Topics - MickeyRat

#1
Hello,

I'm trying to set up Wireguard remote access. I have set up Dynamic DNS on my NameCheap domain and that appears to be working. I'm using the guide here. I was able to create the instance, the peer and the interface but, when I attempt to specify my port (51867) in the WAN firewall rule, it says: "no Results matched 51867".

I don't know whether it makes any difference but, I have another Wireguard instance running VPN through proton.

I'm attaching images of my instances, peers and interfaces. To say I'm a novice at network setup would be overstating my abilities. Any help would be appreciated.





#2
Let me start by saying I barely have enough network expertise to run opnsense. So, I'm likely missing something very obvious.

I have a small network with 11 nodes with static IPs. Two of those nodes go through wireguard to a VPN service with a kill switch.

This morning I moved my DHCP from ISC to Dnsmasq and it's working pretty well. However, there are a couple of minor issues.

  • I have a laptop that sometimes goes through a wired connection and other times goes wireless. I put the MAC addresses for the wired and wireless network adapters in the host record but, only the wired connection gets the IP address in the host record. Oddly enough, when I connect wirelessly and look at the lease entry for the laptop, it shows that it's a static IP even though the IP is not in my static range and it's not the IP in the host record.
  • For the nodes that go through wireguard, I need to specify the vendor's DNS server. In ISC I was able to specify that in the static lease entries. There's no equivalent in dnsmasq host entries. Is there somewhere else I can do this? Right now, I've put the DNS address in the network configuration on the individual nodes and that does what I need. However, since the wireguard config is on Opnsense, it would be cleaner to do it there.

Neither one of these is a showstopper but, they are a bit bothersome. Any help would be appreciated.
#3
General Discussion / Ipv6 not staying blocked
June 21, 2021, 07:32:24 PM
I have a few IPs I want to limit to my LAN only.  First I set up an alias called NoWAN to hold the IPs.  I've attached a pic of my rules.  These are the first rules in the list.  They block inbound and outbound ipv4 and ipv6 traffic from anywhere except a LAN address.  Now here's the weird part.  They work fine for both ipv4 and ipv6 when I'm first connected but, after 10 minutes or so ipv6 starts leaking.  Here's what I see on reboot or when I cycle the network connections:

ping www.google.com
ping: www.google.com: Temporary failure in name resolution


After 10 minutes or so I get:

ping www.google.com
PING www.google.com(yx-in-x68.1e100.net (2607:f8b0:4002:c08::68)) 56 data bytes
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=1 ttl=106 time=16.2 ms
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=2 ttl=106 time=16.5 ms


Note that those are ipv6 addresses.

I've tried making separate rules for ipv4 and ipv6 with the same result.  I'm not a networking expert and I don't know much about ipv6.  So, any help would be appreciated.
#4
General Discussion / Total Noob Comments and Questions
November 18, 2018, 12:54:34 AM
New here and I just got opnsense set up with PIA and kill switch.  I used the pfsense guide here https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/ as a go by.  I'm a soon to be retired DBA so, while I don't know the details of networking, I can get around a little.  I'm pretty experienced with Linux.  I don't know much about BSD.

I actually did it with pfsense first but, those guys' attitude really makes me uninterested in using their software if I have an alternative.  However, doing it in pfsense did give me the confidence to try it in opnsense.

I know it's overkill for a home router but, it's on an i5 with 32GB and a 30GB msata drive.

Comments


  • I couldn't get the USB version to boot or even be recognized by the BIOS.  I had to burn a DVD. Not sure why.
    The install took a while.
  • Others have commented on this but, guides for opnsense other than the documentation are pretty hard to come by.  That's why I did it with pfsense first.
  • I don't want it but, I'm a bit surprised that opnsense has no provision for UPnP.  The only reason I know that pfsense has it is because I went looking for it to make damn sure it was turned off.
  • I've only had it running a few hours but, very pleased so far!

Questions


  • Telling me to RTFM isn't unreasonable here but, this system also has a 200GB hard drive.  Opnsense isn't using it.  Any pointers on getting it running?  Any reason I should?
  • Is there a reason to set up ARP on a network with less than 20 nodes?  From what I've read it reduces broadcast messages for mac addresses but, how many of those are there going to be on that small a network?
  • Anything else I should try to set up for a home router?  Obviously, I have some spare cycles.

My other observation is that both pfsense and opnsense perform about the same.  However, they both beat the tar out of my ASUS AC-RT87U performance wise.  That's not much of a surprise.  I also get higher throughput over PIA than I do on a clear connection with both opnsense and pfsense.  I'm pretty sure that's due to compression between my router and PIA.

Thanks for any answers, comments, insults, whatever. :)