OPNsense Discussions

[xiaofan]

Things I am not going to try -- either I am not interested or my HW is not powerful enough.

But you may be interested and you are welcome to share your experiences.

1) OpenVPN
https://docs.opnsense.org/manual/vpnet.html#openvpn-ssl-vpn

2) IDS/IPS
https://docs.opnsense.org/manual/ips.html

3) Zenarmor
https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html

4) geo-ip blocking
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html


5) Haproxy
https://docs.opnsense.org/development/api/plugins/haproxy.html

 

[xiaofan]

There are also other interesting topics which I may not try.
1) WAF and CrowdSec



2) Multi-WAN and Load Balancing


3) More advanced topic like HA

 

[xiaofan]

Quick updates on simple VLAN settings. I am not using the TP-Link TL-SG108E VLAN capable switch yet, but rather I am using Huawei AX3 Quad Core global version running as a VLAN capable AP to carry out simple testing.

OPNsense LAN: 192.168.48.1
OPNsense LAN2: 192.168.100.1
OPNsense VLAN150 on LAN2: 192.168.150.1
OPNsense VLAN250 on LAN2: 192.168.250.1

Test results are as expected.
AX3 Quad -- LAN -- 192.168.48.x address for the wireless clients
AX3 Quad -- LAN2 -- 192.168.100.x address for the wireless clients
AX3 Quad -- LAN2 and setup VLAN ID as 150 -- 192.168.150.x address for the wireless clients
AX3 Quad -- LAN2 and setup VLAN ID as 250 -- 192.168.250.x address for the wireless clients

When I got time I will use Linksys EA7500 v2 running OpenWRT as the VLAN capable switch/AP to carry out more testing on VLAN.

 

[XiaoFu99]

Anybody got a working settings for plex to cover both intranet and internet?

My current config using 4x ports mini PC based on N100 (running OPNsense) as follow:
etho -> WAN
eth1 -> LAN1 -> TP-link unmanaged switch
eth2 -> LAN2 -> Asus wireless access point
eth3 -> LAN3 -> Nvidia shield TV pro

LAN1 / LAN2 / LAN3 -> All bridge up with IP set as 192.168.10.1 (gateway)
DHCP range: 192.168.10.50 - 192.168.10.199
IPv6 - disable
Internet working @ all LAN ports.

LAN1 -> TP-link switch (unmanaged) -> QNAP NAS with Plex server @ 192.168.10.55
-> Desktop @ 192.168.10.50

Desktop able to ping both NAS (192.168.10.55) and router (192.168.10.1). Desktop able to access NAS dashboard and etc. However, none of the ports can access plex @ intranet.

Google for solutions but doesn't seems to work for me:
- create a port forward @ port 32400 (enable NAT reflection) and redirect target to 192.168.10.55
- OpnSense > Services > Unbound DNS > Blocklist > Private Domains > plex.direct
- System > Settings > Administration (added plex.direct @ Alternative Hostnames)

Thanks

 

[xiaofan]

Anybody got a working settings for plex to cover both intranet and internet?

My current config using 4x ports mini PC based on N100 (running OPNsense) as follow:
etho -> WAN
eth1 -> LAN1 -> TP-link unmanaged switch
eth2 -> LAN2 -> Asus wireless access point
eth3 -> LAN3 -> Nvidia shield TV pro

LAN1 / LAN2 / LAN3 -> All bridge up with IP set as 192.168.10.1 (gateway)
DHCP range: 192.168.10.50 - 192.168.10.199
IPv6 - disable
Internet working @ all LAN ports.

LAN1 -> TP-link switch (unmanaged) -> QNAP NAS with Plex server @ 192.168.10.55
-> Desktop @ 192.168.10.50

Desktop able to ping both NAS (192.168.10.55) and router (192.168.10.1). Desktop able to access NAS dashboard and etc. However, none of the ports can access plex @ intranet.

Google for solutions but doesn't seems to work for me:
- create a port forward @ port 32400 (enable NAT reflection) and redirect target to 192.168.10.55
- OpnSense > Services > Unbound DNS > Blocklist > Private Domains > plex.direct
- System > Settings > Administration (added plex.direct @ Alternative Hostnames)

Thanks

So remote access is working but not local access for the Plex server. This could well be that your client is not directly talking the plex server through LAN, but somehow goes to the internet and then comes back. Maybe you can try traceroute command to plex.direct to see if that is the case.

