Topics

1

General Discussion / In General ?

« on: September 11, 2021, 09:11:06 pm »

Hello everybody, I try to solve a couple of thoughts and questions around Opnsense;


1. Outgoing rules
I think about outgoing rules and wonder why it is default to allow all traffic...Mabye it was a marketing decision for a good start for new users ?
From my perspective a fw. should drop all outgoing traffic default = equally to incoming traffic and following up and just based on specific needs opening specific ports/ranges and protocols to specific hosts or networks; I would set my bots or malware to call back via port 53, 80, 443, 123, etc. right ?

2. Proxy
Is it still appropriate to use a proxy (2021) or a good idea and if why to use caching for http traffic in terms of performance or security ?
If I use unbound with eg. quad9 as a resolver against malware + blacklist against ad and malware why I also or need to use the blacklist on a proxy level as well ?
I like the idea of blocking traffic on a dns basis in general. Please do not get me wrong I just try to understand and to evaluate the benefit of using a proxy in terms of security and performance except the killa feature of using http inspection as well as ssl inspection = which is a full time job to maintain indeed and also depends on the  scan engines are in use for a proper feeling of security ./ 
   
3. How to completely disable ipv6 in a proper way on Opnsense ?

4. Wireguard
Is there something coming up with 22.1 in terms of kernel module and or a wrapper for User management ?

2

21.7 Production Series / Unbound behavior in General

« on: August 08, 2021, 05:39:05 pm »

Hello,

Imho I try to understand the default behavior of unbound on a default installation basis of Opnsense to decide which setup is recommended for my needs.

Unfortunately I was not able to find an equal documentation entry for Opnsense, Pfsense doc snip:

By default, the DNS Resolver queries the root DNS servers directly and does not use DNS servers configured under System > General Setup or those obtained automatically from a dynamic WAN. This behavior may be changed, however, using the DNS Query Forwarding option. By contacting the roots directly by default, it eliminates many issues typically encountered by users with incorrect local DNS configurations, and the DNS results are more trustworthy and verifiable with Domain Name System Security Extensions (DNSSEC).

Is it equal on Opnsense ?
Which results from a dhcp client perspective, the client gets the Opnsense ip as a dns server and Opnsense queries directly the root dns servers ?

If so, it means that the entries under System: Settings: General are getting ignored and will be never used unless I activate the DNS Query Forwarding option  Enable Forwarding Mode  true If I eg. wann use Quad9 there ?

Further I am pretty curious about the dns behavior If I start using Unbound DNS: DNS over TLS - Does this overrule all other dns rel. settings and if in which way ?

Thanks and Best !

3

Hardware and Performance / New OpnSense Netboard A20

« on: March 08, 2021, 10:21:35 am »

Hello,

Just found the new Hardware from OpnSense and I am pretty impressed:
https://shop.opnsense.com/product-categorie/hardware-appliances/

Does it use Core Boot ?
Is anybody using this already and is willing to share experience and or benchmarks ?

Thx & Best

4

21.1 Legacy Series / UFS > ZFS

« on: March 08, 2021, 09:37:33 am »

Hi,

is this on the roadmap ?

Best & greets

5

20.7 Legacy Series / Unbound - Blacklists in General ?

« on: September 05, 2020, 05:04:17 pm »

Hi,

I like the idea of blocking on dns level and now I am trying to understand how this is intendent to work here-

Eg. If I just want to use the predefined ones, I simply select eg. all check the enable button and done?
Doesn't look like....so I tried to schedule to download the unblound dsbl predefined ones, still no luck....

Or is it really necessary to extra add the corresponding urls. for the predefined ones as well....I thought its intendent for custom ones....Don't get it 

Thx & Best

6

Hardware and Performance / Squeezing APu2 - Performance

« on: September 03, 2020, 04:38:24 pm »

Hi,

I already tried a few tings but want to start from scratch so I resetet the opnsense 20.7.2 to factory defaults and everything except the wizard is untouched.

