Messages - Fawkesguy

#1
This is an odd issue which has me stumped.  Hopefully someone can point me in the right direction.  I have WireGuard clients from three providers running on OPNsense Business Edition 24.4.1 (Mullvad, AirVPN, and IVPN).  All clients connect successfully, and I can selectively route through them without issue.  I have all three in a gateway group called "VPN", and I have also tested them individually.

I've added a 2nd Mullvad WG client, but no matter what I do, I can't get monitoring to work - just on this one gateway.  Being that the gateway will also be part of the gateway group, I need it to be monitored.  I've tried the following IP addresses, and none work:

Mullvad's DNS Servers
100.64.0.1
100.64.0.2
100.64.0.3

10.64.0.1 (local Mullvad gateway)

External addresses, such as 8.8.4.4, 9.9.9.9, 1.1.1.1, etc.

None of them work.

What's really weird is that on the first Mullvad gateway I created, all of those addresses work without issue.  It's currently using 100.64.0.1

I've removed and re-added the gateway, the interface, tried multiple different endpoints.  Makes no difference. 

Again, traffic flows successfully across this 2nd Mullvad instance, but it refuses to be monitored.   :-)

Any suggestions would be greatly appreciated!
#2
Quote from: ChrisChros on February 02, 2022, 04:48:54 PM
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...

Furthermore I have crated for all these Networks a pass DNS to internal server rule and below this a block any external DNS server rule.

I hope this will help you to setup your firewall.

Just to show another option:

I do my LAN rule a little differently.  First one blocks everything but my Adguard Home server from reaching outside DNS using an alias containing a list of public DNS servers.  This helps prevent clients from using DoT and DoH to bypass the NAT port forward.  Second rule is generated from the NAT port forward.

The "Public_DNS" alias contains https://public-dns.info/nameservers-all.txt

#3
Not sure why, but I can't get this to work.  DNS redirect works fine, but NTP goes right past my NAT port forward.  Any ideas on how I might troubleshoot this?  Attached are my NAT and associated interface rules.  NAT reflection is disabled.
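Because OPNsense generates pf from the GUI, the raw pf equivalent of the rules described in posts #2 and #3 makes the order of evaluation visible. The following is an added example, not the poster's rules or OPNsense's generated ruleset: the interface name `lan`, the subnet 192.168.1.0/24, the AdGuard Home address 192.168.1.10, the router LAN address 192.168.1.1 (running ntpd) and the alias table file path are all assumptions.

```pf
# Constructed example: pf rendering of "redirect DNS and NTP to local
# servers, block known public resolvers for everyone except AdGuard".
# All addresses, the interface name and the table file are assumptions.
lan_net    = "192.168.1.0/24"
adguard    = "192.168.1.10"     # assumed AdGuard Home listener
router_lan = "192.168.1.1"      # assumed OPNsense LAN address, runs ntpd

# Alias "Public_DNS" from https://public-dns.info/nameservers-all.txt,
# assumed to be stored one address per line in this file.
table <Public_DNS> persist file "/var/db/aliastables/Public_DNS.txt"

# --- NAT (port forward) section: evaluated before the filter rules ---

# AdGuard's own upstream queries must not be looped back to itself.
no rdr on lan proto { tcp udp } from $adguard to any port 53

# Every other LAN client's DNS query, wherever it is aimed, lands on AdGuard.
# "rdr pass" also creates the matching filter pass (the GUI's
# "associated filter rule").
rdr pass on lan proto { tcp udp } from $lan_net to ! $adguard port 53 \
    -> $adguard port 53

# Same idea for NTP (post #3): plain NTP is UDP/123 only.
rdr pass on lan proto udp from $lan_net to ! $router_lan port 123 \
    -> $router_lan port 123

# --- Filter section: first "quick" match wins ---

# 1. AdGuard may reach the public resolvers on any port (53, 853, 443).
pass in quick on lan proto { tcp udp } from $adguard to <Public_DNS>

# 2. Nobody else may reach a listed public resolver on ANY port, which is
#    what stops DoT (853) and DoH (443) from bypassing the port 53 redirect.
block in quick log on lan proto { tcp udp } from $lan_net to <Public_DNS>

# 3. Whatever normal LAN-to-anywhere rule follows goes here.
pass in quick on lan from $lan_net to any
```

Two caveats on what this does and does not catch. The block in rule 2 keys on the destination address, so DoH to a resolver that is not in the list still passes; the redirect on port 53 is the only part that catches an arbitrary destination. The NTP redirect only sees UDP/123, so a client that uses NTS (key exchange over TCP/4460) or a non-standard port goes straight past it, exactly as the first-line filter rules do not see it either. To see whether the NTP redirect is being hit at all, `tcpdump -ni lan udp port 123` shows whether the queries reach the interface, `pfctl -s nat` lists the loaded rdr rules, and `pfctl -s state | grep ':123'` shows whether a state was created with the translated address; `pfctl -nf /tmp/test.conf` parses a file like the one above without loading it.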
#4
Zenarmor (Sensei) / Re: "Block DNS Tunneling"
March 22, 2021, 09:19:57 PM
Thank you for that very thorough reply.  The ability to block DoH will be great when it becomes available.   :)
#5
Zenarmor (Sensei) / Re: "Block DNS Tunneling"
March 21, 2021, 06:03:59 PM
Quote from: chemlud on March 21, 2021, 05:27:01 PM
That's fawke news ;-p

LOL, probably!  It seems impossible, but since the developers included it in the GUI, I figured I'd ask.   :)
#6
Zenarmor (Sensei) / Re: "Block DNS Tunneling"
March 21, 2021, 04:48:51 PM
Quote from: mimugmail on March 21, 2021, 06:40:57 AM
I'd guess never since DoT and DoH

Then I wonder why they put these in the GUI?

#7
Zenarmor (Sensei) / "Block DNS Tunneling"
March 21, 2021, 02:58:17 AM
Anyone know when we might see this feature implemented?

#8
Hello,

I'd like to set up a simple "no password" guest portal.  Just a page where a guest would need to check a box or click a button to enable access.  Setting up something like that in pfSense was just a couple of clicks.  I can't figure out how to do it in OPNsense.  Is it possible?  If so, can anyone provide guidance or point me to a how-to, or something similar?