Messages - ursus

#1
I have 4 official IPs. I am using one IP to run a MailInABox server that does mail, NextCloud, DNS and a web server. I am using a second one to self-host an RSS server.

My internal network is 192.168.1.x and the DMZ is 192.168.100.x.

I then installed WireGuard on the firewall using port 51820. I am using 10.10.0.x as my VPN network. I set up the network rules and can access the DMZ server and the LAN servers from the VPN.

I then created a port forward to a third official IP that I am using for WireGuard as I would like to use port 53 for the tunnel (none of my clients block this port). This just forwards all traffic from the third IP port 53 to the main IP port 51820. This also works perfectly.

This means when I am at a customer I can open the tunnel, ssh to my servers in the LAN and the DMZ.

What does not work is me accessing anything that is on the DMZ side from the tunnel. What I mean by that is that I cannot access e.g. mail on that server. When I ping the mail server I am getting the external IP, which is correct; I cannot access any mails using a mail client. I also cannot access the RSS server when the tunnel is open... I think I need to set reflection somewhere maybe, or something else. Does anybody have a pointer as to what I still need to set up?

Thank you very much for any help given!
#2
Thank you very much - thought I was going mad :D
#3
Hi

I love using aliases and have quite a few already set up. I want to set up my Xbox for open NAT and started by creating a new port alias. I can enter the name, but when I select Port(s) and then try to enter the port in the Content field, the values entered just disappear. I am on the newest version of OPNsense (OPNsense 19.7.5-amd64) and this was working, as I already have a couple of port aliases that I created previously. Is this an error with this version of OPNsense or am I missing something?

Cheers
Ursus

PS: I have tried rebooting, checking if there is a newer version available, and copying an existing entry and trying to update it.
#4
19.7 Legacy Series / Re: Wireguard installation
August 25, 2019, 02:50:51 PM
>> Have you read the docs about central VPN with WireGuard?
nope - I'll read up about it -> think this is the link you are referring to: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

>> You dont need 1to1 Nat
ok, but how does the traffic get routed to the correct IP -> I have 3 IPs, all listening on 443? Don't I need to tell the FW that anything coming in on port 443 to the 3rd IP is for WireGuard?

>> At the endpoint device you need to add the local lan

>> Why do you need DHCP? You can also use IP/32, makes it clearer
yip - you are correct! I have changed it.
#5
19.7 Legacy Series / Re: Wireguard installation
August 23, 2019, 02:00:22 PM
Quote from: mimugmail on August 22, 2019, 06:16:15 PM
If you assign an interface it's named like this in rules. Use this one when you use it. For simple setups you don't need to assign.

I have tried that but cannot get it to work. Here is what I want to do: I have three IPs. I would like to use the first IP for mail (incl. a web front-end for mail - I am using a NAT port forwarding rule), the second one for a web server (1:1 NAT and rules) and the third one (1:1 NAT and port forwarding rules) to send all VPN traffic through to the LAN. The reason I want to use port 443 is that some of my customers have blocked "non normal" ports in the guest LAN.

What I want is therefore:

I am at the customer -> I try and connect to my VPN using IP x.x.x.204 and port 443 and want access to everything in 192.168.1.x/24

This is what I have created:

VPN/WireGuard/Local => Port 443 / Tunnel address: 10.10.0.0/24
VPN/WireGuard/Endpoint => Allowed IPs: 10.10.0.0/24 / Endpoint address: x.x.x.204 / Port: 443
Firewall/NAT/One-to-One => WAN / x.x.x.204/32 => WireGuard net
Firewall/Rules/LAN => Allow all from 10.10.0.0/24
Firewall/Rules/Wireguard => Allow all from 10.10.0.0/24
Firewall/Rules/WAN => Destination: x.x.x.204 / Port: 443

What I am not sure about is:

Do I create a FireWall/NAT/Port forward rule?
How do I set the DHCP server -> without an interface I cannot assign one? Or do I just assign fixed IPs? Is VPN/WireGuard/Endpoint => Endpoint Address perhaps the fixed 10.10.0.x address?

What am I missing :)

#6
19.7 Legacy Series / Wireguard installation
August 22, 2019, 05:51:10 PM
So, I wanted to install WireGuard on my firewall - read everywhere how simple that is... I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and it seems as if that is for a different version of WireGuard and/or OPNsense? Setting up the routing shows me two WireGuard sections (I then renamed the interface to VPN and now I have a VPN and a WireGuard section in Rules) - which one do I use?

I would also like to help with the documentation for WireGuard, could somebody point me in the correct direction? Thx
#7
In case you never did find the solution to your problem: https://forum.opnsense.org/index.php?topic=13865.0
#9
General Discussion / Re: Updating rules
August 18, 2019, 10:45:28 AM
Hi

This is how I solved my problem:

1. created the WAN connection => normal settings
2. created the port forward NAT rules needed to access the first server -> use the WAN address here (I created an alias just to be sure that the correct IP is being used (read in the forum somewhere that sometimes the WAN network was being used - I did not have that problem!)). I let OPNsense create the WAN firewall rules.
3. created an Alias IP => important: as you are setting up one IP, /32 is the correct net mask -> I was using /29 here! NB2: now your firewall frontend is accessible from the Internet!!!! Careful!
4. created the port forwarding NAT rule using the Alias IP as the destination and redirecting to your web server. Allow OPNsense to create your firewall rule for you.

There you go, all perfect

One VERY important thing to note -> I am not sure if this is the normal setting, but in System/Setting/Administration I had Web GUI/Listen Interfaces set to All (recommended) -> this allows the Web GUI of the firewall to be accessed from the internet until you have set up your rules -> I changed this setting to LAN.
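An added check for the steps above (not part of ursus's post; the block, WAN address, gateway and alias list are constructed from the RFC 5737 documentation ranges): it models the /32-versus-/29 alias mistake from step 3, counts the free addresses in the ISP block, and flags a Web GUI listen setting of All, which is what left the firewall front-end reachable from the Internet. With the ISP gateway assumed to sit outside the block, the counts come out at 1 free of 4 and 5 free of 8 as in the post.

```python
import ipaddress


def plan_virtual_ips(block, wan_address, gateway, aliases, gui_listen="All"):
    """Check a plan for adding Virtual IPs (IP aliases) on an OPNsense WAN block.

    block       -- the public range the ISP assigned, e.g. "203.0.113.0/29" (constructed)
    wan_address -- the address already configured on the WAN interface
    gateway     -- the ISP gateway; it may sit inside or outside the block
    aliases     -- candidate Virtual IPs as "address/prefix" strings
    gui_listen  -- the Web GUI 'Listen Interfaces' setting ("All" or "LAN")
    Returns the free addresses, a problem per bad alias, and whether the GUI
    would be reachable on every address the firewall owns, including the new ones.
    """
    net = ipaddress.ip_network(block, strict=True)
    wan = ipaddress.ip_address(wan_address)
    gw = ipaddress.ip_address(gateway)
    # Addresses that can never be handed to a server behind the firewall.
    reserved = {wan, gw, net.network_address, net.broadcast_address}
    # hosts() already skips the network and broadcast address of the block.
    free = [ip for ip in net.hosts() if ip not in reserved]

    problems = {}
    for alias in aliases:
        iface = ipaddress.ip_interface(alias)
        if iface.network.prefixlen != iface.max_prefixlen:
            # A /29 alias claims the whole block, not the one address you meant.
            problems[alias] = "a single virtual IP needs a /32 mask, not /%d" % iface.network.prefixlen
        elif iface.ip not in net:
            problems[alias] = "address is outside the ISP block %s" % net
        elif iface.ip in reserved:
            problems[alias] = "address is the WAN address, gateway, network or broadcast"

    # With Listen Interfaces = All, every alias also becomes a GUI listener on WAN
    # until a WAN rule blocks it; LAN-only listening closes that window.
    gui_exposed = gui_listen.strip().lower() == "all"
    return {"free": [str(ip) for ip in free], "problems": problems, "gui_exposed": gui_exposed}


if __name__ == "__main__":
    # Constructed example: an /29 block, WAN on .2, gateway routed from outside the block.
    result = plan_virtual_ips(
        "203.0.113.0/29", "203.0.113.2", "198.51.100.1",
        ["203.0.113.4/29", "203.0.113.4/32", "203.0.113.2/32", "203.0.113.7/32", "198.51.100.5/32"],
        gui_listen="All",
    )
    print("free:", ", ".join(result["free"]))
    for alias, why in result["problems"].items():
        print("%-18s %s" % (alias, why))
    if result["gui_exposed"]:
        print("WARNING: Web GUI listens on All; set it to LAN before adding the aliases")
```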
#10
Hi

I have the same problem -> did you ever fix this?

Cheers
Ursus
#11
General Discussion / Re: 1:1 and WAN FW rules Issues
August 17, 2019, 09:54:23 PM
Hi

I have exactly the same problem as you -> did you ever find a way to get this to work? I have tried everything but it just will not work.

I am not quite sure why a "normal" NAT rule would not work here -> source would be the virtual IP, dest your web server? I tried it, doesn't work!

Thank you in advance
Ursus
#12
General Discussion / Updating rules
August 17, 2019, 07:20:50 PM
Hi

I am moving from a 4 IP range (1 free) to an 8 IP range (5 free). I changed the WAN address and GW address and restarted the firewall. Everything worked as I was hoping and all my existing rules were still in place. Perfect.

I have my mail server on the main IP (WAN) and would now like to add another server in the DMZ that I will use as a web server - I added the extra IPs as Virtual IPs, but as soon as the virtual IP is added all the ports are then closed. I assume that the rules now no longer make sense. Do I need to update all the NAT rules for the existing WAN address?

I read that I need 1:1 NAT but shouldn't I be able to just Port Forward to the different machines? I would have thought that I could just do this: https://www.lawrencesystems.com/pfsense-setting-multiple-static-wan-ip-addresses-using-virtual-ips-nat-firewall-rules/

Thank you for any help.
Ursus
#13
19.1 Legacy Series / Re: nginx as Reverse Proxy
May 29, 2019, 09:00:36 AM
Nope, never got this to work. I am giving it another try this weekend - if I get it working I'll report back here :)
#14
Hi Guys. I have just installed a new OPNsense FW, I have a Mail-in-a-Box instance running in my DMZ. I am using port forwarding to the Mail-in-a-Box server for mail for a couple of my friends and myself. I thought that I would try and install Sensei and am very impressed with it - well done guys. I monitored both the LAN and the DMZ interface. I left everything activated in Sensei but am getting very weird errors from Mail-in-a-Box. It is now saying port 22 cannot be reached, I cannot send and receive mails correctly, and the box cannot update (apt update) itself anymore. I have had to uninstall Sensei again for everything to go back to normal.

What can I do to still use Sensei *and* Mail-in-a-box? Any pointers?

Thank you in advance
Ursus
#15
19.1 Legacy Series / Re: nginx as Reverse Proxy
May 02, 2019, 10:23:07 PM
I still seem to have a problem with my setup -> what I have noticed is that if I tick "enable nginx" on the general settings page I cannot start nginx -> if it is not enabled I can start nginx on the dashboard? I have deleted all my settings, removed the nginx plugin and reinstalled. Didn't help unfortunately 🙁