Messages

Thank you for answering.
After further investigation, I found that the rule "let out anything from the firewall host itself" is logged for every packet with the S/SA flags exiting any interface, including packets traversing the firewall. Therefore, in my case, this rule/log line was not the real indicator of the problem.

After understanding this, I enabled logging correctly and fixed the problem. At this point, I suspect that intra-VLAN traffic might also have been working with the previous firmware... but I have no way to investigate that. In any case, the problem is solved now. Thank you for sending me the links explaining the design choices behind the outbound rules; I think I've learned a bit more about pfctl now.

Hi, after upgrade to 26.x (currently 26.1.1-amd64), all intra vlan traffic is permitted and no longer blocked.

According to the firewall logs, the "let out anything from firewall host itself" rule, is allowing traffic from/to internal VLANS/LAN.
The rule "let out anything from firewall host itself" is applied automatically before my interface group "last match" blocking rule, so my blocking rule cannot be used. My interface group last match blocking rule was working correctly, blocking intra vlan traffic, before the upgrade.

I also tried to convert rules to the new version, deleted all old rules, rebooted, but nothing changed. Intra vlan traffic is still permitted.

Is it correct that in 26.x "let out anything from firewall host itself" allows traffic not originating from the firewall ?

Ok, half answer found: to avoid clients restarting every two minutes, in the openvpn server instance editor, enable advanced mode and set "Keep alive interval" to 10, and "Keep alive timeout" to 60.
Another useful option to mitigate IP wasting after reconnection, is to enable explicit-exit-notify in both Push Options and Options.

Thank you for the hint. I wasted a lot of time trying to understand why OpenVPN clients on OPNsense were reconnecting every two minutes, each time receiving a new IP address. The issue was that the server wasn't sending pings, and the client has a default ping-restart value of 120 seconds. As a result, the client restarted the connection every 120 seconds.

Setting the keepalive helper on the server to keepalive 10 60 should really be the default, as it is in pfSense and other products. When configured on the server, this setting is also pushed to the client—there's no need to define a keepalive on the client side.

The keepalive X Y option can be enabled in OPNsense by editing the OpenVPN server instance in advanced mode and setting both the "Keep alive interval" and "Keep alive timeout".

Additionally, enabling explicit-exit-notify on both client and server by default would be a good idea. For example, when a client disconnects, the allocated IP on the server is immediately released, without having to wait for the ping-exit timer to expire.
Again, explicit-exit-notify is enabled by default on pfSense clients and WatchGuard Firebox clients.

Hello!

I'm new to OPNsense, having just migrated from pfSense. I'm currently using OPNsense 25.1.5_5-amd64.

I've configured an OpenVPN server in "VPN: OpenVPN: Instances" and downloaded the .ovpn file from "VPN: OpenVPN: Client Export." I've also configured the necessary firewall rules.
The connection works properly - I can successfully reach all internal PCs on the LAN. However, I'm experiencing an issue: when I disconnect the client, the connection is never removed from the Connection Status list on the OPNsense side. The IP address is not released, and the route to the client is not removed.

Since the client disconnects every two minutes due to "Inactivity timeout (--ping-restart)" when there's no traffic, the list of active sessions on the server side grows indefinitely.

What am I doing wrong? Why aren't connections being released on the server side?

Thank you.

Me too. I have an APU4D4 with WLE600VX, and I would like to use it with opnsense.
As you said, FreeBSD 12 seems to support it. But none of opnsense or pfsense does support it. :(