Recent Posts

German - Deutsch / Re: Connection problem between OPNsense firewalls after update
« Last post by viragomann on Today at 08:14:38 pm »
Quote from: G-XVI on Today at 08:02:51 pm
What does not work:

    Connections between FW01 and FW02 (both in the same subnet) do not work.
        The connection from FW01 to FW02 is not established.
        The connection from FW02 to FW01 is also not established.

Hello,

you mean that directly from FW1, for example, a ping to the FW2 WAN IP does not work, even though the rules allow it?

How are the devices' WANs connected to each other? Are they on a switch, or do they have to communicate via an external device?

Is the WAN subnet mask correct on both?

Does the IP of the other FW show up in the ARP table after trying to ping it?
German - Deutsch / Re: Connection problem between OPNsense firewalls after update
« Last post by Patrick M. Hausen on Today at 08:13:04 pm »
Did I miss it? What kind of "connections" is this actually about? Of course you have to allow inbound on the respective WAN whatever is supposed to be "connected" - WireGuard, OpenVPN, IPsec, whatever ... you don't say.
24.7 Production Series / Kea dhcp static mapping
« Last post by caplam on Today at 08:05:37 pm »
Hi,
I'm new to OPNsense, so I have my whole network to migrate.
I started with Kea, as ISC is mentioned as being deprecated soon.
I tried with no success to import DHCP static mappings from my current router.
The file is a CSV with the same fields as in the configuration screen.
I tried many times with or without the first line.
I get "unexpected error, see the logs".
But no error is shown in the logs.
Is this import thing working?
In the meantime I deactivated Kea to start ISC, and I will make registrations from the leases page.
German - Deutsch / Connection problem between OPNsense firewalls after update
« Last post by G-XVI on Today at 08:02:51 pm »
Hello everyone,

I have a problem with the connections between two OPNsense firewalls (FW01 and FW02) after an update that I performed one to two months ago. Before the update everything worked flawlessly, but after the latest updates no connection can be established between the two firewalls anymore. Here are the details:
Network setup:

    Public IP subnet: 200.X.X.X/29
    OPNsense 24.7.10_1-amd64 FW01:
        WAN IP: 200.X.X.11/29
    OPNsense 24.7.10_1-amd64 FW02:
        WAN IP: 200.X.X.12/29
    Device FW03 (another FW, not OPNsense):
        IP: 200.X.X.13/29

What works:

    Connections from the Internet to FW01, FW02 and FW03 are possible.
    Connections from FW01 and FW02 to FW03 work without problems.

What does not work:

    Connections between FW01 and FW02 (both in the same subnet) do not work.
        The connection from FW01 to FW02 is not established.
        The connection from FW02 to FW01 is also not established.

Details of the problem:

    About one to two months ago everything still worked flawlessly, but after the latest OPNsense updates (I could no longer determine the exact update date) connections between FW01 and FW02 are no longer possible.
    Both firewalls are connected directly in the same subnet (200.X.X.0/29) with public IP addresses.

Troubleshooting steps so far:

    I checked the firewall logs but could not find any obvious blocks or errors.
    The ping test between FW01 and FW02 shows no reply.
    NAT or port forwarding is not required in this setup, since both firewalls are connected directly to the public subnet.
    I checked the configurations on both firewalls, especially the firewall rules, but found no differences or misconfigurations that could cause the problem.

Question:

Has anyone had similar problems after an OPNsense update? Are there special settings or changes that need to be taken into account after an update? Or could it be a problem with the routing tables or some other configuration that changed after the update?

I appreciate any help or hints!

Many thanks in advance!
24.7 Production Series / 24.7.10_1 NGINX can't find cert.pem
« Last post by Sander85 on Today at 07:53:52 pm »
Just updated from 24.7.9 to 24.7.10_1 and NGINX stopped working.
Probably because of the change:
"system: remove the SSL bundles in default locations"

NGINX can't find /etc/ssl/cert.pem.
Code:
nginx: [emerg] SSL_CTX_load_verify_locations("/etc/ssl/cert.pem") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/cert.pem, r) error:10000080:BIO routines::no such file error:05880002:x509 certificate routines::system lib)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

For a quickfix I created a symlink to /usr/local/etc/ssl/cert.pem.
Code:
ln -s /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem
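A more careful version of that quick fix, as an added shell example that is not from the post: it only links to a candidate path after confirming the file is a readable PEM bundle with at least one certificate, and it refuses to overwrite a regular file at /etc/ssl/cert.pem (which would mean the bundle is back and no link is needed). The two paths are the ones from the post; the functions and their names are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post: find a usable CA bundle among
# candidate paths, then create the compatibility symlink nginx expects.
set -u

# Print the number of PEM certificates in a file (0 if missing/unreadable).
pem_cert_count() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 on zero matches but still prints "0"; keep going.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first candidate that is a readable PEM bundle with >= 1 cert.
# Exit status 1 if none of the candidates qualifies.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ "$(pem_cert_count "$candidate")" -gt 0 ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Create link_path -> bundle. A regular file already at link_path is left
# alone (exit 2): a real bundle is back there and no link is needed.
# An existing symlink is replaced so a stale link can be repointed.
link_ca_bundle() {
    bundle=$1
    link_path=$2
    if [ -e "$link_path" ] && [ ! -L "$link_path" ]; then
        echo "refusing to replace regular file $link_path" >&2
        return 2
    fi
    mkdir -p "$(dirname "$link_path")" || return 1
    ln -sf "$bundle" "$link_path" || return 1
    # Re-check through the link so a bad target is caught immediately.
    [ "$(pem_cert_count "$link_path")" -gt 0 ]
}

# Usage on the OPNsense box from the post (run as root):
#   bundle=$(find_ca_bundle /usr/local/etc/ssl/cert.pem) \
#       && link_ca_bundle "$bundle" /etc/ssl/cert.pem \
#       && nginx -t
```

Running `nginx -t` afterwards repeats the config test that produced the error above, so a wrong target shows up before the service is restarted.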
German - Deutsch / Re: WLAN AP - problem with DHCP - client gets no IP
« Last post by meyergru on Today at 07:21:59 pm »
First of all, you don't need any special rules for DHCP in the (V)LANs, and no DHCP relay is necessary either. You only do that when you have several routed networks, because DHCP requests are sent by broadcast and you then need a "stand-in" in the remote network (that is what the DHCP relay is).

In your case, with the switches you have a backbone that has trunks carrying all (V)LANs on the LAGG ports and on the port for the AP. For end devices you put the respective VLANs untagged on the port. That is also how you drew it.

The switches should of course be manageable. I don't know the WLAN AP; I use Unifi APs myself, on which this works exactly that way with a 1:1 mapping of VLANs to WLANs. Apparently the Netgear supports different modes, including ones in which it does DHCP itself.

If it supports 1:1 mapping, the DHCP requests and replies from the OPNsense should pass through - if not, that is where to look for the problem.
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Last post by stefan21 on Today at 07:07:38 pm »
Actually I tried to split port 443 in HAProxy. I couldn't find a working solution for my setup. While struggling around, Cedrik gave me the hint to try Caddy. The idea behind HAProxy was to restrict access to the LAN and to present all certs to any clients or applications in the LAN. Connections from outside are only allowed through VPN. In this setup only a minimum of ports is open at the WAN interface.

The main reason for port sharing is that more and more Wi-Fi networks in hotels or airports have only two ports open. As long as there's no deep packet inspection, one could use port 443 for OpenVPN. In other environments WireGuard may be a good choice.

Here are the steps for sharing port 443 between OpenVPN and a web application running on HTTPS, which are working for me. The prerequisites are (up to date):

OPNsense 24.7.9_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

- all DNS records set up at the ISP/DNS registrar
- all (Let's Encrypt) certificates are stored in the correct local places and up to date
- a user has been created for OpenVPN
- local certificates have been created for the VPN server and the VPN client (user)
- a VPN instance is up and running, bound to 127.0.0.1 on port 1194

a) In Caddy - General Settings - enable Caddy and the layer4 proxy. Advanced, Log, DNS, etc. are left at their defaults.
b) In Reverse Proxy - HTTP Access - create your ACL. I allow access only to LAN and VPN. The HTTP response code for me is 403, the message is "HTTP 403 - Forbidden".
c) In Reverse Proxy - Domains - create your web application on port 443 (HTTPS). Don't forget the corresponding certificate and the access list for this application.
d) In Reverse Proxy - HTTP Handlers - create the web application that belongs to step c). Handler is "handle", leave path at "any", directive is "reverse_proxy", leave HTTP version at default, protocol is "https", define your upstream domain/IP with upstream port 443. Leave the upstream path empty. Set the TLS server name so that it matches the SAN (Subject Alternative Name) of the certificate offered by the upstream.
e) In Layer4 Proxy - leave/change routing type to "listener_wrappers", protocol is TCP, leave local port empty, matcher is "openvpn", mode and key are "any", upstream domain is "127.0.0.1", upstream port is 1194. Leave the rest empty/at default.

Connect your road warrior through port 443 to the OpenVPN instance. For the client export I used "file only".

That's it. Working at least for me. If there are questions about this setup, I'll try to help. I had to start over for a second try; the first approach didn't work as expected. After re-installing (I removed every leftover from Caddy via the CLI) it worked the way I described. This time I was better prepared and didn't change or alter any setting while configuring Caddy. Be sure to have all prerequisites working as they should, then start configuring Caddy.

I can't push the DNS through to the Linux client (not working with Windows clients); access to the LAN apps works only with IPs, or by connecting via VNC to a machine in the LAN. I can live with that. Or maybe someone is able to rule this out.

regards,
stefan

P.S. thanks to Cedrik - all credits to him
24.7 Production Series / Re: bnxt NIC (AOC-S25G-b2S - Broadcom BCM57414) stop working after upgrade
« Last post by borys.ohnsorge on Today at 07:07:11 pm »
Quote from: Patrick M. Hausen on November 12, 2024, 09:40:59 am
There is a problem with that line of NICs which is being discussed at least since January 2023:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269133

You probably best get a different brand of cards.

EDIT: possibly a different firmware version might help:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245981
Hi

After changing NIC to Intel XXV710 I still have network problems.

server1:
Code:
Name
admins-opn-1
Versions
OPNsense 24.7.10_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

root@admins-opn-1:~ # pciconf -l -BbcevV ixl0
ixl0@pci0:1:0:0: class=0x020000 rev=0x02 hdr=0x00 vendor=0x8086 device=0x158b subvendor=0x15d9 subdevice=0x0978
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller XXV710 for 25GbE SFP28'
    class      = network
    subclass   = ethernet
    bar   [10] = type Prefetchable Memory, range 64, base 0xdc000000, size 16777216, enabled
    bar   [1c] = type Prefetchable Memory, range 64, base 0xdd008000, size 32768, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 129 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x1000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(2048) FLR
                 max read 512
                 link x8(x8) speed 8.0(8.0)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 64 supported
                     First VF RID Offset 0x0110, VF RID Stride 0x0001
                     VF Device ID 0x154c
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 0017[1a0] = TPH Requester 1
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                     P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                     P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                     P2P Direct Translated unavailable, Enhanced Capability unavailable
    ecap 0019[1d0] = PCIe Sec 1 lane errors 0xff
  PCI-e errors = Correctable Error Detected
                 Unsupported Request Detected
     Corrected = Advisory Non-Fatal Error
    VPD ident  = 'Supermicro Network Adapter'
    VPD ro PN  = 'AOC-S25G-i2S                    '
    VPD ro V0  = '9.30 0x8000EA8A'
    VPD ro V1  = '2.00  '
    VPD ro SN  = '       '
    VPD ro VA  = '2'
    VPD ro V2  = ''
    VPD ro V3  = ''
    VPD ro V4  = '            '
    VPD ro V5  = '            '
    VPD rw VB  = ''
root@admins-opn-1:~ # pciconf -l -BbcevV ixl1
ixl1@pci0:1:0:1: class=0x020000 rev=0x02 hdr=0x00 vendor=0x8086 device=0x158b subvendor=0x15d9 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller XXV710 for 25GbE SFP28'
    class      = network
    subclass   = ethernet
    bar   [10] = type Prefetchable Memory, range 64, base 0xdb000000, size 16777216, enabled
    bar   [1c] = type Prefetchable Memory, range 64, base 0xdd000000, size 32768, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 129 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x1000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(2048) FLR
                 max read 512
                 link x8(x8) speed 8.0(8.0)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 64 supported
                     First VF RID Offset 0x014f, VF RID Stride 0x0001
                     VF Device ID 0x154c
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 0017[1a0] = TPH Requester 1
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                     P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                     P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                     P2P Direct Translated unavailable, Enhanced Capability unavailable
  PCI-e errors = Correctable Error Detected
                 Unsupported Request Detected
     Corrected = Advisory Non-Fatal Error
    VPD ident  = 'Supermicro Network Adapter'
    VPD ro PN  = 'AOC-S25G-i2S                    '
    VPD ro V0  = '9.30 0x8000EA8A'
    VPD ro V1  = '2.00  '
    VPD ro SN  = '       '
    VPD ro VA  = '2'
    VPD ro V2  = ''
    VPD ro V3  = ''
    VPD ro V4  = '            '
    VPD ro V5  = '            '
    VPD rw VB  = ''
root@admins-opn-1:~ #
root@admins-opn-1:~ #
root@admins-opn-1:~ # ifconfig lagg0
lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9214
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether xx:xx:xx:xx:11:b4
hwaddr 00:00:00:00:00:00
laggproto lacp lagghash l2,l3
laggport: ixl0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: ixl1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@admins-opn-1:~ # ifconfig lagg0_vlan52
lagg0_vlan52: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9214
description: WAN (wan)
options=4000000<MEXTPG>
ether xx:xx:xx:xx:11:b4
inet 192.168.1.1 netmask 0xffffffe0 broadcast 192.168.1.31
groups: vlan
vlan: 52 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
media: Ethernet autoselect
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>
root@admins-opn-1:~ # kldstat
Id Refs Address                Size Name
 1   61 0xffffffff80200000  1f63788 kernel
 2    1 0xffffffff82164000    1e2c8 opensolaris.ko
 3    1 0xffffffff82183000    165f0 if_lagg.ko
 4    2 0xffffffff8219a000     3540 if_infiniband.ko
 5    1 0xffffffff8219f000     ea58 if_bridge.ko
 6    2 0xffffffff821ae000     8930 bridgestp.ko
 7    1 0xffffffff821b7000     3c10 pflog.ko
 8    3 0xffffffff821bb000    8d578 pf.ko
 9    1 0xffffffff82249000    11a18 pfsync.ko
10    1 0xffffffff8225b000   5cd5e0 zfs.ko
11    1 0xffffffff82829000     aa30 if_gre.ko
12    1 0xffffffff82834000     4be0 if_enc.ko
13    1 0xffffffff82839000     fba8 carp.ko
14    1 0xffffffff83220000     2110 pchtherm.ko
15    1 0xffffffff83223000     3250 ichsmb.ko
16    1 0xffffffff83227000     2178 smbus.ko
17    1 0xffffffff8322a000     3360 uhid.ko
18    1 0xffffffff8322e000     4364 ums.ko
19    1 0xffffffff83233000     33c0 usbhid.ko
20    1 0xffffffff83237000     3380 hidbus.ko
21    1 0xffffffff8323b000     4850 nullfs.ko
root@admins-opn-1:~ #

server2:
Code:
Name
admins-opn-2
Versions
OPNsense 24.7.10_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

root@admins-opn-2:~ # pciconf -l -BbcevV ixl0
ixl0@pci0:1:0:0: class=0x020000 rev=0x02 hdr=0x00 vendor=0x8086 device=0x158b subvendor=0x15d9 subdevice=0x0978
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller XXV710 for 25GbE SFP28'
    class      = network
    subclass   = ethernet
    bar   [10] = type Prefetchable Memory, range 64, base 0xdc000000, size 16777216, enabled
    bar   [1c] = type Prefetchable Memory, range 64, base 0xdd008000, size 32768, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 129 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x1000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(2048) FLR
                 max read 512
                 link x8(x8) speed 8.0(8.0)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 64 supported
                     First VF RID Offset 0x0110, VF RID Stride 0x0001
                     VF Device ID 0x154c
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 0017[1a0] = TPH Requester 1
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                     P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                     P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                     P2P Direct Translated unavailable, Enhanced Capability unavailable
    ecap 0019[1d0] = PCIe Sec 1 lane errors 0xff
  PCI-e errors = Correctable Error Detected
                 Unsupported Request Detected
     Corrected = Advisory Non-Fatal Error
    VPD ident  = 'Supermicro Network Adapter'
    VPD ro PN  = 'AOC-S25G-i2S                    '
    VPD ro V0  = '9.30 0x8000EA8A'
    VPD ro V1  = '2.00  '
    VPD ro SN  = '       '
    VPD ro VA  = '2'
    VPD ro V2  = ''
    VPD ro V3  = ''
    VPD ro V4  = '            '
    VPD ro V5  = '            '
    VPD rw VB  = ''
root@admins-opn-2:~ # pciconf -l -BbcevV ixl1
ixl1@pci0:1:0:1: class=0x020000 rev=0x02 hdr=0x00 vendor=0x8086 device=0x158b subvendor=0x15d9 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller XXV710 for 25GbE SFP28'
    class      = network
    subclass   = ethernet
    bar   [10] = type Prefetchable Memory, range 64, base 0xdb000000, size 16777216, enabled
    bar   [1c] = type Prefetchable Memory, range 64, base 0xdd000000, size 32768, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 129 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x1000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(2048) FLR
                 max read 512
                 link x8(x8) speed 8.0(8.0)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 64 supported
                     First VF RID Offset 0x014f, VF RID Stride 0x0001
                     VF Device ID 0x154c
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 0017[1a0] = TPH Requester 1
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                     P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                     P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                     P2P Direct Translated unavailable, Enhanced Capability unavailable
  PCI-e errors = Correctable Error Detected
                 Unsupported Request Detected
     Corrected = Advisory Non-Fatal Error
    VPD ident  = 'Supermicro Network Adapter'
    VPD ro PN  = 'AOC-S25G-i2S                    '
    VPD ro V0  = '9.30 0x8000EA8A'
    VPD ro V1  = '2.00  '
    VPD ro SN  = '       '
    VPD ro VA  = '2'
    VPD ro V2  = ''
    VPD ro V3  = ''
    VPD ro V4  = '            '
    VPD ro V5  = '            '
    VPD rw VB  = ''
root@admins-opn-2:~ # ifconfig lagg0
lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9214
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether yy:yy:yy:yy:17:ba
hwaddr 00:00:00:00:00:00
laggproto lacp lagghash l2,l3
laggport: ixl0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: ixl1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@admins-opn-2:~ # ifconfig lagg0_vlan52
lagg0_vlan52: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9214
description: WAN (wan)
options=4000000<MEXTPG>
ether yy:yy:yy:yy:17:ba
inet 192.168.1.2 netmask 0xffffffe0 broadcast 192.168.1.31
groups: vlan
vlan: 52 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
media: Ethernet autoselect
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>
root@admins-opn-2:~ # kldstat
Id Refs Address                Size Name
 1   61 0xffffffff80200000  1f63788 kernel
 2    1 0xffffffff82164000     4be0 if_enc.ko
 3    1 0xffffffff82169000    1e2c8 opensolaris.ko
 4    1 0xffffffff82188000    165f0 if_lagg.ko
 5    2 0xffffffff8219f000     3540 if_infiniband.ko
 6    1 0xffffffff821a3000     ea58 if_bridge.ko
 7    2 0xffffffff821b2000     8930 bridgestp.ko
 8    1 0xffffffff821bb000   5cd5e0 zfs.ko
 9    1 0xffffffff82789000    11a18 pfsync.ko
10    3 0xffffffff8279b000    8d578 pf.ko
11    1 0xffffffff82829000     fba8 carp.ko
12    1 0xffffffff82839000     3c10 pflog.ko
13    1 0xffffffff8283d000     aa30 if_gre.ko
14    1 0xffffffff83220000     2110 pchtherm.ko
15    1 0xffffffff83223000     3250 ichsmb.ko
16    1 0xffffffff83227000     2178 smbus.ko
17    1 0xffffffff8322a000     3360 uhid.ko
18    1 0xffffffff8322e000     4364 ums.ko
19    1 0xffffffff83233000     33c0 usbhid.ko
20    1 0xffffffff83237000     3380 hidbus.ko
21    1 0xffffffff8323b000     4850 nullfs.ko
root@admins-opn-2:~ #

iperf3 test result between these 2 servers:
server1:
Code:
root@admins-opn-1:~ # pfctl -d
pfctl: pf not enabled
root@admins-opn-1:~ # iperf3 -c 192.168.1.2
Connecting to host 192.168.1.2, port 5201
[  5] local 192.168.1.1 port 2124 connected to 192.168.1.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.04   sec  0.00 Bytes  0.00 bits/sec    3   8.95 KBytes       
[  5]   1.04-2.05   sec  0.00 Bytes  0.00 bits/sec    2   8.95 KBytes       
[  5]   2.05-3.06   sec  0.00 Bytes  0.00 bits/sec    0   8.95 KBytes       
[  5]   3.06-4.06   sec  0.00 Bytes  0.00 bits/sec    1   8.95 KBytes       
[  5]   4.06-5.00   sec  0.00 Bytes  0.00 bits/sec    0   8.95 KBytes       
[  5]   5.00-6.06   sec  0.00 Bytes  0.00 bits/sec    1   8.95 KBytes       
[  5]   6.06-7.04   sec  0.00 Bytes  0.00 bits/sec    0   8.95 KBytes       
[  5]   7.04-8.04   sec  0.00 Bytes  0.00 bits/sec    0   8.95 KBytes       
[  5]   8.04-9.04   sec  0.00 Bytes  0.00 bits/sec    0   8.95 KBytes       
[  5]   9.04-10.04  sec  0.00 Bytes  0.00 bits/sec    1   8.95 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.04  sec  0.00 Bytes  0.00 bits/sec    8             sender
[  5]   0.00-10.04  sec  0.00 Bytes  0.00 bits/sec                  receiver

iperf Done.
server2:
Code:
root@admins-opn-2:~ # pfctl -d
pfctl: pf not enabled
root@admins-opn-2:~ # iperf3 -s
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from 192.168.1.1, port 17875
[  5] local 192.168.1.2 port 5201 connected to 192.168.1.1 port 2124
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.06   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   1.06-2.06   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   2.06-3.02   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   3.02-4.03   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   4.03-5.05   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   5.05-6.03   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   6.03-7.05   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   7.05-8.04   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   8.04-9.06   sec  0.00 Bytes  0.00 bits/sec                 
[  5]   9.06-10.04  sec  0.00 Bytes  0.00 bits/sec                 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.04  sec  0.00 Bytes  0.00 bits/sec                  receiver
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------

On this hardware under Ubuntu 22.04 LTS (installed on one of the disks) with the same lagg+vlan+IP addresses, iperf3 achieves about 23Gbps without any problems (see the attached screenshots).

Am I doing something wrong?

Tomorrow I will "disassemble" the lags and do a test on the vlan only ports. After that on full access port.

Any help/suggestion will be appreciated.

Regards
Borys
German - Deutsch / Re: Switching from Fritzbox (double NAT) ---> cable modem + OPNsense
« Last post by schnipp on Today at 07:00:42 pm »
I don't quite understand your setup.

  • You have NAT set completely to "manual". Is the correct IPv4 route for the OPNsense entered in the upstream Fritzbox?
  • Checkpoint Mobile has nothing to do with Squid. What do you want to use Squid for?
German - Deutsch / Re: PPPoE bricked by update to 27.7.10?
« Last post by crazy-kermit on Today at 06:42:09 pm »
I also just pulled the update and have no problems with PPPoE via 1und1. Runs as before.
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved