Topics - sparticle

#1
I am moving over to a new machine. Setup OOtB then install all of the plugins from my old installation as importing the config does not install them automatically.

Once rebooted the crowdsec configuration does not seem to work as none of my network crowdsec agents can connect to the opnsense crowdsec lapi.

The setup config seems to have come across fine all of the options are configured exactly as my old opnsense installation.

I really don't want to have to manually go around all of the network servers with the crowdsec agent running and start again.

Are there some crowdsec config files I have to manually bring across from the old installation?

Any help appreciated.
#2
Installer gets to 100% after creating file systems then when the file explorer window appears with the Exit at the bottom. Pressing Exit results in an installer error dialog.

Pressing continue shows errors reading the directories created during install.

Can't get past this stage. Tried reformatting the HDD and creating a clean partition table. Then installing again with the same results.

System is a Dell R330 with a 730 Raid controller. Configured as non raid mode.

Runs linux and windows OS fine on the same HDD.

Any help appreciated.
#3
Tried downloading the latest DVD ISO from a few mirrors. Once downloaded I cannot get it to extract the ISO.

See attached image.

Does anyone else have this issue?

Cheers
#4
24.1, 24.4 Legacy Series / Simple VLAN doesn't work.
October 20, 2024, 04:06:21 PM
I really need some help with this.

I have now a very simple setup.

The main OPNSense config is as it was with the addition of a single VLAN config. I restored the config from a previous point before I started messing with VLANS to ensure I was back at my base config for the network. I followed this guide https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense and setup the VLAN exactly as the LAN is configured but with a new subnet with the LAN interface as the parent. The new VLAN 50 interface OFFICE has DHCP services configured exactly the same as the LAN interface in the new subnet. e.g. 10.0.50.0/24 with an interface address of 10.0.50.254. I have cloned the firewall any rule from the LAN to the OFFICE net. Everything appears to be setup correctly. As I have an any rule on the LAN I can ping the OFFICE interface from outside the OPNSense server from my PC on the main switch.

On the HP Switch that OPNSense is connected to I have configured VLAN50 and the ACCESS and TRUNK ports to connect to OPNSense and the other switches. See attached image of the setup. This is a very simple setup to get one VLAN working. It doesn't work and I cannot get DHCP from OPNSense or even if I config a static IP in the OFFICE subnet I cannot ping the OPNSense OFFICE interface.

I am completely at a loss as to why this is not working. The VLAN config on the switch looks right. The OPNSense VLAN config looks right I have FW rules and DHCP and DNS services on the OFFICE VLAN.

In words the switch is configured as follows. See image for detail.

Port 1 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO OPNSENSE)
Ports 11 and 12 ACCESS Untagged 50 PVID 50 (LAPTOP TEST PORTS)
Port 17 TRUNK Untagged 1 Tagged 50 PVID 1 (WAP with 2 wifi networks 1 on the default VLAN and 1 on VLAN 50)
Port 25 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO REST OF NETWORK)

This should work but it doesn't, OPNSense shows no packets on the OFFICE interface.

Can anyone please put me out of my misery and help me to get VLANS working.

Just to add I know the switch is working as I can config an admin address in the switch on the VLAN 50 subnet and I can ping it from the Laptop on the VLAN 50 network. So I know the switch ports are working as expected within the switch. I also know the switch VLAN config is working between switches. I can ping the HP on its VLAN50 address from the Netgear connected via a TRUNK to TRUNK connection to the HP port 25 using the laptop manually configured with a VLAN50 ip.

BUT, I get the destination host unreachable and no route to host if I try to ping the OPNSense VLAN50 interface on 10.0.50.254. No packets are received on the OPNSense OFFICE (VLAN50) interface. Also the WAP on the HP TRUNK port 17 gets no DHCP service either. I can configure a static IP on the wifi connection and connect to the VLAN 50 wifi network but can't get anywhere.

It is like any VLAN subnet on the LAN interface is blocked and I suspect that pinging the VLAN 50 address from the default network is simply getting a response from the parent interface as stats show no packets on the VLAN 50 interface.

What is going on here?

Cheers
#5
Tutorials and FAQs / Moving OPNSense to new hardware
October 19, 2024, 09:44:30 PM
I am looking at moving the network primary OPNSense Server to new hardware. The new hardware will have different NICS.

Testing this we took a back up of the config on the old OPNSense and did a S&R on the old interface names replacing any ref to the old LAN interface with the new one same for the WAN.

