Messages

1

Virtual private networks / Accessing IP camera on wireguard client site

« on: April 06, 2024, 10:22:03 pm »

I have a remote client connected via wireguard to my OPNsense router that serves for off-site backups. Now I added a camera on that location that I would like to access from my main network as well.

My main network is on 192.168.50.1/24, the remote network is 192.168.8.1/24 with the WG client sitting on 192.168.8.10 and the camera on 192.168.8.89. The WG network is 10.0.9.0/24

From what I read up i understood that i need to add the ip of the camera under alllowed networks of WG client config under Peer. Also I have added the camera IP to the Allowed IPs of the peer in OPNSense

Code: [Select]

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxx
Address = 10.0.9.80/32
DNS = 192.168.50.1
MTU = 1400
[Peer]
Endpoint = mydomain.com:51820
PublicKey = xxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.50.1/24, 192.168.8.89/32
PersistentKeepalive = 25

Now i understand i need to create a static route in Opnsense so i can access the device, but I am not sure what to put in there. I did the following:
- created a new gateway on the wireguard interface with the ip address 10.0.9.80 (WG IP address of the remote client with the local address 192.168.8.10)
- a route between the newly created WG gateway and the local address of the WG client (192.168.8.10/24)

I tried here different IP addresses, but none of them worked.

Any idea how to proceed with this?

Thanks a lot

2

24.1 Legacy Series / Struggling to setup both OpenVPN and WireGuard

« on: March 02, 2024, 12:09:28 am »

I've been using OpenVPN for my instance for several years, running two servers - one giving me full access to my network and other one i used for work purposes to route only specific addresses trough the VPN. It worked flawlessly, until the cert have expired, and in the meantime Opnsense 23.7 came out with the new "Instances" OpenVPN setup.

Since that moment, i am unable to make OpenVPN work. The clients are connecting, but no traffic is routed trough. The VPN servers have their interfaces assigned and firewall rules are set up, so everything should work. But it does not.
So I gave Wireguard I try, but ran into the very same issue. Client connects (as I can see on the Diagnostics page), but cannot transfer any data.

Finally I gave up, as I really needed that "work" OpenVPN instance, set it up via the legacy method and its working flawlessly again. But still need to set up that private access. Did a lot of comparisons between the legacy and the instances settings, but I can't figure out where lies the problem.

The log files doesn't seem contain any meaningful information. Also I have enabled logging for the firewall rules, but zero results show up for them.

Since there is an estabilished connection both for Wireguard and OpnVPN, i'd assume that its something with the FW rules that is wrong, but can't figure out what - theyt are just a simple allow all rules for the given OVPN/WG interface.

Any idea where to look for a solution?

3

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: August 23, 2023, 10:15:09 am »

This is exactly what I have experienced and it was solved after checking "Topology" of the Server configuration. See my post https://forum.opnsense.org/index.php?topic=35447.0

thanks, that did it !!

4

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: August 23, 2023, 12:23:24 am »

Yes, but you need to put the correct subnet size.


Cheers,
Franco

If on version 23.1.11 we used the line

ifconfig-push 192.168.yyy.xxx 255.255.255.0

Now in the IPv4 Tunnel Network field, you need to set the value

192.168.yyyy.xxx/24 ?

Did I understand correctly?

i did various tries with IPv4 Tunnel network settings, but none of them were satisfactory:
- VPN server subnet is set to 10.0.8.0/24
- Client Specific override Tunnel IPv4 set to 10.0.8.10/32 -> resulting client IP is 10.0.8.12
- Client Specific override Tunnel IPv4 set to 10.0.8.10/24 -> resulting client IP is 10.0.8.2

Don't know what I am doiing wrong

5

22.1 Legacy Series / Re: Log files getting too large since 22.1

« on: February 06, 2022, 08:33:09 pm »

i see.

this change is kinda stupid, because for firewall i don't need to log anything older than 5 minutes, as these logs are mostly for troubleshooting purposes to adjust firewall rules. now i have either have logged everything for days or nothing. (i know i can set the days to keep the logs, but it applies to every log, not just firewall)

6

22.1 Legacy Series / Re: Log files getting too large since 22.1

« on: February 06, 2022, 12:28:31 am »

what was the previous limit set for the log file? today's log has already 7 MB in 22 minutes. i need to find a way how to limit its size, as my opnsense instance is running off a 8 Gig drive.

7

22.1 Legacy Series / Log files getting too large since 22.1

« on: February 05, 2022, 06:55:47 pm »

i have noticed that since upgrading to 22.1 my disk is getting filled with log files, what was not happening in previous releases. or something happened to my system causing the logs to getting clogged. is there a way to limit these log file sizes?

