Messages - stanps

#1
Fair enough....hopefully someone chimes in.  I do appreciate your input.  And that thread you pointed to was a little over my head....but excellent nonetheless.
#2
Okay, so.....OPNenthu.  If I remove the weight, what decides the priority, between the high priority and low priority queues?
#3
I was more referring to what ports were considered high or low; instead of me specifying the ports for Microsoft Teams, I just specified HTTP/HTTPS as lower and let Teams fall into the higher priority by default.

I'll dig in what you posted...Thanks!
#4
The status screen.
#5
I've been trying to figure out how to take advantage of Traffic Shaper for MONTHS!  I finally found a configuration that not only works, it works perfectly for what I wanted.  I just figured I'd post this in the hopes it helps someone else, like it helped me.

First off, I initially used buffer bloat sites to measure how well the Traffic Shaper was working.  However, I found that a bad buffer bloat score can be solely caused by a bad workstation config as well.  For example, I moved my laptop from a C- to an A+ with the following command:

  netsh int tcp set global autotuning=disabled

Anyway, I typically use Teams for work, and a few weeks ago one of the kids was downloading a game and it KILLED my throughput.

The article below solved my issue perfectly!

Thank you OPNSense Team for making such a top notch product, available for us plebs.

And thank you Manuel Laggner for the article.

https://www.laggner.info/posts/opnsense-traffic-shaping/
#6
25.7 Series / Re: Thank you for 25.7.2 update
September 02, 2025, 02:43:30 AM
Hear, hear!  I'm guessing I'm having great results due to my hardware, but my upgrades have been picture perfect.  Thank you team!
#7
Quote from: Patrick M. Hausen on March 15, 2025, 12:36:50 AM

If you have inbound port forwarding rules or IPv6 allow rules for publicly accessible services, Crowdsec or blocklists are worth considering, IMHO.

Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

I stopped using Crowdsec because the free blocklists are really not worth the effort of configuring and maintaining the service. For a company I would consider it, but just a bit under 100$ per month for the most basic subscription is prohibitive for me as a private user. All the interesting blocklists are subscription only.

100$ per year like I pay for Proxmox and I would be in.

So I just use FireHOL and friends for inbound connections, now.

If you do not have inbound connections for public services at all, I don't see a reason to use any of these products/technologies.

Install AdGuard Home for some DNS based filtering for outbound and you are good to go.

Rock 'n Roll!  I have no inbound connections for anything on the public side.

Thank you!

-S
#8
Hey there.

If I have the default deny all rules on my external interfaces, does IDS or CrowdSec offer any advantage on those interfaces?  I vacillate every time I read something on this.

Thank you in advance,
Stan
#9
I bought a HUNSN from Amazon and it's been rock solid.

This is the one I bought.  I might have gone a little overboard with 16 GB RAM and 256 GB SSD...but I've got room to grow.

https://www.amazon.com/dp/B0CG1BVGDX
#10
Just to close the loop on this, if anyone is curious.

It turns out that I had to adjust my System > Gateway > Configuration items.  Specifically, Weight and Priority on each interface.  I had Priority correct, but Weight was set opposite of what it should have been.

Hope this helps someone.
-S
#11
Ditto!  Thank you!
#12
General Discussion / Re: Handling _ldap._tcp.dc._msdcs
February 24, 2025, 02:15:50 PM
Quote from: dseven on February 24, 2025, 10:51:11 AM

side-note: using ".local" for anything other than mDNS is generally not recommended

Since presumably "ourhome.local" is internal-only, you could change [Services > Unbound DNS > General > Local Zone Type] to "static"

It IS internal only.

Thanks!  I'll check out the options there (Local Zone Type).
-S
#13
General Discussion / Handling _ldap._tcp.dc._msdcs
February 24, 2025, 12:35:01 AM
Just wondering what everyone is doing so that requests for _ldap._tcp.dc._msdcs and wpad don't get forwarded to the internet.  I'm not running a Windows domain, and I noticed these requests were being forwarded through Unbound DNS.

I've added them as overrides, pointing them to the firewall.  Should I bother?  Is this a bad idea?

Thanks in advance.
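As an added example (not from this thread or from OPNsense), here is the "static" local zone approach dseven suggested, written as a plain Unbound server: fragment so the intent is visible; it assumes the zone name ourhome.local from the thread and a constructed firewall address 192.168.1.1, and where the fragment is dropped in depends on the OPNsense version.

```conf
server:
    # Serve ourhome.local only from the local-data below. With zone type
    # "static", any other name under it (including the _ldap._tcp.dc._msdcs
    # SRV lookups and wpad) gets NXDOMAIN and is never forwarded upstream.
    local-zone: "ourhome.local." static
    # Constructed example record for the firewall itself.
    local-data: "firewall.ourhome.local. IN A 192.168.1.1"
    local-data-ptr: "192.168.1.1 firewall.ourhome.local."

    # Belt and braces: explicit NXDOMAIN zones for the AD and WPAD discovery
    # names, so they stay local even if the parent zone type is relaxed later.
    local-zone: "_msdcs.ourhome.local." always_nxdomain
    local-zone: "wpad.ourhome.local." always_nxdomain
```

A quick check from a LAN host is `drill wpad.ourhome.local. @192.168.1.1`, which should answer NXDOMAIN from the firewall rather than a forwarded reply.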
#14
The rest of my screenshots
#15
Hey all!  Long time lurker, first time poster. :D

I have a question regarding how to prefer one WAN interface over the other.

I have 2 ISPs and one LAN.

I'll attach pics to show what I'll attempt to describe.

My i3 ISP is 1 Gb up/down, and Spectrum is 500 Mb up/down.  I'm TRYING to make traffic prefer i3 over Spectrum.

Gateway Configuration - i3 Priority = 25, Spectrum = 50.

Gateway Group - both Tier 1.

Firewall Shaper Pipes - 450 Mbit/s pipe and 850 Mbit/s pipe.

Firewall Shaper Queues - 450 MB Pipe with weight of 75 for Upload, 450 MB Pipe with weight of 100 for Download, 850 MB Pipe with weight of 75 for Upload, 850 MB Pipe with weight of 100 for Download.

Firewall Rules - i3 Download Rule using the 850 MB Download Queue, i3 Upload Rule using the 850 MB Upload Queue, Spectrum Download Rule using the 450 MB Download Queue, Spectrum Upload Rule using the 450 MB Upload Queue.

Firewall Shaper Status consistently shows the Spectrum connection getting more of the traffic, and I don't understand why.