Recent posts

#91
25.1, 25.4 Series / Re: default hw.vtnet.csum_disa...
Last post by jauling - Today at 10:59:33 AM
Because I'm a n00b and wanted to confirm. Thanks, and apologies.
#92
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - Today at 10:46:04 AM
Yay, thanks! <3
#93
25.7, 25.10 Series / Re: 25.7.11_1 host discovery i...
Last post by franco - Today at 10:45:06 AM
This was fixed in today's 25.7.11_9 hotfix.


Cheers,
Franco
#94
26.1 Series / Re: Clarification on os-isc-dh...
Last post by franco - Today at 10:43:11 AM
> Yes, exactly.

It's important to know that all configuration exists within config.xml and a component moving to plugins simply keeps reading the same information.

> As I understand it, you don't need to change anything manually. The "Track Interface" option is still there (marked as "legacy" though), and works as expected.

There may be use cases where you want "Identity association" with ISC-DHCP. This is analogous to using the "Allow manual adjustment of DHCPv6 and Router Advertisements" option in "Track interface". At some point both IPv6 modes may start to drift feature-wise, but at the moment that's not the case either.

Specifically, the problem with "Track interface" was just that it was closely tied to ISC-DHCPv6/Radvd auto-configuration, which is different now that we have Dnsmasq DHCPv6+RA and Kea DHCPv6+Radvd as viable options we don't want to also manage automatically anymore. Even Dnsmasq DHCPv6+Radvd can be a viable option.


Cheers,
Franco
#95
Announcements / Re: OPNsense 25.7.11 released
Last post by franco - Today at 10:34:52 AM
A hotfix release was issued as 25.7.11_9:

o interfaces: host discovery: make sure the full dump includes NDP output on fallback
o firewall: improve GeoIP alias expiry condition
o firewall: escape selector in rule_protocol
o dnsmasq: fix log conditions
o firmware: add upgrade hint and fingerprint for 26.1 plus isc-dhcp plugin migration
o isc-dhcp: check if device we try to configure exists in the system
o openvpn: account for CARP status in start and restart cases as well
o ports: hostwatch 1.0.6 with community tested improvements
#96
General Discussion / Re: (Newbie) Internet speeds h...
Last post by bevisjame - Today at 10:16:19 AM
Quote from: railswrack on October 27, 2024, 09:21:38 AM

> I just recently changed to a new modem (Arris S33) and a protectli vault with OPNsense. Also using a switch and wireless access point.
>
> I did this to fix fluctuating and constant speed drops that my old modem/router was giving me. (Netgear C7000v2). This has completely fixed my internet speeds by not only making them more stable but also faster.
>
> However despite my improved speeds, my connection in online gaming is worse than before. This is the 2nd OPNsense router I have tried (thought the first one had faulty hardware or something) but the same thing is happening on my new one.
>
> The game I'm playing uses p2p stickman hook (peer to peer) connections between players. Not a dedicated server, so connections are based on the "host" player with the other players feeding off the host's connection.
>
> I'm not sure how to go about fixing it, but from my research I think it might have something to do with UPnP or NAT.
>
> My old router had UPnP enabled and did not have this issue.
>
> I'm not sure how to go about fixing this or what settings to change. If someone could please help me I'd appreciate it! All my OPNsense settings are currently default except I changed my LAN ip from 192.168.1.1 to a static ip.
>
> By the way I game on PC and it is hard wired to my switch (not WiFi). Thank you!

It sounds like UPnP might be the issue since your old router had it enabled. Check your OPNsense settings to ensure UPnP is activated and that your gaming devices can use it. Also, consider adjusting your NAT settings, as different modes can impact P2P connections. Good luck!
#97
26.1 Series / Re: Please add reverse lookp t...
Last post by franco - Today at 10:14:04 AM
Discussed this a bit with Cedrik. I think in general this is a good idea although it's a bit complicated to compute the values in each case and a few special subnet sizes need more than one entry from the looks of it.


Cheers,
Franco
#98
fuck!, I feel ashamed of myself.

I promise I checked that for hours and I didn't see anything wrong.

Thanks for the help.

For the IPv6 I am not so worried, I only wanted to have a rule that could be triggered when one of the devices of the network is not behaving "nominally". I don't care if DNS over IPv6 are not resolved when not directed to the FW.
#99
26.1 Series / VLAN Bridge Setup
Last post by seb101 - Today at 10:10:12 AM
Hi Folks,

Coming from OpenWRT so bear with me...

I'm trying to replicate my setup on OpenWRT, some of the new concepts in OPNsense are confusing me. OPNsense is running on a Proxmox host with 6 physical interfaces delegated to it (PCI devices) and one virtual interface. The 4 physical igb0-3 interfaces are for WAN, the two physical ixl0-1 interfaces for 10GbE VLAN trunks to my downstream network. The virtual interface vtnet0 is for a VLAN trunk to Proxmox so other guests can attach to any network they need.

I want to bridge the VLANs between the physical ixl0 device and the virtual vtnet0 device. In OpenWRT this would be equivalent to:

config device
    option name 'br-dmz'
    option type 'bridge'
    list ports 'ixl0.200'
    list ports 'vtnet0.200'
    option mtu '9000'

config interface 'dmz'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    option device 'br-dmz'

How do I set up the equivalent in OPNsense? In the GUI when I set up a bridge it only allows me to select existing networks (WAN, LAN etc) not interfaces.

Also - a point of confusion, during initial setup OPNsense names VLANs nicely like ixl0_vlan10, vtnet0_vlan10, but post-setup in the GUI it will only allow naming them vlan0 vlan1 etc. Why is this?

Thanks!

EDIT
So it seems you can achieve this by first assigning the VLAN interfaces to networks, but this seems to break OPNsense's own conceptual model. The bridge is supposed to be a Layer 2 concept; the OPNsense documentation describes the assigning of networks as the Layer 3 instantiation of that interface:

The steps so far followed the OSI Layer Model:

    Connecting the Physical Layer (Layer 1) between OPNsense Appliance and Managed Switch

    Creating the Data Link Layer (Layer 2) with LAGG (optional) and VLAN

    Configuring the Network Layer (Layer 3) by setting IP addresses on the VLAN interfaces

If bridging creates a Layer 2 bridge, why do you have to jump through the hoops of creating the 'Layer 3' concept on the underlying VLAN devices?
#100
25.7, 25.10 Series / Re: Port forwarding rule trigg...
Last post by meyergru - Today at 10:02:14 AM
Yes, for starters: why is the source "This firewall" - you should have the list of clients that will be forced to use your local DNS there.

See this, point 29 and what is linked there.