23.7 Legacy Series / Re-application of firewall rules needed to allow Wireguard routing after reboot
« on: November 28, 2023, 12:38:29 pm »
Dear lurkers: I have a workaround here.
Hi all
Unfortunately I've not been able to find any sort of logs that will assist with this issue; however, I'll describe the issue in its entirety in the hope that someone can help with regards to how to diagnose this issue.
This is something that came to light when upgrading to the latest community version from 23.1 - at the time of this post, it is 23.7.9.
As far as I can tell, everything appeared to be working when I had performed checks post-install of 23.7, however I wouldn't trust that.
So, issue:
- Firewall VM is booted
- Wireguard is booted
- WG user can connect to WG server, and can access OPNsense admin UI
- WG user can access any IPs that are declared/routed through Wireguard
- WG user cannot access any IPs that are routed to the firewall itself, other than the port of admin UI/admin SSH
- Any attempt by WG user to access IPs routed through the firewall is met with a connection timeout
- Any attempt by WG user to access IPs does appear in logs (filter=dst_ip, filter=dst_port), and they are not blocked.
- NOTE: I didn't check whether or not any responses to the originating IP address were logged nor blocked.
- WG user proceeds to "Firewall" > "Aliases" page within admin UI
- WG user proceeds to click "Apply" at the bottom of the page
- WG user is now able to access IPs local to the Firewall
I'm confused. How should I go about this, other than adding a script to perhaps re-apply firewall rules soon after boot?
Note: all other routing works as intended, I appear to just have problems being routed through the firewall between the firewall booting, and me manually re-applying rules.
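One way to gather the evidence the post says is missing, as an added example that is not part of the original post: snapshot the packet-filter, table, routing and WireGuard state right after boot, then again after clicking "Apply", and diff the two. It assumes the standard FreeBSD/OPNsense tools pfctl, netstat and wg are on PATH, and that the WireGuard interface is called wg0 (an assumption; set WG_IF to override).

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense itself.
# Captures the state a firewall reaches after boot so it can be compared
# with the state after a manual "Apply" of aliases/rules in the web UI.

WG_IF="${WG_IF:-wg0}"   # assumed WireGuard interface name

# capture FILE CMD [ARGS...]: store CMD's output in FILE; record a missing
# tool instead of aborting so a partial snapshot is still usable.
capture() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "# exit status $?" >> "$out"
    else
        echo "# $1: command not found" > "$out"
    fi
}

# snapshot_fw_state DIR: one file per data source.
snapshot_fw_state() {
    dir="$1"
    mkdir -p "$dir"
    capture "$dir/pf_rules.txt"  pfctl -sr            # loaded filter rules
    capture "$dir/pf_nat.txt"    pfctl -sn            # NAT / rdr rules
    capture "$dir/pf_ifaces.txt" pfctl -s Interfaces  # interfaces pf knows
    capture "$dir/routes.txt"    netstat -rn          # kernel routing table
    capture "$dir/wg.txt"        wg show "$WG_IF"     # peers and allowed-ips
    # Aliases are pf tables: dump every table's members, since "Apply" on
    # the Aliases page is what reloads them.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -sT 2>/dev/null | while read -r t; do
            echo "== $t"; pfctl -t "$t" -T show
        done > "$dir/pf_tables.txt" 2>&1
    fi
    date > "$dir/taken_at.txt"
}

# diff_fw_state BEFORE AFTER: return 0 if both snapshots agree on every file
# except the timestamp, 1 otherwise (the differences are printed).
diff_fw_state() {
    before="$1"; after="$2"; changed=0
    for f in "$before"/*.txt; do
        name=$(basename "$f")
        [ "$name" = "taken_at.txt" ] && continue
        if ! diff -u "$f" "$after/$name"; then
            changed=1
        fi
    done
    return $changed
}
```

Typical use: `snapshot_fw_state /root/fw-boot` shortly after boot, click "Apply" in the UI, `snapshot_fw_state /root/fw-applied`, then `diff_fw_state /root/fw-boot /root/fw-applied` shows exactly which rules, tables or routes the manual apply changed.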