Messages - bobbythomas

#1
My bad, the issue was that I didn't install the Snort and ET Telemetry plugin. Closing this now.
#2
I was having a lot of problems with my old firewall instance, so I was setting up a new firewall instance from scratch. After some initial configuration I was about to set up IPS on the firewall, and it seems like the options to add new rulesets (ET Telemetry, Cisco, etc.) are missing. I had these rulesets in the old instance but I am unable to add them to the new one. Does anyone know where these options reside on 22.7?

Please see the attached screenshot.

TIA
#3
Hi OPNsense team,

Not sure if this is the right place for feature requests. I recently came across the Lokinet (onion routing) platform, which is somewhat similar to Tor but more decentralised and optimised, and seems more secure. Although there is no release currently available for FreeBSD, it can be built from source; see https://github.com/oxen-io/loki-network. Unlike Tor, Lokinet can tunnel all IP traffic over their low-latency onion network. Is there any way we can develop a plugin for Lokinet?

Note: Session IM app (alternative to Whatsapp/Signal/Telegram) uses Lokinet.

Thank you,
Regards,
Bobby Thomas
#4
This seems to be recurring: I am unable to connect to WG from outside (WAN) if I try to establish a new session (mostly some hours after establishing a WG VPN session). But after connecting from inside (LAN) I am able to establish a WG session from outside. This is kind of weird. As this is recurring I changed the status of this post.

Any idea what could be causing the issue?

Thank you,
Regards,
Bobby Thomas
#5
OK, this is kind of weird. I tried connecting from the inside network and it connected fine, then I tried connecting from WAN again and this time it connected fine. Not sure what's going on with WG.

Going to mark this as Solved.
#6
Hi All,

I have upgraded my OPNsense instance to 21.1.4 from 21.1.2 and since then WireGuard is not working; I think the service is not running or there is some other issue. I see the WG handshake timing out on the client side, but there is no traffic seen on the firewall end. I tried capturing packets on the WAN side on UDP port 51820 (the default port) but it's not even showing any hits. I can see other traffic from the same IP and the IPsec VPN is also working fine. Were there any changes in 1.5? Do I need to reconfigure WG from scratch after this upgrade?

Thanks in advance.

Regards,
Bobby Thomas
#7
Hi there,

This may not be much related to OPNsense, but I would like to get some guidance on moving swap to a new partition/disk. Currently I am running the OPNsense VM on Proxmox with an SSD; I would just like to move the swap partition to another HDD. Is it possible?

Thanks in Advance,

Regards,
Bobby Thomas
#8
No, it's not related to routing or NAT, as soon as I change the modem from bridge mode to routed mode I get the private IP from the modem. As for the "Block private networks", it's already unchecked. My ISP doesn't provide IPv6 addresses yet, so it's not related to IPv6.

I think this is something related to the DHCP client service, or some configuration on the ISP side which restricts IP allocation to certain MAC addresses (like some virtual MAC addresses which have an unknown OUI).
#9
Hi Team,

Hope everyone is enjoying the holidays.

Well, it seems like my holidays are going from bad to worse. Coming to the point: I have an OPNsense firewall set up in a VM in Proxmox and it has been working great. A couple of weeks back my ISP replaced my DOCSIS 3 Ethernet cable modem with a Wi-Fi one, and since then I have been facing issues. I have disabled the Wi-Fi on the new Wi-Fi DOCSIS modem and configured bridge mode (as I need the public IP terminating on my OPNsense firewall). I got a public IP on the modem for some time, then it started causing issues: I started getting an IP address from the 192.168.5.0/24 range even though I have disabled the DHCP service on the Wi-Fi modem. Whatever I do, I only receive an IP address from the range 192.168.5.0/24 on my OPNsense firewall, while if I connect a PC to the modem I am getting a public IP issued by the ISP DHCP server. I am scratching my head to understand why it's happening like this.

I also tried a different approach by assigning the MAC address of the PC to the OPNsense WAN interface, and then it gets the public IP but it cannot communicate with anything on the WAN (it cannot ping the gateway, and it seems no traffic is passing through). Any idea how I can get this issue fixed? I think there is some issue with the OPNsense DHCP client service.

Thanks in advance,
Regards,
Bobby Thomas
#10
Quote from: Gauss23 on October 29, 2020, 07:03:02 PM
Why don't you just use split-DNS for this? OPNsense is handling Let's Encrypt on the public IP. Then you define an override in Unbound for the same hostname as you used for the Let's Encrypt cert, with the internal IP of the OPNsense.

I thought of doing this, but I will have to import the cert from the firewall and update that on the server every 3 months. So I thought I would go with HAProxy.

Regards,
Bobby Thomas
#11
Quote from: lebernd on October 29, 2020, 12:40:03 PM
I don't use Unbound for Home Assistant but for other HAProxy services that also depend on LE, and I don't have problems. Inside and VPN are redirected to the local address (the new virtual IP of the HAProxy frontend), but LE is working and looking for the official DNS servers.

Edit:
The condition and rule are simple:
cond: host starts with (match or end will most likely also be possible): fqdn, or something like it
rule: if cond -> execute function use backend ...
The rule is then selected/applied on the frontend.

Best regards,
Bernd

I got it working for LAN; I will go through the VPN part in some time. Thank you for your valuable suggestion.

Regards,
Bobby Thomas
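As an added example (not from the thread or from the OPNsense plugin), this is the condition/rule Bernd describes written as plain haproxy.cfg syntax: a frontend bound only on internal addresses that terminates TLS with the Let's Encrypt certificate and hands requests for the DDNS hostname to the openHAB backend. The hostname, the LAN/VPN addresses, the openHAB address and the certificate path are placeholders.

```haproxy
# Added example, not from the thread. Placeholders: openhab.example.net,
# 10.0.0.1 (LAN address) / 10.8.0.1 (VPN address), 192.168.1.20 (openHAB),
# and the cert path (on OPNsense the ACME/HAProxy plugins manage this file).
frontend internal_https
    # Bind only on internal addresses so the service is not exposed on WAN,
    # matching the requirement that it is reachable from LAN and VPN only.
    bind 10.0.0.1:443 ssl crt /path/to/openhab.example.net.pem
    bind 10.8.0.1:443 ssl crt /path/to/openhab.example.net.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # Condition: the Host header starts with the FQDN the cert was issued for
    # (Unbound's host override points that FQDN at this frontend internally).
    acl host_openhab req.hdr(host) -m beg -i openhab.example.net
    # Anything else is rejected instead of falling through to a default backend.
    http-request deny if !host_openhab
    # Rule: if the condition holds, use the openHAB backend.
    use_backend openhab_be if host_openhab

backend openhab_be
    mode http
    # openHAB keeps listening on plain HTTP internally; TLS ends on the firewall.
    server openhab1 192.168.1.20:8080 check
```

The certificate renewal then only ever touches the firewall, which is the manual three-monthly import step the thread is trying to avoid.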
#12
Thank you for the suggestion, Bernd. I will give it a try with HAProxy; the only concern I have is with name resolution from inside and how to configure rules in HAProxy according to that.

Regards,
Bobby Thomas
#13
Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an openHAB server for automation on the inside, and I have access to it over HTTP/HTTPS only from inside. There are some Android apps which require HTTPS and a public CA-signed certificate for API access (as from Android 10 they have those restrictions). I have the Let's Encrypt service running for a CA cert which signs my DDNS domain. I previously had Pi-hole, where I had created a static DNS A record for my DDNS domain pointing to openHAB, and then I imported the Let's Encrypt certificate to openHAB from OPNsense; after this the Android app worked well. Now I have moved away from Pi-hole, as I am now using Unbound and BIND for DNS filtering. Also, it's very hectic to manually import the certificate to openHAB every three months, so I want to know if I can use HAProxy for this purpose. I only need to access this server from inside and VPN networks and not from outside, but I need it to use the Let's Encrypt cert for SSL.

It may be a little confusing to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas
#14
Quote from: mimugmail on August 03, 2020, 01:57:06 PM
I checked all the available good documentation and also the official one:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

I have no idea why you set your local networks in local instance.

This is nowhere documented.

Maybe this was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1.

OK, I may have overlooked this while configuring the local instance. I think I added my LAN as well as ZeroTier to the WireGuard config, thinking it's similar to the IPsec config. Anyway, I removed it now and everything looks good. I will keep this in mind when configuring WG in future.

Thank you Michael. Appreciate your assistance.

Regards,
Bobby Thomas
#15
Quote from: mimugmail on August 03, 2020, 01:19:55 PM
WHERE did you set this 192.168.1.0/24? In the local instance or the endpoint?

Local instance (on the firewall).