By right if it is going through intranet then there should be no issues with local access.

Google mentioned another possibility. Are you using Secure Server connection and do you have some firewall rules to have DNS rebind protection?
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

 

[gpgtmeowmeow]

After that, I may want to try out VLAN. I played a bit with VALN last time with pfSense using the cheap TP-Link TL-SG108E but I did not go deep as I did not have the real needs at that time. I still do not have the real needs as of now. So this will probably just an experiment.



Using OPNsense + Unifi with VLAN

Have a OPNsense + unifi switch and AP with VLAN setup. Fairly straightforward.

The better way would be OPNsense + any managed switch + openWRT as AP (pick a wifi6 device) if you are up for it. It will let you save your wallet and get excellent speed.

 

[xiaofan]

Have a OPNsense + unifi switch and AP with VLAN setup. Fairly straightforward.

The better way would be OPNsense + any managed switch + openWRT as AP (pick a wifi6 device) if you are up for it. It will let you save your wallet and get excellent speed.

Yes that is indeed the plan for the experiment.

OPNsense + TP-Link TL-SG108E + OpenWRT based AP. I will use my two old OpenWRT wireless router for the experiment (Linksys EA7500 v2 and Linksys WRT1900AC).

Other APs I may use for experiment:
1) Huawei AX3 Quad Core global version (used now)
2) Asus RT-AX82U
3) MikroTik hAP ac²

I am actually rotating through three router operating systems (pfSense, OPNsense and OpenWRT), running as VM under PVE7.4, using an Intel J4105 CPU based mini PC with 4 Intel I210 NICs. It is not so powerful but just nice for my experiments. I may try a bit of IPFire as well as it is Linux based and is quite a bit different from OpenWRT. It is not as powerful as pfSense/OPNsense though.

Newer Intel N100 based mini PCs with 4 x Intel I226 2.5Gbps NICs are pretty nice and not that expensive. But I guess I do not feel the need to upgrade as of now.

I do not have any plans to buy any more WiFi 6 APs since I already have three (RT-AX86U, RT-AX82U and Huawei AX3 Quad Core global version).

BTW, I have two independant home networks. RT-AX86U is used for one network. Then I can experient with different router OS on the other network.

 

[xiaofan]

I am not so sure if @bert64 can help here for IPv6 related issue.

Edit on 2-Sept-2023: this turns out to be a long-standing OPNsense issue.
https://github.com/opnsense/core/issues/3903
Running route add -inet6 default -interface wan_stf in shell fixed the issue for me, at least from the router itself I can get IPv6 working now.

On the LAN side, that is another story. I have never been able to get the LAN side working with Wireless APs with OpenWRT/pfSense and now OPNsense.

Here is the update -- I got the LAN side working as well after I got it working under pfSense. You can see that the settings are pretty much the same.
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-79#post-149166591
WAN 6rd setting

LAN settings

Router Advertisement Settings

 

[TheCoolDude89]

Have a OPNsense + unifi switch and AP with VLAN setup. Fairly straightforward.

The better way would be OPNsense + any managed switch + openWRT as AP (pick a wifi6 device) if you are up for it. It will let you save your wallet and get excellent speed.

Why is openWRT as a AP better in speed compare to Unifi switch and AP combo?

 

[xiaofan]

Why is openWRT as a AP better in speed compare to Unifi switch and AP combo?

I think it is more about cost than performance.

It seems to me Unifi Switches and Unifi APs are pretty popular to go with pfSense/OPNsense for power users (they may not want to use Unifi router/firewall like UDM Pro or UDM SE).

I am not prepared to go with the Unifi stuff myself since I have enough consumer grade APs to use with pfSense/OPNsense (now using Huawei AX3 Quad Core version, but I have a spare Asus RT-AX82U which is even better). Then I have quite some other older AC wireless routers which can also be used for experiment, including two capable of running OpenWRT (Linksys EA7500v2 and Linksys WRT1900AC v1, WRT1900AC v1 was my main router from April 2014 to Sept 2020).

 

[xiaofan]

Quick updates on simple VLAN settings. I am not using the TP-Link TL-SG108E VLAN capable switch yet, but rather I am using Huawei AX3 Quad Core global version running as a VLAN capable AP to carry out simple testing.

