Recent posts

#1
Virtual private networks / Wireguard site to site file tr...
Last post by ditch9 - June 27, 2026, 11:56:55 PM
I have two sites. Site A and site B.

On site A OPNsense is the edge device. It has a DHCP WAN cable connection and MTU ping testing has verified my MTU settings of 1420 and MSS settings of 1380 are what I need. The WAN speed is 1gbit down 300mbits up. I have multiple remote access Wireguard tunnels in addition to the site to site on this device and there are no issues.

On site B OPNsense sits behind a DD WRT router, which is the edge device. DD WRT has a DHCP WAN fiber connection which has the same MTU/MSS as site A. The WAN speed is 300mbit both ways. OPNsense is virtualized in Proxmox on this site.

My issue is that file transfers using wget, curl, rsync, and scp are very slow. Less than 1 megabyte a second. If I run rsync with -ahP the speed will be 100MB/s+ for a short time, then drop to sub 500kB/s and stay there. This happens across any host in any direction.

However, I can run iperf3 test in both directions and get speed around 200mbit/sec. If I run an iperf3 test while transferring files at sub 500kB/s speed, the iperf3 test is slower. Around 50mbit/sec ish.

Any ideas on how to figure out what's going on here? I'm lost.
#2
Zenarmor (Sensei) / Latest upgrade causes Zenarmou...
Last post by lilsense - June 27, 2026, 11:47:47 PM
After upgrading from 26.1.9 to 10, Zenarmor is no longer able to recognize any connections.
#3
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by patient0 - June 27, 2026, 11:28:41 PM
@franco: Installing a fresh 26.7-BETA, applying the patch and importing the config shows the same error. 'opnsense-patch -l' shows the patch installed.

For testing I deleted the outbound rules and re-created an IPv6 NAT rule in the source NAT section. That works as it should, but that leaves me with another question: the mode was set to 'Hybrid Source NAT rule generation' and the IPv6 NAT rule works fine. I then set the mode to 'Automatic Source NAT rule generation'; my created rule disappears as expected, but it seems the rule is still active, the IPv6 NAT-ting is still working. All the automatic rules are IPv4 only. Is that expected?
#4
Virtual private networks / Re: OPNsense with Express VPN ...
Last post by bennymundz - June 27, 2026, 11:00:56 PM
For anyone coming here looking for a solution: you have to download the legacy openvpn plugin in the community applications (Firmware > Plugins > Community Plugins > os-openvpn-legacy). Install that package.

Setup CA
Trust > Authorities > Import Existing Authority > Paste your CA section from your .ovpn file > Save

Setup Client Cert
Trust > Cert > Import Existing Certificate > Paste your CERT section from your .ovpn file > Paste your Key from the KEY section > Save

Setup VPN Client
VPN > Clients [Legacy] > Protocol UDP4 > Remote address + port from your .ovpn file
TLS Auth > Enabled Authentication only
TLS Shared Key untick > Enter Static key from your .ovpn file
Peer Certificate Auth > Name of the CA you created above
Client certificate > Name of the cert you created above
Auth Digest - SHA512 from your .ovpn file

This worked for me. The rest is up to you with how you deal with the interface once it is established.
#5
Hardware and Performance / Re: latencyspikes of seconds ...
Last post by pfry - June 27, 2026, 10:31:22 PM
Quote from: thelittleblackbird on June 27, 2026, 06:14:13 PM
[...] honestly, my FW ruleset is quite small (<200 rules) [...]

On how many interfaces? I have four (bridges), and ~100 rules. But then I have static IPs, so I have 2-4 NAT rules.

The number is less important than the rules themselves, of course. You could post those, or at least the ones relevant to your speed test.

Quote
I don't know where or how to look at this point [...]

I'd watch the live log (rule logging must be enabled) and make sure the ruleset is working as expected. (I'm lazy, and also look at the "Firewall States" dashboard widget for a total, as well as the "Sessions" and "States" GUI diags.) With so many rules I would not expect a functional loop. Also, "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad.
#6
Hardware and Performance / Re: latencyspikes of seconds ...
Last post by nero355 - June 27, 2026, 10:27:54 PM
Quote from: thelittleblackbird on June 27, 2026, 06:14:13 PM
honestly, my FW ruleset is quite small (<200 rules) and most of them are the autogenerated ones, I will be surprised if it is something like this.

I don't know where or how to look at this point

Why not boot the system with the Live Image of OPNsense and see how that performs with a very basic setup just good enough to get your WAN working?

Perhaps you made some weird loop somewhere or something got corrupted over time?!

Another thing to keep in mind is this: https://www.tomshardware.com/news/intel-apollo-lake-refresh-degradation-cpu-failure,40362.html
Your CPU might be affected by something like that too, IIRC from a very long time ago, but I could be wrong...
#7
26.1, 26.4 Series / Re: Import rules [new] dialog ...
Last post by nero355 - June 27, 2026, 09:52:00 PM
Quote from: tz-mbc on June 26, 2026, 09:55:41 AM
No "ok", "cancel" or any of the usual buttons?

I was confused too when moving Static DHCP Mappings from ISC to KEA, but everything worked just fine afterwards, so I guess maybe it will get a re-design OPNsense-wide one day when the more important things are finished first :)
#8
Zenarmor (Sensei) / Re: updating to 2.6 checking f...
Last post by wbennett - June 27, 2026, 07:55:27 PM
Got updated to 2.6 yesterday.
#9
26.1, 26.4 Series / Re: 26.1.6 only works with E10...
Last post by meyergru - June 27, 2026, 06:55:41 PM
The physical interface is limited to 1 Gbps; I doubt that the driver itself does anything with regard to timing. However, virtio on the virtualisation border should work just fine. IDK how SR-IOV comes into play here, because you do not / should not pass thru the NICs.

Just to make this clear: There are two basic ways you can do this:

1. By passing thru the physical NIC hardware to the VM guest. This absolutely needs a working FreeBSD driver for the hardware. I do not recommend it. This is where technologies like SR-IOV come into play.

2. By attaching a virtual network card to the PVE host bridge. In the VM, you can then select which emulated hardware you want to present to the guest, so either E1000 or virtio or whatever hardware your guest supports. For OpnSense, I recommend this way and also, using the virtio drivers.
Virtio would show up as virtioX as network device names under OpnSense.

Your MTU looks O.K., so this should work fine. Maybe the physical NIC has some optimisations to coalesce interrupts. This is often the case for high-speed NICs in order to handle traffic more efficiently. It may well be that this interferes and makes low-volume traffic look "choppy".

I would try to use another NIC type to rule out a hardware/driver problem on the PVE side of things, especially, because there are many problem reports for those adapters over on the Proxmox forum: https://forum.proxmox.com/search/19853344/?q=I40e+nic

#10
26.1, 26.4 Series / Re: 26.1.6 only works with E10...
Last post by Opnsensing-some-issues - June 27, 2026, 06:33:53 PM
Isn't E1000 a 1Gbps interface? I thought that was the hard coded limit in the module, hence why I'm shying away. I switched to vmxnet3 and it's working again. I suppose I just need this to spin up a basic config, then will be able to switch to SR-IOV. One thing is sure: I have tried every possible knob for virtio and it does not work. Here was the ping output:
Quote
C:\Users\bruh>ping 192.168.1.1 -l 1472 -f

Pinging 192.168.1.1 with 1472 bytes of data:
Reply from 192.168.1.1: bytes=1472 time=1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Control-C
^C
C:\Users\bruh>ping 192.168.1.1 -l 1473 -f

Pinging 192.168.1.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.

Ping statistics for 192.168.1.1:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\bruh>ping 192.168.1.1 -l 4000

Pinging 192.168.1.1 with 4000 bytes of data:
Reply from 192.168.1.1: bytes=4000 time=1ms TTL=64
Reply from 192.168.1.1: bytes=4000 time=1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
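Posts #1 and #10 both rest on the same arithmetic: the largest payload that still gets a reply with the DF bit set gives the path MTU, and the WireGuard interface MTU and MSS clamp follow by subtracting fixed header overheads. The Python below is an added example, not code from either poster; it parses a constructed copy of the ping lines from post #10 and derives the 1420/1380 figures from post #1. The 80-byte tunnel overhead assumes an IPv6 outer header (the worst case, and the one that turns a 1500 path MTU into 1420); with an IPv4 underlay the overhead is 60.

```python
import re
from typing import Optional

# Constructed sample: the three ping probes from post #10, condensed to the lines that matter.
SAMPLE_PING_OUTPUT = """\
C:\\Users\\bruh>ping 192.168.1.1 -l 1472 -f
Pinging 192.168.1.1 with 1472 bytes of data:
Reply from 192.168.1.1: bytes=1472 time=1ms TTL=64
C:\\Users\\bruh>ping 192.168.1.1 -l 1473 -f
Pinging 192.168.1.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
C:\\Users\\bruh>ping 192.168.1.1 -l 4000
Pinging 192.168.1.1 with 4000 bytes of data:
Reply from 192.168.1.1: bytes=4000 time=1ms TTL=64
"""

IPV4_ICMP_OVERHEAD = 28       # 20-byte IPv4 header + 8-byte ICMP echo header around the -l payload
WG_OVERHEAD = {4: 60, 6: 80}  # outer IPv4 (20) or IPv6 (40) header + UDP (8) + WireGuard (32)
TCP_IPV4_HEADERS = 40         # IPv4 (20) + TCP (20): MSS = interface MTU minus these


def largest_df_payload(output: str) -> Optional[int]:
    """Largest -l payload that got a Reply while -f (Don't Fragment) was set, or None."""
    best, size, df = None, None, False
    for line in output.splitlines():
        m = re.search(r"ping\s+\S+\s+(.*)$", line)
        if m:                                   # a new probe command line
            args = m.group(1).split()
            df = "-f" in args
            size = int(args[args.index("-l") + 1]) if "-l" in args else 32
            continue
        if df and size is not None and line.startswith("Reply from"):
            best = size if best is None else max(best, size)
    return best


def path_mtu_from_df_probe(payload: int) -> int:
    return payload + IPV4_ICMP_OVERHEAD                  # 1472 -> 1500


def wireguard_mtu(path_mtu: int, underlay_ip_version: int = 6) -> int:
    return path_mtu - WG_OVERHEAD[underlay_ip_version]  # 1500 -> 1420 (v6) or 1440 (v4)


def mss_clamp(tunnel_mtu: int) -> int:
    return tunnel_mtu - TCP_IPV4_HEADERS                 # 1420 -> 1380


if __name__ == "__main__":
    mtu = path_mtu_from_df_probe(largest_df_payload(SAMPLE_PING_OUTPUT))
    print(f"path MTU {mtu}: wg MTU {wireguard_mtu(mtu)}, MSS clamp {mss_clamp(wireguard_mtu(mtu))}")
```

Feed it the output of your own `ping -f -l <size>` sweep against the far end; if the probe size that passes is below 1472, both numbers in post #1 need to shrink by the same amount.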