Messages - Evil_Sense

#61
I also attached utilization screenshots; with the tunables it's higher, but since I don't mind using the hardware a bit more, I'm OK with that.

(Second post, because only 4 pictures per post are allowed)
#62
I finally found time for some tests.

I first tested with the tunables and a system that had been running for a couple of weeks.

I then removed the tunables, rebooted, waited for 5 minutes and tested again.

Lastly I added the tunables again, rebooted, waited for 5 minutes and tested again.

As you can see, the results are within tolerance; this could be because my provider connection doesn't saturate the NIC capacity of my apu2c4.
#63
I think you need to set up a bridge with the two respective OPT interfaces, this could help:
https://forum.opnsense.org/index.php?topic=2981.0

You are currently running a WAN and a LAN interface; the two automatically created rules for the LAN interface are any-to-any rules and are allowing connections.
#64
As far as I briefly researched the OPT interface configuration, you have to create the same rules as the automatic ones for LAN, so it will pass the same traffic as the LAN interface does.

Maybe this helps
#65
Quote from: Julien on April 22, 2018, 10:32:13 PM
Quote from: Evil_Sense on April 21, 2018, 11:29:38 PM
Quote from: Julien on April 21, 2018, 11:00:17 PM
Quote from: Evil_Sense on April 10, 2018, 01:15:13 AM
Quote from: dcol on April 10, 2018, 01:02:26 AM
Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.
Thanks, will try with interrupt value of 42000 and see if it gets a bit better :)
Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
I am willing to get this configured on production soon; we are at 1024MB, and when IDS is activated we reach 400MB.
Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.
Can you share the value ? how much is before and after the IDS is activated ?
I am willing to configure this as the firewall is not near me; if things get messed up I will need to travel like 4 hrs to go and 4 hrs back.
I don't use IDS, so I can't give a statement on it.
Since I didn't write down the original settings and didn't make speed tests before and after, I'm not really able to provide reliable values. I could however try to remove the settings and measure against the current state tomorrow.
#66
18.1 Legacy Series / Re: /etc/hosts
April 22, 2018, 10:14:59 PM
Quote from: Davesworld on April 22, 2018, 10:06:18 PM
As far as web filtering, that's what the proxy and acl is for. I point the proxy acl to shalla and then choose the categories. Then I set up the proxy acl to update and apply the new list once per week. The way you are going about this is not only a resource hog but gets outdated quickly, rather clunky and crude. In the beginning of the public internet I would have done it your way, now there are just too many hundreds if not thousands of malicious sites which change constantly.
Well I created a cron job task and added some more sources to the script, so I got that going for me.
#67
18.1 Legacy Series / Re: /etc/hosts
April 22, 2018, 06:45:38 PM
Quote from: unclez on April 22, 2018, 04:29:34 PM
Hi,

I am in the same situation. Mainly I'd like to exactly block ADs and trackers when my clients behind the firewall are surfing the web.
Apparently the best (and only) way is to work on the hosts file.

The link posted a couple of posts back is the way to go apparently.

Please let me know if you have any progress on this.

Thanks!!

EDIT: I tried to use the guide on link https://devinstechblog.com/block-ads-with-dns-in-opnsense/ but the script creates at the end an empty list and anyway unbound does not like when I add the "include" option and it stops working. I do not have time to investigate now, unfortunately.
Script works perfectly fine for me.
#68
18.1 Legacy Series / Re: Unbound crashed
April 22, 2018, 02:40:32 AM
Quote from: elektroinside on April 20, 2018, 02:16:56 PM
So am I the only one with this problem?
I disabled IDPS, curious if it will crash again...
I have the same issue but related to the DNS-TLS guide (with LibreSSL).

I just checked the errors I had when testing DNS-TLS against 9.9.9.9, they are exactly the same.
#69
Quote from: SiD67 on April 20, 2018, 07:55:13 PM
Hi,

I am using OPNsense with a FritzBox as a DSL modem for the WAN connection.
I had connected the FritzBox to the WAN side of OPNsense and also to my internal LAN network, so I was able to log in to the FritzBox to watch the DSL status.

But I don't want the FritzBox to "see" my internal network and its devices, so I have created a VLAN interface on OPNsense and switch etc. for the FritzBox.

I am able to ping the FritzBox from the VLAN interface on my OPNsense (interface / diagnostics) but I am not able to access it from my LAN. A rule allowing access from LAN to everywhere exists.
Also a ping from my LAN to the OPNsense address on the VLAN interface works.
I think the FB is blocking access to it from outside its own network.

So I am trying to implement NAT or something to fake the IP accessing the FritzBox, so it looks like it's coming from the FritzBox's internal network.

I tried port forwarding on LAN with a fake IP to the real IP but no success so far.

Someone got a solution for me ;)

Sorry for bad English ;)

Regards,

Dennis
Maybe I'm not entirely understanding your problem, but apart from the OPNsense IP you won't see anything behind it on the FritzBox, since OPNsense acts as another routing instance.
#70
Quote from: Julien on April 21, 2018, 11:00:17 PM
Quote from: Evil_Sense on April 10, 2018, 01:15:13 AM
Quote from: dcol on April 10, 2018, 01:02:26 AM
Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.
Thanks, will try with interrupt value of 42000 and see if it gets a bit better :)
Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
I am willing to get this configured on production soon; we are at 1024MB, and when IDS is activated we reach 400MB.
Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.
#71
Quote from: dcol on April 10, 2018, 01:02:26 AM
Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.
Thanks, will try with interrupt value of 42000 and see if it gets a bit better :)
#72
I implemented the tuning settings on my apu2c4.

I added the settings to the tunables in the GUI and used the mentioned commands to check before and afterwards, without noticing anything odd.

Like elektroinside said, it feels faster, but it seems that CPU usage and memory usage have slightly increased and sometimes the system feels slower than usual.
I'm not sure if this comes from the rx & tx packet descriptor size of 4096 or the high max interrupt rate of 64000, but it seems a bit too heavy for the little apu2c4 :D.

Suggestions are welcome :)
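The before/after measurement described in posts #62 and #72 (apply the tunables, reboot, compare), as an added example that is not the poster's own commands, which the thread does not show. The loader tunable names are those of FreeBSD's igb(4) driver, assumed here for the apu2's Intel NICs; confirm them with `sysctl -d hw.igb` on the box before use. The values are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. hw.igb.* names are an assumption for an
# igb(4) NIC; the OPNsense tunables GUI persists them to the loader config.

# The loader.conf(5) lines the GUI would write for the thread's values.
# A higher max_interrupt_rate lowers latency at the cost of CPU time; larger
# descriptor rings cost memory and can hurt cache behaviour on a small box.
igb_tunables() {
  cat <<'EOF'
hw.igb.max_interrupt_rate="42000"
hw.igb.rxd="4096"
hw.igb.txd="4096"
EOF
}

# Sum the "total" column of `vmstat -i` over every interrupt line naming the
# given NIC (igb0 has one line per queue). vmstat -i prints "name total rate",
# so the cumulative total is the second-to-last field.
nic_irq_total() {   # usage: vmstat -i | nic_irq_total igb0
  awk -v nic="$1" '$0 ~ nic { s += $(NF-1) } END { print s + 0 }'
}

# Interrupts per second between two cumulative totals taken SECONDS apart.
irq_rate() {   # usage: irq_rate TOTAL1 TOTAL2 SECONDS
  echo $(( ($2 - $1) / $3 ))
}

# Live measurement: run once with and once without the tunables, under the
# same traffic, and compare the number against the configured maximum.
measure_nic_irq_rate() {   # usage: measure_nic_irq_rate igb0 10
  t1=$(vmstat -i | nic_irq_total "$1")
  sleep "$2"
  t2=$(vmstat -i | nic_irq_total "$1")
  irq_rate "$t1" "$t2" "$2"
}
```

Run `measure_nic_irq_rate igb0 10` while a speed test is in progress; if the rate sits far below the configured `hw.igb.max_interrupt_rate`, the tunable is not the limiting factor and the extra CPU load is not buying anything.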
#73
Thanks Franco, didn't think it would be that easy  ::) ;D

Regards  :)
#74
I use the same shell script and wrote an action for it so the script can be run via cron.
Now I would like to integrate a restart of the DNS subsystem, preferably directly in the action and in the same block (update-hosts), or failing that appended to the script.

/usr/local/opnsense/service/conf/actions.d/actions_udapte-hosts.conf
[update-hosts]
command:/usr/home/update-hosts.sh
type:script_output
message:updating adblock file
description:Update adblock file
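The `update-hosts.sh` the action above points at is not shown in the thread. What follows is an added example, not that script: it turns hosts-format blocklist lines into an Unbound include and then restarts Unbound through `configctl`, which is the restart the post asks to append. The include path under `/usr/local/etc/unbound.opnsense.d/` is an assumption; if your Unbound config does not include that directory, point `OUT` at whatever file your `include:` line names.

```shell
#!/bin/sh
# Added example, not the /usr/home/update-hosts.sh from the thread.
# OUT is an assumed location; adjust it to the file your unbound.conf includes.
OUT=${OUT:-/usr/local/etc/unbound.opnsense.d/adblock.conf}

# Convert "0.0.0.0 name" / "127.0.0.1 name" hosts lines into the Unbound
# equivalent (redirect zone + A record), lower-cased and deduplicated.
# Comments, non-sinkhole entries and localhost aliases are dropped so a
# sloppy upstream list cannot poison real names through this file.
hosts_to_unbound() {
  awk '
    /^[[:space:]]*#/ || NF < 2 { next }            # comments, blank lines
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }  # only sinkhole entries
    {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break                        # trailing comment
        name = tolower($i)
        if (name == "localhost" || name == "localhost.localdomain" || name == "local") continue
        if (name ~ /^[a-z0-9._-]+$/ && !(name in seen)) {
          seen[name] = 1
          printf "local-zone: \"%s.\" redirect\n", name
          printf "local-data: \"%s. A 0.0.0.0\"\n", name
        }
      }
    }'
}

# Write the include atomically (Unbound parses it on restart, so a partial
# file must never be visible), then restart via configd so OPNsense
# regenerates unbound.conf first instead of signalling the daemon directly.
update_and_restart() {   # usage: update_and_restart < hosts.txt
  tmp="$OUT.tmp.$$"
  hosts_to_unbound > "$tmp" && mv "$tmp" "$OUT"
  if command -v configctl >/dev/null 2>&1; then
    configctl unbound restart
  fi
}
```

With this in place the action's `command:` can stay as it is; the restart happens at the end of the script rather than in a second action.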


#75
Quote from: elektroinside on April 04, 2018, 10:03:04 AM
This is also how some MITM attacks/behaviors look like.
Not saying that your ISP does something similar, but something/somebody is interfering with it. Maybe a service running on that same port?
Every other TLS connection works fine and has the expected certificate; a test with openssl s_client to 9.9.9.9:853 succeeded.
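The openssl s_client check mentioned in the post, carried a step further as an added example (not the poster's command line, which is not shown): besides whether the handshake succeeds, it extracts the chain verification result and the leaf certificate's SHA-256 fingerprint, which is what separates a middlebox answering on port 853 from the real resolver. Using dns.quad9.net as the SNI for 9.9.9.9 and pinning a fingerprint are assumptions; use the name and fingerprint your resolver publishes.

```shell
#!/bin/sh
# Added example, not from the thread. Network access is needed only by
# dot_probe; the parsing functions work on a saved transcript too.

# Raw s_client transcript for HOST:PORT with SNI. Chain verification is
# against the local CA store; the hostname itself is not checked here, the
# fingerprint pin below covers that.
dot_probe() {   # usage: dot_probe 9.9.9.9 853 dns.quad9.net
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
}

# "Verify return code: N (text)" -> N. 0 means the chain validated.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# SHA-256 fingerprint of the first (leaf) PEM certificate in the transcript.
leaf_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# "ok" only when the chain verifies AND the leaf matches the pin; otherwise
# a one-word reason. An empty transcript (connection refused, reset) counts
# as verify-failed.
check_dot() {   # usage: check_dot HOST PORT SNI PINNED_SHA256_FINGERPRINT
  out=$(dot_probe "$1" "$2" "$3")
  code=$(printf '%s\n' "$out" | verify_code)
  fp=$(printf '%s\n' "$out" | leaf_fingerprint 2>/dev/null)
  if [ "$code" != 0 ]; then echo "verify-failed"
  elif [ "$fp" != "$4" ]; then echo "pin-mismatch"
  else echo "ok"; fi
}
```

Run `dot_probe 9.9.9.9 853 dns.quad9.net | leaf_fingerprint` from a network you trust, record the value, and compare it later with `check_dot`; a "pin-mismatch" with verify code 0 means something with a trusted certificate is sitting in the path, which is exactly the case a plain handshake success does not reveal.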