It boots fine and in an isolated network the interfaces look good. Everything is configured as per the old OPNSense server.

Unplugging the OLD server and plugging in the new one and powering up, the network is down. I thought it might be the mac tables that would need to sort themselves out etc. But after 30 mins even though showing as connected I could not access the GUI on the main switch.

What needs to be rebooted to make this work? Obviously the new OPNSense is powering up as if it was the old one. MAC addresses will be different I guess for the LAN and WAN interfaces.

Just wanting to try out new hardware and test. How do others do this?

Cheers
#6
Hello,

We are a long time user of OPNsense. The time has come I feel for us to be a little more security conscious and start to logically segment the network.

VLANS seem to be the answer. But I am a little confused on the practicalities. It seems it's like a magic trick; someone who knows the trick makes it seem simple. You can sort of understand it, it makes sense but the practical implementation eludes us.

We can create VLANS in OPNsense. Configure DHCP on the VLAN. But are missing knowledge of the detail. For instance. We have OPNSense with a WAN with a /29 and a LAN /24. The LAN is 10.0.0.0/24 we have firewall rules and port forwards to various servers and all is well.

OPNsense is connected to our main network switch which has a number of servers for Virtualisation, NAS etc. also has security cameras, office PC's, WAP's a wireless link to another building which also has a WAP and security cameras, a link to another building which has 5 WAPS, Security Cameras, Smart TV's, a number of internet connected devices. All on the same /24 network.

Ideally in future world we would want to segment some of these devices.

When configuring a VLAN it asks for the DNS server and gateway. If I put the DNS server address as the OPNSense LAN address it can't see that as it is on a different network.

As a simple example to get started. We have a VLAN capable WAP in the office.

It would be good to configure 2 networks on it. The default network called Office_Wifi and a Guest network on a different network.
Office_Wifi
Default 10.0.0.0/24
Guest_Wifi 10.0.10.0/24

I can configure the Guest_WiFi network in the WAP with VLAN id of 10 and set its address as 10.0.10.1
DHCP would come from the OPNSense DHCP service.

So the WAP would have 2 networks. 10.0.0.0/24 and 10.0.10.0/24

At the OPNSense end I can configure a VLAN with an ID of 10 and setup the network as 10.0.10.0/24 But what DNS do I specify and what gateway address? The address of the OPNsense LAN 10.0.0.1 for both?

Then at the network switch I would need to setup VLAN 10 and add the port that the WAP is connected to? Would it need to be set as a trunk port as it could be carrying traffic from either of the 2 wifi domains and networks?

Do I need to configure the port that the OPNSense LAN is connected to as a Trunk port. Do I need to add that port to VLAN 10 also?

As a basic starter, I would love someone to assist with setting up this first VLAN to get the WAP serving the 2 groups; office staff and guests. With connected office staff being able to see the default network 10.0.0.0/24 and Guests being served a DHCP address by OPNsense and only able to access the internet.

Any help is appreciated. And apologies for the ramble just trying to get this stuff out of my head.

Cheers
#7
Hello,

Hoping someone has a recommendation for an Intel based Quad Port GB Nic card for my Dell R720 Esxi 6.7 host. We run OpnSense on Esxi and the network performance is not great. We have tried all the tweaking that has been posted to try and get OpnSense xBSD using the ESXI VMXNETx adaptors to run at anything approaching wire speed.

All the linux VM's in the host run at wire speed and across the vswitch approaching 10G but the OpnSense VM is not great performance-wise. I raised issues with the BSD devs but no one has even looked at them. I can also see many other users posting about the network performance issues.

The R720 has a Dell branded Broadcom Quad port card. and I am thinking maybe we switch that to an Intel based card as other posters have said that is the best option as the em driver is the best supported and is in the kernel.

Does anyone have a tested recommendation for an intel based quad port Copper GB card?

Cheers
Spart


#8
General Discussion / Why BSD base. Why not Linux base?
November 26, 2022, 02:11:53 PM
I am sure this topic has come up before but, I was wondering why the dependency on BSD.

These days a base Ubuntu server which is capable of routing is using <200 MB of ram and runs on just about any type of hardware with decent NIC drivers that have very active development.

It would be awesome to have all of the OpnSense goodness on top of an enterprise grade mainstream Linux server OS that has mucho dinero spent on development.

Maybe it's just history and legacy but I think it's holding OpnSense back!

