How to fix Bufferbloat with OPNsense firewall

Unfortunately everybody has to deal with Bufferbloat, especially on home internet connections.

Bufferbloat is caused when your gigabit internal network pushes packets to your home router/firewall, which has to deal with a lower speed connection on the other side. A common analogy is an 8-lane freeway that suddenly narrows to a 3-lane highway. To avoid dropping packets (packet loss), network devices use a buffer to “park” them in a queue until the way is clear. This means that during congestion you will most likely see your packets delivered later than expected (high latency).

To avoid this, a fairly new algorithm called CodelQ has been developed. CodelQ manages the packet queue differently from FIFO (First In, First Out) and, together with traffic shaping (so that you never max out your internet bandwidth), can completely resolve Bufferbloat.


Block ads using OPNsense firewall

This post shows how to configure your network firewall to block the ads shown on web pages, so that every device on the network benefits without having to install an ad-blocker on each of them.

Why block ads? Simple: they are annoying, they slow down web page navigation, they can carry malware, and lately they are showing up everywhere since web sites want to make a profit to pay back the costs of running them (servers, power, hosting, etc). I understand that running a website costs money, but when they annoy you with ads posted everywhere and try to bait you into clicking on them, in my opinion it is not a good way to treat users.

This post is based on an OPNsense firewall (it can work on pfSense as well with some adjustments), the Unbound DNS service (with DNS forwarding enabled) and all network clients using the firewall as their DNS server, which is my current network configuration. The technique used to block ads is to configure the DNS service to refuse name resolution queries for the ad companies' domains; this is accomplished by placing a new config file listing all of those domains, acting as a blacklist, in the Unbound directory.

I have found/collected the list of ad domains on the internet and stored everything in my ad-blacklist.conf file (downloadable here).

Here are the steps to enable the configuration:

  1. Enable SSH access to the firewall by checking System -> Settings -> Administration -> Enable Secure Shell
  2. Secure copy (scp) the file to /var/unbound
  3. Add “include: /var/unbound/ad-blacklist.conf” to Services -> Unbound DNS -> General -> Custom options
  4. Save and apply changes
  5. Disable SSH access by un-checking System -> Settings -> Administration -> Enable Secure Shell
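
As an added example (not part of the original post or of the author's ad-blacklist.conf), here is a small POSIX shell helper that turns a plain list of ad domains into the `local-zone: "<domain>" refuse` stanzas Unbound expects in the included file, normalising the list and discarding malformed lines first. It assumes the blacklist uses Unbound's `local-zone ... refuse` form, which is what produces the REFUSED answer described in the test below; the sample domains are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample input: placeholder ad-serving names under the reserved
# .invalid TLD, with a comment, a duplicate, mixed case and a malformed line
# to show what the filter keeps and drops.
SAMPLE_DOMAINS='ads.example.invalid
# comment line
Tracker.Example.Invalid
ads.example.invalid
not a domain
'

# make_blacklist LIST
# Reads a newline-separated domain list and prints one Unbound stanza per
# unique, well-formed domain:  local-zone: "<domain>" refuse
# Steps: strip comments and surrounding whitespace, lowercase, keep only
# syntactically valid hostnames, de-duplicate, then wrap each in a stanza.
make_blacklist() {
    printf '%s\n' "$1" \
    | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' \
    | sort -u \
    | sed 's/.*/local-zone: "&" refuse/'
}

# count_zones LIST  ->  number of stanzas make_blacklist would emit
count_zones() {
    make_blacklist "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the generated stanzas for the sample list.
make_blacklist "$SAMPLE_DOMAINS"
```

Generate the file with `make_blacklist "$(cat domains.txt)" > ad-blacklist.conf` before copying it to /var/unbound: a single malformed line in an included file stops Unbound from starting, which takes DNS down for every client behind the firewall.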

You can test the new configuration by resolving, from a client in your network, one of the domains listed in the file. Let’s use “”:

  1. On a laptop open the terminal and execute nslookup
  2. You should receive the following response: server can’t find REFUSED

Now you will notice many “empty slots” on the websites you view, since all the ads are being blocked.