"Recent posts
#1
26.1 Series / DEC840 slow upload test when u...
Last post by marcog - Today at 11:10:20 AMHi everyone,
I'm dealing with a frustrating upload speed issue on my DEC840 that I can't seem to figure out.
Currently, my WAN is connected to my ISP's ONT using an FS SFP-10G-T (SFP+ to RJ45) transceiver in one of the DEC840's 10G ports. When I run a speed test, I get around 2 Gbps download, but my upload is capped at roughly 500 Mbps.
Suspecting the copper transceiver was the bottleneck, I moved the WAN connection to one of the DEC840's native 1 Gbps RJ45 ports. As expected, my download speed dropped to ~940 Mbps, but surprisingly, my upload actually increased to ~700 Mbps.
Thinking I was on the right track and just dealing with a issue on the transceiver, I bought an unmanaged switch with 2.5 Gbps RJ45 ports and 10 Gbps SFP+ ports bypass it.
- I connected the ONT to the switch's 2.5G port.
- I connected the DEC840 to the switch's 10G port via a 10Gtek SFP+ DAC cable, completely bypassing the FS copper adapter.
To my surprise, when I retried the speed test, I was right back to where I started: 2 Gbps down, and stuck at ~500 Mbps upload.
It seems like there is an underlying issue with how OPNsense/FreeBSD is handling outbound traffic on the SFP+ interface itself, regardless of whether I use a transceiver or a switch.
I should also mention that I'm dealing with the infamous PPPoE for this connection. While I am seeing packet loss during the speed tests, that still doesn't explain the 200 Mbps discrepancy. If PPPoE single-core performance was the only bottleneck, the 1G RJ45 port shouldn't be outperforming the 10G SFP+ port
Has anyone experienced this or have any ideas on what tunables/settings I should check next?
Thanks in advance!
I'm dealing with a frustrating upload speed issue on my DEC840 that I can't seem to figure out.
Currently, my WAN is connected to my ISP's ONT using an FS SFP-10G-T (SFP+ to RJ45) transceiver in one of the DEC840's 10G ports. When I run a speed test, I get around 2 Gbps download, but my upload is capped at roughly 500 Mbps.
Suspecting the copper transceiver was the bottleneck, I moved the WAN connection to one of the DEC840's native 1 Gbps RJ45 ports. As expected, my download speed dropped to ~940 Mbps, but surprisingly, my upload actually increased to ~700 Mbps.
Thinking I was on the right track and just dealing with a issue on the transceiver, I bought an unmanaged switch with 2.5 Gbps RJ45 ports and 10 Gbps SFP+ ports bypass it.
- I connected the ONT to the switch's 2.5G port.
- I connected the DEC840 to the switch's 10G port via a 10Gtek SFP+ DAC cable, completely bypassing the FS copper adapter.
To my surprise, when I retried the speed test, I was right back to where I started: 2 Gbps down, and stuck at ~500 Mbps upload.
It seems like there is an underlying issue with how OPNsense/FreeBSD is handling outbound traffic on the SFP+ interface itself, regardless of whether I use a transceiver or a switch.
I should also mention that I'm dealing with the infamous PPPoE for this connection. While I am seeing packet loss during the speed tests, that still doesn't explain the 200 Mbps discrepancy. If PPPoE single-core performance was the only bottleneck, the 1G RJ45 port shouldn't be outperforming the 10G SFP+ port
Has anyone experienced this or have any ideas on what tunables/settings I should check next?
Thanks in advance!
#2
Russian - Русский / Re: os-xray — плагин Xray-core...
Last post by Pavlik24rus - Today at 07:31:50 AMQuote from: Stilicho2011 on March 20, 2026, 06:10:35 PMЯ сейчас добавлю немного пользователей, которые не были в курсе такой полезняшки. Надеюсь, что развитие не остановится, а пользователи помогут с prОчень приятно, с твоего канала я начал самохостить и опенсенс в этой связке от туда появился)
#3
General Discussion / Re: Forwarding/Policy Routing:...
Last post by pfry - Today at 06:56:15 AMClient-selected forwarding? The gateway used by the client is simply translated to a MAC address (assuming an 802.1-compatible medium, such as Ethernet or Wi-Fi), so there is nothing for the firewall to match. The only relatively transparent client-selectable packet element (other than source IP address) I can spot offhand that can be matched by pf is priority/DSCP. Other folks may have different/better ideas.
#4
General Discussion / Forwarding/Policy Routing: Ca...
Last post by kfm - Today at 06:26:27 AMHi,
I am trying to set up a single OpnSense instance to serve as a default gateway with multiple upstream VPNs, where the upstream VPN that gets used for forwarding client traffic is selected based on which ip address the client used for a gateway.
So, for example, assume my opnsense instance has address 10.0.0.10/24 and ip alias 10.0.0.20/24 on its LAN interface. If a LAN client used 10.0.0.10 as its gateway, I would like to forward this traffic through VPN A. But if a client used 10.0.0.20 as the gateway, then I want to forward that traffic through VPN B.
Is this possible? I know how to do it with multiple interfaces in the opnsense, but I can't figure out how to accomplish this on a single interface/subnet.
I am trying to set up a single OpnSense instance to serve as a default gateway with multiple upstream VPNs, where the upstream VPN that gets used for forwarding client traffic is selected based on which ip address the client used for a gateway.