Cheers
Spart
#9
Hello,

I updated to the latest version today. I noticed I am seeing traffic stats for lan to lan traffic. I thought at first something was sending data out from the lan. But then realised it was showing stats for direct lan to lan connections!

Very confused by this as this particular server is a Video Surveillance server with cameras talking to it directly across the lan.

My understanding of the traffic graph is it is showing traffic traversing the opnsense interfaces.

How am I seeing traffic that is going from an IP camera to the server across the lan?

Cheers
Spart
#10
We have today migrated our OPNSense router to a VMware ESXI 6.7 VM.

Install went well despite config import losing all PPPoE settings.

We had to reinstall suricata and a few other things.

It was up and running pretty quick.

However, the network performance is dreadful.

When creating the VM the closest option we could find was Other FREEBSD12 or later 64 bit

The vnic options were e1000e or VMXNET3

I had read somewhere that e1000e was the right choice so that is what we chose.

iperf3 run shows this:


Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 10 second test, tos 0
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  38.1 MBytes   320 Mbits/sec   57    624 KBytes       
[  5]   1.00-2.00   sec  35.0 MBytes   294 Mbits/sec    0    697 KBytes       
[  5]   2.00-3.00   sec  35.0 MBytes   294 Mbits/sec    0    751 KBytes       
[  5]   3.00-4.00   sec  33.8 MBytes   283 Mbits/sec    2    571 KBytes       
[  5]   4.00-5.00   sec  35.0 MBytes   294 Mbits/sec    0    611 KBytes       
[  5]   5.00-6.00   sec  32.5 MBytes   273 Mbits/sec    0    652 KBytes       
[  5]   6.00-7.00   sec  33.8 MBytes   283 Mbits/sec    0    690 KBytes       
[  5]   7.00-8.00   sec  33.8 MBytes   283 Mbits/sec    0    727 KBytes       
[  5]   8.00-9.00   sec  36.2 MBytes   304 Mbits/sec    1    540 KBytes       
[  5]   9.00-10.00  sec  33.8 MBytes   283 Mbits/sec    0    618 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   347 MBytes   291 Mbits/sec   60             sender
[  5]   0.00-10.02  sec   345 MBytes   288 Mbits/sec                  receiver
CPU Utilization: local/sender 2.0% (0.2%u/1.7%s), remote/receiver 40.5% (11.3%u/29.2%s)
snd_tcp_congestion cubic
rcv_tcp_congestion newreno


Any other VM on the esxi host run pretty much at the full GB of the vswitch uplinks.

example from the lan server.


Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 10 second test, tos 0
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   111 MBytes   933 Mbits/sec                 
[  5]   1.00-2.00   sec   112 MBytes   940 Mbits/sec                 
[  5]   2.00-3.00   sec   112 MBytes   940 Mbits/sec                 
[  5]   3.00-4.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   4.00-5.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   5.00-6.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   6.00-7.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   7.00-8.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   8.00-9.00   sec   112 MBytes   941 Mbits/sec                 
[  5]   9.00-10.00  sec   112 MBytes   941 Mbits/sec                 
[  5]  10.00-10.00  sec   334 KBytes   900 Mbits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bitrate
[  5] (sender statistics not available)
[  5]   0.00-10.00  sec  1.09 GBytes   940 Mbits/sec                  receiver
rcv_tcp_congestion cubic
iperf 3.9


Can anyone assist with better settings or config changes please.

Cheers
Spart
#11
22.7 Legacy Series / DVD ISO installer is corrupt
October 17, 2022, 09:52:03 AM
Hello,

Today we are in the process of migrating our standalone OPNsense server to a ESXI VM. However, we have tried 3 different mirror DVD ISO images and they all show this error on trying to uncompress the bz2 image.

Can you advise please.

Cheers
Spart

#12
Hello, I have followed the guides in the documentation and started with a simple bandwidth limiting pipe and rule for a host on the plan that frequently downloads large update many 10's of GB.

I have tried limiting the bandwidth of this host but when checking the live stats in ntopNG I can see it is using double what I have set as the limit.

This is a very simple rule almost a direct copy of the one in the docs.

Both the rule and pipe are activated and I can see them in the status page.

Is there some other service I need to start/restart to have these rules enforced or does it simply not work the way I am thinking.

Any help appreciated.

Cheers
Spart
#13
21.7 Legacy Series / 20.7.8 Upgrade path - Risks
September 13, 2021, 12:27:24 PM
Hello,

We are running a fully updated 20.7.8 system. Is there a guide to upgrading safely from 20.7.8 to the latest 21.7?

