meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
sw:opnsense:issues [2019/04/02 12:22] โ€“ created niziaksw:opnsense:issues [2025/08/20 12:12] (current) โ€“ niziak
Line 1: Line 1:
 +====== OPNSense issues ======
 +
 +===== WAN bandwidth limited =====
 +
 +4 port ''Intel(R) PRO/1000 Network Connection''
 +
 +  * last post in: [[https://forum.opnsense.org/index.php?topic=17277.0|[Help] troubleshooting high latency issues]]
 +  * [[https://forum.opnsense.org/index.php?topic=39763.0|Bandwidth cut in half when traversing system but direct bandwidth test is fine]]
 +  * [[]]
 +https://forum.opnsense.org/index.php?topic=15019.0
 +
 +https://forum.opnsense.org/index.php?topic=9693.0
 +
 +[[https://forum.opnsense.org/index.php?topic=6590.0|Performance tuning for IPS maximum performance]]
 +
 +
 +===== flowd =====
 +flowd.log is 5GB.
 +flowd_aggregate.py died (Insight Aggregator service).
 +Workaround is to use monit:
 +
 +{{:sw:opnsense:pasted:20200513-140645.png}}
 +
 +===== Multiwan =====
 +
 +==== multiwan: when primary WAN fails, local connectivity stops ====
 +Primary WAN fails:
 +  - Local (from OPNSense host) DNS doesn't work
 +  - local connectivity also doesn't work ``No route to host``
 +  - internet for LAN users works (switched to WAN2)
 +  - one LAN device cannot connect to 8.8.8.8 DNS server, because this request is still forwarded to WAN1
 +
 +SOLUTION ?
 +PROPOSALS: 
 +  - Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED  <โ€“ uncheck this
 +
 +
 +==== multiwan: port reflection not working ====
 +**Scenario:**
 +  * Not possible to connect to port-forwarded service using WAN IP
 +**Problem 1**
 +  * Problem caused by Policy based routing with Multi WAN setup:
 +    * Firewall-->Rules-->LAN, when all LAN traffic has gateway set. LAN to LAN traffic should use default gateway.
 +**Solution 1**
 +  * Add rule before default gateway rule: LAN net --> LAN net to use Gateway default
 +
 +**Problem 2**
 +  * When interface group is used as interface in **Firewall --> NAT --> Port Forward**, reply-to rules are not generated.
 +**Solution 2**
 +  * Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface
 +
 +==== multiwan: port forwards ====
 +
 +**Scenario:**
 +  * Interface group WAN created, to group to WAN1 and WAN2 interfaces.
 +  * Prot forward defined from WAN to WAN:NETWORK TCP/UDP port 2196. to host 192.168.0.231:2196.
 +**Problem:**
 +  * Connection from world to WAN1 IP port 2196 works.
 +  * Connection from world to WAN2 IP prot 2196 doesn't work. It is correctly forwarded to LAN host, but response is sent using wrong WAN1 interface (src IP is WAN2 IP).
 +**Solution **
 +  * Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface
 +
 +
 +===== multi wan: lan gw was chosen ====
 +If gateway switching is used, it is needed to set all not WAN gateways as forced down.
 +
 +System --> Settings --> General --> Allow default gateway switching 
 +  If the link where the default gateway resides fails switch the default gateway to another available one. When using default gateway switching use any available gateway or select a specific gateway group below. 
 +
 +System --> Gateways --> Single --> ... --> Mark Gateway as Down
 +
 ====== static route from LAN to LAN not working ====== ====== static route from LAN to LAN not working ======
 Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected) Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected)
  
 +<code bash>
 cat /tmp/rules.debug cat /tmp/rules.debug
 +pass out route-to ( bge0 192.168.0.242 ) from {bge0} to {!(bge0:network)} keep state allow-opts label "let out anything from firewall host itself"
 +pass out route-to ( em1 85.222.100.29 ) from {em1} to {!(em1:network)} keep state allow-opts label "let out anything from firewall host itself"
 +pass out route-to ( em0 95.143.241.141 ) from {em0} to {!(em0:network)} keep state allow-opts label "let out anything from firewall host itself"
 +</code>
 +There are two additional gateways in LAN (bge0) (for OpenVPN remote networks): 192.168.0.231 and 192.168.0.242. From unknown reason OPNSense choose 192.168.0.242 as gateway for non LAN traffic.
 +This firewall rule overrides correct static routing:
 +<code bash>
 +netstat -nr
 +192.168.251.235/32 192.168.0.231      UGS        bge0
 +</code>
 +As workaround, firewall rule is needed to force output gateway.
 +
 +===== correct workaround =====
 +
 +Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.)
 +
 +
 +====== cannot reach another VLAN from VPN ======
 +
 +Check for asymetric routing. Firewall cannot track one way packet flow so packets are blocke by default rule.
 +Solution is to add pass rule without connection tracking enabled (tracking ''none'').
 +
 +
 +
 +