Topics - FBachofner

#1
I have recently set up a new OPNSense (24.1.10_3) router to replace a failing router which ran OpenWRT.

After getting everything up and running perfectly last week (including a number of VLANs) I have just configured Wireguard to use my VPN-vendor account using the WG Selective Routing to External VPN Endpoint instructions available in the docs.

Various tests show the WG instance to be working and not leaking my real IP address and in general things are working well.

However, I now have 2 fairly significant new problems:

  • If I turn off (disable) Wireguard at /ui/wireguard/general, then no PCs within the VLANs which are "normally" in the Wireguard tunnel can browse the internet.

    It is not just a DNS problem as I cannot even open a website for which I know the IP address.

    It's weird to me as I have NOT implemented the "killswitch" instructions, yet disabling Wireguard kills the connection entirely.


  • Port forwarding does not work within the WG tunnel (even though those handful of ports are forwarded at the VPN provider).  [ This in spite of changing various parameters of the forwarded ports (especially the "destination address" which should likely no longer be "WAN address" but now likely the VPN address). ]

Ports for one of the machines are somehow forwarded to/from the actual WAN address which has me very confused since the port forwarding setup is identical for another machine in the same VLAN and its ports are not all thusly forwarded when there is an exact correspondence in setup with the exception of IP address (one digit different) and a port number (also 1 digit different).

Given my efforts regarding problem 2 haven't worked out in the least, these problems likely point to firewall configuration issues.

I have played with reordering some of the rules (there are not yet many) to no avail.

Any and all ideas are appreciated!  Thanks in advance.

Problem 1 is the more important one; if I can figure out a way to kill the WG instance without killing the internet, that would be good.

Problem 2 is really only for torrenting anonymously where desired -- not hugely important at the moment.
#2
Hi OPNSense Gurus!  ;)

I have recently begun implementing VLANs to great effect (using OPNSense 23.7.12).  Everything works well (although my firewall rules are still quite permissive while working through it, so I am not really surprised at things working in general).

One of my VLANs -- VLAN6 -- is for "entertainment devices."

On VLAN6 I have a Logitech Squeezebox which successfully pulls its DHCP reserved IP address (10.11.6.10).  It needs to make a UDP broadcast on port 3483 to find the LogitechMediaServer (10.11.1.100) which serves music.

Since VLANs won't pass UDP packets across the VLAN boundary, I thought I could use port forwarding (which I otherwise successfully use for remote access of a couple PCs on the network).  Unfortunately this does not work for reasons unclear to me.

Attached are images of what the NAT and LAN firewall rules look like for it, as well as the port forwarding setup (this may somehow be in error -- my experience with port forwards in OPNSense to date has been letting WAN requests into specific computers).  The Aliases used for Squeezebox ports and devices have been reviewed to be correct!

Finally, I have attached a screenshot of my attempt to set up the "UDP Broadcast Relay" plugin.  FYI: when it was enabled, the port forward was disabled (and vice-versa) so there should be no "trampling" going on.  Also, I tried both with and without enabling "TTL for ID."

You will note in the background this same relay is highlighted in green.  This seems to indicate the relay is running.  When the relay is NOT running there is a corresponding error in the general log.

There is neither a broadcast/multicast address nor a source address entered as those two things seem to cause the relay to fail startup.  Also, @marjohn56 specifically mentioned leaving those blank in relation to Squeezebox / LMS setups in this linked post.

In the case of attempting the "UDP Broadcast Relay" solution, I have a "wide open" floating firewall rule which bidirectionally passes any and all tcp/udp packets to ALL sources and destinations on the single 3483 "discovery" port used by Squeezeboxen.  Just in case, I have an additional floating FW rule which passes all traffic on port 9000 to ALL sources and destinations (LMS requires this for streaming, but it shouldn't be required for discovery).

Anyway, with this (temporary) level of "openness," I am surprised I cannot get this to work!  [I can't show the FW rules as I do not have the ability to attach another image . . . ]

I am posting this here because the thread for UDP Broadcast Relay is "stuck" on an unanswered question on Dec. 18, more than one month ago.

Any and all hints would be appreciated.  I am probably doing something really dorky and fully expect to facepalm when I hear back!  :-[
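Added example (not from the post above, and not the UDP Broadcast Relay plugin's or Squeezebox's own code): a small UDP probe for checking whether datagrams sent to the discovery port actually arrive on the other side of a VLAN boundary, and with which source address. The listener reports the source address it observes, which is the address any discovery reply would go back to, so it shows whether a relay preserved the original sender or substituted its own. The port number 3483 is taken from the post; the `VLANPROBE` marker and the payload layout are assumptions of this example, not the Squeezebox/LMS discovery format.

```python
"""UDP discovery-port probe for testing broadcast relaying across VLANs.

Added example, not the post author's or the plugin's code.  The payload
format (marker + send time + token) is invented here purely so that the
listener can recognise its own probes and measure one-way delay.
"""
import socket
import struct
import sys
import time

DISCOVERY_PORT = 3483          # port named in the post
MAGIC = b"VLANPROBE"           # assumed marker, not a real protocol
HEADER_LEN = len(MAGIC) + 8    # marker followed by a big-endian double


def build_probe(token: bytes, sent_at: float) -> bytes:
    """Build one probe datagram: MAGIC | send time (8 bytes) | token."""
    return MAGIC + struct.pack("!d", sent_at) + token


def parse_probe(data: bytes):
    """Return (sent_at, token) for a valid probe, or None for anything else."""
    if not data.startswith(MAGIC) or len(data) < HEADER_LEN:
        return None
    (sent_at,) = struct.unpack("!d", data[len(MAGIC):HEADER_LEN])
    return sent_at, data[HEADER_LEN:]


def send_probe(broadcast_addr: str, token: bytes, port: int = DISCOVERY_PORT) -> None:
    """Send one probe to a (directed) broadcast address on the discovery port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_probe(token, time.time()), (broadcast_addr, port))


def listen(port: int = DISCOVERY_PORT, timeout: float = 10.0):
    """Collect probes seen on the port until `timeout` seconds pass without one.

    Each entry is (source_host, token, one_way_delay_seconds).  If the source
    host is the router's address rather than the original sender, the relay
    rewrote the source and replies would be sent to the router instead.
    """
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        s.settimeout(timeout)
        try:
            while True:
                data, (host, _) = s.recvfrom(2048)
                parsed = parse_probe(data)
                if parsed is None:
                    continue          # some other traffic on the port; ignore
                sent_at, token = parsed
                seen.append((host, token, time.time() - sent_at))
        except socket.timeout:
            pass
    return seen


if __name__ == "__main__":
    # Usage: on a host in the server VLAN:   python probe.py listen
    #        on a host in the device VLAN:   python probe.py send 10.11.6.255
    # (10.11.6.255 is assumed to be the directed broadcast of the /24 in the post)
    if len(sys.argv) >= 2 and sys.argv[1] == "listen":
        for host, token, delay in listen():
            print(f"probe {token!r} from {host} after {delay * 1000:.1f} ms")
    elif len(sys.argv) >= 3 and sys.argv[1] == "send":
        send_probe(sys.argv[2], b"probe-1")
    else:
        print("usage: probe.py listen | probe.py send <broadcast-address>")
```

Run the listener first on the LMS side and then send from the entertainment VLAN; no output at all means the datagram never crossed (relay or firewall), while output with the router's address as source means it crossed but the sender's address was not preserved. Both cases look identical from the device's point of view (no discovery reply), which is why checking the observed source is worth the extra step.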
#3
I updated a number of OPNSense 22.7.6 instances yesterday night by remote connection.  All upgrades were "successful."

One installation, however, now has no devices which can connect to the internet.  Meanwhile, I can still connect to the router remotely and can see all expected devices listed in /status_dhcp_leases.php.  However, I cannot connect to any of those machines by VNC, SSH or other methods for which ports are open.

This sounds like a firewall configuration problem (although I changed nothing before or after the upgrade!), so I turned it off (temporarily).  I did this at /system_advanced_firewall.php under Miscellaneous/"Disable all packet filtering."  [ I recognize this is a "bazooka"-type, acceptable for quick testing-only "solution," but the devices could still NOT connect out nor I in. ]

I started worrying that the modem was doing something weird, but having a user at the facility connect a computer directly to the modem immediately enables internet access via that (i.e. directly connected) device (Arris SB6183, basically a "dumb" device which allows for essentially no end-user configuration; the modem is at the same exact hardware and software revisions as other installations which are working fine under OPNSense 22.7.8).

OPNSense health check indicates no problems . . .

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.8 (amd64/OpenSSL) at Mon Nov 21 13:31:12 PST 2022
>>> Check installed kernel version
Version 22.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-ddclient 1.9_1
os-wireguard 1.13_1
os-wol 2.4_1
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ................................................................. done
***DONE***



Any and all ideas would be most welcome.

Thank you in advance!!
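Added example (not from the post above and not part of OPNsense): a parser that turns the console health audit quoted in the post into a structured record, so the result can be kept as a baseline per router and any section that does not report clean is surfaced explicitly instead of being read by eye. The sample input is the audit text quoted in the post; the section names and "clean" phrases the checker looks for are taken from that same output, so they are assumptions about what other versions print.

```python
"""Parse OPNsense's console health audit output into a structured summary.

Added example, not the post author's or the OPNsense project's code.
Section names and the "clean" phrases are copied from the audit quoted in
the post; other OPNsense versions may word them differently.
"""
import re

# Sample input: the health audit output quoted in the post above.
SAMPLE_AUDIT = """***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.8 (amd64/OpenSSL) at Mon Nov 21 13:31:12 PST 2022
>>> Check installed kernel version
Version 22.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-ddclient 1.9_1
os-wireguard 1.13_1
os-wol 2.4_1
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ................................................................. done
***DONE***
"""

RUNNING_RE = re.compile(r"^Currently running OPNsense (\S+) \((.+?)\) at (.+)$")
VERSION_RE = re.compile(r"^Version (\S+) is correct\.$")
PLUGIN_RE = re.compile(r"^(os-\S+) (\S+)$")

# Sections that must contain an exact "clean" line to count as passing.
CLEAN_LINES = {
    "Check for missing or altered kernel files": "No problems detected.",
    "Check for missing or altered base files": "No problems detected.",
    "Check locked packages": "No locks found.",
}
# Sections that run a package walk and end with "... done" when complete.
WALK_SECTIONS = (
    "Check for missing package dependencies",
    "Check for missing or altered package files",
    "Check for core packages consistency",
)


def parse_health_audit(text: str) -> dict:
    """Split the audit into its '>>> ' sections and extract the header facts."""
    report = {"running": None, "build": None, "timestamp": None,
              "sections": {}, "plugins": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("***"):
            continue                      # banner lines carry no data
        m = RUNNING_RE.match(line)
        if m:
            report["running"], report["build"], report["timestamp"] = m.groups()
            continue
        if line.startswith(">>> "):
            current = line[4:]
            report["sections"][current] = []
            continue
        if current is not None:
            report["sections"][current].append(line)
            m = PLUGIN_RE.match(line)
            if m and current == "Check installed plugins":
                report["plugins"][m.group(1)] = m.group(2)
    return report


def section_version(report: dict, name: str):
    """Version string from a 'Version X is correct.' line, or None."""
    for line in report["sections"].get(name, []):
        m = VERSION_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit_findings(report: dict) -> list:
    """Return human-readable findings; an empty list means every check was clean."""
    findings = []
    for name, expected in CLEAN_LINES.items():
        lines = report["sections"].get(name)
        if lines is None:
            findings.append(f"section missing: {name}")
        elif expected not in lines:
            findings.append(f"{name}: {' | '.join(lines)}")
    for name in WALK_SECTIONS:
        if not any(l.endswith("done") for l in report["sections"].get(name, [])):
            findings.append(f"{name}: did not finish")
    for name in ("Check installed kernel version", "Check installed base version"):
        if section_version(report, name) is None:
            findings.append(f"{name}: no 'Version ... is correct' line")
    return findings


if __name__ == "__main__":
    rep = parse_health_audit(SAMPLE_AUDIT)
    print("running:", rep["running"], "build:", rep["build"])
    print("kernel:", section_version(rep, "Check installed kernel version"),
          "base:", section_version(rep, "Check installed base version"))
    print("plugins:", rep["plugins"])
    print("findings:", audit_findings(rep) or "none")
```

Saving the parsed record from each router after an upgrade gives something to diff when one installation misbehaves: a plugin version that differs from the others, or a section that stopped reporting clean, stands out immediately, whereas the audit alone (as in the post) only says that the packages on that one box match what the repository expects.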
#4
I am a very recent OpnSense convert and enjoying it tremendously so far.  It is incredibly intuitive and/or cleanly laid out compared to OpenWRT, DD-WRT and especially MikroTik's RouterOS with which I had multiple false starts.  Thank you OpnSense developers (and predecessors) for your great work!

In spite of the intuitiveness, this afternoon I managed to lock myself out (of the web interface) while experimenting with VLANs.

Surprisingly, I am NOT able to log in via SSH to get anything done.  Connection attempts to a known correct port time out with either the admin or my single "named" user.

I am fairly certain I gave each user SSH access and that the non-standard SSH port was added (automatically, then double-checked) to the "anti-lockout" rule.  It is, however, possible I did that on an earlier test installation.

So, I guess I am left with attaching a keyboard and display.

My related questions then are:

  • Where are the docs showing how to use the console? [I have poked around in https://docs.opnsense.org/manual/ and found nothing, even in the troubleshooting section, which surprised me quite a bit.]
  • In the absence of such documentation, what are the steps to restore from a backup when in the console? (I assume it might be much quicker to do that than find and fix whatever arcane thing I was trying to do with VLANs, especially since I applied a bunch of changes (I know, I know!  ::) )

I'm hoping to not have to reinstall to restore a backup (although that would not be a worst-imaginable case scenario! )

Thanks in advance for any insights.