So, for example, assume my opnsense instance has address 10.0.0.10/24 and ip alias 10.0.0.20/24 on its LAN interface. If a LAN client used 10.0.0.10 as its gateway, I would like to forward this traffic through VPN A. But if a client used 10.0.0.20 as the gateway, then I want to forward that traffic through VPN B.
Is this possible? I know how to do it with multiple interfaces in the opnsense, but I can't figure out how to accomplish this on a single interface/subnet.
#5
Russian - Русский / Re: os-amneziawg — плагин Amne...
Last post by Zlobniy Shurik - Today at 05:27:23 AMQuote from: Arxont on March 20, 2026, 02:42:17 PMAwg v2 тоже работает нормально, немного переделал плагин, уже сутки подключение держится, но что то никак не могу сделать чтобы определенные сайты открывались через awg, делаю все по инструкции и ... ничего.Та же проблема... И так, и эдак, а не получается селективный роутинг настроить.
Есть у меня тестовый сайт, который без VPN открывается у меня наполовину (без CSS и картинок).Как не выпендривался, а или без картинок (то есть, связь идёт по обычному каналу), или вообще интернета нет. Тот же сайт через десктопный клиент амнезии с того же самого сервера амнезии открывается влёт.
Если будет настроение, продолжу сегодня раскопки :)
#6
26.1 Series / Re: Can the GUI levels stay ex...
Last post by nero355 - March 20, 2026, 11:58:49 PMQuote from: tcm1010 on March 20, 2026, 05:05:12 PMThanks nero355 for pointing those out.You are welcome! :)
QuoteI did a lot of searching before posting and did not come across those threads (probably because I used "GUI" as one of the search criteria).No worries! Stuff happens! ;)
QuoteShall I mark this thread [SOLVED]...or [REDUNDANT]? :-)I would wait for a reply from one of the developers of OPNsense.
#7
Virtual private networks / Re: Wireguard VPN on mobile wh...
Last post by kermitxyz - March 20, 2026, 10:52:11 PMThe endpoint is for example "vpn.domain" which resolves to the Static IP of the OPNSense WAN interface.
I think the issue is that from external networks this resovles to say 80.12.15.40 but inside the LAN this doesn't work as it's the IP of the external OPNSense interface.
I think I might need "split DNS"? I have created an override in Unbound DNS so from inside the LAN "vpn.domain" resolves to the LAN IP of the OPNSense router.
But services still don't work...?
I think the issue is that from external networks this resovles to say 80.12.15.40 but inside the LAN this doesn't work as it's the IP of the external OPNSense interface.
I think I might need "split DNS"? I have created an override in Unbound DNS so from inside the LAN "vpn.domain" resolves to the LAN IP of the OPNSense router.
But services still don't work...?
#8
26.1 Series / Re: cloudflare blocklist
Last post by stanps - March 20, 2026, 10:29:59 PMIf I'm not mistaken you could also use their family DNS servers that [attempt to] block porn and malware. 1.1.1.3 & 1.0.0.3
#9
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by stauf - March 20, 2026, 10:10:58 PMInteresting, thank you. Someone was saying that Automatic Discovery sends out pings but I guess that is not the case. The documentation I can find on it shows that it just listens for ARP and NDP messages. Feels like there must be some defect(s) in the Automatic Discovery. If all it does is listen for ARPs and update it's cache if there are devices on the network changing their IP -> MAC mappings, or devices with static entries not using OpnSense to get an IP address, but they would need to send out ARP requests to populate their own ARP cache if they want to talk with other devices on the network. I can't think of anything (other than malicious/malformed ARPs, which I am certainly not sending...at least not intentionally, on my network) that would explain why OpnSense would populate entries in its DHCP table when there is no device on the network that is sending those ARPs.
It might be a nice feature to add a tag to any KeadDHCP MAC->IP entries in the csv files. Basically how was this entry learned. There is already a "Lease Type" column that says it is either static or dynamic. Might be nice to have an "automatic" maybe?
As I have Proxmox and multiple hosts on individual ethernet interfaces, there could be multiple IP/MAC combinations on the same interface, but from an OpnSense point of view, that should not matter at all.
I don't have v6 configured on OpnSense so I assume, even if Automatic Discovery is on, any rogue v6 NDP packets on my network would just get dropped? I suppose in my case, it's a moot point as there are no entries in the KeaDHCPv6 table.
When Automatic Discovery is enabled and it sees ARPs and keeps track, what is the next step? Does it just populate the KeaDHCP cache? Does it create a table somewhere else?
It might be a nice feature to add a tag to any KeadDHCP MAC->IP entries in the csv files. Basically how was this entry learned. There is already a "Lease Type" column that says it is either static or dynamic. Might be nice to have an "automatic" maybe?
As I have Proxmox and multiple hosts on individual ethernet interfaces, there could be multiple IP/MAC combinations on the same interface, but from an OpnSense point of view, that should not matter at all.
I don't have v6 configured on OpnSense so I assume, even if Automatic Discovery is on, any rogue v6 NDP packets on my network would just get dropped? I suppose in my case, it's a moot point as there are no entries in the KeaDHCPv6 table.
When Automatic Discovery is enabled and it sees ARPs and keeps track, what is the next step? Does it just populate the KeaDHCP cache? Does it create a table somewhere else?
#10
26.1 Series / Re: OPNSense setting wrong add...
Last post by Monviech (Cedrik) - March 20, 2026, 10:02:17 PMSame happened to me, thanks for posting about this.
I chose akamai now and things work again.
I chose akamai now and things work again.
