Messages - rt050

#1
High availability / WAN Failover DNS
May 01, 2023, 06:04:10 PM
I've upgraded a site which used to be on pfSense onto OPNsense.

The site consists of 1 x FTTP 1Gbps fibre and a backup ADSL connection (you can thank BT/Openreach for not being able to provide anything better in the city centre).

I've followed the normal instructions in configuring a WAN failover setup, but my main issue is that DNS seems to come to a grinding halt 10/20 minutes after enabling the last step, routing all traffic via the failover gateway group.

I have floating allow DNS rules in place, and I'm a little stumped as to what it might be.

I've currently disabled the firewall rule to route all traffic via the failover gateway group, but I've also noticed, regardless of this, that occasionally on a normal session a user will be browsing and their browser errors out saying no internet, and then seconds later loads the page.

As I mentioned prior, this is obviously a DNS issue, but everything is configured as per the guides and basically the same as I had with the previous working pfSense install.

I have two separate DNS servers defined per WAN connection, so I'm really struggling.

I'm one step away from re-installing pfSense, but I really don't want to.
#2
I'm at a complete loss.

I've re-installed OPNsense, I've done everything a million times.

I've also tried making a site to site with my server (which is in a datacentre) and it does the exact same thing.

Site A (server) can ping Site B, but at Site B the VPN is up while the site-to-site interface gateway is offline.

What could cause this? I don't know what to do. The hardware is the same at both sites, and it's been running pfSense before this absolutely fine. I don't understand why this is happening, there's no clear indication :-\
#3
Yes you raise a very good point regarding SSL/TLS. I know about this, it was more just trying to get the damn thing to work properly. It's my plan to move it to SSL/TLS.

Regarding subnet size, yep I'll change that. It was more from following a step-to-step guide to see if I'd gotten anything wrong at all. I've changed the subnet size now.

Just so I don't confuse things, I'll name the sites as follows:

Site 1 - Server (and the site which isn't working properly)
Site 2 - Client


  • I've still got the Site 1 gateway remaining offline; it gets an IP but remains offline
  • I can ping from Site 2 > Site 1 from OPNsense diagnostics.
  • As you'd expect, I cannot ping from Site 1 > Site 2

I've mentioned before that I've tried swapping the server and client around, but I still have the exact same problem.
#4
Noted with the rule, I'm clutching at straws really.

Okay, since my last post I created the interface at both sites and restarted the service, which created the gateway. There's one site where the gateway appears online (after unticking "Disable gateway monitoring") and one site where it remains offline. This seems to always be the same regardless of which site is server and which site is client.

Please see server config attached (didn't include the shared key obviously).

I seem to have a recurring error under the OpenVPN logs on the site where the gateway always appears offline (regardless of whether a monitor IP is enabled).

Also - I took the plunge and rebooted...

Quote
2023-01-25T21:52:43   Warning   openvpn   ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43   Warning   openvpn   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43   Warning   openvpn   Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43   Error   openvpn   event_wait : Interrupted system call (code=4)
2023-01-25T21:52:18   Warning   openvpn   ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18   Warning   openvpn   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:18   Warning   openvpn   Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:18   Error   openvpn   event_wait : Interrupted system call (code=4)
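As an added illustration (not part of the poster's thread or of OPNsense itself), a small triage script for the OpenVPN log format quoted above: it parses the timestamp / level / process / message columns, counts messages that repeat across restarts, and pulls out the "route add command failed" lines, since a tunnel that comes up but never installs its kernel route is exactly what an "up but gateway offline" symptom looks like. The sample lines are copied from the post; the field layout assumed by the regex is an assumption based on that quoted output.

```python
import re
from collections import Counter

# Sample log taken from the quoted OPNsense OpenVPN log above (constructed for this example).
SAMPLE_LOG = """\
2023-01-25T21:52:43   Warning   openvpn   ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43   Warning   openvpn   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43   Warning   openvpn   Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43   Error   openvpn   event_wait : Interrupted system call (code=4)
2023-01-25T21:52:18   Warning   openvpn   ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18   Error   openvpn   event_wait : Interrupted system call (code=4)
"""

# Assumed column layout: ISO timestamp, severity word, process name, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<proc>\S+)\s+(?P<msg>.+?)\s*$")


def parse_log(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def recurring_messages(entries, min_count=2):
    """Messages seen at least min_count times, i.e. errors that survive a service restart."""
    counts = Counter(e["msg"] for e in entries)
    return {msg: n for msg, n in counts.items() if n >= min_count}


def route_failures(entries):
    """Lines where OpenVPN's route hook failed; the remote subnet will not be reachable."""
    return [e for e in entries if "route add command failed" in e["msg"]]


def triage(text):
    """Summary a defender would glance at: distinct restarts and whether routes ever installed."""
    entries = parse_log(text)
    failures = route_failures(entries)
    return {
        "lines": len(entries),
        "restarts_seen": len({e["ts"] for e in entries}),
        "route_failures": len(failures),
        "route_never_installed": bool(failures) and len(failures) == len({e["ts"] for e in failures}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

If `route_never_installed` is true, the next place to look is the server's IPv4 tunnel/remote network settings and the gateway monitor, not the firewall rules.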
#5
Hi there,

I seem to be struggling with a site-to-site between two OPNsense units.

I followed the OPNsense guide and also used my own experience to configure the link, but I seem to be running into issues in getting the two local subnets to talk to each other.

When I've had this issue before, it was usually a missing firewall rule, and I've at least been able to ping the firewall at each end, but I cannot even do this.

I added an everything/everywhere rule on both units under the OpenVPN firewall rules, but this hasn't helped at all. I've also added a firewall rule on the LAN subnet at both sites with "OpenVPN net" as source and destination anywhere.

I've also added the firewall on the WAN interface on the server.

As said before, the VPN is up and the status is showing a small amount of data transferred, but yep, no traffic at all. I've done a few site-to-sites before with OpenVPN with almost instant success, so I'm a touch confused as to what may be going on.

I've tried the server and client both ways around, with exactly the same issues.

All encryption and compression matches also.

I've removed and re-made the config three times now with the same outcome :(

Thanks in advance.

It's worth noting I've not been able to reboot the units, I will try tomorrow night when I'm on site (too much fear doing this remotely)...
#6
General Discussion / Re: Inter-vlan routing not working
January 20, 2023, 12:30:24 PM
Just tried one last thing. I remember having some issues accessing ESXi once after an OPNsense upgrade, which turned out to be an incorrect gateway.

I connected a laptop directly to the VLAN and had a look at what was set on the cameras... They were set to 10.1.1.1 and my CCTV gateway is 10.1.1.5.

I tried changing the one camera and I can now access the gui.

Stupid me, apologies.
#7
General Discussion / Inter-vlan routing not working
January 20, 2023, 12:17:45 PM
Hi all,

I have just upgraded a site to OPNsense from pfSense, which was initially successful apart from one strange issue that's baffling me and which I'm struggling to solve. It should be simple, but my usual method isn't working.

So I have a few VLANs, mostly public WiFi; however, I have the CCTV cameras on a separate subnet and I wish to access this from the LAN so I can modify the cameras if I need to (server-based CCTV software).

So all I need is one-way traffic from LAN > CCTV to basically access the cameras' GUI.

So I have a rule which has normally worked in the past, and goes like this:

Action: Pass
Quick: Selected
Interface: LAN
Direction: In
TCP Version: IPv4
Source: LAN net
Destination: CCTV net

So I tried the reverse from the CCTV subnet, which worked as expected, and I could ping from the CCTV subnet:

Action: Pass
Quick: Selected
Interface: LAN
Direction: In
TCP Version: IPv4
Source: CCTV net
Destination: LAN net

There are only two rules on the CCTV subnet, which are DNS and NTP.

LAN rules are simple too, with the above rule at the top of the table.

Only floating rules for DNS, as I'm using WAN failover. Anybody know what could be causing this? I feel stupid as it's simple stuff.
#8
Reboot solved the problem. Should have done that in the first place!
#9
Could you clarify what you're trying to achieve?

Do the two WAN connections have their own IP?

Sounds like you want load balancing or IP failover?
#10
Well, it all went well until...

Changed WAN prefix - good
Changed WAN IP - good

I changed the final setting, which was the prefix on a virtual IP, and now everything is offline.

I'll have to wait until the morning, maybe a reboot will solve it.
#11
General Discussion / Changing WAN subnet mask remotely
January 27, 2021, 05:11:54 PM
Hi all,

I have a requirement to change the subnet mask to cater for expanding our public IPs. The problem is that I'll need to do this entirely remotely.

The gateway isn't going to change as I can expand backwards, so it's just the subnet mask, and I guess it'd be good to move the WAN IP to the start of the usable range.

Before pushing ahead and doing this, is there anything I should expect to happen or go wrong? As I mentioned, I need to do this remotely, so once I hit save on that WAN interface change and apply the settings, will I need to restart the interface or reboot or anything, or should I be able to keep connectivity?

Thanks
#12
Edited - accidentally posted a duplicate copy of the above. Sorry
#13
Hi All,

First of all, what a great product OPNsense is, thank you :)

I have a problem that has developed this morning after playing around with ZeroTier (really cool stuff).

So right now, I'm connected to my firewall via OpenVPN and I can ping and access the firewall and GUI. The hosts on this subnet, however, are returning the gateway address. Weird.

For example:
Quote
Pinging 10.20.8.1 with 32 bytes of data:
Reply from 10.20.8.1: bytes=32 time=20ms TTL=64

H:\>ping 10.20.8.101

Pinging 10.20.8.101 with 32 bytes of data:
Reply from [MY_PUBLIC_GATEWAY_IP]: Destination net unreachable.

Now, this server is in a datacentre and it's a self-contained host. Everything has been up for a few months, no issues at all.

Initially I configured ZeroTier to talk to my remote subnet, which worked well. It still works, but I tried to add a route to the LAN (10.20.8.0/24) and now the devices are offline and I can't ping or anything.

What I've done so far:

I can ping from the LAN interface on OPNsense
I can access the firewall via VPN, and devices on other subnets work/are online
Verified I haven't changed any rules
Disabled all ZeroTier config and interfaces to see if that helps

I haven't rebooted OPNsense; I'm hoping to fix this without resorting to that, plus the ESXi GUI is on the "misrouted" subnet :'(

I suppose I could try to remove the LAN interface and re-add it with the same IP range. ESXi is statically assigned.

I'd really appreciate if anybody has any pointers.

Thank you