Messages - Chiefmas

#1
General Discussion / Set boot menu default option?
August 30, 2022, 05:44:15 PM
Where do I go/what do I edit to have the boot menu have a default option? Right now, my install waits for a selection at boot up. I must have accidentally done this the last time I upgraded or something, because it didn't used to do so.

Thanks!
#2
Thanks for the suggestions!

I do have it working now. It seems that there were two things that caused me the issue the first time I tried it. In my case, it turns out the Flex-Mini switch I was connected to has an odd limitation: although you can tell it to be a trunk port, it doesn't like it if you don't have another switch plugged in. It wants to assign a VLAN to the port if you really are only using it as an access port, but one with the extra MACs and IPs like I am trying to do. So I moved it up to my core switch, which is a bit more flexible, and that resolved that.

The other issue seemed to be that I had to explicitly set the MAC address on the untagged interface. It seemed like when I assigned the new MAC to the VLAN-tagged interface, all packets coming out were getting ID'd as the new MAC (which was causing all the packets to get put into the tagged VLAN). I'm inferring this from what the Ubiquiti status screens were showing me; I didn't explicitly do a packet capture. But once I explicitly set the MAC address on the original interface to be its actual MAC address, so that both had MACs set, it started working as I wanted. It seems assuming the default MAC would stick was a bad assumption, or for whatever reason it wasn't working out that way in my setup.

Still, I've got it working, thanks again for the input!
#3
Hello,

I want to make sure what I'm trying to do will work the way I'm trying it. I am currently running OpnSense 21.1.5 on a Protectli device with 4 ports. I only use it as a network appliance to host services; it is not my network edge router (the rest of my network is managed Ubiquiti, if that ends up mattering).

So the goal is to have a virtual IP on a VLAN sharing the same interface that is currently configured as untagged. This is so I can migrate off 192.168.1.x (the untagged network) without disrupting everything (so hopefully the services will listen on all interfaces, but that's a different problem I haven't gotten to). So to summarize: I want 192.168.1.161 on em0 untagged, and 10.117.1.161 tagged with VLAN 117, also on em0.

I tried this a while back, and when I turned the new virtual interface on, I lost connectivity to the entire device. I ended up just restoring the backup config to roll back quickly. I was able to do this on a physical Windows machine without any issue, so I think I must have missed something in the configuration in OpnSense, so I guess I'm looking for a quick check of what I did to make sure I didn't miss anything. So, the steps I took:

  • In Interfaces > Other Types > VLAN, created an interface on em0 (the port I want to share) with the tag set to 117
  • In Assignments, added a new interface, called VLAN117, and set its network port to the one resulting from the previous step (VLAN 117 on em0)
  • In the new interface, configured the static IP, left block private and bogons unchecked. Basically everything at defaults

The last step is the place I suspect maybe I went wrong, because I don't think I assigned a MAC address. I think I had assumed last time around it would auto-generate a unique MAC. But if that doesn't happen, I could see that being why I stopped being able to access things from the network maybe.

Anyway, I'm just trying to get to where I can successfully access OpnSense from an IP in the VLAN, so I can start migrating clients over as well. I'm not using multiple physical interfaces because I am running a bit low on ports on the upstream switch, but if that's the only way I can get this to work, I'll make it work, at least in the short term. So, if there's something I missed, or some reason what I'm doing won't work, I could use the info!

Thank you
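The two posts above (the VLAN 117 setup on em0 and the MAC-address fix) rely on reading the switch's status screens rather than looking at the wire. The script below is an added example, not code from these posts or from OPNsense: it decodes Ethernet frames with or without an 802.1Q tag and checks that frames from the untagged address (192.168.1.161) leave with the NIC's own MAC and no tag, while frames from 10.117.1.161 leave with the VLAN interface's MAC and tag 117. The MAC addresses, the frames and the "broken" case (everything sourced from the new MAC on VLAN 117) are constructed for illustration; on a real box you would feed it frames captured on em0 or on a switch mirror port.

```python
"""Decode Ethernet frames and check the untagged/tagged split on one NIC.

Added example; it is not code from the forum posts or from OPNsense. It
assumes frames captured on the shared port (e.g. tcpdump on em0, or a
switch mirror port). The MAC addresses and frames below are constructed.
"""
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses: the NIC's burned-in MAC and a locally administered
# MAC for the VLAN 117 interface (bit 1 of the first octet set).
ORIG_MAC = "00:e0:67:12:34:56"
NEW_MAC = "02:00:00:00:01:17"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Return src/dst MAC, VLAN id (None if untagged), ethertype, IPv4 source."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits = VID; PCP and DEI sit above it
        offset = 18
    src_ip = None
    if etype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        src_ip = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": etype, "src_ip": src_ip}


def build_frame(dst, src, src_ip, dst_ip, vlan=None) -> bytes:
    """Construct a minimal Ethernet(+802.1Q)/IPv4 frame for testing."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0] = 0x45  # IPv4, IHL 5; other fields left zero, enough for decode_frame
    ip[12:16] = bytes(int(o) for o in src_ip.split("."))
    ip[16:20] = bytes(int(o) for o in dst_ip.split("."))
    return hdr + bytes(ip)


def audit(frames, expected) -> list:
    """expected: {src_ip: (mac, vlan_or_None)}. Returns human-readable problems."""
    seen = defaultdict(set)
    for frame in frames:
        d = decode_frame(frame)
        if d["src_ip"] is not None:
            seen[d["src_ip"]].add((d["src"], d["vlan"]))
    problems = []
    for ip, (mac, vlan) in expected.items():
        if ip not in seen:
            problems.append(f"{ip}: no frames seen")
        for got_mac, got_vlan in sorted(seen.get(ip, ()), key=str):
            if got_mac != mac:
                problems.append(f"{ip}: source MAC {got_mac}, expected {mac}")
            if got_vlan != vlan:
                problems.append(f"{ip}: on VLAN {got_vlan}, expected {vlan}")
    return problems


EXPECTED = {"192.168.1.161": (ORIG_MAC, None), "10.117.1.161": (NEW_MAC, 117)}
GW = "ff:ff:ff:ff:ff:ff"  # destination does not matter for the audit

# What the working setup should look like on the wire.
GOOD_FRAMES = [
    build_frame(GW, ORIG_MAC, "192.168.1.161", "192.168.1.1"),
    build_frame(GW, NEW_MAC, "10.117.1.161", "10.117.1.1", vlan=117),
]
# The symptom described in the post: everything leaves as the new MAC, tagged 117.
BROKEN_FRAMES = [
    build_frame(GW, NEW_MAC, "192.168.1.161", "192.168.1.1", vlan=117),
    build_frame(GW, NEW_MAC, "10.117.1.161", "10.117.1.1", vlan=117),
]

if __name__ == "__main__":
    print("good:", audit(GOOD_FRAMES, EXPECTED) or "ok")
    print("broken:", audit(BROKEN_FRAMES, EXPECTED))
```

The audit keys on the IPv4 source so that a frame which should be untagged but shows up inside VLAN 117 (or with the wrong source MAC) is reported per address, which is exactly the condition that would explain losing access to the device on the untagged network.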
#4
Well, I went through my setup from zero (uninstall WG, re-install, reconfigure everything) and it worked this time. I'm not sure what I did differently, if anything.

It does seem just leaving the IP stuff empty on the named interface that's bound to the network device is fine, and I guess the device, wg0, just uses default routes? I might try and figure out how to get it to bind to a different NIC later, but I'm not worried about it right this moment.

I did forget I needed a firewall outbound allow rule on the Wireguard ruleset to get traffic to go beyond local; I hadn't gotten as far as even successful handshakes in the past, so I hadn't worried about outbound connections until now. Once I dropped that rule in, the last part started working as I wanted.
#5
I've set WG up before, running directly on an Ubuntu server, but I'm a little unclear about how a few things work when doing it on OpnSense.

I'm running OpnSense on an older 4 port Protectli appliance. I'm using it just as a network appliance to run useful network services for me, for instance, as a separate gateway for VPN connectivity. And trying to move my WG peer off of my Ubuntu server onto it.

So, things I'm not clear on:

  • When I install WG and turn it on, I get two interfaces, one I name and one default called Wireguard. What I've read says you apply firewall rules to the one called Wireguard (and not to name yours Wireguard because of that auto-created one; I usually name the one I can wg or wg0). I've been running all my services on a single port to this point; am I able to bind WG to the existing NIC? It sort of seems like I can't, at least from the GUI, since OpnSense won't let me bind either WG interface to the NIC port, since it's already got the LAN interface bound to it? Or do I not need to worry about that, i.e. it'll just be bound against the active port? I'm not seeing a way to specify an actual IP or interface for it to listen on, so...?
  • In trying to get this working, the binding confusion I had above made me decide to try putting it on a different NIC port, dedicated just for it, and that NIC port I'll attach to a switch port in a different VLAN entirely, just to support WG operations. But of course, as I said earlier, I'm not quite clear if/how I can bind it, or which one of the two WireGuard interfaces I should be binding (through the Assign screen) directly to the NIC port. I've been getting some really weird behaviors when I bind the interface I named (which I usually call wg or wg0) directly to its own port, but I've been trying enough things to make this work that it could be I had a misconfiguration elsewhere.
  • I need to go back and review setups, but I'll ask here again anyway. Assuming I have WG running against the same interface/port as everything else, do I assume I need to allow that port (51820, I just use that one) in both the normal interface firewall rules and the Wireguard interface rules for clients to connect, or just on the actual interface bound to the NIC port?

The guides I've been following to get it running on OpnSense haven't quite fit, since OpnSense isn't running as my edge router/firewall, and I've been trying to fit what's going on into what I had to do to get it setup on Ubuntu, but it doesn't seem to be falling into place for me, so any help is appreciated!

Thanks!
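The two WireGuard posts above describe two different failure points: never getting a handshake (keys, endpoint, or UDP 51820 not allowed on the interface the NIC is assigned to) versus a handshake that succeeds while traffic still does not go beyond the local network until an outbound allow rule exists on the Wireguard ruleset. The script below is an added example, not code from the posts, from OPNsense or from WireGuard: it parses the tab-separated output of `wg show wg0 dump` and sorts peers into "no handshake", "stale", "one-way" (peer's packets arrive but almost nothing is sent back) and "healthy". The sample dump is constructed with placeholder keys, and the staleness threshold and the rx/tx ratio used for the one-way heuristic are assumptions of this script, not WireGuard semantics.

```python
"""Triage WireGuard peers from the output of `wg show <iface> dump`.

Added example; it is not code from the forum posts, from OPNsense or from
WireGuard. It assumes you run `wg show wg0 dump` on the appliance and feed
the text in. The dump below is constructed (keys are placeholders) and the
thresholds and the rx/tx "one-way" heuristic are assumptions of this script.
"""
import time

STALE_AFTER = 180        # seconds; an active tunnel re-handshakes about every 2 minutes
ONE_WAY_MIN_RX = 10_000  # bytes; below this there is too little traffic to judge
ONE_WAY_RATIO = 0.1      # tx < 10% of rx looks like "arrives but is not answered"

NOW = 1_700_000_000  # fixed clock so the sample is reproducible

# Constructed `wg show wg0 dump` output. Fields are tab-separated:
# interface line: private_key public_key listen_port fwmark
# peer lines:     public_key preshared_key endpoint allowed_ips
#                 latest_handshake transfer_rx transfer_tx persistent_keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER_A=", "(none)", "(none)", "10.8.0.2/32", "0", "0", "0", "off"]),
    "\t".join(["PEER_B=", "(none)", "198.51.100.7:41932", "10.8.0.3/32",
               str(NOW - 30), "120000", "1200", "25"]),
    "\t".join(["PEER_C=", "(none)", "203.0.113.9:51820", "10.8.0.4/32",
               str(NOW - 20), "5000000", "4000000", "25"]),
    "\t".join(["PEER_D=", "(none)", "198.51.100.8:60001", "10.8.0.5/32",
               str(NOW - 900), "300000", "250000", "off"]),
])


def parse_dump(text):
    """Split the dump into an interface record and a list of peer records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    f = lines[0].split("\t")
    if len(f) != 4:
        raise ValueError(f"unexpected interface line: {lines[0]!r}")
    iface = {"public_key": f[1], "listen_port": int(f[2]), "fwmark": f[3]}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append({"public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "latest_handshake": int(f[4]), "rx": int(f[5]),
                      "tx": int(f[6]), "keepalive": f[7]})
    return iface, peers


def classify(peer, now, listen_port):
    """Return (state, hint) for one peer; the hints follow the posts' two failure points."""
    hs = peer["latest_handshake"]
    if hs == 0:
        return ("no_handshake",
                "nothing reached the tunnel: check keys/endpoint and that UDP/"
                f"{listen_port} is allowed on the interface assigned to the NIC")
    if now - hs > STALE_AFTER:
        return ("stale", f"last handshake {now - hs}s ago; peer gone or path blocked")
    if peer["rx"] >= ONE_WAY_MIN_RX and peer["tx"] < peer["rx"] * ONE_WAY_RATIO:
        return ("one_way",
                "handshake fine, peer's packets arrive but little is sent back: "
                "check the rules on the WireGuard interface and the outbound path")
    return ("healthy", "")


def triage(text, now=None):
    """Map each peer public key to (state, hint); also report the listen port."""
    if now is None:
        now = int(time.time())
    iface, peers = parse_dump(text)
    return {"listen_port": iface["listen_port"],
            "peers": {p["public_key"]: classify(p, now, iface["listen_port"])
                      for p in peers}}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, now=NOW)
    print("listen port:", result["listen_port"])
    for key, (state, hint) in result["peers"].items():
        print(f"{key:10} {state:13} {hint}")
```

The listen port is reported alongside the peer states so you can match it against the firewall rule on the interface that is actually bound to the NIC port; the "one_way" state is the case where that rule is fine and the problem sits in the rules applied to the WireGuard interface instead.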
#6
I've recently been thinking about setting up something to act as a VPN gateway for specific hosts in my network, and wondered if this is something that OpnSense would be good for, vs rolling my own setup on Linux.

My concerns are mostly that the OpnSense install wouldn't be my network edge, and if that would be an issue. I would run it on an old appliance I have, I assume give it a static address in my current network, and configure it to establish an OpenVPN connection to my provider. I would then want to be able to configure hosts in my network to target the OpnSense device as a gateway, and have it route traffic from them over the VPN connection.

Does that seem like it'd be reasonably straightforward to do under OpnSense?

Thank you!