OPNsense LAN: 192.168.48.1
OPNsense LAN2: 192.168.100.1
OPNsense VLAN150 on LAN2: 192.168.150.1
OPNsense VLAN250 on LAN2: 192.168.250.1

Test results are as expected.
AX3 Quad -- LAN -- 192.168.48.x address for the wireless clients
AX3 Quad -- LAN2 -- 192.168.100.x address for the wireless clients
AX3 Quad -- LAN2 and setup VLAN ID as 150 -- 192.168.150.x address for the wireless clients
AX3 Quad -- LAN2 and setup VLAN ID as 250 -- 192.168.250.x address for the wireless clients

When I got time I will use Linksys EA7500 v2 running OpenWRT as the VLAN capable switch/AP to carry out more testing on VLAN.

My first experiment with TP-Link TL-SG108E is a failure.

I connect Port 1 (trunk port) of TL-SG108E to OPNSense LAN2.

Then I connect Huawei AX3 Quad Core AP (no VLAN settings) to Port 2 of the TL-SG108E and expect I can get 192.168.150.x IPv4 address from OPNsense.

Unfortunately I still get 192.168.100.x, as though the VLAN ID 150 does not exist. Strange.

Edit 1 minute after the post: I forgot to set up PVID. Now it is working.

AX3 Quad Core version to TL-SG108E Port 2/3 --> 192.168.150.x
AX3 Quad Core version to TL-SG108E Port 4/5 --> 192.168.250.x
AX3 Quad Core version to TL-SG108E Port 6/7 --> 192.168.100.x

 

[xiaofan]

So far so good, but I have not done much other than the above.

 

[XiaoFu99]

Just an update:

For bridge interface, each interface unable to ping each other:

I missed the section whereby some settings @ Tunables need to be change from default settings (step #6):
https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Need to add an additional firewall rule to enable each interface to talk to each other:


Unable to access plex @ LAN, need to insert "plex.direct" @ private domain section


Hope that helps in whoever in trying to do the same thing.

Next in plan (if time permit) to investigate accessing plex from external using UpnP without touching port forwarding.

Anybody got a working settings for plex to cover both intranet and internet?

My current config using 4x ports mini PC based on N100 (running OPNsense) as follow:
etho -> WAN
eth1 -> LAN1 -> TP-link unmanaged switch
eth2 -> LAN2 -> Asus wireless access point
eth3 -> LAN3 -> Nvidia shield TV pro

LAN1 / LAN2 / LAN3 -> All bridge up with IP set as 192.168.10.1 (gateway)
DHCP range: 192.168.10.50 - 192.168.10.199
IPv6 - disable
Internet working @ all LAN ports.

LAN1 -> TP-link switch (unmanaged) -> QNAP NAS with Plex server @ 192.168.10.55
-> Desktop @ 192.168.10.50

Desktop able to ping both NAS (192.168.10.55) and router (192.168.10.1). Desktop able to access NAS dashboard and etc. However, none of the ports can access plex @ intranet.

Google for solutions but doesn't seems to work for me:
- create a port forward @ port 32400 (enable NAT reflection) and redirect target to 192.168.10.55
- OpnSense > Services > Unbound DNS > Blocklist > Private Domains > plex.direct
- System > Settings > Administration (added plex.direct @ Alternative Hostnames)

Thanks

 

[XiaoFu99]

Just an update on UPnP (with Plex in mind):

Somehow, the documentation for that is rather scarce and just gotten some better idea about "MiniUPnPd". Although the below link for pfSense, but it's applicable to OPNSense as well.
https://docs.netgate.com/pfsense/en/latest/services/upnp.html

OPNSense - you need to manually install the UpnP plugin but it seems to be build in for pfSense.

Configuration after install UPnP:

Nothing much special:

Check the boxes for the following:

Enable
Allow UPnP Port Mapping
Allow NAT-PMP Port Mapping

External interface - select WAN
Interface -> Bridge_123 // basically I have bridge 3 LAN ethernet ports

Click "Save" and that's it.

Tested accessing my Plex server externally and viola, it works without any special rules @ firewall to it.

Hope it helps whoever aiming to do the same.

Just an update:

For bridge interface, each interface unable to ping each other:

I missed the section whereby some settings @ Tunables need to be change from default settings (step #6):
https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Need to add an additional firewall rule to enable each interface to talk to each other:


Unable to access plex @ LAN, need to insert "plex.direct" @ private domain section


Hope that helps in whoever in trying to do the same thing.

