Topics - nlaird80

#1
16.7 Legacy Series / Unbound + DHCP + Subdomains
May 25, 2017, 08:58:07 PM
I cannot seem to determine if DHCP and Unbound can be set up to behave like I would prefer.

I have the OPN system on the domain arl.lab.xyz with hostname opnsense.
I have the LAN DHCP server set up to provide the domain lan.arl.lab.xyz
I have another interface called DEV set up to provide the domain dev.arl.lab.xyz
Both are different interfaces to different networks with different subnets naturally.

When I query DNS I can ask for opnsense.arl.lab.xyz no problem.
I have a client (client1) on the LAN interface, so its DHCP lease says it's client1.lan.arl.lab.xyz. HOWEVER, when I query DNS, this is invalid. It appears to be setting them as client1.arl.lab.xyz and ignoring the subdomain used in the DHCP server.

Is this a bug in the DHCP server setting values in unbound? All leases on all interfaces just get assigned to the domain of the system itself.
#2
16.7 Legacy Series / Xen WAN Performance Poor
September 28, 2016, 11:47:13 PM
Here is one puzzling me...
Network is simple. VLAN 1 is my WAN, VLAN 2 is my LAN.
OPNsense is on a VM in my Xen farm and connected to both VLANs via 10GbE.

If I put another VM on the LAN VLAN and iperf3 to/from the client and the OPNsense LAN IP, it hits 9.35Gbps. Great!
If I iperf3 to the WAN interface on OPNsense... same... fast!
If I iperf3 to a peer VM (just cloned my client and started iperf3 as a server) I get 9+ Gbps... great!
If I iperf3 from the same VM on the LAN to a system out on the WAN I get 600Kbps, and it sawtooths 600Kbps / 0 / 0 / 600 / 0 / 0 and averages 200Kbps overall.

So I ran iperf3 from the OPNsense VM directly to the same target and get 2.45Gbps and tons of retries. Thousands of retries per second... only on the WAN. LAN looks clean for retries (low numbers).

So I am thinking it is something with the NAT between the LAN/WAN.

I'm testing now removing NAT and just letting OPNsense route that way. Thankfully I don't NEED NAT on my network, but for my ultimate purpose I need NAT functional.

Will post results of getting NAT out of the loop.

Any ideas would be appreciated. I would blame Xen, but the LAN to LAN tests are super fast even from OPNsense to a client VM.

Let me know if anything needs clarifying. I was debating drawing it up as a diagram if needed.

EDIT: Turning off packet filtering totally and disabling NAT rule generation changed OPNsense to external WAN host iperf results from ~2.4Gbps to 3.0Gbps. Retries also went from around 5K down to 300 total.
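The post above compares iperf3 runs leg by leg (LAN to LAN clean at line rate, LAN to WAN a 600 Kbps / 0 / 0 sawtooth with thousands of retries per second) by eye. The script below, an added example and not part of the original post, does the same comparison from `iperf3 -J` JSON output: it reads the per-interval throughput and the sender's retransmit count, flags a run whose intervals mostly stall as a sawtooth, and flags a run with a high retransmit rate as lossy. The two reports embedded in it are constructed to mimic the figures in the post (the `make_report` helper only emits the fields `analyze` reads); they are not captures from the poster's network, and the thresholds are assumptions to be tuned per link.

```python
"""Parse `iperf3 -J` output and flag the sawtooth / retransmit pattern described above.

Added example: the two reports below are constructed, not captured from the
poster's network, and only mimic the shape of iperf3's JSON output.
"""
import json


def make_report(interval_kbps, interval_retransmits):
    """Build a minimal iperf3-style JSON report from constructed per-second data.

    Real iperf3 JSON has many more fields; only the ones analyze() reads are emitted.
    """
    intervals = [
        {"sum": {"start": i, "end": i + 1, "seconds": 1.0,
                 "bits_per_second": kbps * 1000, "retransmits": retr}}
        for i, (kbps, retr) in enumerate(zip(interval_kbps, interval_retransmits))
    ]
    return json.dumps({
        "intervals": intervals,
        "end": {"sum_sent": {
            "seconds": float(len(intervals)),
            "bits_per_second": sum(interval_kbps) * 1000 / len(intervals),
            "retransmits": sum(interval_retransmits),
        }},
    })


# Constructed samples modelled on the figures in the post: a clean LAN run near
# line rate, and a LAN-to-WAN run that sawtooths 600 Kbps / 0 / 0 with bursts of
# retransmits. Illustrative numbers, not real measurements.
LAN_JSON = make_report([9_350_000] * 6, [0, 1, 0, 0, 2, 0])
WAN_JSON = make_report([600, 0, 0, 600, 0, 0], [900, 0, 0, 850, 0, 0])


def analyze(report_json, stall_fraction=0.5, retrans_per_sec_limit=10.0):
    """Summarise one iperf3 JSON report and flag the failure modes from the post.

    sawtooth: at least stall_fraction of the 1 s intervals carried no data while
              others did (the 600 / 0 / 0 pattern).
    lossy:    retransmits per second above retrans_per_sec_limit (assumed
              threshold; the post saw thousands per second on the WAN leg and
              low numbers on the LAN leg).
    """
    r = json.loads(report_json)
    per_sec_kbps = [iv["sum"]["bits_per_second"] / 1000 for iv in r["intervals"]]
    stalled = sum(1 for k in per_sec_kbps if k == 0)
    total = r["end"]["sum_sent"]
    duration = total["seconds"]
    retrans_rate = total["retransmits"] / duration if duration else 0.0
    return {
        "avg_kbps": round(total["bits_per_second"] / 1000, 1),
        "peak_kbps": round(max(per_sec_kbps), 1),
        "stalled_intervals": stalled,
        "retransmits": total["retransmits"],
        "retrans_per_sec": round(retrans_rate, 1),
        "sawtooth": max(per_sec_kbps) > 0 and stalled / len(per_sec_kbps) >= stall_fraction,
        "lossy": retrans_rate > retrans_per_sec_limit,
    }


def compare(lan_json, wan_json):
    """Report which legs look broken; a clean LAN leg plus a broken WAN leg
    narrows the problem to the WAN path (filter/NAT/upstream) rather than the hypervisor."""
    lan, wan = analyze(lan_json), analyze(wan_json)
    return {
        "lan_ok": not (lan["sawtooth"] or lan["lossy"]),
        "wan_ok": not (wan["sawtooth"] or wan["lossy"]),
    }


if __name__ == "__main__":
    for name, rep in (("LAN->LAN", LAN_JSON), ("LAN->WAN", WAN_JSON)):
        print(name, analyze(rep))
    print(compare(LAN_JSON, WAN_JSON))
```

To use it on a real run, save the client output with `iperf3 -c <server> -J > run.json` and pass the file contents to `analyze`; run the same command for each leg (LAN to LAN, LAN to WAN, firewall to WAN) and feed the pairs to `compare`, repeating after each change (filter off, NAT rule generation off) so the retransmit rate and stall count can be compared across configurations instead of eyeballed.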
#3
16.7 Legacy Series / TOTP GUI restriction for Users
September 06, 2016, 10:02:30 PM
We allow our users of VPN to sign into the management GUI and only access the password management page. This lets them self-service a password change. What we would also like to allow is self-service for TOTP seeds (at a minimum the ability to get their QR). I cannot determine if there is already a permission in the access-control.

Any way to allow self-service for this? I would even be willing to accept self service to their own account management page (but not other users')

Thanks!
#4
I am having many issues with OPNsense in a virtual environment. What it boils down to is that when the packet filter is enabled and has any rules to allow traffic inbound, they do not work. If I drop the filter (pfctl -d) then the traffic flows. This happens in three different hypervisors with 16.1, 15.7, and the current Alpha.

A more specific example is if I open 443 to the WAN IP for management. Traffic is blocked. I can see the block on the firewall log even though there is a rule allowing the traffic. So I click the green arrow to create a new rule. The rule appears, and the traffic is still blocked. Once again if I disable the pf totally it works. It's baffling that I cannot get a virtualized copy working with the pf also fully functional.

Thoughts on where to look next? I created an OPT1 interface and put an allow-all-to-everywhere rule on it, and it seems to be working. My LAN segment is working with NAT for VM clients. I just can't open the WAN for anything. I'll gather and post any data that might be helpful if asked.

<EDIT>
Adding a floating rule seems to have allowed traffic through. My WAN rule (attached) and my layout (attached) should allow the client to talk to the server. The server can ping/ssh to the client no problem.
As for the floating rule: I added another allow-everything-to-everything rule and it started working.