Messages

See this, point 1.

Thanks for your input with the list of essential topics. I'm a little unhappy about the fact that I'm lacking a lot of network background knowledge.

I know or am already familiar with some of the points mentioned there. So far, I have only operated OPNsense in "default mode", but as time goes on and I get more involved with network technology, I am finally starting to want to understand my network in more detail and to segment it.

So I finally want to configure a separate VLAN for home office or guest network separately from the rest.

My second current project is to integrate a Teltronika TRB500 5G gateway into my setup.

I have already found some useful articles here in the OPNsense forum. I've already tried out a few things and hopefully understood them (and implemented them correctly). :)

Ah okay, I see there's probably a lot of basic knowledge that I'm missing.

Sorry for my stupid question. :)

So firewall rules can only be applied among network interfaces and/or VLAN, NOT within?

@Patrick M. Hausen
I found another thread with a post of yours about preventing a VLAN from accessing a 'local RFC1918' network. Your approach there was to use a DENY all/everything rule on a restricted interface group as a firewall rule. I had successfully tried this in another situation and that is probably the reason why I was a bit confused with my current "VLAN internal firewall rule issue".

@all
Thanks for the help!

Hello,

I have recently started to look into the subject of VLANs. Unfortunately, I do not understand the basic functionality of the firewall rules there.

I have the following simple standard configuration:
OPNsense v25 on PCEngines board, interface is [LAN] and [WAN].
Existing firewall rules are only the automatically created rules

[WAN] = no rules (i.e. block everything)

and

[LAN] = allow everything

I have now set up a VLAN101, interface [VLAN101], on which DHCP service is running.

I have also set up a VLAN101 on my Ubiquiti switch and assigned this ID to some network ports there.

Devices that I now connect to these switch ports are assigned a corresponding DHCP address.

There are no separate firewall rules for/under the interface or the VLAN [VLAN101], apart from the automatic rules.

The issue I don't understand is by now:
Why can devices within the VLAN101 are able to ping each other?
Why can services be called up on the devices of the VLAN under their corresponding IP of the VLAN101, although it says that if no firewall rule exists everything is blocked by default until an exception is defined.

Where is my error in thinking?

[LAN]

Ich hab mich nun endlich mal überwinden können, mich mit Telekom VDSL IPv6 Zugang zu beschäftigen und würde mich gerne an diesem Thread anhängen, auch wenn dieser schon etwas älter ist. Aber so wie ich mir hier schon einige Tipps oder Erklärungen abholen konnte, so mag es ja vielleicht auch anderen gehen. Also gebe ich mal menen Senf dazu ab. :)

Mein Setup: Telekom VDSL 250/40, OPNsense 24.7.9_1-amd64
Die OPNsense kümmert sich um die Einwahl mit einem Vigor 165 (als einfaches Modem konfiguriert).

IP Adressbereich Anzeige auf dem ssh Login-Screen:

LAN
v4: .../24
v6/t6: .../64

WAN
v4/PPPoE: .../32
v6/DHCP6: .../64

Ich habe anhand der OPNsense Anleitung folgende Optionen konfiguriert (PPPoe Zugangsdaten sind selbstverständlich auch eingetragen und funktionieren sowohl bei ausschließlich IPv4 wie auch mit zusätzlich IPv6).

System: Einstellungen: Allgemein - Netzwerk

• Pv4 gegenüber IPv6 bevorzugen: Bevorzuge die Verwendung von IPv4 auch wenn IPv6 verfügbar ist = unchecked
• DNS-Server = leer
• DNS search domain = leer
• DNS-Server Einstellungen: Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN = checked

Schnittstellen: Einstellungen - Netzwerkschnittstellen

• Erlaube IPv6: Erlaube IPv6 = checked

Schnittstellen: Einstellungen - IPv6 DHCP

• Freigabe verhindern = unchecked

Schnittstellen: [WAN] - Generic configuration

• IPv6 Konfigurationstyp = DHCPv6

Schnittstellen: [WAN] - DHCPv6 Clientkonfiguration

• IPv4-Verbindung verwenden = checked
• Präfixdelegationsgröße = 56
• Request prefix only = checked
• Send prefix hint = checked

Schnittstellen: [LAN] - Generic configuration:

• IPv6 Konfigurationstyp = Schnittstelle aufzeichnenn

Schnittstellen: [LAN] - IPv6-Schnittstelle aufzeichnen

• Übergeordnete Schnittstelle = WAN
• Assign prefix ID = 0
• Manuelle Konfiguration: Ermöglichen Sie die manuelle Anpassung von DHCPv6- und Router-Ankündigungen = checked (=> das aktiviert Dienste: Router Advertisements: [LAN])

