Topic: Latency issues (Read 2946 times)
halcyon (Newbie, Posts: 7, Karma: 0)
Latency issues « on: November 16, 2019, 07:53:05 pm »
Not understanding what is going on with this thing.
I'm running an HP 8200 Elite. This thing is a powerhouse for what it's getting used for. i5-2400 @ 3.10ghz 4 cores with 16gb of ram. The only shortfall is that it's presently using a spindle drive, but swap usage is at 0, so that can't be a bottleneck here?
This is a fairly fresh installation, and I'm noticing a few concerns. When I moved from the old 5520ASA to OPNSense, the difference was almost immediate. Webpages began to sit for several seconds before loading, load times were significantly slower.
Beyond that, there's an issue with trunking two vlans across one link. It doesn't seem to want to work. (this was attempted because of apparent latency)
« Last Edit: November 16, 2019, 09:01:54 pm by halcyon »
Sirius1 (Newbie, Posts: 20, Karma: 1)
Re: Latency issues « Reply #1 on: November 16, 2019, 11:22:03 pm »
The HP is likely not your issue. You don't list any kind of specifics, so it's hard to tell, though, what kind of capacity you are trying to support.
Yes, VLANs can most certainly be trunked. I have 8 internal VLANs trunked over a single gig link from an HP dual-port card as the 'inside' of OPNSense.
Seeing your other post, you appear to be going to a Cisco switch. My setup is like this and no problems:
                  [Intel gig dual port]
NetGear Modem >>> | OPNsense WAN      |
                  | ----------------- |
                  | OPNsense 'inside' | >>> 8 VLANs >>>> Cisco 2960
All 'inside' traffic VLANs are trunked across to the Catalyst. I found that this worked best:
- Define all the 'internal' segments as VLANs on OPNsense, so they are all 'tagged'.
- Define all your VLANs on Catalyst.
- On the Catalyst, also define an unused VLAN: I called mine GhostVLAN (VLAN2). Then on your Cisco trunk port, set that as the 'native VLAN'. This will keep all your VLANs tagged, so you don't have to worry about tagged and untagged traffic.
- Define your access ports as needed on the Catalyst.
This should work no problem.
« Last Edit: November 16, 2019, 11:54:43 pm by Sirius1 »
halcyon (Newbie, Posts: 7, Karma: 0)
Re: Latency issues « Reply #2 on: November 17, 2019, 12:53:57 am »
Initially what I ran into was that I could not get traffic to function without a bridge between the vlan and the lan port. I don't know if that's 'standard fare' for these or not. The ASA had to have no bridges, and it just worked once I had things in place. Yet, the bridge does not even look to be active (it does not show up in interface list)
3750:
gig 1/0/1-1/0/12 VLAN 10
gig 1/0/13-1/0/24 VLAN20
gig 1/0/25-36 Testing
--1/0/33 NAS that flaps at vlan10 when the port is on (weee)
gig 1/0/37-51 Future
gig 1/0/52 - Trunk to OPNSense vlan 10 only at the moment, since it broke when I tried to get vlan 20 up.
ip default gateway 172.20.10.254
OPNS Interfaces:
IGB0 - WAN -->Motorola Modem
IGB1 - LAN [IGB1to3750]
+vlan 10 on igb1 (172.20.10.254/24)
em0 - Management (192.168.1.254/24)
Firewall rules:
WAN: No rules- autogenerated only
Vlan10: pass any + autogenerate
IGB1 - LAN - any
NAT - Port Forward, autogenerated 80,443
- Automatic outbound
Services: DHCPv4
vlan10 dhcp enabled
management port dhcp enabled
Also... latency dropped after I unplugged a dummy switch off of one of the drops. There was only one thing there, the switch wasn't needed there. At least not at the moment.
bpduguard was up. Maybe I'm not understanding what bpduguard is for.
Sirius1 (Newbie, Posts: 20, Karma: 1)
Re: Latency issues « Reply #3 on: November 17, 2019, 02:12:10 am »
What is the config on the trunk port 1/0/52?
For OPNS, under Interfaces > Assignments: Does your LAN show as 'vlan 10 on xxN' (being the VLAN subinterface on the physical interface)? Or does your LAN show directly as being 'xxN' (physical interface)? Or do you have both entries?
Then it should be showing as 'vlan 20 on xxN' for whatever your 2nd VLAN is.
From what I think I'm seeing is that you have both a LAN, and 'vlan10' (or your 'LAN') being defined. Essentially that looks like 2 'LANs' configured. Then you also have 2 sets of Firewall rules, one for Vlan10, and one for LAN (or what you are calling IGB1).
For my setup, under Interfaces > Assignments, I have
WAN is 'em1'
LAN is 'vlan 111 on em0'
IOT is 'vlan 222 on em0'
WiFi is 'vlan 333 on em0'
etc
On Cisco:
GhostVLAN 2 set as 'native vlan 2' on my trunk interface. No VLAN restrictions (ie. allowed VLANs) on the trunk
Define VLANs, 111, 222, 333, etc
Configure access switchports for VLANs 111, 222, etc
bpduguard does affect (block) additional MACs that may be on that connected port. That means devices connected to a switch uplinked to a Cisco port with bpduguard enabled will not work. This may or may not have been having an effect on your traffic issue.
halcyon (Newbie, Posts: 7, Karma: 0)
Re: Latency issues « Reply #4 on: November 17, 2019, 06:29:40 pm »
https://imgur.com/a/ROiIrKv
I think I see where I botched it.
So now I have IGB1to3750
Vlan10on3750p52 (assigned to igb1)
Vlan20on3750p52 (assigned to igb1)
Bridge IGB1to3750,Vlan10on3750p52
--Problem here. I don't know if I even need this. If I attach Vlan20on3750p2 to the Bridge, my connection (on vlan10) drops. Do I even need a bridge for vlan10?
Firewall rules for Vlan10 & 20 are autogenerated + pass any any. Not sure if this is smart, but the wan link is what blocks everything.
Sirius1 (Newbie, Posts: 20, Karma: 1)
Re: Latency issues « Reply #5 on: November 17, 2019, 06:51:42 pm »
Good. Think you are getting closer then.
You do not need the bridge. At least I never have configured one.
Are VLAN10 and VLAN 20 trunked on the same physical connection, or different ports of your 4-port card? Looking at your image, vlan10 shows on igb1 and vlan20 shows on igb2. I'd expect to see both of them on the same interface: igb1. Confirm this on your Interfaces > Assignments page.
Looking at my 'Interfaces' page as you snipped, all my VLANs are on the same interface: em0 in my case.
Re: firewall rules, it's been a while since my initial setup, but I think other than the auto-generated DHCP rules, that no other traffic is allowed. You'll need to start with an allow 'any' for each vlan network as you may have done. I later created explicit rules for 80, 443, etc, but keep the generic 'allow all' rule in the list, but disabled, in case I need to use it.
Logged
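A consistency check for the layout discussed in this thread, added here as an example and not part of any poster's message or of OPNsense: it flags VLANs assigned to the wrong parent interface, VLANs missing on the switch, an untagged assignment on the trunk parent, and a native VLAN that carries traffic. The switch excerpt, the assignment table and the `audit` function are constructed for illustration, and the check assumes a single trunk between the firewall and the switch.

```python
import re

# Constructed samples (not from the thread): a Cisco IOS excerpt and the
# OPNsense Interfaces > Assignments table as {name: device}.
SWITCH = """\
vlan 2
 name GhostVLAN
vlan 10
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/52
 switchport trunk native vlan 2
 switchport mode trunk
"""
ASSIGNED = {"WAN": "igb0", "LAN": "igb1",
            "VLAN10": "vlan 10 on igb1", "VLAN20": "vlan 20 on igb2"}

def audit(switch_cfg, assigned, trunk_port, parent):
    """Return a list of findings for one firewall-to-switch trunk (hypothetical helper)."""
    defined = {int(v) for v in re.findall(r"^vlan (\d+)$", switch_cfg, re.M)}
    access = {int(v) for v in
              re.findall(r"^ switchport access vlan (\d+)$", switch_cfg, re.M)}
    # Isolate the trunk port's stanza: the indented lines that follow its header.
    m = re.search(rf"^interface {re.escape(trunk_port)}\n((?: .*\n?)*)",
                  switch_cfg, re.M)
    stanza = m.group(1) if m else ""
    nat = re.search(r"switchport trunk native vlan (\d+)", stanza)
    native = int(nat.group(1)) if nat else 1   # IOS default native VLAN is 1
    findings, tagged = [], {}
    for name, dev in assigned.items():
        t = re.fullmatch(r"vlan (\d+) on (\w+)", dev)
        if t:
            tagged[int(t.group(1))] = (name, t.group(2))
        elif dev == parent:
            findings.append(f"{name}: untagged assignment on trunk parent {parent}")
    for vid, (name, dev) in sorted(tagged.items()):
        if dev != parent:
            findings.append(f"{name}: VLAN {vid} is on {dev}, expected {parent}")
        if vid not in defined:
            findings.append(f"{name}: VLAN {vid} is not defined on the switch")
    if native in access or native in tagged:
        findings.append(f"native VLAN {native} carries traffic, use an unused VLAN")
    return findings

if __name__ == "__main__":
    for f in audit(SWITCH, ASSIGNED, "GigabitEthernet1/0/52", "igb1"):
        print(f)
```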
halcyon (Newbie, Posts: 7, Karma: 0)
Re: Latency issues « Reply #6 on: November 20, 2019, 02:43:45 am »
They're both set to igb1 now. There was something missing that was not allowing me to add vlan20 to igb1 initially. Can't recall exactly what it was at the moment.
Since I have an issue with an unmanaged switch, I've ordered a small 8-port managed Cisco to replace the unmanaged one so I can trunk instead. That should solve the other issues I was dealing with.