Messages - Boomshiko

#1
I haven't been able to clear a moment to test some stuff yet, but think I'll soon be able to. Wanted to check something, are there some issues with PowerD and IDS/IPS?

I do have PowerD enabled, and it might contribute to some of my woes?
#2
From the information I gather online, I guess that the following two points are relevant.

  • My Opnsense device has Realtek NICs
  • I'm running VLANs (both on the LAN and WAN side by the way, the latter because of ISP requirements)

Historically there have been issues with the driver and netmap/MTU-things (I can find only vague information about this).

So I'm guessing these are some things to try (your advice needed here)

  • Use the official Realtek driver
  • Changing some netmap/MTU related settings via tunables (but which ones?)
  • Something else?
#3
Yesterday evening I enabled IDS and IPS on my Opnsense setup (running version 24.7.4_1, using Hyperscan as pattern matching algorithm, monitoring my LAN interface in promiscuous mode as I have two VLANs set up on the LAN and all hardware offloading and filtering disabled).

All seemed to be going well. My setup has 8GB of RAM of which about 30% was being used after the rules were loaded and when I ran a speedtest I got my usual 930/930 Mbit/s performance without maxing out the CPU. I left everything as is for a few hours and then came back to test something on my Wireguard setup. I ran a speedtest twice from a Wireguard client. The first one went fine, but after the second I noticed that I lost all connectivity. When I closed the VPN connection I was still without connection, and then I realised none of my devices have any connection to the router anymore. There was no way for me to connect to the router via my LAN anymore.

I rebooted the mini-PC on which I'm running Opnsense and that thankfully restored all connections. To rule out if it was anything VPN related, I again ran speedtest two or three times (this time without VPN) and again all connectivity was lost.

I have disabled IDS and IPS since and I can speedtest whatever I want without the LAN-connectivity crashing. I have tried looking in the logs (System -> Log Files and Services -> Intrusion Detection -> Log File). These are the ERROR level messages I can find at the time of the crash:

--- System | Log Files | General ---
2024-09-22T22:20:56   Error   opnsense   /usr/local/etc/rc.newwanip: The command '/usr/local/etc/rc.d/igmpproxy onestart' returned exit code '1', the output was 'igmpproxy already running? (pid=14925).'   
2024-09-22T22:20:56   Error   opnsense   /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '1', the output was 'daemon control: got EOF'
2024-09-22T22:20:44   Error   dhcp6c   transmit failed: Can't assign requested address
---

After that I find some more errors, but it seems to me they are related to the shutting down and/or boot procedure

--- System | Log Files | General ---
2024-09-22T22:22:26   Error   opnsense   /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '87406''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 87406: No such process'   
2024-09-22T22:22:15   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '88443''(pid:/var/run/dhcpleases6.pid) returned exit code '1', the output was 'kill: 88443: No such process'   
2024-09-22T22:22:15   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '87406''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 87406: No such process'   
2024-09-22T22:22:12   Error   opnsense   /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '88443''(pid:/var/run/dhcpleases6.pid) returned exit code '1', the output was 'kill: 88443: No such process'   
2024-09-22T22:22:12   Error   opnsense   /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '87406''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 87406: No such process'   
2024-09-22T22:22:10   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '88443''(pid:/var/run/dhcpleases6.pid) returned exit code '1', the output was 'kill: 88443: No such process'   
2024-09-22T22:22:10   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '87406''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 87406: No such process'
---

I don't really know how to find out what's going on from here. Any help is appreciated, though it might take me a while to try out your hints as purposefully blowing out my whole internet connection can only be done at night.

#4
Quote from: frozen on December 01, 2023, 07:13:43 PM
Hi there, I followed these instructions but it has not worked for me.  Xbox is reporting it's still STRICT when I do the network test.

I created an Alias named CONSOLES which contains the static IP address of both my Xbox and PS5, and then thought I followed the instructions in your screenshot to create the entry as described - but no success at all. I have pressed APPLY changes of course.

Today I spent some time figuring out how to get NAT Open and NAT Type 2 on Xbox and PlayStation respectively. Since I found this thread when googling for other people's attempts, I'm just leaving this comment for other future readers.

Microsoft and Sony follow different approaches, so you can't just copy/clone the rules for one system to the other. The major difference is that Xbox communicates from the port that you can manually select in the Xbox settings, whereas PlayStation communicates to some ports (3478:3480).

Xbox therefore requires setting up an outbound NAT rule on the predefined source port (in combination with a port forward). PlayStation just needs the outbound NAT rule mentioned here.
#5
Quote from: meyergru on September 07, 2024, 05:13:29 PM
You must have changed your config somehow and you can track every difference in the configuration backup section. You can compare your current (working) configuration to a known bad configuration if you want to know.