Next in plan (if time permit) to investigate accessing plex from external using UpnP without touching port forwarding.

 

[xiaofan]

OPNsense introdcution video with Ubiquiti Unifi Switch and AP, with VLAN and Firewall rules.


His previous video using pfSense and Unifi.

 

[xiaofan]

OPNsense VM on Intel N100 mini-PC running Proxmox Virtual Environment 8.0, allocated 2 cores and 6GB RAM.

With the basic ZenArmor installation. CPU usage is sometimes high. Maybe I need to allocate more cores to it.

System Information​

Name	OPNsense.localdomain
Versions	OPNsense 23.7.7_3-amd64 FreeBSD 13.2-RELEASE-p3 OpenSSL 1.1.1w 11 Sep 2023
Updates
CPU type	QEMU Virtual CPU version 2.5+ (2 cores, 2 threads)
CPU usage
Load average	0.32, 0.39, 0.39
Uptime	11:22:37
Current date/time	Sun Oct 29 8:56:15 +08 2023
Last config change	Sun Oct 29 8:54:07 +08 2023
CPU usage	0 %
State table size	0 % ( 318/610000 )
MBUF usage	0 % ( 1524/378729 )
Memory usage	54 % ( 3323/6100 MB ) { ARC size 1486 MB }
SWAP usage

 

[xiaofan]

I deiced to increase the core to 3 and memory to 8GB (my N100 mini PC has 16GB memory).

System Information​

Name	OPNsense.localdomain
Versions	OPNsense 23.7.7_3-amd64 FreeBSD 13.2-RELEASE-p3 OpenSSL 1.1.1w 11 Sep 2023
Updates	Click to check for updates.
CPU type	QEMU Virtual CPU version 2.5+ (3 cores, 3 threads)
CPU usage
Load average	0.13, 0.21, 0.13
Uptime	00:09:31
Current date/time	Sun Oct 29 15:06:50 +08 2023
Last config change	Sun Oct 29 15:06:04 +08 2023
CPU usage	2 %
State table size	0 % ( 307/814000 )
MBUF usage	0 % ( 1016/506459 )
Memory usage	19 % ( 1627/8148 MB ) { ARC size 282 MB }
SWAP usage	0 % ( 0/8192 MB )

 

[xiaofan]

DNS Blocklist and DNS Over TLS settings.

DNS Leak Test Results:
https://www.dnsleaktest.com/

Ad Blocking Test results: same as what I can get using Pi-hole or Adguard Home.
https://d3ward.github.io/toolz/adblock.html

 

[xiaofan]

Proxmox 8.0 and OPNsense 23.7.3_3 with N100 mini PC (two Intel I226-V NICs).
NAT routing speed test.

iperf3 test server -- on the WAN side, using the PVE 8.0 host itself
iperf3 test client -- on the LAN side, Acer Swift 3 2021 model with external Ugreen USB 3.0 to 2.5G adapter

Download -- 2.14 Gbits/sec single stream, 2.32 Gbits/sec quad-stream
Upload --> 1.77 Gbits/sec single stream, 2.00 Gbits/sec quad-stream

Apparently FreeBSD 13.2-Release used in OPNSense 23.7.3 is not as good as FreeBSD 14.0-Current used in pfSense CE 2.7.

More details and comparisons with OpenWRT 23.05 VM and pfSense CE 2.7 VM:
https://forums.hardwarezone.com.sg/...0-12th-gen-alder-lake.6958302/#post-150011900

 

[hwzlite]

While I endeavor into proxmox/openwrt , happened to come across this optimization rant on abysmal stock performance on OPNsense, happy tweaking

https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet :

With all of the above changes, I achieved my desired performance with OPNsense, running in a KVM virtual machine on Proxmox.

I’d imagine that these same concepts would apply well to any FreeBSD based router solution, such as PFsense, and some could even apply to other FreeBSD based solutions common in homelab environments, such as FreeNAS. However, it appears in my research that OPNsense is unique limited in its performance (more limited than stock FreeBSD 13). So, your mileage may vary.

The above is not intended to be a comprehensive guide, I write it both for my future reference, and with the hopes that some of the many folks who seem to be out there having these same performance issues, and being forced to stumble around in the dark looking for answers like I was, might try the settings in my guide and achieve the same great outcome.