Messages - o58rHtfJdDiU3p

#1
Thank you Tobi and Meyerguru

True, each WG-connected device is still open on the LAN at Layer 2. I am aware of that, but I guess this problem exists in any case if you are using WG from a Starbucks or the airport, and there it is just considered a compromise that you could get.

I also know that the best would be having a separation over different physical LANs. I've seen the migration from VLANs to physical separation at my work.
Second best is VLANs; it was considered best in the past but nowadays is also considered kind of a compromise.
And my "third" best solution would be to take what I do have and try to improve on the SW level.
And fourth would be doing nothing and just having a big LAN without any control of who is accessing whom.

In my case my thinking was to just consider the whole LAN (direct physical connection to OPNsense) as insecure, choose the sensitive devices and put them in different WG subnets that are considered more secure than the LAN. Then I force routing over the OPNsense router (as it would be with VLANs), and I can control the routing and have options with the OPNsense firewall.

The disadvantage is of course that everything must be encrypted and decrypted through the tunnel and can't communicate directly between the devices.

This brings me back to my original question, since I think I have understood the good and the bad of my planned solution.

The real question was: what performance is to be expected from WG?
Where are the bottlenecks, and why can't I see them in the stats?
Meyergru thinks that I can be sure that my NIC runs at 10G. That could have been a good explanation if he had been wrong and it runs at 1G. But maybe he is right and the WG performance I see is already the end of the road? If so, although I am no expert, I would have expected much more bandwidth in my configuration with a 10G NIC and an old i7 CPU with a good clock and more than enough RAM. Everybody says that WG is so fast, and I am sure it is compared to its successors, but still I would have expected more: at least over 200 MByte/s, or at least seeing any CPU running hot due to the cryptography of the tunnel.
But all devices seem to be fine and relaxed.
#2
The reason I am asking is that I have read that OPNsense, or more precisely FreeBSD, has trouble with many 10 Gbit/s cards, especially Realtek chipsets. This is why I was getting careful when I saw these numbers.
But I can't distinguish between WG performance and NIC performance, since I can't force the traffic through the router (no VLAN support).
#3
Quote from: meyergru on July 28, 2025, 11:01:01 AM
First off, I do not get how WireGuard could be an alternative to VLANs: If your switches do not support VLANs, you would have to put all of your clients into one network. In that situation, there is no security benefit if clients may only connect to your OpnSense via WG tunnels.

Then please let me explain:
My plan is to configure all sensitive clients in some WireGuard subnets. Then the communication data is forced to be routed over the OPNsense router, and I gain control over which subnet and device is allowed to communicate with which. And that's even though on the HW level all are connected over the same LAN equipment.
Of course you are right, this is only more secure if the WireGuard tunnels are really used and on the clients the whole communication is routed through the tunnel.
I would say the point of encrypted VPN tunnels is that other clients can see that something is transmitted but can't see what, until the packets go to the router. There the router decides who is allowed to get in touch with whom. So it's not true if you say that every untrustworthy LAN device can communicate with other sensitive devices... is it?

Quote from: meyergru on July 28, 2025, 11:01:01 AM
Consider that within your LAN, any client can communicate / infiltrate any other client directly, without going through OpnSense. That is the whole point of VLAN separation, besides making collision domains smaller, thus having less broadcast traffic.

Your physical connection is not at 1 Gbit/s, otherwise you would not see 500 MByte/s traffic.

Not sure about that.
The 500 MByte/s are just when I connect directly without any WG tunnel. Since both devices are in the same subnet in this configuration, the traffic goes directly without the need for any routing by the OPNsense device. So I still can't say if the OPNsense device really makes use of the whole 10 Gbit/s.

Quote from: meyergru on July 28, 2025, 11:01:01 AM
The wireguard speed looks about right, with old CPUs, it is usually at ~600 MBit/s, which you see. That is not a factor of 10, but a limit imposed by the encryption speed of your CPU(s).

That's disappointing. The CPU typically runs at 20 or 30% on 6 cores, and from what I have read, WG should be able to make use of multiple cores.

Quote from: meyergru on July 28, 2025, 11:01:01 AM
Depending on the physical CPU and the chosen CPU emulation, you can or cannot use AES instructions. For these types of applications, I would switch the CPU type to "host" in Proxmox.

CPU host was set.

So currently I am still not sure if you are right and that's all I can expect from my setup... O.o

BTW, although it is old, it is still an i7 and faster than every N350, Pentium Gold or other typical micro appliance device. CPU benchmarks shouldn't be that bad...
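A small model of the routing argument in the exchange above, added here as an example and not part of the thread: which first hop a packet takes from a client on the flat LAN, given that client's WireGuard AllowedIPs. The hosts, addresses and AllowedIPs are constructed (the prefixes follow the 10.1.x.x/16 LAN and 10.2.x.x/16 WG_Clients ranges used elsewhere on this page); it assumes the usual client behaviour that a 0.0.0.0/0 AllowedIPs entry is installed as two /1 routes and that the on-link LAN route wins by longest prefix, and it ignores any client-side kill switch.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes as used on this page: LAN 10.1.1.1/16, WG_Clients 10.2.1.1/16
LAN = ipaddress.ip_network("10.1.0.0/16")

@dataclass
class Host:
    name: str
    lan_ip: str
    wg_ip: str = ""
    allowed_ips: tuple = ()   # the client's WireGuard AllowedIPs (constructed)

def first_hop(src: Host, dst_ip: str) -> str:
    """Simplified longest-prefix match between the on-link LAN route, the routes
    the WireGuard client installs for its AllowedIPs, and the default gateway."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = []
    if dst in LAN:   # on-link: ARP + direct delivery, OPNsense never sees it
        candidates.append((LAN.prefixlen, "direct-l2"))
    for entry in src.allowed_ips:
        net = ipaddress.ip_network(entry)
        if dst in net:
            # 0.0.0.0/0 is installed as 0.0.0.0/1 + 128.0.0.0/1, so it never
            # outranks a more specific on-link route
            candidates.append((max(net.prefixlen, 1), "tunnel->opnsense"))
    candidates.append((0, "routed->opnsense"))   # default gateway is OPNsense
    return max(candidates, key=lambda c: c[0])[1]

# Constructed hosts for the demonstration
server   = Host("fileserver", "10.1.5.5", "10.2.5.5", ("10.2.0.0/16",))
notebook = Host("notebook", "10.1.7.7", "10.2.2.2", ("10.2.0.0/16",))
fulltun  = Host("notebook-full", "10.1.7.7", "10.2.2.2", ("0.0.0.0/0",))
pinned   = Host("notebook-pinned", "10.1.7.7", "10.2.2.2",
                ("0.0.0.0/0", "10.1.0.0/17", "10.1.128.0/17"))
rogue    = Host("rogue-iot", "10.1.9.9")   # no WireGuard at all

if __name__ == "__main__":
    for src, dst in [(notebook, server.wg_ip), (notebook, server.lan_ip),
                     (fulltun, server.lan_ip), (pinned, server.lan_ip),
                     (rogue, server.lan_ip), (fulltun, "8.8.8.8")]:
        print(f"{src.name:16} -> {dst:10} {first_hop(src, dst)}")
```

The rogue and notebook rows are the substance of meyergru's objection: the server's LAN address stays reachable at Layer 2 from any LAN host, so the scheme only holds if the sensitive service accepts connections on its WireGuard address alone (host firewall on the server) or the clients' AllowedIPs are more specific than the on-link LAN route, as the pinned row shows.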
#4
Hello,

I'm currently experimenting with segmenting my home network using WireGuard as an alternative to VLANs, which would require appropriate hardware support.

I seem to have the WireGuard instances and individual peers under control, but now I'm getting into the nitty-gritty of the expected performance.

My OPNsense runs under Proxmox on an older i7-6700 machine. Both CPU and RAM seem to have sufficient performance margins.
The device has an Intel X520 dual SFP+ network card that supports 10Gbit/s.

I am testing with CrystalDiskMark on a CIFS network share on a file server that is on the 10G network. So all devices (file server, test notebook and OPNsense router) are on the 10G network.
Here are my results.

1.) direct connection (without OPNsense routing)
R: 505.19 MByte/s
W: 479.73 MByte/s

2.) Wireguard activated between Notebook and OPNsense.
OPNsense has paravirtualized NIC so Intel X520 is initialized by Proxmox.
R: 67.61 MByte/s
W: 50.55 MByte/s

3.) WireGuard with NIC PCIe passthrough in OPNsense VM. So OPNsense should have exclusive access to the 10Gbit/s network card.
R: 57.13 MByte/s
W: 27.25 MByte/s

So the question is now: What do I see with these results?

Is it totally normal that with the WG tunnel the performance drops by a factor of 10?
I do know that WG communication is encrypted and this slows down the communication, but I don't see any bottleneck on the HW side.

Is it possible that my network card is still running on 1Gbit/s instead of 10Gbit/s?

Hope someone can help!
Thanks!
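Two checks for the two questions in this post, added here as an example and not taken from the thread: parse FreeBSD ifconfig(8) output (what the OPNsense shell shows for the X520 `ix` interfaces, or `vtnet` when the NIC is paravirtualized) for the negotiated link speed, and test whether a measured MByte/s figure could have crossed a 1 Gbit/s link at all. The ifconfig text below is a constructed sample; on the real box the input would come from `ifconfig` run on OPNsense.

```python
import re

# Constructed sample of FreeBSD ifconfig(8) output (not taken from the poster's box)
SAMPLE = """\
ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (10Gbase-SR <full-duplex>)
\tstatus: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect
\tstatus: no carrier
"""

# Order matters: "10Gbase" is tested before "10base", "1000base" before "100base"
SPEEDS = (("10Gbase", 10000), ("1000base", 1000), ("100base", 100), ("10base", 10))

def link_speeds(ifconfig_text):
    """Map interface name -> negotiated speed in Mbit/s (None when no link is up)."""
    speeds, ifname = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^([a-z]+\d+):", line)
        if head:
            ifname = head.group(1)
            speeds[ifname] = None
        elif ifname and "media:" in line:
            for token, mbps in SPEEDS:
                if token in line:
                    speeds[ifname] = mbps
                    break
    return speeds

def fits_link(mbyte_per_s, link_mbps):
    """Could a measured rate in MByte/s have crossed a link of link_mbps at all?"""
    return mbyte_per_s * 8 <= link_mbps

if __name__ == "__main__":
    print(link_speeds(SAMPLE))
    # Figures from the post above: 505.19 MByte/s direct, 67.61 MByte/s through WireGuard
    for rate in (505.19, 67.61):
        print(f"{rate} MByte/s: fits 1G={fits_link(rate, 1000)}, fits 10G={fits_link(rate, 10000)}")
```

The 505 MByte/s direct result already rules out a 1 Gbit/s link between notebook and file server, but the 67 MByte/s WireGuard result would fit through 1 Gbit/s, so only the negotiated speed on the OPNsense interface itself settles the NIC question.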
#5
Quote from: meyergru on July 20, 2025, 09:51:30 AM
That "something" must have broken your config. So you have to find out what it was.

If you followed different guides for Wireguard setup, they may have been for different purposes. Some do:

1. Wireguard road warrior setups to allow a client to connect from remote.
2. Wireguard site-to-site setups to connect two LANs with one another.
3. Wireguard setups to have some or all clients connect via a VPN provider like NordVPN to hide your true identity.

Those setups are incompatible with one another if you follow them blindly.

Maybe you put firewall rules in that do policy routing or try to avoid any traffic that does circumvent the VPN route (point 3).
Maybe your routes are too broad so that all of your traffic goes over the VPN (points 2 and 3).
Maybe you created firewall rules that block traffic.


Only you can tell. However, you can always use "System: Configuration: History" to compare the last configurations and restore one that works. Maybe just go back one day and try.


Thanks for your post.

It's definitely just 1.); the changes I made shouldn't lead to this result, as far as I understand networking, but I am no expert...

The System: Configuration: History just blew my mind.
Very cool feature I was not aware of.
I reverted to an older config and now it is working again.
Thanks.
#6
I was just making my first steps with OPNsense and WireGuard.

After some learning I managed to get my first WG_Clients instance running. For testing I added my notebook, tablet and my phone.

First everything was working fine.

Then I did "something", please don't ask me what; I followed several different tutorials and then suddenly my whole network crashed, in the sense that the internet wasn't working and even other LAN <-> LAN connections without any WG clients activated or installed were not able to ping or communicate. So devices that should be independent of WG are not working any more. Luckily the connection to the OPNsense firewall is still open, so I am able to change settings.

So in the end I am at the point where I enable any WG instance and my networking crashes, fully reproducibly.

WG logs are empty.

I tried removing the WG interface and also removed and recreated the WG instance; still the same problem.

I went through all of my settings multiple times and I am really sure that it should work that way. I also see, when I activate the WG server and just ignore that the internet breaks, that the WG client tools show they have a connection and are transmitting data. So I guess the VPN tunnel is OK?

And the IP config should be also fine.
LAN: 10.1.1.1/16
WG_Clients: 10.2.1.1/16
eg notebook: 10.2.2.2/32

It is also not working with my own DNS server (Pi-hole) or Google 8.8.8.8.

And the WG port 51821, since 51820 is blocked by my fritzbox since it also supports WG...
But that should be fine since it was already working on 51821.

I added the WAN 51821 firewall rule and a general allow rule for the WG network.

I had some special routing configs but I removed everything and configured it to auto...

Can somebody help me find and point a finger at something that can cause these issues?

I also noticed that the WG UI is kind of buggy.
E.g. the peer generator can't save the newly created peers. So I was thinking, how stable is the WireGuard core at all in the OPNsense implementation?

Hope you can help, thanks.
#7
Thanks for the answer.

Problem solved:

It's almost embarrassing...
By changing routers, the two Windows computers detected new networks and automatically switched the Windows Defender firewall to "public." xD

Thanks, Microsoft!
#8
Hello,

I recently replaced my old Netgear router (FreshTomato) with a mini PC running Proxmox + OPNsense.
I have a Fritz!Box connected to the internet via the OPNsense WAN port. The LAN goes to several dumb switches and a mesh Wifi AP setup.
I run DNS via a standalone Pi-hole server.
The setup was exactly the same before, and I really only replaced the router.

The new OPNsense router is working well so far, and I'm happy with my decision to switch. My DHCP leases, port maps, and web servers are already up and running again, and Pi-hole is also neatly integrated.

The only problem:
My girlfriend uses a Windows 10 laptop as a monitor and keyboard for another work PC. (Don't ask why please.) This has previously been done via the wireless display function that is integrated in Windows. I'm not sure what technology is behind it, but I suspect something like Miracast.
The problem is that due to the new firewall, the notebook is apparently no longer automatically listed as a wireless display.

I've already worked on the problem a bit and tried various configurations with the help of chatbots.
Two firewall rules in particular:

Rule 1 (for Miracast Discovery):
Action: Pass
Interface: LAN
Direction: In
Protocol: TCP/UDP
Source: Any
Destination: Any LAN Net
Destination Port Range: From 1900 to 1900 (for SSDP)
Destination Port Range: From 5353 to 5353 (for mDNS)
Destination Port Range: From 7236 to 7236 (for Miracast Control)
Destination Port Range: From 5357 to 5358 (for mDNS/SSDP fallback)

Rule 2 (for Miracast Streaming - broader, as it is dynamic):
Action: Pass
Interface: LAN
Direction: In
Protocol: TCP/UDP
Source: Any LAN Net
Destination: Any LAN Net
Destination Port Range: From 49152 to 65535

Additionally, I have also installed the UPnP plugin and activated "Enable UPnP & NAT-PMP".

I'm not entirely clear on this and have a healthy dose of chatbot skepticism, so here's my question:
Do you know what exactly this Windows Wireless Display connection does?
How can I configure OPNsense so that it works again?

I'm not even sure whether this feature works over the internet or purely over the LAN.

Thank you in advance!