Cheers
Spart
#14
I have struggled for a while troubleshooting what I thought was internet settings. In the end it turned out to be virtualbox network performance.

I tried just about every combination of virtual nic in Vbox and the myriad of settings. Throughput was variable at best. One second 95% of the available ISP bandwidth the next 20% with no idea why.

I am not a networking expert.

The OpnSense setup is a VirtualBox VM running on a Dell R710 24 cores and 128GB of memory. 1 x 4 port Intel GB Nic.

2 of the nic ports are dedicated to the VM and bridge networking. Tried virtio but could not get it to run.

The fastest Vbox emulated nic was Intel Pro1000 MT Server. The rest were variously slower. The VM has 16Gb of memory and 4 cores.

In the end a ridiculously modest old Dell Optiplex Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (2 cores) with a pcie x 1 HP 2 Port GB Nic massively outperformed the VM. Full maximum ISP bandwidth all of the time. I use a dedicated Rpi4 to monitor the internet connection 24x7 running this awesome little build https://github.com/geerlingguy/internet-monitoring

From a graph that looked like a bad picture of the mountains with massive variability in the bandwidth my network was seeing. It is now essentially a solid block running at the max profile (40Mb Down 10 Up) BT provide us with a tiny amount of variability of a few tens of kbs.

The reason I moved to a VM was to cut down on the number of machines I was running.

If someone knows the trick to getting full performance or nearly full performance out of a Vbox virtual nic then please post it as I would love to virtualise opnsense again.

Iperf between the lan side of opnsense and my desktop was c. 80mb using the virtual nic. using the Physical dell optiplex it's essentially 1Gb running at 980ish mb. So sometimes much worse than a 10th of the potential.

Any advice appreciated.

Cheers
Sspart :(
#15
I need some help with this implementation.

Following a 20.7 upgrade earlier I cannot get redis or ntopng to start. Log is full of these lines. If I reboot and watch it start then redis connection fails on startup of opnsense server.

2020-11-08T16:03:39 root[11641] /usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng
2020-11-08T16:03:39 ntopng[78906] [Redis.cpp:150] ERROR: to specify a redis server other than the default
2020-11-08T16:03:39 ntopng[78906] [Redis.cpp:149] ERROR: Please start it and try again or use -r
2020-11-08T16:03:39 ntopng[78906] [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running
2020-11-08T16:03:38 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:35 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:33 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:30 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:28 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:25 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:23 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:20 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:18 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:15 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:13 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:10 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:07 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:05 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:02 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out]
2020-11-08T16:03:00 ntopng[78906] [Redis.cpp:99] ERROR: Connection error [Operation timed out


Any help appreciated please.

Cheers
Spart
#16
Hi we have recently been trying to replace an old 887VA with a VDSL Bridge config with a 897VA with essentially the same config.

Opnsense PPPoE connection completes perfectly and we can see the Public IP's are assigned correctly but there is no traffic via the wan port. Also the network starts to behave weirdly. Websites failing etc. We thought it was something to do with Arp tables but having rebooted everything. The Cisco Router. The OPNSense box, the central switch when everything comes up all looks good but no routing of traffic is happening. If we power off the 897VA and plug the 887VA back in all bursts back into life.

The config is the same. It feels like it is a MAC address ARP issue on the wan link like it is trying to send to the old router.

Does anyone have any experience of swapping out a router and the gotchas involved? We just expected this to work as it is upstream of the OPNSense box and the PPPoE connection seems to work just fine.

Help appreciated as we need to retire the 887 as it is out of support and we have a new 897 to replace it.

Cheers
Spart
#17
Hi, I am trying to swap out a Cisco 887VA-K9 with a later model 897VA-K9. The configs are the same; this is configured for simple bridging and the PPPoE is managed by OPNSense.

The cisco is simply acting as a FTTC VDSL2 Modem and bridge to OPNSense WAN interface using a point to point config.

In the 887VA-K9 this works perfectly.

In the 897VA-K9 all looks well in the WAN overview page. Connected and IP address etc. But I get very weird issues on the lan with connectivity websites time out cannot run speedtest etc. It's as if there is some kind of routing issue. The log gets constantly spammed with these messages:

arprequest: cannot find matching address

I could not find much information about this in respect of my issue.

