Topics - dp

#1
I have been informed that the shaping project is not a priority as there is no demand for it from the community. I find this a bit odd as I see a lot of products on the market to do just this. It would be nice if those of you who would like to see true shaping and blocking per segment would please make your voices heard. Commenting here is one way, but email them and tell them.

Now when I say shaping I am referring to being able to do things such as limit bandwidth to a network or group of networks. But not just anything, but per application. So I can restrict YouTube or video streaming to a set amount in total or per person, but not to exceed x amount for the entire group. And at the same time allow the same YouTube traffic to certain hosts with no restriction. I also want to block applications for some groups but allow them for others. Also prioritize traffic in group A of a certain type or application over traffic in another group.

So it is not simply blocking of an app or things like P2P, but creating limits on apps and prioritizing the traffic. To my knowledge there are no shaping plugins for OPNsense.

So please speak up and spread the word. If we are to ever see shaping we need to be heard.

Thanks.
#2
Dazed and confused here.

I am on 21.1.4 with an HA setup. I added a NAT today and applied it to the active firewall. Then I did a sync to the passive. Then one of our websites went down. I did a failover to the passive and it came back up. The weird part is that even after a reboot of the active it still blocks traffic to the web server. Swap to the passive unit and the site is back online. Nothing in the logs stands out. I did have an issue with GEOIP, as it appears the zip file is bigger now, but I just increased the Max Table Entry size and it is happy again.

The configurations show as synced, so I am completely puzzled why it works on one and not the other, even after a reboot. These are running on physical servers with two 1 Gig interfaces in a LAGG for WAN and two 1 Gig interfaces in a LAGG for LAN.

I have not updated yet as we are building new servers on new hardware with 10 Gig interfaces to replace the older hardware.

Has anyone ever seen anything like this? I am even at a loss as to what to search for in the forum. I will pull any logs you want to see.

Thanks.
#3
Upgraded the firewalls last night to 20.7.2. HA setup with broken failover (another story/bug). All was well and traffic was flowing without issue. Then at 9:42 the firewall stopped passing traffic. My boss had to go pull the cables on the active firewall to force it to fail over to the HA unit. At this point I am concerned that I will have the same failure in the backup unit.

The only plugins I am running are Sensei and Mail Backup. No IDS. The only information I can find on this entry is tied to netmap incompatibility with the NIC. The card is a four port HP card that reports as an Intel Pro 1000.

From the general logs:

2020-09-23T09:45:19   /flowd_aggregate.py[71076]   vacuum src_addr_000300.sqlite
2020-09-23T09:42:28   kernel   548.444820 [1787] netmap_ring_reinit called for em0 RX0
2020-09-23T09:42:28   kernel   548.444791 [1742] nm_rxsync_prologue em0 RX0: fail 'head < kring->nr_hwcur || head > kring->nr_hwtail' h 301 c 301 t 300 rh 301 rc 301 rt 300 hc 300 ht 300
2020-09-23T09:39:50   /flowd_aggregate.py[71076]   vacuum src_addr_details_086400.sqlite
2020-09-23T01:54:49   opnsense[46459]   /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with https://10.101.0.16/xmlrpc.php.
2020-09-23T01:54:48   kernel   arp: 00:24:81:7e:1c:c3 is using my IP address 164.106.234.141 on lagg1!
#4
I need to do some testing with a few weird configurations that are not possible from the GUI or the console menu. When I research configuration of the interfaces, most sites send me to rc.conf to enter the configuration. However, when I look at that file it is empty, so that means OPNsense is doing it differently. Is there any documentation, if it is even possible, on how to do this?

As a side note, I do see most of the configuration in the xml file and know most of it is parsed from there and written to the system at boot time. Is there any documentation of what can be added to the xml file?
#5
I tried to search on this but got no leads. More and more equipment now comes with an out-of-band management interface. I know you can set up a third interface for management, but unless it is isolated from the routing table somehow there are issues with routing on that interface and asymmetrical routing when trying to talk to that interface. Is there a way to create an interface that does not participate in the main routing of the firewall?

And yes, I often miss things that are right in front of my face, so if I did in this case please point me in that direction. This is going into main production next week and I am having to drink from the fire hose to learn it in time.

Thanks