Messages - Hopmeister

#1
Thanks Franco, I'm reading that now. I still don't see how it's a kernel or tuneable issue: if IP can do 1GB, why can't it do the same under PPPoE?

It is cutting 50% of the speed/bandwidth.

:D
#2
Exactly. I've searched this morning for any fixes but can't seem to find anything about BTOR. Lots of VLAN101, no it's not, yes it is...

Just strange that in IP it's 1GB traffic and in PPPoE it's 250MB/s. I wonder what the overhead differences are?
#3
Romanian - Română / Re: pppoe slow
January 13, 2022, 11:00:17 AM
Natza,

Can I ask, what are your PPPoE tuneables please? I only get 250MBits over PPPoE
#4
That is what I have to do. ISP or Openwrt box at the ONT gives me full speed (500/73) and OPNsense only 250/73
#5
Hi,

Yes of course. The PPPoE only gives me 250MB/s from the ONT. If I put my ISP box or my Openwrt router into the ONT then I get full 500MB/s out of the OPNsense interface.

When I had 150/30 FTTP it wasn't an issue, but at 500/73 it is an issue as I only get 250/73. With ISP & Openwrt I get 500/73.

I've been told there are tuneables to try and mitigate this and will try them out in due course. Both of us work from home and do a lot of Teams calls so I can't investigate during the working day.
#6
Thank you Franco, I'll have a look. I did try one tuneable but it made it worse. I'll search and if I get any improvement I'll update my thread  8)
#7
Finally got it all working. The trick was /56 from BT and the /60 on OPNsense WAN. Then it all worked.

Openwrt:
/56 request from BT
IPv6 settings under DHCP - RA server mode, DHCPv6-Service server mode, NDP proxy hybrid, DHCPv6-Mode stateless & stateful

OPNsense:
WAN (igb0) IPv4 = DHCP
IPv6 = DHCPv6
DHCPv6 client config:
Config mode = basic
Request only IPv6 prefix = unticked (do not select)
Prefix delegation size = 60
Send IPv6 prefix hint = ticked/selected
Use IPv4 connectivity = ticked/selected

LAN (igb1 and others):
IPv4 type = static IPv4
IPv6 type = Track interface
Static IPv4 = 172.16.1.1 (or whatever you want)
IPv4 upstream gateway = auto-detect

Track IPv6 interface:
IPv6 interface = WAN
IPv6 Prefix ID = 0 (no idea what it does but it works)
Manual configuration = tick/selected

Hope that helps someone
8)
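
Added example, not code from the post or from OPNsense: it works out which /64 a "Track interface" LAN receives from a delegated prefix for a given Prefix ID, and how many /60s an upstream /56 can be split into. It assumes (the post does not say) that the OpenWrt box sub-delegates one /60 from its /56 to the OPNsense WAN, and that OPNsense reads the Prefix ID as a hexadecimal index into the /64s of that /60. The addresses are constructed from the 2001:db8::/32 documentation range.

```python
# Added example (not from the forum post): derive the per-LAN /64 that OPNsense's
# Track interface setting picks out of a delegated IPv6 prefix via "Prefix ID".
# Assumptions (not stated in the post): the OpenWrt box in front sub-delegates one
# /60 out of its /56 to OPNsense, and Prefix ID is a hexadecimal index into the
# /64s of that /60. All prefixes below are constructed documentation addresses.
import ipaddress


def subdelegations(isp_prefix: str, size: int) -> list:
    """All /`size` blocks an upstream router can hand out of the ISP-delegated prefix."""
    net = ipaddress.IPv6Network(isp_prefix)
    if size < net.prefixlen or size > 64:
        raise ValueError(f"cannot carve /{size} blocks out of {net}")
    return list(net.subnets(new_prefix=size))


def prefix_id_range(delegated: str) -> tuple:
    """Lowest and highest Prefix ID (hex strings) usable with a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    highest = 2 ** (64 - net.prefixlen) - 1
    return "0", format(highest, "x")


def is_valid_prefix_id(delegated: str, prefix_id: str) -> bool:
    """True if the hex Prefix ID selects a /64 that exists inside the delegated prefix."""
    try:
        pid = int(prefix_id, 16)
    except ValueError:
        return False
    _, highest = prefix_id_range(delegated)
    return 0 <= pid <= int(highest, 16)


def tracked_lan_prefix(delegated: str, prefix_id: str) -> ipaddress.IPv6Network:
    """The /64 a Track-interface LAN receives for the given Prefix ID."""
    if not is_valid_prefix_id(delegated, prefix_id):
        lo, hi = prefix_id_range(delegated)
        raise ValueError(f"Prefix ID {prefix_id!r} not in {lo}..{hi} for {delegated}")
    net = ipaddress.IPv6Network(delegated)
    # The /64s sit on 64-bit boundaries, so the ID is added to the upper 64 bits.
    base = int(net.network_address) + (int(prefix_id, 16) << 64)
    return ipaddress.IPv6Network((base, 64))


if __name__ == "__main__":
    isp = "2001:db8:abcd:ff00::/56"      # constructed: what the ISP hands the OpenWrt box
    blocks = subdelegations(isp, 60)
    print(f"{isp} splits into {len(blocks)} /60s; first two: {blocks[0]}, {blocks[1]}")
    opn = str(blocks[1])                  # constructed: the /60 the OPNsense WAN obtains
    print("Prefix ID range for", opn, "is", "..".join(prefix_id_range(opn)))
    for pid in ("0", "1", "f"):
        print(f"  Prefix ID {pid:>2} -> {tracked_lan_prefix(opn, pid)}")
```

With a /60 there are only sixteen /64s to choose from, so Prefix IDs run from 0 to f; each additional LAN or VLAN tracking the same WAN needs a distinct ID, and an ID outside that range is rejected rather than silently wrapping into someone else's block.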
#8
Hello all,

I was using my apu4d4 (4 GB DRAM, 4 i211AT NICs) with OPNsense as my standalone fw/router. I managed to get an FTTP bandwidth / speed increase from 150/30 to 500/73 for no extra cost.

I spent an hour castigating my ISP for only giving me 250MBits and they told me that the line is reporting 510MBits.
So I spent a long day doing tests.

The APU4 NICs will do 1GB/s in IP mode, but will only do 250 (ish) MBits in PPPoE mode. Traffic shaping does not affect the speed, only the bufferbloat score. I can get A+, A+, A+ but only at 250MBits. It will not go faster. When I use the ISP's router (IP not PPPoE) I can get 500MBits A+, A+, A+.

The final result is that in LAN / IP mode the NIC will run at 1 GB/s (near as) when it's connected to the ISP's router LAN port and when I use my other apu2e0 (2 GB DRAM, 2 i211AT NICs) with OpenWRT.

I finally found one post that stated that BSD has PPPoE issues and Linux (OpenWRT) does not. Is that true?

So I'm guessing that OPNsense does have a PPPoE issue, although it may be my hardware, but nothing I did would get the speed over 250MBits in PPPoE mode. I'm open to suggestions if it's possible as I'm trying to minimise boxes around the house, not increase them.

Thanks  ;D
#9
Hi yes,

The docs are not clear (to me, or I didn't see it or misunderstood them) in stating whether you need separate ports per client/peer or not. As I understood it, only different IPs were required. But that didn't work. Only one client would connect. They are very technical and some of the knowledge is or was above my own at the time.

Thanks for the reply, I will try and follow the official guide again once I'm home as I'm on holiday at the moment and needed to get it working so I can stream the football from my house to my laptop.

Thanks Greelan.
#10
Hello all,

APU4, OPNsense version 21.7.4, amd64


I have multiple laptops and phones (work and personal) in my household and I've had OpenVPN and OpenWRT working faultlessly for years, but I've decided to update my setup.

Setup is now FTTP (150/30) from ADSL FTTC, moved to OPNsense (APU4) as my main router/gateway and demoting the OpenWRT WRT3200 AP/switch to being a dumb AP, building VLANs (DMZ, IoT, work LAN and wife LAN) and getting them working (tricky little things).
Traffic shaping finally working, including getting bufferbloat A+ results, which was much easier on OpenWRT. I use Pihole but my wife loves the Google ads and searches so she has her own VLAN with no Pihole  ::) Keeps her happy.

It's been a long journey as both my wife and myself now have to work from home (thanks Covid) and I only have limited time to play / test / break / fix my networks, or risk the anger of an angry wife. So the WAF (wife acceptance factor) has to be so that she can't see I've upgraded.

I'm sure it can still be improved, but as of now it's working seamlessly and passed the WAF test  8)

After reading so many web sites and tutorials that my eyes have gone blind  8) I finally have it working. There are always one or two steps that are missing. There may be a different way, or many different ways, but this works for me, including with Unbound adblocking for the WireGuard peers (clients). I actually want to use Pihole in this chain but I've yet to work out the firewall & port forward rules for this, working multi-peer Wireguard was my priority.

This may be utterly obvious to those that are wise owls, but to someone always learning and new to WireGuard ONE missing step has had me baffled for weeks. I had a feeling it was firewall related, and it was!

You need to add rules to the WAN interface per WG* interface as well as rules for each WG* interface.


So I hope this helps someone else  ;D 8)

I will assume that you have one working road warrior into your wireguard server and now you want to add more devices. Once you have one fully working setup then it is just a matter of cloning the existing setting but increasing ports and interfaces to match.

I use the same server IP 10.0.0.1/24

Peers are:
10.0.0.2/32
10.0.0.3/32
10.0.0.4/32
10.0.0.5/32

Getting one peer (client) up and running is easy enough if you follow all the usual tutorials. It is getting multiple peers (clients) working as well that I'll explain. See below.

I will type up a nice step by step tutorial document over the next few weeks and post it on here. It's nice to be able to finally share knowledge back.

You need to add firewall rules on the WAN that match the ports you are using, so here is an example. These are the MISSING instructions from everything I have read so far.

Firewall WAN:
WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN

Now for the next bit, look at the interface number and port. They have changed  ;)

WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN
WG1 protocol ipv4/6, source *, port *, destination WAN address, port 51821, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN
WG2 protocol ipv4/6, source *, port *, destination WAN address, port 51822, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN

Repeat these incremental interface and port number steps for EVERY client (peer) that you want to access your WG server.


Also each interface has its own firewall rule, which are below the WAN rule on my server. Mine start with WG0, WG1, WG2, WG3 and WG4.

Rules are:
protocol ipv4/6, source WG0 net and description "WG0 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG1 net and description "WG1 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG2 net and description "WG2 inbound allow". All the other options are * (any).

NAT outbound rules:
Clone the rule for WG0 and adjust it to match the interface, i.e. WG1, WG2 etc.

DNS:
I have Unbound working on my OPNsense with adblocking. Make sure you add EACH interface that you want to use Unbound to the configuration.
Unbound / general / network interfaces

When you have completed all that, I go to the lobby page and restart wireguard-go.

After the missing WAN rules it's all working for me  8)

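Added example, not code from the post or from OPNsense: it builds the three rule sets the post describes (WAN pass rules, per-WG interface rules, outbound NAT) for any number of WireGuard instances, one UDP port each from 51820 upward, and then audits them for the slips that creep in when rules are cloned by hand. The dict field names are my own modelling of the GUI columns; since in the GUI the only link between a WAN rule and the WG instance it serves is the description text, the audit matches on that. The `posted_wan_rules` function reproduces the three WAN lines as they appear in the post, including the WG2 line whose description reads WG1.

```python
# Added example, not from the forum post or from OPNsense: generate and audit the
# rule set the post describes for N WireGuard instances (WG0, WG1, ...), one UDP
# port per instance starting at 51820. Rules are plain dicts mirroring the GUI
# columns (field names are this example's own). The only thing tying a WAN rule to
# its WG interface in the GUI is the description, so the audit keys on that text.

BASE_PORT = 51820  # WG0's port in the post; WG1 uses 51821, and so on


def wireguard_ruleset(n_instances: int, base_port: int = BASE_PORT):
    """Return (wan_rules, iface_rules, nat_rules) for WG0..WG<n_instances-1>."""
    wan_rules, iface_rules, nat_rules = [], [], []
    for i in range(n_instances):
        wg, port = f"WG{i}", base_port + i
        wan_rules.append({
            "interface": "WAN", "proto": "ipv4/6", "source": "*", "src_port": "*",
            "destination": "WAN address", "dst_port": port,
            "description": f"Allow {wg} remote access to the WireGuard VPN",
        })
        iface_rules.append({
            "interface": wg, "proto": "ipv4/6", "source": f"{wg} net",
            "destination": "*", "dst_port": "*",
            "description": f"{wg} inbound allow",
        })
        # Outbound NAT: the WG0 rule cloned with the interface swapped, as the post says.
        nat_rules.append({"interface": wg, "source": f"{wg} net", "translation": "WAN address"})
    return wan_rules, iface_rules, nat_rules


def posted_wan_rules() -> list:
    """The three WAN rules as listed in the post (constructed from its text)."""
    wan, _, _ = wireguard_ruleset(3)
    # The post's WG2 line carries a WG1 description: a typical copy-and-edit slip.
    wan[2]["description"] = "Allow WG1 remote access to the WireGuard VPN"
    return wan


def audit(wan_rules, iface_rules, nat_rules) -> list:
    """Return human-readable findings; an empty list means the three sets line up."""
    findings = []
    ifaces = [r["interface"] for r in iface_rules]
    for wg in ifaces:
        hits = [r for r in wan_rules if wg in r["description"].split()]
        if len(hits) != 1:
            findings.append(f"{wg}: expected exactly one WAN rule naming it, found {len(hits)}")
    ports = [r["dst_port"] for r in wan_rules]
    dupes = sorted({p for p in ports if ports.count(p) > 1})
    if dupes:
        findings.append(f"WAN rules share destination ports: {dupes}")
    missing_nat = sorted(set(ifaces) - {r["interface"] for r in nat_rules})
    if missing_nat:
        findings.append(f"no outbound NAT rule for: {missing_nat}")
    wrong_src = [r["interface"] for r in iface_rules if r["source"] != f"{r['interface']} net"]
    if wrong_src:
        findings.append(f"interface rule source does not match its interface: {wrong_src}")
    return findings


def render(rule: dict) -> str:
    """One GUI-style line per rule, in the order the post writes the columns."""
    return ", ".join(f"{k} {v}" for k, v in rule.items())


if __name__ == "__main__":
    wan, ifc, nat = wireguard_ruleset(3)
    for r in wan + ifc + nat:
        print(render(r))
    print("generated set:", audit(wan, ifc, nat) or "consistent")
    print("as posted:", audit(posted_wan_rules(), ifc, nat))
```

Run against the post's own WAN lines the audit reports that WG1 is named by two WAN rules and WG2 by none, which is exactly the kind of mismatch that leaves one peer unable to connect while every rule looks present. One design note: WireGuard itself serves many peers on a single listening port, so the post's one-instance-per-peer layout opens one extra UDP port per peer; the generator follows the post's layout rather than the single-instance one.
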
#11
20.1 Legacy Series / Re: VPN Passthrough
April 04, 2020, 05:59:37 PM
1723/TCP for the protocol. Thanks to Wikipedia https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol below:

A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a GRE tunnel to the same peer.
#12
20.1 Legacy Series / Re: VPN Passthrough
April 04, 2020, 05:50:17 PM
Hi Again,

OpenVPN this time. Go to:

firewall > NAT > port forward

Then add this:

Interface = WAN
TCP/IP Version = IPv4
Protocol = UDP
Source = leave as "advanced"
Destination = This Firewall
Destination port range = 41194
Redirect target IP = 192.168.1.1 (my wifi router)
Redirect target port = other and 41194
Pool options = default
Description = openvpn to wifi router
NAT reflection = Enable
Filter rule association = Rule NAT openvpn (it named itself)

Then SAVE and apply your changes.

The NAT rules made themselves automagically,

Hope that helps,

Hopmeister
#13
20.1 Legacy Series / Re: VPN Passthrough
April 04, 2020, 03:40:26 PM
I forgot to add I used nano to edit this file:

Add a line to the file /etc/sysctl.d/local.conf

    net.netfilter.nf_conntrack_helper = 1

and reboot the router
#14
Hi thea1ien,

I have openvpn passthrough and finally PPTP portforward working for my wife's work pc.

PPTP setup is as follows:
system > firmware > plugins - install this >> os-pptp (I rebooted after this)

Then go to:
firewall > NAT > portforward

Then add this:

Interface = WAN
TCP/IP Version = TCP/UDP
Source = (I put the actual IP of the server here)
Source port range = PPTP
Destination = This Firewall
Destination port range = PPTP
Redirect target IP = 192.168.1.1 (my wifi router)
Description = what ever you want to name the VPN
NAT reflection = Enable
Filter rule association = Rule it named itself

Then SAVE and apply your changes.

Then add this:

Interface = WAN
TCP/IP Version = IPv4
Protocol = GRE
Source = single host or network (I put the IP address of the PPTP server here)
Destination = This Firewall
Destination port range = PPTP
Redirect target IP = 192.168.1.1 (my wifi router)
Description = what ever you want to name the VPN
NAT reflection = Enable
Filter rule association = mine named itself

Then SAVE and apply your changes.

Then I rebooted.

On my OpenWRT router set up the port forwarding by going to:

networks > firewall > portforwards

Then edit accordingly:
Name = what you want to call your port forward rule
Protocol = I put TCP & UDP (I know it's not both but I've not changed it from testing yet)
Source zone = WAN
External port 1723
Destination zone = LAN
Internal IP address = ip of pc
Internal port = 1723

Save, apply. Then do the following (Thanks to WildCatRu on Openwrt forum) > https://forum.openwrt.org/t/solved-ar71xx-kernel-4-9-pptp-passthrough-not-working-tl-wr942n-v1/11162/15

Message 14/15:

I ssh'd into the wifi router and did this that way - the GUI wasn't working.

Install the packages

    opkg update
    opkg install kmod-nf-nathelper-extra

Add a line to the file /etc/sysctl.d/local.conf

    net.netfilter.nf_conntrack_helper = 1

and reboot the router

I'll do the Openvpn port forwards later on today.

Hope that helps.

I struggled for days on getting this working and it took the IT support team 2 weeks to actually tell me that it was PPTP and not L2TP so I could set up the correct port forwards.

regards,

Hopmeister