Topics - ibrewster

1. Hardware and Performance / USB 2.5Gb adaptor, Proxmox Install
« on: June 12, 2024, 07:16:38 pm »
I have a backup OPNsense install running under Proxmox installed on an Intel Mac Mini (I don't know the exact model, but I can try to dig it up if it matters). OPNsense is fully updated as of this morning, running version 24.1.8-amd64.

To this hardware I added a 2.5Gbe USB adaptor, and set it up in Proxmox to do USB passthrough to the VM. From the OPNsense command line it now shows up like this in usbconfig:

Code:
root@gatekeeper2:~ # usbconfig -d 1.2 dump_device_desc
ugen1.2: <Realtek USB 10/100/1G/2.5G LAN> at usbus1, cfg=1 md=HOST spd=SUPER (5.0Gbps) pwr=ON (64mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0320
  bDeviceClass = 0x0000  <Probed by interface class>
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0009
  idVendor = 0x0bda
  idProduct = 0x8156
  bcdDevice = 0x3104
  iManufacturer = 0x0001  <Realtek>
  iProduct = 0x0002  <USB 10/100/1G/2.5G LAN>
  iSerialNumber = 0x0006  <4013000000>
  bNumConfigurations = 0x0003


ifconfig for the interface shows the following:

Code:
ue0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN (lan)
options=80008<VLAN_MTU,LINKSTATE>
ether 8c:ae:4c:dd:d5:9e
inet6 fe80::8eae:4cff:fedd:d59e%ue0 prefixlen 64 scopeid 0x6
inet 10.27.81.247 netmask 0xffffff00 broadcast 10.27.81.255
inet 10.27.81.1 netmask 0xffffff00 broadcast 10.27.81.255 vhid 3
carp: BACKUP vhid 3 advbase 1 advskew 100
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

At any rate, I set that up as my LAN interface, and used iperf to run a test back to my main router (connected via a 10G link). Somewhat to my surprise, I saw I was only getting 100Mbps. After some digging, I found this: https://forum.opnsense.org/index.php?topic=27189.0, which suggested "setting the device into ECM mode". I tried that, which did help - I now get around 500Mbps.

Am I missing something/doing something wrong here? Looking at ifconfig, I would think it should show the media type - for example, one interface on my main router shows this for media:

Code:
media: Ethernet autoselect (10Gbase-Twinax <full-duplex,rxpause,txpause>)

But on the backup it's just "Ethernet autoselect" - no indication of what it selected. Also, the "SIMPLEX" bugs me (shouldn't it be "DUPLEX" or just not there?), but that's the same on my main OPNsense router (which is running bare metal on an old Intel i7), as well as my desktop Mac Studio (though settings shows full-duplex. Gah!), so maybe that's normal?
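A way to check this from a script rather than by eye, added here as an example and not code from the post or from OPNsense: a small parser for the ifconfig output above that pulls out the flags, the negotiated media type and its options, CARP state and link status, then reports interfaces whose link is active but show no negotiated media, as ue0 does. The ix0 block and its interface name are constructed to carry the media line quoted from the main router.

```python
import re

# Constructed sample: the ue0 block quoted in the post above, plus a constructed ix0
# block carrying the media line the post quotes from the main router.
SAMPLE_IFCONFIG = """\
ue0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.27.81.247 netmask 0xffffff00 broadcast 10.27.81.255
\tcarp: BACKUP vhid 3 advbase 1 advskew 100
\tmedia: Ethernet autoselect
\tstatus: active
ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (10Gbase-Twinax <full-duplex,rxpause,txpause>)
\tstatus: active
"""
HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
# "media: <selected> (<negotiated> <opt,opt>)"; the parenthesised part is optional.
MEDIA_RE = re.compile(r"^media: (.*?)(?: \(([^<)]+?)\s*(?:<([^>]*)>)?\))?$")

def parse_ifconfig(text):
    """Map interface name -> flags, media, negotiated type, media options, status, CARP state."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")), "media": None,
                           "negotiated": None, "media_opts": [], "status": None, "carp": None}
            continue
        if cur is None:
            continue
        s = line.strip()
        m = MEDIA_RE.match(s)
        if m:
            ifaces[cur]["media"], ifaces[cur]["negotiated"] = m.group(1), m.group(2)
            ifaces[cur]["media_opts"] = m.group(3).split(",") if m.group(3) else []
        elif s.startswith("status: "):
            ifaces[cur]["status"] = s[len("status: "):]
        elif s.startswith("carp: "):
            ifaces[cur]["carp"] = s.split()[1]
    return ifaces

def link_findings(iface):
    """Report the two things the post asks about: a bare 'autoselect' and the SIMPLEX flag."""
    notes = []
    if iface["status"] == "active" and iface["negotiated"] is None:
        notes.append("link is up but no negotiated media type or speed is reported")
    # SIMPLEX is BSD's IFF_SIMPLEX (cannot hear its own transmissions), not a duplex setting.
    if "SIMPLEX" in iface["flags"]:
        notes.append("SIMPLEX flag set: informational, not a half-duplex indication")
    return notes
```

Run it over `ifconfig` output captured from the box to see which interfaces, like ue0 here, negotiate nothing the driver reports; the ix0 line shows what a fully reported link looks like.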

2. General Discussion / VLAN configuration clarification
« on: February 05, 2024, 08:05:39 pm »
Technically I have this working, but the configuration doesn't feel right to me, so I'm hoping someone can provide clarification.

Running OPNsense 23.7.10 on an Intel Core i7-3770 3.4 with 24GB RAM.

For the LAN, I have two physical ports: em0 and em1. These are set up as members of a bridge (bridge1), which is then assigned to the LAN interface.

My wireless router is physically connected via a switch to em1. The wireless router creates a guest network, which is vlan tagged as VLAN 20 (I have no control over this, I can only turn the guest network on or off and assign a SSID).

In order to separate out the guest network traffic, I created a vlan 20 interface in the OPNsense box, assigned it a parent of em1, created a DHCP server for it, put in firewall rules to prevent traffic from the VLAN from reaching my internal network, etc.

As I said at the start, this all works, but my main concern is having em1 as the parent for the VLAN. Is that correct/kosher? What happens if I move the wireless to em0 at some point? My first thought was that the bridge should be the parent for the VLAN, but that isn't even an option, and may not even make sense. Then I was thinking maybe I should have a loopback interface be the parent, and add the VLAN as a member of the bridge, but I'm not sure about that either.

Do I have this set up correctly after all? Or is there a better way?

EDIT:

Just saw this thread: https://forum.opnsense.org/index.php?topic=38562.0 which suggests setting up the VLAN twice, once for each physical port, and then creating a bridge containing the two VLANs. Unfortunately that doesn't seem to work: I got DHCP well enough with that setup, but no traffic was passed on the bridge interface. I guess I might have missed something, but at the end of the day all I did was change the device for the interface from the single VLAN device to the bridge device, so it seems like the settings should have all been tied to the interface, not the VLAN device. Dunno. Maybe I'll try this configuration again in a couple of days.

3. Virtual private networks / IPsec VPN seems to work, but no communication?
« on: October 31, 2023, 03:35:14 am »
I'm trying to set up an IPsec VPN for my remote laptop (mobile client). I chose IPsec because it is built in to both OPNsense and macOS, so no third-party or add-on software is needed on either end.

I configured everything following this guide: https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-ikev1xauth.html, and as far as I can tell all settings - other than IP addresses - are identical to what is shown there.

My LAN has a subnet of 10.27.81.0/24, and I gave the IPsec clients an address pool of 10.27.82.0/24.

From my laptop I can connect to the VPN without difficulty, and it says it gets an IP of 10.27.82.1, which is as expected.

The OPNsense screens all seem to indicate a successful connection, and when I try to ping or SSH a host on the inside network, the firewall log seems to indicate the packets are being passed (I was going to provide screenshots, but can't figure out how). However, nothing works: no ping responses, SSH can't connect, I can't get a web page, etc.

So OPNsense seems to indicate everything is working fine, and the remote client seems to indicate everything is working fine, but no traffic actually passes.

What am I missing here? What diagnostics can I perform/what logs can I look at to figure out why it is not working?

4. General Discussion / General newbie OPNsense configuration questions
« on: October 27, 2023, 05:44:48 pm »
I've been working on setting up a new install of OPNsense, and I have a couple of questions about the config.

1) One of the features I'm wanting to make use of in OPNsense is the content filtering. Looking at the various options provided, it looks like there are three "levels" of filtering available:
  - The filter results via OpenDNS option
  - DNSBL options for the unbound resolver
  - Web proxy blacklist filtering

Does it make sense to enable more than one of these options? That is, would using the DNSBL option in unbound make filtering queries via OpenDNS redundant? And if I am using the DNSBL, is there any point to using the web proxy filtering as well?

2) Pretty much every website these days is HTTPS. If I were to set up the web proxy, I would want to set it up in a transparent fashion that doesn't require changes on the client side (I don't want to have to re-configure my friends'/families' computers whenever they come to visit...), so while it could proxy SSL, it wouldn't be decrypting the traffic. As such, is there any point to running the web proxy if filtering is handled via unbound? For unencrypted traffic, the proxy can do caching, which provides a benefit there, but can it cache SSL traffic without decrypting it?

3) It looks like a lot of the performance options are disabled by default. For example, to my understanding turning on forwarding in the unbound DNS resolver can potentially speed up DNS queries noticeably, but it is off by default. Is there any reason I *wouldn't* want to enable the following options in unbound:
  - Query Forwarding
  - Prefetch DNS Key Support (there is a note that it will increase CPU usage, but I have a quad-core 3.4GHz i7, so I'm thinking that's plenty of CPU?)
  - Prefetch Support

4) Along the same lines as #3, are there any other options that are disabled by default that it would make sense to enable for best performance?

Thanks!

5. General Discussion / Unbound Force SafeSearch option blocks YouTube Live Streams?
« on: October 25, 2023, 08:20:55 pm »
I'm new to OPNsense, just setting up a test router to replace my current router that doesn't do enough for me, so please forgive me if I am missing something obvious.

I turned on the filtering options of the Unbound server, including the Force SafeSearch option, and testing looked good at first - everything worked as expected.

Then I went to YouTube and tried to pull up a live stream that I watch all the time (NASASpaceflight Starbase Live), only to find that *none* of their live streams were listed, and trying to go directly to the one in question gave a "video is not available" error. Much (very frustrating, due to caching I assume) testing later, I discovered that this appears to be due to the Force SafeSearch option. With it enabled, I can't see the live streams, with it disabled I can.

Is this a known issue? If so, is there any way to work around it? I honestly can't understand why forcing SafeSearch would have any effect on YouTube Live streams...

Thanks for any help!

EDIT: Running OPNsense version 23.7.7
