Messages

1

Hardware and Performance / Re: which switch

« on: October 22, 2019, 04:47:47 am »

Went with the Dell PowerConnect 2824 24 port 10/100/1000

Kinda noisy but not too bad so i added a 10 ohm quarter watt resistor to the plus line and now have a quiet switch . Fan light stays in the grn and all functions quietly with no heating up.

need to purchase a pot / adjustable rheostat and see how low i can get the fan and still have good cooling with a green fan light.

If you are ever looking to upgrade, I can highly recommend the Powerconnect 5524 and 5548. Dirt cheap on eBay and lots of features, incl. 10G SFP+ ports and ability to connect them into a stack via HDMI cables.

2

Hardware and Performance / Re: Weird speed issues with Mellanox ConnectX-3

« on: October 22, 2019, 04:42:55 am »

Did you use the local iperf Plugin? These values arent really stable.
Also note GB is ok, in your case it's Gb, correct?

I used iperf in the command line. Indeed, it’s Gb, not GB - sorry about that! I’ve also timed a large file transfer between my OPNsense box and another server on my LAN to rule out iperf issues. However, same result... I wonder if there’s a driver/module issue.

3

Hardware and Performance / Weird speed issues with Mellanox ConnectX-3

« on: October 20, 2019, 11:12:44 pm »

Hi,

I installed a Mellanox ConnectX-3 10G nic today. The card was recognized after I prompted the system to load the module (I added mlx4en_load="YES" to /boot/loader.conf.local. So far so good.

However, when I ran iperf3 I noticed that I am only getting about 1.4GB/s on the interface. I've tried turning on/off all the hardware offloading settings, but to no avail. Speed doesn't exceed 1.4GB/s. To rule out other issues, I've booted a live CD image of Ubuntu 18.04.3 on the same system and ran iperf3 from there. I was getting about 9.85GB/s - which I expected.

Is there anything that I overlooked in OPNsense? Is it a module issue in FreeBSD?

Thanks!

4

18.7 Legacy Series / Re: Port Forwarding with Plex not working.

« on: September 13, 2018, 06:07:40 pm »

I'm trying to allow plex to access outside my home network, but it says it can't connect.

Plex is running in a docker container in `network_mode: host`, so no docker subnet.

I have a NAT rule :

Source port: 32400
Source IP: any
Destination port: 32400
Destination host: 10.0.1.11
Redirect target port: 32400
Redirect target IP: 10.0.1.11

But when I try to allow plex access outside my network, it fails to connect.

I am using the uPNP plugin in OPNsense and tell Plex to to talk to uPNP. this allows for rotating/randomized external ports.

5

18.7 Legacy Series / Re: separate VLAN for VPN

« on: September 13, 2018, 06:04:39 pm »

thanks - I will have a look at the logs...

6

18.7 Legacy Series / separate VLAN for VPN

« on: September 12, 2018, 04:35:08 am »

Hello,

I have the following setup working quite well:

VLAN 10 traffic is using default gateway
VLAN 20 traffic is going over VPN gateway (OpenVPN client interface)

What doesn't appear to work is to have one VLAN20 traffic rule to ANY with VPN gateway. External traffic via the VPN interface works fine, but LAN traffic doesn't get through as soon as I use a non-default gateway.

So, right now I have two rules for VLAN 20:
1. from VLAN 20 to local subnets via default gateway
2. from VLAN 20 to ANY via VPN gateway

For all local traffic, the first rule applies and if not non-local traffic, rule 2 sends it out via the correct gateway.

Now, I don't understand why local traffic gets blocked if I just have a simple VLAN 20 to ANY rule with VPN gateway. Something must change if the gateway is not the default one.

Any thoughts?

Thanks!

7

17.1 Legacy Series / Re: Upgrade from 16.7.14: Firewall rules doesn't works as before

« on: February 04, 2017, 10:58:34 pm »

Franco,

I can report the same issue:

I have one regular WAN gateway and another gateway (WAN-VPN) that's connected to an OpenVPN Client. VLAN 20 traffic is specifically routed through the WAN-VPN gateway, at least it used to be. In 16.7.14 it works fine, in 17.1 VLAN 20 traffic goes out the default gateway although the WAN-VPN gateway is specified.

No other changes were made. I took a snapshot of my OPNsense VM right before upgrading to 17.1. The issue disappears when I revert back to the snapshot.

Hope this helps

8

16.7 Legacy Series / Google Backup issue

« on: October 12, 2016, 03:58:38 am »

Hi

I've been using Google Drive Backup for a while. I've recently re-installed OPNsense and noticed a weird behavior. Configuration backup works and the config file is written into Google Drive and shows up in the folder.

However, when I look at the file, it appears encrypted. I've already tried creating a new P12 key and tried to upload it to OPNsense. After the file is uploaded, it shows P12 key (not loaded)... So not sure it takes it.

What could be wrong?

Thanks

9

16.7 Legacy Series / Re: 16.7 packages?

« on: August 30, 2016, 12:25:50 am »

I just need the bwm-ng and vnstat as program installed without GUI.