Dienste: Router Advertisements: [LAN]

• Router Advertisements = Nicht Verwaltet
• DNS options: Use the DNS configuration of the DHCPv6 server = unchecked
• DNS options: Do not send any DNS configuration to clients = unchecked
• DNS-Server = leer
• Domainsuchliste = leer

Was mich aber verunsichert ist, ob mein LAN weitestgehend sicher vor dem Zugriff von Außen ist. Ich bin leider kein Netzwerk/Firewall Experte, kenne aber Begrifflichkeiten wie NAT, Portweiterleitungen, DynDNS, etc. aus dem jahrelangen Umgang mit IPv4 basierendem DSL Zugriff und war mir bislang einigermaßen sicher, alles so sicher wie möglich konfiguriert oder deaktiviert zu haben. Ich nutze allerdings auch genaugenommen nur ganz "einfachen" Internetzugriff, sprich keine Dienste, die ich aus dem WAN ins LAN benötige, kein VPN Zugriff, keine Server/Dienste/Hosts, die von Außen erreichbar sein sollen.

Nun ist das ja mit IPv6 doch "etwas anders" und daher meine Unsicherheiten.

Konkrete Fragen:

• Was muss ich verstehen unter der Option
  Schnittstellen: Einstellungen - IPv6 DHCP
  Freigabe verhindern = unchecked
  
  
• Die Firewall default Regel sind für meinen "einfachen" Internetzugriff so zu verstehen, dass Geräte vom LAN auf das WAN zugreifen dürfen, aber umgekehrt nichts aus dem WAN in mein LAN zugreifen kann, von der Firewall also geblockt wird?
  
  
• Der Betrieb eines DHCPv6 Server/Dienst ist wenn ich es richtig verstehe nicht zwingend notwendig. Ich habe ihn mal testweise gestartet, mir ist aber die zu konfigurierende DHCP-range nicht klar. Hier fehlt mir einfach das Verständnis für den Syntax der IPv6 Adressgenerierung.
  
  Angezeigt wird xxxx - xxxx. Wenn ich diese range eintrage hatte ich bei einem Test ein Gerät/mir unbekannte MAC Adresse/IPv6 Adresse in den Leases.
  
  nslookup brachte zum Vorschein:p2003***.dip0.t-ipconnect.de
  
  Was ist das für ein Gerät? Ich hab daraufhin den DHCPv6 vorsorglich deaktiviert.

Sorry für diese vielen basic Fragen.  ::)

I think the reason for the slow website access is definitely not an OPNsense issue. Neither unbound DNS, Dnsmasq DNS nor OPNsense in general.

I have made several times a ping at the problematic website/domail ifun.de.
The response time generally was (very?) high, with regular dropouts on some devices, not always. But slow loading or stucking website.

However, since I also have the same problem with another ISP (my workplace has a dedicated line afaik), for example with an LTE/4G Fritzbox 6820v3 router, I assume that the problem is either on the side of the destination URL/domain or basically with Deutsche Telekom (all ISPs are probably Deutsche Telekom).

Using 4G/LTE Fritzbox 6820v3:

Code Select Expand

$ ping ifun.de
PING ifun.de (172.67.179.129): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
64 bytes from 172.67.179.129: icmp_seq=3 ttl=50 time=133.068 ms
64 bytes from 172.67.179.129: icmp_seq=4 ttl=50 time=121.438 ms
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
64 bytes from 172.67.179.129: icmp_seq=9 ttl=50 time=154.368 ms
Request timeout for icmp_seq 10
64 bytes from 172.67.179.129: icmp_seq=11 ttl=50 time=141.843 ms
64 bytes from 172.67.179.129: icmp_seq=12 ttl=50 time=115.333 ms
^C
--- ifun.de ping statistics ---
13 packets transmitted, 5 packets received, 61.5% packet loss
round-trip min/avg/max/stddev = 115.333/133.210/154.368/14.003 ms

Using iPhone hotspot:

Code Select Expand

$ ping ifun.de     
PING ifun.de (172.67.179.129): 56 data bytes
64 bytes from 172.67.179.129: icmp_seq=0 ttl=50 time=173.035 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
64 bytes from 172.67.179.129: icmp_seq=5 ttl=50 time=146.799 ms
64 bytes from 172.67.179.129: icmp_seq=6 ttl=50 time=123.930 ms
64 bytes from 172.67.179.129: icmp_seq=7 ttl=50 time=139.072 ms
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
64 bytes from 172.67.179.129: icmp_seq=10 ttl=50 time=165.231 ms
64 bytes from 172.67.179.129: icmp_seq=11 ttl=50 time=136.977 ms
^C
--- ifun.de ping statistics ---
12 packets transmitted, 6 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 123.930/147.507/173.035/16.853 ms

Code Select Expand

$ traceroute ifun.de
traceroute: Warning: ifun.de has multiple addresses; using 172.67.179.129
traceroute to ifun.de (172.67.179.129), 64 hops max, 40 byte packets
1  fritz.box (192.168.178.1)  5.899 ms  3.192 ms  3.158 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  80.156.5.67 (80.156.5.67)  83.004 ms  59.682 ms  25.632 ms
9  h-sb1-i.h.de.net.dtag.de (62.154.49.197)  39.279 ms  52.426 ms  38.748 ms
10  d-sb1-i.d.de.net.dtag.de (62.154.3.61)  141.174 ms  122.424 ms  163.809 ms
11  ams-sb6-i.ams.nl.net.dtag.de (217.239.60.109)  125.050 ms
    217.239.42.113 (217.239.42.113)  138.399 ms  122.960 ms
12  if-ae-0-2.tcore3.njy-newark.as6453.net (216.6.90.14)  138.540 ms  126.983 ms  133.358 ms
13  66.198.70.2 (66.198.70.2)  138.530 ms  150.004 ms *
14  162.158.61.105 (162.158.61.105)  143.686 ms *
    162.158.61.101 (162.158.61.101)  173.196 ms
15  172.67.179.129 (172.67.179.129)  118.694 ms * *

Hello,
i have the exact same problem like you described.

...

But maybe the reason is just that:

I think Telekom has some serious Peering problems with everyone who is not willing to do peering at their own locations and wants to get paid for that. For example Cloudflare has not a great backbone connection to Telekom. O2 or 1und1 has good open peering at DE-CIX. its like a walled garden, and the customers are the ones suffering. The problem is not always present, only when their network is more congested. You can try to use a vpn when there is slow loading, and suddenly the internet feels fast again.

Hello @b1ggi,
thanks for your feedback. Yesterday evening I again had bad slow loading times and set up OPNsense in a Proxmox VM to check for a hardware defect of my PCEngines APU4.

With the same result. The same pages always load extremely slowly without coming to an end. Embedded images on the website remain half loaded, at the bottom of the browser only a white page. No timeouts, no 404 error, whatever...

My OPNsense setup is also really really really basic. No VPN, no VLAN, no super special configurations, firewall rules etc. Just Telekom VDSL, IPv4 LAN with DHCP, Unbound-DNS.

The thought that it could also be due to the Telekom/routing/peering... etc. was also on my mind. Because: It's always the same pages that don't load (or only load from time to time). Not random global network problems on various pages.

Did some testing in the meantime. Seems to be a DNS related problem in general on my system, not related to (just) OPNsense.
As first mentioned that switching to Dnsmasq-DNS on OPNsense will fix slow website loading I have to add now that this was not the solution. Same behaviour, regardless of using Unbound-DNS or Dnsmasq-DNS.

Even with a public DNS ( e.g 8.8.8.8 ) manually set on my playing/working device same result. It's always the same pages that do not load or stuck while loading.

Examples:
https://ifun.de
https://www.jeffgeerling.com/

Set up OPNsense from scratch, same results.

Some info about my system:

• OPNsense on APU4 (default setup (no special setup like VLAN, firewall rules, etc.), IPv4 DHCP, IPv6 disabled,Unbound-DNS)
  
• german Telekom VDSL 250/40
• Vigor 165 VDSL modem
• Unifi 24-port POE switch
• Unifi U6-LR AP
• Unifi Network Controller running self-hosted on Raspberry Pi
• pi-hole (broadcasted as DNS by DHCP running on Raspberry Pi, pihole is disabled for now

Did a dns-cache flush on my devices as my last action. Everything seems to run much more smoother right now. Will watching it.

Hmm, I don't really know how or where to start to get rid of the error.

Unfortunately, I don't have the technical background, but what I can't explain is why the pages with Unbound DNS simply don't continue to load. It is just a DNS request, either it is resolved or not. So why are images on websites only half loaded? On different computers. No error logs. Just websites stucking while the (should) load.
Using Dnsmasq-DNS everything works like a charm.

That makes no sense.
I'm confused to the max...  :o

I have noticed a website loading performance problem when I use Unbound DNS. I only noticed this problem in the last few days, websites sporadically load very slowly and finally stuck. I blamed it on my playing computer running Ubuntu.

