Topics - joer

#1
General Discussion / OpenVPN and NAT Reflection
November 20, 2018, 11:04:22 AM
Hi all,

Back after dropping OPNsense and going to pfSense due to being unable to fix some VPN and load balancing issues.  The last version of OPNsense I used was 16.7, and it appears most of the issues I experienced before are now fixed.

Hoping to try the traffic shaper later today (pfSense's nonsensical HFSC shaper drove me mad, it simply doesn't work!).  Now using 18.7.

I've cloned most of my pfSense settings including my three OpenVPN servers (two peer to peer and one road warrior) and I'm finding my RW clients won't connect from inside the LAN, where they did on pfSense.  Any ideas?  My thoughts were that it was something to do with NAT Reflection as my clients are configured to connect to the WAN address but I've tried all the options for that and can't get it to work.  Besides, the same options were off on pfSense and it worked out of the box!

I could get around this by using split DNS but I'd have to reconfigure my clients to use the DNS record rather than the IP.

I have the VPN server listening on all interfaces.

Thanks!
#2
16.7 Legacy Series / Sticky Connections Broken
September 27, 2016, 10:10:19 AM
Currently running 16.7.4 - prior to this sticky connections worked fine but now it seems to be broken - users logging in to websites keep getting logged out, which is the behaviour we experienced before turning on sticky connections. To try and get around it, I have a firewall rule for LAN set to route all 443 traffic through WAN1 which works for some websites but not others.
#3
Just tried to add a second client to a peer to peer VPN connection and found that the server can't handle two connections at once, so to get around this added a second server on port 1195.

Problem is a new tab on the firewall rules doesn't appear for the new second OpenVPN interface so can't add any rules; any ideas?

Thanks.
#4
16.7 Legacy Series / Multi Wan and OpenVPN
August 10, 2016, 03:23:17 PM
Hi,

Pretty new to firewalls this advanced and struggling a bit!

Struggling with OpenVPN site-to-site and multi-wan, as follows:

Site A has multi-WAN (two lines load balance and one failover) and static IPs on both WANs. OpenVPN is configured to use WAN1 interface (tun, shared key peer to peer).  LAN is on subnet 10.0.0.0/23, server IP 10.0.0.1 and OPNsense box 10.0.0.2.  OpenVPN virtual adapter 10.1.0.1.

Site B has single WAN with dynamic IP and is running the OpenVPN client.  Connection is up and remains solid. LAN is on subnet 10.0.2.0/23, server IP 10.0.2.1 and OPNsense box 10.0.2.2, OpenVPN virtual adapter 10.1.0.2.

OpenVPN is configured to use 10.1.0.0/24 as the tunnel network.

I have two Windows servers, one at each site.  The one client side works great.  The Site B server can ping the Site A server and replicate as necessary.  A tracert shows correctly, first hop 10.0.2.2, next hop tunnel exit 10.1.0.1 and finally to 10.0.0.1.  I can ping both sides of the tunnel also (10.1.0.1 and 10.1.0.2).

If I try to ping back at Site B from Site A though, I get nothing.  I can't even ping the local end of the tunnel (10.1.0.1).

I'm thinking there's a NAT rule I have to create on Site A's OPNsense to make sure traffic for the 10.0.2.0/23 network goes through the tunnel and not just out into the abyss over the gateway group, but as I said, new to this sort of thing so not sure how to go about it.

EDIT: Definitely some sort of rule needed, pings from 10.0.0.2 to 10.1.0.2 and 10.0.2.1 are successful (using the OPNsense Ping util). Strangely, though, the OPNsense Traceroute doesn't work.  Both the pinger and traceroute utils were set to LAN as the local addresses.

Thanks!
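The post above hinges on which route a packet for 10.0.2.0/23 matches at each hop: a host picks the most specific (longest-prefix) route, so without an entry for the far-side LAN the traffic falls through to the default route and leaves via the gateway group instead of the tunnel. The following is an added illustration written for this page, not code from the post's author or from OPNsense. The routing table is constructed from the addresses in the post and the interface name `ovpns1` is an assumption; the same lookup can be run against any hop's table (the Site A server 10.0.0.1 as well as the firewall) to see where its copy of the 10.0.2.0/23 traffic goes.

```python
import ipaddress

# Constructed routing table for the Site A firewall (10.0.0.2), assembled from
# the post's addresses; it is an assumption, not a dump taken from the box.
# Interface name "ovpns1" is likewise an assumption.
SITE_A_ROUTES = [
    ("10.0.0.0/23", "LAN"),          # local LAN
    ("10.1.0.0/24", "ovpns1"),       # OpenVPN tunnel network
    ("0.0.0.0/0", "WAN_GROUP"),      # default route via the gateway group
]


def next_hop(routes, dst):
    """Longest-prefix match: of all routes containing dst, the most specific wins."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def with_remote_network(routes, remote_net="10.0.2.0/23", iface="ovpns1"):
    """Return a copy of the table with the far-side LAN routed into the tunnel,
    which is what OpenVPN's remote network / route setting installs."""
    return routes + [(remote_net, iface)]


def compare(routes, destinations):
    """For each destination, report the egress interface before and after the
    far-side LAN route exists, so the missing-route case is visible at a glance."""
    fixed = with_remote_network(routes)
    return {dst: (next_hop(routes, dst), next_hop(fixed, dst)) for dst in destinations}


if __name__ == "__main__":
    for dst, (before, after) in compare(SITE_A_ROUTES, ["10.1.0.2", "10.0.2.1"]).items():
        print(f"{dst}: without far-side route -> {before}, with it -> {after}")
```

The tunnel endpoint 10.1.0.2 is reachable either way because 10.1.0.0/24 is always present, which matches the post's observation that both tunnel ends ping; only the Site B LAN depends on the extra route.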
#5
16.7 Legacy Series / [SOLVED] Multi WAN and Failover
August 01, 2016, 04:32:02 PM
Afternoon all,

Sorry if this is a silly question; I haven't been able to find an answer elsewhere.

I've got a lovely MITX rackmount system running 16.7 in our cabinet and have a Multi-WAN setup.

I have a gateway group with two FTTC lines on Tier 1, load balancing brilliantly.  I also have a 4G mobile connection on Tier 2 as a failover, which is also online and pinging constantly.

My question is this:

If one of the Tier 1 lines fails, does the Tier 2 gateway kick in?  Or does it wait for both Tier 1 members to fail?  I'd prefer the latter.

What's the best way to check which lines are being used?

Thanks!