Messages - sc0ttjm

#1
Thank you so much for this!
Yes it is now working exactly as expected.
I just wasn't setting up the PPPoE connection first under "Interfaces>Point-to-Point>Devices"; I was doing it from the "Interfaces>WAN>Generic configuration" section.
I was also getting confused whether it was working or not, as I was running a speedtest to test the connection and view my external IP so I knew which WAN connection was being used, but I didn't realise that the default GW Failover Pool Option was "Round Robin, Sticky Address", so of course when I refreshed the page it looked like it had not failed across, as it will use the first connection in that session until it is no longer available.
Thanks again, I was struggling with this for a while so you saved me a lot of time.
BTW, the IPv6 Gateway still appears but doesn't make any difference to the functionality, so it wasn't related to the issues I saw after all, but I'm not sure why it is there.
#2
The OPNsense Documentation is excellent around Gateway groups / Multi WAN and I was able to follow this in a test environment on my new DEC675 unit without any issues.
This test involves 2 DHCP WAN connections.
In the real world I'll be using a UK vDSL connection (PPPoE) as WAN and a Robustel 4G/LTE router as WAN2.
As soon as I change the WAN from DHCP to use PPPoE, the failover no longer works.
I can get an internet connection using the PPPoE configuration, but what's strange is that when I look under System>Gateways>Single I see a new gateway called "WAN_GW" which is marked as active and is using IPv6, and I'm not using IPv6 anywhere. I'm not sure if this is causing the issues as it seems to take priority over the actual WAN gateway that is also listed.

Has anybody managed to set up PPPoE as part of a GW Failover group successfully?
I'm using a brand new DEC675 appliance from Deciso and OPNsense Business Edition Version 22.10.2
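To illustrate the "Round Robin, Sticky Address" behaviour described in the two posts above (refreshes keep using the same WAN until that gateway is marked down), here is an added model of gateway-group selection. It is constructed example code, not OPNsense's own implementation: the gateway names WAN_PPPOE_GW and WAN2_LTE_GW and the client addresses are assumptions, and the model only covers the down transition (a gateway that comes back up is not modelled).

```python
"""Constructed model of gateway-group selection: tiers give failover, and
'Round Robin, Sticky Address' keeps a source address on the gateway it first
used until that gateway is marked down. Names and addresses are assumptions."""
from itertools import cycle


class GatewayGroup:
    def __init__(self, members, sticky=True):
        self.members = members                 # list of (name, tier); lower tier wins
        self.sticky = sticky
        self.up = {name: True for name, _ in members}
        self.sticky_map = {}                   # source address -> gateway name
        self._rr = None                        # round-robin iterator for the active tier

    def _active(self):
        """Alive gateways of the lowest tier that still has at least one up."""
        for tier in sorted({t for _, t in self.members}):
            alive = [n for n, t in self.members if t == tier and self.up[n]]
            if alive:
                return alive
        return []

    def set_status(self, name, is_up):
        self.up[name] = is_up
        self._rr = None                        # membership changed: rebuild rotation
        if not is_up:
            # Bindings to a gateway that went down are dropped, so the next
            # connection from that source re-selects among the survivors.
            self.sticky_map = {ip: gw for ip, gw in self.sticky_map.items() if gw != name}

    def select(self, src_ip):
        """Gateway used for a new connection from src_ip (None if all are down)."""
        if self.sticky and src_ip in self.sticky_map:
            return self.sticky_map[src_ip]
        alive = self._active()
        if not alive:
            return None
        if self._rr is None:
            self._rr = cycle(alive)
        gw = next(self._rr)
        if self.sticky:
            self.sticky_map[src_ip] = gw
        return gw


def failover_scenario():
    """Tier 1 = PPPoE WAN, tier 2 = LTE: refreshes stay on WAN until it drops."""
    group = GatewayGroup([("WAN_PPPOE_GW", 1), ("WAN2_LTE_GW", 2)])
    client = "192.168.1.50"                               # assumed LAN client
    log = [group.select(client) for _ in range(3)]        # three speed-test refreshes
    group.set_status("WAN_PPPOE_GW", False)               # monitor marks the WAN down
    log.append(group.select(client))                      # next connection fails over
    return log


def load_balance_scenario():
    """Both gateways in tier 1: new sources alternate, but each source sticks."""
    group = GatewayGroup([("WAN_PPPOE_GW", 1), ("WAN2_LTE_GW", 1)])
    a, b = "192.168.1.50", "192.168.1.51"
    return [group.select(a), group.select(b), group.select(a), group.select(b)]


if __name__ == "__main__":
    print("failover:", failover_scenario())
    print("load balance:", load_balance_scenario())
```

The point for troubleshooting is in `failover_scenario`: three refreshes from the same client all return the tier-1 gateway, and only a connection opened after the gateway is marked down lands on the LTE gateway, so a speed-test page that simply reloads does not by itself prove failover is broken.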

#3
Found the solution elsewhere:

Firewall > Settings > Advanced

Turned on these 3 settings under "Network Address Translation"

  • Reflection for port forwards
  • Reflection for 1:1
  • Automatic outbound NAT for Reflection

Now all working as expected.

#4
We have some NAT Rules on our OPNsense firewall to redirect CCTV browser traffic to the correct NVR depending on the port used.

E.G. 1.2.3.4:8087 redirects to internal IP 10.0.0.1:80 & 1.2.3.4:8088 redirects to internal 10.0.0.2:80

This works fine externally, but when somebody with a laptop comes into the office and plugs into the network, the shortcut they have to the CCTV system in their browser no longer works.
They get a generic error "This site can't be reached [sitename.co.uk] took too long to respond."

I can't work out a way to get around this, please could somebody help me?

Thanks
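The two posts above (the question, and the three NAT reflection settings that fixed it) describe a hairpin NAT problem: a LAN client addresses the firewall's own WAN IP, and the port-forward rule is only attached to the WAN interface. The following added model walks a request through the firewall under each combination of settings. It is constructed example code, not OPNsense's or pf's implementation; the public address, ports and NVR addresses are those from the post, while the firewall's LAN address (10.0.0.254), the LAN client (10.0.0.50) and the external client (203.0.113.7) are assumptions.

```python
"""Constructed model of why an internal client cannot reach a port forward by
its public address until NAT reflection is enabled, and why reflection on its
own is not enough when client and server share a subnet.
Firewall LAN address, client addresses and source port are assumptions."""

WAN_IP = "1.2.3.4"
FW_LAN_IP = "10.0.0.254"          # assumed LAN address of the firewall
LAN_PREFIX = "10.0.0."
PORT_FORWARDS = {8087: ("10.0.0.1", 80), 8088: ("10.0.0.2", 80)}


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Firewall:
    def __init__(self, reflection=False, outbound_nat=False):
        self.reflection = reflection          # "Reflection for port forwards"
        self.outbound_nat = outbound_nat      # "Automatic outbound NAT for Reflection"
        self.states = {}                      # (translated src, sport) -> original tuple

    def forward(self, pkt):
        """Return the packet as delivered to the NVR, or None if the firewall keeps it."""
        iface = "lan" if on_lan(pkt["src"]) else "wan"
        if pkt["dst"] != WAN_IP or pkt["dport"] not in PORT_FORWARDS:
            return None
        if iface == "lan" and not self.reflection:
            # The port-forward rule is bound to the WAN interface only. A LAN packet
            # addressed to the WAN IP is handled by the firewall host itself, where
            # nothing listens on 8087/8088, so the browser simply times out.
            return None
        out = dict(pkt)
        out["dst"], out["dport"] = PORT_FORWARDS[pkt["dport"]]
        if iface == "lan" and self.outbound_nat:
            out["src"] = FW_LAN_IP            # hairpin: make the NVR answer the firewall
        self.states[(out["src"], out["sport"])] = (pkt["src"], pkt["dst"], pkt["dport"])
        return out

    def reverse(self, reply):
        """Undo the translation for a reply that comes back through the firewall."""
        orig = self.states.get((reply["dst"], reply["dport"]))
        if orig is None:
            return None
        src, dst, dport = orig
        return {"src": dst, "sport": dport, "dst": src, "dport": reply["dport"]}


def attempt(client_ip, port, reflection=False, outbound_nat=False):
    """Outcome of one TCP connection from client_ip to WAN_IP:port."""
    fw = Firewall(reflection, outbound_nat)
    request = {"src": client_ip, "sport": 51000, "dst": WAN_IP, "dport": port}
    delivered = fw.forward(request)
    if delivered is None:
        return "timeout"
    # The NVR answers whatever source address it saw on the request.
    reply = {"src": delivered["dst"], "sport": delivered["dport"],
             "dst": delivered["src"], "dport": delivered["sport"]}
    if on_lan(reply["dst"]) and reply["dst"] != FW_LAN_IP:
        # Same subnet: the NVR replies to the client directly, bypassing the firewall
        # state. The client has a connection to 1.2.3.4:port, not 10.0.0.x:80, so it
        # rejects the reply.
        return "reply_bypasses_firewall"
    back = fw.reverse(reply)
    if back and (back["src"], back["sport"]) == (WAN_IP, port):
        return "ok"
    return "reply_lost"


def summary(port=8087):
    """The four cases a practitioner would compare when diagnosing this problem."""
    return {
        "external client": attempt("203.0.113.7", port),
        "lan, no reflection": attempt("10.0.0.50", port),
        "lan, reflection only": attempt("10.0.0.50", port, reflection=True),
        "lan, reflection + outbound nat": attempt("10.0.0.50", port, reflection=True,
                                                  outbound_nat=True),
    }


if __name__ == "__main__":
    for case, result in summary().items():
        print(f"{case:32s} {result}")
```

The "reply_bypasses_firewall" case is the one that is easy to miss: once reflection is on, the client's request does reach the NVR, but because client and NVR sit on the same 10.0.0.0/24 the reply never passes back through the firewall, which is why "Automatic outbound NAT for Reflection" is part of the fix.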

#5
Hi all,
I found the answer, but I found it difficult to get there so it took me a long time  to find it.
I'm posting the answer here to help anybody else finding themselves in the same situation in future.

In the end, it was as simple as following the steps in this guide: https://docs.opnsense.org/troubleshooting/password_reset.html

Once you reset the password, you are given the option to change the authentication server so I changed it back from my LDAP server to Local Database and after a final reboot, I could log back in.

The problem was caused when I selected the LDAP Server as the Authentication Server. I should have also selected the Local Database option; I didn't realise it was a multiple selection list. I thought by selecting my LDAP server it would be added to the list, but this is not the case.

Luckily I found this literally seconds before giving up and starting again!

#6
Hi,
I've spent hours perfecting my new Firewall setup for a Live customer over the weekend and was testing VPN Connectivity for Road Warriors last night using LDAP and all was working perfectly.

I've come to finish off this morning and I can't login to the OPNsense firewall anymore!

I think it might be because I changed the Authentication Server to the LDAP Connection, BUT I thought that as long as I didn't check "Disable integrated authentication" I would still be able to login using the local root account, but I can't.

I can't SSH to it and the Web interface just says "Wrong username or password."

PLEASE HELP!

I'm currently completely locked out
#7
Not had much response to this but really struggling to work this out.  Any help would be greatly appreciated!
#8
I have some equipment setup in a colocation cabinet in a local datacentre as per the diagram attached.
We can access everything we need to currently, but we want to add a set of Virtual Machines that have their own network behind their own managed OPNsense Firewall, independent of everything else.
We want to use a spare external IP address just for this network, so that in the example in my diagram, Unused External IP address *.*.*.164 will go straight through our firewall cluster (1) to the Virtual Firewall on XCP-NG Host1 (2) so we can access the resources behind it in that network (3).
I managed to get an isolated host on vLAN30 to be accessible from outside by NAT port forwarding RDP (don't worry just to test, it's not live) as shown in the diagram as "Windows VM 10.30.0.12" on XCP-NG Host3.
To achieve this:
•   I setup a vLAN ID (30) on my physical OPNSense Firewalls,
•   Created an Interface called "Test_Network" using vLAN ID30 on the LAN Physical Interface with IP Address 10.30.0.1,
•   Created a NAT Port Forward rule that allows RDP from my external IP address to the Virtual WAN IP address of the Windows VM.
•   Tagged this vLAN on all physical switch ports
•   Created a pool network on XCP-NG using vLAN ID30
•   Attached this network to my test Windows VM on one of the hosts
This works fine and my test VM is assigned an IP address from the external OPNsense firewall and has access to the internet but cannot see anything else on any other network, which is what I want, but it shares my main external IP and I have to have a rule to allow it on our physical firewall.
I just can't work out how to do this instead to recognise a specific external IP address as the Destination on the Physical Firewall and so pass all traffic through to the second Virtual firewall on the XCP-NG host to manage it.
I feel like I'm close but can't quite get over the finishing line.
Any help greatly appreciated.
#9
Hi @liceo, Thanks for your reply.
We're looking at hosting our customers' infrastructure on a HA cluster.
Each customer typically has a Domain Controller onsite and a VPN to the Data Centre linking the 2 sites together.
Each customer will be completely segregated and have their own WAN IP address(es).
I'm just not sure how the firewall should be setup to keep them all separate.
When I say "all", we've not even started yet so will only have about 3 or 4 customers at first.
The idea is to add more storage and Hosts as it grows.
#10
Hi,

We have had shockingly bad service and support from OVHcloud in the UK, who are hosting a managed Bare Metal server for one of our biggest customers.

We are looking into providing this service to our customers ourselves in future by using a set of 3 XCP-NG Servers in a HA cluster with Shared Storage (SAN), Stacked Switches and Resiliency wherever we can (multiple PSU etc) in a local co-location Data Centre.

The weakest area in expertise for me is the Router/Firewall area. 
I want to use a set of 2 x OPNsense Hardware Firewalls in a HA Cluster to provide protection and connectivity for each customer.

Each customer will have a different WAN IP.

Can you offer any advice on how best to set this up, or any tips or gotchas to be aware of that you can point out to help? I have no experience yet of using multiple WAN IPs with OPNsense.

I was also thinking of having this Hardware HA cluster, then having a Virtual OPNsense firewall instance for each customer too but my concern is that when I've virtualised OPNsense before, IPSEC VPN Performance has been very poor one way.

Any advice would be greatly appreciated.
Thanks in advance for your time.
#11
Quote from: Greelan on July 25, 2021, 12:20:11 AM
Not seeing the console menu is normal. After logging in, "sudo su -" to switch to root. The menu then shows

Perfect, Thanks!
#12
Hi,
I think this should be a simple one but I'm struggling to find the answer myself.

I created a new admin user some time ago and disabled the root user as per the good practice guides I read.
I've just had to login to the console for the first time since then and could not.
I had to re-enable the root user in the web interface and then I could login to the console using that account.
I then compared the 2 accounts and the only difference I could see was the "Login Shell" value for root was "/usr/local/sbin/opnsense-shell" and my new admin user was set to "/sbin/nologin", but the only other options in the drop down are "/bin/csh", "/bin/sh" and "/bin/tcsh".
I tried "/bin/sh" which allowed me to login but I couldn't see the usual menu.
If I type su and put in my password, I get "Sorry"

To clarify, this user is a member of the admins group and the System > Settings > Administration Secure Shell Login Groups are set to Wheel, Admins.

#13
UPDATE:

I paid a different Proxy Provider for a "Social Media UK Only Proxy" and as soon as I entered the details in the windows proxy settings, I was able to access the sites for the first time from every RDP server behind the firewall.

I really can't explain why after trying over 30 different proxies but I'm just relieved that it is now working!

Thanks for all your help so far!
#14
Hi @chemlud the IP is definitely UK Based, it seems some sites like whatsmyip.com are reporting the location wrong on the initial page.

When you visit whatsmyip.com and click on "Your IP Address" at the top of the page, it shows the RIPE database lookup and that clearly shows GB and London, England as the location, so it's a mistake on their first page.

I checked again with OVH and it actually says "UK" next to the IP address in the assignment list.

So I still think it's being blocked because the site thinks my servers are behind a proxy.

I can replicate the issue anywhere by using a proxy, even on my laptop at home, which is why I think that something on the OPNsense firewall is making the website think it is using a proxy.

I can only replicate this by using a proxy or using my servers that are behind the OPNsense firewall.
If I use no proxy, the website is accessible from anywhere (except OVH behind the OPNsense firewall).

So I need to find out why the sites think a proxy is in use.

#15
Further update:

It seems to depend on which site you use as to whether you get Paris France or London UK as a location for this IP address.

I just tried this site: https://www.iplocation.net/ which tells me UK London and also that no Proxy is present: