Hi
I have set up a WireGuard instance and clients exactly as in this video, which clearly shows what to do.
However when I connect to the server, it establishes connection but packets are not received.
The only difference is I have pppoe connection (as interface), however I have allowed Wireguard port on the WAN firewall only.
Do I need to open the firewall port on the pppoe interface rather than WAN? Or how can I troubleshoot? Thanks.
What would be the difference between WAN and pppoe0?
One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.
That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, like your example clearly shows.
You have to understand how things work, otherwise you will be stuck at each crossing.
With a PPPoE connection, you can have one of these topologies on the WAN side:
1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")
With OPNsense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT" either, as per default, everything is blocked.
You obviously use it differently, which causes your confusion:
ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")
Quote from: meyergru on Today at 01:48:45 PM
What would be the difference between WAN and pppoe0?
Many thanks
I have a very simple setup. No VLANs.
ISP -> PPPoE (WAN) -> LAN Devices
So I did apply the firewall rules to the WAN interface as per the video, so what could be wrong?
Is there a way to check logs or something else that I can identify the problem?
There are two parts of firewall rules (well, actually, it's three):
1. On WAN, you need to allow "in" access on the UDP port that your wireguard instance is running on.
2. On the Wireguard group, you need to create "in" rules to access any of the LAN resources you want external clients to have access to. For starters, you could "allow from any to any".
3. In the wireguard peer, you need to set the "allowed ip" range to those of the wireguard clients that you want to pass. You could use 0.0.0.0/0 here.
All of this is explained for both site-to-site and roadwarrior setups in the official docs (https://docs.opnsense.org/manual/vpnet.html#wireguard).
The order of checks would be outside -> in, so first make sure that the wireguard instance is really contacted by your clients.
That means:
a. the client must be able to connect to your external WAN IP, probably by using its dynamic DNS alias.
b. the client must be allowed to use the wireguard instance's external UDP port.
c. the secrets must be correct, otherwise the packets will be silently discarded.
You can check that via the Wireguard status. It must be green, having a "handshake age" and both sent and received traffic.
The second step would be to verify access from your client to your internal networks.
You can enable firewall logging for the default block rules and watch if there are blocks.
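As an added example (not from this thread or from OPNsense's own tooling), here is a small POSIX sh/awk triage of `wg show <iface> dump` output that applies the check order above: handshake first (steps a to c), then sent/received traffic. The interface name wg0, the 180 s staleness threshold, the peer keys and the sample dump are all assumptions.

```shell
#!/bin/sh
# Run on the OPNsense shell as:  wg show wg0 dump | wg_peer_health "$(date +%s)"
# (wg0 and the 180 s threshold are assumptions; adjust to your instance.)

wg_peer_health() {
    # $1 = current epoch seconds; dump text on stdin. Prints one line per peer:
    # STATE<tab>pubkey-prefix<tab>endpoint<tab>detail. Exit status = number of
    # peers that are not OK, so the function can gate a cron or monitoring check.
    awk -v now="$1" -F '\t' '
        NR == 1 { next }        # interface line: privkey, pubkey, listen-port, fwmark
        {
            pub = substr($1, 1, 8); ep = $3; hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            if (hs == 0) {
                # steps a/b/c: client never reached the UDP port, the WAN "in" rule
                # is missing, or keys/PSK do not match (packets silently discarded)
                state = "NO_HANDSHAKE"; detail = "check WAN rule on UDP port and peer keys"
            } else if (now - hs > 180) {
                state = "STALE"; detail = "last handshake " (now - hs) "s ago"
            } else if (rx == 0 || tx == 0) {
                # second step: tunnel is up but nothing flows, look at WireGuard group rules
                state = "NO_TRAFFIC"; detail = "handshake fine, check WireGuard group rules"
            } else {
                state = "OK"; detail = "rx=" rx " tx=" tx
            }
            if (state != "OK") bad++
            printf "%s\t%s\t%s\t%s\n", state, pub, ep, detail
        }
        END { exit bad + 0 }'
}

# Constructed sample in `wg show wg0 dump` format (tab separated); keys are placeholders.
sample_dump() {
    now=1700000000
    printf 'PRIVKEYPLACEHOLDER=\tSERVERPUBPLACEHOLDER=\t51820\toff\n'
    printf 'peerAAAA+placeholder=\t(none)\t203.0.113.5:41234\t10.10.10.2/32\t%s\t12345\t9876\t25\n' $((now - 30))
    printf 'peerBBBB+placeholder=\t(none)\t(none)\t10.10.10.3/32\t0\t0\t0\t25\n'
    printf 'peerCCCC+placeholder=\t(none)\t198.51.100.7:5000\t10.10.10.4/32\t%s\t500\t500\t0\n' $((now - 3600))
}

sample_dump | wg_peer_health 1700000000 || echo "$? peer(s) need attention"
```

A peer stuck in NO_HANDSHAKE while the WAN rule is in place is the case where enabling logging on the default block rule, as described above, shows whether the UDP packets reach the box at all.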