Today, however, I also noticed the performance problem on my main computer runnming macOS and I think I have been able to locate the source of the error in my OPNsense firewall after gradually decommissioning all devices one after another.

I can't say whether this was caused by an OPNsense update or has been the case for some time.

Unfortunately, I don't have the technical Linux/BSD background to be able to provide detailed diagnostics or logs.

I think I have localised the problem with OPNsense, because when I switch to Dnsmasq DNS instead of Unbound DNS I no longer have any website performance problems.

My system

OPNsense 24.7.7-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15

Under System > Settings > General the option "Allow DHCP/PPP to overwrite DNS server list on WAN" is disabled as long as I am using Unbound DNS. If I understand this correctly, the upstream/root DNS servers are then queried for Unbound DNS. I had to reactivate this option when using Dnsmasq DNS, as otherwise there was no DNS resolving in the WAN.

Is this a known problem?

Ich habe mal etwas herum probiert und aktiviert

• ,,Do not use the local DNS service as a nameserver for this system"
• ,,Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN"

und dann in der Shell der OPNsense ein nslookup (genau genommen drill unter FreeBSD ;)) gemacht (vorher die Dienste mal neu durchgestartet) und siehe da, es wird eine externe IP verwendet (rootserver?). Mache ich o.g. Optionen wieder aus, wird per localhost 127.0.0.1 aufgelöst. Ich nehme an somit per Unbound?

Hallo,

ich bin etwas verunsichert ob der DNS Einstellungen meiner OPNsense. Netzwerktechnisch auch eher Anfänger versuche ich die Option zu verstehen.

Mein Setup ist kurz zusammengefasst wiefolgt:

• Unbound läuft ohne Forwarder
• DHCP auf LAN läuft und vergibt als DNS die IP meines Pi-hole
• Upstream in Pi-hole ist meine OPNsense

DNS Anfragen verstehe ich nun so, dass ein Client Pi-hole anfragt (dort wird entsprechend der Blocklist gefiltert) und dann Anfrage an OPNsense Unbound. Unbound guckt bei den Rootservern. Und alles ist gut...

Was macht bzw. würde die Funktion ,,Erlaube das Überschreiben der DNS Serverliste durch DHCP/PPP auf WAN" unter den allgemeinen Einstellungen machen? Ist aktuell ausgeschaltet, afair aber Default an?

Hello,

if you have successfully set up both optimizations, then you also have an Ethernet USB device which you assign to the WAN adapter. IP on this adapter set to DHCP (IPv6 according to DHCPv6).
Unfortunately the iOS 14 tethering seems to be broken, so there are currently problems. With iOS 13.x everything was fine.  :-\

Hello,

sorry for double post on the same topic in the german section of the forum.  :D

I own a Compex WLE600VX WiFi card. According to some information on the net, it should be supported by FreeBSD 12. I have the Compex WLE600VX WiFi card on my APU 2C4 board with OPNsense 20.1.2, but unfortunately the device does not show up. Since OPNsense is based on HardenedBSD 12.1, is there any experience with using the Compex WLE600VX WiFi card with OPNsense 20.x?   

Huhu,

gibt es schon Erfahrungsberichte, hat schon jemand die Karte Compex WLE600VX zum Laufen bekommen? Wo ja nun 20.1 basierend auf FreeBSD 12 schon eine Weile veröffentlicht wurde...

Ich hab die Karte auf meinem APU 2C4 mit OPNsense 20.1.2, doch per default wird die Karte erstmal nicht erkannt... :(

[if_ipheth_load="YES"]

Sorry for the double post and the reference to my thread in the german speaking area but I would like to try it here as well in the hope that someone who only speaks english will read along.  :)

See https://forum.opnsense.org/index.php?topic=6383.msg40831#msg40831

For using my iPhone as tethered WAN device I made two Tuneables under System > Settings > Tunables. One tunable is if_ipheth_load="YES", the second tunable loads hw.usb.quirk.0="0x05ac 0x12a8 0 0xffff UQ_CFG_INDEX_3".

So far, anytime I plugin my iPhone to OPNsense firewall, the message "Trust this Computer?" shows up in my iPhone display and after confirming/trusting my iPhone will be recognized as an ethernet interface that has been assigned to my WAN interface. The poor thing is that after my iPhone has been de-attached and then re-attached to OPNsense it won't get any DHCP WAN IP until I restart all services from ssh shell.

How can I fix this? How can I make the WAN interfaces get a new WAN DHCP IP without start all services manually?