Messages - grb

#1
> Are these all PPPoE speeds?

No, I was mostly showing LAN speeds between VMs (OPNsense included).
My default WAN is 0.6Gbps, but when I tweaked these:
hw.vtnet.csum_disable 0
hw.vtnet.tso_disable 0
hw.vtnet.lro_disable 0
my LAN speed between VMs increased to >16Gbps, but then PPPoE WAN decreased to 0.2Gbps.
#2
Are those changes applied already? I was testing OPNsense with many different options, best I had with those set up:
hw.vtnet.csum_disable 0
hw.vtnet.tso_disable 0
hw.vtnet.lro_disable 0
I was reaching around 16Gbps speeds, but then my PPPoE WAN decreased from 0.6Gbps to 0.2Gbps.
When I set options to:
hw.vtnet.csum_disable 1
hw.vtnet.tso_disable 1
hw.vtnet.lro_disable 1
I can get max 4.5Gbit/sec from OPNsense to other VMs.

When I go through the physical network card, I'm reaching near max, 9Gbps (but that's probably hiccups on the other side).



I was testing other VMs:
debian to debian on same network reaches 20Gbps
vanilla pfsense 2.8.1 to debian 4.46 Gbits/sec
and also vanilla freebsd 16.0 current to debian - and that's what worries me, because I get 17Gbps one way, and 5Gbps other way.

Does it mean that even in near future I won't achieve over >15 Gbps speed on OPNsense/FreeBSD?
Or haven't setup up sth obvious?

I was also testing vmxnet3 but speeds were only around 0.5 Gbits/sec

My setup: OPNsense (with an extra 10Gbps network card passed through exclusively) in Proxmox with a few VMs,
and the current settings are:
## System Tunables
| Tunable | Value | Description |
|---------|---------|---------|
| hw.vtnet.csum_disable | 1 | OWN Disables receive and send checksum offload |
| hw.vtnet.tso_disable | 1 | OWN Enables TCP Segmentation Offload |
| hw.vtnet.lro_disable | 1 | OWN Enables Large Receive Offload |
| vm.pmap.pti | 0 | OWN Meltdown mitigation |
| hw.ibrs_disable | 1 | OWN Spectre mitigation |
| net.isr.bindthreads | 1 | OWN performance |
| net.isr.maxthreads | -1 | OWN performance |
| net.inet.rss.enabled | 1 | OWN performance |
| net.inet.rss.bits | 2 | OWN performance |
| net.isr.dispatch | deferred | OWN performance PPPoE |
| hw.vtnet.rx_process_limit | 2048 | OWN performance |
#3
Right, thanks for the screenshot, that will help a lot.
I was trying to replicate those 3 rules in Destination NAT, having in mind that they exist for a reason.
I understand that I could block myself if I forward 443 or 80.
This is what I'm struggling to recreate.
#4
Hi,
I'm not sure I understand...
- Regarding first and second:
  This is what I'm trying to do: recreate the automatic anti-lockout rules for the MGMT interface that are created for the LAN interface (specifically, the rule in Destination NAT # Anti lockout). I'm stuck creating a no rdr rule on interface MGMT that acts the same as the automatic rule on LAN.
- Regarding third: do you suggest allowing MGMT interface access to the LAN interface and leaving the default anti-lockout rules on? Then on the LAN interface I would like to deny access to the firewall and allow it for MGMT. Then I have the automatically created options on, but still the possibility to lock myself out, or some leak in securing LAN-firewall.
#5
Hi,
While setting up OPNsense I noticed that the default anti-lockout rules are set for LAN (I have VLAN192); later on I decided that I would like to have access to OPNsense on the MGMT VLAN (in my case it's VLAN30), but I didn't find a way to change this "default" LAN.
Then I thought to recreate those rules on my own and then disable the default ones, but I get an error in the pf filter.
There were error(s) loading the rules: /tmp/rules.debug:113: syntax error - The line in question reads [113]: no rdr on vlan0.1.30 proto tcp from {any} to {(vlan0.1.30)} port {ssh} -> any # OWN anti-lockout

It's about the rules in Destination NAT
Original anti-lockout rule says in /tmp/rules.debug:
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {22} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {80} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {443} # Anti lockout, prevent redirects for protected ports to this interface ip


I was trying to recreate it:
no rdr on vlan0.1.30 proto tcp from {any} to {(vlan0.1.30)} port {ssh} -> any # OWN anti-lockout
I think the problem is with Source Address or Redirect Target IP, but it's not possible to leave those empty.


Is there any way to recreate this rule in the GUI or in the shell, or just move the default security rules to a different interface?

PS. I found another post with a very similar question, but it's from 8 years ago, so I decided to create a new one.
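As an added example (my own code, not from this thread and not part of OPNsense), here is a small Python checker for pf `rdr` / `no rdr` lines of the shape OPNsense writes to /tmp/rules.debug. It flags a negation rule that carries a redirect target, which is the form the rejected line 113 has, and it can emit the three-line `no rdr` set quoted above for another interface so the result can be compared against what the GUI generates. The regex only covers the rule shape seen in the thread, and the assumption that `no rdr` cannot take a `-> target` is mine, drawn from pf's rule syntax rather than stated in the thread.

```python
"""Checker for pf 'rdr' / 'no rdr' NAT lines as written to /tmp/rules.debug.

Added example, not from the forum thread or from OPNsense. Assumption: a
'no rdr' rule is a negation ("do not translate") and pf rejects a redirect
target ('-> host') on it; the rule lines in main() are copied from the thread.
"""
import re

# Rule shape seen in the thread (assumption: only this shape is covered):
#   [no] rdr on IFACE proto PROTO [from SRC] to DST [port PORT] [-> TARGET [port N]] [# comment]
RULE_RE = re.compile(
    r"^(?P<neg>no\s+)?rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"(?:\s+from\s+(?P<src>\{[^}]*\}|\S+))?"
    r"\s+to\s+(?P<dst>\{[^}]*\}|\S+)"
    r"(?:\s+port\s+(?P<port>\{[^}]*\}|\S+))?"
    r"(?:\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<tport>\S+))?)?"
    r"\s*(?:#.*)?$"
)


def check_rdr_line(line):
    """Return a list of problems found in one rdr/no rdr line; [] means it parses cleanly."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["line does not look like a pf rdr rule"]
    problems = []
    neg, iface, dst, target = m.group("neg"), m.group("iface"), m.group("dst"), m.group("target")
    # A negation rule has nothing to redirect to, so a '-> target' on it is a
    # syntax error (the same shape as the rejected line 113 in the thread).
    if neg and target:
        problems.append("'no rdr' rule carries a redirect target '-> %s'" % target)
    # Anti-lockout only protects the firewall when the destination is the
    # interface's own address, which pf writes as (ifname).
    own_addr = "(%s)" % iface
    if neg and own_addr not in dst:
        problems.append("destination %s is not the interface address %s" % (dst, own_addr))
    return problems


def anti_lockout_rules(iface, ports=(22, 80, 443)):
    """Build the three-line 'no rdr' set from the thread for another interface.

    Assumption: same shape as the LAN lines quoted from /tmp/rules.debug; the
    output is for comparing against what the GUI emits, not for hand-editing
    the generated file, which OPNsense rewrites on every reload.
    """
    return [
        "no rdr on %s proto tcp to {(%s)} port {%d} # OWN anti-lockout" % (iface, iface, p)
        for p in ports
    ]


def lint_rules(lines):
    """Map 1-based line number -> problems, for lines that have any."""
    report = {}
    for n, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        problems = check_rdr_line(line)
        if problems:
            report[n] = problems
    return report


def main():
    # Lines copied from the thread: the generated LAN rules, then the
    # hand-made MGMT rule that pf rejected.
    sample = [
        "no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {22} # Anti lockout, prevent redirects for protected ports to this interface ip",
        "no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {80} # Anti lockout, prevent redirects for protected ports to this interface ip",
        "no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {443} # Anti lockout, prevent redirects for protected ports to this interface ip",
        "no rdr on vlan0.1.30 proto tcp from {any} to {(vlan0.1.30)} port {ssh} -> any # OWN anti-lockout",
    ]
    for n, problems in lint_rules(sample).items():
        print("line %d: %s" % (n, "; ".join(problems)))
    print("equivalent set for vlan0.1.30:")
    for rule in anti_lockout_rules("vlan0.1.30"):
        print("  " + rule)


if __name__ == "__main__":
    main()
```

Running it reports only the fourth sample line (the redirect target on a `no rdr` rule) and prints the three MGMT-interface lines in the same shape as the generated LAN ones, so the check the thread is after is simply whether the GUI output for the MGMT interface parses with an empty problem list.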