Messages - tessierp

#1
Quote from: nero355 on March 28, 2026, 12:08:30 AM
If you want to reach your External WAN IP Address via a Domain Record that is known on the Internet with the same Domain Record from your LAN then you need to configure that correctly.

Some options :
- Reverse NAT a.k.a. NAT Loopback.
But not really what you want to be honest...
- Reverse Proxy + The correct DNS Records.

Or just use IPv6 only of course :)

Well I do have a reverse proxy, I use HAProxy for that. And I used UnboundDNS internally to send to the right server. All of that worked before 26.1.
#2
Hi,

Ever since version 26.1, I have been experiencing issues, services that worked that I can no longer reach. I tried to take my time to understand some of the problems I was faced with but I'm struggling; I recently migrated to the new rules system which was a source of problems initially but I noticed that NAT rules which were created for me automatically before when setting a WAN rule that is no longer happening (Destination NAT); I don't think this is part of my issue since the Destination NAT for my Teamspeak entries were already there from what was created before. I'm able to access Teamspeak from the outside however, from the inside; I use something like teamspeak.mynetwork.net which is configured through Cloudflare and internally I use Unbound DNS to override the destination. But that doesn't seem to work anymore, no matter what IP I put in Unbound DNS I never see it. Are there any issues with Unbound DNS at the moment?
#3
Instead of doing everything manually, I created a backup of my VM, I used the migration tool, imported everything in the new rules and deleted the legacy ones and it all works now.. Not sure what went wrong, perhaps disabling one thing in the old rules after enabling it in the new caused an issue.
#4
Quote from: Monviech (Cedrik) on March 26, 2026, 01:50:28 PM
Sure here, just recently refreshed:

https://docs.opnsense.org/manual/firewall.html#rules

Both go to the same library that generates rules, and the same ruleset comes out afterwards. So mostly the GUI is different, the backend (rule generator) mostly the same.

Thanks for the link. I guess I'll have to do some more reading.

I had a synapse server setup that worked well and I needed port 443 and 8448 to be allowed in to connect to the backend. I created two new rules (in the new rules) with the exact same configuration from the "OLD" rules and the connection fails. So either there is an extra step that I have to do now or something is not as it should be (a bug).

Just to be clear, when adding the new rules to the new interface, I disabled the ones from the old interface... And that fails.. In order to get things to work again I had to disable the ones from the new interface and enable the ones in the old interface.. The old stuff does something more that I am not aware of.
#5
Quote from: Monviech (Cedrik) on March 26, 2026, 01:21:38 PM
Make sure you go to the latest minor release (at least 26.1.4) before testing things again. There were issues with reply-to rule generation, I think due to the Port Forward -> Destination NAT change.

A good test is before the upgrade do:

pfctl -s rules

Save the output in a file.

Go all the way to 26.1.4 or 5, then do pfctl -s rules again

diff both files, if there is no explainable difference then the firewall does not do anything wrong (on the packet filter level)

Thanks for the help. I printed the output of what I have now; I can't really see any issue, and I am using 26.1.5. Not sure what happened and it could be that it has nothing to do with OPNSense. Until I have more information I can't say for sure what happened...

Is there documentation somewhere that explains the changes between the old and new rules system?
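A script to carry out the before/after comparison the quoted post describes, as an added example that is not part of the post or of OPNsense; it assumes the two `pfctl -s rules` dumps were saved to text files, and the sample rule lines it embeds are constructed so it runs offline:

```shell
#!/bin/sh
# Added example, not code from the quoted post or from OPNsense: compare two saved
# `pfctl -s rules` dumps (before and after an upgrade) and list rules that vanished
# or appeared, with a separate count for lost reply-to rules, which the quote singles out.
# Assumed workflow:  pfctl -s rules > rules-before.txt   (before upgrading)
#                    pfctl -s rules > rules-after.txt    (after reaching 26.1.4/5)

# Collapse whitespace, drop blank lines and sort, so cosmetic changes do not show as diffs.
normalize() {
    sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' "$1" | grep -v '^$' | sort -u
}

# Print rules present in dump $1 but absent from dump $2 (order-insensitive).
missing_rules() {
    a=$(mktemp) && b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Count reply-to rules present in $1 but absent from $2; prints 0 (and succeeds) if none.
missing_reply_to_count() {
    missing_rules "$1" "$2" | grep -c 'reply-to' || true
}

# Human-readable report for two dumps.
compare_rulesets() {
    echo "== rules in $1 but not in $2 =="; missing_rules "$1" "$2"
    echo "== rules in $2 but not in $1 =="; missing_rules "$2" "$1"
    echo "== reply-to rules lost: $(missing_reply_to_count "$1" "$2") =="
}

# Constructed sample dumps (pfctl-style lines, RFC 5737 addresses), so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rules-before.txt" <<'EOF'
block drop in log quick inet from 127.0.0.0/8 to any label "Block loopback"
pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "Synapse HTTPS"
pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto tcp from any to 192.0.2.10 port = 8448 flags S/SA keep state label "Synapse federation"
EOF
cat > "$demo_dir/rules-after.txt" <<'EOF'
block drop in log quick inet from 127.0.0.0/8 to any   label "Block loopback"
pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "Synapse HTTPS"
pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = 8448 flags S/SA keep state label "Synapse federation"
EOF
compare_rulesets "$demo_dir/rules-before.txt" "$demo_dir/rules-after.txt"
```

On the constructed sample the report shows one rule lost (the 8448 rule with reply-to), one new rule (the same rule without reply-to) and a lost reply-to count of 1, which is exactly the kind of "explainable difference" the quoted test is looking for.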
#6
Alright, so I guess it has to be another issue post-update that broke something.. I'll have to look more into this.
#7
Alright so I did a quick search and learned that there is now a new rules system in place and the most recent update of 26.1 completely destroyed my network, by destroy I mean nothing would route properly anymore. I had to go back to a two weeks old backup / VM to fix everything.

I'm not sure why this change was done and why it couldn't be made optional. Was this really necessary? The upgrade procedure seems to be very painful and involving a lot of work. Not sure this change was really thought out, it breaks way more than it fixes.

Update: Seems that shortly after installing the old backup which is still 26.1, routing rules worked for 5 minutes and then nothing worked anymore so I suppose something is running in the background that causes old routing rules to no longer work.. What a PAIN!
#8
Just a quick follow up.. I found this post and joined their Matrix / OPNSense support group and it was very helpful.. If you need help setting up Matrix behind OPNSense, you can find help here in the Matrix group.. Find all the info in this post..
https://forum.opnsense.org/index.php?topic=20019.msg92568#msg92568
#9
Hi,

I'm trying to setup a Matrix Synapse server. What I have so far is a Debian VM running Matrix Synapse, everything I have is sitting behind an OPNSense server and I have been using HAProxy for all my reverse proxy needs. That being said, it has been particularly challenging with Matrix Synapse. I've read a lot of documentation including Matrix Synapse's examples on how to setup HAProxy but so far no joy. Part of the problem is that they offer a text output version of an HAProxy config I would need with the rules but there is no way to import that config via OPNSense so I have to interpret it and replicate it via the UI (I suppose I could login to OPNSense directly and edit the haproxy.conf file but I'm no vi expert). Anyway, I digress.

I was wondering if there is anyone out there who has gone through the pains of setting up a Matrix Synapse server of their own and if there is a setup guide that may be of some use to me? I appreciate in advance all the help.
#10
Hi,

I have somehow managed to enter a Client Identifier without any host name or any details whatsoever. Now when I try to see it in Services -> DHCPV4 -> LAN, it isn't listed. If I try to add something with the same identifier it says it already exists. I haven't been able to find through the UI where to delete this identifier.

Which file do I have to edit to force remove this "ghost" client identifier?

Thanks
#11
Found it! I can't set it right now since I didn't move into my new house yet. I also will have to wire the house myself with CAT6 but at least I know exactly what to do now, thanks!

Duly noted for the US-8-150W. I think most POE switches have the same problems, they run hot and have loud fans unless you upgrade the fans. That is why I bought myself an HP ProCurve 1810-24G J9803A, an old and used 1G switch I know but, it is fanless and doesn't run so hot. Of course, I have no POE and as much as I wanted to install two WIFI POE devices like the ubiquiti ones or cameras, I've decided not to do it. I'll go WIFI for the cameras and just get some good WIFI Access Points that I can connect in an outlet for power. Not the most elegant but I just don't want to have to deal with hot running devices and loud fans.

Thanks again!
#12
Hi Allebone,

Thanks so much for all this information. It will be quite useful. I am in Gatineau btw so I'm hoping it will be using PPPOE but then again I don't know. It will be my first time with Bell Fiber. Like I wrote before, with Videotron it was a simple task, flip the switch to BRIDGE mode.

My only worry comes from my experience with Videotron's HELIX modem/router solution that didn't support static routing ergo I could never get a connection to my VPN server and so I assumed I would be facing the same issues with Bell's router if I can't find a way to make it into a bridge.

With the solutions you provided it seems to me option 1 is the less painful and sounds like my VPN server will work that way. And if I may ask one more question, setting PPPOE on OPNSense that is just a simple matter of configuring a point-to-point device on my VTNET0 interface which is my WAN and should be good to go correct? May sound like I'm repeating myself from what I wrote previously but I am headed into uncharted territory with this config.

Thanks again for the help!

BTW, if I could afford a Ubiquiti switch (or any layer 3 capable switch) right this moment, I would probably go that route, not because I hate Bell but because I'm all for efficiency when I can, less power consumption. Granted, 15w is not a lot but still...
#13
Hi Allebone,

Thanks for this. I was with Videotron before and decided to make the jump to Bell. Videotron made this easy by having a bridge mode option on their Helix box and when I talked to a Bell Rep, they told me it would be as easy with their box.. Well after reading around it seems that it is not as easy as I thought.

Your solution seems very simple however, unfortunately for me, I only have a layer 2 switch and I guess that won't work for me. So that leaves me with the Media converter option.

I was wondering if I could ask you a few questions since you seem to have experience with all this.

1) If I set Bell's HH3000 box as DMZ, can I avoid all those headaches and continue to have my VPN server work? That is, in the case I want to limit the amount of change I need to do and keep Bell's router?

2) If I use a media converter, I will need to bring the RJ-45 from the media converter over to my OPNSense's WAN assigned interface and then :

    a) I need to create the VLAN ID for the internet on the WAN interface (In my case OPNSense is virtualized on Proxmox but it comes down to selecting the right interface which is vtnet0 for me)
    b) Configure PPPOE handling on the wan interface

And I should be good correct?
#14
Looking at the logs I noticed something which I think may be causing the problem but not 100% sure :

2021-04-19T23:43:24   kernel   pflog0: promiscuous mode enabled   
2021-04-19T23:43:24   kernel   pflog0: promiscuous mode disabled

Like I said, I was fine for months and all of a sudden after the last two updates, I've been getting those random disconnects.
#15
I have the same issue here. Ever since the last two updates, I've been getting random network disconnects. I am running version OPNsense 21.1.4.

I ran version 20.x for a few months without any issues. I'm using this network card :

https://www.servethehome.com/syba-dual-2-5-gigabit-ethernet-adapter-review/

Works great but like I said, since the last few updates, I've been getting lost packets, random disconnections.