Messages - packet loss

#2
I would use upnp and not port forwarding. Install the os-upnp plugin. The plugin is a webgui front-end for miniupnpd that will be installed once you install the os-upnp plugin. You can configure it under Services -> Universal Plug and Play.

Hopefully you have your Xbox and PC set up with static IP addresses. Under upnp settings make sure default deny is selected as well as upnp. In the access list add your Xbox and PC.

allow 1024-65535 192.168.1.121/32 1024-65535 <-- your Xbox IP
allow 1024-65535 192.168.1.122/32 1024-65535 <-- your PC IP

The Xbox and PC will be the only devices that can use upnp with the default deny rule selected. You won't see it, but part of the miniupnpd.conf file would look like this:

allow 1024-65535 192.168.1.121/32 1024-65535 <-- your Xbox IP
allow 1024-65535 192.168.1.122/32 1024-65535 <-- your PC IP
deny 0-65535 0.0.0.0/0 0-65535 <-- this default deny will prevent any other LAN device from using upnp

upnp should work for you. If both your sons play the same game at the same time this may pose a problem with keeping an open NAT.

You will also need to set outbound NAT to hybrid and add 2 outbound rules, one for your Xbox and one for your PC with outbound static-ports.
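As an added illustration (not part of the original post), the following Python evaluates miniupnpd access-list lines of the form shown above the way miniupnpd does: rules are checked in order, the first matching rule decides, and a mapping request that matches no rule is permitted, which is why the trailing deny line is needed. The sample rules are the two allow lines plus the default deny from the post; the client addresses and ports in the checks are constructed.

```python
import ipaddress

# Constructed from the rules quoted in the post ('#' comments are miniupnpd's own comment syntax).
ACL = """
allow 1024-65535 192.168.1.121/32 1024-65535   # Xbox
allow 1024-65535 192.168.1.122/32 1024-65535   # PC
deny 0-65535 0.0.0.0/0 0-65535                 # default deny for every other LAN host
"""


def _port_range(spec):
    """'1024-65535' -> (1024, 65535); a single number means a one-port range."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_acl(text):
    """Parse 'allow|deny <ext ports> <ip/mask> <int ports>' lines into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action == "allow", _port_range(ext),
                      ipaddress.ip_network(net, strict=False), _port_range(internal)))
    return rules


def mapping_allowed(rules, client_ip, ext_port, int_port):
    """First matching rule wins. With no matching rule miniupnpd accepts the
    request, so a rule set without the final deny line is effectively open."""
    addr = ipaddress.ip_address(client_ip)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow
    return True


if __name__ == "__main__":
    rules = parse_acl(ACL)
    for host in ("192.168.1.121", "192.168.1.122", "192.168.1.50"):
        print(host, "ext 3074 -> int 3074:", mapping_allowed(rules, host, 3074, 3074))
```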
#3
This is someone who is posting erroneous results with manually edited times with a Subject "Bad OpenVPN performance. aesni not working" so it would be an eye catcher on the forum. Here are results from my OpenBSD 6.8 firewall which is using LibreSSL 3.2.2:

bsd# openssl speed -elapsed -evp aes-256-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 77539523 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 38732198 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 9877820 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 1024 size blocks: 2479467 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 310218 aes-256-cbc's in 3.01s
LibreSSL 3.2.2
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     413330.92k   823613.83k   840124.81k   843534.86k   844312.02k

You can see the times on the right side are all around 3 seconds for my tests. It would seem cybernik is here to spread misinformation and make it seem OPNsense performs poorly compared to pfSense, which is not the case as shown by opnfwb.
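The consistency check the post makes by eye, as an added example that is not part of the original post: each "Doing ... in Ns" line of openssl speed output carries the operation count, block size and elapsed time, so the kB/s figure in the summary row can be recomputed and compared with what is reported. The first sample is the output quoted above; the second is a constructed run in which the elapsed time has been edited without touching the count, which the check flags.

```python
import re

DOING_RE = re.compile(
    r"^Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s$")

# Genuine output quoted in the post above.
GENUINE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 77539523 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 38732198 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 9877820 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 1024 size blocks: 2479467 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 310218 aes-256-cbc's in 3.01s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     413330.92k   823613.83k   840124.81k   843534.86k   844312.02k
"""
# Constructed sample: elapsed time edited to 1.50s, count and summary left as they were.
TAMPERED = """\
Doing aes-256-cbc for 3s on 16 size blocks: 77539523 aes-256-cbc's in 1.50s
type             16 bytes
aes-256-cbc     413330.92k
"""


def parse_speed(text):
    """Return {block_size: [count, nominal_s, elapsed_s, reported_kBps]}."""
    runs, cipher = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DOING_RE.match(line)
        if m:
            cipher = m.group(1)
            runs[int(m.group(3))] = [int(m.group(4)), int(m.group(2)), float(m.group(5)), None]
        elif cipher and line.startswith(cipher + " "):
            # summary row: one "<n>k" column per block size, ascending block size
            cols = [float(c[:-1]) for c in line.split()[1:] if c.endswith("k")]
            for block, kbps in zip(sorted(runs), cols):
                runs[block][3] = kbps
    return runs


def check_speed_output(text, time_tol=0.05, rate_tol=0.01):
    """Per block size: True when the elapsed time is within time_tol of the nominal
    duration and the reported kB/s agrees with count*block/elapsed within rate_tol."""
    result = {}
    for block, (count, nominal, elapsed, reported) in parse_speed(text).items():
        computed = count * block / elapsed / 1000.0
        time_ok = abs(elapsed - nominal) / nominal <= time_tol
        rate_ok = reported is not None and abs(computed - reported) / reported <= rate_tol
        result[block] = time_ok and rate_ok
    return result
```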
#4
General Discussion / Re: Traffic Shaping
April 10, 2021, 08:08:09 PM
OPNsense does have traffic shaping which will help with bufferbloat.

https://docs.opnsense.org/manual/shaping.html

shaper -> pipes | queues | rules

Under the rules tab you can specify IP addresses or subnets.
#5
When I recently tested ntopng I installed the plugin, which was at version 3.4.0. I opened the ntopng webui and a popup window appeared asking if I wanted to update to the latest 4+ version. I clicked on update but it didn't update and instead sent me to the ntop website. I found instructions on the ntop website on how to update to the latest version:

https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html

You can install the enterprise version, and although it's just a demo, you can revert to the community edition by going to the OPNsense webui and under Services -> ntopng -> License check the community edition checkbox. All this information is provided in the link above.

I wasn't able to test it long and it seemed to work fine.
#6
I use the following rules on OpenBSD to prevent incoming and outgoing packets from a single IP on my LAN to the Internet. The rules should be very similar on OPNsense. These rules needed to be evaluated before the network address translation rules; otherwise it wouldn't work for me.

block quick on $WAN from any to 192.168.1.101
block quick on $WAN from 192.168.1.101 to any

Unfortunately at this time, I'm unable to test OPNsense to see if the rules would work.
#7
21.1 Legacy Series / Re: Having some UPnP issues.
April 03, 2021, 03:17:59 PM
Quote from: zyon on April 03, 2021, 12:20:45 PM
Why not just create an alias group for devices and ports?
Then port forward with the group; you're already in hybrid NAT.

And remove upnp ;)

This is just not feasible in a gaming household. Too many games, too many consoles and PCs running at the same time playing games. The amount of ports one would have to port forward would be unreasonable.

But as cranky has shown, what you are suggesting is an alternative method that does work. Although, it's just not suitable for my network.
#8
21.1 Legacy Series / Re: Having some UPnP issues.
April 03, 2021, 05:06:54 AM
Quote from: thecodemonk on April 02, 2021, 05:29:23 PM
And in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled.

ZPrime, he already has his outbound NAT using hybrid mode with a single rule with static-ports for his entire LAN network.

thecodemonk, I recently installed OPNsense within the last week and configured everything manually. I use upnp as well and also noticed no mappings were shown under upnp -> status. So I was experiencing the same issue as you. I reinstalled the upnp plugin. That did not seem to fix the issue. I then reinstalled miniupnpd under packages and then rebooted OPNsense. After that, mappings started to show up under upnp -> status.

Make sure you reboot your consoles or PC. I've noticed my Xbox or PS5 won't send AddPortMapping requests after they are up and running so no port mappings will show up in OPNsense until you reboot. But this isn't always the case.

Let me know if this works for you.
#9
You can't, unfortunately. This applies to OpenBSD as well. It's just not possible until miniupnpd implements the appropriate code for pf. Most of the miniupnpd iptables and netfilter code was contributed to the project by other coders to make it fully functional under Linux. Playing the same game using multiple PCs or consoles of the same type just won't work at this time with a BSD based distro using pf.

This is a miniupnpd limitation for pf based packet filtering and not a pfSense or OPNsense caused limitation. It's not something that pfSense or OPNsense can fix on their end. Also, the IPFILTER (ipf) and IPFW code that FreeBSD uses is outdated in the miniupnpd repository and hasn't been updated for about 9 years now. BUT you're still golden when it comes to gaming with one PC or a single console.

I'm not trying to blame the miniupnpd developer. He clearly doesn't use BSD distros for testing purposes, and most of the information he obtains is from bugs posted to his repository referencing miniupnpd not working properly with pfSense.

A Linux based firewall/router with miniupnpd is the only working solution for playing the same game with multiple consoles of the same type or multiple PCs. That's why consumer grade routers (Asus, Netgear, etc.) using Linux with miniupnpd work great.
#10
20.7 Legacy Series / Re: Command prompt in webgui
March 27, 2021, 03:31:43 PM
Quote from: jahyde on March 24, 2021, 08:14:49 PM
Actually - this is the only reason (speedtest) I ever use that feature.... would it be possible to integrate some plugin to run /usr/local/bin/speedtest

There is currently work being done on a speedtest plugin by mihakralj. To follow the progress see the following pull request:

Initial pull request for the speedtest plugin #2298
#11
abcuser2021's sole purpose here is to spread misinformation with an attempt to discredit OPNsense.

Linux, OpenBSD, Windows, FreeBSD and others normally don't provide up-to-date downloads unless you download current snapshots or experimental builds. One must download the release version and then install all the updates.

If you're getting hacked you have some serious problems not related to OPNsense.
#12
I haven't had the time to test alternative methods. It's also probably been over a year since I installed OPNsense, and I believe there have been quite a few changes to the install process. I'm thinking the below should also work:

From console menu
1. install
2. reboot
3. restore

I'm glad you got it to work. Saved me a lot of time last time I did it. There's also a recent bug reported regarding importing an encrypted backup, #4861. Maybe some potential issues may be resolved during the code audit.
#13
I recall being able to import mine. I think I did a complete install but didn't really configure anything beyond getting past the point of the initial install. Then from the shell I ran the opnsense-importer to import my config.xml from a USB drive and then rebooted.
#14
Anyone happen to be using Suricata or a RealTek NIC?
#15
21.1 Legacy Series / Re: opnsense not detecting 25Gb NIC
February 14, 2021, 01:58:30 AM
lite it's probably a good idea to change the subject of your post to [SOLVED] opnsense not detecting 25Gb NIC at this point.