Messages - MTR

#1
22.1 Legacy Series / Re: os-ddclient
April 09, 2022, 04:49:15 PM
Quote from: Sakata_T on April 06, 2022, 06:22:14 PM
So, any updates to the various issues in ddclient?
FreeDNS still doesn't seem to work, though there may be something on my end that I must do.
On the FreeDNS config side, which of these should I be using?

All supported update styles:
- Randomized Update Token: default option, simple, secure, my personal favorite.
- Username and Password, inline: username and password as URI arguments, rather than the HTTP authentication.
- Username and Password: uses HTTP authentication, if you'd rather use a username/password; some routers like to implement this method or can be most easily adapted to this method.
- /nic/update: uses HTTP authentication, I've seen update attempts like these hitting the server.



Also worth noting that none of these are HTTPS. Not sure if that is or should be a concern?

I tried some different things for FreeDNS and I got it to work using username/password instead of e-mail address/token.
#2
22.1 Legacy Series / Re: New Dynamic DNS not working
April 09, 2022, 04:48:19 PM
.
#3
22.1 Legacy Series / Re: New Dynamic DNS not working
April 09, 2022, 03:56:57 PM
Same error here, using FreeDNS.

WARNING: file /var/tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''

EDIT:
For anyone who came here through a search engine, there is already a thread for this issue here:
https://forum.opnsense.org/index.php?topic=26446.0
#4
Nice, thanks!
#5
Me neither. This should work but it doesn't. Thanks again for your help though!

* PSG-ManC is 1-0 at half time. Maybe I should consider my match half time as well. As in, I might take another look. Some day. If anybody reading this has anything to add, please do.
#6
Quote from: allebone
Here is the proof it works from an iphone.
No worries, I'm totally convinced your setup works. I appreciate the time you take to try to help me!  :)

So far I tried:

a) One WAN rule (dest. WAN Address, port 51820) and one NAT (dest. WAN Address, port 51821 redirect to 192.168.1.1 port 51820)
b) Two NAT (one dest. WAN Address port 51820, redirect to 192.168.1.1 port 51820 and one dest. WAN Address port 51821 redirect to 192.168.1.1 port 51820)
c) One NAT rule only, redirect dest. WAN Address port 51821 to 192.168.1.1 port 51820.

With options a) and b) I can successfully connect to endpoint my.wan.ip:51820, but as soon as I try my.wan.ip:51821 I can't get a handshake.
Option c) also fails the handshake when connecting to my.wan.ip:51821.

Same problem when I try to redirect a port for OpenVPN; no connection possible.
When I redirect a port to a different machine in my network everything works as it should. Just not when I redirect to a service on the firewall itself.  ???

I even tried less-sensical options like opening 51821 and 51820 from all sources in Rules -> LAN, Loopback and WAN, setting ListenPort in the client's [Interface] config and what not. All without success.

I don't know what else I can try to make this work and frankly I'm getting fed up with this. At first I wanted to solve this just because it should work, but now I'm ready to throw in the towel and just run Wireguard on a different port. Gonna watch me some brilliant CL soccer now, PSG-ManC. Hopefully that match will be good. This one wasn't: FW-MTR 1-0.  ::)


edit: added option c) to things i tried.
#7
I followed the road warrior setup guide, hence the rule with Destination WAN address under Rules->WAN.

Quote from: allebone
Under my rules, wan the destination is the internal IP of the firewall not wan address
Yes, the NAT rule creates a rule under Rules->WAN which says destination <internal_ip>. Destination in the NAT rule is WAN address though (yours says PPPoEWAN address, according to the screenshot you posted earlier).

Quote from: allebone
Probably because of stateful inspection the bottom wan rule is never hit (the rule above stops further processing of rules). You could try to reorder the bottom rule and move it before the rule that is to wan address in your screenshot.
Tried that, no-go.

Quote from: allebone
I'm pretty sure this is the issue because I only use nat rules even when forwarding to the router itself (ie as opposed to just opening the wan up directly).
For testing I removed the rule I made in WAN, going only with a NAT rule as you suggested. This works (client connecting to 51820):


But this does not (client connecting to 51821):


Do you have only 1 NAT rule for Wireguard and nothing more (except from the linked rule under Rules->WAN)?
#8
Under NAT -> Port Forward I have destination WAN address with port 15821 and NAT 192.168.1.1 with port 15820.

Under WAN the first rule is for normal Wireguard, and the second one is linked by the NAT rule. 

Is this not right?
#9
I know I can just run Wireguard on a different port, but port forwarding should work, right? Why doesn't it? I must be doing something wrong and I'd like to know what. Please see attached images for my NAT and WAN rules.
What am I missing here?

#10
Wireguard-go. But I don't think that's the issue; I just tried port forwarding for OpenVPN and that doesn't work either.
#11
Quote from: allebone on September 24, 2021, 09:38:52 PM
Did you make sure under wireguard - local the port you are redirecting to is what wireguard is running on.
Yes, Wireguard is running on 51820. Clients connecting to that port directly get a handshake just fine.

So, if your config works, then OP's and mine should work as well, yet they don't. There must be something else then; some setting or rule both OP and I have in place which prevents us from port forwarding to services running on the firewall itself. @OP can you confirm NAT port forwarding is working for a different machine in your network? I know this works on my end:

Firewall-> NAT-> Port Forward:
Interface: WAN
TCP/IP: IPV4
Protocol: TCP/UDP
Source: any
Destination: WAN address
Destination Port Range: 51821-51821
Redirect Target IP: Single Host or Network: 192.168.10.10
Redirect Target Port: 8888

When I use a browser and connect to http://my_wan_ip:51821 I now get the web interface for Chronograf running on my Pi3@192.168.10.10:8888.

So NAT port forwarding is working, just not for services on the firewall itself, so it seems.


edit: for anyone wondering (I did ;)), NAT port forwarding does also work for devices in the same VLAN as the firewall. I tried the above config but redirecting to 192.168.1.10:80, which is a switch, and I get the switch's web interface.
#12
Not OP, but same problem here. Not a matter of a port blocked by the ISP. I tried on port 80 which I know isn't blocked but no go. Also tried port 51821 for testing but no luck.

Firewall-> NAT-> Port Forward:
Interface: WAN
TCP/IP: IPV4
Protocol: UDP
Source: any
Destination: WAN address
Destination Port Range: 51821-51821
Redirect Target IP: Single Host or Network: 192.168.1.1 (also tried 127.0.0.1 and Wireguards 10.0.0.1)
Redirect Target Port: 51820

I thought this should be good but it isn't. What am I missing here?

#13
I 'fixed' this issue by using a port redirect for DNS coming in from the Wireguard interface. Now all DNS queries get redirected to localhost and wham, no more ads in apps. I'll mark this solved for now, as it doesn't seem to be Opnsense related but rather an issue with Android or the Wireguard Android app.
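The DNS redirect described in this post, written out as a pf rule. This is an added example, not a rule from the thread or from OPNsense's generated ruleset; it assumes the WireGuard interface is named wg0, the tunnel network is the 10.0.0.0/24 from the earlier post, and Unbound is listening on 127.0.0.1 port 53.

```pf
# Assumed names (not from the thread): wg0 = WireGuard interface on the firewall.
# 10.0.0.0/24 is the tunnel network given earlier in the thread.
wg_if  = "wg0"
wg_net = "10.0.0.0/24"

# Every plain-DNS request that arrives over the tunnel is handed to the local
# Unbound instance, whatever resolver the app had hard-coded. Without this an app
# that ignores the tunnel's DNS setting never sees the blocklist, which is what
# shows up as "ads in apps but not on web pages".
rdr pass on $wg_if inet proto { tcp udp } from $wg_net to any port 53 -> 127.0.0.1 port 53

# Limits: DNS over TLS (port 853) or DNS over HTTPS (port 443) is encrypted and
# cannot be redirected this way; those ports can only be blocked, not filtered.
block in quick on $wg_if inet proto { tcp udp } from $wg_net to any port 853
```

In the OPNsense GUI the same rule is a Firewall -> NAT -> Port Forward entry with the WireGuard interface, protocol TCP/UDP, destination any, port 53, redirect target 127.0.0.1 port 53; check Unbound's query log from a tunnel client to confirm the redirected queries arrive there.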
#14
Hi,

I'm using Unbound's blacklist feature with Wireguard on my Android devices for blocking ads on the go. This used to work fine, but recently I started to get ads in Android apps. Thing is, it's kind of selective. Ads are blocked on webpages but not in apps. But when I'm on my LAN not using Wireguard I get no ads at all. I'm unable to figure out why I'm seeing ads only in apps and only when using Wireguard. I upgraded Opnsense from 20.1 to 21.7.2 (needed to do that anyway ;)) but that didn't help.

- IPs: Opnsense 192.168.1.1/24, Wireguard Local 10.0.0.1/24, Wireguard Endpoint 10.0.0.2/32
- DNS Server in Wireguard Local is not set; tried both 192.168.1.1 and 10.0.0.1 but that didn't seem to make any difference.
- DNS Server in client's Wireguard config is set to 192.168.1.1 (10.0.0.1 doesn't work: websites take a lot longer to load and i get no ad blocking at all)
- Unbound is set to listen on the WG interface and 10.0.0.2/32 is added to Access Lists

It does do something; no ads on webpages. But why do I get ads in apps when I'm connected with Wireguard? Any ideas?

#15
21.7 Legacy Series / Upgrade from 20.1 > 21.7: success
September 09, 2021, 01:34:05 AM
Just a different note between all error posts here. I just upgraded from 20.1.x to 21.7.2_1 and all it took was a few clicks and a couple of reboots. No issues whatsoever. Thanks devs!  8)