Topics - Hopmeister

21.7 Legacy Series / IPv6 BT Openreach FTTP, OpenWRT and OPNsense - SOLVED
« on: January 12, 2022, 06:23:27 pm »
Finally got it all working. The trick was /56 from BT and the /60 on OPNsense WAN. Then it all worked.

Openwrt:
/56 request from BT
IPv6 settings under DHCP - RA server mode, DHCPv6-Service server mode, NDP proxy hybrid, DHCPv6-Mode stateless & stateful

OPNsense:
WAN (igb0) IPv4 = DHCP
IPv6 = DHCPv6
DHCPv6 client config:
Config mode = basic
Request only IPv6 prefix = unticked (do not select)
Prefix delegation size = 60
Send IPv6 prefix hint = ticked/selected
Use IPv4 connectivity = ticked/selected

LAN (igb1 and others):
IPv4 type = static IPv4
IPv6 type = Track interface
Static IPv4 = 172.16.1.1 (or whatever you want)
IPv4 upstream gateway = auto-detect

Track IPv6 interface:
IPv6 interface = WAN
IPv6 Prefix ID = 0 (no idea what it does but it works)
Manual configuration = tick/selected

Hope that helps someone
 8)
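The "Prefix ID" on a tracked LAN picks which /64 out of the prefix delegated to the WAN that LAN receives (the GUI takes it as a hex value), and the post's /56-from-BT, /60-on-OPNsense chain is just two rounds of that carving. The following is an added example, not code from the post or from OPNsense, using a constructed documentation prefix to model the arithmetic:

```python
import ipaddress
import itertools

# Constructed example delegation in the documentation range, not a real BT prefix.
ISP_DELEGATION = "2001:db8:ab00::/56"   # what OpenWRT requests from BT


def lan_prefix_count(delegated: str) -> int:
    """How many /64 LAN prefixes fit inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; no SLAAC LAN fits")
    return 2 ** (64 - net.prefixlen)


def carve(parent: str, new_prefixlen: int, index: int) -> ipaddress.IPv6Network:
    """Return the index-th sub-prefix of length new_prefixlen inside parent.

    Models one hop of delegation: OpenWRT handing a /60 out of its /56 to
    OPNsense, or OPNsense handing a /64 out of its /60 to a tracked LAN.
    """
    net = ipaddress.IPv6Network(parent, strict=True)
    if new_prefixlen < net.prefixlen:
        raise ValueError(f"cannot carve a /{new_prefixlen} out of {parent}")
    count = 2 ** (new_prefixlen - net.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index:#x} out of range 0..{count - 1:#x} for {parent}")
    # subnets() yields sub-prefixes in address order; islice avoids building a huge list.
    return next(itertools.islice(net.subnets(new_prefix=new_prefixlen), index, None))


def track_interface_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a LAN set to 'Track interface' with this Prefix ID gets (assumed behaviour)."""
    return carve(delegated, 64, prefix_id)


if __name__ == "__main__":
    # Chain as in the post: BT /56 -> OpenWRT gives OPNsense a /60 -> LANs get /64s.
    opnsense_wan = carve(ISP_DELEGATION, 60, 1)
    print("OPNsense WAN delegation:", opnsense_wan)
    for prefix_id in range(lan_prefix_count(str(opnsense_wan))):
        print(f"Prefix ID {prefix_id:#x}: {track_interface_prefix(str(opnsense_wan), prefix_id)}")
```

A Prefix ID larger than the delegation allows (for a /60, anything above 0xf) raises, which is the check to run before wondering why a second LAN never gets an address.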

21.7 Legacy Series / PPPoE WAN (IGB0) max speed 250 MBits APU4D4
« on: January 12, 2022, 05:45:44 pm »
Hello all,

I was using my apu4d4 (4 GB DRAM, 4 i211AT NICs) with OPNsense as my standalone fw/router. I managed to get an FTTP bandwidth / speed increase from 150/30 to 500/73 for no extra cost.

I spent an hour castigating my ISP for only giving me 250MBits and they told me that the line is reporting 510MBits.
So I spent a long day doing tests.

The APU4 NICs will do 1GB/s in IP mode, but will only do 250 (ish) MBits in PPPoE mode. Traffic shaping does not affect the speed, only the bufferbloat score. I can get A+, A+, A+ but only at 250MBits. It will not go faster. When I use the ISP's router (IP not PPPoE) I can get 500MBits A+, A+, A+.

The final result is that in LAN / IP mode the NIC will run at 1 GB/s (near as) when it's connected to the ISP's router LAN port and when I use my other apu2e0 (2 GB DRAM, 2 i211AT NICs) with OpenWRT.

I finally found one post that stated that BSD has PPPoE issues and Linux (OpenWRT) does not. Is that true?

So I'm guessing that OPNsense does have a PPPoE issue, although it may be my hardware, but nothing I did would get the speed over 250MBits in PPPoE mode. I'm open to suggestions if it's possible as I'm trying to minimise boxes around the house, not increase them.

Thanks  ;D

Virtual private networks / Wireguard Opnsense (server) with 4 clients - finally working
« on: November 05, 2021, 10:42:32 am »
Hello all,

APU4, Opnsense version 21.7.4, Amd64


I have multiple laptops and phones (work and personal) in my household and I've had OpenVPN and OpenWRT working faultlessly for years, but I've decided to update my setup.

Setup is now FTTP (150/30) from ADSL FTTC, moved to Opnsense (APU4) as my main router/gateway and demoting OpenWRT WRT3200 AP/switch to now being a dumb AP, building VLANs (DMZ, IoT, work lan and wife lan) and getting them working (tricky little things).
Traffic shaping finally working, including getting bufferbloat A+ results, which was much easier on OpenWRT. I use Pihole but my wife loves the Google ads and searches so she has her own VLAN with no Pihole  ::) Keeps her happy.

It's been a long journey as both my wife and myself now have to work from home (thanks Covid) and I only have limited time to play / test / break / fix my networks, or risk the anger of an angry wife. So the WAF (wife acceptance factor) has to be so that she can't see I've upgraded.

I'm sure it can still be improved, but as of now it's working seamlessly and passed the WAF test  8)

After reading so many web sites and tutorials that my eyes have gone blind  8) I finally have it working. There are always one or two steps that are missing. There may be a different way, or many different ways, but this works for me, including with Unbound adblocking for the WireGuard peers (clients). I actually want to use Pihole in this chain but I've yet to work out the firewall & port forward rules for this, working multi-peer Wireguard was my priority.

This may be utterly obvious to those that are wise owls, but to someone always learning and new to WireGuard ONE missing step has had me baffled for weeks. I had a feeling it was firewall related, and it was!

You need to add rules to the WAN interface per WG* interface as well as rules for each WG* interface.


So I hope this helps someone else  ;D 8)

I will assume that you have one working road warrior into your wireguard server and now you want to add more devices. Once you have one fully working setup then it is just a matter of cloning the existing setting but increasing ports and interfaces to match.

I use the same server IP 10.0.0.1/24

Peers are:
10.0.0.2/32
10.0.0.3/32
10.0.0.4/32
10.0.0.5/32

Getting one peer (client) up and running is easy enough if you follow all the usual tutorials. It is getting multiple peers (clients) working as well that I'll explain. See below.

I will type up a nice step by step tutorial document over the next few weeks and post it on here. It's nice to be able to finally share knowledge back.

You need to add firewall rules on the WAN that match the ports you are using, so here is an example. These are the MISSING instructions from everything I have read so far.

Firewall WAN:
WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN

Now for the next bit, look at the interface number and port. They have changed  ;)

WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN
WG1 protocol ipv4/6, source *, port *, destination WAN address, port 51821, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN
WG2 protocol ipv4/6, source *, port *, destination WAN address, port 51822, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN

Repeat these incremental interface and port number steps for EVERY client (peer) that you want to access your WG server.


Also each interface has its own firewall rule, which are below the WAN rule on my server. Mine start with WG0, WG1, WG2, WG3 and WG4.

Rules are:
protocol ipv4/6, source WG0 net and description "WG0 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG1 net and description "WG1 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG2 net and description "WG2 inbound allow". All the other options are * (any).

NAT outbound rules:
Clone the rule for WG0 and adjust it to match the interface, i.e. WG1, WG2 etc.

DNS:
I have Unbound working on my opnsense with adblocking. Make sure you add EACH interface that you want to use Unbound to the configuration.
Unbound / general / network interfaces

When you have completed all that, go to the lobby page and restart wireguard-go.

After the missing WAN rules it's all working for me  8)
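The post's fix is really a consistency rule: every WG instance needs a WAN pass rule for its own listen port, a pass rule on its own interface, an outbound NAT rule and an Unbound listener. The following is an added example, not code from the post or from OPNsense, that models that rule set and audits a configuration for the gaps the post describes; it assumes the WAN rules are narrowed to UDP (WireGuard only speaks UDP), which is tighter than the any-protocol rules in the post:

```python
# Constructed sample data modelled on the post: consecutive instances and ports.
WG_INSTANCES = {"WG0": 51820, "WG1": 51821, "WG2": 51822, "WG3": 51823}


def expected_wan_rules(instances: dict) -> list:
    """The WAN pass rules the post's cloning procedure produces, one per instance."""
    return [{"iface": "WAN", "proto": "udp", "dst": "WAN address", "port": port,
             "descr": f"Allow {name} remote access to the WireGuard VPN"}
            for name, port in instances.items()]


def audit(instances: dict, wan_rules: list, iface_rules: set,
          nat_ifaces: set, unbound_ifaces: set) -> list:
    """Return one finding per missing piece; an empty list means the set is complete."""
    findings = []
    seen_ports = {}
    for name, port in instances.items():
        # Two instances on one listen port would silently steal each other's handshakes.
        if port in seen_ports:
            findings.append(f"{name}: listen port {port} already used by {seen_ports[port]}")
        seen_ports.setdefault(port, name)
        wan_ok = any(r["iface"] == "WAN" and r["proto"] == "udp"
                     and r["dst"] == "WAN address" and r["port"] == port
                     for r in wan_rules)
        if not wan_ok:
            findings.append(f"{name}: no WAN pass rule for udp/{port}")
        if name not in iface_rules:
            findings.append(f"{name}: no pass rule on the {name} interface itself")
        if name not in nat_ifaces:
            findings.append(f"{name}: no outbound NAT rule, peers get no internet")
        if name not in unbound_ifaces:
            findings.append(f"{name}: Unbound not listening on {name}, peer DNS fails")
    return findings


if __name__ == "__main__":
    # Reproduce the post's failure: everything cloned except the WAN rule for WG2.
    rules = [r for r in expected_wan_rules(WG_INSTANCES) if r["port"] != 51822]
    every = set(WG_INSTANCES)
    for finding in audit(WG_INSTANCES, rules, every, every, every):
        print(finding)
```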

