Topics - part_time_nerd

#1
Hi all, at my parents' house I have set up OPNsense as a KVM guest in a small Linux home server. Two Intel Ethernet adapters are directly mapped from the Linux host system to the OPNsense instance. One is the uplink and one outputs 4 trunked vLANs which are then distributed throughout the house and to an AP via a switch (separate segments for trusted and untrusted server devices, parents and kids).

The KVM-virtualized firewall always wasn't the fastest, but for the task at hand ("fast enough for Netflix") the vLAN-to-vLAN throughput was good enough at about 100+ MBit/s.

However, after updating to 22.1, sending data from one vLAN to another through the OPNsense router (e.g. streaming from the fileserver to a tablet) has come down to a mere crawl, maxing out at about 300-500 kilobytes per second, with the permanent rate more at the lower end of that range. Once I swap in the backup image of 21.1, all is back to normal.

I have not changed any settings beyond the update. What could have gone wrong? Any ideas where to begin looking? Although I am quite proficient as a Linux user, my BSD experience is limited and outdated.
#2
Hi all,

a few months ago I started changing my home network for the (hopefully) better, beginning with the installation of OPNsense as the core router. My vanilla "one router, one subnet, one SSID" home network was replaced by a set of 5 subnets: one management (vLan 1), one private (2), one for kids (3), one for guests (4) and one for all the IoT crap I like but don't trust (vLan 5). Since this is a private side project it had to fit my sparse spare time, and since I encountered certain problems creating a proper external WLan AP solution for vLans 2-5, the router ran for months while we continued to use only vLan 1.

Now the AP is there and I have moved the 5-vLan setup to production. That went quite well so far, but now I get very strange routing problems on vLan 5: after some time running as expected, the subnet becomes inaccessible (from the management subnet: "no route to host"). When I reboot OPNsense, the routing turns back to normal and the subnet becomes available again. There are no scheduled firewall rules or anything of that sort in my configuration that I would be aware of. Moreover, I could not find any pfsense log entries that look suspicious around the time when the subnet becomes unavailable. Unfortunately my BSD knowledge is rather limited so I didn't look very far under the hood.

Facts that might be worth mentioning:
* vLan5 is trunked on the same LAN port as all other vLans, none of which exhibits this problem.
* It is, however, the only one of the vLans that is not WAN-routed by default; instead, single IPs get their tailored set of access rules to wherever they need to go.
* Allowed outgoing connections also die when the routing dies.
* Listing the routes in the OPNsense GUI "after the fact" still lists correct routes for the affected subnet.

Here is my version information:

OPNsense 17.7-amd64
FreeBSD 11.0-RELEASE-p11
OpenSSL 1.0.2l 25 May 2017

I'd appreciate any suggestions on how to tackle the problem and find the root cause of it.
#3
Hi all,

I just wanted to share with you the experiences I had trying to use the API in 17.1.

I am a fresh OPNsense user and I have my own, homegrown "dyndns" solution which includes a challenge-response authentication that I could not easily integrate with the mechanisms in the OPNsense GUI. So I needed to extract the WAN IP from the router for a custom script. I found the API section in the dev wiki and it seemed the perfect tool for the task.

However, after reading the nice examples I began searching for the API documentation ... and did not find any. I could not believe that this should be it, so I kept searching harder, but an hour later I had realized that the API docs are basically UTSL - so I cloned the source and grepped. Then I made a user for API access.
Since the API sections I had discovered did not intuitively match most of the rights that can be granted in the UI and I got lots of "Authentication error"s, I soon WTFed and granted all rights to it for the sake of exploration. Goodbye security. I did, however, not find a single API call that would allow me to simply extract the currently used WAN IP. After a lot of trying and cursing and at least three hours wasted, I disabled the API user, went to the shell and created a simple cronjob that greps the WAN IP from ifconfig and dumps it into a file named "ip" in the web root. Done in 10 minutes.

Base line:

Trying to use the API turned out to be a very frustrating endeavour for me, mostly because the wiki page made it look like being a lot more usable than it actually is.
If you have an API but no documentation whatsoever, please mention that in a prominent place. The fact that far from every part of OPNsense has API support should also be mentioned somewhere. If possible, the API should be extended in a way that authentication errors include information about which rights are missing to use a certain call.

Please note that this post is meant to be constructive criticism and not a personal insult. I am aware that this is open source and I am not entitled to demand anything. I thought, however, you might be interested in my experience.
#4
Hi all,

some time ago I decided our home network would need a bit more structure than just a Wifi router with Merlin on it. So I replaced our three switches with vLan-capable units and a piece of hardware with four Intel GBit ports for a router, and created a plan on how to put family, guests, kids, home automation and shady china hardware into separate networks for better manageability. I just had no experience with any OSS router distro, so I went searching. After some reading I decided to try OPNsense. I downloaded and installed 17.1 into a KVM guest with 3 of the network interfaces directly attached. It installed flawlessly, I created the required interfaces and routing, put it into the closet, and I am still able to write this little story. So far, it was a success.

Unfortunately, shortly after installing the router, the OPNsense GUI started to act strangely. I am using the default root user which I did not alter in any way (except the pw of course).

  • For example, in the dashboard, the GUI shows the IDS (suricata) as running (also, the console mentions it starting on boot). When I go to Services/IDS, it is "off". No rules are shown and no alerts. When I try to switch it to "on", the spinner in the "Apply" button starts spinning forever and that is it.
  • When I go to "Reporting/Insight", there is no graph drawn. The drop down in the lower graph shows two items: "401" and "Authentication failed". Resetting the RRD data in Settings did not fix it, but caused Reporting/Health to fail with a JS alert "Error while fetching RRD list". Maybe the latter is temporary.
  • When I go to "System/Firmware/updates" I can click on the "Check for updates" button. It then says "Checking... (may take up to 30 seconds)" ... forever. When I go to the "Packages" tab, I get "No packages were found on your system. Please call for help.". At this point I made a backup of the VM and went to the console, selecting "upgrade from console". It went on and installed roughly 50 packages (I did not recognize any suspicious error messages scrolling by \o/), effectively moving OPNsense from 17.1 to 17.1.3, and rebooted. However, all the GUI errors mentioned above are still present, which makes me wonder how to deal with this.
  • I found several other flaws which I will report separately.