Messages - multazimd

#1
It is dependent on VM cores and pricing varies based on customer billing location + tax requirements.
#2
We spun up an 8-core machine and the rate was applied at $0.12 per hour, which is different from the $0.05 per hour published on the plan. So it doesn't look like it is a flat rate.
#3
This is what shows in cost.

PublisherType   Marketplace
ChargeType   Usage
ServiceFamily   Azure Marketplace Services
ServiceName   Virtual Machine Licenses
Meter           OPNsense® Firewall/Router/VPN/IDPS - OPNsense - 8 Core Hours

Though it shows 8 core hours, the actually charged cost is flat and quite low, but it does have a little bit extra over the $0.05/hour price mentioned on the image. Maybe it's Azure Marketplace fees/commission or taxes, idk. Will observe for a few days to confirm that's the case; if needed, will ask Azure support.
#4
Hi,

Has anyone used the OPNsense Azure image: https://marketplace.microsoft.com/en-en/product/virtual-machines/decisosalesbv.opnsense?tab=Overview

I see a $0.05/hour software cost that shows up in the Azure image (in addition to hardware/infrastructure costs). Will this software cost be static, or will it increase based on VM CPU cores or throughput? Can someone who has used it please clarify.
#5
We are going to use the Azure image to set up a shared VPN gateway. It will have a route-based VPN setup for multiple customers, so it will be 60+ VPN tunnel interfaces.
#6
Hi All,

We currently have 60+ tunnels in our existing VPN software, which we want to migrate to OPNsense.

1) What is the maximum number of VTIs OPNsense can handle without performance issues in the UI?
2) Is there a way to arrange the interfaces in groups so as to make them not appear as a long list in the UI?
3) How does the search option at the top right perform if I search for an interface when the count is 100+?
#7
In our case, the remote subnet overlap is not within a single VPN connection but between two different VPN connections. Since the connections are different and the tunnels are unique, wouldn't OPNsense be able to route traffic correctly?
#8
It does say in the doc here: https://docs.opnsense.org/manual/vpnet.html#route-based-vti

that NAT rules can be specified on VTI interfaces in pure VTI-based setups without issue.

Has anyone tried it? This can probably help for our use case. Will try out.
#9
We have a requirement for route-based VTI with overlapping customer remote networks in different tunnels to be routed to different applications at our end. To achieve this, we need to create unique tunnel interfaces per connection and have the ability to do SNAT on each tunnel interface so that we can differentiate the customers based on local networks.
 
Customer A Remote Network 192.168.0.0/24 -> SNAT in Customer A's VTI to VIP A -> Customer A's local app subnet
Customer A's local app subnet -> VIP A -> DNAT to Customer A Remote Network 192.168.0.0/24
 
Customer B Remote Network 192.168.0.0/24 -> SNAT in Customer B's VTI to VIP B -> Customer B's local app subnet
Customer B's local app subnet -> VIP B -> DNAT to Customer A Remote Network 192.168.0.0/24

How can we achieve this in opnsense?
#10
We removed SNAT from the F5 and put it in OPNsense. Additionally, we figured out it was an asymmetric traffic issue. Traffic was entering one interface and leaving through the other interface. We allowed sloppy state in the firewall rule and it worked.
#11
It's an IPsec route-based VPN. Here is the logical architecture diagram of the traffic that is working for us from the remote end over public to OPNsense.
 
Remote End -> OPNSENSE External Interface -> OPNSENSE VPN Tunnel -> OPNSENSE Internal Interface -> F5 LB -> App Machine
 
We have a requirement for our app machines to reverse-call certain private URLs on the remote end via the VPN tunnel established above, and we are not able to get this working.
 
Below is the logical architecture we are trying to achieve:
 
App Machine -> F5 -> OPNSENSE Internal Interface -> OPNSENSE VPN Tunnel Interface -> Remote End URL
 
Unfortunately, traffic is being dropped at the OPNsense internal interface by the default deny rule, which we do not have control over.
#12
Folks,

We are evaluating OPNsense as a shared VPN gateway platform. We are trying to send traffic from our F5 machine to OPNsense but it is getting blocked at OPNsense. Below are the rule details from Firewall -> Log Files -> Live View. Please help us understand why this is happening. We have been troubleshooting for hours but with no success. Thanks.

__timestamp__   2026-02-24T12:39:58
ack   0
action    [block]
anchorname   
datalen   0
dir    [in]
dst   10.77.33.101
dsthostname   10.77.33.101
dstport   443
ecn   
id   2507
interface   hn2
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   40
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   2427568749
src   198.18.250.10
srchostname   198.18.250.10
srcport   65005
status   2
subrulenr   
tcpflags   RA
tcpopts   
tos   0x0
ttl   255
urp   0
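
A triage of the Live View record above, as an added Python example that is not part of the original post: it parses the key/value fields and separates a blocked connection attempt (SYN with no matching pass rule) from an out-of-state segment such as the `RA` packet logged here, which is the kind of drop a stateful firewall produces when it sees only one direction of a flow, as with the asymmetric traffic described in post #10. The sample record is constructed from fields shown in the post; the function names and classification labels are assumptions of this example.

```python
# Added example: triage of an OPNsense Live View record.
# SAMPLE is constructed from field names and values shown in the post.
SAMPLE = """\
action    [block]
dir    [in]
dst   10.77.33.101
dstport   443
interface   hn2
label   Default deny / state violation rule
protoname   tcp
src   198.18.250.10
srcport   65005
subrulenr
tcpflags   RA
"""

def parse_entry(text):
    """Parse 'key   value' lines into a dict; keys with no value map to ''."""
    entry = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        entry[parts[0]] = value.strip("[]")
    return entry

def classify(entry):
    """Label a record (labels are this example's own, not OPNsense terms)."""
    if entry.get("action") != "block" or entry.get("protoname") != "tcp":
        return "other"
    flags = set(entry.get("tcpflags", ""))
    # A new TCP connection starts with SYN and no ACK/RST/FIN. A stateful
    # filter can create state for that packet if a pass rule matches it.
    if "S" in flags and not flags & set("ARF"):
        return "new-connection-denied"   # look for a missing pass rule
    # Anything else has to match existing state. If the firewall never saw
    # the opening SYN on this path (asymmetric routing), it has no state.
    return "out-of-state"                # check forward and return paths

def triage(text):
    e = parse_entry(text)
    return "{} {}:{} -> {}:{} [{}] {}".format(
        e.get("interface", "?"), e.get("src", "?"), e.get("srcport", "?"),
        e.get("dst", "?"), e.get("dstport", "?"), e.get("tcpflags", ""),
        classify(e))

if __name__ == "__main__":
    print(triage(SAMPLE))
```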