Messages - verulian

#1
I have a setup where I'm needing to bypass CGNAT and some other headaches from an ISP. I basically need ALL traffic to pass through a Linode "portal" node across WireGuard to my LAN with the headache ISP.

I have followed the site-to-site tutorial (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html) and it works well from what I can tell with communication between the two sites (the Linode doesn't have a "LAN" so to speak, only a singular WAN).

We will call the Linode OPNsense server "Site A". The second site behind the ISP will be "Site B".

I am not understanding how I can make "Site B" (192.168.0.1) act as a gateway that will tunnel all internet traffic across the WireGuard VPN tunnel after connection.

It seems like "Site B" should and does negotiate the connection just fine to "Site A", but the snag comes to me that when this link is established, it should then use the WireGuard link for ALL traffic from the LAN that goes across it to access through the Linode node and IP address.

Can anyone explain or point me to documentation that will explain how to do this with the two OPNsense sites?

#2
So my issue is that I'm trying to set up a site-to-site WireGuard arrangement. The system I'm referring to is an OPNsense 24.1 install with a singular WAN port. Each time I make any changes that seem to affect the firewall I have to do something to make it responsive again for the web admin interface. I couldn't think of anything to do while I only had LISH (console access via Linode) access except something basic, and this "service pf onerestart" is what worked to push the system into responsiveness again on the web interface. I even found this to be true with direct ssh remote access as well - same problem, had to go to LISH and issue "service pf onerestart" to get ssh to respond...
#3
Unfortunately this guide (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) needs some updating. The step numbers are off in at least 3 or 4 places and screenshots and values are no longer congruent with the system. Things are not sufficiently clear or delineated since this is a stepwise treatment.
#4
When I was logged into the shell to restart pf, I got the error in the subject line which seems odd/worrisome:

root@firewall:~ # service pf onerestart
Disabling pf.
/etc/rc.d/pf: WARNING: /etc/pf.conf is not readable.

As you will see, the file simply isn't there:

root@firewall:~ # cat /etc/pf.conf
cat: /etc/pf.conf: No such file or directory

#5
I'm not clear on how this helped, but I was able to execute this from the shell and was able to access the web admin interface again:

# service pf onerestart
Disabling pf.
/etc/rc.d/pf: WARNING: /etc/pf.conf is not readable.

I was concerned about that pf.conf message though and the file is not present:

# cat /etc/pf.conf
cat: /etc/pf.conf: No such file or directory
#6
While setting up an OPNsense WireGuard VPN server and following along on this guide:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I hit a snag on Step 4(a). In my case I am setting this up on Linode with a single network interface (WAN of course), but my goal is to only provide a gateway service with WireGuard. After getting to "Save the interface configuration and then click Apply changes" the web admin interface entirely stopped working.

I am left now with only being able to ssh into the system or use LISH (a remote direct console to the server). I don't know how to back out of the changes that were done in Step 4(a) from ssh, but I'd really like to not have to set this entire thing up again.

Any ideas of how to fix this or back out of these changes or troubleshoot it further to determine what really went wrong here? I assume that setting up this WireGuard assignment here somehow broke the only other assignment.

I suppose after I get the server working again I'll need to try to find another tutorial that is a WAN-only WireGuard VPN internet gateway service setup, but so far I haven't found anything beyond this particular docs manual entry.
#7
I am confused by your disdainful tone here. I would suppose that the customer base for Ubiquiti and other similar devices is at least in the tens of thousands if not hundreds of thousands or more. This is a common functionality and for you to relegate it as you have really is strange and shocking. Do you really have the best interest of OPNsense in your heart??? Your remark does not feel objective here.

Have you not seen EdgeMAX administrative interfaces before? It's okay if you have not, but I don't think you should be so quick to discount and poo poo such things as you feel to have done.

Thank you for your time. I will think about this and probably just go back to EdgeMAX for this particular situation after this kind of interaction for this particular use case scenario since I need this functionality in an integrated fashion.
#8
Very true, but (given some peculiar circumstances I'm dealing with) I have to run everything from a single server machine. I simply don't have the luxury to isolate OPNsense and a Linux system to do both tasks. I guess Proxmox or ESXi will end up being required. Had hoped to keep OPNsense in a dedicated setup, but it's just not going to be permitted for this scenario. Either that or I just have to go ahead and go back with Ubiquiti's solution and dump OPNsense for this particular scenario. :'(

I guess I foobarred this since I went in selling OPNsense as being everything and more than Ubiquiti's EdgeMax distribution offerings on the monitoring and visualization front.
#9
Thank you. That looks really interesting. I suppose I am in a pickle though since I needed to integrate it directly on OPNsense itself. I suppose I will rethink my strategy and probably run OPNsense through a virtual machine since I don't think I'm going to be able to get by with additional hardware presently due to some limitations out of my control.
#10
I need to figure out a way to achieve a friendly at-a-glance traffic analysis tool-like presentation of host traffic utilization similar to the Ubiquiti EdgeMAX "Traffic Analysis" tab in OPNsense:

If you hover over any of these hosts you will also see a presentation of the various services that EdgeMAX is able to detect and how much bandwidth each is using by known protocols or services and sites. Example:

How can I achieve something similar here in OPNsense?
#11
I have a "switch" (setup as bridge0) called LANSwitch, yes.

