Messages - hescominsoon

#16
well nice..but their new hardware is saying greater than 10 gig firewall performance hence the question as to how they are actually getting those kind of speeds.
#17
Just curious how you would do this.  so far i see lots of posts saying the max is really 109gbps.  Obviously the folks at pf say if you want to go faster than 10gbps you have to use tnsr as bsd using the kernel isn't capable of going faster.  How would you do it under opnsense as i noted the addition of 25gb interfaces on their appliances?
#18
no..didn't know that was required..did i miss it in the documentation?
#19
I have a rule setup that is from my current ip any access is allowed to the system..so shell, webgui..everything.  This rule is set so ONLY this ip address has this access.  However when i try to use my hes****.ddns.net opnsense will not allow the access.  I have checked that the ip i have entered and the current ddns address resolve to the same ip.  I also have other firewalls that work fine with this ddns.net dynamic address.  it is the sole deployed opnsense that cannot seem to get it right.  Any ideas as to why this is?
#20
22.7 Legacy Series / Re: failover question
October 18, 2022, 01:23:36 AM
nope.  dns is getting dropped at the firewall.  i tried setting up the rule and not only did it not allow dns to pass during the failover but it also blocked dns from passing when we went back to primary.  I am at a loss now.  so I am going to do the next best thing.  I am going to tell the dhcp servers to send out that the dns is 9.9.9.9 and 149.112.112.112.  when the system failed over i was able to take an endpoint and modify its dns to quad 9 and it could surf.  So somehow internal dns is not changing over when the system fails over.  I think it's that weird rule..apparently how to format it and precisely where to put it escapes me.
#21
22.7 Legacy Series / Re: failover question
October 17, 2022, 07:09:27 PM
i found a way around it..i think.  the system nameservers are quad9.  since unbound is setup i guess by default i told unbound to use the system nameservers as the default forwarders.  That should eliminate the need for that firewall rule..i'll report back when i test it.
#22
22.7 Legacy Series / Re: failover question
October 17, 2022, 03:52:13 AM
Quote from: tiermutter on October 15, 2022, 10:44:52 AM
As said, I never understood this DNS rule... Maybe someone other can explain it...
Gateway groups are not really necessary for failover multi WAN, it works fine using GW priorities. With GW groups and policy based routing you are just a little more flexible for some scenarios.

now that's interesting..no need for gateway groups..hrmm i wonder if just using gateway priorities negates that dns rule then.
#23
22.7 Legacy Series / Re: failover question
October 14, 2022, 11:14:57 PM
Quote from: tiermutter on October 12, 2022, 07:08:35 AM
It would be nice if you wrote about what you are referring to.
I assume https://docs.opnsense.org/manual/how-tos/multiwan.html

The rule is placed above (before) the default allow rule on each interface that uses the gateway group.
To be honest: I never understood this rule, but never cared about as I have such a rule anyway for redirecting DNS.

What are you intended to do?
For Failover only, you need to use different tiers, where the main gateway is the lower one.

so i need to put that rule on every interface..so all the vlan interfaces and the base interface that serves the vlans as well?
also why not set both on the same tier but on different priorities?
yes failover only.  although i had it working earlier without adding that dns rule...so that's odd. 
#24
22.7 Legacy Series / failover question
October 12, 2022, 01:04:00 AM
for step 5:
Step 5 - Add allow rule for DNS traffic

where does this rule go?  does it go under firewall rules for the failover interface group or do i need to add it to every other internal interface?  We are not using unbound for dns.

also can both interfaces be tier 1 with different priorities?
#25
nope..they won't be..that's not how hypervisors work.
#26
22.7 Legacy Series / Re: traffic issue
October 04, 2022, 11:32:52 PM
i worked around it.  I have the pfsense wan interface on the same subnet as my internal workstation.  i'll just move it back to the cable modem when i am out of the office..:)
#27
22.7 Legacy Series / traffic issue
October 04, 2022, 10:41:25 PM
so i have the following setup:
wan---cable modem(dhcp no static..no routing just a modem)--dumbswitch

off the dumbswitch is the opnsense on one port with a 76.x.x.x dhcp ip
on the other port is a pfsense on 69.x.x.x. dhcp.

when i am behind the opnsense i cannot get to the 69 address.  all other access vectors work fine.  i am sure there is a setting i am missing.  a pointer would be appreciated.
#28
Quote from: Fright on September 19, 2022, 05:00:46 PM
Hi
not working with proxmox but..
Quote: I assume Proxmox reports the real figure. Why does OPNsense say something completely different?
maybe vice versa?
https://forum.proxmox.com/threads/difference-in-cpu-consumption.78552/

the reason is two differing points of view.  opnsense is reporting the load from the resources it's granted.  proxmox is reporting the load based on the entire host system..not just the singular vm.  both are correct.
#29
i've posted about ipv6 issues as well.  if i run opnsense in live mode..ipv6 works flawlessly.  the instant i install it and boot to the local disk on the same hardware ipv6 simply stops working..no idea what's going on...:)
#30
22.7 Legacy Series / Re: multi-wan failover problem
September 11, 2022, 11:31:45 PM
Quote from: franco on August 23, 2022, 01:56:23 PM
Quote from: hescominsoon on August 21, 2022, 07:32:58 PM
lack of support hours available from Deciso in the US...hence the move to another vendor for business clients.

That's a flat out lie. We do have happy support customers in the US and all you need is to acquire a contract.

If you intend to keep spreading misinformation I have no alternative to taking action as a moderator.


Cheers,
Franco

my intent is not misinformation.  Sorry you see it that way.  According to your site support is 9-5 central european time..which does not line up with business hours in the US.  so i will reword..there is not support from Deciso during US business hours..which is something i require from a vendor.  My apologies for my error in wording there.  Original post has been corrected with the original text placed in parentheses for the record.