2
General Discussion / Re: Strict NAT Gaming - Enable UPNP plugin the way to go?
« on: April 12, 2021, 11:05:05 pm »
I would use upnp and not port forwarding. Install the os-upnp plugin. The plugin is a webgui front-end for miniupnpd that will be installed once you install the os-upnp plugin. You can configure it under Services -> Universal Plug and Play.
Hopefully you have your Xbox and PC setup with static IP addresses. Under upnp settings make sure default deny is selected as well as upnp. In the access list add your Xbox and PC.
allow 1024-65535 192.168.1.121/32 1024-65535 <-- your Xbox IP
allow 1024-65535 192.168.1.122/32 1024-65535 <-- your PC IP
The Xbox and PC will be the only devices that can use upnp with the default deny rule selected. You won't see it, but part of the miniupnpd.conf file would look like this:
allow 1024-65535 192.168.1.121/32 1024-65535 <-- your Xbox IP
allow 1024-65535 192.168.1.122/32 1024-65535 <-- your PC IP
deny 0-65535 0.0.0.0/0 0-65535 <-- this default deny will prevent any other LAN device from using upnp
upnp should work for you. If both your sons play the same game at the same time this may pose a problem with keeping an open NAT.
You will also need to set outbound NAT to hybrid and add 2 outbound rules, one for your Xbox and one for your PC with outbound static-ports.
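The access list above, as an added example (my code, not from the post or from miniupnpd): a small Python model of how miniupnpd walks its allow/deny lines, to show why the trailing deny line matters. It assumes miniupnpd's documented semantics, that rules are evaluated in order, the first match decides, and a request matching no rule is allowed.

```python
import ipaddress
import re

# Added example (not from the forum post): a minimal model of how miniupnpd
# evaluates its allow/deny permission lines. Rules are checked top to bottom,
# the first match decides, and a request matching NO rule is allowed, which
# is why the trailing "deny 0-65535 0.0.0.0/0 0-65535" line matters.

RULE_RE = re.compile(r"^(allow|deny)\s+(\d+)-(\d+)\s+(\S+)\s+(\d+)-(\d+)\s*$")


def parse_permissions(conf_text):
    """Parse permission lines from a miniupnpd.conf fragment into
    (action, (ext_lo, ext_hi), network, (int_lo, int_hi)) tuples."""
    perms = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised permission line: {line!r}")
        action, elo, ehi, net, ilo, ihi = m.groups()
        perms.append((action, (int(elo), int(ehi)),
                      ipaddress.ip_network(net, strict=False),
                      (int(ilo), int(ihi))))
    return perms


def mapping_allowed(perms, ext_port, client_ip, int_port):
    """Decide an AddPortMapping request: first matching rule wins,
    and no match means allow (miniupnpd's default)."""
    addr = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), network, (ilo, ihi) in perms:
        if elo <= ext_port <= ehi and addr in network and ilo <= int_port <= ihi:
            return action == "allow"
    return True


# Constructed fragment mirroring the access list in the post
CONF = """
allow 1024-65535 192.168.1.121/32 1024-65535   # Xbox
allow 1024-65535 192.168.1.122/32 1024-65535   # PC
deny 0-65535 0.0.0.0/0 0-65535                 # default deny for everything else
"""
PERMS = parse_permissions(CONF)

# Same list without the default deny: any other LAN host would get through
PERMS_NO_DENY = PERMS[:2]
```

Without the final deny line, a request from any other LAN host that matches neither allow rule is accepted; with it, only the two listed hosts can add mappings, and only for ports 1024 and above.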
3
21.1 Legacy Series / Re: Bad OpenVPN performance. aesni not working
« on: April 12, 2021, 08:31:59 pm »
This is someone who is posting erroneous results with manually edited times with a Subject "Bad OpenVPN performance. aesni not working" so it would be an eye catcher on the forum. Here are results from my OpenBSD 6.8 firewall which is using LibreSSL 3.2.2:
You can see the times on the right side are all around 3 seconds for my tests. It would seem cybernik is here to spread misinformation and make it seem OPNsense performs poorly compared to pfSense which is not the case as shown by opnfwb.
Code:
bsd# openssl speed -elapsed -evp aes-256-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 77539523 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 38732198 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 9877820 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 1024 size blocks: 2479467 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 310218 aes-256-cbc's in 3.01s
LibreSSL 3.2.2
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 413330.92k 823613.83k 840124.81k 843534.86k 844312.02k
4
General Discussion / Re: Traffic Shaping
« on: April 10, 2021, 08:08:09 pm »
OPNsense does have traffic shaping which will help with bufferbloat.
https://docs.opnsense.org/manual/shaping.html
shaper -> pipes | queues | rules
Under the rules tab you can specify IP addresses or subnets.
5
21.1 Legacy Series / Re: [Q] update ntopng directly from their repo?
« on: April 10, 2021, 06:19:49 pm »
When I recently tested ntopng I installed the plugin, which was at version 3.4.0. I opened the ntopng webui and a popup window appeared asking if I wanted to update to the latest 4+ version. I clicked on update but it didn't update and instead sent me to the ntop website. I found instructions on the ntop website on how to update to the latest version:
https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html
You can install the enterprise version, and although it's just a demo, you can revert to the community edition by going to the OPNsense webui and under Services -> ntopng -> License check the community edition checkbox. All this information is provided in the link above.
I wasn't able to test it long and it seemed to work fine.
6
21.1 Legacy Series / Re: Trying to block single host from internet only.
« on: April 10, 2021, 04:36:08 pm »
I use the following rules on OpenBSD to prevent incoming and outgoing packets from a single IP on my LAN to the Internet. The rules should be very similar on OPNsense. These rules needed to be evaluated before network address translation rules otherwise it wouldn't work for me.
block quick on $WAN from any to 192.168.1.101
block quick on $WAN from 192.168.1.101 to any
Unfortunately at this time, I'm unable to test OPNsense to see if the rules would work.
7
21.1 Legacy Series / Re: Having some UPnP issues.
« on: April 03, 2021, 03:17:59 pm »
Quote: Why do not just create alias group for devices and port
Then Port forward with group, you’re already in hybrid nat
And remove upnp
This is just not feasible in a gaming household. Too many games, too many consoles and PC's running at the same time playing games. The amount of ports one would have to port forward would be unreasonable.
But as cranky has shown and what you are suggesting is an alternative method that does work. Although, it's just not suitable for my network.
8
21.1 Legacy Series / Re: Having some UPnP issues.
« on: April 03, 2021, 05:06:54 am »
Quote: And in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled.
ZPrime, he already has his outbound NAT using hybrid mode with a single rule with static ports for his entire LAN network.
thecodemonk, I recently installed OPNsense within the last week and configured everything manually. I use upnp as well and also noticed no mappings were shown under upnp -> status. So I was experiencing the same issue as you. I reinstalled the upnp plugin. That did not seem to fix the issue. I then reinstalled miniupnpd under packages and then rebooted OPNsense. After that, mappings started to show up under upnp -> status.
Make sure you reboot your consoles or PC. I've noticed my Xbox or PS5 won't send AddPortMapping requests after they are up and running so no port mappings will show up in OPNsense until you reboot. But this isn't always the case.
Let me know if this works for you.
9
21.1 Legacy Series / Re: OPNsense gaming performance?
« on: March 27, 2021, 09:12:07 pm »
You can't, unfortunately. This applies to OpenBSD as well. It's just not possible until miniupnpd implements the appropriate code for pf. Most of the miniupnpd iptables and netfilter code was contributed to the project by other coders to make it fully functional under Linux. Playing the same game using multiple PC's or consoles of the same type just won't work at this time with a BSD based distro using pf.
This is a miniupnpd limitation for pf based packet filtering and not a pfSense or OPNsense caused limitation. It's not something that pfSense or OPNsense can fix on their end. Also, the IPFILTER (ipf) and IPFW code that FreeBSD uses is outdated in the miniupnpd repository and hasn't been updated for about 9 years now. BUT you're still golden when it comes to gaming with one PC or a single console.
I'm not trying to blame the miniupnpd developer. He clearly doesn't use BSD distros for testing purposes, and most of the information he obtains is from bugs posted to his repository referencing miniupnpd not working properly with pfSense.
A Linux based firewall/router with miniupnpd is the only working solution for playing the same game with multiple consoles of the same type or multiple PC's. That's why consumer grade routers (Asus, Netgear, etc) using Linux with miniupnpd work great.
10
20.7 Legacy Series / Re: Command prompt in webgui
« on: March 27, 2021, 03:31:43 pm »
Quote: Actually - this is the only reason (speedtest) I ever use that feature.... would it be possible to integrate some plugin to run /usr/local/bin/speedtest
There is currently work being done on a speedtest plugin by mihakralj. To follow the progress see the following pull request:
Initial pull request for the speedtest plugin #2298
11
General Discussion / Re: It's Wrong Not To Have An Update Up-To-Date Image On The Download Page
« on: March 27, 2021, 03:13:28 pm »
abcuser2021's sole purpose here is to spread misinformation with an attempt to discredit OPNsense.
Linux, OpenBSD, Windows and FreeBSD and others normally don't provide up to date downloads unless you download current snapshots or experimental builds. One must download the release version then install all the updates.
If you're getting hacked you have some serious problems not related to OPNsense.
12
21.1 Legacy Series / Re: How do I import a config.xml during install?
« on: March 27, 2021, 02:23:31 pm »
I haven't had the time to test alternative methods. It's also probably been over a year since I installed OPNsense, and I believe there have been quite a few changes to the install process. I'm thinking the below should also work:
From console menu
1. install
2. reboot
3. restore
I'm glad you got it to work. Saved me a lot of time last time I did it. There's also a recent bug reported regarding importing an encrypted backup #4861. Maybe some potential issues may be resolved during the code audit.
13
21.1 Legacy Series / Re: How do I import a config.xml during install?
« on: March 26, 2021, 11:09:39 pm »
I recall being able to import mine. I think I did a complete install but didn't really configure anything beyond getting past the point of the initial install. Then from the shell I ran the opnsense-importer to import my config.xml from a USB drive and then rebooted.
14
20.7 Legacy Series / Re: kernel: pflog0: promiscuous mode dis-/enabled MORE OFTEN THAN every 15 min
« on: March 18, 2021, 01:51:50 am »
Anyone happen to be using Suricata or a RealTek NIC?
15
21.1 Legacy Series / Re: opnsense not detecting 25Gb NIC
« on: February 14, 2021, 01:58:30 am »
lite, it's probably a good idea to change the subject of your post to [SOLVED] opnsense not detecting 25Gb NIC at this point.