Messages - zz00mm

1
Hardware and Performance / Re: Random Frequent CPU Spikes and Page Faults [Almost Resolved]
« on: August 08, 2023, 05:31:27 am »
Look at the information provided here.
https://bsd44.blogspot.com/2004/12/vmstat.html

Looks like faults are nothing but interrupts, so a high number shows a busy system.

Faults:
The faults section shows system faults. Faults, in this case, aren't bad, they're just received system traps and interrupts.

in Shows the number of system interrupts (IRQ requests) the system received in the last five seconds.

sy Shows the number of system calls in the last five seconds.

cs Gives the number of context switches, or times the CPU changed from doing one thing to doing another.

2
Virtual private networks / Re: Tailscale make install command not working
« on: August 07, 2023, 02:19:07 am »
the instructions are lacking, you always do the following:
make
then if successful
make install

3
23.7 Production Series / Re: Apcupsd plugin - tell UPS to remain off
« on: August 03, 2023, 03:02:48 am »
Have you looked at these resources? I'm in the process of connecting a UPS to my firewall and found these resources after searching the forum and finding very little. Looks like you can achieve your desired configuration by modifying/creating a custom conf file.

https://linux.die.net/man/8/apcupsd

http://www.apcupsd.org/manual/

4
Hardware and Performance / Re: Definitive list of supported wifi chipsets for ap mode
« on: July 27, 2023, 09:10:53 pm »
WIFI cards have 2 different modes: Infrastructure and Ad-Hoc. You want Infrastructure mode and not all drivers support it.

https://docs.opnsense.org/manual/how-tos/interface_wireless_internal.html

FreeBSD supports wireless adapters in access point (infrastructure) mode, but this functionality is limited to some drivers and there may be some, which do not support all options available via the web interface. Please make sure that you buy a wireless card that is supported to avoid these problems.

From my experience, I ditched the wifi card out of my FW. I use an external solution to achieve my goal. My biggest roadblock, if I remember correctly, was I wanted 3+ SSIDs and could only get 2. This is the short list of headaches. If you search the forum you'll probably find most say do it with an external AP.

5
22.7 Legacy Series / Re: Forward the same port to two different systems
« on: July 08, 2023, 03:12:40 am »
WAN/NAT forward for each of the IPs to the destination host.

6
Hardware and Performance / Re: QAT Accelerator
« on: March 10, 2023, 04:26:28 pm »
I tested the QAT speed of my Atom C3758, which has onboard QAT, using the openssl speed command from this article.
https://stackoverflow.com/questions/64862544/how-to-check-compare-openssl-speed

I also saw a big decrease in CPU util on my openVPN connections after switching to the C3758 CPU.

Without using QAT
Doing aes-256 cbc for 3s on 16 size blocks: 11224359 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 64 size blocks: 2947524 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 744654 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 1024 size blocks: 186214 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 8192 size blocks: 23475 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 16384 size blocks: 12084 aes-256 cbc's in 3.09s

Results with QAT
Doing aes-256-cbc for 3s on 16 size blocks: 43725132 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 64 size blocks: 15233718 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 4530328 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 1214440 aes-256-cbc's in 3.06s
Doing aes-256-cbc for 3s on 8192 size blocks: 150648 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 75565 aes-256-cbc's in 3.01s
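The raw openssl speed lines above are hard to compare by eye because the block counts and the measured seconds both differ between runs. As an added example (this is not code from the post, from OpenSSL or from OPNsense), here is a small parser that turns each "Doing ... size blocks" line into bytes per second and reports the QAT speedup per block size. The sample outputs embedded in it are the post's own two runs; the regex copes with both the "aes-256 cbc" and "aes-256-cbc" spellings that appear there. The function names are ours.

```python
"""Parse `openssl speed` output and compare two runs.

Added example; this is not code from the forum post, from OpenSSL or from
OPNsense. The two sample outputs below are the post's own figures
(software AES-256-CBC vs. the QAT-offloaded run on an Atom C3758); the
function names are ours.
"""
import re

# openssl prints either "aes-256 cbc" or "aes-256-cbc" depending on the
# provider/engine in use, so the algorithm field is matched loosely.
LINE_RE = re.compile(
    r"Doing (?P<algo>[\w\- ]+?) for \d+s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) [\w\- ]+?'s in (?P<secs>\d+(?:\.\d+)?)s"
)


def parse_speed(output: str) -> dict:
    """Return {block_size: bytes_per_second} for every benchmark line found."""
    results = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner, blank or summary-table lines are ignored
        size = int(m.group("size"))
        # blocks processed * bytes per block, divided by the measured wall time
        results[size] = int(m.group("count")) * size / float(m.group("secs"))
    return results


def speedup(baseline: dict, accelerated: dict) -> dict:
    """Ratio accelerated/baseline for each block size present in both runs."""
    return {s: accelerated[s] / baseline[s] for s in baseline if s in accelerated}


# Sample input: the two runs quoted in the post, embedded verbatim.
SOFTWARE_RUN = """\
Doing aes-256 cbc for 3s on 16 size blocks: 11224359 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 64 size blocks: 2947524 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 744654 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 1024 size blocks: 186214 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 8192 size blocks: 23475 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 16384 size blocks: 12084 aes-256 cbc's in 3.09s
"""

QAT_RUN = """\
Doing aes-256-cbc for 3s on 16 size blocks: 43725132 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 64 size blocks: 15233718 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 4530328 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 1214440 aes-256-cbc's in 3.06s
Doing aes-256-cbc for 3s on 8192 size blocks: 150648 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 75565 aes-256-cbc's in 3.01s
"""

if __name__ == "__main__":
    sw, hw = parse_speed(SOFTWARE_RUN), parse_speed(QAT_RUN)
    for size, ratio in sorted(speedup(sw, hw).items()):
        print(f"{size:6d}-byte blocks: {sw[size] / 1e6:7.1f} MB/s -> "
              f"{hw[size] / 1e6:7.1f} MB/s  ({ratio:.1f}x)")
```

Run it as-is and it prints one line per block size; on the post's numbers the 16-byte case comes out at roughly 59.7 MB/s versus 232.4 MB/s, and the 16384-byte case at about 6.4x. The small-block figures are the ones that matter for VPN traffic, since packet-sized buffers never reach the large-block throughput.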


7
General Discussion / Re: Unbound DNS for VLANs via different gateways
« on: March 09, 2023, 06:43:53 pm »
Yes it can be done.
I have 10 VLANs
all but 2 have the default "*" gateway in the FW rule.

I have 1 openVPN connection to a US based endpoint.
In the FW rule for this VLAN the default gateway is changed to the connection name i.e. "openVPN_US"

I have 1 openVPN connection to an EU based endpoint.
In the FW rule for this VLAN the default gateway is changed to the connection name i.e. "openVPN_EU"

One note of interest: if you have issues getting DNS to resolve once the openVPN connection is up and active, I think I was unable to ping the LAN GW and DNS queries from the command line against the IP would fail.
I created a Floating Rule to allow each VLAN access to its GW, I think it could be accomplished also by creating a rule on the VPN VLANs to allow them access to the GW and it should work.

Hopefully this helps.
zz00mm

8
Virtual private networks / Re: VPN Licenses
« on: August 28, 2022, 04:39:51 am »
My answer to your question: the number of sessions is what you are getting with the different providers. I have 2 - 1 session VPN accounts, configured as follows:

VLAN104     openVPNEU connecting to NL endpoint, LAN & WIFI traffic show they are exiting/coming from somewhere in the Netherlands.

VLAN105     openVPNUS connecting to US endpoint, LAN & WIFI traffic show they are exiting/coming from somewhere in the US.

To add additional headache to the mix, I have a cron job that resyncs/reconnects the VPN sessions at 4am every morning. The VPN connection configuration has multiple target(s) selected at random. So every day on the US connection, the traffic shows coming from a different city. Same for the NL connection.

I could do the above with 1 - 5 session account, which would only consume 2 of the 5, leaving the other sessions to be used on portable/mobile devices as needed.

Right now free VPN service is being used to test/setup. Planning on moving to a non free VPN service soon.

9
Virtual private networks / Re: Trying to set up a VPN only LAN and DNS doesnt seem to work
« on: August 17, 2022, 07:57:55 pm »
I had a similar issue when I created 2 VPN VLANs on my network. First I saw that I was unable to ping the GW when the VPN session was up, thus when I attempted nslookup against the GW it would fail. From some threads here on the forum, I finally used the following solution: created a floating rule using aliases to allow access to the GW on the VLAN. I've attached screenshots that will hopefully help. Another option would be to use different DNS server(s), which I did initially as part of troubleshooting to figure out the problem.


10
Web Proxy Filtering and Caching / Re: Web request directing to web server
« on: August 10, 2022, 10:08:14 pm »
Looks like you have 3 options:

1) Port forward a different port for each domain thru the firewall to the web server for that domain. (Do this to test if the website is working thru firewall)

2) Put all the domain web pages on 1 Server, port forward thru the firewall to web server and let host headers do the work for you. (This is what I have used in the past)

3) Setup a reverse proxy that you port forward to thru the firewall and then let the reverse proxy do its work. If you get this to work, then you could move your reverse proxy to the firewall if desired, as NGINX is an option as well as traefik (traefik can be retrieved by using the mimugmail repo add-in).

That's all I can provide as I'm currently working on option #3 without port forwarding at this time.

Happy firewalling

11
22.1 Legacy Series / Re: Ad-guard plugin not available
« on: August 10, 2022, 07:56:43 pm »
Are you running the commands like this?

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

then

pkg update

In Linux/BSD, if you want to run both commands as 1, you have to combine them together with '&&':
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf && pkg update


12
22.7 Legacy Series / Re: [Solved]PHP error on mongodb after installation to 22.7
« on: August 01, 2022, 10:24:05 pm »
Thanks for the find, just completed update to 22.7 and same thing happening on my firewall. Looks like it's resolved.

13
22.1 Legacy Series / Re: How to add "local-zone" entries for Unbound with "always_nxdomain"?
« on: July 11, 2022, 10:16:55 pm »
https://www.routerperformance.net/opnsense-repo/

Has an additional Repo that can be added and a custom Unbound option addition. You could try it. I prefer creating the additional .conf file. This way upgrades haven't caused me any issues so far.

14
22.1 Legacy Series / Re: How to add "local-zone" entries for Unbound with "always_nxdomain"?
« on: July 10, 2022, 10:50:14 pm »
I put custom conf files into directory "/usr/local/etc/unbound.opnsense.d"

If you look at /usr/local/etc/unbound.conf you'll see that it has a wildcard *.conf include statement.

When the unbound service is started, it copies *.conf from above directory into /var/unbound/etc

I believe this is covered in the unbound document section. I use custom conf files to perform some additional blocks myself.
UPDATE: Forgot the link
https://docs.opnsense.org/manual/unbound.html#advanced-configurations

I've been blocking using unbound/dnsbl, not using nxdomain, so I'll have to try it and see how it works.

15
Virtual private networks / Re: Import List of Remote Servers Into an OpenVPN Client Configuration?
« on: April 28, 2022, 03:27:12 am »
Another option that should work. I use ProtonVPN and several weeks ago the DNS stopped resolving for us-free-01 thru us-free-08 and nl-free-01 thru nl-free-11 for some strange reason. Once the DNS resolve issue was corrected, I pulled all the IP addresses via nslookup/dig and put them into a file "/usr/local/etc/unbound.opnsense.d/protonvpncom.conf" using a different hostname for each. As you can see in the attachment, us-free and nl-free were used so as to not interfere with external resolution.

I think this could be used in a similar fashion to create up to 64 hostnames with multiple IPs, plus this would survive any kind of software update. I've modified file(s) in the past and they were wiped out with updates/upgrades, so keeping the info somewhere that it doesn't get erased.

Just another idea to consider.
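Both the "always_nxdomain" thread (post 14) and the ProtonVPN hostname trick (post 15) come down to dropping a hand-written include file into /usr/local/etc/unbound.opnsense.d. As an added example (not code from these posts, from OPNsense or from Unbound), here is a generator that produces such a file from a domain blocklist and a hostname-to-addresses map, validating every name and address first so a typo cannot silently turn into an unblocked domain or an Unbound config that fails to load. The local-zone and local-data directive syntax is Unbound's; the domain names, addresses and the output file name "custom-dns.conf" are constructed for the example.

```python
"""Build an Unbound include file for /usr/local/etc/unbound.opnsense.d/.

Added example, not code from the forum posts, from OPNsense or from Unbound.
It covers both ideas: `local-zone ... always_nxdomain` entries that block a
domain and everything beneath it, and `local-data` records that pin several
addresses to one private hostname (as with the us-free/nl-free names).
The directive syntax is Unbound's; the domain list, the hostnames, the
addresses and the file name "custom-dns.conf" are constructed here.
"""
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits, hyphens, no hyphen at either end.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot; the dot is re-added once when
    rendering, because Unbound wants fully qualified names."""
    return name.strip().rstrip(".").lower()


def valid_hostname(name: str) -> bool:
    """True for a well-formed dotted hostname (rejects empty labels, bad
    characters such as '_', and names longer than 253 characters)."""
    name = normalize(name)
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def nxdomain_zones(domains) -> list:
    """`local-zone: "<domain>." always_nxdomain` lines. A malformed entry
    raises so a broken blocklist fails loudly instead of silently unblocking."""
    lines = []
    for d in domains:
        if not valid_hostname(d):
            raise ValueError(f"invalid domain in blocklist: {d!r}")
        lines.append(f'local-zone: "{normalize(d)}." always_nxdomain')
    return lines


def local_records(hosts) -> list:
    """`local-data` A/AAAA lines, one record per address so a host can resolve
    to several endpoints. With no explicit local-zone, Unbound places these in
    a transparent zone, so only the listed names are overridden."""
    lines = []
    for host, addrs in hosts.items():
        if not valid_hostname(host):
            raise ValueError(f"invalid hostname: {host!r}")
        for a in addrs:
            ip = ipaddress.ip_address(a)  # raises ValueError on garbage
            rtype = "A" if ip.version == 4 else "AAAA"
            lines.append(f'local-data: "{normalize(host)}. IN {rtype} {ip}"')
    return lines


def render_conf(blocked, hosts) -> str:
    """Whole include file. It opens with `server:` because the file is pulled
    in by unbound.conf's wildcard include and must declare its own clause."""
    body = [f"    {line}" for line in nxdomain_zones(blocked) + local_records(hosts)]
    return "server:\n" + "\n".join(body) + "\n"


# Constructed sample input (documentation address ranges, not real endpoints).
BLOCKED = ["ads.example", "Tracker.Example.net."]
HOSTS = {
    "us-free.vpn.internal": ["192.0.2.10", "192.0.2.11"],
    "nl-free.vpn.internal": ["198.51.100.20", "2001:db8::20"],
}

if __name__ == "__main__":
    # Save the output as /usr/local/etc/unbound.opnsense.d/custom-dns.conf and
    # restart Unbound; printing keeps the example free of side effects.
    print(render_conf(BLOCKED, HOSTS), end="")
```

Keeping the generator's input (the blocklist and host map) in version control and regenerating the file after each OPNsense upgrade gives you the same "survives updates" property the post is after, plus a record of what was blocked and when.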

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved