Messages - Mark_the_Red

#1
Hardware and Performance / Re: Built on N150
August 13, 2025, 05:01:37 PM
Great thread.  I have an N100 box, and I was somewhat disappointed in its idle power usage.  It hovers around 13-14 W.  It's not a money power issue, I just like things efficient.  What's your idle power usage with that box?   I followed a lot of the tunables in the link you mention and this one: https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/

To be honest, most of this is Greek to me.

A strange behaviour I noticed in OPNsense is when I run iperf3 tests after an update, I get really slow results.   When I open Interface->Settings->Hardware CRC, TSO, etc., I have to change it and change it back, then click apply and voila, it works great.  I get 10gig iperf3 results.  Weird.

Pretty happy with the system nonetheless, just trying to understand the best settings for my use case.   

Could you share what your settings are for Interface->Settings->Hardware for the first 4 options?  Mine are enabled (unchecked), but VLAN hardware is enabled.

Thanks again.



#2
General Discussion / Re: unifi9 in community repo
June 02, 2025, 11:24:19 PM
You're doing God's work here mimugmail!  Thank you.
#3
General Discussion / Re: unifi9 in community repo
April 02, 2025, 07:28:11 PM
I thought it was sarcasm, but it was true.   Trying to restore from backup bricks the plugin, so I had to reconfigure it from scratch.   Not a big deal.   Thanks for supporting this plugin by the way; fantastic having this on the router itself.
#4
Hello OPNsense team.

I noticed a strange issue that has reproduced itself through the last three updates regarding performance.

24.7.12 -> 25.1 -> 25.1.2 -> 25.1.4

I run an iperf3 test on the 10gig interface and get this result (bad):

[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec   30             sender
[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec                  receiver

iperf Done.

Previous install instance had results like this (good):

[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec    0             sender
[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec                  receiver

iperf Done.

And the only way to get performance is to go to the Interface -> Settings page and click SAVE.   This is without changing ANYTHING.  See attached picture.

Maybe my system is an outlier, I just thought I would post this to share my feedback.   There is something on the Interface->Settings page that is not auto-enabling these parameters through an OPNsense update.  You have to click the SAVE button to enable these settings.

I'm OK with doing this, but it's worth noting here as there is some "factory setting" preset that is being stealth applied in between patch updates.

Hope this is helpful to some.
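Added example (not part of the post above or of OPNsense itself): a small Python check that parses the iperf3 `[SUM]` sender line quoted above and flags a run that has regressed against a known-good baseline, so a post-update drop like the one described (and the retransmit count that came with it) is caught by a script rather than by eye. The two summaries are the ones quoted in the post, embedded here as constructed sample input.

```python
import re

# Constructed sample input: the two iperf3 summaries quoted in the post
# (the regressed run after the update, and the earlier healthy run).
BAD_RUN = """[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec   30             sender
[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec                  receiver

iperf Done."""
GOOD_RUN = """[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec    0             sender
[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec                  receiver

iperf Done."""

# Matches the [SUM] sender line of a multi-stream client run: captures the
# throughput figure, its unit prefix (K/M/G) and the retransmit count.
SUM_RE = re.compile(
    r"^\[SUM\]\s+\S+\s+sec\s+[\d.]+\s+\wBytes\s+([\d.]+)\s+(\w)bits/sec\s+(\d+)\s+sender",
    re.MULTILINE,
)
TO_GBIT = {"K": 1e-6, "M": 1e-3, "G": 1.0}


def parse_sender_summary(output):
    """Return (gbit_per_sec, retransmits) from an iperf3 client summary."""
    m = SUM_RE.search(output)
    if not m:
        raise ValueError("no [SUM] sender line found")
    rate, unit, retr = m.groups()
    return float(rate) * TO_GBIT[unit], int(retr)


def check_regression(output, baseline_gbps, min_fraction=0.8, max_retr=0):
    """Compare a run against a known-good baseline (e.g. one recorded before
    an update). Returns (ok, reasons); reasons is empty for a healthy run."""
    gbps, retr = parse_sender_summary(output)
    reasons = []
    if gbps < baseline_gbps * min_fraction:
        reasons.append(f"throughput {gbps:.2f} Gbit/s is below "
                       f"{min_fraction:.0%} of baseline {baseline_gbps:.2f}")
    if retr > max_retr:
        reasons.append(f"{retr} retransmits (expected at most {max_retr})")
    return not reasons, reasons


if __name__ == "__main__":
    baseline, _ = parse_sender_summary(GOOD_RUN)
    for label, run in (("good", GOOD_RUN), ("bad", BAD_RUN)):
        ok, why = check_regression(run, baseline)
        print(label, "OK" if ok else "REGRESSION: " + "; ".join(why))
```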

 


#5
General Discussion / Re: unifi9 in community repo
March 27, 2025, 05:29:07 PM
Reading your message with the  "pray" comment.  Are you advising against updating to os-unifi9-maxit?   Currently using the one from your repository 8.6.9.  Just trying to understand the pray comment.  Thanks!
#6
Not to necro an old thread.

I scratched my irrational impulse to upgrade to the latest OPNsense version  25.1->25.1.3 and this packet drop issue resurfaced.   Consistent loss of around 30% in iperf3 tests.

sysctl net.inet.ip.intr_queue_drops = 34112

I didn't set a backup point and realized I cannot roll back now.  Might have to fresh install again.

Something in the kernel from 25.1 is different from 25.1.3.  I'm not smart enough to figure out what it is.



 
#7
I appreciate the help.  I am fairly new to OPNsense and came from Ubiquiti, so please excuse my dumb questions sometimes.   My reason for this thread was to see if I was missing something obvious to OPNsense and Plex because I know these are very popular applications for people with this type of enthusiast equipment.

It appears my firewall is not the problem so I am mission creeping the topic a bit.  My reason for the follow up is "you don't know what you don't know", so if what I was doing was crazy, I pride myself on not being stubborn with tech, so I am more than willing to change.

Learned from you guys that I wasn't enabling the logging, and per your email what you wrote is correct:

Quote from: EricPerl on March 15, 2025, 02:30:45 AM
Wrt rule #2, I stand with what I wrote if TRUSTED_RIG (2.x) is not on the IOT network (1.x).
Traffic originating from TRUSTED_RIG will get IN the FW on the 2.x interface.

As you wrote, it was a useless rule, so I deleted it.  I thought (incorrectly) that I needed to give the IoT interface an opening for my trusted rig to access those devices. Not sure what I was thinking.  This is my first real firewall setup on OPNsense.


On that note, I am trying to enable some kind of DoH blocklist.  I had this enabled on my EdgeRouter and it was great; I couldn't believe how much nefarious stuff out there is daily trying to probe your router.  Wasn't sure how to implement something similar on OPNsense.  Not asking you to do my research for me, but since you are a security specialist, you might share a link to someone implementing this on OPNsense.  Or do I use AdGuard Home as the platform for this?

https://github.com/dibdot/DoH-IP-blocklists


Appreciate the help BTW.

#8
Quote from: EricPerl on March 05, 2025, 11:41:02 PM
Here's how I read these:
Rule #1: Allow IOT Net to access the DNS server at IOT address (OPN hosted, Unbound or AGH or whatever). Very typical.
Rule #2: That's an IN (from the perspective of the FW) rule on the IOT interface and your TRUSTED RIG is probably not on that network so it won't be a source. This rule likely never fires.
Rule #3: Same? I'm not sure why your "work" devices would be on the IOT network. These devices are not depicted in your OP.
Rule #4: Allow access to the internet from the IOT interface (the source might as well be IOT_net. exceptions exists but unlikely in your case).
It's not blocking anything BTW.

The last rule is not enabled so I ignore it.

None of these rules are logging anything... the i is grey. If you want to see artifacts in the logs or live view, you need to enable logging.


Appreciate the help.  I enabled logging and did not see anything on either the server or IoT interfaces.  I can pretty much conclude that it is 100% the Kubernetes TrueNAS application that is blocking this connection, as the attempt to connect / discover the device is not even making it to the firewall.  I'm going to have to put on my big boy pants and learn how to docker compose a proper Plex Media Server .yml via jailmaker if I ever want to get this working.  So far I've failed miserably at doing this due to various bugs I can't discern.

I don't want to sidetrack the thread, as to the firewall rules.  But to your questions:

Quote from: EricPerl on March 05, 2025, 11:41:02 PM
Rule #3: Same? I'm not sure why your "work" devices would be on the IOT network. These devices are not depicted in your OP.

I have one access point in the house on a single SSID (you are right, it's not on the flow chart, but basically anything wifi is connecting via the IoT network subnet).

My laptop and my wife's laptop are static IPs assigned to this TRUSTED_LAPTOPS alias that can basically go anywhere in my local network.  I have my reasons for doing this, but mainly it has to do with 4 teenage or teenage children in my house with infinite devices all connecting, their friends, etc.  My main goal is to block porn/dark internet bad shit access from my Wifi for them via AdGuard Home.  Yes, I know some people can get around this using cell networks (not my kids due to MDM on their phones) but that's another parent's problem, not mine as far as I am concerned.

I have my reasons for setting it up like this, in that I trust firewall rules over my knowledge of implementing VLANs (total noob).  Basically any device on my wifi that isn't manually assigned to Trusted Laptops (Alias) can only use the DNS server (AdGuard) to get to the internet.

I assume you think I am nuts.  From reading the how-tos here and on Reddit, everyone is saying to have multiple SSIDs for wifi, multiple VLANs, etc. and manage all the cross talk via the VLAN permissions?  I just think policing the TRUSTED ALIAS firewall rule is easier and fits my needs just fine (it's only 4 devices tops).  I checked it from multiple devices not on the TRUSTED_LAPTOPS alias on my wifi and they cannot access my server (unless through Plex).

Managing multiple VLANs over trunk interfaces, multiple SSIDs, etc. seems like way more work and overhead, and nightmare fuel for me to debug if something breaks with a future Windows 11 update, etc.  Probably child's play for a guy like you, but I like this way because it's easier (for me) and the YouTube (Home Network Guy) video convinced me it works.  It does work now as far as I can see.

Quote from: EricPerl on March 05, 2025, 11:41:02 PM
Rule #4: Allow access to the internet from the IOT interface (the source might as well be IOT_net. exceptions exists but unlikely in your case).
It's not blocking anything BTW.

Do I have to define which networks it has to block?  Basically I don't want anything on that IOT (192.168.3.x) subnet being able to connect to my main rig (192.168.2.x) and server (192.168.1.x) subnets.    It appeared to me the Private Networks alias is an industry standard term for anything with a 127, 192, 10 subnet.  I don't care what I have to type here, but is an alias I make called 192.168.2.0, 192.168.3.0 better?
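Added example (not from the thread or from OPNsense): a small first-match model of the IoT interface rules as EricPerl read them, used to show why the "allow internet" rule alone blocks nothing and where an explicit block of the private ranges has to sit relative to the DNS rule. Assumptions: rules are evaluated first-match (as OPNsense's default "quick" rules are), the firewall's IoT address is 192.168.3.1, and the trusted-rig host and public resolver addresses are made up.

```python
import ipaddress as ip

# Simplified first-match evaluator for one interface's IN rules. A model for
# reasoning about rule order, not OPNsense's own pf engine (assumed: rules
# are first-match, which is how OPNsense's default "quick" rules behave).
def first_match(rules, src, dst, dport):
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, srcs, dsts, ports in rules:
        if (any(s in n for n in srcs) and any(d in n for n in dsts)
                and (ports is None or dport in ports)):
            return action
    return "block"  # default deny when no rule matches

N = ip.ip_network
IOT_NET = [N("192.168.3.0/24")]
IOT_ADDR = [N("192.168.3.1/32")]  # assumed: firewall's address on the IoT interface
ANY = [N("0.0.0.0/0")]
PRIVATE_NETWORKS = [N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")]  # RFC 1918

# Rules as described in the thread: allow DNS to the firewall, then allow anything out.
RULES_AS_POSTED = [
    ("pass", IOT_NET, IOT_ADDR, {53}),
    ("pass", IOT_NET, ANY, None),
]
# Same rules with a block of the private ranges inserted BEFORE the allow-any
# rule but AFTER the DNS rule: the firewall's own address is inside
# 192.168.0.0/16, so placing the block first would silently break DNS too.
RULES_WITH_BLOCK = [
    RULES_AS_POSTED[0],
    ("block", IOT_NET, PRIVATE_NETWORKS, None),
    RULES_AS_POSTED[1],
]

# Constructed sample flows from the IoT subnet (addresses from the thread,
# except the trusted-rig host and the public resolver, which are assumed).
FLOWS = {
    "dns_to_firewall": ("192.168.3.77", "192.168.3.1", 53),
    "hdhomerun_to_plex": ("192.168.3.77", "192.168.1.48", 32400),
    "iot_to_trusted_rig": ("192.168.3.50", "192.168.2.10", 445),
    "iot_to_internet": ("192.168.3.50", "1.1.1.1", 443),
}

def evaluate(rules):
    """Return {flow name: decision} for every sample flow under a rule set."""
    return {name: first_match(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("with block", RULES_WITH_BLOCK)):
        print(label, evaluate(rules))
```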
#9
Thanks guys.  I was away this weekend at my son's hockey tournament.  My original post has the network mapped out, so these are PHYSICAL interfaces controlling the subnets.  Logging is set to whatever the vanilla OPNsense factory settings are.

Interface 1:  Server (Plex Media Server is IP address 192.168.1.48:32400)
Interface 2:  IoT (HDHomeRun is IP address 192.168.3.77)

Pic related is my IoT rules.  Don't bully me if I cannot keep NSA glowies out of my system like you guys can with special elaborate rules; I followed this guy's firewall rules system to the letter: https://www.youtube.com/watch?v=TjXkWSjYqlM&t=1s   Seemed logical and correct.

#10
Just as an update, some super helpful guy over on Plex explained the problem pretty well and how what I am experiencing is expected.
https://forums.plex.tv/t/live-dvr-plex-media-server-cant-detect-hd-homerun-over-different-subnet-to-server/906937/2

Neither he nor I could explain why my firewall doesn't show ANY traffic between subnets for this process when watching the live view.   I am just not qualified at this time to delve into the why or how within OPNsense over a relatively peripheral network need right now.   I am sure it's some obscure Linux permission issue on TrueNAS or the k3s environment regarding ports.

Just thought I would share this here as the Plex expert explained in good detail the network protocols Plex / HDHomeRun use to communicate with each other.
#11
"There was evidence.."?  I don't understand the post.  Tell me what else I need to install to make mDNS "installed".  Pic related is what downloading the plugin creates on 25.7 appears to look like.   

I tried every possible permutation of the IPv4 subnet argument point.   Leaving it blank does nothing else.   My TrueNAS server is 192.168.1.48 with Plex on port 32400.  The HDHomeRun is on 192.168.3.77 (different subnet), no idea on the port it uses.
#12
I did install it and it appeared to install fine.  It didn't solve the problem, but this is not an OPNsense problem at this point.  Sorry to waste your time. 

It's a Kubernetes problem / TrueNAS problem that fights you tooth and nail whenever you try to do simple basic networking stuff.

I cannot understand why I can access my HDHomeRun from EVERY device in the house via its IP address but Plex cannot and will not do so even when I enter it manually.

I then started down trying to install plexmediaserver within dockge, which resoundingly defeated me in trying to mount network media via docker compose.  Sigh.
ChatGPT is clueless and incorrect.

This is a (me) / TrueNAS problem gentlemen.  Us normies just can't have nice things.   Appreciate the help.  OPNsense is working great.
#13
Quote from: EricPerl on February 22, 2025, 03:36:06 AM
Before I replied, I had done a quick search. There's apparently plenty of people that have Plex and the tuner in separate VLANs.
It's apparently more difficult with the SiliconDust DVR because this one relies entirely on discovery via broadcast.
At least Plex lets you enter an IP for the tuner... So tuner discovery is out of the way.
Figuring out the rest should be simpler.

I think my local situation is probably making this more complicated than it needs to be.  I am using the AdGuard DNS plugin so I have to look into how the mDNS solution can play nice with both operating right now.   The mimugmail version of AdGuard on OPNsense is extremely simple to install and get working, but how it plays with mDNS will have to be trial and error.   To be clear, manually entering the IP address of my HDHomeRun works for all devices (even IoT devices with no trust status), except the stupid plexmediaserver plugin on TrueNAS.  It's got to be that k3s setup.  I will try Plexmediaserver as a docker and see if that solves it first.  The mDNS rule I tried did not work, but I will admit I'm a total noob with mDNS as of 5 minutes ago learning about it.

 
#14
I wanted to say thank you for the help.  Lots to digest here, but I will start with the Firewall rule marjohn56 recommended and respond. 
#15
Hello All,
Strange issue.  I have an HD HomeRun and I want to connect my Plex Media Server to it.  The problem is Plex Media Server is in a K3s on TrueNAS and cannot autodetect any device outside of the local subnet.  It (the HD HomeRun) is connected to the IoT network just fine and I can access it, but Plex Media Server cannot.  I pretty much have default standard firewall rules for my different subnets and everything works fine.

My Question to you Wizards is:  Is this an OPNsense firewall rule issue or a TrueNAS K3S issue?   If OPNsense, is there a firewall rule you can steer me towards?

HDHomeRun IP: 192.168.3.77
TrueNAS Plex IP: 192.168.1.48:32400
Router IP: 192.168.2.100

I suspect this is a TrueNAS issue, but probably somebody here has encountered this before locally and it may be an OPNsense firewall blocking cross subnet auto IP detection / connections.

Appreciate the help.