Messages - pbolduc

#1
18.1 Legacy Series / [FEATURE REQUEST] IPSEC Fail-over
January 13, 2018, 04:46:43 PM
Would it be possible to include a Secondary Gateway option for IPsec VPN failover?

You wouldn't need to re-configure any firewall policies, static routes or encryption. Just have a Primary IPsec Gateway and Secondary IPsec Gateway option as a backup in the IPsec tunnel connection properties. Sonicwall UTMs seem to have this feature and it looks pretty slick.
#2
17.1 Legacy Series / Re: IPSec VPN Problems
May 10, 2017, 11:27:52 PM
Do you happen to have Multi-WAN ports / HA load balancing configured at Site A on the OPNsense box?

When you ping between both servers, try doing a ping test to test for packet fragmentation through the VPN

Example from Site 1: ping server2 -l 1500
Example from Site 2: ping server1 -l 1500

Inspect your MTU on your WAN port of each router to see what your MTU is set at. In the examples above I used 1500 bytes. The default MTU of OPNSense WAN port is 1500 bytes. Ensure you're not getting packet fragmentation through the VPN tunnel during your ping tests.

I am going to assume each side of the VPN has a different subnet:
Example Site 1: 192.168.1.X  /24
Example Site 2: 192.168.2.X /24

If it happens to be a restrictive firewall policy through the IPSec tunnel to the Zyxel, the network ports I normally pass for File & Printer Sharing are: TCP/UDP: 135,137,138,139,445.
#3
Each remote site should be on its own separate subnet. For instance, offices 2 & 3 should not be using the same network segment; this will cause a routing problem. I only know of Cisco that can handle this properly.

You need to ensure static routes are in place for your road warrior subnet to locate these other remote sites through the IPsec tunnel instead of through the default WAN gateway. You will also need static routes from the remote offices routing back to your road warrior VPN router endpoint through the IPsec tunnel.

Firewall policies need to be configured to allow this additional network traffic to come and go for each gateway interface through the existing IPSec tunnel.

Assuming your road warrior VPN endpoint is installed at the main office, the road warrior client will also require persistent static routes set up in the local routing table for offices 2 & 3 to ensure traffic destined for the remote offices goes through the VPN tunnel and not out the local device's default gateway, as there isn't a direct connection from the road warrior device to these two remote networks (offices 2 & 3).
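As an added illustration of the routing plan described in this post (example code, not from the post or from OPNsense), the script below checks a hub-and-spoke IPsec layout with a road warrior pool at the main office for overlapping site subnets and lists the static routes each endpoint needs so remote-office traffic uses the tunnel instead of the default WAN gateway. Site names, subnets and the next-hop labels are constructed for illustration.

```python
"""Added example: overlap check and static-route plan for a hub-and-spoke IPsec
layout with a road warrior pool at the hub.  All addresses are constructed."""
from ipaddress import ip_network
from itertools import combinations

# Constructed topology: "main" hosts the road warrior VPN; the offices are spokes.
SITES = {
    "main":    "192.168.1.0/24",
    "office2": "192.168.2.0/24",
    "office3": "192.168.3.0/24",
}
RW_POOL = "10.10.10.0/24"   # road warrior client pool, assigned at the hub
HUB = "main"


def find_overlaps(sites, rw_pool=RW_POOL):
    """Return sorted name pairs whose subnets overlap (including the RW pool).

    Any hit is the "offices 2 & 3 on the same segment" problem: the hub cannot
    tell which tunnel a destination belongs to, so routing breaks.
    """
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    nets["roadwarrior"] = ip_network(rw_pool)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def required_routes(sites, hub=HUB, rw_pool=RW_POOL):
    """Static routes per endpoint as (destination, next hop label) pairs.

    - hub: each spoke subnet reachable via its IPsec tunnel, so RW traffic
      arriving at the hub is not sent out the WAN default gateway
    - each spoke: a return route for the RW pool back through the hub tunnel
    - rw_client: a persistent route per spoke via the VPN adapter, because the
      client has no direct path to the remote offices
    """
    spokes = sorted(name for name in sites if name != hub)
    routes = {hub: [], "rw_client": []}
    for spoke in spokes:
        routes[hub].append((sites[spoke], f"ipsec:{spoke}"))
        routes["rw_client"].append((sites[spoke], "vpn"))
        routes[spoke] = [(rw_pool, f"ipsec:{hub}")]
    return routes


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    for endpoint, entries in required_routes(SITES).items():
        print(endpoint, entries)
```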
#4
Hi,

I have a setup where there are two isolated networks: VLANID:1 (192.168.1.x) & VLANID:2 (192.168.100.x). I would like the management interface for OPNsense to be available remotely on both internal management interfaces. For instance:
If VLANID:1 Ethernet Port 1 is 192.168.1.1, then from a public computer I would like to be able to navigate to http://my_public_ip:4443 to access the OPNsense web interface.
If VLANID:2 Ethernet Port 2 is 192.168.100.1, then from a public computer I would like to be able to navigate to https://my_public_ip

The reason for this is that regardless of what interface is connected there will always be an accessible remote management interface. I do not plan on using both interfaces at the same time, but I'd like the option available, depending on what interface is plugged in, to be automatically set up and functional for remote configuration.

Presently, I can remote administer the OPNsense router by going to https://my_public_ip

However, when I create a NAT rule on the WAN port for 4443 to map to 192.168.1.1:443 it fails to connect me to the OPNsense web interface; the connection times out.

I can access both https://192.168.1.1 & https://192.168.100.1 from each internal network to manage the router.

Nevermind, I accidentally typo'd the remote WAN hostname compliments of autofill.
#5
Thank you, I will look into this.
#6
17.1 Legacy Series / VLANs
April 26, 2017, 05:30:14 AM
I think my biggest problem was not binding the bridge interface to the bridge. For anyone interested below is my working config.

Interfaces: Assignments
Bridge: Bridge0 ()
LAN1: EM1
LAN2: EM2
LAN3: EM3
WAN1: EM0

Interfaces: Other Types:VLAN
EM1 VLAN ID 1
EM2 VLAN ID 2
EM3 VLAN ID 2

Interfaces:
LAN1: IP ADDRESS: 192.168.1.1 / 255.255.255.224
DHCP RANGE: 192.168.1.2-192.168.1.30

Interfaces: Other Types: Bridge
Interface: BRIDGE0 Members: Bridge,LAN2,LAN3
IP ADDRESS: 192.168.100.1 / 255.255.255.224
Bridge DHCP Range: 192.168.100.2-192.168.100.29

I use the Firewall: Rules section under the Bridge & LAN1 interfaces to include a Deny policy to prevent VLANID 1 from accessing VLANID 2 and vice versa, and I ensure the deny policy is applied at the top before any additional policies.

In conclusion, this setup allows the OPNSense router to have two isolated & private networks which also can be service configured to communicate between the two by means of a firewall policy. This configuration also allows both networks to share the same common internet connection.

Time for a kitkat and a config backup! LOL
#7
17.1 Legacy Series / VLANs
April 26, 2017, 12:10:36 AM
*** UPDATE *** Oh my gosh, where to begin? Networking can be so crazy complicated but the solution is always logical and simple.

I was able to get VLAN tagging working with my bridged interfaces and my managed switch. I had two VLANs on the managed switch: VLAN ID 1 and VLAN ID 2. I also set up firewall rules to send traffic from VLAN1 to VLAN2 but not from VLAN2 to VLAN1. Anyway, mysteriously traffic was somehow going from VLAN2 to VLAN1 without any routing or firewall rules. In fact I got so frustrated I was using DENY permissions to prevent the flow of traffic between the two networks, having absolutely no impact. Traffic was still flowing back and forth freely. How was this possible? Well... as it turns out my LAN interface on the OPNsense router had an IPsec tunnel set up between the two routers/VLANs. Traffic was routing out through the WAN interface through the VPN and making its way from VLAN2 to VLAN1. Now the mystery is over and I've disabled my IPsec tunnel that I had set up a while ago. Crazy frustrating! Sometimes I'm my worst enemy.

Just to recap the concern is:

1) When initially setting up or connecting an OPNSense router, it fails to route, but is immediately cleared up by a system reboot.
#8
17.1 Legacy Series / Re: Port Forward not working
April 25, 2017, 05:24:40 PM
Well, I've compared your port forward with my port forward. The only difference I can see is in your NAT rule. Mine looks like this: WAN -> TCP -> * -> * -> * -> 3389 -> PC -> 3389 -> RDP Description

Is the phone and the computer on the same remote network?

Make sure the offsite computer doesn't have a software firewall blocking outbound TCP 3389. It sounds more like a remote computer problem than an OPNsense firewall problem if a remote cellphone app connects through the OPNsense router and the remote computer does not.

Things to try: from the remote computer, can you telnet to port 3389? E.g. telnet <public-ip> 3389

Does it show as the port being open? If it is open it will show a flashing cursor and a blank screen. If it fails it will return: Could not open connection to the host, on port 3389.

From the remote computer in question, are you able to use RDP to another PC on the local network without any routing?
#9
17.1 Legacy Series / VLANs
April 24, 2017, 08:35:33 PM
I have 3 interfaces (Network cards) that I have bridged together to act like a switch on the Opnsense box. I have manually tagged each of the individual bridged interfaces with a VLAN ID of 2. However, after connecting the OPNSense device to my managed switch port with the same tagged VLAN ID of 2, it appears the ports on the OPNSense box aren't being tagged as this enables them access to my management VLAN ID of 1.

When I set my managed switch to discard untagged frames on the port the OPNsense is connected to, it stops all traffic to and from the OPNsense box. I can only assume the OPNsense bridge NIC packets aren't being tagged with a VLAN ID to the managed switch.

Sorry, this is probably my own fault, I'm reviewing my configuration and I may have missed a few steps...
#10
17.1 Legacy Series / Re: Bugs
April 24, 2017, 12:29:58 AM
Okay, so I get an IP on the WAN port. I can ping the WAN IP and WAN gateway IP, but every other public IP replies "destination host unreachable". I can successfully release and renew the IP using the GUI: Interfaces --> Overview --> WAN interface / release/renew OK. I can't ping from Interfaces: Diagnostics: Ping; it returns: ping sendto: no route to host

When I run the command you asked me to: # dhclient <name of WAN interface>
It returned: dhclient already running, pid: 74889.

I have also attached as many logs as I could find while it wasn't working.
Disabling and Enabling the WAN interface doesn't correct the problem. Only a system reboot of OPNSense corrects the problem.
#11
17.1 Legacy Series / Re: Bugs
April 23, 2017, 06:07:54 PM
I definitely tried that but not from the CLI. The adapter did release and renew but it still did not correct the problem. I will try from the CLI and report back, but I suspect it will end with the same result. I'm also sure I attempted pinging the WAN interface and gateway, but now I can't remember what the outcome was. I will try that again too.
#12
17.1 Legacy Series / Re: Bugs
April 23, 2017, 04:35:06 AM
Yes, the router's WAN is set for DHCP. It does obtain an IP from the ISP, but the routing between the LAN and WAN port ceases until the router is rebooted after saving changes to the WAN interface.
#13
17.1 Legacy Series / Re: Bugs [Updated]
April 22, 2017, 10:07:22 PM
I just have a cable modem plugged directly into the WAN port. I'm pretty sure I can reproduce the problem consistently. If you could provide me with a method to report more information I would be more than happy to try it.

I'm also in the process of attempting to install Squid to test as a content filter. However, it appears the Squid install doesn't complete after attempting to download ACLs from a URL and apply them. The Squid service doesn't start and the following errors show in the event log located here: https://192.168.1.1/diag_logs_proxy.php?type=cache
File /var/log/squid/cache.log doesn't exist.
File /var/log/squid/access.log doesn't exist.
File /var/log/squid/store.log doesn't exist.

The furthest I could make it following the manual (https://docs.opnsense.org/manual/how-tos/proxywebfilter.html) was Step 3.

The Blocklist file I attempted to use was: http://www.shallalist.de/Downloads/shallalist.tar.gz

I have gotten the Squid service up and running. I didn't realize the prerequisite to enabling this service was to not use "DNS Forwarding" but to install and enable the DNS Resolver by installing the "Unbound DNS" service. Which makes sense, because I needed a local authoritative DNS server, not a DNS forwarding service.
#14
17.1 Legacy Series / Concerns & VLANS
April 22, 2017, 08:06:19 PM
To whom it may concern,

When I change the WAN adapter settings to enable/disable
- Block private networks
- Block bogon networks
and save the settings, the router doesn't recover and prevents traffic from routing out the gateway. The only way to restore routing functionality is to reboot the router.
There are also a few other areas pertaining to NAT that prevent the router from routing after applying settings, and the router only resumes after a reboot. Disabling the WAN interface and re-enabling the interface doesn't correct the problem.
#15
Hi,

What I was attempting to do was to isolate a range of computers in the same subnet from having internet access while only allowing those in another range in the same subnet to have internet access. I don't think this is possible, though, and probably an easier solution would just be to VLAN two networks to achieve this: VLAN1 (has internet) & VLAN2 (has isolated network access but not internet). So I've opted for an easier solution, where I control the PCs on a small subnet and use DHCP MAC registration for those I want to connect to the network and internet. The other PCs that just need network access can make do with a static IP address and no gateway.