Topics - lk

#1
Hi all,

I have a WireGuard road warrior setup with two WG instances, wg0 and wg1. No interfaces are defined for WG because I don't want clients to connect to the internet via the tunnel – so just aliases are defined. I have set the usual pass rule on WAN for ports 51820-51821, on which the wg instances listen, and the further rules to allow the clients access to LAN resources. In other words, the service has been configured according to WireGuard Road Warrior Setup (https://docs.opnsense.org/manual/how-tos/wireguard-client.html), but without creating WG interfaces or an outbound NAT rule.

The thing is that wg1 works as expected, but wg0 does not. When I try to connect to wg0, the logs tell me the connection has fallen through and was blocked by the "default deny / state violation" rule. Indeed, the firewall logs show me a denied connection from the WG client's external address to the firewall's LAN address. This does not happen with wg1, and the same single WAN rule allowing incoming WG connections on port range 51820-51821 seems to work in wg1's case.

wg0 starts to work when I add a pass rule on WAN with the firewall's LAN address as destination. But this behavior baffles me and makes me concerned. Could anyone help to explain why this happens?

When I checked the wgX config files, they have identical structure with only minor differences. I can't come up with any meaningful difference between the two instances, or why one works as expected whereas the other does not.

# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = *
Address = 10.x.11.1/24
ListenPort = 51820

[Peer]
PublicKey = *

AllowedIPs = 10.x.11.2/32
PersistentKeepalive = 25

# cat /usr/local/etc/wireguard/wg1.conf
[Interface]
PrivateKey = *
Address = 10.x.12.1/24
ListenPort = 51821

[Peer]
PublicKey = *

AllowedIPs = 10.x.12.2/32

#2
Hi all,
I have a maddeningly elusive multiwan/routing/firewall problem.

I've set up a multiwan configuration according to the official OPNsense multiwan documentation, using a WAN group and policy based routing by firewall rules.

Both WAN interfaces are configured and confirmed to work independently, but when the load balancing setup is made active by selecting both interfaces as Tier 1 in the WAN group, internet connectivity from the LAN clients seems to fail randomly. One of the interfaces (WAN2) gets a "public" IP address from the carrier NAT 100.64/10 block by DHCP; the other has a standard public static address setup.

The symptoms:

Connectivity may work seemingly perfectly fine for a couple of minutes after applying the configuration, but using only one of the interfaces. Traceroute seems normal and shows the WAN interface being used. Then new connections just start timing out and traceroute gets only as far as the OPNsense box, which has led me to suspect that something happens when the system tries to use the other WAN route.

A further suspicion is that the firewall rules somehow don't match this traffic. While the connectivity problem is happening, I can see traffic getting blocked by the default firewall block rule. The attachments show firewall live log excerpts with traffic resulting from a simple `curl ifconfig.me/ip` on a LAN workstation; one connection times out, the other works as it should. Even though the excerpts show different interfaces working and failing, I think both interfaces have exhibited similar behavior.

Considering the 100.64/10 address block, I disabled the "Block private networks" configuration rule on WAN2 to see if it made any improvement, sadly not.

The gist of my firewall rules:

Excerpts from the floating auto-generated rules:

| Action | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| pass out | IPv4+6 * | * | * | * | * | * | * | let out anything from firewall host itself |
| pass out | IPv4+6 * | (igb0) | * | * | * | WAN_GW | * | let out anything from firewall host itself (force gw) |
| pass out | IPv4+6 * | (igb3) | * | * | * | WAN2_DHCP | * | let out anything from firewall host itself (force gw) |

Excerpts from the LAN ruleset:

| Action | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| pass in quick | IPv4 TCP/UDP | * | * | LAN address | 53 (DNS) | * | * | |
| pass in quick | IPv4 ICMP | * | * | LAN address | * | * | * | |
| pass in quick | IPv4 * | LAN net | * | * | * | WANGRP_BAL | * | Load balancer allow LAN to any rule (cloned from default allow LAN rule) |

Bogons and private addresses are blocked on the statically configured interface, but not on the dynamically configured carrier NAT interface.

I have adjusted the WAN connections' parameters for now so that they stay online and don't generate connectivity alerts (so they shouldn't affect any routing/load balancing decisions by the OS; the connections are somewhat low grade and could otherwise occasionally trigger an alert while still working).

The problem seems to be purely with routed traffic; I have never noticed the OPNsense box's own connections being affected. The configuration also works flawlessly as failover: if I put WAN2 as Tier 1 and WAN as Tier 2 and then force-expire the WAN2 DHCP lease, Tier 2 takes over just as it should, without any bigger hiccups.

If anyone can come up with anything on this, be it further questions or suggestions, it would be greatly appreciated.

#3
Hi all, hope this topic is on the correct forum.

I have two network segments, "clean" and "dirty". Currently I have a local DNS resolver (Unbound) running without any special filtering or configuration, but I would like to restrict DNS access from the dirty segment using overrides and blacklists (as well as prevent local DHCP-issued hostnames from leaking from the clean segment) while leaving the clean segment unrestricted.

Based on that, I was wondering whether it was possible in OPNsense to run another resolver instance (from GUI or configured by hand) that could be configured separately. Or is this even the best way to approach this?

The GUI configuration options don't seem to give the level of flexibility needed for this, which led me to think that two separate instances with their own configurations could be the best way.

I'd say I'm quite familiar with Unix administration and could do this on a "vanilla" OS, but I'm a noob when it comes to OPNsense. So what I'm now mostly after is a way to achieve this without blowing up OPNsense's GUI or internals =) Any help is appreciated.

Edit: to add, the "dirty" segment is a separate segment in its own VLAN, and the resolver would be bound to the VLAN interface so it could be the default resolver for that segment.
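As an added illustration (not from the post and not OPNsense-generated configuration), this is what a hand-written unbound.conf for a separately configured second instance serving only the dirty VLAN could look like: bound to that VLAN's interface, accepting queries only from that subnet, carrying its own blacklist and override entries, and holding no clean-segment host data so nothing can leak through it. The interface address 10.0.20.1, the 10.0.20.0/24 subnet, the file paths and the domain names are assumptions.

```conf
# Second Unbound instance for the "dirty" VLAN only.
# All addresses, paths and domain names below are assumed example values.
server:
    # Listen only on the dirty VLAN interface address, so this instance is
    # the default resolver for that segment and nothing else.
    interface: 10.0.20.1
    port: 53

    # Separate runtime files so this instance does not collide with the
    # default resolver instance on the same host.
    pidfile: "/var/run/unbound-dirty.pid"
    chroot: ""
    username: "unbound"

    # Only the dirty subnet may query; everything else is refused.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.20.0/24 allow

    # Deliberately no local-data for clean-segment hosts: DHCP-issued
    # hostnames live only in the default instance, so they cannot be
    # resolved (and thus leaked) through this one.

    # Blacklist example: NXDOMAIN for an unwanted domain and all its subdomains.
    local-zone: "ads.example" always_nxdomain

    # Override example: answer a name locally instead of resolving upstream.
    local-zone: "intranet.example" static
    local-data: "portal.intranet.example. A 10.0.10.5"

    # Restrict what the resolver reveals about itself.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    qname-minimisation: yes

remote-control:
    # Disabled so it does not clash with the default instance's control socket.
    control-enable: no
```

The instance would be started with its own config path (for example `unbound -c /usr/local/etc/unbound-dirty/unbound.conf`), leaving the default instance untouched.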