VLAN20, VLAN10 and LAN should get the same speed as VLAN20 does, right? Is there anything I can do to gain the full 250 MBit/s on those interfaces that aren't getting the full speed?

I didn't (knowingly) create any rules or set any settings that would cause this behaviour, especially since the VLANs are all configured pretty much the same (except for obvious things like IP addresses etc.).