Messages - Chip Schweiss

#1
On my installation, everything is pure routing, no NAT with one exception.  I have many network interfaces (>20).

For applications that serve HTTP/S I use an external proxy that terminates HTTP/S and proxies to the application specific port.   

So I've been setting up NAT rules that match the IP address of the application host and NAT port 80 and 443 to the proxy host. This works as intended, but I need two NAT rules on every interface for every application. There are a dozen or so applications like this to deploy, so the NAT rule count will explode.

Is there a way to make a NAT rule that is applied to all interfaces so that any time the destination matches an IP and port it will apply?
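
The two rule shapes the post is weighing, written out as pf(4) rules, which is what OPNsense loads underneath its NAT GUI. This is an added example, not something from the post or from OPNsense itself: the interface names, the proxy address and the application host addresses are constructed (RFC 5737 documentation ranges), and the rules are emitted by a script so the rule counts can be compared directly.

```shell
#!/bin/sh
# Added example: generate pf rdr rules that send TCP 80/443 bound for each
# application host to the HTTP/S proxy host. All addresses and interface
# names below are constructed placeholders, not the poster's.
PROXY=192.0.2.20
APP_HOSTS="192.0.2.10 198.51.100.10 203.0.113.10"
IFACES="vlan10 vlan20 vlan30"

# Per-interface form: one rule per interface per application host.
# With N interfaces and M hosts this is N*M rules (the post's variant,
# with 80 and 443 as separate rules, would be 2*N*M).
per_interface_rules() {
    for ifn in $IFACES; do
        for app in $APP_HOSTS; do
            printf 'rdr pass on %s proto tcp from any to %s port { 80 443 } -> %s\n' \
                "$ifn" "$app" "$PROXY"
        done
    done
}

# Interface-agnostic form: a pf rule without an "on <ifname>" clause is
# evaluated on every interface, so one rule per application host suffices.
global_rules() {
    for app in $APP_HOSTS; do
        printf 'rdr pass proto tcp from any to %s port { 80 443 } -> %s\n' \
            "$app" "$PROXY"
    done
}

# Number of rules a generator emits, for comparing the two forms.
count_rules() {
    "$1" | wc -l | tr -d ' '
}
```

Two things to check before loading such a rule set: run the generated file through `pfctl -nf <file>` to syntax-check it without loading it, and remember that a rule without an `on` clause also matches on the WAN interface and on the interface the proxy sits on. That is harmless here because the proxy forwards to the application-specific port rather than back to 80/443, but it would loop if the proxy itself talked to the application host on those ports.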

#2
Hardware and Performance / Need 10Gb/s throughput
August 24, 2018, 05:59:50 PM
I started working with OPNsense as a virtual machine to segment several VLANs and manage firewall rules between them. After not being able to get past ~3 Gb/s throughput I tried putting it on a repurposed server with 12 2.66 GHz CPU cores and an Intel X520-DA2 NIC. After importing my config, my results are basically the same, ruling out virtualization as the bottleneck. Granted, this is Westmere generation CPUs, but Linux on them has no problem keeping 10 Gb/s flooded.

With Linux doing the routing and firewalling between VMs I can achieve ~7 Gb/s, and between physical machines 10 Gb/s is possible, but not with OPNsense.

Changing any combination of hardware offloading settings makes very little difference to the performance.

My question is, is there any hardware known to handle 10 Gb/s+ with OPNsense?

Thanks!
-Chip
#3
18.7 Legacy Series / Only root can SSH after upgrade
August 10, 2018, 09:13:54 PM
After upgrading to 18.7, now only root can log in via SSH. Any other admin user gets the message "This account is currently not available." and is disconnected.

As root I can see that root is the only user in the wheel account.

What is the correct way to fix this?
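
The message quoted above, "This account is currently not available.", is the text printed by nologin(8), so the rejection comes from the user's login shell rather than from sshd's authentication. The check below is an added example, not from the post or from OPNsense: it parses constructed passwd- and group-format content (not the poster's system) to list which users have a nologin shell and who is in a given group.

```shell
#!/bin/sh
# Added example: find users whose login shell is nologin (they receive
# "This account is currently not available.") and list a group's members.
# The passwd/group content below is constructed sample data, not a real system.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
admin1:*:1000:1000:Admin One:/home/admin1:/usr/sbin/nologin
admin2:*:1001:1001:Admin Two:/home/admin2:/bin/sh'
GROUP_SAMPLE='wheel:*:0:root
admin:*:1999:admin1,admin2'

# Users whose seventh passwd field (the login shell) ends in "nologin".
nologin_users() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 ~ /nologin$/ { print $1 }'
}

# Members of the named group, taken from the comma-separated fourth field.
group_members() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}
```

On a live system the same two awk programs can be run over /etc/passwd and /etc/group. On OPNsense those files are generated from its own user configuration, so a hand edit is not the fix; the check only tells you where the rejection is coming from.
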
#4
18.1 Legacy Series / WAN CARP IP without NAT
April 10, 2018, 09:30:27 PM
I'm trying to set up an HA OPNsense pair of servers.  Internet NAT is handled by an upstream gateway.   The WAN IP address on OPNsense is still a private IP address and no NAT is done when routing through OPNsense.

If I set a static IP on each OPNsense server on the WAN subnet and the CARP virtual IP to the address I want as the floating gateway IP, how do I get this to work without using NAT to specify the outbound IP address?

Thanks!
-Chip