Wasn't aware of this section, thanks for that hint! Pinpointed the problem now and leaving this behind for any future readers:

The problem was in my MTU setting on the PPPoE interface. My ISP claims that the PPPoE tunnel has an MTU of 1500, therefore many Opnsense×my ISP-guides claim a 1508 MTU needs to be inputted. This is incorrect. The MTU setting should just be left blank.

Now, I did try many different settings of the MTU, saved and hit apply changes. System -> Routes -> Status will show that that interface has the new MTU. But the new MTU setting isn't in effect. For some reason (I do not know what, maybe driver related??) my setup needs a reboot after changing the MTU setting. Only then the new MTU setting is in effect.
#6
The thing is, they're enabled now and all still works. It's very vague to me what's going on and would still like to know.
#7
Quote from: Boomshiko on September 06, 2024, 04:34:41 PM
I did try enabling RSS. But whether I did correctly, I'm not sure. Not at home right now, when I'm home and free I'll enable it again and paste the settings here.

I'm somehow getting 930/930 Mbit/s results now, but I wouldn't be able to tell you why. I was going through all my settings to make sure everything was back to default. I noticed that in Interfaces -> Settings, I had unchecked the disable hardware offloading settings and enabled hardware VLAN filtering (I did this after testing 930/810).

So I checked the boxes again, disabled VLAN hardware filtering and rebooted Opnsense. Afterwards I tested 930/930.

To verify that my speed loss was related to these settings, I undid what I just did (unchecked the boxes again and enabled hardware VLAN filtering) and rebooted again. I again tested 930/930.

So something happened when I rebooted Opnsense. But I really don't understand what changed since I did reboot Opnsense many times in the last few days when changing and reverting some of the ISR and RSS related tunables for example.

So now I'm happy my setup performs as it should, but upset that I can't reproduce the issue. Still don't know what's going on!
#8
Quote from: Seimus on September 06, 2024, 04:27:11 PM
Not sure if I recall correctly but PPPoE is a bit tricky, I know there are posts on the forum where people were dealing with something similar in regards of PPPoE. You tried as well tunables, specifically did you enable RSS? And did you have it properly configured?

Regards,
S.

I did try enabling RSS. But whether I did correctly, I'm not sure. Not at home right now, when I'm home and free I'll enable it again and paste the settings here.
#9
Quote from: Seimus on September 06, 2024, 04:11:54 PM
Do you have a shaper configured?

Regards,
S.

I do not. Is it something I should have in place?
#10
Hello all. I have a symmetrical 1 Gbit/s FttH connection at home.
I switched from my ISP provided router to a mini PC running Opnsense this week. Let me first mention the issue I'm encountering before detailing my setup and what I've tried to determine the cause.

Issue
On my ISP provided router, whenever I ran the Ookla speedtest I would get 930/930 Mbit/s down/up results. Since I switched to Opnsense, I consistently get 930/810 Mbit/s results.

Setup
My mini PC is an MSI Cubi N ADL. It has an Intel N100 processor, 8 GB RAM, 512 GB SSD and two Intel 1 Gbit/s capable NICs.

My ISP splits the network on the WAN side. It uses PPPoE on VLAN6 for regular internet, VLAN4 for IPTV and VLAN7 for VoIP.

I have wired connections throughout the house.

Root cause analysis, so far
iperf3
I ran iperf3 (regular and reverse mode) with Opnsense as server and my laptop as client. There are two switches between the Opnsense box and my laptop. I get consistent 950/950 Mbit/s results. This tells me the issue is not on the LAN side.

ONT
I connected my ISP provided router to the ONT again and plugged my laptop into the ISP router. I get (again) consistent 930/930 Mbit/s results. So the issue is not with the ONT or the ethernet cables.

NICs
I connected the MSI/Opnsense box to the ISP provided router and set up the WAN interface of Opnsense in DHCP mode. I plugged the laptop into the MSI/Opnsense box. I get consistent 930/930 Mbit/s results. So the issue is not in the NICs of my MSI mini PC.

Speculative stuff: Tunables
I reverted to the ONT <-> MSI/Opnsense <-> Rest of my network setting with the VLANs setup for the WAN side.

I've found some posts on this forum and other forums suggesting all kinds of tunables settings for enabling multi-threading and whatnot. These settings didn't make a difference. I get 930/810 Mbit/s with all permutations of these settings.

Speculative stuff, MTU
I've tried changing the MTU from default (defaults to 1492) to 1500 (calculates 1492), 1508 (calculates 1500) and 1512 (calculates 1504). Doesn't make a difference for the speedtest, except that on 1512 the WAN side breaks down completely.

Request
Does anyone have any idea what could be the cause of the speed loss on the upstream? I'm pretty sure it's related to the PPPoE configuration in some way, but I don't know how to pinpoint the problem now.

Any help and/or suggestions are appreciated. Thanks in advance.