Topics - o58rHtfJdDiU3p

#1
Hello,

I'm currently experimenting with segmenting my home network using WireGuard as an alternative to VLANs, which would require appropriate hardware support.

I seem to have the WireGuard instances and individual peers under control, but now I'm getting into the nitty-gritty of the expected performance.

My OPNsense runs under Proxmox on an older i7-6700 machine. Both CPU and RAM seem to have sufficient performance margins.
The device has an Intel X520 dual SFP+ network card that supports 10Gbit/s.

I am testing with CrystalDiskMark on a CIFS network share on a file server that is on the 10G network. So all devices (file server, test notebook and OPNsense router) are on the 10G network.
Here are my results.

1.) direct connection (without OPNsense routing)
R: 505.19 MByte/s
W: 479.73 MByte/s

2.) WireGuard activated between notebook and OPNsense.
OPNsense has paravirtualized NIC so Intel X520 is initialized by Proxmox.
R: 67.61 MByte/s
W: 50.55 MByte/s

3.) WireGuard with NIC PCIe passthrough in OPNsense VM. So OPNsense should have exclusive access to the 10Gbit/s network card.
R: 57.13 MByte/s
W: 27.25 MByte/s

So the question is now: What do I see with these results?

Is it totally normal that with the WG tunnel the performance drops by a factor 10?
I do know that WG communication is encrypted and this slows down the communication, but I don't see any bottleneck on the HW side.

Is it possible that my network card is still running on 1Gbit/s instead of 10Gbit/s?

Hope someone can help!
Thanks!
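One way to check the last question in the post above, whether the card negotiated 1 Gbit/s or 10 Gbit/s, is to read the media line that FreeBSD's ifconfig prints on OPNsense. The following is an added example written for this page, not code from the poster or from the OPNsense project; the ifconfig text it parses is constructed for illustration, and the interface names ix0, vtnet0 and em0 are assumed, not taken from the poster's system.

```python
import re
import sys

# Constructed sample of FreeBSD/OPNsense `ifconfig` output, for illustration only;
# it is not captured from the poster's box. On FreeBSD the "media:" line is where
# the negotiated link speed is reported.
SAMPLE_IFCONFIG = """\
ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
# Matches both "media: Ethernet autoselect (10Gbase-SR <full-duplex>)" and the
# fixed-media form "media: Ethernet 10Gbase-SR <full-duplex>".
MEDIA_RE = re.compile(r"media:\s+Ethernet\s+(?:autoselect\s+\((\S+)|(\S+))")


def media_to_mbit(media):
    """Convert a FreeBSD media word ('10Gbase-SR', '1000baseT', '100baseTX') to Mbit/s.
    Returns None for words that carry no speed, e.g. a bare 'autoselect' on a down link."""
    m = re.match(r"(\d+)(G?)base", media, re.IGNORECASE)
    if not m:
        return None
    value = int(m.group(1))
    return value * 1000 if m.group(2).upper() == "G" else value


def parse_link_speeds(text):
    """Return {interface: Mbit/s or None} for every interface in ifconfig output."""
    speeds = {}
    current = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            speeds[current] = None
            continue
        m = MEDIA_RE.search(line)
        if m and current:
            speeds[current] = media_to_mbit(m.group(1) or m.group(2))
    return speeds


def below_expected(speeds, expected_mbit=10000):
    """Interfaces that negotiated less than the speed the hardware is supposed to deliver."""
    return sorted(name for name, mbit in speeds.items()
                  if mbit is not None and mbit < expected_mbit)


if __name__ == "__main__":
    # Real use: `ifconfig | python3 linkspeed.py` on the OPNsense shell; without a pipe
    # the constructed sample above is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFCONFIG
    speeds = parse_link_speeds(text)
    for name, mbit in speeds.items():
        print(f"{name}: {mbit if mbit is not None else 'no speed reported'}")
    slow = below_expected(speeds)
    if slow:
        print("below 10 Gbit/s:", ", ".join(slow))
```

In a Proxmox setup the check belongs on both sides: on the host, for the physical card, and inside the VM, for the paravirtualized or passed-through interface, since a paravirtualized NIC reports whatever the virtual device claims rather than the speed the physical link negotiated.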
#2
I was just making my first steps with OPNsense and WireGuard.

After some learning I managed to get my first WG_Clients instance running. For testing I added my notebook, tablet and my phone.

First everything was working fine.

Then I did "something", please don't ask me what, I followed several different tutorials and then suddenly my whole network crashed in the sense that the internet wasn't working and even other LAN <-> LAN connections without any WG clients activated or installed were not able to ping or communicate. So devices that should be independent of WG are not working any more. Luckily the connection to the OPNsense firewall is still open, so I am able to change settings.

So in the end I am at the point where I enable any WG instance and my networking crashes, fully reproducibly.

WG logs are empty.

I tried removing the WG interface and also removed and recreated the WG instance; still the same problem.

I went through all of my settings multiple times and I am really sure that it should work that way. I also see, when I activate the WG server and just ignore that the internet breaks, that the WG client tools are showing they have a connection and are transmitting data. So I guess the VPN tunnel is OK?

And the IP config should be also fine.
LAN: 10.1.1.1/16
WG_Clients: 10.2.1.1/16
e.g. notebook: 10.2.2.2/32

It is also not working with my own DNS server (Pi-hole) or Google 8.8.8.8.

And the WG port is 51821, since 51820 is blocked by my Fritz!Box because it also supports WG...
But that should be fine since it was already working on 51821.

I added the WAN 51821 firewall rule and a general allow rule for the WG network.

I had some special routing configs but I removed everything and configured it to auto...

Can somebody help me find, and point a finger at, something that could raise these issues?

I also noticed that the WG UI is kind of buggy.
e.g. the peer generator can't save the newly created peers. So I was thinking, how stable is the WireGuard core at all in the OPNsense implementation?

Hope you can help, thanks.
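A sanity check a practitioner would run on the address plan in the post above is to confirm that the LAN network, the WireGuard instance network and every peer's allowed IPs neither overlap each other nor place a peer's range inside the LAN, since a peer's AllowedIPs entry is used by WireGuard tooling both as an inbound filter and, unless route installation is disabled, as a route toward that peer. The following is an added example written for this page, not code from the poster or from the OPNsense project; it uses the addresses given in the post and assumes the notebook is the only peer (the post lists only that one). The clashing cases at the bottom are constructed to show what the check reports when something is wrong.

```python
import ipaddress

# Addresses as given in the post above. The peer set is an assumption:
# the post names only the notebook.
NETWORKS = {
    "LAN": "10.1.1.1/16",
    "WG_Clients": "10.2.1.1/16",
}
PEER_ALLOWED_IPS = {
    "notebook": "10.2.2.2/32",
}


def to_network(cidr):
    """'10.1.1.1/16' -> 10.1.0.0/16: drop the host bits, as an interface address implies."""
    return ipaddress.ip_interface(cidr).network


def find_overlaps(networks):
    """Name pairs whose address ranges overlap; an empty list means no clash."""
    nets = {name: to_network(cidr) for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def peers_outside_tunnel(peers, tunnel_cidr):
    """Peers whose AllowedIPs do not fall inside the tunnel network at all."""
    tunnel = to_network(tunnel_cidr)
    return sorted(name for name, cidr in peers.items()
                  if not ipaddress.ip_network(cidr, strict=False).subnet_of(tunnel))


def peers_clashing_with(peers, networks, tunnel_name):
    """(peer, network) pairs where a peer's AllowedIPs overlap a network other than
    the tunnel itself, e.g. the LAN. Such an entry would pull that range toward the
    tunnel when routes are installed from AllowedIPs."""
    others = {n: to_network(c) for n, c in networks.items() if n != tunnel_name}
    return sorted((peer, net) for peer, cidr in peers.items()
                  for net, rng in others.items()
                  if ipaddress.ip_network(cidr, strict=False).overlaps(rng))


if __name__ == "__main__":
    print("overlapping networks:", find_overlaps(NETWORKS))
    print("peers outside tunnel:", peers_outside_tunnel(PEER_ALLOWED_IPS, NETWORKS["WG_Clients"]))
    print("peers clashing with other networks:",
          peers_clashing_with(PEER_ALLOWED_IPS, NETWORKS, "WG_Clients"))

    # Constructed clash cases (not from the post) to show what the check flags.
    print(find_overlaps({"LAN": "10.1.1.1/16", "WG": "10.1.5.1/24"}))   # [('LAN', 'WG')]
    print(peers_clashing_with({"pc": "10.1.0.0/16"}, NETWORKS, "WG_Clients"))  # [('pc', 'LAN')]
```

For the values in the post the three checks come back empty, so the address plan itself is consistent; the constructed cases show the two situations the check is designed to catch, an instance network that overlaps the LAN and a peer whose allowed range covers the LAN.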
#3
Hello,

I recently replaced my old Netgear router (FreshTomato) with a mini PC running Proxmox + OPNsense.
I have a Fritz!Box connected to the internet via the OPNsense WAN port. The LAN goes to several dumb switches and a mesh Wifi AP setup.
I run DNS via a standalone Pi-hole server.
The setup was exactly the same before, and I really only replaced the router.

The new OPNsense router is working well so far, and I'm happy with my decision to switch. My DHCP leases, port maps, and web servers are already up and running again, and Pi-hole is also neatly integrated.

The only problem:
My girlfriend uses a Windows 10 laptop as a monitor and keyboard for another work PC. (Don't ask why please.) This has previously been done via the wireless display function that is integrated in Windows. I'm not sure what technology is behind it, but I suspect something like Miracast.
The problem is that due to the new firewall, the notebook is apparently no longer automatically listed as a wireless display.

I've already worked on the problem a bit and tried various configurations with the help of chatbots.
Two firewall rules in particular:

Rule 1 (for Miracast Discovery):
Action: Pass
Interface: LAN
Direction: In
Protocol: TCP/UDP
Source: Any
Destination: Any LAN Net
Destination Port Range: From 1900 to 1900 (for SSDP)
Destination Port Range: From 5353 to 5353 (for mDNS)
Destination Port Range: From 7236 to 7236 (for Miracast Control)
Destination Port Range: From 5357 to 5358 (for mDNS/SSDP fallback)

Rule 2 (for Miracast Streaming - broader, as it is dynamic):
Action: Pass
Interface: LAN
Direction: In
Protocol: TCP/UDP
Source: Any LAN Net
Destination: Any LAN Net
Destination Port Range: From 49152 to 65535

Additionally, I have also installed the UPnP plugin and activated "Enable UPnP & NAT-PMP".

I'm not entirely clear on this and have a healthy dose of chatbot skepticism, so here's my question:
Do you know what exactly this Windows Wireless Display connection does?
How can I configure OPNsense so that it works again?

I'm not even sure whether this feature works over the internet or purely over the LAN.

Thank you in advance!