Messages

136

Hardware and Performance / Re: How to improve internet speed per connection

« on: June 11, 2024, 08:13:21 am »

Better reason than most  - the learning, not the bragging

Pare down the config to just NAT and test again. Tweak the NIC (in OPNsense) / CPU / RAM (in BIOS) settings to see if any increase speed. Once you're maxed out, add features that you need and then features that you want. Note where you see a drop and decide if the feature is worth it.

Bart...

137

Hardware and Performance / Re: How to improve internet speed per connection

« on: June 10, 2024, 06:41:38 pm »

Does anyone know how to increase the speed per connection?

Emigrate to South Korea?  What are you running that actually saturates 900 Mbps? Just curious.

138

High availability / Re: Only one device fail to connect to internet

« on: June 09, 2024, 08:56:34 am »

Is it Windows? Reset the stack from a command prompt:

netsh int ip reset
netsh winsock reset

reboot and try again

139

High availability / Re: Only one device fail to connect to internet

« on: June 08, 2024, 05:49:59 pm »

That means you don't have a default gateway set up.

Open your network config and add 10.10.10.1 as the default gateway.

Bart...

140

General Discussion / Re: Assign multiple IPs via DHCPv4 / DHCPv6 to the same Host/DUID/MAC Address

« on: June 08, 2024, 08:58:00 am »

If you are looking for a quicker way to assign multiple IP addresses to a host, check out Ansible or NixOS. Those are a better solution for your use case than tinkering with DHCP IMHO.

Bart...

141

High availability / Re: Only one device fail to connect to internet

« on: June 06, 2024, 09:47:17 pm »

Is the firewall IP in the list of hops, or are there no hops at all?

142

High availability / Re: Only one device fail to connect to internet

« on: June 05, 2024, 07:59:56 am »

If your PC runs Windows, open a command prompt and run:

tracert 8.8.8.8

Bart...

143

High availability / Re: Only one device fail to connect to internet

« on: June 04, 2024, 12:01:23 pm »

what about traceroute? Is the firewall in the path to 8.8.8.8?

144

High availability / Re: Only one device fail to connect to internet

« on: June 04, 2024, 08:50:28 am »

What tests do you do? Ping 8.8.8.8 is better than using a browser for instance since the firewall is a layer 3 device while the browser is on layer 7.

Do a ping and a traceroute from a working and non-working device to confirm it really is the firewall.

Bart...

145

24.1 Legacy Series / Re: GUI access failed with error

« on: May 30, 2024, 08:37:19 pm »

Try a different browser? Do SSH and console login still work?

146

General Discussion / Re: Sanity Checking My "Stick" Setup

« on: May 29, 2024, 08:02:02 am »

I know the risk of virtual firewalls but modern hypervisors are very good at workload isolation, much like modern switches' VLAN separation amply meets the security requirements for the likes of us 

A Proxmox cluster will mitigate the impact of hardware failures, upgrades, etc. Not that you should expect many issues with HP SFF hardware; they are very well designed.

Bart...

147

General Discussion / Re: Sanity Checking My "Stick" Setup

« on: May 28, 2024, 08:28:16 am »

Nothing wrong with VLAN separation instead of physical interfaces. I run OPNsense on a single NIC machine.

You may want to consider running a hypervisor such as Proxmox so you can separate DNS from the firewall to reduce the attack surface. This will also let you snapshot before updates, although that improves availability more than security.

That is dependent on the amount of RAM in the HP, you'd want at least 8 GB for an OPNsense VM and something like a Pi-hole LXC.

Bart...

148

24.1 Legacy Series / Re: Firewall frequently unresponsive, cannot update etc

« on: May 23, 2024, 07:47:40 pm »

It never hurts to take a backup. I would boot the firewall from Clonezilla and image the drive that gives you a roll-back even if it is badly broken. https://clonezilla.org/

Also back up the config to compare against the fresh clean one and/or copy bits such as certs and keys.

Bart...

149

24.1 Legacy Series / Re: Firewall frequently unresponsive, cannot update etc

« on: May 23, 2024, 07:57:46 am »

It's easier to start with a working config and adding things, rather than a broken setup and fix randomly.

Do a fresh install and add features until you hit issues.

Bart...

150

General Discussion / Re: A question from a newbie

« on: May 21, 2024, 02:18:13 pm »

I would appreciate if you could elaborate your hint.

Since your internet router (OPNsense) does not handle the WG tunnel, you have two routers on your network. You need to:

- sort out the routing manually, so every hop (router) knows how to get to each side of the conversation
- use automatic routing protocols, which is likely overkill
- SNAT the WG tunnel onto the 192.168.2.0 network
- terminate the WG tunnel on OPNsense

Background info:
https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/introduction-to-routers-and-routing
https://networklessons.com/cisco/ccie-routing-switching/introduction-to-nat-and-pat

Bart...