Messages - bartjsmit

#16
Why not run the OpenVPN client on Android?
#17
Quote from: medeiros75 on April 20, 2025, 03:19:36 AM
all of my opnsense networks lose internet

What are the symptoms? Ping 8.8.8.8 fails? No Netflix? Zoom has no sound?

Have you done any troubleshooting? If so, what did you find?
#18
I think it's time to start tracing. Install Wireshark on a client and capture its and the firewall's packets.
#19
General Discussion / Re: Routing Subnets
April 16, 2025, 11:13:07 AM
Can you set up a separate VLAN for each subnet? That will give you different interfaces for the routing table.
#20
Make sure OPNsense is set up as a subnet router:

- advertised routes tab shows your LAN in VPN: Tailscale: Settings on OPNsense
- on the Tailscale admin page, you see a blue 'Subnets' label and in 'Edit route settings...' on the ... menu for your OPNsense node you have approved the subnet

https://youtu.be/XXx7NDgDaRU

Bart...
#21
Quote from: d82k on April 12, 2025, 07:40:02 PM
Any idea please?

Can you put the ISP routers in modem mode? At the moment you have net|vpn|nat|nat|vpn|net.

If your ISPs do CGNAT, you could even have net|vpn|nat|nat|nat|nat|vpn|net. You can check for CGNAT by browsing to https://ifconfig.co/ and comparing the address shown with the WAN IP of your router.

Much simpler than configuring a VPN through multiple routers is an overlay network such as Tailscale or Zerotier. Both are available as OPNsense plugins.

Bart...
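The CGNAT check described in the post above, as an added example that is not part of the original post: it compares a router's WAN address with the address an external service such as https://ifconfig.co/ reports, and also flags the RFC 6598 shared range (100.64.0.0/10) that carriers use for CGNAT. The function name, result labels and sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, typical behind an ISP router not in modem mode
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, seen_ip: str) -> str:
    """Compare the router's WAN address with the address an external
    service reports. Hypothetical helper and labels, IPv4 only."""
    wan = ipaddress.IPv4Address(wan_ip)    # raises ValueError on bad input
    seen = ipaddress.IPv4Address(seen_ip)
    if wan == seen:
        return "direct"            # no NAT upstream of this router
    if wan in CGNAT:
        return "cgnat"             # carrier NAT sits between you and the internet
    if any(wan in net for net in RFC1918):
        return "rfc1918"           # another NAT router upstream (maybe CGNAT too)
    return "differs-public"        # public WAN, but traffic leaves via another address


# Constructed sample pairs (reserved/documentation ranges, not real hosts):
# (WAN IP shown on the router, address reported by the external service)
SAMPLES = [
    ("203.0.113.10", "203.0.113.10"),
    ("100.72.14.9", "203.0.113.10"),
    ("192.168.1.2", "203.0.113.10"),
    ("198.51.100.7", "203.0.113.10"),
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        print(f"WAN {wan:<15} seen as {seen:<15} -> {classify_wan(wan, seen)}")
```

An "rfc1918" result only describes the first hop; repeat the comparison with the ISP router's own WAN address to see whether CGNAT is stacked on top of it.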
#22
Quote from: Shoog on April 12, 2025, 01:30:18 PM
It seems that the upgrade has somehow trashed my GPT partitions.

That seems more like a hardware problem. Maybe your PSU or RAM is iffy?
#23
System: Settings: General

What setting do you have for 'Allow DNS server list to be overridden by DHCP/PPP on WAN'?

Services: Unbound DNS: General

Do you have Unbound enabled?

I don't run any DNS service on OPNsense. It uses internal DNS from my authoritative internal servers only. Self-hosted FTW ;-)
#24
Log onto the console (SSH?) and select option 13 to roll back your changes.
#25
What happens when you install a different OS on the firewall and access the modem GUI? If you mirror the switch port for the modem or the WAN interface, you can capture the traffic and confirm the interface negotiation.
#26
General Discussion / Re: New opnsense setup
April 01, 2025, 11:48:43 AM
Yes, I think that is a much more sensible approach. Layer 3 on OPNsense and Layer 2 on the mesh, each doing what they do best.
#27
General Discussion / Re: New opnsense setup
April 01, 2025, 07:59:03 AM
You are making things more difficult for yourself. Replace the router with the Protectli instead of trying to use them in series.

That will also give you an easy roll-back in case it takes longer than you think to set up OPNsense.
#28
I'm guessing it is DNS but you can check here: https://isitdns.com/ ;-)

Try hosts entries for your reverse proxy on a LAN device and check that it works. If you have another server, why not make it an authoritative DNS for your LAN?
#29
A determined attacker can overcome OS and configuration changes, or simply plug the network cable into another device to thwart restrictions based on IP address.

https://en.wikipedia.org/wiki/Evil_maid_attack (apologies for the implied sexism)
#30
If you don't trust a computer (or its operator) then you need to put it in a separate VLAN. That means that its access is configured on the switch and the firewall no matter what happens on the machine.