OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: ntsco on September 29, 2023, 03:23:55 PM

Title: Wireguard interface subnet not added to firewall aliases on boot
Post by: ntsco on September 29, 2023, 03:23:55 PM
Hi all,

recently upgraded from OPNsense 22.7 to 23.7.5.
There appears to be a problem with Wireguard/Firewall after the upgrade: While Wireguard was working, client requests were not able to pass through the firewall. After some digging, I found the cause: In our setup, firewall rules are applied to interface groups. The Wireguard interface in question is assigned to such groups. Rules affecting these groups did not apply to the Wireguard interface after boot, while floating rules did.

If I look into Firewall > Diagnostics > Aliases > <alias-for-group>, the Wireguard interface's subnet does not appear in it, even though the interface is part of the group.

Workaround 1: After reboot, make any kind of firewall change or interface change and apply it. The config will be reloaded, and the Wireguard interface's subnet will be included in the groups' network aliases.

Workaround 2: Add a script running on boot. I created /usr/local/etc/rc.syshook.d/start/92-wireguard-firewall-workaround with the following content:

#!/bin/sh

sleep 2
configctl filter reload

While these workarounds do solve the issue for now, I would like to know what is causing the bug, and if it can be fixed on the OPNsense software side.

Firmware Status:

Type opnsense
Version 23.7.5
Architecture amd64
Commit cd8f7fa6f
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Repositories OPNsense
Updated on Thu Sep 28 17:50:54 CEST 2023

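A check-then-reload variant of workaround 2, added here as an example and not taken from the thread: it derives the Wireguard interface's subnet from ifconfig output, looks for that subnet in the group's pf table via pfctl -t NAME -T show, and only runs configctl filter reload when the entry is actually missing. The alias name, the interface name and the sample ifconfig text are assumptions or constructed values, not something reported in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: reload the filter only when the
# WireGuard interface's subnet is really missing from the group's pf table.
# ALIAS and WG_IF are placeholder assumptions (see Firewall > Diagnostics > Aliases).
ALIAS="${ALIAS:-GROUPNAME_network}"
WG_IF="${WG_IF:-wg0}"
# Constructed sample of FreeBSD ifconfig(8) output, for offline testing only
IFCONFIG_SAMPLE='wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
    inet 10.10.5.1 netmask 0xfffffc00'

# Count the set bits of a hex netmask: 0xffffff00 -> 24
mask_to_prefix() {
    awk -v m="$1" 'BEGIN {
        m = tolower(m); sub(/^0x/, "", m); n = 0
        for (i = 1; i <= length(m); i++) {
            v = index("0123456789abcdef", substr(m, i, 1)) - 1
            for (b = 8; b >= 1; b /= 2) if (v >= b) { n++; v -= b }
        }
        print n }'
}
# Network address in CIDR form: network_of 10.10.5.77 22 -> 10.10.4.0/22
network_of() {
    awk -v ip="$1" -v p="$2" 'BEGIN {
        split(ip, o, ".")
        for (i = 1; i <= 4; i++) {
            bits = p - (i - 1) * 8
            if (bits < 0) bits = 0; if (bits > 8) bits = 8
            step = 2 ^ (8 - bits)
            printf "%d%s", int(o[i] / step) * step, (i < 4 ? "." : "/" p "\n")
        } }'
}
# Read ifconfig output on stdin, print its first IPv4 network as a.b.c.d/p
subnet_from_ifconfig() {
    set -- $(awk '$1 == "inet" { print $2, $4; exit }')
    [ -n "$2" ] || return 1
    network_of "$1" "$(mask_to_prefix "$2")"
}
# Read a "pfctl -t NAME -T show" listing on stdin; succeed if subnet is listed
alias_has_subnet() {
    awk -v s="$1" '$1 == s { found = 1 } END { exit !found }'
}
# Hook body: compare the live interface against the live pf table, then fix
ensure_wg_subnet_in_alias() {
    subnet=$(ifconfig "$WG_IF" | subnet_from_ifconfig) || return 1
    pfctl -t "$ALIAS" -T show 2>/dev/null | alias_has_subnet "$subnet" && return 0
    configctl filter reload
}
# Only act when installed under rc.syshook.d, like the original workaround
case "$0" in */rc.syshook.d/*) sleep 2; ensure_wg_subnet_in_alias ;; esac
```

Installed under /usr/local/etc/rc.syshook.d/start/, it behaves like the original script but leaves the filter alone on boots where the alias is already correct, which also makes the missing-subnet condition visible if you log the reload branch.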
Title: Re: Wireguard interface subnet not added to firewall aliases on boot
Post by: oaksboard on September 12, 2024, 03:55:45 PM
Reviving this issue, since it still seems to be present in OPNsense 24.7.3_1.

Thank you, ntsco, for the workaround, which fixed it for me too.

best,
oskar