Yes, I have 3 WAN ports with 3 ISPs. Two of them are active and the 3rd is just plugged in when needed as it is a hotspot from a wireless phone service and so is only active when there is trouble.

Yes, it is basically a failover group. WAN1 is Starlink and is the main fast connection. WAN2 is another ISP that is crap (10 Mbps), but it is always on and may be upgraded soon due to the phone system, but even after an upgrade it will still only be 1/3 to 1/5 the speed of Starlink WAN1. I think I'm going to modify it to be a kind of load balance arrangement so that WAN1 is weighted much more heavily at 10-20x, but it's not really important.

I'm not entirely sure on the instructions is my problem. They seem unclear and so I'm not sure how to use the gateway group properly. I sure wish there were simply not mistakes in the documentation.

I've been out of the office and am going to look closer at your instructions within the next several hours or so. Thank you.

I also stumbled upon something else I need to look at closely that might offer better screenshot steps to be more clear: https://www.thomas-krenn.com/de/wiki/OPNsense_Multi_WAN
#12
Thank you, it seems as if you are saying I am supposed to modify rules for a group that should be there called "WANGROUP" (if I'm following the instructions exactly). For example, the instructions indicate, in Step 2:

And this is what I have in this WANGROUP:

But in Step 5 when I go to Firewall → Rules, I do not see "WANGROUP" in these rules that you seem to maybe indicate should be there (but you call "multwan" in your first sentence):

But in the instructions it does say "This rule will utilize the gateway group for all traffic coming from our LAN network" in the "!Note" in Step 4, which makes me think I need to use my "LANSwitch" bridge "group" from Interfaces → Other Types → Bridge:

So is there a problem with my Firewall → Rules listing where the "WANGROUP" is not showing or should I actually be working with "LANSwitch" and add the rule that you say there in "LANSwitch" instead?
#13
I'm attempting to set up an OPNsense system with 3 WAN gateways in a group for failover and load balancing with priority on WAN1 ethernet port.

I was following the following instructions without too much trouble, until I hit "Step 5 - Add allow rule for DNS traffic":
https://docs.opnsense.org/manual/how-tos/multiwan.html

Step 4 started to seem a little iffy and then when I hit Step 5 I went entirely off the rails. First you see:

Quote:
    Add a rule just above the default LAN allow rule to make sure traffic to and from the firewall on port 53 (DNS) is not going to be routed to the Gateway Group that we just defined.

    Start with pressing the + icon in the bottom left corner.

First, I wasn't sure what it meant by "Add a rule just above the default LAN allow rule..."

In my case I have LAN1, LAN2, and LAN3 in a "LANSwitch" bridge (bridge0; see: https://docs.opnsense.org/manual/how-tos/lan_bridge.html) and then I have WAN1, WAN2, and WAN3 in a Gateways → Group called WANGROUP with each different WAN1_DHCP, WAN2_DHCP, and WAN3_DHCP all in tiers 1 through 3 for priority and set up as per instructions in the initial multiwan URL above.

So while I wasn't sure what that meant as I said "Add a rule just above the default LAN allow rule..." I thought maybe it was talking about LANSwitch in my case since it's the bridge for my 3 ethernet LAN "switch" ports. I tried to edit that, but the instructions really didn't seem to line up at all well.

I then poked around elsewhere and really didn't find anything that matched up there either. The line "Start with pressing the + icon in the bottom left corner." also didn't line up with anything. I just don't see any "+" buttons in any bottom left corners anywhere...

Can someone point me to some more clear instructions about how to set up a multi WAN gateway setup that can fit my scenario as outlined? Or can these instructions from the official docs be clarified or expanded with screenshots to help make them more clear?
#14
Thank you so much: Firewall > Virtual IPs > Settings

#15
I've got a scenario where I need to set up a test network that emulates a customer's network. Their network is 10.0.0.1/8 and my LAN is 192.168.0.1/24. These two networks will be going to the same switch without DHCP.

I have workstations set up with the 192.168.0.0 subnet as the primary interface config and will set up 10.0.0.0 as a second one with lower priority, but it simply facilitates testing and going to network devices with static IPs prior to deploying onsite.

192.168.0.0 works fine right now, but my (failed) attempts so far don't allow visiting of 10.0.0.1 or any other device (such as 10.0.0.2) on the subnet and 10.0.0.1 doesn't act as a gateway for internet traffic yet.

How is this configured with OPNsense?

I could do this the "dumb" way and just plug in another router, but I know this must be possible with OPNsense...