Messages

[--exit-node-allow-lan-access]

RESOLVED

I always figure it out in the end.

Right so what i misunderstood was on the Opnsense plugin in order to apply the flag --exit-node-allow-lan-access
you can't advertise Opnsense as an exit node at same time, so I disable Opnsense as exit node and now all LAN devices behind the Opnsense tail-scale Subnet router now route over the VPN tunnel and use the far exit node as a gateway

Hi,

I have setup and got working as per instructions.
I can reach the local LAN and remote sub-nets, and access resources.
Confirming forwarding and NAT are working.
The exit nodes work fine with all Tail-scale clients.

What I would like to do, is add a policy to route the local sub-net 192.168.20.0/24 to the far Tail-net exit node,
This works fine when using wire-guard gateways.

So on the LAN interface I add a rule
Action Pass, any, use remote Gateway 100.90.90.1

I see traffic leaving opnsense tails interface from the subnet device IP, using the opnsense tails Address confirming its nat'ted.
But as soon as I enable the rule to use the remote gateway it cant reach the internet, no return traffic

Anyone got this to work, or am I making an error?

Did you update the ACL rules on the tail admin?
The endpoints in the subnet wont get to the other subnet unless you permit in the Access Control List

{
   "src": [
      "192.168.2.0/24",
      "192.168.3.0/24",
   ],

   "dst": [
      "192.168.2.0/24",
      "192.168.3.0/24",
   ],

   "ip": ["*"],

Poor speed or disconnects, usually MTU is wrong, set too high at either side of the tunnel

Was able to solve it,

System > Firmware > Packages
Reinstall os-sensei fixes the package

Was then able to update to update to 24.7.8

Keep getting this issue when trying to update to 24.7.8
Currently running OPNsense 24.7.7

Tried all mirrors, anyone able to advise why it wont update?
Tried pkg clean -a and pkg update -f

Error here:
85 MiB to be downloaded.
[1/14] Fetching os-sensei-1.18.2.pkg: .......... done
pkg-static: cached package os-sensei-1.18.2: missing or size mismatch, fetching from remote
[2/14] Fetching os-sensei-1.18.2.pkg: ......... done
pkg-static: cached package os-sensei-1.18.2: missing or size mismatch, cannot continue
Consider running 'pkg update -f'

Did you get anywhere with this?
I just been suppplied a ZTE MC888 and cannot get bridge mode to work at all.
It keeps assigning 192.168.0.x to the opnsense wan port even though DHCP and wifi are disabled on the ZTE

Tried eveything I know, had a similar issue with a differenytt router in bridge mode before and a factory reset sorted it out, but tried that with the ZTE several times, sam eissue and not getting anywhere

thanks

Hi, if someone could help please, I have read the tutorial and successfully setup nginx with letsencrypt and the domain fqdn and base upstream server works perfectly on https://mydomain.com

I am trying to configure a second location which points to a second internal web service with a subfolder of the primary domain
https://mydomain.com/filemanger to point to another upstream server on https://192.168.1.5/

I have configured the second upstream location with (see screenshot)
URL pattern /filemanager/
path prefix /

so that when get https://mydomain.com/filemanager/ it directs to https://192.168.1.5/
It seems to start to load the page but then gets a 500 gateway timeout

Is this the correct way to configure for subfolders?
Thank you

Looking at the error message "vm_fault pager read error"
It is likely either an issue reading the hard disk or a kernel fault, i would start by eliminating any disk and config issue

Make sure you have a backup of your config

Did you install this with zfs_enable=YES ?
if so then test it with zfs_enable="NO" by editing /etc/rc.conf and reboot

Hope this helps

Flip me, one issue after another, but I've got there
After successfully getting to 22.7 with a working webgui and some internet access,
I started looking through the logs.