They run with a script in the background every 5 seconds to update the rackmount LCD stats (Down/Up Speed , OnPeak/OffPeak usage).

Have you tried lcdproc? I've had a rackmount LCD in passthrough mode a while ago and it worked with one of the lcdproc drivers. There's no plugin for lcdproc, but I have a FreeBSD 10.3 VM build environment and compiled lcdproc there. I just copied the files over to my opnsense machine and it worked beautifully.

10

16.7 Legacy Series / Re: OpenVPn (client) and gateway

« on: August 13, 2016, 03:15:30 pm »

I noticed the same.

11

16.7 Legacy Series / Re: Funky Gateway behaviour

« on: August 10, 2016, 02:33:42 am »

Nevermind. I noticed that I hadn't checked "Skip rules when gateway is down". The VPN interface/connection doesn't initialize fast enough on boot so gateway is marked as down and the next one was used before I fixed it.

Still have the issue of having to restart the OpenVPN client on the firewall once after boot to bring up the gateway

12

16.7 Legacy Series / Funky Gateway behaviour

« on: August 09, 2016, 06:12:03 pm »

Hello,

I have one regular WAN gateway and one OpenVPN gateway (WAN_VPN) that is connected to an OpenVPN client on the firewall. Further, I have a VLAN 20 interface. Then, the rules are such that VLAN 20 can only use the WAN_VPN interface.

Here's the funky part: When I reboot the OPNsense, the machines on VLAN20 go through WAN, not WAN_VPN. However, if I save any settings on the firewall, regardless of whether I changed something or not, suddenly the VLAN 20 machines will go through WAN_VPN as they should. ?!

I've turned off all rules in VLAN20 and the machines won't get out as they should. However, if I turn a rule just directing any VLAN 20 traffic out the WAN_VPN gateway and reboot, the same funky behaviour happens.

Default gateway switching is turned off (not ticked).

Any thoughts?

13

16.1 Legacy Series / Re: Routing apple Bonjour

« on: July 25, 2016, 08:08:17 pm »

Hi Guys,
i managed to get this fxed.
let me explain what happens,
i have created a group of the productions LAN and VLANS.
i've traced the Airprint package using wireshark and figured out there was deny rule.
so checked the firewall rules and found out that the Productions interface doesn't have a Allow Any to Any, just on each interface.
Because on Pfsense it does Works and OPNSENSE not, so i compared the configuration and i noticed the different between the setup of Pfsense and Opnsense is the group of the Interfaces.
after i created any to any rules on the productions interface printers shows up on the iPads/iPhone.
even the bonjour services is working now.
i dont know if it does works out of the box or mdns-rep package does the job.

so to sum up :

it's working now thank you guys for your support. and no 5353    UDP is open or NAT to the printer
i am ready to provide any log/informatie needed to help you guys understand the idea behind.

when creating a group of interfaces, does the rules on the interface side apply as first than the group firewall rules ?

Glad you got this running. i think mdns-repeater does the trick as even with any to any rules, broadcast packets get dropped.

14

16.7 Legacy Series / Re: Initial observations

« on: July 24, 2016, 05:33:50 pm »

We could fix this with a small startup script in the meantime if you like as I see that we won't be able to fix that in time for 16.7 anymore.

The initialisation order is correct in the code: lagg, vlan, openvpn so I think it could be a timing issue.


Cheers,
Franco

Hmm, I think you might be right. lagg might need a moment to connect (dynamic LACP). That could explain why there isn't an issue without lagg. Let's try the startup script.

Many thanks!

15

16.1 Legacy Series / Re: Routing apple Bonjour

« on: July 24, 2016, 05:04:29 pm »

I think we night to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. The might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.

If you can provide me the way of doing this, I'll appreciate it really .
Monday I'll ask the user about the printer using the mens-responder, if this is still not working we can try your PI and avahi.
I am sure the Anahi is working fine with the pfsense
Can you advise how to install avahi and configure it on the OPNsense ?
I'll be great full on having this fixed for our customer.

there's a pkg for pfsense but on OPNsense you need to build it from source from the ports. Avahi needs a build environment and a lot of dependencies and is rather difficult to build if you don't do this all the time.

for the RPi:

1. get a Raspberry Pi B+ 1, 2 or 3
2. Install Raspian as per www.raspberrypi.org, use the raspbian-lite image
3. Create a trunk port on your network switch with LAN and all VLANs that need mDNS
4. Connect your RPi to that port
5. SSH into your PI (default setting is dhcp so you should be able to find the IP in your DHCP server listing}
6. Update and upgrade: sudo apt update & sudo apt upgrade
7. Install vlan and avahi: sudo apt install vlan avahi-daemon
8. edit /etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
        post-up ifup eth0.XX [add one line per VLAN, XX is the VLAN ID]

iface eth0.XX net dhcp [add one line per VLAN]
9. edit the following lines in /etc/etc/avahi/avahi-daemon.conf:

uncomment and edit:
allow-interfaces=eth0,eth0.XX [add all interfaces here, separated by ",")

enable-reflector=yes

10. reboot: sudo reboot

Should work.