These are the bios settings (v4.12.0.3)

Code: [Select]

Boot order - type letter to move device to top.

  a USB
  b SDCARD
  c mSATA
  d SATA
  e mPCIe1 SATA1 and SATA2
  f iPXE (disabled)


  r Restore boot order defaults
  n Network/PXE boot - Currently Disabled
  u USB boot - Currently Enabled
  t Serial console - Currently Enabled
  k Redirect console output to COM2 - Currently Disabled
  o UART C - Currently Enabled
  p UART D - Currently Enabled
  m Force mPCIe2 slot CLK (GPP3 PCIe) - Currently Disabled
  h EHCI0 controller - Currently Disabled
  l Core Performance Boost - Currently Enabled
  i Watchdog - Currently Disabled
  j SD 3.0 mode - Currently Disabled
  g Reverse order of PCI addresses - Currently Disabled
  v IOMMU - Currently Disabled
  y PCIe power management features - Currently Disabled
  w Enable BIOS write protect - Currently Disabled
  x Exit setup without save
  s Save configuration and exit

First I connected my macbook via cat6 to the apu board on the lan port and wondering a bit about the ping times:

Code: [Select]

64 bytes from 192.168.1.1: icmp_seq=7 ttl=64 time=1.037 ms
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.798 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.988 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=1.153 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=1.072 ms
64 bytes from 192.168.1.1: icmp_seq=12 ttl=64 time=0.755 ms
64 bytes from 192.168.1.1: icmp_seq=13 ttl=64 time=1.318 ms
64 bytes from 192.168.1.1: icmp_seq=14 ttl=64 time=0.911 ms
64 bytes from 192.168.1.1: icmp_seq=15 ttl=64 time=0.624 ms
Then I run iperf3 against the apu default:

Code: [Select]

./iperf3 -c 192.168.1.1             
Connecting to host 192.168.1.1, port 5201
[  4] local 192.168.1.100 port 61123 connected to 192.168.1.1 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  35.2 MBytes   295 Mbits/sec                 
[  4]   1.00-2.00   sec  34.5 MBytes   289 Mbits/sec                 
[  4]   2.00-3.00   sec  34.8 MBytes   292 Mbits/sec                 
[  4]   3.00-4.00   sec  35.4 MBytes   297 Mbits/sec                 
[  4]   4.00-5.00   sec  35.5 MBytes   298 Mbits/sec                 
[  4]   5.00-6.00   sec  35.4 MBytes   297 Mbits/sec                 
[  4]   6.00-7.00   sec  35.4 MBytes   297 Mbits/sec                 
[  4]   7.00-8.00   sec  35.8 MBytes   301 Mbits/sec                 
[  4]   8.00-9.00   sec  35.5 MBytes   298 Mbits/sec                 
[  4]   9.00-10.00  sec  35.5 MBytes   298 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   353 MBytes   296 Mbits/sec                  sender
[  4]   0.00-10.00  sec   353 MBytes   296 Mbits/sec                  receiver

And again with -P 2 -t 20

Code: [Select]

