Messages - allebone

61
General Discussion / Re: Strange behaviour when Raspberry PI 4 connected to my OPNsense device
« on: November 25, 2021, 03:04:16 am »
Do you have a USB NIC anywhere, by any chance? Some USB NICs send a reset packet that broadcasts over the network and causes problems with many devices.

62
21.7 Legacy Series / Re: I cant work out how everyone else managed to get mtu of 1500 working on pppoe
« on: November 24, 2021, 08:14:33 pm »
I see... I did set the parent interface to 1508, but I had not considered/didn't know the hardware would make a difference. I am using a Protectli box, so the NICs are Intel gigabit NICs. If that doesn't support this, then it would make sense that I can't get it to work.

63
21.7 Legacy Series / Re: I cant work out how everyone else managed to get mtu of 1500 working on pppoe
« on: November 23, 2021, 09:47:33 pm »
Thank you both for your replies. Unfortunately, when I do ifconfig my MTU is not changed despite setting it. I don't know why this is:

pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492

I have checked and rebooted multiple times and for sure edited the MTU on the dummy interface and on the PPPoE connection in addition. There must be something different, but I can't work it out.

64
Virtual private networks / Re: allowed number of Endpoints.
« on: November 23, 2021, 02:20:04 pm »
I think something else must be wrong as mine displays all of them (currently 12) in that list endpoints section.

65
21.7 Legacy Series / I cant work out how everyone else managed to get mtu of 1500 working on pppoe
« on: November 23, 2021, 02:10:18 pm »
Hi,

I'm with an ISP that allows the MTU of 1492 to be brought up to 1500 on a PPPoE connection. It's not clear to me how everyone else achieved this. I have read several topics on the forum and tried the suggestions, but I can't seem to get it to work on OPNsense 21.7.5-amd64.

I had a PPPoE connection on top of the em0 interface working with an MTU of 1492 and started by setting the MTU to 1508 there, which then states "calculated MTU 1500".

This had no effect, so I read other posts that said you needed to make a dummy interface of em0, simply enable it and set an MTU of 1508 there, which I also did.

This also had no effect, even after rebooting. The PPPoE dials and ends up with an MTU of 1492 at the end. What is the method people use to force an MTU, as I am clearly missing a step?

Kind regards
P

66
Zenarmor (Sensei) / Re: Trusting Sensei
« on: November 19, 2021, 05:34:40 pm »
If privacy is such a concern to you, then don't use Sensei. It has to have some data collection to manage licensing, sync with the cloud portal, etc. That's a fact of life for commercial products. Don't use Azure, don't use O365, don't use AWS, don't use anything where some data has to be stored elsewhere, i.e. nothing useful, since everything is using cloud these days. Good luck, but you will find it impossible integrating useful products like this if you cannot have a single bit of your data leave your site. Simple fact of life. Ship has already sailed on this. No turning back now.

67
General Discussion / Re: MTU for VLAN parent device
« on: October 28, 2021, 10:55:51 pm »
Oops, sorry, you are right: it is 28, not 18. 20 = IP header and 8 = ICMP header.

Regarding the test, then, it seems you have confirmed the MTU is 1500 and there is no issue?

"root@vfw02:~ # ifconfig vtnet4_vlan91
vtnet4_vlan91: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 6e:61:51:08:8c:94
        inet6 fe80::6c61:51ff:fe08:8c94%vtnet4_vlan91 prefixlen 64 scopeid 0x14
        inet 172.16.1.3 netmask 0xffffff00 broadcast 172.16.1.255
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255 vhid 68
        groups: vlan
        carp: BACKUP vhid 68 advbase 1 advskew 100
        vlan: 91 vlanpcp: 0 parent interface: vtnet4
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>"

Relevant info from above: mtu 1500 and IP 172.16.1.3

Test info:
root@vfw01:~ # ping -D -c 3 -s 1472 172.16.1.3
PING 172.16.1.3 (172.16.1.3): 1472 data bytes
1480 bytes from 172.16.1.3: icmp_seq=0 ttl=64 time=0.959 ms
1480 bytes from 172.16.1.3: icmp_seq=1 ttl=64 time=0.351 ms
1480 bytes from 172.16.1.3: icmp_seq=2 ttl=64 time=0.319 ms

Message indeed is received and replied to.

Can you explain further what you want to do? Are you wanting to change this interface to MTU 1600?

68
Virtual private networks / Re: IPSec RoadWarrior iPhone no traffic passed.
« on: October 26, 2021, 09:02:59 pm »
I followed the same guide and my iPhone is working, so you would need to actually provide further info at this point for us to see where you went wrong.

69
General Discussion / Re: MTU for VLAN parent device
« on: October 26, 2021, 09:01:44 pm »
I don't understand your reply. Can you repeat the test as I indicated and post the output?

70
General Discussion / Re: MTU for VLAN parent device
« on: October 25, 2021, 10:04:53 pm »
For ping you must remove 18 bytes to test an MTU of 1500, so in your test:

ping -D -c 3 -s 1500 172.16.1.3

This is testing an MTU of 1518.

Please use

ping -D -c 3 -s 1472 172.16.1.3

to test an MTU of 1500.

P
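The two MTU posts above (the 28-byte IP + ICMP overhead behind `ping -s 1472`, and the 1508 parent / 1500 PPPoE arithmetic from the PPPoE thread) can be checked mechanically. The following is an added example, not code from the forum thread: it computes the `-s` payload for a target MTU, derives the PPPoE MTU from the parent MTU, and parses FreeBSD `ping -D` output to decide whether a run actually proved the MTU. The successful sample output is the one quoted in the post; the failing sample (the "Message too long" lines) is constructed for illustration.

```python
import re

# Per-packet overhead the post walks through: 20-byte IPv4 header + 8-byte ICMP header = 28
IP_HDR = 20
ICMP_HDR = 8
# PPPoE consumes 8 bytes of the parent link (6 PPPoE + 2 PPP), so a 1508 parent yields 1500
PPPOE_OVERHEAD = 8

def ping_payload_for_mtu(mtu):
    """ICMP data size (`ping -s`) that produces an IP packet of exactly `mtu` bytes."""
    return mtu - IP_HDR - ICMP_HDR

def pppoe_mtu(parent_mtu):
    """MTU a PPPoE session can offer on top of a parent interface with `parent_mtu`."""
    return parent_mtu - PPPOE_OVERHEAD

_REPLY = re.compile(r"^(\d+) bytes from \S+: icmp_seq=\d+")
_TOO_BIG = re.compile(r"Message too long|frag needed and DF set", re.IGNORECASE)

def verify_ping_test(output, payload, expected_mtu):
    """Parse `ping -D -s <payload>` output and judge whether it proved `expected_mtu`.
    Returns ip_bytes (on-wire IPv4 size sent), replies, too_big (DF/size errors) and ok."""
    ip_bytes = payload + IP_HDR + ICMP_HDR
    replies = too_big = 0
    for line in output.splitlines():
        m = _REPLY.match(line.strip())
        if m:
            # FreeBSD prints the ICMP size (payload + 8); count only replies matching what we sent
            if int(m.group(1)) == payload + ICMP_HDR:
                replies += 1
        elif _TOO_BIG.search(line):
            too_big += 1
    ok = ip_bytes == expected_mtu and replies > 0 and too_big == 0
    return {"ip_bytes": ip_bytes, "replies": replies, "too_big": too_big, "ok": ok}

# Sample from the post: payload 1472 -> 1500-byte IP packets, all answered
GOOD_RUN = """PING 172.16.1.3 (172.16.1.3): 1472 data bytes
1480 bytes from 172.16.1.3: icmp_seq=0 ttl=64 time=0.959 ms
1480 bytes from 172.16.1.3: icmp_seq=1 ttl=64 time=0.351 ms
1480 bytes from 172.16.1.3: icmp_seq=2 ttl=64 time=0.319 ms
"""
# Constructed sample: what a link still at MTU 1492 returns for -D -s 1472
BAD_RUN = """PING 172.16.1.3 (172.16.1.3): 1472 data bytes
ping: sendto: Message too long
ping: sendto: Message too long
"""
```

Run the verdict against your own `ping -D` output before concluding that an interface change took effect; a reply count of zero with "Message too long" errors means the path is still smaller than the size you sent.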

71
General Discussion / Re: Simple: How to assign two IP Subnets to one interface?
« on: October 25, 2021, 05:58:21 pm »
You need to remove the IP addressing on the physical interface you want to use so it's like a blank physical interface, and then create 2 different VLANs that reside on top of this physical interface: one for the .0.1/24 range and one for the .2.0/24 range.

Then you have two separate networks on top of a single port. You are probably going to want to configure a way in to do this (e.g. a WireGuard connection), because you will be disrupting the LAN when you do this, as I'm guessing LAN is currently bound to the physical interface. However, 2 VLANs on top of an interface don't support that, so you will be removing the IP addressing on the LAN interface and recreating it as a VLAN in order to complete this. This will leave you with no connection to the box from the LAN for a short period of time, so if no accommodation is made for that you are locking yourself out.

So your end result will be a physical interface that is blank, e.g. em2;
then 2 different VLANs on top of that, something like VLAN 5 on em2 and VLAN 7 on em2.
This means 2 virtual interfaces now reside on top of a physical interface and are physically distinct (separated by VLAN tag). Now 2 networks can be manipulated via normal firewall rules on the IPsec connection. Devices behind this can be either in one network or the other on the LAN side by configuring the VLAN as appropriate on your switch.

P


72
21.7 Legacy Series / Re: A rule that should not block on the firewall blocked something temporarily.
« on: October 17, 2021, 04:22:02 pm »
Ok thanks.

73
21.7 Legacy Series / Re: A rule that should not block on the firewall blocked something temporarily.
« on: October 17, 2021, 03:39:48 am »
Actually I don't know the answer, but I like this answer. It is an answer that makes sense to me. I'm not sure how to interpret what flags would indicate this, but here are a few of the packets. Do the flags indicate what you suggest?
It is an answer that would make sense to me. I included 1 packet that was legitimately blocked to compare. Its flag is S, which is different.

P

74
21.7 Legacy Series / Re: A rule that should not block on the firewall blocked something temporarily.
« on: October 16, 2021, 02:50:02 am »
No issue. The top rule allows out port 443 and the block rule below blocks any port (i.e. all ports, *).

75
21.7 Legacy Series / A rule that should not block on the firewall blocked something temporarily.
« on: October 15, 2021, 09:59:12 pm »
Hi there,

I had a strange occurrence. I have rules that block certain IPs on my home network and an allow rule above this block rule that allows certain IPs that I don't want captured in the block.

Last night a Netflix CDN IP was blocked. I noticed today (the next day) when reviewing the logs. However, this IP was already in the allow rule. The effect this had was that momentarily Netflix would not work; I refreshed a few times and thought nothing of it. However, I noticed today that the IP was blocked, and so I went to add it to the list of allowed IPs and discovered it was already in the list.

This means that temporarily the rules did not function as expected last night. However, there were no changes to the firewall, and in fact I was not logged onto it at all, either at that time or around that time (due to watching Netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not added this IP later on into the alias of allowed IPs. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete
