Messages - RDLsysadmin01

#1
General Discussion / Negotiated Speeds on/off Bridge Mode
November 14, 2024, 07:22:32 AM
So I have a weird issue going on. When I use the bridge mode and add all my ports not being used by WAN I get a negotiated speed of 1000baseTX<full-duplex> but when I use just one port (on the same nic) and delete the bridge then assign that one port as my LAN port, I only get 100baseTX<half-duplex> and I'm perplexed at how the same exact nic, same exact switch and same exact cables can have 2 different speeds...?

Here's my setup:
I have an old Dell Optiplex 5080 with some type of 4 port add on NIC in it. (I don't know the specs of it off the top of my head). When I have em0, em2, em3 and em4 (em4 is the integrated NIC on the MB but I don't use it because it really is only capable of 100baseTX) added to a bridge and em1 is my WAN port, I can set the LAN interface to use the bridge and I get 1000baseTX<full-duplex> as expected because ifconfig says all the ports on the 4 port card are 1000baseTX<full-duplex> capable.

When I switch it so there is no bridge and em0, em2, em3 are used specifically as the LAN port assignment (individually set of course. Not all at once. I used each one to test separately) I get 100baseTX<half-duplex>..... What the heck...? How can it be 1000baseTX<full-duplex> one way and only negotiate 100baseTX<half-duplex> the other way???? How can I tell OPNsense that it needs to negotiate for 1000baseTX<full-duplex> (because it did before on the bridge) and not this limited 100baseTX<half-duplex>????

Thanks for the help in advance.
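A quick check for the negotiation problem described in this post, added here as an example and not part of the original post or of OPNsense: it parses FreeBSD `ifconfig` output (a constructed sample modelled on the em0/em1 situation above), lists every link that came up half-duplex or below gigabit, and prints the `ifconfig` media command that would pin a port. The interface names and the sample output are assumptions.

```sh
#!/bin/sh
# Added example (not from the forum post): scan FreeBSD/OPNsense `ifconfig`
# output for links that negotiated half-duplex or below 1000 Mbit/s.
# SAMPLE is constructed to mirror the post: em0 came up 100baseTX half-duplex
# while a sibling port on the same card is 1000baseT full-duplex.
SAMPLE='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em4: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect
        status: no carrier'

# flag_links: read ifconfig text on stdin; print "ifname speed duplex" for
# every interface whose negotiated media is half-duplex or not 1000baseT.
# Interfaces with no negotiated media (no carrier) are skipped.
flag_links() {
    awk '
    /^[A-Za-z]/ { ifn = $1; sub(/:$/, "", ifn) }
    /media:/ && match($0, /\([^)]*\)/) {
        neg = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "100baseTX <half-duplex>"
        n = split(neg, p, " ")
        speed = p[1]; dup = (n > 1) ? p[2] : "unknown"
        gsub(/[<>]/, "", dup)
        if (dup == "half-duplex" || speed !~ /^1000/) print ifn, speed, dup
    }'
}

# pin_media: the FreeBSD command that forces one interface to gigabit
# full-duplex. Use it only when the switch port is pinned the same way:
# forcing one side while the other autonegotiates is itself a classic
# cause of half-duplex links.
pin_media() {
    printf 'ifconfig %s media 1000baseT mediaopt full-duplex\n' "$1"
}

printf '%s\n' "$SAMPLE" | flag_links
```

Half-duplex on a port that is otherwise gigabit-capable almost always means autonegotiation failed on one end: a port that autonegotiates against a peer with a fixed speed and duplex falls back to half-duplex by parallel detection. Pin both ends or neither. OPNsense exposes the same media setting per interface as the "Speed and duplex" option on the interface's configuration page, and `pciconf -lv` shows which driver claims each PCI NIC if the card's capabilities are in doubt.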
#2
Hello everyone, I want to say thank you in advance to anyone who can help me out on this issue. It's an odd one for me and everything I'm seeing online says I should be able to fix this easily but the options seem not to be there.

My problem is when I click on a VPN interface I had created in order to enable it, I get an error when I click the enable check mark followed by the save button. This error implies I have a DHCP server running on the VPN connection and to disable it before enabling the interface but I can't seem to find the interface listed under the ISC DHCPv4 list for me to enable/disable the server.... So I'm confused about how DHCP is enabled if the interface isn't showing in the DHCP list of interfaces....???

I'm guessing only enabled interfaces show under the DHCP list but since mine isn't enabled it's not showing so I can't modify it through the GUI? Or maybe I'm overthinking it and there is a simple answer I've missed in the forums somewhere?

I've attached screenshots of the error and my DHCPv4 listings and none of the listings are the VPN. I've blocked out some name info for security reasons.

Any help would be appreciated, thanks!

UPDATE:
So someone private messaged me and told me to try a few things, one of those solutions was to simply delete the interface and re-add it so I did that and it worked. Not sure what the actual problem was but hopefully this solution helps others in the future.
#3
Quote from: Patrick M. Hausen on August 01, 2024, 05:18:53 PM
First, the link to Aliexpress shows a device with 4 SFP+ ports.

Patrick, thank you for the added information and for pointing out the discrepancy in my Aliexpress link. I honestly had not noticed there were 4 ports on that one. I simply went to my order history so I assume they updated it with a 4 port version at some point. I would imagine you are probably right about the board being the same and that's why 4 ports show instead of only 2.

I have a theory I'm chasing down now and will come back and update this entire post accordingly.
#4
I have updated the original post with an additional image and more details in the "Update" section.
#5
Thanks for your reply! What I'm confused about is if they are the SFP+ ports, when I plug them into something like a PC or a network switch I get no UP status no matter how long I wait and why are there 4 ix ports listed if I only have 2 SFP+ ports?

In the video of this unit running on pfsense, there are only 2 ix ports listed. One for each SFP+ port. Not 4 ports like this one is showing.
#6
UPDATE: Please see attached images and update section below original post for additional info.

First off I want to thank anyone ahead of time for any thoughts, assistance or info you can provide to help me solve my small problem.

I recently purchased a no-name firewall appliance for testing purposes at my work and wanted to see how it performed up against something of similar specs like a fortigate or cisco firewall which we have both of as backups/old units no longer in use. I was doing this to figure out the viability of using this firewall in a smaller branch out on the east coast that was going to have no more than 50 employees and maybe 80 devices in total connecting to the internet.

The device I purchased is this one but it was configured with the 16gb RAM and 128gb NVME storage (not that it matters since it came with onboard storage built in to the motherboard as well).

Here is the device - https://www.aliexpress.us/item/3256805052221179.html?spm=a2g0o.order_list.order_list_main.11.7e3a1802ogif1w&gatewayAdapt=glo2usa

Here is a video on said device - https://www.youtube.com/watch?v=a3EMMYTdOYo

Now, here is my "problem" (Not really a huge issue but definitely something I'd like to figure out if possible), I can't get the 2 SFP+ ports on this device to work/show up in the OPNsense GUI and quite frankly I'm not familiar enough with the CLI and what commands to issue to see if it shows up there either. I would assume it isn't because from what I understand, if it shows up in the CLI it shows up in the GUI???

Now, here's the real doozy of a headscratcher... The GUI does show 6 igc ports (igc0, igc1, igc2, igc3, igc4, igc5) like it should because there are 6 RJ45 ports at 1gb each connected to a 2.5gb processing card for each one. I know this because the guy in the video ran the numbers and figured out that they are 2.5gb nics operating at 1gb speeds each. (NOTE: The SFP+ Ports as indicated in the video as well, do not go through the 2.5gb NICS and rather are directly connected to the CPU which in my case is an Intel(R) Atom(TM) CPU C3758R @ 2.40GHz (8 cores, 8 threads) so there should be no limiting factor on the SFP+ ports in terms of speed other than the processor's ability/load)

Now outside of the igc ports I also see 4 ix ports (ix0, ix1, ix2, ix3) listed as well. All the igc and ix ports are listed under the drop down menu on the "interfaces ---> assignments" page in the GUI. See attached picture

So I guess I have 2 problems now that I think of it... 1 being why do I have 4 ix ports that don't do anything or change in terms of up/down status no matter what I do (they are always down) and problem 2 is if the ix ports are not the SFP+ ports broken out (which is one theory of mine - ix0 being SFP+ Port number 1 downlink and ix1 being SFP+ port number 1 uplink - but I honestly have no idea if that's how they work or not I'm just shooting theories out) then where are the ix ports being allocated or seen at/what is making them appear in the GUI?

I hope I've been clear enough on my problem but just in case I've not been, my main question is how do I get my 2 SFP+ ports on this 3rd party cheap china firewall to work or is there a way for me to run a command to figure out what the ports are listed as hardware wise so I can see if they are supported or not and my second less pressing problem is where are the ix ports coming from since I only have 2 SFP+ ports and the system is listing 4 of the ix ports???

It's probably also worth mentioning that this particular firewall has a couple other options like being able to use a cellular card and sim card combo to connect to the internet over cell towers and a few other odd bits as covered in the video BUT on pfsense in the video, he is able to see ix0 and ix1 as the 2 SFP+ ports. Granted that's pfsense not opnsense so I know there are differences there.

I should probably also mention that when I connect an RJ45 cable to the SFP+ port using an adapter (This adapter to be exact - https://www.amazon.com/gp/product/B01KFBFL16/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1) I get a link light on the device itself but no matter how long I wait the ix ports in the GUI never turn from red to green.

Again, this isn't a huge issue for me as the 6 igc ports at 1gb is fine for the application this firewall is in/going in but if I can get the 10gb SFP+ ports working, I would be very happy.

Thanks again to anyone for providing feedback, help, thoughts and whatever info you have on this.


-----------------------------------------------------------------------------------------------------------------------------
UPDATE SECTION:

So I was able to finally find out that ifconfig -v was the command I needed in order to list out all my PCI devices, their associated info and what they were classified as. I've attached an image to help clarify. As you can see from that image, ix0 and ix1 are listed as the SFP+ ports so it is in fact seeing them but then why are they not able to be brought online/up when something is plugged into them?????? Any help would be greatly appreciated!

UPDATE #2:
So after some playing around with the interfaces and cables I rebooted the machine just to start fresh and what do you know.... The good 'ole "have you turned it off and back on again" method actually worked. Once it was rebooted it would allow me to plug and unplug cables into the SFP+ Ports and it saw them accordingly and let me use them. Curiously enough though, the speeds are horrible on them. Not sure why but I get a much lower (about 1/2) speed on download and extremely low (1/10th) speed on Upload when using the SFP+ Ports. I'm not really sure what happened there. And another issue is when switching the LAN over to that port, the whole network goes down and doesn't come back up. Even after a reboot it still does not connect. It acts like it's disconnected at the port but it's not. So more tweaking and experimentation and I'll post my results here when I get around to it.

Thanks everyone for your help!
#7
Thanks guys!
#8
General Discussion / Re: VLAN Traffic Issues
July 18, 2024, 02:17:14 PM
Quote from: Seimus on July 18, 2024, 11:30:33 AM
You have multiple ways to fix this if it's DNS server related:

1. [Easy] Use the IP of the server instead of its hostname
2. [Easy] On OPNsense DHCP set the DNS server to be your standalone DNS server
3. [Depends on your skills] Create proper pools on your standalone DHCP server & on OPNsense create a relay to forward DHCP to the server


Okay so I was able to fix it. I chose your option 2. I feel kind of stupid for not seeing it before but there is an option for the DNS server in the AccesscontrolVLAN under "Services ---> ISC DHCPv4 ---> AccesscontrolVLAN" so I set the correct DNS server (It had the gateway of the vlan in it instead) and now it works. I don't know why I didn't notice that before when setting it up but now it all works as it should. Thanks guys for all the help! And especially thanks for dealing with my newbie-ness.
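The root cause confirmed in this post and worked through in the next one (the VLAN scopes handing out the firewall's own VLAN gateway as DNS instead of the domain controller) is easy to audit and to express as the corrected configuration. The script below is an added example, not code from the thread or from OPNsense: it reads a constructed table of scopes, flags every scope whose advertised DNS server is not the internal resolver, and emits the ISC dhcpd subnet stanza you would put on a standalone DHCP server behind a relay (Seimus' option 3). The DNS server address 192.168.1.10, the interface name GuestWiFiVLAN and the pool ranges are assumptions; the posts only say 192.168.1.x and "Guest WIFI VLAN".

```sh
#!/bin/sh
# Added example, not from the thread. Audit DHCP scopes (constructed here from
# the thread's description) and report VLAN scopes whose advertised DNS server
# is the scope's own gateway (the firewall) rather than the internal resolver
# that actually knows the domain's hostnames.
INTERNAL_DNS=192.168.1.10   # assumed address of the DC/DNS server (post says 192.168.1.x)

# columns: interface subnet gateway dns-advertised
# "GuestWiFiVLAN" is an assumed name for the ID 100 guest VLAN.
SCOPES='LAN               192.168.1.0/24  192.168.1.1   192.168.1.10
AccesscontrolVLAN 192.168.10.0/24 192.168.10.1  192.168.10.1
GuestWiFiVLAN     192.168.11.0/24 192.168.11.1  192.168.11.1'

# scopes_with_wrong_dns: print "iface advertised-dns" for every scope that
# hands out anything other than $INTERNAL_DNS.
scopes_with_wrong_dns() {
    printf '%s\n' "$SCOPES" | awk -v want="$INTERNAL_DNS" '$4 != want { print $1, $4 }'
}

# dhcp_fix: emit the ISC dhcpd subnet stanza that corrects one scope, for the
# case where the scopes move to the standalone DHCP server behind a relay.
# The pool range .100-.199 is an assumption; prints nothing for unknown names.
dhcp_fix() {
    iface=$1
    printf '%s\n' "$SCOPES" | awk -v i="$iface" -v dns="$INTERNAL_DNS" '
    $1 == i {
        split($2, a, "/"); split(a[1], o, ".")
        base = o[1] "." o[2] "." o[3]
        printf "subnet %s netmask 255.255.255.0 {\n", a[1]
        printf "  range %s.100 %s.199;\n", base, base
        printf "  option routers %s;\n", $3
        printf "  option domain-name-servers %s;\n", dns
        printf "}\n"
    }'
}

echo "scopes advertising the wrong DNS server:"
scopes_with_wrong_dns
```

Option 2 from the thread is the same correction made on the firewall itself: the DNS server field under "Services ---> ISC DHCPv4 ---> <VLAN>" is what ends up in the DHCP offer. Whichever side hands out the leases, remember the rule side: the any-any pass rule on the VLAN is what currently lets port 53 reach 192.168.1.x, so if those rules are later tightened (as the quoted reply notes) the VLAN needs an explicit pass for TCP and UDP 53 to the internal DNS server, and a guest VLAN should get only that plus a block for the rest of 192.168.1.0/24, rather than the current any-any.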
#9
General Discussion / Re: VLAN Traffic Issues
July 17, 2024, 09:21:00 PM
Quote from: Seimus on July 17, 2024, 08:30:58 PM

If you do the same but trying to reach the File Server you should see exactly the same behavior but different protocol and ports.

Unfortunately I do not see the same behavior. On windows 10 with CMD I can run ipconfig and it will show me my VLAN address of 192.168.10.x and then I can type ping 192.168.1.x being the file share server and I get a reply. Same thing if I go into file explorer and type the ip address \\192.168.1.x\ in the file explorer search bar.

It does not work though when I use the server name. If I do ping ServerName I get no response and same if I try accessing in file explorer using \\ServerName\


Quote: Could be. Try to do it from the machine where it's not working, in CLI or Konsole. If it can't translate, e.g. no IP is provided, you know for sure.

Like stated above, when I try to ping/access the server I can get ping and access to work using IP but not ServerName.


Quote: Yes, you can tell your DHCP server (OPNsense in this example) what DNS server to advertise within the DHCP offer.
Yes, you can route between two or more different networks, that's why we call such devices routers.
If you keep your any-any rule as is, traffic for DNS will be permitted to the DNS server you choose. If you remove that rule and want to do explicit rules, then you also need to create a rule IN permitting DNS traffic.

So I have not changed my any rule and I do have my DNS server listed in "System ---> Settings ---> General ---> DNS Servers" and it is an address on my default network of 192.168.1.xxx with gateway set to none

Is that an appropriate setup so the VLANs use that DNS server? Also, unbound DNS & OpenDNS are both disabled so I believe it should be using the DNS server in "System ---> Settings ---> General ---> DNS Servers"



Quote: P.S. you can even use a DHCP server other than OPNsense, just by creating a relay on OPN; the OPN will forward DHCP discovery to the dedicated DHCP server. If your DHCP server can offer addresses for multiple networks it's not a problem (I have this setup, as I have a DNS/DHCP/NTP server standalone from OPN)

Can you explain the "Relay" function you mention here? I have a DHCP/DNS/NTP server on my default network of 192.168.1.0/24 which is what I have programmed into the DNS server section at "System ---> Settings ---> General ---> DNS Servers" so in theory it should be using that server for DNS but your comment implies that the VLANs may also be able to use it? Can you help me understand how?

Do I just need to turn DHCP off on the VLANs and create new scopes on my DHCP server that match those subnets and then it will work or am I oversimplifying that/completely wrong?

I've attached images of the DNS Server section of OPNSense as well as a screen grab of my DHCP Server Scope Settings with some info blocked for security reasons but you should be able to understand it. As you can see I only have one scope on my DHCP server and it's 192.168.1.1-192.168.1.250 with a few addresses excluded from that range. Do I simply need to make 2 other scopes that encompass the VLANs' subnets and then turn off DHCP on the VLANs????


Thanks again!
#10
General Discussion / Re: VLAN Traffic Issues
July 17, 2024, 06:25:16 PM
Seimus,

Thanks again for your speedy reply. You asking me to do some of this stuff led me to a discovery.

I have attached the requested screenshots but I believe I have figured out the issue. As you can see in the screenshot for the Live view, the traffic is passing correctly from the AccesscontrolVLAN to the LAN. That's why I'm able to ping everything. (IPs are blocked out for security)

I discovered through the file explorer under my pc where network stores shows up that one of the stores was working and one was not. I had not previously looked at that particular page as I was using file explorer to connect to the stores I wanted directly in the file explorer address bar. This led me to looking at the properties of the 2 stores which as you can see, they are both the same NTFS file system type but again one is working and one is not.

I further investigated and figured out that the one that is working was created based on its IP address and the one that is not working was created based on PC name not the IP of that server which is 192.168.1.x as you can see in the filter.

This should mean that it's a DNS problem correct? I believe it's due to the fact that my VLAN has a DHCP and DNS server of the firewall while my default network DHCP and DNS server is not the firewall but rather my internal Domain Controller that is also on the default network.
Does that mean I can make the VLANs use my default network DNS server of 192.168.1.x and it'll work?
Is it even possible to route DNS traffic on the VLANs to my default network DNS server since the subnets are different? BTW: The default network DHCP/DNS server is also the domain controller for my network.



Cookiemonster,

I'm still fairly new to all this. Can you describe in more detail what you mean by tagged and untagged? The unifi switch routes all traffic to "Third-Party-Router" for all networks. One network is the default network which routes traffic to the OPNsense firewall 192.168.1.0/24 network. The VLANs in OPNSense are configured with Tags 10 and 100 depending on the VLAN. The unifi switches are also configured with those tags. Traffic seems to be routing correctly but maybe I have missed something or am not aware of best practices for how it should be set up?
#11
General Discussion / Re: VLAN Traffic Issues
July 17, 2024, 05:39:47 PM
Seimus,

Thank you for the clarification. I do not currently have any WAN rules set to open other than a couple for my servers that host websites. Those work fine and I do not believe those would conflict with my VLAN as the rules apply to my default network (192.168.1.0/24) not the VLAN networks.

As far as the rules for my AccesscontrolVLAN, see the attached photo for details on those rules. I did not know that OPNSense blanketed outgoing connections but it makes sense. In the attached picture there is an out rule, could that be causing issues or is it basically null/void because of OPNSense having the default out allow configuration you spoke of?
#12
General Discussion / [SOLVED] VLAN Traffic Issues
July 17, 2024, 05:15:34 PM
Hi everyone,

I don't think this is the right place to post this issue but after 30 minutes or so of searching the various forum topics, using the search bar and looking for a "problems" forum, I can't seem to find any solution to my problem. Admins, please feel free to move this post if you want or point me in the direction of where I can post this so it's in the accurate spot.

First off: Thank you in advance to anyone who can help me with my issue!
Secondly: Please bear with me as I'm brand new to OPNSense and have not had much formal education on systems like it. I've mainly only ever used residential systems and made them work for my purpose.

Setup: I have a firewall with OPNSense installed that has 6 RJ45 ports (igc0, igc1...etc) operating at 1gb each and 2 SFP+ ports operating at 10gb each but those 2 SFP ports do not register in OPNSense. (Or maybe they do? It shows 4 ix ports under the drop down in the "Assignments" tab but when I plug an RJ45 cable into the SFP+ to RJ45 adapters and the light comes on, no matter what, nothing changes in OPNSense as to any ports activating but that's a separate issue)
My WAN connection is on igc0 and my LAN connection on igc1.
I have 2 VLAN networks setup with both of them having igc1 (IE: the LAN interface) set as the parent under "Interfaces ---> Other Types ---> VLAN"
The first VLAN has an ID of 10 and is the Access Control VLAN for my Access control RFID door readers and has a subnet of 192.168.10.1/24
The second VLAN has an ID of 100 and is the Guest WIFI VLAN for my Aruba Instant On Access Points with a subnet of 192.168.11.1/24
I also have several Ubiquiti Unifi POE+ switches that all my equipment is plugged in to. These are set up to use VLAN network 10 and VLAN network 100 tags as well as the default network which is my standard 192.168.1.0/24 network that everything not assigned to a VLAN operates on. I can change individual ports to run on the 2 VLAN networks using these switches and when I change anything from the default network to one of the VLANs using the management portal of the switches, that device connects to the appropriate VLAN and obtains a DHCP lease from the firewall since DHCP is turned on for each VLAN.

It's worth mentioning that the default network (IE: 192.168.1.0/24 network) is set up without DHCP in the firewall as I have my own DHCP/DNS server which is a windows 2019 server.


Here's my main problem: When I am connected to the default network (IE: 192.168.1.0/24) and try to ping any of the devices on the VLANs or on my default network, it works just fine. I can also access my file shares on my default network because I'm connected to my default network (duh right?). When I'm on either VLAN network however, I can ping anything on the default network but I cannot access any of my file shares on the default network presumably because I'm on a different subnet?

Now obviously, windows firewall would prevent me accessing the file shares from a different subnet but the firewall for that server (Let's call that server App1) is disabled so that's not the problem and once more, I can ping App1 from either VLAN, I just can't access the file shares. I do have 2 firewall rules in the firewall rules section under the VLANs that state:

Firewall Rule #1 in the top position:
Action: Pass
Quick: Enabled
Interface: AccesscontrolVLAN (The name of the VLAN Interface as well)
Direction: in
TCP/IP Version: IPv4
Protocol: Any
Source: Any
Destination: Any

Firewall Rule #2 in the bottom position:
Action: Pass
Quick: Enabled
Interface: AccesscontrolVLAN (The name of the VLAN Interface as well)
Direction: out
TCP/IP Version: IPv4
Protocol: Any
Source: Any
Destination: Any

Now from what I understand about OPNSense, it uses the firewall rules of the VLAN (in this case the AccesscontrolVLAN) to route traffic in/out of that VLAN to the WAN and LAN interfaces and that the WAN and LAN interfaces are basically "Open" and do not block anything to VLANs so you have to control all the VLAN traffic using the rules under the specific VLAN you want to apply those rules to? So in this particular case, there should be nothing stopping me from accessing the default network servers, shares, etc... from the VLANs since I basically have a rule that says all traffic in and another rule that says all traffic out of the VLANs is supposed to be accepted... Right??? or am I crazy/missing something?

Again, I can ping anything on the VLANs from my default network and vice versa I can ping anything on my default network from my VLANs but I cannot access/open a file share in windows file explorer if the file share is located on my default network and I'm trying to access it from the VLAN.

Sorry for the lengthy post, I just wanted to make sure I provided as much info as needed to make sure I'm not missing something important.

Thanks again to anyone who can help me out with this issue!