Messages - jf5876

#1
Okay.

I've created a configd file to kill the states for the range in question.

/usr/local/opnsense/service/conf/actions.d/actions_closesessionsforrange.conf
--
[check]
command:/sbin/pfctl -k <range>/24 2>&1
parameters:
type:script
message:check closesessionsforrange
description: Close Sessions for Range <range>/24
--

I then inserted a cron entry through the menu for this.

Is there any reason this would not work?

Thanks,

JF


#2
Hello,

I've blocked the kids network range with a schedule in the firewall schedules. What happens is that they are playing a game, the schedule goes off and they continue playing.

The options and reading I've done so far indicate this should work the way it was intended but does not seem to do so. I've seen others use Cron entries to drop those states or schedule a reboot when that timing goes off.

Am I doing something wrong?

Thanks,

JF
#3
Did you add DNS: <ip address> to the [Interface] of your client tunnels?
#4
20.1 Legacy Series / Re: Wireguard
March 10, 2020, 08:58:38 PM
Thank you!
#5
20.1 Legacy Series / Wireguard
March 10, 2020, 06:41:21 PM
Hi!

I've read somewhere that wireguard in 19.7 won't allow you to add a Gateway with "dynamic" in the ip address. Will it work in 20.x?

Trying to set up a firewall rule to force a client through a wireguard connection, and not having much luck so far since there's no way to add a gateway to be used in firewall rules, unless there's another way?

Thanks for any help.
#6
20.1 Legacy Series / Re: Wireguard Clients Disconnected
January 31, 2020, 06:12:25 PM
Once again -- Thanks for your reply.

You didn't answer the question though, which side do you want screenshots of?
#7
20.1 Legacy Series / Re: Wireguard Clients Disconnected
January 31, 2020, 04:42:17 PM
Are you asking for screenshots of the server or the remote sites?

The server works fine, and some of the remote sites reconnect just dandy, however, some of the remote sites never reconnect until we hit save.
#8
20.1 Legacy Series / Re: Wireguard Clients Disconnected
January 31, 2020, 03:18:27 PM
All endpoints have a unique /32, and then also another network associated with them (/24, /16, etc.)
#9
20.1 Legacy Series / Wireguard Clients Disconnected
January 31, 2020, 02:53:51 PM
Hello!

This might not be the right place for this, but I don't know a better place.

Using Wireguard on opnsense at remote sites, and a main server with a static.

When we add a new peer into the main server, some of the remote sites don't automatically reconnect. We have to go into the remote sites, and hit save inside the wireguard interface to get them to reconnect.

Is this a bug or misconfiguration?

Thank you for your assistance! ;D
#10
Sure.

Phase 1 is the outside ip address for me and outside ip address of the peer. It's followed by the encryption settings for the tunnel. Phase 1 completes.

Phase 2 is

Local Subnet: LAN
Remote Subnet: 10.200.1.0/16

Encryption settings match the connection I'm trying to establish. Phase 2 completes.

I can ping from the remote site to the local LAN address. I see its traffic in opnsense on enc0 using tcpdump.

If I delete the route (route del 10.200.0.0/16), I can then ping through the tunnel to the remote site, but only from the opnsense. I cannot ping through this tunnel from anything behind it.

Alternatively, I can ping from the remote site through the tunnel to the LAN address and anything on it, but when it replies, the reply gets to this OPNSense where IPSec is terminated, and then stops. It never goes through the tunnel according to TCPDUMP.

I thought (following most guides) that I'd be able to set up an interface under Interface Assignments and then add a GW, so that I could add a route. (Remember: the route gets put in place for 10.200.0.0/16, but it's assigned to the outside internet connection vtnet, not ipsec.)

As far as I can tell, it's a bug. I found another post where someone said they could get to the interface for IPSec if they go to interfaces.php?if=enc0, and I can also, but changing its name and/or settings makes no difference. It still does not show up in any interfaces.

At a loss on what to do next. :-)

Thanks to anyone who could comment and assist.
#11
I have an IPSec setup which is established. The routes necessary for it aren't put in place correctly. It keeps adding them when the tunnel comes up, but assigning them to the WAN interface.

I can delete the route (which allows the opnsense itself to ping through the tunnel), but nothing behind it works.

Is this a bug? Most documentation says to add a gateway selecting the IPSEC interface, but I can't find it.

Jeff
#12
I did assign an interface, but deleted it thinking it was unnecessary, and it honestly is unnecessary once it's set up.

I did figure out my problem though, I assigned the client address so far away from the tunnel address, I had my NAT rule incorrect.

I changed the ip address of the client to fall in line with the subnet I chose, and it works just fine now.

:-)
#13
Hi!

I've set up wireguard with two clients, one being 172.20.1.1. I put in some NAT rules to allow this client out to the internet, however, the traffic is going out the WAN interface without being NAT'd first.

--

10:40:54.680981 IP 10.20.1.1.37352 > 8.8.8.8.53: 10996+ A? audio-sv5-t1-1-v4v6.pandora.com. (49)
10:40:54.681100 IP 10.20.1.1.45138 > 8.8.8.8.53: 28973+ A? android-tuner.pandora.com. (43)
10:40:54.681178 IP 10.20.1.1.42111 > 8.8.8.8.53: 12703+ A? clients4.google.com. (37)
10:40:54.681264 IP 10.20.1.1.42743 > 8.8.8.8.53: 18097+ A? clients4.google.com. (37)
10:40:54.681343 IP 10.20.1.1.5269 > 8.8.8.8.53: 1405+ A? clients4.google.com. (37)
10:40:54.681747 IP 10.20.1.1.32947 > 8.8.8.8.53: 60937+ A? clients4.google.com. (37)
10:40:55.011681 IP 10.20.1.1.47250 > 8.8.8.8.53: 25109+ A? sirocco.accuweather.com. (41)
--

I've tried moving the rule, changing the ip address, etc. to no change.

Any help would be appreciated :-)

Jeff
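A check for the symptom shown in the capture above, added here as an example and not part of the original post: it parses tcpdump's default IPv4 summary lines from a WAN-side capture and flags packets that still carry an RFC 1918 source address, which is what a missed outbound NAT rule looks like on the wire. The WAN address 203.0.113.10 and the sample capture lines are constructed.

```python
"""Flag un-NAT'd traffic in a tcpdump capture taken on the WAN interface.

With working outbound NAT, every packet leaving WAN carries the WAN address
as its source. A packet whose source is still an RFC 1918 address means the
NAT rule did not match it (the symptom described in the post above).
"""
import ipaddress
import re

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# tcpdump's default IPv4 summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample capture modelled on the post's output; 203.0.113.10 is a
# documentation-range address standing in for the WAN address.
SAMPLE_WAN_CAPTURE = """\
10:40:54.680981 IP 10.20.1.1.37352 > 8.8.8.8.53: 10996+ A? clients4.google.com. (37)
10:40:54.681100 IP 172.20.1.1.45138 > 8.8.8.8.53: 28973+ A? clients4.google.com. (37)
10:40:55.011681 IP 203.0.113.10.47250 > 8.8.8.8.53: 25109+ A? clients4.google.com. (37)
10:40:55.200000 IP 8.8.8.8.53 > 203.0.113.10.47250: 25109 1/0/0 A 198.51.100.7 (53)
10:40:56.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28
"""

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def find_unnatted(capture: str, wan_addr: str) -> list[dict]:
    """Return outbound packets whose source was not rewritten to wan_addr."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines are not IPv4 summaries; skip
        src, dst = m["src"], m["dst"]
        if dst == wan_addr:
            continue  # inbound packet addressed to WAN; outbound NAT is not involved
        if src != wan_addr and is_rfc1918(src):
            leaks.append({"ts": m["ts"], "src": src, "dst": dst, "dport": int(m["dport"])})
    return leaks

def leaking_sources(capture: str, wan_addr: str) -> dict[str, int]:
    """Count leaked packets per internal source to see which clients the NAT rule misses."""
    counts: dict[str, int] = {}
    for pkt in find_unnatted(capture, wan_addr):
        counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return counts

if __name__ == "__main__":
    for src, n in leaking_sources(SAMPLE_WAN_CAPTURE, "203.0.113.10").items():
        print(f"{src}: {n} packet(s) left WAN un-NAT'd")
```

Feed it a real capture with `tcpdump -ni <wan-if> -l` piped to a file and pass the actual WAN address; any source it reports is a client the outbound NAT rule does not cover.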
#14
19.1 Legacy Series / OpenVPN Export Options
March 07, 2019, 07:37:30 PM
What happened to all the openvpn export options?

How do I make a mobile config from the files presented? :-/
#15
Go into each interface, and at the bottom where you can select a gateway, select the correct gateway.

Also, check out Firewall -> Settings -> Advanced and check Sticky Connections under Multi-WAN :-D