Messages - swingline

#1
Basically, I am in the middle of splitting two physical networks, the new one being managed by OPNsense. Both machines causing problems have two NICs, one for the old network and one for the new network. One NIC is Intel and the other Realtek; everything routes properly when on the local networks. Once I threw wireguard into the mix, I started to see strange routing issues with those machines.

While moving cables around on the machines, I found that if the old network was plugged into the Intel NIC and the new network plugged into the Realtek NIC, I would see the problem. Reverse the cables, and I don't see the routing problem anymore. Whether I reboot the machines or bring the interfaces up in different orders, it just goes away.
#2
Well, after burning it all down three times, I figured out the issue was with the endpoints. Everything has been sorted out. Thanks for all the help; this was a really frustrating issue to have to deal with.
#3
So, watching the firewall logs as I ping an IP while connected to wireguard: the first one fails, but it's on the WAN interface? The second one passes, and it's on the correct interface. Any insight as to why some of the subnet is getting sent through WAN? Thanks. Also, it is changing the subnet from the original request of 172.28.0.13 to 172.27.0.13.

#4
Thanks for the suggestion, but it has the same results when I removed it.
#5
Yes, I have assigned WG to an interface.

Each endpoint looks like this.

Name: Username
Public Key: pub key
shared secret: blank
Allowed IPs: 10.30.0.4/32 (user assigned IP)
Endpoint Address: Blank
Endpoint Port: Blank
Keepalive: 30

Each peer has been added to the local configuration which looks like this

Enabled: Checked
Name: WG
Public Key:  key
Private key: key
Port: 28363
Tunnel Address: 10.30.0.1/24
Peers: selected as required
Disable Routes: unchecked
Gateway: Blank
#6
No worries

No restrictive ssh configs; ping offers the same results as ssh, it just hangs. Everything is reachable via the local network.

VLAN
     Protocol  Source   Port  Destination  Port  Gateway  Schedule
IN   IPv4 *    LAB net  *     *            *     *        *

WG
     Protocol  Source   Port  Destination  Port  Gateway  Schedule
IN   IPv4 *    WG net   *     *            *     *        *

I have watched the firewall log when I initiate a ping. I see the ICMP happen and it appears to allow the traffic, but it just hangs when attempting from multiple machines, Linux and Windows both.
#7
The peer configuration provided is for a road warrior split tunnel configuration. My understanding of the AllowedIPs is that I put in the subnets that I want routed over the tunnel, so that when the interface is brought up the route is added on the peer's machine, allowing that user to interact with the subnets on the server side of the tunnel (opnsense).

The tunnel is working and routing the two specified subnets, but only partially on the 172.28.0.0/24 network, so

ssh root@172.28.0.42 works
while
ssh root@172.28.0.14 times out

Not sure what is causing this issue. I should add that I have tried just sending everything with 0.0.0.0/0, with the same results on the same VLAN.
#8
I have wireguard set up and I thought it was working correctly, but I am having some routing issues with one of the subnets in AllowedIPs. The 172.28.0.0/24 is causing me issues, as wireguard seems to only be routing some of the IPs but not all of the IPs in that VLAN. All of the IPs can be pinged from inside the local net.

Here is what the peer configs look like

[Interface]
Address = 10.30.0.2/32
PrivateKey = blank

[Peer]
PublicKey = tyQSYEh1ik4CarV9GjCqdCIdscwVkiSghXNoRa+sRFo=
AllowedIPs = 10.30.0.0/24,172.28.0.0/24
Endpoint = {IP}:28363


I just have allow-all rules on both the wireguard and the VLAN interfaces. No floating rules or anything like that.

Anyone know what might be causing the selective routing?
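The two posts above (#7 and #8) rest on how WireGuard decides which peer, if any, receives a packet: the AllowedIPs of every peer form a lookup table, and the most specific matching prefix wins; a destination that no peer claims never enters the tunnel and falls back to the host's normal routing table. The script below is an added example, not part of the original thread or of WireGuard or OPNsense, that parses a wg-quick style config and answers "which peer would get this destination?". The config it embeds is constructed: peer A mirrors the posted peer with a placeholder public key and endpoint, and peer B is invented to show how an overlapping, more specific AllowedIPs entry on another peer silently captures single hosts out of a subnet, one of the few ways a /24 can appear to be routed "selectively".

```python
import ipaddress

# Constructed sample config (added example, not the poster's real file): peer A is
# the post's peer with the public key and endpoint replaced by placeholders;
# peer B is invented here to show an overlapping, more specific AllowedIPs entry.
SAMPLE_CONF = """\
[Interface]
Address = 10.30.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <peer-A-public-key>
AllowedIPs = 10.30.0.0/24, 172.28.0.0/24
Endpoint = 192.0.2.10:28363

[Peer]
PublicKey = <peer-B-public-key>
AllowedIPs = 172.28.0.14/32
"""


def parse_peers(conf_text):
    """Return [(public_key, [ip_network, ...]), ...] from a wg-quick style config.

    AllowedIPs may be comma separated and may appear on several lines; entries
    are accumulated per [Peer] section. Base64 keys containing '=' survive
    because each line is split on its first '=' only.
    """
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            # Only [Peer] sections carry cryptokey routing entries.
            current = {"key": None, "allowed": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() == "publickey":
            current["key"] = value
        elif name.lower() == "allowedips":
            current["allowed"].extend(
                ipaddress.ip_network(cidr.strip(), strict=False)
                for cidr in value.split(",") if cidr.strip()
            )
    return [(p["key"] or f"<unnamed peer {i}>", p["allowed"]) for i, p in enumerate(peers)]


def select_peer(peers, dst):
    """Cryptokey routing lookup: the peer whose AllowedIPs contain dst, with the
    most specific prefix winning. Returns (public_key, network) or None; None
    means WireGuard will not hand the packet to any peer, so the host's ordinary
    routing table (typically the WAN default route) handles it instead."""
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (key, net)
    return best


def route_report(conf_text, hosts):
    """Map each destination to the public key of the peer that will receive it
    (None when no peer claims the address)."""
    peers = parse_peers(conf_text)
    report = {}
    for host in hosts:
        hit = select_peer(peers, host)
        report[host] = hit[0] if hit else None
    return report


if __name__ == "__main__":
    hosts = ["172.28.0.42", "172.28.0.14", "172.27.0.13", "10.30.0.1"]
    for host, peer in route_report(SAMPLE_CONF, hosts).items():
        print(f"{host:>14} -> {peer}")
```

Run against the posted single-peer config (drop peer B), both 172.28.0.42 and 172.28.0.14 map to the same peer, which is why the thread's symptom could not come from the client's AllowedIPs alone and had to be looked for elsewhere; 172.27.0.13 maps to no peer, matching the "sent through WAN" observation in #3.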
#9
Development and Code Review / Android management app
April 28, 2021, 07:59:08 PM
Hello,
I have been working on an Android app written in Python using KivyMD.

https://github.com/Red-Swingline/OPNsenseManager


I am modifying a custom app that I provided to my clients. This app is intended to allow users to take common immediate actions and escalate as needed for help using the email option.

As the app is written now, it's capable of:
  • Rule management (rules created with firewall plugin https://docs.opnsense.org/development/api/plugins/firewall.html)
    • Manually add rules by entering rule UUID and Description.
      • I opted for manual adding rules, as there may be rules created on the firewall that the end-user has no reason for messing with.
    • Manually deleting rules from the Admin tab.
      • This only removes rules from the local SQLite database
  • VPN management
    • Enable/disable Wireguard client
    • (I might add other protocols if needed)
  • Power
    • Reboot
  • Admin
    • Add rules
    • Delete Rules (from local SQLite database)
    • Email Admin sends a fixed SOS email to a specified email address, aka the network admin. (Needs to be fixed)
#10
Perfect, this is what I needed.
#11
I didn't see anything in the API reference, so I figured I would ask here.

Is it possible to enable or disable a firewall rule with an API call?
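The question in #11 and the rule-management feature in the app post (#9) both come down to calling the firewall plugin's filter controller. The client below is an added example, not code from the thread or from the OPNsenseManager repository, in the app's own language. The endpoint paths `toggleRule/<uuid>/<0|1>` and `apply` are assumed from the firewall plugin API reference the post links to and should be checked against the installed plugin version; the JSON replies produced by the fake transport are constructed for the offline run, not captured from a firewall. The transport is injectable so the request sequence can be exercised without a firewall on the network, and because the app lets a user type the rule UUID by hand, the UUID is validated before it is placed in the URL path.

```python
import base64
import json
import urllib.request
import uuid


class FirewallRuleToggler:
    """Small client for the os-firewall plugin's filter controller.

    Endpoint paths are assumed from the firewall plugin API reference linked
    in the post (verify against your plugin version):
      POST /api/firewall/filter/toggleRule/<uuid>/<0|1>
      POST /api/firewall/filter/apply
    Authentication is HTTP basic auth with an API key and secret.
    """

    def __init__(self, base_url, api_key, api_secret, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
        }
        # transport(url, headers, body) -> (status, text); injectable so the
        # request sequence can be tested offline.
        self.transport = transport or self._https_post

    @staticmethod
    def _https_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        # urlopen validates the TLS certificate by default; keep it that way.
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()

    def _post(self, path, payload=None):
        body = json.dumps(payload or {}).encode()
        status, text = self.transport(self.base_url + path, self.headers, body)
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        return json.loads(text)

    def set_rule_enabled(self, rule_uuid, enabled):
        """Toggle one rule, then apply the filter configuration.

        The UUID is parsed and re-serialised before it goes into the URL, so a
        malformed value typed into the app raises ValueError instead of
        altering the request path.
        """
        clean_uuid = str(uuid.UUID(rule_uuid))
        flag = 1 if enabled else 0
        toggled = self._post(f"/api/firewall/filter/toggleRule/{clean_uuid}/{flag}")
        applied = self._post("/api/firewall/filter/apply")
        return toggled, applied


def fake_transport(log):
    """Offline stand-in for the HTTPS transport: records each URL and returns
    constructed responses shaped like the plugin's JSON replies."""
    def transport(url, headers, body):
        log.append(url)
        if "/toggleRule/" in url:
            return 200, json.dumps({"result": "Enabled" if url.endswith("/1") else "Disabled"})
        return 200, json.dumps({"status": "OK"})
    return transport


if __name__ == "__main__":
    calls = []
    client = FirewallRuleToggler("https://192.0.2.1", "API_KEY", "API_SECRET",
                                 transport=fake_transport(calls))
    print(client.set_rule_enabled("0b1c7f0a-1111-4d2d-8e3f-0123456789ab", False))
    print("\n".join(calls))
```

For a real firewall, construct the client without a transport argument, use an API key whose user is limited to the firewall filter privileges, and keep the key and secret out of the app's SQLite database in plain text.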
#12
20.1 Legacy Series / Wireguard DNS issues.
June 08, 2020, 02:57:28 PM
I have wireguard set up as a client connecting to a remote server. It's working like 95%. I seem to be having issues with DNS; I'm not sure if this is an unbound issue or a wireguard routing issue. I have tried two different configs.

Config 1:
1. Wireguard connected to VPS
2. Create an interface for wireguard called "WG"
3. Create outbound NAT rule
       interface: "WG"
       Source address: 10.0.0.0/24
4. 1.1.1.1 and 1.0.0.1 set as DNS in Settings: General.
5. Unbound set to forwarding mode.
6. Create LAN rules to route a few things around the VPN out to WAN.

This config works, but there are a few URLs that don't resolve correctly. I have tested on the server side and everything resolves correctly.

Config 2:
1. Disable Routes under local config of wireguard
2. Set Gateway to 10.30.0.1
3. Create an interface for wireguard called "WG"
4. Create new Gateway
       Name: "VPN"
       Interface: "WG"
       IP: "10.30.0.1"
       Check "Far Gateway"
5. Create LAN Rule for just a small test alias called "Desktop"
       Source: "Desktop"
       Gateway: "VPN"
6. 1.1.1.1 and 1.0.0.1 set as DNS in Settings: General.
7. Unbound set to forwarding mode.

This results in routing "Desktop" traffic via the "VPN" gateway, all but DNS it seems, so nothing resolves. I have played with a few variations of each, with either little or no difference.

I have been tearing my hair out over this one for a few months, I have just been living with the 95% solution but I would like to figure out what I have configured incorrectly.
#13
19.7 Legacy Series / Blocking traffic
December 10, 2019, 10:04:21 AM
I have created an alias for my children's devices. I would like to create a rule to block their devices from accessing the WAN. What rules do I need to create to keep their devices from accessing the internet?
#14
19.7 Legacy Series / Re: zerotier as a VPN
November 04, 2019, 02:17:53 PM
No, I ended up switching to wireguard.
#15
19.7 Legacy Series / schedule a reboot
October 28, 2019, 03:28:58 PM
Is there any way to schedule a reboot of opnsense?