Messages

106

General Discussion / Re: Internet Only FW Rule

« on: August 18, 2020, 08:10:39 pm »

Maybe I know what you mean, but this question is not clear and I don't want to answer it on an assumption.

Please describe your environment and what you intend to do with such a rule. Do you want to block traffic flow between VLANs or private networks or what is the plan behind the question?

107

20.7 Legacy Series / Re: Virtualization inside OPNsense

« on: August 18, 2020, 07:12:25 pm »

Virtualization and firewall for security reasons are not the best combination. It adds a lot of complexity to the system stack.

Since the Intel Spectre and Meltdown security flaws it should be off the table to run critical systems on the same hardware. If you could not trust the hardware to separate the VMs and processes like they should do, it is not possible for a software layer on top to do so.

Beside this security aspect, the problem with sharing resources for your firewall with other VMs on the same box will lead to problems and trouble that never could be debugged. You will hardly find someone to support you or this solution since it is not clear what workloads are performed on the same hardware.

Sharing network resources and simulated device drivers for network cards will add another layer of complexity.

In my opinion it is a bad idea.
If you want to safe power, scale down your network boxes to only what you need.

108

20.7 Legacy Series / Re: HELP! opnsense stuck in upgrade to 20.7?

« on: August 18, 2020, 07:00:38 pm »

The log says something on port 5 "Generic Flash"

For me it looks like you have one sata SSD as ada0 and some second ssd or usb device that is connected as da0. This second device maybe is a usb cdrom or something else. Try to disconnect everything and find what device is causing the problem.

109

20.7 Legacy Series / Re: HELP! opnsense stuck in upgrade to 20.7?

« on: August 18, 2020, 06:34:50 pm »

Do you have a USB Flash stick connected to the Firewall?
Try to remove it and reboot if you don't need it to be connected.

110

20.7 Legacy Series / Re: Slow WAN after upgrade

« on: August 17, 2020, 06:07:16 pm »

Hi Falk,

can you please share info about your system and configuration?

111

20.7 Legacy Series / Re: IPv6 gateway marked as "down" after every reboot

« on: August 14, 2020, 03:57:57 pm »

fe80 is mostly a private IPv6 local address range.

How is your IPv6 Setup.
Can you please show the interface configuration and network plan and futher information what you want to configure.

Normally your provider will assign you a prefix over dhcpv6 or for static configuration. This prefix is a officeal public IPv6 range. This needs to be configured to be able to route traffic correctly.

112

20.7 Legacy Series / Re: IPv6 gateway marked as "down" after every reboot

« on: August 14, 2020, 01:34:23 pm »

What version are you using?

If the gateway is marked down, are you able to ping it?

113

Hardware and Performance / Re: Wireguard performance OPNSense?

« on: August 14, 2020, 12:02:00 pm »

Well hardware can be a limit.
Choose well supported NICs and a fast enough CPU with high clock to be on the safe side.

The current Wireguard implementation has it's limits but since it becomes a very popular solution lately, situation will change. I have no news on the kernel implementation, but I didn't check on it for some month ;-)

Site-to-Site I have some 1G/1G Tunnels running and performing o.k for me with IPsec.
Will try to test one of those in the near future.
My experiences are that >500Mbit VPN for some devices and connections are hard to handle for different reasons.

If I have controll over both sides for S2S VPN it is possible to achive very good results.

Normal Clients / PCs my experiences are very different.

114

Hardware and Performance / Re: Starting a new hardware build (on the cheap)

« on: August 14, 2020, 11:55:04 am »

Have fun with your new build and keep us up to date if everything works fine :-)

115

Hardware and Performance / Re: Running OPNSense in VM, what am i doing wrong?

« on: August 14, 2020, 11:52:25 am »

Well the anser is in your questoin. You run it as VM ;-)

No, I am jocking. I know many run it as VM. Since VM environments are very different it is not possible to debugg from remote quite well.

You never can expect the same performance from VM than directly on hardware. If driver emulation is in place then the results may differ alot. Thats due to the fact that maybe the implentation of such drivers are in some way incompatible or buffers and queues etc. are handled not optimal.

Maybe at some point someone will have time to do some testing with hardware and different virtualizations szenarios. This results will then only apply to his hardware and his vritualization szenario and as long as you pick your own hardware and your own environment the debugging is up to you.

116

Hardware and Performance / Re: SSD and Trim on current releases

« on: August 14, 2020, 11:46:55 am »

Btw. Trim should only make most sense with highly frequented storage.
Should not be the case with "normal" firewall setup.

Nevertheless it is supported by default.

117

20.1 Legacy Series / Re: Firewall rule processing - groups comes after interfaces?

« on: August 06, 2020, 05:29:37 pm »

Thank you for sharing :-)
Enjoy the learning journey!

118

20.1 Legacy Series / Re: OpenVPN: wrong timestamps in status

« on: August 06, 2020, 05:27:13 pm »

Thank you very much for sharing the solution and information! You are welcome.
If you could mark the first post as solved this helps others to find your solution. Have fun with your firewall!

119

20.7 Legacy Series / Re: Hyper-V install fails Gen2 (UEFI) VM

« on: August 06, 2020, 05:25:08 pm »

Thank you.

120

German - Deutsch / Re: Opensense FIX IP - Internet

« on: August 06, 2020, 05:24:46 pm »

Super! bitte das Thema im ersten Post auf gelöst setzen. Einfach den Betreff im ersten Post ändern.

For the record oder andere ein ähnliches Problem haben.

Eingehende und ausgehende IP sollte die gleiche sein und entsprechend mit Reverse-DNS-Eintrag versehen sein.
Diese IP sollte dann im SPF hinterlegt sein.