I tried rebooting OPNSense in case it was an arp table issue having changed out the router. There is a MAC address set on the WAN interface page that matches the MAC of the WAN Nic in the server I can see this get assigned to the WAN PPPoE connection. This works perfectly when the 887VA-K9 is plugged in.

If I unplug the 897VA-K9 and plug the 887VA-K9 in all bursts into life.

My instinct is it is something to do with the MAC of the 897 vs the 887 but the WAN interface has the same settings for both.

Any help appreciated as we would like to swap these old 887 units out.

Cheers
Spart
#18
Is there a build of OPNSense for the Cisco Meraki MX6x series devices?

Openwrt is running on a number of these devices so bsd is working on them.

They seem very capable devices and super cheap due to the crazy cisco license costs.

Cheers
Spart
#19
Hi I have a BT FTTC VDSL Connection with 5 Public IP's and I am looking to connect my OPNSense machine to a CISCO 887VA in bridge mode acting as a modem.

I can get a PPPOE connection but cannot figure out how to configure the WAN interface or my Public IP's. When connected the BT service provides an IP address that I do not recognise and creates a new gateway interface. It is in a totally different IP range to my public IP's.

Currently I use the cisco in router mode and essentially lose 1 ip that I have to assign to the OPNSense WAN interface. Then I set the gateway as the Dialer 0 (BVI) interface of the Cisco. All works perfectly. But wasted resources as I do nothing on the cisco other than connect it and configure the dialer interface with my Public IP range. I simply want it to act as a dumb bridge and once it has negotiated a physical connection I want the OPNSense box to do everything else PPPOE IP addressing etc.

I tried setting the OPNSense WAN interface to the address I would normally assign to the Cisco but it shows as down and the address the OPNSense gets from the PPPOE connection is a completely different IP range. Plus it creates a new WAN Gateway which is where I get a bit stuck.

Just looking for anyone else that has managed to config OPNSense with BT PPPOE connection and static IP's. Have now reverted back to my working config but would really like to sort this and reclaim one of my wasted public IP's as I should be able to give the OPNSense WAN Gateway the same address as I give the cisco essentially the gateway address as advised by BT.

Any help appreciated. Below is the config for the cisco bridge. Which did work as I could see an assigned IPV4 and IPV6 address to new Gateways that it automatically configured.


!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname ***********
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M9.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret **********************
enable password ***********************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
memory-size iomem 25
clock timezone GMT 0 0
!         
no ip source-route
no ip routing
no ip domain lookup
no ip cef
no ipv6 cef
!         
license udi pid *****************
license accept end user agreement
license boot module c880-data level advsecurity
!         
username *********************************************
!         
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_38k1_B_38h_24g1.bin
modem ukfeature
!         
bridge irb
!         
interface Ethernet0
no ip address
no ip route-cache
!         
interface Ethernet0.101
encapsulation dot1Q 101
no ip route-cache
bridge-group 1
!         
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!         
interface FastEthernet0
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet1
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet2
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet3
switchport access vlan 3
no ip address
duplex full
speed 100
load-interval 30
!         
interface Vlan1
no ip address
ip virtual-reassembly in
no ip route-cache
load-interval 30
bridge-group 1
!
! Configure a vlan access port so I can get to the cisco from a connected laptop for config.       
interface Vlan3
ip address 192.168.x.x 255.255.255.0
no ip route-cache
!         
ip forward-protocol nd
no ip http server
no ip http secure-server
!         
logging trap debugging
!         
bridge 1 protocol ieee
!         
!         
!         
end       



Any help appreciated.
Cheers
Spart
#20
Just wanted to provide some feedback to the 20.7 and ultimately 20.7.1.

We had been running 20.1.x for a while and once we were notified that the 20.1.x series had come to an end in the upgrade dialog we waited for a while until the point release came out with fixes for the initial release of 20.7

The upgrade went perfectly and after a few reboots during the process OPNsense was back up and running no config issues. We then upgraded to the latest 20.7.1 and all is well. All upgrades were via the web client.

The only feedback would be a little more information on the screen stating you need to wait for a while when initiating the upgrade. Our OPNsense runs in a VM on one of our DELL R710 servers and has CPU X5650 @ 2.67GHz (4 cores) and 4 GB of memory. This talks directly to our managed switch on the lan side and our Cisco router on the WAN side.

We were a client of Untangle for over 10 years but they had no intelligent path to IP6 and it seems little interest.

Cheers
Spart