Recent posts

#1
Quote from: Ozymandias on Today at 06:56:40 PM
I was hoping that my router would run at full 2000 / 2000 speed.

Am I being unrealistic?
What is the CPU load like during those benchmarks?


Have you tried simply downloading something instead of Ookla Speedtest.net benchmarks?
Or any public iPerf3 servers?
#2
Virtual private networks / OpenVPN Cipher Order
Last post by anomaly0617 - Today at 07:53:46 PM
Hi there,

I'm working on OPNsense 26.1.9-amd64, FreeBSD 14.3-RELEASE-p14, OpenSSL 3.0.20

I've been working on the OpenVPN Roadwarrior solution update, as part of the switch from Legacy to Instances. I've been using various sources for best practices based on the work environment it is being used in. One of the suggestions was to set the Data Ciphers to this order:

1st: AES-256-GCM
2nd: AES-128-GCM
3rd: CHACHA20-POLY1305

So I went to do that. It's a dropdown field with checkmarks for multiple options, but when you are done selecting the options, it puts them in alphabetical order. So then it looks like:

AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305

I thought "Surely, OPNsense will configure OpenVPN to use the strongest possible encryption first, then work its way down to the least possible encryption." And yet, in the OpenVPN logs, I can see where I'm connecting to the site repeatedly on AES-128-GCM. So I went digging.

In /var/etc/openvpn/instance-[ID].conf:
  • data-ciphers AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
  • data-ciphers-fallback AES-128-CBC

Nope. We really are telling it to prioritize the encryption in alphabetical order.

Then I tried forcing it in my OpenVPN config export, in the custom fields area:

data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

Disconnect, reconnect and... AES-128-GCM again. So what's on the daemon on the firewall is what is preferred above what the client asks for.

I could edit the file, change the priority, and restart the daemon, but the first time I go into the GUI and make a minor edit, it will revert. So that's not a wise choice.

My suggestion: Shift this field to something like the local and remote network fields are in the Routing section. Let me choose from a list, but then let me click on the Text option and rearrange them.

Thanks!
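The behaviour described in this post (the server's data-ciphers order decides which cipher is negotiated, whatever the client prefers) can be checked mechanically instead of by reading logs after each reconnect. The script below is an added example, not from the poster or from OPNsense. It assumes an OpenVPN 2.5+ instance config using the data-ciphers and data-ciphers-fallback directives, and models the negotiation rule from the OpenVPN manual: the server selects the first cipher in its own list that the client also offers. The sample config and the DESIRED_ORDER policy are constructed for the example.

```python
"""Audit the data-ciphers order of an OpenVPN instance config.

Added example (not the forum poster's code, not OPNsense's). Assumes the
config uses the OpenVPN 2.5+ ``data-ciphers`` / ``data-ciphers-fallback``
directives and models the NCP rule from the OpenVPN manual: the server
picks the first cipher in *its* list that the client also offers.
"""
from __future__ import annotations

# Constructed sample, shaped like the instance config quoted in the post.
SAMPLE_SERVER_CONF = """\
dev tun
proto udp
data-ciphers AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-128-CBC
"""

# Policy the post wanted: strongest first.  Assumption for the example.
DESIRED_ORDER = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}


def parse_ciphers(conf_text: str) -> tuple[list[str], str | None]:
    """Return (data-ciphers list in file order, data-ciphers-fallback or None)."""
    ciphers: list[str] = []
    fallback: str | None = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] == "data-ciphers" and len(parts) == 2:
            ciphers = [c.strip().upper() for c in parts[1].split(":") if c.strip()]
        elif parts[0] == "data-ciphers-fallback" and len(parts) == 2:
            fallback = parts[1].strip().upper()
    return ciphers, fallback


def negotiate(server_ciphers: list[str], client_ciphers: list[str]) -> str | None:
    """Model of OpenVPN cipher negotiation: the server's order wins.

    Returns the first server cipher the client also supports, or None when
    the two lists share nothing (the client's own ordering is irrelevant).
    """
    offered = {c.upper() for c in client_ciphers}
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None


def audit(conf_text: str, desired: list[str] = DESIRED_ORDER) -> list[str]:
    """Return findings as strings; an empty list means the config matches policy."""
    findings: list[str] = []
    ciphers, fallback = parse_ciphers(conf_text)
    if not ciphers:
        return ["no data-ciphers directive found"]
    if ciphers != desired:
        findings.append(
            f"data-ciphers order is {':'.join(ciphers)}, wanted {':'.join(desired)}"
        )
    weak = [c for c in ciphers if c not in AEAD_CIPHERS]
    if weak:
        findings.append(f"non-AEAD ciphers in data-ciphers: {', '.join(weak)}")
    if fallback and fallback not in AEAD_CIPHERS:
        findings.append(f"data-ciphers-fallback {fallback} is not an AEAD cipher")
    return findings


if __name__ == "__main__":
    server, _ = parse_ciphers(SAMPLE_SERVER_CONF)
    # A client that asks for AES-256-GCM first still ends up on AES-128-GCM,
    # which is exactly what the post saw in the logs.
    print("negotiated:", negotiate(server, DESIRED_ORDER))
    for finding in audit(SAMPLE_SERVER_CONF):
        print("finding:", finding)
```

Run it against /var/etc/openvpn/instance-[ID].conf (read the file into audit()) after every GUI change, and the order regression the post describes shows up as a finding rather than as an unexpected cipher in the connection log.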
#3
I've just upgraded from a PPPoE based 900 / 110 full fibre contract to a DHCP based 2000 / 2000 with YouFibre.

I get 2000 / 2000 with the supplied router using Windows 11 and Ookla speedtest.

I get 1400 / 1400 with my N100 i226 based router both from bare metal OPNsense cli and Windows 11 (direct connection to the router).

I get similar 1400 / 1400 iperf3 numbers to and from Win11 to OPNsense (and over 2000 both ways to Unraid on the network)

I was hoping that my router would run at full 2000 / 2000 speed. Am I being unrealistic?


System:

CWWK / Topton CW-ADLN-5L Ver: 1.0 Fengshang Edition

BIOS build date and time - 04/26/2023 14:02:13
BIOS settings:
• ASPM disabled on all ports
• PCIe speed set to Auto on all ports

N100

16GB DDR5 Ram
1TB Samsung 980 NVMe

5 port Intel I226-V
  EEPROM V2.17-0 eTrack 0x80000303

####
No line shaping or IDS/IPS.

Interfaces:
• Disable hardware checksum offload - checked
• Disable hardware TCP segmentation offload - checked
• Disable hardware large receive offload - checked
• VLAN Hardware Filtering - Disable VLAN Hardware Filtering

Tunables:
dev.igc.*.fc = 0
net.inet.rss.enabled = 1
net.inet.rss.bits = 2

net.isr.dispatch = deferred
net.isr.bindthreads = 1
net.isr.maxthreads = -1

/boot/loader.conf.local
hw.pci.enable_aspm = 0
#4
26.1, 26.4 Series / Re: Kea + Unbound + Bind for l...
Last post by meyergru - Today at 04:59:20 PM
That is basically the OP's question. I know that the DDNS feature has been added to Kea recently, but I think that Unbound has no RFC2136 support, so you really need another DNS server that supports it, like BIND, which makes the setup quite complex.
#5
26.1, 26.4 Series / Re: Kea + Unbound + Bind for l...
Last post by nero355 - Today at 04:52:24 PM
Quote from: meyergru on Today at 03:33:47 PM
The only disadvantage I can see is that you have to create static reservations for all hosts you need to be resolvable, because there is no equivalent of ISC dynamic DHCP bindings in OPNsense's implementation of Kea DHCP yet.
Doesn't the new KEA DDNS feature solve that issue ?!
#6
26.1, 26.4 Series / Re: Kea + Unbound + Bind for l...
Last post by meyergru - Today at 03:33:47 PM
We discussed this back and forth already, and this is not an exact answer to your question, but:

IMHO, the easiest way is to just use Kea DHCP static reservations, where the names of the host entries can be used directly in Unbound when you check "Register DHCP Static Mappings". That way, there is no need for any additional DNS resolver and you can control which names are being registered, which cannot be done if the hosts themselves present their names.

The only disadvantage I can see is that you have to create static reservations for all hosts you need to be resolvable, because there is no equivalent of ISC dynamic DHCP bindings in OPNsense's implementation of Kea DHCP yet.

However, I need exactly those hosts to have static IPs as well, so I do not miss anything. Also, more often than not, I also want to have aliases for hosts, sometimes to have different services on the same one, so I need to configure those in Unbound anyway.
#7
Tutorials and FAQs / Re: HOWTO - Redirect all DNS R...
Last post by RamSense - Today at 03:23:41 PM
@yourfriendarmando thanks for this. I like the colors with categories. Never used that before. I can follow your guide until the [Firewall :: Rules [New] or classic, same concept] part. (I use the [New].)

Can you write the firewall rules out so it is clear what belongs to what part of the firewall-rule?

And [local_link] is missing in your guide(?)


N.B. with NAT: I assumed the Destination ::
  Invert Source:  [X] ->should be-> Invert Destination: [X]
  Source Address: This Firewall -> Destination Address: This Firewall


#8
26.1, 26.4 Series / Re: ISC DHCP static mappings a...
Last post by dieter42 - Today at 02:32:46 PM
True, that's what I plan to do.


#9
26.1, 26.4 Series / Kea + Unbound + Bind for local...
Last post by cinergi - Today at 02:01:38 PM
Hello,

Just wondering if anyone is using Kea DHCP together with Unbound for default DNS resolution and Bind for local zone resolution via dynamic RFC2136 updates from Kea? This seems like an elegant way to get local resolution of DHCP-assigned addresses while using Kea instead of dnsmasq. But does it work well in practice?

Thanks!
#10
26.1, 26.4 Series / Re: ISC DHCP static mappings a...
Last post by dseven - Today at 01:50:27 PM
Ahh, I see. I would assume so too.

If you're committed to Kea, it might be a good idea to clear the ISC config (https://forum.opnsense.org/index.php?topic=52058.msg268107#msg268107) and uninstall the plugin.