Description of my LAN:
SITE A: Fritzbox 192.168.0.1 (DSL), routes 192.168.12.0/24 to gateway 192.168.2.254
and 10.0.0.0/24 to gateway 192.168.2.254
OPNsense 192.168.2.254 with a WireGuard server tunnel configured on 10.0.0.1
SITE B: Fritzbox 192.168.12.1
Both sites browse the internet correctly, and site B takes site A's public address in my config.
SITE B can ping all SITE A addresses through the tunnel.
SITE A can ping 10.0.0.2 (tunnel address of the site B Fritz)
and can see the web interface 192.168.12.1 of the site B Fritz,
but cannot ping 192.168.12.1 nor its LAN addresses.
It seems that I'm missing something in the config, something related to routes, DNS, or something else.. probably something stupid...
but I can't find what.
Any help is appreciated.
It seems related to this..
https://forum.mikrotik.com/viewtopic.php?t=197279
but I don't understand where to configure the remote network
to which those rules apply:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
I made a little step...
Now from the OPNsense console I can ping 192.168.12.1,
but I still cannot ping it from site A, and I cannot ping the rest of its LAN devices.. (ping: sendto: No route to host)
This is the message when I try to ping one of the devices of the remote LAN, 192.168.12.10:
ping: sendto: Capabilities insufficient
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 1e12 0 0000 40 01 85e4 10.0.0.1 192.168.12.10
No one can help me?
This is my latest console log:
root@OPNsense:~ # ping 192.168.12.33
PING 192.168.12.33 (192.168.12.33): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=254 time=125.764 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=145.248 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=151.729 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=254 time=60.655 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=254 time=98.549 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=254 time=118.062 ms
^Z
Suspended
root@OPNsense:~ # traceroute 192.168.12.33
traceroute to 192.168.12.33 (192.168.12.33), 64 hops max, 40 byte packets
1 10.0.0.2 (10.0.0.2) 297.478 ms 62.803 ms 60.274 ms
2 10.0.0.2 (10.0.0.2) 99.519 ms 98.444 ms 206.532 ms
root@OPNsense:~ #
All addresses resolve to 10.0.0.2, which is the second address of my remote Fritz.
Your problem is just not a usual one, because doing VPN with a Fritzbox is always limited, IPsec as well as WireGuard.
When I played around with WireGuard on a Fritzbox in combination with OPNsense, I found out that the Fritzbox implementation is very limited and bad for site-to-site. It's more focused on road-warrior access.
I couldn't use a transfer net (in your case 10.0.0.0/24) like in usual WireGuard setups. You can just connect the two networks directly per tunnel this way. (The routes are just for information; the AllowedIPs set the routes automatically.)
(This is just an example; it was a few months ago when I connected a Fritzbox to an OPNsense.)
Basically, just use the wizard in the Fritzbox to create a site-to-site .cfg file, and look into it with a text editor to see what to configure on the OPNsense.
Site A configuration:
[Interface]
PrivateKey = <Private_Key_SiteA>
Address = 192.168.2.2/24
ListenPort = 51820
[Peer]
PublicKey = <Public_Key_SiteB>
AllowedIPs = 192.168.12.0/24
Endpoint = 208.0.0.1:51820
ip route add 192.168.12.0/24 dev wg0
Site B configuration:
[Interface]
PrivateKey = <Private_Key_SiteB>
Address = 192.168.12.2/24
ListenPort = 51820
[Peer]
PublicKey = <Public_Key_SiteA>
AllowedIPs = 192.168.2.0/24
Endpoint = 207.0.0.1:51820
ip route add 192.168.2.0/24 dev wg0
I managed to establish the VPN both ways from OPNsense and Fritz.. but I still have a problem.
On the OPNsense console I can ping remote hosts...
[2.7.0-RELEASE][root@pfSense.home.arpa]/root: ping 192.168.12.1
PING 192.168.12.1 (192.168.12.1): 56 data bytes
64 bytes from 10.100.90.1: icmp_seq=0 ttl=64 time=50.825 ms
64 bytes from 10.100.90.1: icmp_seq=1 ttl=64 time=56.637 ms
^Z
Suspended
[2.7.0-RELEASE][root@pfSense.home.arpa]/root: ping 192.168.12.33
PING 192.168.12.33 (192.168.12.33): 56 data bytes
64 bytes from 10.100.90.1: icmp_seq=0 ttl=254 time=260.427 ms
64 bytes from 10.100.90.1: icmp_seq=1 ttl=254 time=78.874 ms
(I changed some IPs, sorry)
but I still cannot reach any ports on the remote Fritz... there is something that I'm not doing in the firewall or routes.
I surely have a problem with tracking routes.. due to the fact that OPNsense doesn't manage DNS; it's the Fritz that manages it.
Here is a traceroute from site A (Fritz) to site B:
platini76@PlatPro16 ~ % traceroute 192.168.12.1
traceroute to 192.168.12.1 (192.168.12.1), 64 hops max, 52 byte packets
1 fritz.box (192.168.0.1) 5.194 ms 4.384 ms 4.027 ms
2 pfsense (192.168.0.254) 5.604 ms 5.844 ms 5.769 ms
3 10.100.90.1 (10.100.90.1) 73.387 ms 74.826 ms 75.708 ms
and here from the OPNsense shell to site B:
traceroute 192.168.12.1
traceroute to 192.168.12.1 (192.168.12.1), 64 hops max, 40 byte packets
1 10.100.90.1 (10.100.90.1) 67.925 ms 62.216 ms 69.590 ms
I assume that you are German because Fritzboxes are widespread in Germany. (I just checked your screenshot and it's in... Italian? I didn't know there are Fritzboxes used there :)
Please look at this thread:
https://forum.opnsense.org/index.php?topic=33087.0
Especially at this: https://forum.opnsense.org/index.php?topic=33087.msg160912#msg160912
Also, if you can't get WireGuard to work, there's always the choice to create an IPsec tunnel. I primarily use IPsec to connect any other router to a Fritzbox.
Quote from: Monviech on October 10, 2023, 06:51:11 PM: Italian? I didn't know there are Fritzboxes used there :)
:) :) :) :) :) :) :)
It is impossible to translate...
But my problem is not making a WireGuard connection... it is established.. and working..
Now it is only a routing table problem...
When a packet comes into the OPNsense... if it's directed to a client on the same subnet as the OPNsense... it reaches its destination... if not... it remains on the interface..
Did you recreate the WireGuard tunnel without the transfer net?
Option 1 (this works): it has to be 192.168.2.0/24 (wg OPNsense) <---> 192.168.12.0/24 (wg Fritzbox)
(Look at the configuration post https://forum.opnsense.org/index.php?topic=33087.msg160912#msg160912)
Option 2 (not working): 192.168.2.0/24 <---> 10.0.0.1/24 <----> 10.0.0.2/24 <----> 192.168.12.0/24
In Option 2 with a transfer net, the Fritzbox only puts a route on 10.0.0.0/24 and not on 192.168.2.0/24, so return packets from 192.168.12.0/24 to 192.168.2.0/24 get lost. The Fritzbox can only do Option 1.
So please help me assign addresses.
I have only one point that I cannot change:
the Fritz on site A is 192.168.0.1/22,
and the subnets I use are 192.168.0.0 and 192.168.2.0.
Its OPNsense firewall currently has:
WAN 192.168.0.254/24
LAN 192.168.2.254/24
OPT (can change)
The second Fritz is free to set.
I already said it:
Opnsense Site A:
Local Configuration
Tunnel Address: 192.168.2.0/24 (Yes, that's a valid IP address based on the configuration files posted in the other thread.)
Endpoints:
Allowed IPs: 192.168.12.0/24 (Network of your Fritzbox Site B)
Don't forget to create an allow any/any rule in "Firewall: Rules: WireGuard (Group)".
Fritzbox Site B:
Use the wizard to create the WireGuard tunnel and put "Allowed IPs: 192.168.2.0/24" (network of your OPNsense). (I don't know what it's called there, maybe "remote network" or so.)
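Added example (not part of the original thread, and not code from OPNsense or AVM): a small model of WireGuard's cryptokey routing that reproduces why Option 2 (transfer net) fails for site A LAN hosts but works from the OPNsense console, and why Option 1 (the configuration above) works. WireGuard uses a peer's AllowedIPs in both directions: a packet is only sent into the tunnel if its destination is inside AllowedIPs (and a route for each prefix is installed), and a decrypted packet is only accepted if its source is inside the sending peer's AllowedIPs. The AllowedIPs assumed for the Option 2 OPNsense side (10.0.0.2/32 plus 192.168.12.0/24) are an assumption, since the thread never shows that configuration; the Fritzbox side only knowing 10.0.0.0/24 follows Monviech's explanation. Host addresses such as 192.168.2.10 are constructed for the example.

```python
"""Model of WireGuard cryptokey routing for the two site-to-site layouts discussed in the thread.

Rules applied per endpoint (standard WireGuard behaviour, independent of the vendor):
  - outbound: a packet goes into the tunnel only if its destination is inside the peer's AllowedIPs;
  - inbound:  a decrypted packet is accepted only if its source is inside the peer's AllowedIPs.
A round trip therefore needs the destination in the local AllowedIPs AND the source in the remote AllowedIPs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    allowed_ips: list  # AllowedIPs this endpoint configured for its (single) peer

    def __post_init__(self):
        self.allowed_ips = [ipaddress.ip_network(n, strict=False) for n in self.allowed_ips]

    def covers(self, addr: str) -> bool:
        """True if addr falls inside any AllowedIPs prefix of this endpoint's peer."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.allowed_ips)


def round_trip(local: Endpoint, remote: Endpoint, src: str, dst: str) -> list:
    """Walk an echo request src->dst and its reply through both endpoints.

    Returns (step description, ok) tuples; the exchange only works if every step is ok.
    """
    return [
        (f"{local.name}: route {dst} into the tunnel", local.covers(dst)),
        (f"{remote.name}: accept packet from {src}", remote.covers(src)),
        (f"{remote.name}: route reply to {src} into the tunnel", remote.covers(src)),
        (f"{local.name}: accept reply from {dst}", local.covers(dst)),
    ]


def works(local: Endpoint, remote: Endpoint, src: str, dst: str) -> bool:
    return all(ok for _, ok in round_trip(local, remote, src, dst))


def missing_allowed_ips(local: Endpoint, remote: Endpoint, src: str, dst: str) -> list:
    """(endpoint name, address) pairs that would have to be added to AllowedIPs for src<->dst to work."""
    fixes = []
    if not local.covers(dst):
        fixes.append((local.name, dst))
    if not remote.covers(src):
        fixes.append((remote.name, src))
    return fixes


# Option 2 (transfer net 10.0.0.0/24). The OPNsense AllowedIPs are an assumption; the Fritzbox
# side only knowing the transfer net is what Monviech describes in the thread.
opnsense_opt2 = Endpoint("OPNsense", ["10.0.0.2/32", "192.168.12.0/24"])
fritz_opt2 = Endpoint("Fritzbox", ["10.0.0.0/24"])

# Option 1 (no transfer net): each side lists the other side's LAN, as in the final configuration.
opnsense_opt1 = Endpoint("OPNsense", ["192.168.12.0/24"])
fritz_opt1 = Endpoint("Fritzbox", ["192.168.2.0/24"])

if __name__ == "__main__":
    cases = [  # constructed scenarios mirroring the thread's observations
        ("Option 2, ping from the OPNsense console (src 10.0.0.1)", opnsense_opt2, fritz_opt2, "10.0.0.1", "192.168.12.33"),
        ("Option 2, ping from a site A LAN host (src 192.168.2.10)", opnsense_opt2, fritz_opt2, "192.168.2.10", "192.168.12.33"),
        ("Option 1, ping from a site A LAN host (src 192.168.2.10)", opnsense_opt1, fritz_opt1, "192.168.2.10", "192.168.12.33"),
    ]
    for title, a, b, src, dst in cases:
        print(title)
        for step, ok in round_trip(a, b, src, dst):
            print(f"  [{'ok' if ok else 'DROP'}] {step}")
        for side, addr in missing_allowed_ips(a, b, src, dst):
            print(f"  fix: add a prefix covering {addr} to AllowedIPs on {side}")
```

Running it shows the Option 2 ping from the OPNsense console passing (its source 10.0.0.1 is inside the Fritzbox's 10.0.0.0/24), the same ping from a 192.168.2.x host being dropped at the Fritzbox on the return step, and the Option 1 layout passing end to end, which is exactly the pattern of symptoms reported in the thread.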
Yes sir!
You saved my life... after two weeks of trying, you gave me the input to solve this question!
Thanks very much.. if you come to Italy, please come to my house and I will offer you a good coffee!
plat
Awesome, sounds nice. Happy you could finally solve it.