Code: [Select]

root@OPNsense:~ # ls -S -l -h /var/log/filter
total 1286944
-rw-------  1 root  wheel   343M Feb  3 00:00 filter_20220202.log
-rw-------  1 root  wheel   324M Feb  2 00:00 filter_20220201.log
-rw-------  1 root  wheel   313M Feb  5 00:01 filter_20220204.log
-rw-------  1 root  wheel   269M Feb  5 18:47 filter_20220205.log
-rw-------  1 root  wheel   7.5M Jan 29 00:00 filter_20220128.log
lrwxr-x---  1 root  wheel    35B Feb  5 18:01 latest.log -> /var/log/filter/filter_20220205.log

8

21.1 Legacy Series / Re: firewall seemingly ignoring allow rule

« on: July 20, 2021, 10:29:17 pm »

everything works now after rolling back to 20.1.7. was afraid to upgrade back to 20.1.8 as at the moment I have a little time playing around with it, in case it goes wrong again.

however some advice on how to fix the "Configuring firewall... failed" startup message would be nice for future reference

9

21.1 Legacy Series / Re: firewall seemingly ignoring allow rule

« on: July 19, 2021, 12:50:28 am »

update: tried restarting OPNsense, internet stopped working altogether.

during boot I got repeated "Configuring firewall.... failed" messages. only thing that helped was to restore to previous OPNsense backup (version 20.1.7) and now my initial problem with VLAN has been resolved as well.

seems like there's some issue introduced in 20.1.8...

10

21.1 Legacy Series / firewall seemingly ignoring allow rule

« on: July 17, 2021, 12:58:51 am »

I have a VLAN set up for smart devices that has normally blocked internet access, except enabling it occasionally for update & maintenance purposes. I am quite positive that in the past i several times enabled the firewall rule for WAN access and it worked, but now it does not.

these are my fireall rules: (normally the last two rules are disabled/enabled in the opposite way as on the picture)
https://imgur.com/gLdsLqZ

yet OPNsense keeps blocking the internet access for some reason:
https://imgur.com/4ISFrtV

any idea why is this happening?

11

General Discussion / [SOLVED] mDNS over VLAN works only for DHCP assigned IP addresses

« on: June 03, 2021, 10:16:35 pm »

Interesting  issue, but potentially dead simple here:

hostname resolving across and on VLANs is working only partially. hostname of devices where IP address is assigned via DHCP works, but static IP does does not work (nslookup fails)

my firewall rules for the VLAN allow port 53 to OPNsense firewall and 5353 to 224.0.0.251. mDNS repeater plugin is installed and enabled.

what did i miss here?

Edit: as i assumed it was dead simple: had to enable Register DHCP static mappings in Unbound

12

21.1 Legacy Series / clients cannot connect to VLAN network

« on: April 22, 2021, 11:51:56 pm »

I want to set up separate VLANs for my home network.

I did set up the new interface, assigned it to my LAN port, define subnet range, configured DHCP, changed switch settings, set up a separate SSID for the VLAN and connected few devices for testing. Everything seemd to work, when suddenly all devices connected droppped from the network and i wasn't able to reconnect them anymore.

So I have decided to start from scratch. Removed the VLAN interface, created a new one from scratch and in order to rule out switch malconfiguration i started to try the VLAN first via a Proxmox VM that is hosting my OPNsense instance as well.

So the current state is:
- VLAN interface configured, DHCP set up
- switch config untouched
- Proxmox VM hooked up to the Proxmox internal LAN port, interface is set as VLAN aware and tagged with the VLAN id.
- Firewall rules copied over from the LAN interface, so VLAN should be able to reach full internal network and internet as well (for testing purposes)

The problem is the following:
- the virtual machine does not get an IP address assigned in DHCP mode
- when setting static IP within the VLAN subnet, VM cannot ping gateway or anything else

Any idea how to troubleshoot this/what to look for in the logs?

Thanks

13

20.7 Legacy Series / Firewall default deny rule blocking LAN traffic?

« on: August 24, 2020, 09:18:55 pm »

Why is the Default deny rule blocking traffic between two hosts on my local network? I have no VLANs configured.

see screenshot below:
https://pasteboard.co/JnTcw6g.png

I pretty much suck at basic networking, but i don't see a reason why an unremovable firewall rule blocking LAN traffic should even exist...

Can please anyone explain it to me?

Not sure if this is relevant, but the host on x.20 is my working desktop computer and x.11 is an LXC container running on Proxmox.

14

20.7 Legacy Series / Re: [SOLVED] port forwarding does not work

« on: August 23, 2020, 07:51:23 pm »

as i suspected it was at the end unrelated to OPNsense. simply the webserver was not working and my browser was caching its content giving me the impression that it works.

15

20.7 Legacy Series / Re: port forwarding does not work

« on: August 22, 2020, 10:10:34 am »

ok, it's definitely not an OPNsense problem. when i do nmap 192.168.50.10 i get this result

Code: [Select]

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
143/tcp  open  imap
587/tcp  open  submission
993/tcp  open  imaps
1334/tcp open  writesrv
3000/tcp open  ppp
5000/tcp open  upnp
6789/tcp open  ibm-db2-admin
8000/tcp open  http-alt
8080/tcp open  http-proxy
8086/tcp open  d-s-n
8100/tcp open  xprint-server
8180/tcp open  unknown
8181/tcp open  intermapper
8443/tcp open  https-alt
9000/tcp open  cslistener
9091/tcp open  xmltec-xmlmail
strangely the ports 80 and 443 are not listed, even if in a web browser both http://192.168.50.10 and http://192.168.50.10 display the web page hosted on the server