Messages - kss

#1
Thanks for your insight -- that I should have different domain names at the two sites connected via VPN; I have a more functional site-to-site VPN.

  • I have name to IP resolution when I ping computers at the other site, although the ping itself times out
  • I added both domains to the LAN DHCP4 search list, now I can use the hostname or the FQDN for name resolution
  • RDP and VNC work across the VPN from any computer to any other computer by just using the name, IP address, or FQDN

Only thing that is still blocked is being able to browse directories using file manager -- both styles of addressing -- \\PC-2 and \\192.168.2.2 -- time out.

Pretty sure these are being blocked by the firewall rules, but am nervous about experimenting with them.
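Added example, not from the thread: once the OPNsense rules on the WireGuard interface are confirmed to pass TCP 445, the next place this exact symptom pattern (RDP works, \\PC-2 and ping time out) tends to come from is the Windows firewall on the target PC itself. On the Private and Public profiles Windows ships the "File and Printer Sharing" inbound rules (SMB-In, Echo Request) scoped to LocalSubnet, which excludes a peer arriving through a site-to-site tunnel, while the Remote Desktop rule is scoped to Any. The remote subnet below is an assumption; the script inspects the scopes and then widens only the SMB and echo-request rules by that one subnet rather than opening them to Any.

```powershell
# Run in an elevated PowerShell on the PC whose shares cannot be browsed
# across the tunnel (PC-2 in the thread). Constructed example; the remote
# site's subnet is an assumption, replace it with the far-end LAN.
$RemoteSiteSubnet = '192.168.1.0/24'

# 1. Show the remote-address scope of the inbound SMB/ICMP and RDP rules so
#    the LocalSubnet-vs-Any difference is visible per profile.
$groups = 'File and Printer Sharing', 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    } | Format-Table -AutoSize

# 2. Widen only the SMB and echo-request rules, and only by the remote site's
#    subnet, keeping the existing LocalSubnet entry in place.
$targets = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.DisplayName -match 'SMB-In|Echo Request - ICMPv4-In' }
foreach ($rule in $targets) {
    $filter  = $rule | Get-NetFirewallAddressFilter
    $current = @($filter.RemoteAddress)
    if ($current -notcontains $RemoteSiteSubnet) {
        # Append rather than replace so the scope stays as narrow as possible.
        $filter | Set-NetFirewallAddressFilter -RemoteAddress ($current + $RemoteSiteSubnet)
    }
}
```

Re-run step 1 afterwards to confirm the SMB-In and Echo Request rules now list both LocalSubnet and the remote subnet; if they already did, the block really is on the OPNsense side.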
#2
I will try that, thanks!
#3
I apologize if this is an already answered question --

I have connected my two sites using a WireGuard VPN site-to-site setup. How do you resolve names across the VPN? I am able to ping the far-end machines by their IP addresses, from either site, but not by name.

Both sites run similarly configured OPNsense firewalls; both sites use Unbound. I tried adding the DNS server name of the far-end site to the DNS server list but that didn't work. I even tried running WINS (gasp!) at both sites on a Raspberry Pi that is running Pi-hole, again, no luck. I seem to be missing something fundamental here, for which I seek help.
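One way to set this up for two OPNsense sites that both run Unbound, as an added example that is not from the thread: each site keeps its own DNS domain and forwards queries for the other site's domain (and its reverse zone) to the far resolver over the tunnel. Domain names, subnets and resolver addresses are assumptions (site A = sitea.lan, 192.168.1.0/24, resolver 192.168.1.1; site B = siteb.lan, 192.168.2.0/24, resolver 192.168.2.1); in the OPNsense GUI the same settings live under Services > Unbound DNS (Query Forwarding and Access Lists).

```conf
# Site A unbound.conf fragment (constructed example). Site B gets the
# mirror image with the names, subnets and resolver addresses swapped.
server:
    # Site B's resolver reaches us over the tunnel; Unbound refuses queries
    # from non-local nets unless an access-control entry allows them.
    access-control: 192.168.2.0/24 allow

    # With DNSSEC validation enabled, an unsigned private zone would fail
    # validation; mark it insecure so forwarded answers are accepted.
    domain-insecure: "siteb.lan"

    # With DNS rebind protection (private-address) enabled, answers for the
    # remote domain must be allowed to carry RFC1918 addresses.
    private-domain: "siteb.lan"

    # Unbound answers the RFC1918 reverse zones locally by default; drop that
    # default for site B's range so PTR queries are forwarded instead.
    local-zone: "2.168.192.in-addr.arpa." nodefault

forward-zone:
    name: "siteb.lan."
    forward-addr: 192.168.2.1
    # Forward only; never fall back to public recursion for a private zone.
    forward-first: no

forward-zone:
    name: "2.168.192.in-addr.arpa."
    forward-addr: 192.168.2.1
    forward-first: no
```

Short names then work once both domains are in the LAN DHCP search list, as post #1 describes; from site A, `drill pc-2.siteb.lan @192.168.1.1` should return the far-end address.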
#4
Quote from: axsdenied on April 19, 2024, 05:48:31 PM
And yes, things always "work" before they don't.

I am adding this quote to my repertoire!  ::)
#5
I am trying to follow the documentation to set up an OpenVPN instance. There may be an error in the HOWTO at https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html

Should the certificate type for Site A be a "Client" and not "Server" as it stands in the how-to? (Image attached)

Also, there is a typo in the firewall port number -- it should be 1194/UDP, not 1494/UDP -- the table that follows is correct, however.
#6

I am wondering if it is possible to reset all firewall rules to default as if it were a new installation? Alternately, is the default rules list available somewhere to download?

Thanks.
#7
General Discussion / Re: OPNsense - virtualized or not?
January 10, 2023, 08:02:29 PM
That makes sense, thank you.

The firewall, which is running unvirtualized, does have some spare capacity, but I don't need the CPU cycles for any other compelling purpose (Core i5-3470T dual-core CPU, 2*GbE ports, 8GB RAM, 32 GB SSD).

I think I will just leave the production system alone for a bit longer and resist the temptation to muck with it.
#8
General Discussion / Re: OPNsense - virtualized or not?
January 10, 2023, 07:25:01 PM
My research says it "Depends," which could conceivably start a religious war.  ;D

ChatGPT answered along similar lines, but I find it much spookier! See ChatGPT's answer below:

Quote
The decision to virtualize a firewall or run it on bare-metal depends on a variety of factors, including the specific requirements of your organization's network security infrastructure and the capabilities of the firewall software and hardware that you are using.

One of the main benefits of virtualizing a firewall is that it can be more easily managed and scaled than a physical firewall. This can be particularly beneficial for organizations with dynamic or rapidly changing network requirements. Virtual firewalls can also be more easily replicated, making it easier to test new configurations or to create disaster recovery plans. Additionally, virtual firewalls can be run on commodity hardware, which can be less expensive than specialized firewall appliances.

On the other hand, running a firewall on bare-metal can offer several advantages as well. For example, running a firewall on bare-metal can provide better performance, as virtualized firewalls can be affected by the overhead of the virtualization layer. Also, some organizations may prefer to keep their firewalls separate from their other virtualized infrastructure for better security and fault isolation. Additionally, certain organizations may have certain compliance requirements that mandate the use of physical firewalls.

Ultimately, the decision of whether to virtualize a firewall or run it on bare-metal will depend on the specific needs of your organization and the features and capabilities of the firewall software and hardware that you are using. It would be a good idea to consult with a network security expert or to consult the vendor's documentation and guidelines to understand the best practices and any limitations to follow before making a final decision.
#9
General Discussion / OPNsense - virtualized or not?
January 10, 2023, 04:07:55 PM
Hopefully an easy question --

I have OPNsense running on a dedicated dual-ethernet machine for our SOHO. This deployment is not virtualized.

Should this instance of OPNsense instead be running on the same hardware virtualized? Why or why not?
#10
Just donated USD 25.

Thank you for the great work you do!
#11
General Discussion / Re: Hardware for Opnsense
January 02, 2023, 07:07:42 AM
I am comfortably running OPNsense on an old mini-ITX Intel motherboard (DQ77KM) with a Core i5 and 8GB RAM. The motherboard has two Intel 1GB NICs. I got these on eBay and the entire system was under USD 200 including the case and power supply. However, it consumes close to 60W, compared to the newer generation hardware.
#12
Just noticed that Verizon FIOS has given me a 2600:... /56 IPv6 address for the WAN interface.

What do I do with this information? How should I set up my LAN correctly?
#13
Yes, the devices on the two LANs respond to pings within their own subnets; pings across the VPN time out, but the names resolve to the correct IP addresses.

It is still weird that I can connect to any machine on the "other" side by name via RDP or VNC -- but cannot directly browse their shared folders.

Wonder if I need some kind of outbound NAT -- I shouldn't need it according to the documentation because the WG interface is assigned and enabled. And I am not yet knowledgeable enough to know what/how to go about it!
#14
Adding an explicit "Allow ICMP" rule to the WireGuard interface made no difference.
#15
Can you please elaborate on your solution? This could be related to what I am experiencing.