The next issue was half the websites were saying untrusted including https://forum.opensense.org of all sites
I figured this out that the firewall rules were not loading correctly due to an issue with some firewall aliases.
An article I read said there were alias issues with 22.1.8, so I assumed these issues were not patched and have been carried over to 22.1.10_4 and 22.7 ?
Anyway I disabled the aliases and rules mentioned in the error log, and hey presto the firewall rules then successfully loaded and all internet sites were accessible.

Then onto the next issue with a device with failing nat ports, again I figured this was alias related,  as it was working perfectly fine in 22.1, so I changed the nat rules for the client with issue from using it's alias to using its ip address, and again Eureka! this is now working again!

Hope this helps some people out who may have been facing similar issues

Im trying to read between the lines here.
Two things I will suggest.
1. First you must be certain opnsense has connectivity, in opnsense console can it ping say 8.8.4.4
This proves the upstream is working and opnsense gateway can reach the internet. If no connection untick the allow dns override by dhcp and configure dns here as 8.8.4.4 to test again

Once this works goto step 2.

2.do ipconfig/all on the client
Confirm its gateway address is the ip of the lan interface.
Report back what dns resolvers are configured.
Run a tracert 8.8.4.4 and see how far it gets most likely not getting past the gateway

It certainly sounds like high temp system protection cutoff kicking in, if kernel is cutting power to save frying the cpu

92c does sound high, that chips normal operating range is between 50-70c, 50c when idle passively cooled.

Teams video uses high network bandwidth, so there maybe expected additional cpu load when there is increased traffic throughput, hence varying time for symptom to manifest. Its just a question of how long before temp rises before cutoff kicks in, ive seen this lots of times for various reasons.

1.Make sure plenty of space and airflow around unit
2.Check the cpu and heatsink
3.Check latest bios
4. Perhaps upgrade to 22.7 as there seems to have been a few issues with 22.1 to 22.1.10 with network hardware offloading changes
5.Try disable any on chip gpu and run headless may assist with temp
6. Disable in bios anything that is not absolutly nessesary such as audio, unused usb ports etc, i have seen sone posts where chipset feature were causing kernel issues

Hope these suggestions help you figure it out :-)

What bios version on the acer?
First I would go into bios and switch boot mode from uefi to legacy and see if opnsense boots
Then its likely a partition issue that first partition is mbr/bios instead of gpt/uefi

I would also check for bios updates, and check the acer
forums

Hope you resolve it

UPDATE - progress
After reading some of the forum articles again some of the symptoms reported pointed to issues upgrading from 22.1 to various itterations of problems from 22.1.3 thru to 22.1.10_4

The clues suggested issue with interface hardware offloading.
Ref https://github.com/opnsense/core/issues/5521

To resolve this upgrade issue, i have tested the following steps.

1. Enabled hardware offloading on interface for CRC, TSO, LRO
2. Rebooted, and checked status, the reason this was disabled before was due to throughput issues
3. Upgraded to 22.1.10
4. Tested and checked Wan access, and Lan Gui now accessible post upgrade
5. Upgraded to 22.7
6. Tested wan and Lan Gui still accessible
7. I have left the hardware offload settings unchecked, throughput seems fine

Clients are now able to access Gui and internet

I will log a seperate query for the next symptom, as now it seems some ios (safari) and android (chrome) browsers are saying no internet but are working fine, and also looks like there may now be some issues with some root CA certificates, as some websites now reporting not trusted
Will look at this when i get some spare time

Hi,

I am stuck, I have to do an interim upgrade to 22.1.10_4 before it will allow upgrade to 22.7

I have a QEMU/KVM using virtio interface adapter with no vlans, there are no parent interfaces to add as I am not using vlans (per the solutions I have read).
I have also checked Hardware CRC, TSO, LRO is disabled, and VLAN hardware filtering is set to default as per forum articles I have read.

I have reverted to previous version on failure to reattempt. On one such attempt it successfully upgraded to 22.1.10_4 and I was able to logon to the web-gui, and internet worked for a few minutes then it stopped working.

Any help appreciated on which log files I need to check or how to determine what is happening?