Messages - Peronia

#1
I noticed that my wg0 interface was missing after the upgrade. When I created a new interface I got a new interface (wg1 in my case) but I can't set a static IP address for that...
So I rolled back and all is working (and the wg0 is found).

EDIT: I ran another attempt to upgrade to 24.1.6 and it worked. My wg0 interface is still there (I have to remove the static IP). But it takes me several attempts to get the update successful with wg0. The update process dies 2 times (in each approach) and I have a dependency problem in one of them. In one approach (that I had to throw away and restore the backup) I got an exception every time I searched for an update...
#2
Any news here?
I upgraded from 24.1.1 to 24.1.5_3 and my WireGuard got broken too.
I can make a handshake but no traffic will be routed.
After a rollback to 24.1.1 all works fine.
#3
Quote: isn't that what you were trying to achieve? access local server by firewall public (instead of using split DNS)?
without reflection (or manual hairpinning) traffic from the internal client is not translated and therefore is routed directly to the external interface of the OPN (in this case, to port 443, where the gui is waiting for it). this was not required before the apartment was changed, as then the traffic really left the OPN, reached the company's equipment and returned with the source address of the company's reverse proxy.
Then NAT reflection acts in both ways? Since I don't want to use the internal over the external address, I want to use the external over the internal address.

Quote: did not quite understand the question. please explain
From the docs, I see NAT reflection works to use the internal over the public address. Makes sense, but that's not my goal (see above). So NAT reflection works in both ways? Internal over public and public over internal (sounds strange to me, but maybe...)?
#4
Okay okay:

  • No, NAT reflection was disabled. I enabled it and all is like expected.
  • I tried this before and after turning on NAT reflection, same output: external IP
  • I have not tried
  • I have not tried

HSTS doesn't show up in the console. I saw it through the message for an invalid certificate from the browser. It says that HSTS is on and I can't create an exception for that website.
When I forced it to trust, I saw the normal website, only with an invalid certificate.

I turned NAT reflection on in the system for all connections. Now I can see my websites with the right certificate and visit my TeamSpeak server over the domain (previously only possible via internal IP).

But when I take a look at https://docs.opnsense.org/manual/nat.html, I don't get why NAT reflection solves my problem. I will use the external IP to pass my nginx and see the website with the right certificate. Or is it vice versa?
#5
See attachment.
Fact 1: external client wants to see my website: external client -> internet -> my opnsense (over WAN port 443/80) -> nginx (redirect port 80 to 443, get data from webserver over port 80, encrypt them and send back over port 443). Works fine.

Fact 2: internal client wants to see my website: opnsense (over LAN on port 443/80) -> internet (over WAN, resolve domain to external IP and connect with it) -> opnsense (over WAN port 443/80) -> nginx (redirect port 80 to 443, get data from webserver over port 80, encrypt them and send back over port 443).
Doesn't work. I get the certificate from the web gui of opnsense. When I accept it, I can see the webpage, but with the wrong certificate.

Fact 3: internal client wants to see the web gui of opnsense: opnsense (over LAN on port 443/80) -> opnsense (redirect port 80 to 443).
Works fine (with the right certificate).

Fact 4: external client wants to see the web gui of opnsense: external client -> internet -> my opnsense (over WAN port 443/80) -> nginx (doesn't know any destination for the web gui) -> error
Is as it should be.

Maybe this helps?
#6
No, the web gui is not part of nginx, only the websites are.
The web gui is only available locally and directly via opnsense.
For ports 80 and 443 there is one NAT rule that forwards the traffic to the nginx. These NATs only trigger over WAN.
So when I want to hit the web gui, the nginx does nothing.
But when I want to see a webpage, the nginx does all the stuff.
#7
Yes, the port is always 443.

But the domains are completely different. Like example.com for the webpage and internal.anotherexample.pl for opnsense.

So I use the first domain and get an error with the opnsense certificate.
#8
Hi,

I have imported a valid SSL certificate for the web gui and set it under System/Settings/Administration for the web gui. Works fine, no problems.

A couple of days ago I noticed that I can't reach my websites (2) locally, but they are online and reachable from external networks. I get a certificate error, the certificate from opnsense is being used. Logically the common name is invalid.

So I changed the certificate back to the self-signed one from installation and got the same error, only the message changes (certificate is now self-signed).
I also tried the option listen interfaces. E.g. when I uncheck WAN, the website isn't reachable locally (timeout). Seems strange to me, since this option is only for the web gui of opnsense.

