Messages - quirkyferret

#1
This problem started weeks ago and has been intermittent, but it is getting worse: now I am losing the WAN gateway and needing to restart the appliance at intervals of anywhere from 5 minutes to 3 hours, and I can't ever expect it to stay up over an entire day.

Initially, I had some upstream problems with my ISP, but these appear to have been sorted, while the OPNsense issue remains. A setup that had been working for years started showing this behavior. I was a fair bit behind in my updates, but having now gotten to 25.7.2, the issue is still present and as bad as ever.

The issue is that the gateway shows as down, with no response to ping. Nothing in the device health logs, no issues in the internal LAN or DMZ configs. I don't see anything in the firewall logs.

Packet capture shows outbound packets from the WAN to various devices, and absolutely no return traffic. I've replaced the ethernet cable on the WAN-to-gateway connection. I've tried using other devices in troubleshooting sessions; none of them have problems connecting to the gateway when it is in this state, but OPNsense continues to have the problem even if the cable is physically disconnected and replaced.

When the issue is present, there is no way to recover other than rebooting the appliance. I've tried disabling the interface and re-enabling it. I've tried shutting down extraneous services (CrowdSec, VPN, etc.).

I honestly don't know what the next logical step is at this point. Reimage the entire device and rebuild all my configs from scratch? Try to harangue the ISP to get me a packet capture from their end? Not sure how that would go; there are definitely very limited troubleshooting options in the portal I have access to, and all of those show the gateway working fine when OPNsense drops out.

Intel NICs, as I know some people have referenced problems with Realtek ones.
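Added diagnostic, not part of the post above and not OPNsense's own tooling: a small script to run on the firewall while the gateway is in the "down" state. The packet capture in the post shows frames leaving the WAN with no replies, which leaves open whether the firewall has a usable ARP entry for the gateway, whether the driver still reports a carrier, and whether the gateway answers ARP at all; this checks each of those, plus the default route, the dpinger gateway monitor and recent kernel messages for the NIC. The interface name `igb0` (FreeBSD's driver for Intel NICs) and the gateway address `203.0.113.1` are assumptions; set `WAN_IF` and `GW_IP` in the environment to match the box. The sample `arp -an` and `ifconfig` lines used for self-checking are constructed.

```shell
#!/bin/sh
# wan_diag.sh: example diagnostic for an OPNsense/FreeBSD WAN gateway that
# stops answering while outbound packets are still seen on the interface.
# Written for this page as an illustration; not the poster's or the project's
# code. WAN_IF and GW_IP below are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-igb0}"        # assumption: Intel NIC on the igb driver
GW_IP="${GW_IP:-203.0.113.1}"   # assumption: documentation-prefix address

# arp_state GATEWAY_IP   (reads `arp -an` output on stdin)
# Prints "resolved", "incomplete" or "missing". "incomplete" means the firewall
# is still sending who-has requests and the gateway is not answering ARP; a
# "resolved" entry with outbound IP packets and no replies points beyond the
# firewall's own link layer. In that case compare the cached MAC with what a
# device that still works sees for the same gateway.
arp_state() {
    as_gw="$1"
    as_line=$(grep -F "($as_gw)" || true)
    if [ -z "$as_line" ]; then
        echo missing
    elif printf '%s\n' "$as_line" | grep -q '(incomplete)'; then
        echo incomplete
    else
        echo resolved
    fi
}

# link_state   (reads `ifconfig IFACE` output on stdin)
# Prints "up" when the driver reports an active carrier, "down" otherwise
# (FreeBSD prints "status: active" or "status: no carrier").
link_state() {
    if grep -q 'status: active'; then echo up; else echo down; fi
}

# wan_diag: the live checks. Run as root on the firewall, once while healthy
# and once while broken, and diff the two outputs.
wan_diag() {
    echo "== default route (IPv4)"
    netstat -rn -f inet | grep '^default' || echo "no default route installed"

    echo "== carrier on $WAN_IF"
    ifconfig "$WAN_IF" | link_state

    echo "== cached ARP entry for $GW_IP"
    arp -an | arp_state "$GW_IP"

    echo "== flush the entry, re-resolve, and watch the ARP exchange on the wire"
    arp -d "$GW_IP" >/dev/null 2>&1 || true
    ping -c 1 -t 2 "$GW_IP" >/dev/null 2>&1 || true
    # Requests with no replies here mean the gateway is not answering this
    # MAC/port even though other devices on the same segment get answers.
    timeout 5 tcpdump -ni "$WAN_IF" -c 10 arp host "$GW_IP" 2>/dev/null || true

    echo "== gateway monitor (dpinger) processes"
    pgrep -fl dpinger || echo "no dpinger running"

    echo "== recent kernel messages mentioning $WAN_IF (link flaps, resets)"
    dmesg | grep -i "$WAN_IF" | tail -n 10
}

# Only touch the box when explicitly asked (`sh wan_diag.sh run`), so the two
# parser functions above can be sourced and exercised on sample output.
case "${1:-}" in
    run) wan_diag ;;
esac
```

Run it as `sh wan_diag.sh run` on the firewall. If the ARP entry is incomplete and the capture shows unanswered who-has requests while another device on the same segment resolves the gateway fine, the problem is between this NIC and the gateway port rather than in pf, which is the evidence worth taking to the ISP; if the entry resolves and the carrier is up, the next place to look is the cached MAC and the upstream side.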

#2
19.7 Legacy Series / Virtual IPs- Pingingable?
December 08, 2019, 01:21:45 AM
I'm trying to set up a /29 as virtual IPs for my static IPs. The primary IP that I set as my WAN works; that's fine. But my virtual IPs don't seem to work. I've tried to set them up with both port forwarding/outbound NAT and 1:1 NAT. Neither seems to work. I've allowed ICMP through, and the WAN interface responds to pings, but the VIPs do not.

Are there any other steps I need to do, other than setting up the VIP and assigning it to an interface, to make it routable? I'd half love to think this is an issue with my ISP/modem not pushing them all through, but before I open a ticket with them I would like a more foolproof test or confirmation on the OPNsense side.
#3
I had a VPN client set up in 18.6; upgrading broke it, and your tutorial helped me get things working.

However, it only works if I try to route ALL traffic through it. If I try to route only certain hosts through it, my other internet traffic breaks (because my VPN provider pushes routes that try to take all traffic). If I check 'don't pull routes', so that the OpenVPN client doesn't override my default routes, then I have no way of sending traffic to my VPN.

I know in the older version I could put a rule that passed traffic from the WAN to the VPN gateway if it was the correct source, but now that the system doesn't recognize the VPN client as an interface or allow a gateway for it... any ideas?
#4
Following these instructions, I had this working in Jan., but then I wanted to bring on another interface and set up a DMZ. I then had some issue with traffic not routing appropriately; it looks like I'm not the only one who ran into something like this, reading through the last few pages. I disabled the VPN client and got the second interface working.

I've decided I want to tackle this again, and ran through all the updates so I'm on 18.1.6. I can confirm the VPN client shows as up, and I've followed the rules, but now I apparently can't get any traffic out through the VPN: no matter what host I add (tried some VMs and some bare metal in case there was something weird I was missing), all traffic appears to hit my physical interfaces rather than the virtual VPN interface.

edit: I missed a basic troubleshooting step. After a reboot, I could now send from my VPN alias out through the VPN... along with all of my other traffic. Rereading the other issues people experienced, I experimented with the flags for 'don't pull routes' / 'don't add or remove routes'.

With 'don't pull routes' unchecked and 'don't add or remove routes' checked, everything appears to work. Though I'm not sure exactly how confident I am in this.
#5
I feel like I'm missing something obvious since I can't find much on this.

I'm trying to set up a DMZ. OPNsense is deployed on a Protectli 6-port router. Everything works for my LAN setup.

I have also set up an OpenVPN client, following the instructions here: https://forum.opnsense.org/index.php?topic=4979 . Everything works okay with this too. The OpenVPN interface is named 'IVPN', and it shows as OVPNC2 in interfaces, with all 0s for the MAC address.

I enabled a new physical interface as DMZ, set it as 192.168.2.1/24, configured the DHCP server for it, and then created rules for the interface, cloning the 'allow any to any' rules from the LAN to test (using 8.8.8.8 as the DNS provided, if that makes a difference).

I plug a device into the port, and I see the link go from down to up in the dashboard. I confirm I'm pulling a DHCP address in the range, but I have no connectivity past the firewall. When I check the firewall logs, filtering for the IP of my test device, 192.168.2.101, I do see DNS traffic hitting the firewall and showing as ALLOWED. However... it shows under the IVPN interface, not the DMZ interface.

I've tested a few things: updating, deleting, rebooting, rebuilding, rebooting, and searching for tutorials on setting up DMZs. If I'm understanding it right, I don't need to create a gateway; none of the tutorials mention that, and I notice the LAN doesn't require one. And it states I don't need to create routes between different interfaces under the route tab. What am I missing?

I'm also assuming that my connectivity issues are due to the traffic showing up on the wrong interface, but I suppose it's possible these are two separate issues. Any help would be greatly appreciated.
#6
18.1 Legacy Series / OpenVPN client failover
February 21, 2018, 01:45:52 AM
I followed the instructions at https://forum.opnsense.org/index.php?topic=4979.0.

It works, but I have one tiny question that I don't see mentioned elsewhere in the forums. I'd like to force the traffic I have aliased to use the VPN to fail to reach the WAN if the VPN link fails. As it is, if I toggle the VPN down, the traffic continues over the public WAN.

Would this just be as simple as editing the last rule in step 9 to use the VPN alias with 'source invert', so that it does not direct traffic from the VPN outside?

I still also have the default any-to-any under the new rules; I didn't know if I'd also need to edit that same source invert in or just delete them. I see a bunch of ways I could take myself offline doing this, and I've already done that a number of times in the past couple of days.