Messages - robvh

#1
Fresh install of OPNsense-19.1-OpenSSL-vga-amd64.img from a USB stick on a real (J1900, UEFI) machine hangs at Booting ...

Luckily, I'm not the first victim (https://forum.opnsense.org/index.php?topic=11400.msg51534#msg51534 and https://twitter.com/opnsense/status/1091014083112062980) and of course I didn't have to read Release Update before, so after several attempts I was finally quick enough to hit 3 at the boot prompt.
Enter set kern.vty="sc" and now the boot process from USB continues.

After running the installer, boot from the internal SATA disk hangs again, at Booting ...
But now I'm prepared and change the "Console driver" option via the web interface (System-Settings-Administration).

I am impressed that OPNsense 19.1 picks up the config file (that I last maintained with 17.1) and comes up with all functions right off the bat.  I am not impressed with a comment that manual entry of "use the hardware console" was documented in the Release Update, so not a bug.
#2
You could use Firewall-Groups to create a group that includes all interfaces with similar access requirements, then apply your rules on the Rules tab that will be created for the group.
#3
Each ovpn client creates a gateway with address 10.8.8.1.  So when the 2nd client starts, it cannot create this route for itself.  I got around this by mapping each gateway to a unique address with the dnat command.  https://forum.opnsense.org/index.php?topic=5921
#4
17.7 Legacy Series / Re: where is switch gateway
November 04, 2017, 11:31:05 AM
I use "Firewall: Settings: Advanced: Skip rules" for this purpose.  A rule forces traffic from specific clients into a gateway, unless the gateway is down.

#5
Look at https://forum.opnsense.org/index.php?topic=5921.0
When you add dnat commands to the advanced client properties of your openvpn clients, you can assign alternative route addresses, and two or more gateways that can work simultaneously.  Next you use rules to direct traffic to one of those gateways.
#6
Here is a cookbook on how to get it going: https://forum.opnsense.org/index.php?topic=4979
You could check the firewall log to see which IP address and port failed.  When I did my first install, openvpn could not resolve the name of the server.
#7
In your LAN rules, you should write that Source alias1 can go to Dest "any" via Gateway1.
A 2nd rule states that Source alias2 can go to Dest "any" via Gateway2.
If you cannot specify your list of servers as an alias, you could try to add a Block rule that prevents your "private" alias going into the public gateway.
#8
Answering the OP's (old) question:
To bridge 2 NICs you have to define an interface for each NIC, for example NIC2 and NIC3.  I found that you can have mixes of IP v4 configurations: NIC2 with a fixed address and NIC3 with "None", or both NICs with a (different) fixed address.

As Franco warned, when you assign a fixed address to both, you can also tell DHCP to listen to both interfaces and it can issue leases on both interfaces.  However... here I was surprised... it only reports the leases on ONE of the interfaces (the last of the members).
#9
17.7 Legacy Series / Re: Firewall: NAT: Port Forward
September 19, 2017, 01:05:12 PM
Hi Roy
Maybe I misunderstand your intention, but ...
- did you intend to forward only traffic from "source address" WAN address?  When you write "go to my server from outside of the lan" I would have expected you to mean "any address on the WAN adapter."  So specify "source address" as "*".
- the "destination address" and "port" should be what the remote client specified, so "WAN address" would be my guess.
- the "NAT IP" would be the internal IP where you want to redirect, so "severs" would be my suggestion.
#10
General Discussion / simultaneous VPN clients
September 08, 2017, 07:00:56 PM
Suppose you needed a connection to hosts in Australia and the US, via VPN.  It would be silly to use only 1 VPN end-point, no?  So I define a VPN client with an end-point in AUS and another in the US, with the same VPN provider.  It turns out that they always push a route-gateway address 10.8.8.1 so openvpn issues

/sbin/route add -net 10.8.8.0 10.8.8.1 255.255.255.0

and the second openvpn client issues: ERROR: FreeBSD route add command failed: external program exited with error status: 1

In https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-and-ifconfig/?p=10449 I found an idea to use the client-dnat command to present a unique address for each of the 2 gateways, so I added in the advanced client properties of my 1st client:

route-gateway 10.8.5.1
ifconfig 10.8.57.2 10.8.5.1
client-nat dnat 10.8.5.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.5.0 255.255.255.255 10.8.8.0

and the 2nd client uses:

route-gateway 10.8.21.1
ifconfig 10.8.57.2 10.8.21.1
client-nat dnat 10.8.21.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.21.0 255.255.255.255 10.8.8.0

That means, my GATEWAY definitions refer to the 10.8.5.1 and 10.8.21.1 "virtual" gateway addresses, and I can have both active at the same time.  With geo-filter aliases in the FW rules, my traffic goes through the right tunnel.

Except... gateway monitoring does not work.  apinger tells me that he cannot reach the monitor addresses that I specified (both of which used to work, one at a time, when I did not have the dnat parameters).

1. how is apinger running, so that it does not use the "virtual" gateway addresses?
2. is there a better way to have multiple openvpn clients (for the same VPN provider, that pushes the same route-gateway) active?

Edit: after I upgraded to 17.10.1, apinger is able to ping the monitor addresses through the "virtual" gateways.
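As an added illustration (not from the post above or from OPNsense), the following generates the per-client "advanced" directives from that post for any number of clients of a provider that pushes the same route-gateway, and refuses virtual gateway addresses that collide with each other or with the pushed 10.8.8.0/24 network, since a shared address reproduces the original "route add" failure. The pushed gateway, network and the 10.8.57.2 local address are taken from the post; the function names are this example's own.

```python
"""Generate client-nat dnat directives so several OpenVPN clients that all
receive route-gateway 10.8.8.1 can each get a unique "virtual" gateway.
Added example; the directive layout follows the forum post, the generator
and the collision checks are this example's own.
"""
import ipaddress

PUSHED_GATEWAY = ipaddress.ip_address("10.8.8.1")       # from the post
PUSHED_NETWORK = ipaddress.ip_network("10.8.8.0/24")    # from the post
LOCAL_ADDR = ipaddress.ip_address("10.8.57.2")          # from the post


def directives_for(virtual_gateway: str) -> list[str]:
    """Return the advanced-client lines for one client that should present
    virtual_gateway (a host address such as 10.8.5.1) instead of 10.8.8.1."""
    vg = ipaddress.ip_address(virtual_gateway)
    if vg in PUSHED_NETWORK:
        # A virtual gateway inside the real tunnel network would be routed
        # by the pushed route, not by our dnat rewrite.
        raise ValueError(f"{vg} lies inside the pushed network {PUSHED_NETWORK}")
    # The post also rewrites the network address (x.y.z.0) next to the gateway.
    vnet = ipaddress.ip_network(f"{vg}/24", strict=False).network_address
    return [
        f"route-gateway {vg}",
        f"ifconfig {LOCAL_ADDR} {vg}",
        f"client-nat dnat {vg} 255.255.255.255 {PUSHED_GATEWAY}",
        f"client-nat dnat {vnet} 255.255.255.255 {PUSHED_NETWORK.network_address}",
    ]


def plan(clients: dict[str, str]) -> dict[str, list[str]]:
    """clients maps a client name to its virtual gateway address.
    Two clients sharing one address would fight over the same route again,
    so duplicates are rejected before any directives are produced."""
    seen: dict[ipaddress.IPv4Address, str] = {}
    out: dict[str, list[str]] = {}
    for name, vg in clients.items():
        addr = ipaddress.ip_address(vg)
        if addr in seen:
            raise ValueError(f"{name} reuses {vg}, already taken by {seen[addr]}")
        seen[addr] = name
        out[name] = directives_for(vg)
    return out


if __name__ == "__main__":
    # Constructed sample: the two clients from the post.
    for name, lines in plan({"aus": "10.8.5.1", "us": "10.8.21.1"}).items():
        print(f"# {name}")
        print("\n".join(lines))
```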