Messages - agrumpyhermit

#1
anomaly0617, did you figure out your internal routing issue? I got my internal routing working stable regardless of the WAN by leaving all interfaces selected on Unbound's outgoing interface setting. Re-tested it on a fresh install and limiting the outbound interfaces killed internal routing without WAN. I selected all again and unplugged the WAN and never lost internal routing.
#2
I decided to start over with a fresh install. I still can't get it to work.

With my network and basic firewall rules set up (GeoIP and some blacklists on WAN), I created aliases for which networks need the VPN and which don't. I also created an alias for sites I'd prefer to not go through the VPN. I have no floating rules except the automatic ones.

I set up one standard OpenVPN client to PIA and left "Don't pull routes" unchecked. I put PIA's DNS servers in system>settings>general, and set up the NAT/outbound rule for it. It worked as soon as I turned it on. No other firewall rules at all. But, that pulls all traffic on my network through PIA.

I cloned the original OpenVPN client, changing only the name and pull routes box, and created/enabled a new interface named 2PIA assigned to the cloned client. I cloned the NAT/outbound rule, changing only the interface to the new interface. I can leave the client on and it stays connected with no traffic going through it, as it should be at this point. I can see that the new interface is getting an IP in system>gateways>single.

I used a group interface to include every other local interface that is supposed to go through PIA. On it, I created two firewall rules. On top: pass ipv4*, source=pia networks alias, destination=VPN bypass websites, gateway=WAN. 2nd rule is: pass, ipv4*, source=pia network alias, destination any, gateway=2PIA interface.

When I enable the firewall rules everything covered by the alias stops going anywhere. They won't even route to internal servers. Browsers say "looking up... xyz.com" until they time out. The VPN bypass sites don't work either. I tried using IP addresses instead of names thinking it might be DNS but still nothing. Other devices on the same interfaces, but not included in the alias, are unaffected. So my alias list seems to be working. I had double checked it in pfTables.

I did try changing the source on those two rules to their "interface net" also and still got the same result, except everything attached to the interface was impacted (as expected).

If any of you can help me leave my VPN on to selected traffic only I would greatly appreciate it.
#3
19.7 Legacy Series / Re: PIA openVPN stopped working
January 21, 2020, 12:45:26 AM
I switch servers regularly but all use port 1197.
#4
19.7 Legacy Series / Re: PIA openVPN stopped working
January 17, 2020, 07:22:14 PM
Still working for me.
#5
19.7 Legacy Series / Re: GEOIP stopt working
January 10, 2020, 05:55:24 PM
When I try to delete the old alias it says cannot delete... in use by filter.rule.67/source. I've gone through all my rules in the gui thoroughly and can't find anywhere I missed changing to the new alias. I tried resetting states and reloading pf. It let me disable it but won't let me delete it. Can someone tell me how to figure out what filter.rule.67 is so I can fix this?
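The "in use by filter.rule.67/source" message above names a rule by its position in config.xml rather than by its description. The following script is an added example (not from this thread or the OPNsense project) that walks the <filter><rule> list of an OPNsense-style config.xml and reports every rule whose source or destination address still names a given alias. It assumes that layout and that the N in filter.rule.N is the 0-based position of the rule in that list; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <opnsense><filter><rule> layout of config.xml.
# Rule index 2 still references the old alias; index 0 uses the new one.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>block</type><interface>wan</interface>
      <descr>Block GeoIP (new alias)</descr>
      <source><address>GeoIP_Block_v2</address></source>
      <destination><any>1</any></destination>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <descr>Allow LAN</descr>
      <source><network>lan</network></source>
      <destination><any>1</any></destination>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <descr>Old GeoIP block</descr>
      <source><address>GeoIP_Block</address></source>
      <destination><any>1</any></destination>
    </rule>
  </filter>
</opnsense>
"""


def find_alias_references(config_xml: str, alias: str) -> list:
    """Return (index, field, description) for every filter rule whose
    source or destination <address> names `alias`.  The index is the
    rule's 0-based position under <filter>; we assume (not verified
    against OPNsense source) that this is the N in 'filter.rule.N'."""
    root = ET.fromstring(config_xml)
    hits = []
    for idx, rule in enumerate(root.findall("./filter/rule")):
        for field in ("source", "destination"):
            if rule.findtext(f"./{field}/address") == alias:
                hits.append((idx, field, rule.findtext("descr", "")))
    return hits


if __name__ == "__main__":
    # On a real box: read /conf/config.xml instead of SAMPLE_CONFIG
    for idx, field, descr in find_alias_references(SAMPLE_CONFIG, "GeoIP_Block"):
        print(f"filter.rule.{idx}/{field}: {descr}")
```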
#6
19.7 Legacy Series / Re: GEOIP stopt working
January 10, 2020, 05:22:21 PM
chemlud, creating a new alias did the trick. Thank you!
#7
19.7 Legacy Series / Re: GEOIP stopt working
January 10, 2020, 05:06:01 PM
I can't get it working and unfortunately I don't know what to provide to help figure out the cause. I used the link in my browser and the file downloaded immediately. I've been trying in the GeoIP settings tab for about 14 hours (waiting overnight since I knew some had delays) and still nothing.
#8
19.7 Legacy Series / Re: Opnsense Rule "invert"
January 08, 2020, 03:59:13 PM
Anything but the chosen source/destination.
#9
We don't have any power outages or reboots happening. Our WISP has issues some 25 or so miles away on a mountain top and the internet goes down for anywhere between a few minutes and a few hours. Once the internet is down, internal routing soon follows. I'm using Unbound and wondered if switching to DNSMasq would resolve it, but haven't felt like trying it. I wish I were more knowledgeable to find info from the logs that might help.
#10
19.7 Legacy Series / VPN without pull routes enabled
January 08, 2020, 12:07:13 AM
I am trying to use PIA VPN service with "Don't pull routes" checked. With that unchecked it works as expected. My goal is to be able to use firewall aliases/rules to direct what traffic uses the VPN and what doesn't, rather than having all traffic sucked into the VPN. I'm using 19.7.8. I didn't find my answer from reading the many threads on here and PF. I've read the HOW TO thread 4979 at least 4 times.

I created a new VPN client and it connects fine. I then set up an interface for it to name it and left the interface enabled. No other interface settings touched. I also created an alias for PCs to use the VPN and verified the alias in pfTables. I haven't touched the DNS settings, which are pointed to PIA's servers already.

NAT - I have 4 new rules with the new interface. 2 have Source = 127.0.0.0/8 and one of those has destination port = 500 with static port checked. The other 2 new NAT rules have Source = VPN alias list and one is port = 500/static. All 4 are at the top of the list.

On the 2nd two rules, I have experimented with changing the source to LAN net and my LAN interface group. I did that b/c the working VPN's NAT source = (LAN interface group name) net. Neither has worked.

System>Gateways>Single shows the interface as online. I have no Gateway groups yet, though if I can get this working I plan to with multiple VPN client gateways for load balancing & failover.

Firewall>Rules>LAN - At the top of the list I put a pass/in/IPv4 rule with the new VPN client gateway set. I've tried setting source as the VPN alias list, LAN net, Group-name net. I have tried this rule with source variations on the interface group rules too, where I would prefer it be.

I have 3 Floating rules. The top one is pass any direction, IPv4* to destination LAN-group net, with "*" for the source, ports, and gateway. The 2nd is pass any direction IPv4 TCP/UDP to all "*". The 3rd is the same as the 2nd, except ICMP instead of TCP/UDP. I don't recall if or why I set these rules, probably a few years ago. I disabled the top rule with no noticeable impact. If I disable the bottom, ICMP rule, my connection cuts in and out every other second. If I disable the middle, TCP/UDP rule, I lose my connection and OPNSense gui. I have to ssh in and reload all services to get the gui back. Sometimes I briefly get the VPN connection after reload, but not consistently. I lose the gui again within a minute or two.

I tried adding a floating rule for the VPN on top of the TCP/UDP rule and got almost the same as disabling the TCP/UDP rule. The difference was that I couldn't get the GUI back by reloading services. I SSHed in and restored a config from 20 minutes prior. That's when I came to ask for help.

Is there a better way to achieve my goal of controlling VPN traffic and disabling pull routes? I don't care if I can't make it work the way I've been trying so long as I can get it to work. Or can someone please identify where I went wrong and teach me how to fix it?
#11
It isn't Firefox on Arch. That setup is working fine with me as long as I don't let NoScript block opnsense.org.
#12
Did you ever figure this out? We get the same thing with our not so reliable internet. When the WAN goes down we lose internal traffic shortly after. Can't print, access internal Nextcloud, etc. Supposedly going to get fiber out here soon, which should be far more reliable than our WISP. But until then, we lose internet at least a few times a week.
#13
19.7 Legacy Series / VPN use on 19.7
July 25, 2019, 07:16:33 PM
I was hoping someone as ignorant as I am about port forwarding would have asked this already but I can't find it. I upgraded to 19.7 last week, aware of the change with openvpn now needing to use localhost with port forwarding, but apparently over-optimistic about my ability to do it. Though I've set the VPN client and interface to disabled for now so I can get online, I have everything back to being set according to the older post "How to - Routing Traffic over Private VPN" found at https://forum.opnsense.org/index.php?topic=4979.0. Can someone please tell me how to set up the port forwarding for the new requirements?
#14
After my last post (2 days ago) I set a cron job to download remote acls every hour. Woke up this morning and the webgui was the only thing I could access. Every website I tried returned "access denied." The opnsense dashboard showed ram maxed out, swap nearly maxed out, and cpu usage at 97%. Couldn't pull up log files and couldn't ssh into the machine so I did a hard reboot.

Squid wouldn't start after reboot. Logs showed it couldn't load ftp port 2121, so I disabled that feature. It started fine after that, but still couldn't pull up a single website. Turns out the remote acls finally downloaded and every category of every list was enabled and applied. Couldn't disable any individual categories so had to disable the lists. Applying the change stopped the squid service and it wouldn't restart through the webgui. I SSHed into opnsense to start it at the cli and watched for errors. No errors shown, but squid wouldn't start. Another reboot, and squid loaded without the acls enabled and I obviously have access to regular websites again.

Maybe after a few hours of normal life I'll come back and play with the acl categories.
#15
Been focused on the issue with remote ACLs not downloading this morning. I'll work on the offline cache next.

UT1 is working again. I can download every list on my desktop and by logging into OPNsense via ssh and using wget. I ran `time curl -C - -O '(acl list link)'` and they all downloaded in seconds.

Per another thread I ran `/usr/local/opnsense/scripts/proxy/fetchACLs.py` and got nothing.

I've tried running the download from webgui and the above command with the lists enabled and disabled. No difference either way.

On the webgui logs (system, firewall, and proxy logs) I see nothing that looks related to these ACLs.

I just checked /usr/local/etc/squid/externalACLs.conf (both with them enabled and disabled in the webgui) and the yoyoads acl is the only one listed. I'm guessing the webgui isn't passing along the remainder of the list. I haven't figured out yet where that externalACLs.conf is generated from to check it.

I'm sure this is unrelated to this issue at all, but it is a change I made from my previously stated setup so thought I'd mention it. After learning more about unbound DNS from fabian on some other posts I switched from DNSmasq to Unbound. No issues with the switch.