Messages - nununo

#1
Quote from: bob9744 on February 15, 2023, 08:33:30 PM
Nvm - dug around and found how to constrain the answer using access control view.

Hello bob9744, I am having the exact same problem. Can you please elaborate on how exactly you managed to solve this? Did you manage to do it through the GUI? I was going to implement a solution proposed here: https://forum.opnsense.org/index.php?topic=16833.0, which relied on the field "custom options" to define access control views, but I just found out that it was removed from the GUI, so now I'm at a loss.

Thanks in advance.
#2
Hello,

Any news on this topic? The mentioned PR got closed.
I'd like to be able to have an Ansible playbook use OPNSense API to fetch existing certificates.

Thanks.
#3
Hi,

Thank you for the linked discussion. It is very useful. That and the other link discussion that's posted there.

Please keep me posted on your success!

I kind of let this unattended for a while but I will try to find some time to have another go at it. I'll also post my progress here.

Thanks!
Nuno
#4
Hi,

What I need:
I have several subnets defined in my OPNSense and need one of them to access the Internet through a VPN client instead of through the default gateway.

I also found a tutorial for OPNSense+NordVPN but it routes all traffic through the VPN. I just want to route one of the subnets. The rest must remain unchanged.

What I did:
After reading a lot from OPNSense's docs and some online tutorials (some specific to pfSense) I gave it a try:

  • Created a client to my VPN provider and connected it successfully;
  • Created a new interface WANVPN assigned to the VPN client;
  • (OPNSense automatically created two new Gateways called WANVPN_VPN4 and WANVPN_VPN6. I disabled the latter.);
  • Created a new VLAN type interface with VLAN=4 with parent interface LAN;
  • Created a new interface called LANVPN assigned to the new VLAN with address 10.0.4.1/24;
  • Changed NAT outbound mode to manual and created manual rules to keep the same behaviour as before except for the LANVPN interface;
  • Added NAT outbound rule on interface WANVPN with source address LANVPN net;
  • Added Firewall rule to interface WANVPN to let any traffic pass coming from LANVPN net;
  • Added Firewall rule to interface LANVPN to let all traffic pass and in the Gateway I chose WANVPN_VPNV4;

This is it. But somehow it is not working properly.

The problem:
A computer in this subnet 10.0.4.1/24 can successfully ping 10.0.4.1 but when it tries to ping google.com this happens:

PING google.com (216.58.201.174): 56 data bytes
64 bytes from 10.0.4.1: icmp_seq=0 ttl=64 time=1.177 ms
64 bytes from 10.0.4.1: icmp_seq=1 ttl=64 time=2.376 ms
64 bytes from 10.0.4.1: icmp_seq=2 ttl=64 time=2.009 ms
64 bytes from 10.0.4.1: icmp_seq=3 ttl=64 time=1.850 ms
Notice how DNS is able to find google.com IP but then it actually tries to ping 10.0.4.1.

And this is where I get lost. For sure I'm missing something or doing something wrong, but what? I'm not so sure about the Firewall rules I added in both LANVPN and WANVPN. I especially wonder why the interface WAN has an automatically generated rule called "let out anything from firewall host itself (force gw)" while the new interface WANVPN doesn't.

Any help is welcome.

Thanks in advance,
Nuno

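The tell-tale sign in the post above is that ping resolves google.com to a public address but every reply comes from the gateway itself (10.0.4.1), i.e. a host inside the client's own subnet rather than the target. The following Python script is an added diagnostic written for this thread, not code from the post or from OPNsense: it parses ping output (FreeBSD/macOS and Linux formats) and classifies whether the replies really come from the resolved address. The sample output and the default subnet 10.0.4.0/24 are taken from the post; the function names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample reproducing the symptom from the post: google.com
# resolves to 216.58.201.174, but the replies come from the gateway 10.0.4.1.
SAMPLE_PING = """\
PING google.com (216.58.201.174): 56 data bytes
64 bytes from 10.0.4.1: icmp_seq=0 ttl=64 time=1.177 ms
64 bytes from 10.0.4.1: icmp_seq=1 ttl=64 time=2.376 ms
"""

# Header line: "PING host (a.b.c.d)..." on both BSD and Linux ping.
HEADER_RE = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
# Reply line: BSD prints "64 bytes from a.b.c.d:", Linux may print
# "64 bytes from hostname (a.b.c.d):"; both are accepted.
REPLY_RE = re.compile(r"^\d+ bytes from (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?:")


def parse_ping(text):
    """Return (target name, resolved IPv4, list of reply source IPv4s)."""
    target = resolved = None
    sources = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target, resolved = m.group(1), m.group(2)
            continue
        m = REPLY_RE.match(line)
        if m:
            sources.append(m.group(1))
    return target, resolved, sources


def diagnose(text, local_net="10.0.4.0/24"):
    """Classify ping output.

    'ok'                        every reply comes from the resolved address
    'answered_by_local_host'    replies come from inside the client's own
                                subnet (the gateway answering instead of the
                                target, exactly the symptom in the post)
    'reply_from_unexpected_host' replies come from some other address
    'no_replies'                nothing to judge
    """
    _, resolved, sources = parse_ping(text)
    if resolved is None or not sources:
        return "no_replies"
    if all(src == resolved for src in sources):
        return "ok"
    net = ip_network(local_net)
    if all(ip_address(src) in net for src in sources):
        return "answered_by_local_host"
    return "reply_from_unexpected_host"
```

Running `diagnose(SAMPLE_PING)` on the post's output returns `answered_by_local_host`, which points at the router handling the packet itself rather than at DNS, so the NAT outbound and gateway settings on LANVPN/WANVPN are where to look next.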
#5
Hello,

I moved my Sonos speakers to an IoT dedicated subnet.

Now I'm trying to configure OPNSense so that my iPhone Sonos App can discover the Sonos speakers from a different subnet.

I successfully did this before for mDNS using the os-mdns-repeater plugin and I was hoping that I could use os-upnp to make it work for UPnP.

Since I don't want to give UPnP access to WAN (which seems to be the most common configuration) I defined my LAN interface as the external interface and my IoT interface as the local. The service is running and below you can find its current configuration (JAULA is the name of the IoT subnet).

Since it didn't work I added a rule that lets out from IoT interface all traffic to port 1900 and now I'm not getting any drops in the firewall anymore. But this doesn't seem to be enough yet.

Please help!
Thanks in advance,
Nuno
#6
Hum... I'm not so sure what the problem is anymore. Because I just managed to connect to one of these discoverable services. My Sonos devices still don't show but another one did. I will better investigate this when I'm back home.

Anyway, the question remains: if indeed mDNS multicast traffic is reaching my OpenVPN subnet, how is that happening?
#7
Hi,

I created a separate subnet segment in my home for IoT devices. I am using mDNS repeater so that stuff like Sonos speakers and AirPrint printers can still be automatically discovered from my other subnet.

But I also connect to my home via OpenVPN which creates a 3rd subnet.

Unfortunately the mDNS repeater plugin doesn't list my OpenVPN connection. So, when I connect via VPN I have no access to any of the devices that depend on mDNS.

Is there any way to solve this problem?

Thanks in advance,
Nuno