Messages - neek

#16
Thanks. I realized I created that interface for VPN when I was trying to look at the live firewall log and wanted to watch all traffic on the interface. I deleted it and still don't seem to be able to reach the intranet, though the VPN seems intact.
#17
Bumping this in the hope that anyone has ideas?
#18
I'm a relatively new convert from pfSense to opnsense. I've been happy with it, but I'm still unsure how to get my firewall rules configured correctly.

First, when I navigate to Firewall -> Rules, I have a ruleset for "OPENVPN" and a second ruleset for "OpenVPN". Is this correct? The all-caps one is from the Interface that I created that maps to "ovpns1". I'm unsure what the ruleset for "OpenVPN" came from, nor how/if to delete it.

Both of these rule sets are empty, except for some default rules on the OPENVPN for blocking bogon networks. When I connect to the VPN, I find that I can't even connect to the VPN's gateway (192.168.x.1) to get to opnsense. It feels like it's a firewall block, since the telnet command hangs.

Is there some obvious thing I'm missing? Thanks much.

I've put a few screenshots showing the interfaces, the VPN rules, and the firewall logs, at this link. https://imgur.com/a/98vZ7nX

EDIT: I figured out what's wrong. I needed to set up the VPN server to listen on Interface "WAN" instead of Interface "any".
#19
Thanks, this sounds exactly like what I need to do.

Would you be willing to share a screenshot or detail of the floating firewall rule?


Quote from: zz00mm on February 28, 2022, 08:23:53 PM
I did something of this sort with Unbound and AdGuardHome. I kept Unbound on 9 of my VLANs plus localhost (10.0 thru 10.8, and localhost). The 10th VLAN (which is streaming TV, i.e. Roku and Apple) has AdGuard listening on port 53 and forwarding to localhost:53 for upstream. I did this lazy approach so I could see what the streaming TVs are doing. Also did an outbound NAT port 53 into localhost:53 to stop the Roku going to 8.8.8.8. Next step is looking at ZenArmor to stop DoT & DoH from getting out, as I see my iPhone when on Wifi goes to some dns-apple.com site, it looks like, for resolution. So far it's working well. The only gotcha: I had to modify my floating rule to reverse/ignore via an alias my domain/dns to allow them outside access (no blocking of any kind) as backup/testing of name resolution.
#20
Hi, I'm trying to set up AdGuard Home for my home network, but I have to leave one subnet untouched by AdGuard.

Is the right way to do this to do a few port forwarding rules so that the networks I want protected redirect to AdGuard's DNS port, and the other nets point to Unbound directly? It looks like AdGuard Home has support for mapping individual clients, but I'd prefer to do this with rules of the form:

192.168.1.0/24 --> AdGuard DNS --> Unbound DNS forward
192.168.41.0/24 --> Unbound DNS directly

(I configure the "Unbound DNS forward" as a fallback DNS server in AdGuard Home.)

I'm running AdGuard Home via the os-adguardhome-maxit community plugin, btw.

Thanks.
#21
Thank you! Yes, for some reason I only had the Firewall Advanced setting for "Reflection for port forwards" set; the other two were not. Turning those on and reloading the firewall seems to have done the trick, even after I deleted the overrides in Unbound. Thanks very much!

Quote from: thefunkygibbon on February 27, 2022, 11:31:05 PM
Yeah, I tried to use DNS but kept getting issues with it getting confused and not working for a while, etc.

Just make sure you have all three NAT settings ticked in Firewall: Settings: Advanced

and create a NAT port forwarding rule for what you want. Make sure NAT reflection is ticked in the rule, and auto-create a filter rule too.
If you've done it right you'll see the rule in the Firewall: Rules: Floating bit.
Make sure it's at the top of the rules.

That's what I've got and it now worked. Hopefully it does for you.
#23
Thank you to @Koldnitz. I added DNS overrides to make this work, at least for now. I'd still prefer to solve this via the firewall rules so I don't need to explicitly add each host to Unbound (a wildcard won't work for what I need since I direct some entries to external services in the cloud). But for now, I'm at least able to get this working.

Quote from: Koldnitz on February 27, 2022, 06:15:06 PM
https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/

The part in the above link about split DNS might be useful to you.

It seems he did something similar to what you are doing.

Cheers,
#24
Thanks, yes, I'm sure it's that I don't have port reflection. I've turned it on but I'm not seeing anything different, and the behavior is the same that I can't access those external services from within my network (on a VLAN running atop LAN, if that matters).

Do I need to recreate all of my rules? I tried with HTTPS and I still don't see where a rule is created to remap the external -> internal address.

thanks!
#25
PROBLEM SOLVED.

I found that the plugin "os-mdns-repeater" was absolutely bombarding my syslog with errors of the form:

<27>1 2022-02-25T23:59:48-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55384"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55385"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55386"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55387"] send(): Network is down
I had enabled a physical interface that I wasn't actively using as one of the repeated mdns networks, and that seemed to make the plugin very grumpy and noisy. I disabled that interface and now all is well.

While I get that this is a plugin, it shouldn't be so extremely chatty. syslog-ng nearly killed the router.

In nearly all cases, my CPU utilization is now down at roughly 1%, which is what I'd have hoped for.
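As an added example (not code from this thread or from the plugin), a small Python parser for syslog lines in the shape quoted above that groups identical messages per process and flags the ones repeating within a short window, which is the kind of check that surfaces a flood like the mdns-repeater one before it swamps syslog-ng; the unbound line and the sequence ids in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same RFC 5424 layout as the mdns-repeater lines
# quoted above; the unbound line and the sequence ids are made up for the demo.
SAMPLE_LOG = """\
<27>1 2022-02-25T23:59:48-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55384"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55385"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55386"] send(): Network is down
<27>1 2022-02-25T23:59:51-08:00 opnsense.lan mdns-repeater 43304 - [meta sequenceId="55387"] send(): Network is down
<30>1 2022-02-25T23:59:52-08:00 opnsense.lan unbound 1234 - [meta sequenceId="55388"] info: start of service
"""

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [meta sequenceId="N"] MESSAGE
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) '
    r'\[meta sequenceId="(?P<seq>\d+)"\] (?P<msg>.*)$'
)

def parse_line(line):
    """Return a dict for one syslog line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity, so <27> is daemon.err
    return {"facility": pri // 8, "severity": pri % 8,
            "ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "app": m["app"], "pid": m["pid"], "seq": int(m["seq"]), "msg": m["msg"]}

def find_floods(text, min_count=3, window_seconds=60):
    """Group identical (app, msg) pairs and flag those seen at least min_count
    times within window_seconds. Returns [(app, msg, count, span_seconds)]."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec:
            groups[(rec["app"], rec["msg"])].append(rec["ts"])
    floods = []
    for (app, msg), stamps in groups.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        if len(stamps) >= min_count and span <= window_seconds:
            floods.append((app, msg, len(stamps), span))
    return sorted(floods, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for app, msg, n, span in find_floods(SAMPLE_LOG):
        print(f"{app}: {n}x '{msg}' within {span:.0f}s")
```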
#26
I've got a box set up as a web server for both internal and external services. nginx uses the HTTP host to route to the correct apps. The internal services work fine, and the externally-visible services work but only if I'm not on my LAN (meaning only if I come in from a public IP).

If I'm on the LAN, and I try to access a service from the external host (e.g. myapp.mydomain.com), it looks like it redirects to the webserver which runs on the opnsense box, rather than port forwarding to the correct machine.

My WAN rejects rfc1918 addresses, but I'd think if I'm trying to access something at my proper domain name, the source would be the WAN address.

I'm guessing the problem is actually something in unbound, but I don't really know what to look for. I had this all working well on the exact same hardware a few days ago when I was running pfSense, and I've tried to mimic the firewall rules, etc. as best as I can.

Any suggestions are very welcome!

EDIT: Solved by Firewall -> Settings -> Advanced, enable the 3 NAT settings
#27
I've just gotten Opnsense 22.1.3 up and running on my router box, which is based on a 4-core Intel Pentium 3700 running on a 4-NIC Supermicro motherboard. The hardware is old-ish (built in 2016) but I've been using it with pfSense for years with no problem. It's only serving up my home network, so the actual traffic through the box is normally not very high.

With pfSense (2.5.2) I never noticed the CPU running at > 40%. With Opnsense I'm seeing the CPU running at roughly 70%. From reading the XML of my pfSense backup it looks like I had both Segmentation Offloading and Large Receive Offloading. pfSense doesn't have an obvious equivalent of the Hardware CRC Checksum control (Opnsense Interfaces -> Settings -> Hardware CRC).

Not sure what else I should be looking at? It's not like network traffic has shot up much in the past couple of days. I do run a few (6) VLANs but I'd guess this is something based on network traffic. I haven't enabled Intrusion Detection and it is indeed off. My firewall rules are quite basic, it's just 1-3 rules per VLAN.
#28
Thanks for this suggestion. Yes I had tried it before posting. I've just reverted temporarily back to pfSense (again on the exact same hardware) and it was able to get the DHCP address. I'm re-checking every setting now to see what the heck I might've missed.
#29
Hi, I've just decided to migrate from pfsense due to their new 2.6 licensing. I'm pretty experienced with pfsense, having been a user for 5+ years.

I've just migrated my box to opnsense and I can't for the life of me figure out how to get the WAN interface to get a DHCP license from my cable modem. I had one for a little while, but once I started trying to set up firewall rules and VLANs, I've now lost DHCP and I can't see what the heck I'm doing wrong.

I've confirmed with my internet provider (Comcast) that they don't lock to a specific MAC address. I have confirmed that I can get a DHCP license from the cable modem when I direct connect my Mac. I have my WAN interface set to DHCP (for IPv4) and no IPv6 just to keep things simple for now. The interface is enabled, but when I go to Interfaces -> Overview -> WAN and click Reload (or Release+Reload) I end up with no DHCP license.

I have several VLANs all running on LAN1 but not a lot of firewall complexity. Basically, either my VLANs should be fully open (allow all IPv4 traffic) or I allow the firewall, then block private networks, then allow all other connections. There shouldn't be anything tricky here, and much of it looks almost exactly like what I'd had setup on my pfsense box.

I've also seen that apparently opnsense can't directly let me get to the cable modem IP, since it uses a private IP address (192.168.100.1) and the WAN interface doesn't expect to see private networks, but if I hook my Mac directly up to the cable modem it looks like it's properly connected to Comcast, so I don't think the problem is within the modem.

What's the best way to troubleshoot this? Any suggestions are very welcome.

----

EDIT: I ended up wiping the system and reinstalling from scratch and it now works. I'm not really sure what the problem was before.