OPNsense
Topics - compunction

1
Hardware and Performance / Large number of PF State Lookups?
« on: September 04, 2018, 07:13:45 pm »
I am seeing what appears to be 6 times the number of state lookups compared to my PPS.

If I look at I see an average of 600-1000 PPS over the last hour.

In `pfctl -s info` I see between 5000-7000 state lookups a second.

State Table                          Total             Rate
  current entries                      357
  searches                        21275522         5310.9/s
  inserts                            18675            4.7/s
  removals                           18318            4.6/s
Counters
  match                              20103            5.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s


I did tcpdump on my interfaces and I am not seeing any abnormal amount of traffic (broadcasts, multicast, etc.).  This appears to mainly be my Nest cameras sending video to mother Google.

I expected the PPS to be close to the state lookups numbers.  Am I missing something or is this normal?
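One way to put numbers on the question in this post: the Python below is an added example (not from the post, OPNsense or pf) that parses the `pfctl -s info` text above and reports searches per packet for a given PPS, the state churn, and any error counters that are not zero. The only input is the counter block copied from the post; the PPS figures are the ones the post quotes. One caveat worth keeping in mind when comparing the two numbers: pf runs a state lookup on every interface a packet crosses, so a packet forwarded from LAN to WAN is searched at least twice, and a single interface's PPS will always undercount the searches.

```python
import re

# Constructed sample: the "State Table" and "Counters" sections of
# `pfctl -s info`, with the numbers quoted in the post above.
PF_INFO_SAMPLE = """\
State Table                          Total             Rate
  current entries                      357
  searches                        21275522         5310.9/s
  inserts                            18675            4.7/s
  removals                           18318            4.6/s
Counters
  match                              20103            5.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
"""

# "  <name>   <total>   [<rate>/s]"; name may contain spaces ("current entries")
_ROW = re.compile(r"^\s+([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_pf_info(text):
    """Parse pfctl -s info into {section: {counter: (total, rate)}}.
    rate is None for rows without a /s column (e.g. 'current entries')."""
    stats, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Section header: "State Table   Total   Rate" or "Counters"
            section = re.split(r"\s{2,}", line.strip())[0]
            stats[section] = {}
            continue
        m = _ROW.match(line)
        if m and section:
            name, total, rate = m.groups()
            stats[section][name] = (int(total), float(rate) if rate else None)
    return stats


def lookups_per_packet(stats, pps):
    """State-table searches per packet, given the PPS observed on one interface."""
    return stats["State Table"]["searches"][1] / pps


def state_churn(stats):
    """(inserts/s, removals/s): how fast the state table turns over."""
    st = stats["State Table"]
    return st["inserts"][1], st["removals"][1]


def nonzero_error_counters(stats):
    """Counters other than 'match' that should stay at zero on a healthy box
    (state-mismatch, state-limit, memory, ...)."""
    return sorted(name for name, (total, _) in stats["Counters"].items()
                  if name != "match" and total > 0)


if __name__ == "__main__":
    s = parse_pf_info(PF_INFO_SAMPLE)
    for pps in (600, 1000):
        print("searches per packet at %d PPS: %.2f" % (pps, lookups_per_packet(s, pps)))
    print("inserts/s, removals/s:", state_churn(s))
    print("non-zero error counters:", nonzero_error_counters(s))
```

With the post's numbers this gives roughly 5.3 to 8.9 searches per packet, a churn of under 5 states per second, and no error counters, i.e. nothing in the counters themselves that points at a problem.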

2
General Discussion / Firewalling SLAAC hosts
« on: August 26, 2018, 08:08:20 am »
I recently got IPv6 working.  I am using Track Interface on my LAN interface as I do not have static IPs.  I am looking at setting up squid to do things like block YouTube during homework time.  I also need to do things like disable internet access at night to prevent them from sneaking and playing games etc.

I can do these things with IPv4, but I want to play with IPv6 to learn more.  Like I want to figure out how to force my IoT devices to use my secondary ISP connection (Multi-WAN), but with IPv6 and the lack of NAT, it's unclear how I would do this without preventing OPNsense from responding to router advertisements coming from these devices.  This is a topic for another day :).

I was hoping to be able to write firewall rules based on hostname, but as the SLAAC hosts are not getting addresses via DHCP, they are not in the DNS zone file.  With devices getting multiple IPv6 addresses that are not static, it's unclear to me how to write a firewall rule.

Any tricks for say using the MAC address and querying the NDP table?

3
18.7 Legacy Series / Thunderbolt or USB-C Ethernet Performance and/or interface recommendations
« on: August 14, 2018, 02:36:21 am »
I had a 1Gbps Comcast link installed today and set up multi-WAN with my existing 100Mbps AT&T link.  I got that all working and PBR on the firewall to split my traffic and failover.  But as I started testing speeds I noticed that my USB-C NIC maxes out at 60Mbps.  I assumed my AT&T connection was only capable of 60Mbps before, but now I am finding it's an interface issue (likely driver).  As I am using an Intel NUC, I only have one physical interface and I am using that on the LAN side, so I am stuck with Thunderbolt or USB-C for my WAN interfaces.  They are coming up as ue0 and ue1.

ugen1.4: <Realtek USB 10/100 LAN> at usbus1, cfg=1 md=HOST spd=SUPER (5.0Gbps) pwr=ON (64mA)
ugen1.5: <Realtek USB 10/100/1000 LAN> at usbus1, cfg=1 md=HOST spd=SUPER (5.0Gbps) pwr=ON (64mA)

I tried to see if another driver supported these NICs but that does not appear to be the case.

Does anyone have recommendations for different NICs
OR
Know how to boost the performance on the ones I have?

Thanks
Mark

4
17.7 Legacy Series / SSL inspection fails for some sites
« on: September 06, 2017, 08:20:22 pm »
I am trying to setup SSL inspection for a few machines on my network.  I setup Squid in transparent mode with port forward.  I am able to get to https://www.yahoo.com without issue but if I try to get to https://opnsense.org I get the following error in the cache.log.

2017/09/06 14:13:08 kid1| Error negotiating SSL connection on FD 26: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback (1/-1)

I am using an internal CA and I have imported the certificate into the browsers trusted root.

Any ideas?
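The "inappropriate fallback" text in the cache.log line above is OpenSSL's name for the RFC 7507 check: a client that retries a handshake at a lower protocol version includes the signalling cipher suite TLS_FALLBACK_SCSV (0x5600), and a server that supports a higher version than the one offered must reject that ClientHello. The log line alone does not say which side retried, so the example below only shows the rule itself. It is an added example, not Squid's or OpenSSL's code: it builds a minimal TLS 1.x ClientHello (zeroed random, no extensions, a made-up cipher list), parses it back and applies the server-side check.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600            # RFC 7507 signalling cipher suite value
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303


def build_client_hello(client_version, cipher_suites):
    """Constructed minimal TLS 1.x ClientHello record (no extensions).
    The random is zeroed and the session id empty; only the fields the
    fallback check needs are realistic."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                      # client random (zeroed here)
    body += b"\x00"                           # empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    # Record layer: content type 22 (handshake), legacy record version TLS 1.0
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                              # skip the random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip the session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_accepts(record, server_max_version):
    """RFC 7507 server rule: a ClientHello that carries TLS_FALLBACK_SCSV but
    offers a version below the server's highest one is an inappropriate
    fallback and must be rejected; anything else passes this check."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "inappropriate fallback"
    return "ok"


if __name__ == "__main__":
    # A browser-style retry at TLS 1.1 with the SCSV, against a TLS 1.2 server
    retry = build_client_hello(TLS1_1, [0x002F, TLS_FALLBACK_SCSV])
    print(server_accepts(retry, TLS1_2))      # rejected: inappropriate fallback
    print(server_accepts(retry, TLS1_1))      # ok: 1.1 is the server's maximum
```

The practical reading for a bump-in-the-wire proxy: the error appears whenever a client's first handshake fails for some other reason and the client retries lower with the SCSV set, so the cause is usually the failure that triggered the retry, not the fallback itself.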

5
17.1 Legacy Series / dnsmasq not picking up IPv6 hostnames?
« on: May 23, 2017, 08:00:57 pm »
Hello all, I am new to OPNsense and this is the first time I am playing with IPv6.  I want to write firewall rules based on hostname.  Therefore I want to make sure my hosts' IPv6 addresses are in DNS.  I have IPv4 working as expected, but the IPv6 addresses are not showing up in DNS.  I do see dnsmasq listening on my IPv6 space with this command line argument --listen-address=2602:306:<removed>, but no IPv6 addresses in /var/etc/dnsmasq-hosts.  I was looking for a guide on the wiki, but I do not see one :(.  What am I missing...

Thanks!
Mark
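Both this post and the "Firewalling SLAAC hosts" one above run into the same gap: SLAAC hosts never register with DHCP, so neither the firewall nor dnsmasq learns their addresses, and pf rules match on addresses, not MACs. The Python below is an added example, not OPNsense or dnsmasq code, of the trick asked about in the earlier post: read the NDP table, group addresses by MAC, and turn the result into a pf table update for rules and into hosts-file lines dnsmasq can read. The `ndp -an` text, the MACs, the 2001:db8 prefix, the interface name igb1, the table name and the hostname are all made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ndp -an` output in the FreeBSD/OPNsense column layout;
# addresses, MACs and the interface name are invented for this example.
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1%igb1                         00:11:22:33:44:55  igb1  permanent R
2001:db8:1::1                        00:11:22:33:44:55  igb1  permanent R
fe80::5eb1:2ff:fe0a:1234%igb1        5c:b1:02:0a:12:34  igb1  23h59m59s S R
2001:db8:1:0:5eb1:2ff:fe0a:1234      5c:b1:02:0a:12:34  igb1  23h59m58s S R
2001:db8:1:0:ad17:9c20:7b1e:4f01     5c:b1:02:0a:12:34  igb1  21m10s    S R
fe80::2%igb1                         (incomplete)       igb1  expired   I
"""


def parse_ndp(text):
    """Map each MAC in `ndp -an` output to the IPv6 addresses seen for it.
    Scope suffixes (%igb1) are stripped; incomplete entries are skipped."""
    table = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Neighbor":
            continue
        neighbor, lladdr = fields[0], fields[1].lower()
        if lladdr == "(incomplete)":
            continue
        table[lladdr].append(ipaddress.IPv6Address(neighbor.split("%")[0]))
    return dict(table)


def addresses_for_mac(table, mac, include_link_local=False):
    """Sorted textual addresses for one MAC. Link-local addresses are left out
    by default: they never appear in Internet-bound traffic."""
    addrs = table.get(mac.lower(), [])
    return sorted(str(a) for a in addrs
                  if include_link_local or not a.is_link_local)


def pfctl_table_replace(table_name, addrs):
    """Command that replaces the contents of an existing pf table, so rules
    written against the table follow the host's current addresses."""
    return "pfctl -t {} -T replace {}".format(table_name, " ".join(addrs))


def dnsmasq_hosts_lines(table, names):
    """hosts-file lines ("address hostname") for a {mac: hostname} map,
    the format dnsmasq reads with --addn-hosts."""
    lines = []
    for mac, hostname in names.items():
        for addr in addresses_for_mac(table, mac):
            lines.append("{} {}".format(addr, hostname))
    return lines


if __name__ == "__main__":
    ndp = parse_ndp(NDP_SAMPLE)
    cam = "5c:b1:02:0a:12:34"                  # made-up MAC of an IoT device
    print(pfctl_table_replace("iot_hosts", addresses_for_mac(ndp, cam)))
    print("\n".join(dnsmasq_hosts_lines(ndp, {cam: "nestcam1"})))
```

Two limits of this approach: the NDP table only holds neighbours the firewall has recently exchanged packets or neighbour discovery with, and privacy (temporary) addresses rotate, so the script has to run on a timer rather than once; and `pfctl -t ... -T replace` only works for a table that already exists in the loaded ruleset.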

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved