Messages - Plaidy

#1
I found a fix here https://blog.veloc1ty.de/2022/03/07/opnsense-wireguard-wg0-is-not-a-WireGuard-interface/

The tl;dr is: run "ifconfig wg0 destroy" and then "/usr/local/etc/rc.d/wireguard restart".
#2
Quote from: franco on April 11, 2022, 09:05:32 AM
Hi Bert,

Maybe you have an older root certificate bundle manually imported in system: trust: authorities? Sometimes CAs reissue their certificates and if an older expired version is still in your system it could cause that.
Cheers,
Franco

I am having the same issue. How do I update the certificates?

Edit: Nevermind, I changed to an HTTP provider, performed the update and then changed back and that seems to have fixed the issue.
#3
Quote from: RamSense on April 29, 2022, 07:44:33 PM
Dear Plaidy,

I have no problems here and I use Zenarmor, Suricata, CrowdSec, WireGuard VPN etc. Network is working great. I do use basic traffic shaping.
This is an easy guide:
https://maltechx.de/en/2021/03/opnsense-setup-traffic-shaping-and-reduce-bufferbloat/

or here on this forum:
https://forum.opnsense.org/index.php?topic=7423.0

hope it helps you

Thanks so much. I will take a look at this.
#4
I am wondering if I may get some help with trying to set up traffic shaping, but this is confusing as this does not seem to be a problem others are having. One thing to note is that the conference calls largely take place while connected to company VPNs, but the same issue is present from this network with two devices connected to two different companies' VPNs, and the problem does not occur when using other home networks to connect to those company VPNs.

Is there some data I could provide that may assist with troubleshooting?
#5
Unfortunately not. I am not running that. Thank you for the suggestion though.
#6
Hello,

I am running a fairly basic configuration on a dedicated x86 device with dedicated Intel LAN and WAN ports. The LAN port goes to a basic home use switch. My connection is stable except for calls in Teams and Webex. The overall connection stays stable with no dropouts during this time, but usually 2-3 times per hour the audio and video will cut out when having video/voice calls using Webex and Teams. It may be a problem with other conferencing tools, but those are really the only ones used in my household. I have tried changing a few things in the advanced firewall settings that I have seen suggested to better prioritize the UDP traffic, but it has made no difference. The only thing I have that could maybe cause an issue with streaming data is that I have geo-blocking active inbound to all but a few countries.

Any suggestions would really be appreciated. It's annoying but more so, I hear about it often from my girlfriend :-D
#7
Did you ever find a way to fix this? I have the exact same issue and it's pretty annoying. Voice call audio and video just randomly cut out, but the connection to the internet is maintained the whole time.
#8
Quote from: erje on January 13, 2021, 12:05:41 PM
@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.

Sorry for not replying here. I guess I don't have notifications set up for when people reply to posts here. I did get it to work, or rather I gathered enough information to be satisfied, I guess. Still no actual explanation as to why some addresses can get through. Are you having issues?
#9
21.1 Legacy Series / Shell script won't execute
May 17, 2021, 11:38:47 AM
I was hoping someone could tell me what I am doing wrong. I set up a file in actions.d and linked the action to a shell script I have. I do a "service configd restart" and then test my action with "configctl checkwan load" and the script executes and says ok. I then go into the gui and select a cron job for that action but it never runs.

Here is my code: https://pastebin.com/kriFUHkM. I have tried using different actions like start, restart, etc. and nothing helps.

The reason I know when it does and doesn't execute according to schedule is I set up a healthchecks.io call in the checkwans.sh script for the time being.

Edit: Never mind. After making all the changes I removed the whole cron and added it again via the GUI and now it seems to be firing on schedule.
#10
Quote from: Taomyn on November 26, 2020, 10:18:44 AM
...i.e. anything not in the alias should be blocked. ...

...when I check the Maxmind GeoLite2 files the subnet is not present. ...

The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.
#11
Quote from: Gauss23 on November 24, 2020, 09:48:46 AM
You need to add the endpoints in the local tab. There is a dropdown with the available endpoints. You need to activate the ones you want to have on that local endpoint.

Yep. Wow. I feel like a dummy. Thank you.
#12
I have been trying to add an endpoint to the Wireguard plugin and no matter what I do, it doesn't show up in the configuration tab after saving. At first I was pulling my hair out trying to figure out why I couldn't connect with that key pair and then saw the endpoint is not shown in the config. I have gone through and saved every tab and I have even restarted the device after seeing a reddit post here https://www.reddit.com/r/WireGuard/comments/e8vxsn/wireguard_opnsense_add_client_endpoint_requires/. No luck though. Please see the attached screenshot for what I mean.

#13
Quote from: chemlud on November 18, 2020, 04:20:54 PM
OMG.

Dude, I don't know if that response is necessary. This is an INBOUND rule we are talking about. I want to allow some inbound traffic and deny others.

Edit: As I understand it, all that WAN designation does is tell OPNsense to APPLY this rule to packets coming in to the first interface they would hit from the outside: The WAN interface.

Of those packets coming into the OUTSIDE (read: WAN) interface NOT initiated from inside my network, apply the rule that only IP subnets listed as being from DE or the US may proceed to be evaluated by the next rule in the list. If they are not listed as DE or US they will be denied.

If this is not correct, could you please tell me where the break in logic is? This has nothing to do with stateful sessions at this point. I am trying to block/allow HTTP/HTTPS traffic to my reverse proxy that sits inside my home LAN BEHIND the OPNsense box and its WAN interface and that traffic/those requests are initiated from the OUTSIDE of the OPNsense box.

Edit: Glad I started quoting all your responses for the sake of posterity ;)

I see now that you were mistaken this whole time and thought I was trying to block ALL traffic inbound and block outbound LAN traffic to everywhere but the US and DE. That would be a very bizarre thing to do and definitely not what I was trying to accomplish. Thanks for trying to give me a lesson on networking and stateful packet inspection though heh.
#14
Quote from: chemlud on November 18, 2020, 04:12:56 PM
OPNsense is a stateful firewall. You have to block/allow on LAN. Don't ALLOW ANYTHING on WAN.

I am really not following here. I know it is a stateful firewall and as far as I know the rule is only allowing sessions INITIATED from the outside TO my WAN address which is then forwarded to the appropriate place on my LAN by OPNsense after the request is received.
#15
Did you try upping the limit under Firewall --> Settings --> Advanced --> Firewall Maximum Table Entries to something like 99999999999?

I initially had geoIP working and then in a subsequent update it stopped and I had to go edit that entry. Not sure why, if that is the fix, that it would only be needed on one box but worth a check anyway.