Messages - yolocoffee

1
Hardware and Performance / traffic between untagged vlan and a tagged vlan basically dies
« on: February 03, 2022, 11:17:06 pm »
I am scratching my head on how to solve this.

I have one primary untagged LAN (60_LAN)  and 3 VLANs (70_VLAN/80_VLAN/90_VLAN). No VLAN is allowed to access the primary lan but primary lan can access all other VLANs.

My speeds from primary LAN to any other tagged LAN (60_LAN -> 70_VLAN) are atrocious. Connections can be established in the case of accessing a web page or starting a remote desktop session but the performance is very spotty. In other cases, I cannot establish a connection at all. iperf3 basically dies after getting to 2 Mbps. rsync won't work at all.

If I disable pf (from the GUI or the shell), everything works correctly with the expected speed and performance. As soon as I enable pf, all traffic from primary lan to other vlans goes to shit. All traffic between the tagged VLANs is fine with pf enabled.

I have disabled all hardware filtering etc.
I do not have any intrusion detection turned on.
I do not have any traffic shaping/QoS rules.
I have a single WAN configuration.
I installed the vendor realtek driver (the card does not have issues passing traffic between tagged VLANs or between the tagged and untagged vlan if I disable pf)

What gives?

2
General Discussion / Re: Help me understand why this firewall rule is being invoked?
« on: January 31, 2022, 12:42:03 pm »
Okay. I am just trying to understand why these are now showing up in the firewall logs and not in the 2-3 days before?

For context, I am very new to firewalls and still learning.

FWIW, these devices have jumped routers in the last 2-3 days.

So is it correct to say that the original connections were established via the different router and opnsense has no context about the previous connections and thus this firewall rule is being matched?

Operationally, everything seems to be working fine so far.

3
General Discussion / Re: Help me understand why this firewall rule is being invoked?
« on: January 31, 2022, 12:27:55 pm »
So every single device on this LAN is now showing the same issue.

From a reverse lookup, this looks like the IP address of apple push servers.

I am not sure why they would be blocked. This was not happening 2-3 days ago and I have not made any significant changes to firewall rules. At least, I don't remember any.

4
General Discussion / Help me understand why this firewall rule is being invoked?
« on: January 31, 2022, 10:58:16 am »
I installed opnsense in a KVM, passed through two realtek NICs for LAN and WAN. LAN has 4 VLANs. I have not configured any firewall rules for any other VLANs. LAN has the default generated rules. All devices on LAN have WAN access without issue.

Now this particular device (a macbook) on LAN has blocked packets arriving on the firewall. See image Blocked.jpg. All other devices (imacs, iphones) are not seeing the same "default deny rule" being invoked.

What is triggering this rule only for this particular device?

5
22.1 Legacy Series / Re: Checksum issues with VirtIO in QEMU/KVM environment and OPNsense 22.1
« on: January 31, 2022, 10:46:06 am »
I had similar issues and recreating the opnsense vm using Q35/OVMF fixed the issue for me. Granted I'm passing through two interface cards for LAN and WAN and just using the bridged vtnet0 for accessing the opnsense GUI from the host in case shit hits the fan.

6
22.1 Legacy Series / Re: opnsense 22.1 for VMware ESXi ARM Fling on raspberry pi4B 8gb
« on: January 08, 2022, 12:20:11 pm »
Hello @efetropy,

Can you share the patches required to build opnsense 22.1 for a Raspberry Pi 4? I'd like to help with this.

I'm just getting started and have finally understood how to build it but am missing the specific configuration for RPI4.

Quote from: efetropy on November 24, 2021, 07:03:43 am
I don't know if any exists, but you can create your own image using the opnsense tools.
A good starting point would be here https://github.com/opnsense/tools

You will need some adjustments though, e.g. a slightly modified device config file for your RPi 4B,
adjust some build scripts and so on. I can already tell you that cross compiling the development version 22.1 (based on FreeBSD 13) works for me.

