Messages - gurpal2000

#1
@franco - appreciate your comments.

Perhaps if you can put a final statement (fix/advice) and maybe lock the thread before it causes further confusion (for want of a better word).

thanks
#2
Noticed internet access was very slow since doing the upgrade a couple of days ago.

Thankfully came across this thread. Not an opnsense expert. Running opnsense on a dedicated physical machine.

Rolled back to 22.7.9 and things seem to be back to 'normal'.

opnsense-revert -r 22.7.9 opnsense
opnsense-update -kr 22.7.9
# then reboot

Cheers,
#3
OK. nslookup from Windows does that for me too. Something to do with the order perhaps?

C:\Windows\System32>nslookup sense
Server:  sense.lan
Address:  192.168.10.1

Name:    sense.lan
Addresses:  x.y.115.212
          192.168.10.1

and Linux seems similar

gurpal@proxmox:~$ dig sense

; <<>> DiG 9.16.22-Debian <<>> sense
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1223
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sense.                         IN      A

;; ANSWER SECTION:
sense.                  3600    IN      A       x.y.115.212
sense.                  3600    IN      A       192.168.10.1

;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Sun Jan 09 08:38:10 GMT 2022
;; MSG SIZE  rcvd: 66
#4
I've been on OPNsense for a while now, but one thing has always bugged me.

From within the LAN, when I ping the OPNsense server, I get the IP address assigned by the ISP as opposed to the internal network subnet (192.168.10.x) - from a Windows machine. I use Unbound. DHCP clients are registered.

Windows example:

C:\Windows\System32>ping sense

Pinging sense.lan [x.y.115.212] with 32 bytes of data:
Reply from x.y.115.212: bytes=32 time<1ms TTL=64

Linux seems to be fine, but there is a short delay before the pings return.

gurpal@proxmox:~$ ping sense
PING sense.lan (192.168.10.1) 56(84) bytes of data.
64 bytes from sense.lan (192.168.10.1): icmp_seq=1 ttl=64 time=0.163 ms

Is there something mysterious Windows clients are doing? When I do ipconfig, it all looks great to me.

thanks
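The two posts above (#3 and #4) show the same symptom from both sides: the firewall's own hostname resolves to two A records, the ISP-assigned WAN address and the LAN address, and which one a client ends up using varies. The script below is an added example, not code from the thread or from OPNsense. It parses a dig-style ANSWER SECTION (the sample is constructed from the thread, with the masked public address replaced by the documentation address 203.0.113.212) and flags any address for an internal name that is outside the LAN prefix; the prefix 192.168.10.0/24 is an assumption taken from the posts.

```python
"""Flag internal hostnames whose DNS answers include a non-LAN address.

Added example, not from the forum thread or the OPNsense project.
Assumptions: LAN prefix 192.168.10.0/24; the public address in the sample
is a constructed placeholder (203.0.113.212) standing in for x.y.115.212.
"""
import ipaddress
import re

# Constructed sample: the dig ANSWER SECTION quoted in post #3.
DIG_ANSWER = """\
sense.                  3600    IN      A       203.0.113.212
sense.                  3600    IN      A       192.168.10.1
"""

# One dig answer line: name, TTL, class IN, A or AAAA, address.
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)[ \t]*$", re.MULTILINE)


def parse_answers(text):
    """Return {name: [ip_address, ...]} from dig-style answer lines.

    The trailing dot of the owner name is dropped so 'sense.' and 'sense'
    compare equal.
    """
    answers = {}
    for name, _rtype, addr in ANSWER_RE.findall(text):
        answers.setdefault(name.rstrip("."), []).append(ipaddress.ip_address(addr))
    return answers


def leaked_addresses(answers, internal_prefixes):
    """Return {name: [addr, ...]} for answers that fall outside every internal prefix.

    An empty dict means every address handed out for these names is internal.
    """
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    leaks = {}
    for name, addrs in answers.items():
        outside = [str(a) for a in addrs if not any(a in n for n in nets)]
        if outside:
            leaks[name] = outside
    return leaks


def preferred_address(answers, name, internal_prefixes):
    """The first internal address for name, or None if there is none.

    This is the address a LAN client should be using; if the resolver returns
    only the WAN address the name is misconfigured for internal use.
    """
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    for a in answers.get(name, []):
        if any(a in n for n in nets):
            return str(a)
    return None


if __name__ == "__main__":
    parsed = parse_answers(DIG_ANSWER)
    for name, bad in leaked_addresses(parsed, ["192.168.10.0/24"]).items():
        print(f"{name}: non-LAN answer(s) {', '.join(bad)}; "
              f"LAN address is {preferred_address(parsed, name, ['192.168.10.0/24'])}")
```

Run it against `dig +noall +answer <name>` output from each client to see exactly which addresses the resolver hands back before assuming the client is at fault; a client that picks the first record of a two-record answer set will behave differently from one that sorts by locality.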
#5
Quote from: tezgno on August 17, 2020, 05:02:21 AM
Quote from: gurpal2000 on August 16, 2020, 04:50:00 PM
Thanks this seems to have fixed it for me also. Removed all entries and then put the actual wg ip address with a /32 on the end; lastly bounced wg. Although now I can't ping other subnets.

Two things to check:

First, make sure that your firewall allows for traffic from WG to your other subnets. Second, on the client side, make sure that your allowed subnets includes the ones you want to access.

I think the default wg firewall entry is "all inclusive" (Any).

Anyway, previously I would have had entries like this "10.10.0.0/24, 192.168.2.0/24" in the Allowed IPs. To me, these are ranges of IP addresses.

Under the new version, I have to change these to "10.10.0.2/32,192.168.2.1/24". Now first is a very specific IP (no range) which is the only end of the tunnel in a VPS. It's fine.

The second is actually the IP address of an LXC bridge on a VPS where the wg client lives. But because /24 is a range, it includes other IP addresses on the 2.x subnet. Which is also fine.

So things work better, and I can do what I used to do before I think. I don't understand why - which is worrying for me (a newbie).
#6
Quote from: tezgno on August 14, 2020, 11:28:49 PM
So, finally dug into this quite a bit and it would appear as though the way the instructions state to setup Wireguard may have worked fine in 20.1, but definitely shouldn't work in 20.1 either. The allowed IP range needs to be the /32 Wireguard address only. I think I saw another post where this is stated as well. Once I did that, problem is resolved.

Thanks this seems to have fixed it for me also. Removed all entries and then put the actual wg ip address with a /32 on the end; lastly bounced wg. Although now I can't ping other subnets.
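Posts #5 and #6 above turn on what an AllowedIPs entry actually covers: "10.10.0.2/32" is exactly one address, while "192.168.2.1/24" is a whole range because WireGuard ignores the host bits of a prefix, so it is the same as 192.168.2.0/24. The script below is an added example, not code from the thread or from OPNsense, that normalises AllowedIPs the way WireGuard does, reports how many addresses each entry covers, and checks two things WireGuard's cryptokey routing enforces: a packet goes to the peer with the longest matching prefix, and a prefix can belong to only one peer. The peer names and prefixes are assumptions modelled on the posts.

```python
"""Normalise and sanity-check WireGuard AllowedIPs.

Added example, not from the forum thread or the OPNsense project.
The peer names and prefixes below are assumptions modelled on the posts.
"""
import ipaddress


def normalise_allowed_ips(allowed):
    """Parse a comma-separated AllowedIPs string into networks.

    strict=False mirrors WireGuard: '192.168.2.1/24' becomes 192.168.2.0/24
    because the host bits of a prefix are ignored.
    """
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]


def describe(allowed):
    """One line per entry: a full-length prefix is a single host, anything else a range."""
    lines = []
    for net in normalise_allowed_ips(allowed):
        if net.prefixlen == net.max_prefixlen:
            lines.append(f"{net.network_address}: single host")
        else:
            lines.append(f"{net}: {net.num_addresses} addresses")
    return lines


def find_conflicts(peers):
    """Return (first_peer, second_peer, prefix) for every prefix listed under two peers.

    WireGuard maps each exact prefix to at most one peer; adding the same
    prefix to a second peer silently moves it, so this is a misconfiguration.
    peers is {peer_name: allowed_ips_string}.
    """
    owner = {}
    conflicts = []
    for peer, allowed in peers.items():
        for net in normalise_allowed_ips(allowed):
            if net in owner:
                conflicts.append((owner[net], peer, str(net)))
            else:
                owner[net] = peer
    return conflicts


def peer_for_address(peers, addr):
    """Which peer a packet to addr is sent to: longest matching prefix wins, None if no match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for peer, allowed in peers.items():
        for net in normalise_allowed_ips(allowed):
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


if __name__ == "__main__":
    # Assumed peers: the VPS end of the tunnel from post #5 plus a second client.
    peers = {
        "vps": "10.10.0.2/32,192.168.2.1/24",
        "laptop": "10.10.0.3/32",
    }
    for name, allowed in peers.items():
        print(name, describe(allowed))
    print("conflicts:", find_conflicts(peers))
    print("192.168.2.50 ->", peer_for_address(peers, "192.168.2.50"))
```

The old entry "10.10.0.0/24, 192.168.2.0/24" routes the whole tunnel subnet to one peer, which is only correct if that peer is the only thing on the other end; with a second peer on the same subnet, `find_conflicts` shows the duplicate prefix and `peer_for_address` shows which peer actually wins for a given address.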
#7
Similar question/answer but no explanation - https://github.com/opnsense/core/issues/3534
#8
So I found out the hard way that Peer to Peer modes in opnsense's openvpn module just don't include the dns/domain push options in the resulting server config.

Why is that?

What I'm looking to do is essentially extend my homelab with a VPS. The stuff inside the VPS is to be ringfenced and included within the homelab scope. I thought a peer to peer would be the best option as I can push at least DNS from the intranet. The idea is to have a permanent tunnel up (not dependent on a physical user).

Using the Remote method, it implies physical "users", but there aren't any. I suppose I could treat a "user" as a machine and do it that way?

[Not possible to run opnsense inside the VPS either, so making it more important to get the openvpn client config right]
#9
20.1 Legacy Series / Re: lighttpd question
May 02, 2020, 11:47:53 AM
@hbc - thank you for the response.

Yes I understand the host alias is limited to host and not port. That's fine.

Ah I see, so probably not best to mess with lighttpd as there is a risk that the GUI can break and any changes "on top" might not be compatible with upgrades I'm guessing. So I will read up on nginx.

Use case: You're right simple browser bookmark will do, but not with 10 laptops in the house for various people. Many places of work use these intranet shortcuts. You only have to change the underlying URL but the "shortcut alias" never has to change. Plus I can actually remember the shortcut names for the home lab, eg: "plex", "wiki", "wifirouter", "sense", etc.
#10
20.1 Legacy Series / lighttpd question
May 02, 2020, 02:35:46 AM
(newbie) Hi, I see that a lighttpd "package" is available on opnsense.

In the past I have used lighttpd to simulate redirection of web pages like so:

# Match the shortcut name or its .lan form exactly: the regex is anchored and
# the dot escaped, so hosts like "myplex.lan" do not also get redirected.
$HTTP["host"] =~ "^(plex|plex\.lan)$" {
  # Every path on this vhost is sent to the real Plex web UI on myserver.
  url.redirect = ("" => "http://myserver:32400/web")
  url.redirect-code = 302
}


So the point of this was that the name (http://plex) is resolved by a web server local to the DNS server and I'll have an alias set up to repoint to a different host (eg. myserver). Think of them as intranet "shortcuts" for webapps. In fact I use this in pihole on a different setup where the DNS resolver works seamlessly with lighttpd - all on the same host.

Problematic as this may sound/be, is there a way to reuse lighttpd on the opnsense host in a similar way (and making sure the management GUI still works) ?

Edit: or a different way of accomplishing the same thing but from the same host. eg. nginx. I don't know too much about reverse proxies. I just know this trick above and it's worked for years.

Thanks
#11
@chemlud - ah yes you're right. I changed to LAN only and worked. thank you
#12
20.1 Legacy Series / Modem access side-effect?
May 01, 2020, 01:10:55 PM
Hi newbie here.

I followed the tutorial here to get modem access in bridged mode (https://forum.opnsense.org/index.php?topic=8616.msg38219#msg38219) - it works as expected (although I don't fully understand the need for the floating rule).

1. I've noticed that OPNsense GUI is also available via the Virtual IP. Bonus, maybe? Any risk to this? Any way (or a real need) to disable that somehow?

2. I have a TP-LINK W9970 which has additional physical ports. Now I can get a laptop configured with a static IP in the modem's private subnet which allows me to get to the modem's GUI. Is there not a way to simply connect a wire from one of the free ports physically to a switch and access the modem with simpler rules? And would that be without VLANs and all that? ie. no need for the virtual IP etc in (1).

thank you