Before the problem appeared I moved to a new apartment; in the old one I didn't have this problem because in front of my opnsense was a reverse proxy from the company from which I got the Internet (the reverse proxy overwrites the certificate I think). So the way for a request was: company router -> company reverse proxy -> opnsense (my router) -> reverse proxy (mine, nginx) -> webserver.
Now I'm directly connected to the internet (as normal) and the way for a request is: opnsense -> reverse proxy (nginx) -> webserver and backwards. The correct certificate is set by the reverse proxy and, as I wrote, works smoothly outside my network.

But the headers from the reverse proxy (e.g. HSTS) are passed through, only the certificate is modified.

Why am I sure that the wrong certificate comes from opnsense? I updated only this certificate and can see the changes when I try to connect locally to the websites.

opnsense version: 21.7.3_3-amd64

Can you please help me find the cause for this problem?
#9
Quote from: mimugmail on October 07, 2020, 05:45:54 AM
So a WireGuard user can't reach an internal DHCP IP, and switching to static then works??
I actually haven't been able to verify that yet. But one thing the unreachable machines have in common is that they get their IP via DHCP.
I'll do that next, that's a good point.

Quote from: micneu on October 07, 2020, 07:17:23 AM
1. I don't understand why you are running opnsense and openwrt?
2. could it be that the windows firewall is getting in your way
are they all in the same network range, I couldn't tell that from your drawing (I just prefer a proper drawing, not this text stuff)
3. you could have mentioned right away that your sense is a VM (VMs sometimes behave idiosyncratically)

  • One of my WLAN cards is not supported by opnsense.
  • Unlikely with an Android phone. But later it should also be possible from a Windows PC, then it would be relevant.
    There are two network ranges: my home network with 192.168.230.0/24 and the WireGuard network with 192.168.220.0/24.
  • Okay, it is a VM  ;D. I hadn't observed such behaviour yet, so it didn't occur to me that it could be that interesting.
#10

  • Is this enough?

                       WAN
                        |
                        |
                        |
   Hardware server      |
+-----------------------|---------------------------------------------------------------------+
|                       |                                                                     |
|       Proxmox         |                             Clients                                 |
|     +-----------------|----------------------+    +--------------------------------------+  |
|     |                 |                      |    |                                      |  |
|     |                 |                      |    |  Windows, Android, ...               |  |
|     |  +--------------|--------------+       |    |                                      |  |
|     |  |Opnsense                     |       |    |                                      |  |
|     |  |       +--------------------+|       |    |                                      |  |
|     |  |       |Wireguard           ||       |    |                                      |  |
|     |  |       +--------------------+|       |    |                                      |  |
|     |  +-------|---------------------+       |    |                                      |  |
|     |  +-------|--+       +----------------+ |    |                                      |  |
| |------|OpenWRT   |       |DHCP            | |    +---------|----------------------------+  |
| |   |  +----------+       +----------------+ |              |                               |
| |   |  +----------+       +----------------+ |              |                               |
| |   |  |DNS       |       |Other servers   | |              |                               |
| |   |  +----------+       +----------------+ |              |                               |
| |   +----------------------------------------+              |                               |
| |                                                           |                               |
| |-----------------------------------------------------------|                               |
|               WLAN                                                                          |
|                                                                                             |
+---------------------------------------------------------------------------------------------+

  • Yes
  • Android phone
#11
Hi,

I use WireGuard and it works. I can connect without problems and my servers (devices with a fixed IP) are all reachable (pingable and the web interface works).
But when I want to ping a client with an IP assigned via DHCP, it doesn't work (timeout).
That is exactly what I want to achieve. I can't find anything in the firewall and am therefore somewhat at a loss.

Can you help me?
#12
German - Deutsch / Sometimes kernel panic on boot
May 13, 2020, 07:35:21 AM
Hi all,

I have the strange phenomenon that Opnsense sometimes gets a kernel panic when booting.
As soon as I reboot, everything starts normally. Since I reboot Opnsense once a day via cron, it's annoying when it sits at 100% CPU load all night. I currently still don't understand why it panics...

I'm running OPNsense 20.1.6-amd64 on a Proxmox. However, only the Opnsense VM shows this error.

I have attached a picture of the console output. This error has occurred 3-4 times since I started using Opnsense (about 1 month).

Regards
Stefan