./iperf3 -c 192.168.1.1 -p 5201 -P 2 -t 20
Connecting to host 192.168.1.1, port 5201
[  4] local 192.168.1.100 port 61125 connected to 192.168.1.1 port 5201
[  6] local 192.168.1.100 port 61126 connected to 192.168.1.1 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  34.5 MBytes   290 Mbits/sec                 
[  6]   0.00-1.00   sec  35.1 MBytes   294 Mbits/sec                 
[SUM]   0.00-1.00   sec  69.7 MBytes   584 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   1.00-2.00   sec  33.8 MBytes   284 Mbits/sec                 
[  6]   1.00-2.00   sec  34.6 MBytes   290 Mbits/sec                 
[SUM]   1.00-2.00   sec  68.4 MBytes   574 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   2.00-3.00   sec  34.0 MBytes   286 Mbits/sec                 
[  6]   2.00-3.00   sec  35.1 MBytes   294 Mbits/sec                 
[SUM]   2.00-3.00   sec  69.1 MBytes   580 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   3.00-4.00   sec  33.7 MBytes   282 Mbits/sec                 
[  6]   3.00-4.00   sec  34.7 MBytes   291 Mbits/sec                 
[SUM]   3.00-4.00   sec  68.3 MBytes   573 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   4.00-5.00   sec  34.2 MBytes   287 Mbits/sec                 
[  6]   4.00-5.00   sec  34.9 MBytes   293 Mbits/sec                 
[SUM]   4.00-5.00   sec  69.1 MBytes   580 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   5.00-6.00   sec  33.9 MBytes   284 Mbits/sec                 
[  6]   5.00-6.00   sec  34.6 MBytes   290 Mbits/sec                 
[SUM]   5.00-6.00   sec  68.5 MBytes   575 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   6.00-7.00   sec  32.8 MBytes   275 Mbits/sec                 
[  6]   6.00-7.00   sec  33.3 MBytes   279 Mbits/sec                 
[SUM]   6.00-7.00   sec  66.1 MBytes   555 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   7.00-8.00   sec  33.6 MBytes   282 Mbits/sec                 
[  6]   7.00-8.00   sec  34.4 MBytes   289 Mbits/sec                 
[SUM]   7.00-8.00   sec  68.1 MBytes   571 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   8.00-9.00   sec  33.4 MBytes   280 Mbits/sec                 
[  6]   8.00-9.00   sec  33.5 MBytes   281 Mbits/sec                 
[SUM]   8.00-9.00   sec  66.9 MBytes   561 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]   9.00-10.00  sec  33.0 MBytes   277 Mbits/sec                 
[  6]   9.00-10.00  sec  33.6 MBytes   282 Mbits/sec                 
[SUM]   9.00-10.00  sec  66.6 MBytes   559 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  10.00-11.00  sec  34.3 MBytes   287 Mbits/sec                 
[  6]  10.00-11.00  sec  34.9 MBytes   293 Mbits/sec                 
[SUM]  10.00-11.00  sec  69.1 MBytes   580 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  11.00-12.00  sec  34.0 MBytes   286 Mbits/sec                 
[  6]  11.00-12.00  sec  34.9 MBytes   293 Mbits/sec                 
[SUM]  11.00-12.00  sec  69.0 MBytes   578 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  12.00-13.00  sec  33.8 MBytes   284 Mbits/sec                 
[  6]  12.00-13.00  sec  34.3 MBytes   288 Mbits/sec                 
[SUM]  12.00-13.00  sec  68.1 MBytes   572 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  13.00-14.00  sec  32.6 MBytes   274 Mbits/sec                 
[  6]  13.00-14.00  sec  33.1 MBytes   277 Mbits/sec                 
[SUM]  13.00-14.00  sec  65.7 MBytes   551 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  14.00-15.00  sec  26.6 MBytes   223 Mbits/sec                 
[  6]  14.00-15.00  sec  27.0 MBytes   226 Mbits/sec                 
[SUM]  14.00-15.00  sec  53.6 MBytes   449 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  15.00-16.00  sec  27.0 MBytes   226 Mbits/sec                 
[  6]  15.00-16.00  sec  27.3 MBytes   229 Mbits/sec                 
[SUM]  15.00-16.00  sec  54.3 MBytes   456 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  16.00-17.00  sec  27.6 MBytes   231 Mbits/sec                 
[  6]  16.00-17.00  sec  27.9 MBytes   234 Mbits/sec                 
[SUM]  16.00-17.00  sec  55.5 MBytes   465 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  17.00-18.00  sec  27.7 MBytes   232 Mbits/sec                 
[  6]  17.00-18.00  sec  27.9 MBytes   234 Mbits/sec                 
[SUM]  17.00-18.00  sec  55.6 MBytes   466 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  18.00-19.00  sec  27.6 MBytes   231 Mbits/sec                 
[  6]  18.00-19.00  sec  27.8 MBytes   233 Mbits/sec                 
[SUM]  18.00-19.00  sec  55.4 MBytes   465 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[  4]  19.00-20.00  sec  27.6 MBytes   231 Mbits/sec                 
[  6]  19.00-20.00  sec  27.7 MBytes   232 Mbits/sec                 
[SUM]  19.00-20.00  sec  55.3 MBytes   464 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-20.00  sec   636 MBytes   267 Mbits/sec                  sender
[  4]   0.00-20.00  sec   636 MBytes   267 Mbits/sec                  receiver
[  6]   0.00-20.00  sec   647 MBytes   271 Mbits/sec                  sender
[  6]   0.00-20.00  sec   647 MBytes   271 Mbits/sec                  receiver
[SUM]   0.00-20.00  sec  1.25 GBytes   538 Mbits/sec                  sender
[SUM]   0.00-20.00  sec  1.25 GBytes   538 Mbits/sec                  receiver

Can somebody confirm equal results ?

The cpu boost seems to go dynamic up to 1400MHz without the turnables set and seem to have no effect on iperf tests but maybe on proxy and idp !?
https://github.com/pcengines/apu2-documentation/blob/master/docs/apu_CPU_boost.md

Does somebody ?

Futher I was woundering that I was not able to get simular results based on this:
https://teklager.se/en/knowledge-base/opnsense-performance-optimization/

Somebody ?

7

Hardware and Performance / OpnSense on Sophos Red's

« on: April 28, 2020, 07:07:47 pm »

Dear all,

I am on the go switchin from Sophos to OpnSense...for many good reasons...

Therefore I thought if it's possible and a good idea- ideally painless to install OpnSense onto my reds (15 and 50) for my remote sites indeed !?

Does anybody has tried that yet and or could share their experineces about that ?

Best & Greets!