I have recently setup a new OPNSense (24.1.10_3) router to replace a failing router which ran OpenWRT.
After getting everything up and running perfectly last week (including a number of VLANs) I have just configured Wireguard to use my VPN-vendor account using the WG Selective Routing to External VPN Endpoint instructions (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) available in the docs.
Various tests show the WG instance to be working and not leaking my real IP address and in general things are working well.
However, I now have 2 fairly significant new problems:
- If i turn off (disable) Wireguard at /ui/wireguard/general, then no PCs within the VLANs which are "normally" in the Wireguard tunnel can browse the internet.
It is not just a DNS problem as I can not even open a website for which I know the IP address.
It's weird to me as I have NOT implemented the "killswitch" instructions, yet disabling Wireguard kills the connection entirely.
- Port forwarding does not work within the WG tunnel (even though those handful of ports are forwarded at the VPN provider). [ This in spite of changing various parameters of the forwarded ports (especially the "destination address" which should likely no longer be "WAN address" but now likely the VPN address). ]
Ports for one of the machines are somehow forwarded to/from the
actual WAN address which has me
very confused since the port forwarding setup is
identical for another machine in the same VLAN and its ports are
not all thusly forwarded when there is an exact correspondence in setup with the exception of IP address (one digit different) and a port number (also 1 digit different).
Given my efforts regarding problem 2 haven't worked out in the least, these problems likely point to firewall configuration issues.
I have played with reordering some of the rules (there are not yet many) to no avail.
Any and all ideas are appreciated! Thanks in advance.
Problem 1 is the more important one; if I can figure out a way to kill the WG instance without killing the internet, that would be good.
Problem 2 is really only for torrenting anonymously where desired -- not hugely important at the moment.