Messages

Thanks for your replies guys.  I am currently running FRR but I don't see anything in there for routing instances, VRF, etc.  I could maybe do it manually in FRR's configuration, but I'm unsure if that would be persistent.

I'll check out the kernel requirements such as the mentioned vimage, so thanks for that.  If it's fully enabled on the kernel in 21.7, I'll play around with it.

I have implemented policy-based rules to get this working ATM, but multiple tables would be preferable.

Thanks,

Hi Guys,

Is there any support for VRF's?  I have a use case for a Management/OOB interface.

Thanks,

If DNS is resolving you might be looking in the wrong place.  You might also be hitting locally cached DNS records, so under testing, you might want to clear it. Below is my dig of worldclassroom.webster.edu.  Additionally, some ISP's block root DNS server, so you might need to forward.

You're not using firefox are you with DNS over HTTPS?

Code Select Expand

dig worldclassroom.webster.edu

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30238
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;worldclassroom.webster.edu.    IN      A

;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Mon Sep 23 15:31:45 BST 2019
;; MSG SIZE  rcvd: 218



If you think the rules are correct, try resetting the states, under Diagnostics.

The Global DNS settings are for the firewall itself unless you don't have a DNS server enabled, then those servers are pushed via DHCP to the client.  I am sure you get that but just wanted to clarify.

What DNS Server are you using on opnsense?  I don't recall the default, its ether Unbound DNS or Dnsmasq DNS.  I'd suggest checking out the settings.

I haven't used IPSEC on opnsense before, but have on many enterprise devices, so this might not help.

This is normally a routing or subnet issue from the firewall itself, therefore not as you would normally traverse it.  I would suggest you SSH into opnsense and press 8 for shell.  I'd check if you can ping the host on the opposite side of the tunnel and take a look at the routing tables (netstat -rn).

it sounds like the client isn't using the DNS Server your wanting.

Where are you defining the DNS Servers 8.8.8.8 and 9.9.9.9?  If you check the DHCP settings, you'll see the DNS servers field, if this is empty, it will with use the interface IP if a DNS service is enabled, otherwise the global DNS settings.  So you may have a DNS server running.

Check the host to verify its DNS server.  If I recall correctly, its "cat /etc/resolv.conf" on Mac.

Thanks,

Hi Guys,

I don't know if I'm doing something wrong here, but I cannot get weights to work on queues.

I have the following:

Pipe:
Bandwidth - 100Mb
Scheduler - Weighted Fair Queueing

Queue 1:
Pipe - Above
Weight - 100

Queue 2:
Pipe - Above
Weight - 1

Rule 1:
Destination Address: host 1
Target - Queue 1

Rule 2:
Destination Address: host 2
Target - Queue 2

The queues are working, but no matter what I use for weight, it is always around 50/50.

Thanks,

I'm basing some of my config on the documentation examples.  Additionally, I do want to monitor the WAN interface for direct connections, but I will test this.

Sup guys,

Netflow appears to be counting traffic twice, this port UPnP.  Am I seeing this correctly, check out the pictures.

EDIT: I'm also seeing the same thing with NAT rules.

Thanks,

Did you ever get an answer on this?  I'm looking to do something similar with FQ_CoDel.

I ended up testing on pfSense and had the same issue.  Someone posted that it could be down to queue size, which it was however on pfSense I can take this up as high as I link, on OPNsense it's limited to 100, is there any reason why?  I'd like to bump this up higher.

Thanks,

OK this was my own stupidity, ipfw isn't firewall rules per se and technically isn't failing open...

Sorry Guys,

nobody?

so it basically failed open and no comment.

Hi Guys,

I hit reset in the Traffic Shaper and although I have rules in the GUI I have lost all rules when I run 'ipfw -a list' I now get:

Code Select Expand


root@OPNsense:~ # ipfw -a list
65535 17072 4146486 allow ip from any to any