Messages - Medicineman25

#1
I have the usual home setup with an OPNsense appliance sitting behind a consumer-grade router provided by my ISP. How do I configure DynDNS in this setup? Does anything change?

Here is the error I'm getting:

/services_dyndns_edit.php: Dynamic DNS (<address>) There was an error trying to determine the public IP for interface - wan(igb2). Probably interface is not a WAN interface.

Surely not... given that most dynamic DNS clients can easily update from well behind a public interface, this shouldn't be an issue for OPNsense.

EDIT: turns out this is indeed a limitation of using OPNsense in the home, or rather of using it in this configuration. As an alternative, ddclient can easily be spun up in Docker and tbh is the preferred method.
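An added example (not from the post, and not OPNsense or ddclient code) of the difference between the two approaches discussed above: the error quoted in the post comes from trying to derive the public address from the WAN interface itself, which behind a consumer router only carries an RFC 1918 address, whereas ddclient's `use=web` method asks an external reflector which address it sees. The reflector is injected as a callable so the module runs offline; the addresses are constructed placeholders.

```python
"""Which address should a dynamic DNS client publish from behind an ISP router?

Added example, not OPNsense or ddclient code. It models the decision ddclient's
`use=web` makes (ask a reflector, not the interface) and the
only-update-when-changed step most providers expect.
"""
import ipaddress
from typing import Callable, Optional


def is_publishable(addr: str) -> bool:
    """True for a globally routable unicast address (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    # is_global already rejects RFC 1918, loopback, link-local and CGNAT 100.64/10
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def choose_public_ip(wan_addr: str, web_lookup: Callable[[], str]) -> str:
    """Prefer the interface address when it is already public (no external
    dependency); otherwise fall back to the reflector and validate its answer."""
    if is_publishable(wan_addr):
        return wan_addr
    seen = web_lookup().strip()
    if not is_publishable(seen):
        raise ValueError(f"reflector returned a non-public address: {seen!r}")
    return seen


def update_if_changed(current: str, cached: Optional[str],
                      push: Callable[[str], None]) -> bool:
    """Call the provider only when the address changed; providers rate-limit
    and some treat repeated no-op updates as abuse. Returns True if pushed."""
    if current == cached:
        return False
    push(current)
    return True


if __name__ == "__main__":
    # Constructed values: the address OPNsense holds on its WAN port behind the
    # ISP router, and a stub standing in for a "what is my IP" reflector.
    wan = "192.168.1.253"
    reflector = lambda: "93.184.216.34\n"   # placeholder public address
    sent = []
    ip = choose_public_ip(wan, reflector)
    print(update_if_changed(ip, None, sent.append), sent)   # first run: pushed
    print(update_if_changed(ip, ip, sent.append), sent)     # unchanged: skipped
```

In a real deployment `web_lookup` would be an HTTP call to the reflector and `push` the provider's update call; keeping both injectable is also what makes the logic testable without network access.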
#2
There doesn't seem to be an exclusion pool available. I am referring to use cases where it would be helpful to have known static IP addresses annotated somewhere in the interface.

Say, for example, I have an address pool from .60/24 to .70/24 but I have a static address at .65/24 for one reason or another. I could add a DHCP mapping, but then that violates system-as-documentation principles.

I could allocate away from that address, but sometimes that's not an option. Yes, we should all use NetBox and I'll definitely get there; in the meantime, even just a visible list of statically allocated addresses at the bottom of the manual allocation window would be a good interim measure.

Interested in thoughts and suggestions.
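An added example (not from the post or from OPNsense) doing the bookkeeping the post asks the UI for: given a from/to pool like the .60 to .70 range above and an inventory of statically configured hosts, report which statics collide with the pool and compute the contiguous sub-ranges that remain, which is how an "exclusion" is expressed on a DHCP server that only understands from/to ranges. The subnet, the extra hosts and their notes are constructed.

```python
"""Audit a DHCP pool against known static addresses.

Added example, not OPNsense code. Finds statics that fall inside the dynamic
range and splits the range around them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class StaticHost:
    ip: IPv4
    note: str          # the annotation the post wants visible in the UI


def pool_addresses(subnet: str, first: str, last: str) -> List[IPv4]:
    """Expand a from/to range, refusing bounds outside the subnet or reversed."""
    net = ipaddress.IPv4Network(subnet)
    lo, hi = IPv4(first), IPv4(last)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError(f"pool {first}-{last} is not a valid range inside {subnet}")
    return [IPv4(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def contiguous_ranges(addrs: List[IPv4]) -> List[Tuple[IPv4, IPv4]]:
    """Collapse a sorted address list into (first, last) runs."""
    runs: List[Tuple[IPv4, IPv4]] = []
    for a in addrs:
        if runs and int(runs[-1][1]) + 1 == int(a):
            runs[-1] = (runs[-1][0], a)
        else:
            runs.append((a, a))
    return runs


def audit_pool(subnet: str, first: str, last: str,
               statics: List[StaticHost]) -> Tuple[List[StaticHost], List[Tuple[IPv4, IPv4]]]:
    """Return (statics colliding with the pool, usable sub-ranges of the pool)."""
    pool = pool_addresses(subnet, first, last)
    taken = {h.ip: h for h in statics}
    conflicts = [taken[a] for a in pool if a in taken]
    usable = contiguous_ranges([a for a in pool if a not in taken])
    return conflicts, usable


if __name__ == "__main__":
    # Constructed inventory: the .65 host from the post plus two more.
    statics = [
        StaticHost(IPv4("10.0.0.2"), "core switch, outside the pool"),
        StaticHost(IPv4("10.0.0.65"), "printer, set static on the device"),
        StaticHost(IPv4("10.0.0.68"), "NAS"),
    ]
    conflicts, usable = audit_pool("10.0.0.0/24", "10.0.0.60", "10.0.0.70", statics)
    for h in conflicts:
        print(f"CONFLICT {h.ip}: {h.note}")
    for lo, hi in usable:
        print(f"pool range {lo} - {hi}")
```

Run it against whatever inventory you keep today (a spreadsheet export, or later a NetBox query) before editing the DHCP range; the printed sub-ranges are what to enter as separate pools.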
#3
Documentation and Translation / Plugins and packages
November 03, 2021, 11:00:49 AM
Could we add some basic walkthrough info on using plugins? It took a little while to find how to add a community repo, the answer to which was found on Reddit of all places. Not great.

It also took a bit to find plugins buried in the firmware section. The page for community plugins could redirect towards the plugins page to give a basic usage summary, and the plugins that have been upstreamed need to be removed from that documentation.

A good start on usage instructions might be the blurb on the community plugins GitHub.
#4
SOLVED!!!

The answer was to disable Unbound DNS, which is unfortunate... that is a problem for another time perhaps.

For now my VLANs are being routed over the VPN tunnel and DNS is resolving when using the VPN Gateway on Firewall rules.
#5
I have a Proxmox server with a VM and a VLAN-aware Linux bridge, feeding through a 24-port switch with the appropriate tag profiles on the desired ports, then to an OPNsense appliance and out to the internet. I also have a laptop (Machine A) connected to the switch.

- The VM is tagged 5 in the Proxmox network adaptor settings and the /etc/default/interfaces has allowed for vids 2-4096

- Machine A is not tagged

Perhaps important to note that my Proxmox server has but one Ethernet PHY.

Now, I have set up the VLAN on OPNsense with the igb0 port as parent according to this tutorial: https://homenetworkguy.com/how-to/configure-vlans-opnsense/#_

igb0 as parent seems logical. After having the issues I describe below, I figured I might try making the VPN interface as parent but that didn't work as expected.

Anyway. Here is a basic diagram

Machine A on LAN-> 24portSW -> OPN -> internet
Proxmox on VLAN 2-5 -> 24portSW -> OPN -> internet

OPN igb0 port has all the VLANs as does the port which is connected to my Proxmox server (there are more VLANs but I'm just focused on VLAN 5 right now as they all face the same issue). igb0 is connected to 24portSW.

Then I set up NordVPN according to this tutorial: https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm

I have the following rules in VLAN 5 (see attached)

TCP/UDP VLAN5_net -> VLAN5_address -> Gateway = * (default)
ICMP ALL VLAN5_net -> * -> Gateway = * (default)
TCP/UDP VLAN5_net -> 53 -> Gateway = * (default)
TCP/UDP VLAN5_net -> 80 -> Gateway = * (default)
TCP/UDP VLAN5_net -> 443 -> Gateway = * (default)

I have the following rules on LAN

TCP/UDP VLAN5_net -> VLAN5_address -> Gateway = VPN
ICMP ALL VLAN5_net -> * -> Gateway = VPN
TCP/UDP VLAN5_net -> 53 -> Gateway = VPN
TCP/UDP VLAN5_net -> 80 -> Gateway = VPN
TCP/UDP VLAN5_net -> 443 -> Gateway = VPN

Both machines are getting respective DHCP leases from each LAN subnet (LAN and VLAN5) and I have checked with various VM types (TrueNAS, Arch Linux) on Proxmox across various tags (2, 3, & 5). All have the same issue.

Here's the issue:

1. Currently I have no VPN routing and thus obviously DNS leaks on this VLAN, my IP is completely exposed BUT I have full internet connectivity across allowed firewall ports from the VM on VLAN5. I retain internet connectivity on Machine A on LAN. Using dig I can see my public IP completely exposed from the VM on VLAN5, but protected from Machine A on LAN.

2. However, if I switch the Gateway on VLAN5 to the VPN Interface (which mimics the rules on LAN), then I retain some connectivity and can ping 8.8.8.8 but I lose DNS and cannot resolve anything.

To sum up, I am losing DNS on VLAN5 when switching to the VPN Gateway on firewall rules. If I leave it on default I have DNS leaks and no VPN routing.

EDIT: also I cannot even ping the VLAN interface IP when switching to VPN Gateway
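An added example (not from the thread, and not OPNsense or pf code) that models the VLAN5 rule set listed above as a first-match evaluation, assigning each packet the gateway of the first rule it hits. Addresses are constructed: VLAN5 is 10.5.0.0/24 and the firewall's VLAN5 address is 10.5.0.1, where Unbound would be listening. In this model, with every VLAN5 rule pointed at the VPN gateway, a DNS query or a ping to the firewall's own VLAN5 address matches a policy-routed rule and is sent into the tunnel instead of being answered locally, which is what the symptoms above (no DNS, interface IP unreachable) look like; it is also consistent with the SOLVED post earlier in this list, since once Unbound is off the clients' queries to an outside resolver match the port 53 rule and travel through the VPN. A pass rule for local destinations with the default gateway, placed above the VPN rules, keeps local traffic local while 8.8.8.8 still goes out via the VPN.

```python
"""First-match model of the VLAN5 policy-routing rules listed in the post.

Added example, not OPNsense/pf code: it models rule order and the gateway the
first matching rule assigns, nothing else (no states, no reply-to, no NAT).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

VLAN5_NET = "10.5.0.0/24"      # constructed
VLAN5_ADDRESS = "10.5.0.1"     # constructed: the firewall's VLAN5 interface address
TCPUDP = frozenset({"tcp", "udp"})
ICMP = frozenset({"icmp"})


@dataclass(frozen=True)
class Rule:
    protos: FrozenSet[str]
    dst: str               # "*" for any, or an address / CIDR string
    dport: Optional[int]   # None = any port
    gateway: str           # "default" = no route-to, "VPN" = policy routed

    def matches(self, proto: str, dst: str, dport: Optional[int]) -> bool:
        if proto not in self.protos:
            return False
        if self.dst != "*" and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or dport == self.dport


def route_decision(rules: List[Rule], proto: str, src: str, dst: str,
                   dport: Optional[int] = None) -> str:
    """Gateway assigned by the first matching rule, or 'blocked' (default deny)."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(VLAN5_NET):
        return "blocked"   # every listed rule uses VLAN5_net as its source
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.gateway
    return "blocked"


def posted_rules(gateway: str) -> List[Rule]:
    """The five VLAN5 rules from the post, all set to the same gateway."""
    return [
        Rule(TCPUDP, VLAN5_ADDRESS, None, gateway),   # VLAN5_net -> VLAN5_address
        Rule(ICMP, "*", None, gateway),               # ICMP to anywhere
        Rule(TCPUDP, "*", 53, gateway),
        Rule(TCPUDP, "*", 80, gateway),
        Rule(TCPUDP, "*", 443, gateway),
    ]


# Fix: pass anything destined for the local VLAN5 network (the firewall itself
# included) with the default gateway, *before* any policy-routed rule.
FIXED_RULES = [Rule(TCPUDP | ICMP, VLAN5_NET, None, "default")] + posted_rules("VPN")


if __name__ == "__main__":
    client, google = "10.5.0.10", "8.8.8.8"
    for name, rules in (("posted, gw=default", posted_rules("default")),
                        ("posted, gw=VPN", posted_rules("VPN")),
                        ("fixed", FIXED_RULES)):
        print(f"{name:20}"
              f" dns->firewall: {route_decision(rules, 'udp', client, VLAN5_ADDRESS, 53):8}"
              f" ping->firewall: {route_decision(rules, 'icmp', client, VLAN5_ADDRESS):8}"
              f" dns->8.8.8.8: {route_decision(rules, 'udp', client, google, 53):8}"
              f" https->8.8.8.8: {route_decision(rules, 'tcp', client, google, 443)}")
```

The "posted, gw=default" row reproduces the first situation described above (everything works, nothing goes through the VPN), the "gw=VPN" row the second (DNS and ICMP to the firewall get policy-routed), and the "fixed" row shows the local-destinations rule restoring both while internet-bound traffic still takes the VPN gateway.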
#6
21.1 Legacy Series / Re: DNS issues on fresh install
March 22, 2021, 04:05:56 AM
Solved.

I regret to inform that OPNsense wasn't the only issue I was facing, yet I didn't know until very late last night... it appears there was something broken in my Arch Linux network stack. I suspect ExpressVPN has something to do with blocking traffic even when the service was suspended.

The above-mentioned settings on Unbound DNS in Forwarding Mode seem to work just fine.

Thank you for your help and patience!

#7
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 06:55:01 PM
Quote from: thowe on March 21, 2021, 05:39:04 PM
Well. I am a bit lost here.  ;)

I have similar setups running, even with some APU2 (and virtual instances on Proxmox). What I have and is working perfectly:


myNetwork---------LAN|OPNsense(NAT)|WAN-----------LAN|Router(NAT)|WAN----------Provider
10.1.1.0/24       10.1.1.1    192.168.1.100       192.168.1.1      some IP


The Gateway of OPNsense is (automatically via DHCP) set to 192.168.1.1.
On OPNsense I have (manually) configured two DNS servers (e.g. OpenDNS or Google).
DHCP server on LAN of OPNsense sets Clients in myNetwork to use the Unbound DNS server running on OPNsense (10.1.1.1 as DNS server on clients). Unbound forwards to the normal DNS resolvers configured for OPNsense.

Supposed your router would do some kind of DNS blocking, one could try to set 192.168.1.1 as DNS forwarder on OPNsense. Could be done manually or should also be set automatically using DHCP from your router.

I would say, that this is a kind of standard setup that always worked for me.

Haha, yes, we will figure this out together, I am only a little frustrated  8)

Ok so I have set the Unbound DNS "Enable Forwarding Mode" and pushed some buttons... all of a sudden it works, but not with DHCP for some reason. I turned things off, even Unbound, then power cycled the box and it still worked.

Flashed a new image to another mSATA and inserted it to investigate; no idea why it started working, which tbh is only slightly more annoying than it not working at all haha

Will report what I find.

EDIT: false alarm, not sure what I did but I've retraced my steps and cannot get it working again. Clearly I am on the right track here. Will keep going and report back.
#8
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 05:16:58 PM
Quote from: thowe on March 21, 2021, 03:47:02 PM
Ok. Getting better... ;-)

I think it will not work like this: You cannot have the same IP range on both NICs (WAN, LAN) without special subnet calculations.

I would select another range for the LAN side. E.g. 192.168.2.x or the 10.x.x.x you had before.

That's what I thought originally, so I've set that as LAN 10.x.x.x/24 and WAN 192.x.x.x/24.

It appears the popular option for a sub-LAN behind a NAT router is to turn off NAT in the subnet appliance and apply static routes, but that doesn't seem to work either. I've turned off NAT and made the following static route:

Network: 192.168.1.0/24
Gateway: WAN_DHCP - 192.168.1.254
Description: WAN

This does not work. Cannot access router or internet. I'm at a loss for what to do here, this shouldn't be this hard. I remember having minor struggles with routing the first time I attempted this many years ago but this is getting ridiculous.
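An added example (not from the thread, and not OPNsense code) that models the routing in this thread, using its addresses: LAN 10.0.0.0/24 behind OPNsense, OPNsense WAN 192.168.1.253, ISP router 192.168.1.254 with its own NAT toward the provider. It does longest-prefix lookups on both routers and tracks where source NAT is applied, and shows why switching NAT off on OPNsense and adding a static route on OPNsense, as tried above, cannot work by itself: the ISP router has no route back to 10.0.0.0/24, so the reply follows its default route to the provider and is lost. Either keep NAT on OPNsense, or add a 10.0.0.0/24 route on the ISP router (if it allows one; many consumer routers do not, which is the behaviour thowe describes earlier in the thread).

```python
"""Return-path model for OPNsense behind an ISP router (double NAT).

Added example, not OPNsense code: it models longest-prefix routing and the
point at which source NAT is applied, nothing else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Route = Tuple[Net, Optional[IPv4], str]   # (prefix, next hop or None if connected, iface)


@dataclass
class Router:
    name: str
    routes: List[Route]
    nat_iface: Optional[str]   # source NAT is applied when forwarding out this iface
    nat_addr: Optional[IPv4]   # address used for that NAT

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        cands = [r for r in self.routes if dst in r[0]]
        return max(cands, key=lambda r: r[0].prefixlen, default=None)


def reply_reaches_client(opn: Router, isp: Router, client: IPv4, dst: IPv4) -> Tuple[bool, List[str]]:
    """Trace client->dst out through both routers and the reply back again."""
    trail = []
    fwd = opn.lookup(dst)
    src = opn.nat_addr if opn.nat_iface == fwd[2] else client
    trail.append(f"{opn.name}: {client}->{dst} out {fwd[2]}, source seen upstream: {src}")
    fwd2 = isp.lookup(dst)
    trail.append(f"{isp.name}: {src}->{dst} out {fwd2[2]} (NAT to provider)")
    # The provider's reply returns to the ISP router, which undoes its own NAT
    # and must now find a route to `src`.
    back = isp.lookup(src)
    if back is None or back[2] == isp.nat_iface:
        trail.append(f"{isp.name}: no LAN-side route to {src}; reply leaves via default and is lost")
        return False, trail
    trail.append(f"{isp.name}: reply to {src} via {back[1] or 'directly connected'} on {back[2]}")
    # Back at OPNsense: undo its NAT if it applied one, then route to the client.
    back2 = opn.lookup(client)
    ok = back2 is not None and back2[2] == "LAN"
    trail.append(f"{opn.name}: reply to {client} out {back2[2] if back2 else 'nowhere'}")
    return ok, trail


def opnsense(nat: bool, extra_routes: Sequence[Route] = ()) -> Router:
    routes: List[Route] = [
        (Net("10.0.0.0/24"), None, "LAN"),
        (Net("192.168.1.0/24"), None, "WAN"),
        (Net("0.0.0.0/0"), IPv4("192.168.1.254"), "WAN"),   # WAN_DHCP gateway
        *extra_routes,
    ]
    return Router("OPNsense", routes, "WAN" if nat else None, IPv4("192.168.1.253"))


def isp_router(route_to_opn_lan: bool) -> Router:
    routes: List[Route] = [
        (Net("192.168.1.0/24"), None, "lan"),
        (Net("0.0.0.0/0"), None, "wan"),   # provider default; the router NATs here
    ]
    if route_to_opn_lan:
        routes.append((Net("10.0.0.0/24"), IPv4("192.168.1.253"), "lan"))
    return Router("ISP router", routes, "wan", None)


CLIENT, TARGET = IPv4("10.0.0.5"), IPv4("8.8.8.8")
# The static route added on OPNsense in the post. It duplicates the connected
# WAN route and cannot influence what the ISP router does with the reply.
POSTED_STATIC_ROUTE: List[Route] = [(Net("192.168.1.0/24"), IPv4("192.168.1.254"), "WAN")]


if __name__ == "__main__":
    scenarios = [
        ("NAT on OPNsense (default)", opnsense(True), isp_router(False)),
        ("NAT off + static route on OPNsense (the post)", opnsense(False, POSTED_STATIC_ROUTE), isp_router(False)),
        ("NAT off + 10.0.0.0/24 route on the ISP router", opnsense(False), isp_router(True)),
    ]
    for label, opn, isp in scenarios:
        ok, trail = reply_reaches_client(opn, isp, CLIENT, TARGET)
        print(f"{label}: {'works' if ok else 'FAILS'}")
        for step in trail:
            print("   ", step)
```

The model says nothing about why the default (NAT on) setup in this thread still failed for a LAN client, since that turned out to be on the client side as reported later; it only shows which of the three topologies can carry a reply back at all.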
#9
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 03:31:43 PM
Quote from: thowe on March 21, 2021, 12:16:49 PM
What IP address is assigned to the WAN NIC of OPNsense? And how?

With your setup you will probably need to do double NAT. There are routers rejecting routing to other internal IP addresses than the ones in their own LAN segment. (Which is the WAN segment on your OPNsense but not the LAN segment of OPNsense).

What would I do?
Make sure its working with a notebook attached to your router.
Reset the configuration of OPNsense.
Just let the OPNsense Wizard do its work.

This SHOULD result in a working configuration.

Ok so... I've now done all of this. I reflashed the card, put it back in the APU2, booted up and went through the wizard as normal. I didn't change a single thing except for adding Google DNS servers to WAN; LAN is set at 192.168.1.1, WAN is DHCP, and now I can't even access my router @ 192.168.1.254. It still marks as up and is still able to fetch upgrades from the internet, but accessing the router from LAN just gives address unreachable. Cannot ping the router either.

Trying to access the internet still gives a DNS resolution failure.

I turned off blocking bogon and private networks, and tried turning off NAT. Nothing.
#10
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 01:05:19 PM
Quote from: thowe on March 21, 2021, 12:16:49 PM
What IP address is assigned to the WAN NIC of OPNsense? And how?

A: WAN NIC = 192.168.1.253 and it's statically assigned... my next troubleshooting step is to have this assigned via DHCP

Quote
With your setup you will probably need to do double NAT. There are routers rejecting routing to other internal IP addresses than the ones in their own LAN segment. (Which is the WAN segment on your OPNsense but not the LAN segment of OPNsense).


A: yes I figured that double NAT'ing would be necessary as I can't turn my router into a bridge (I think that's the correct term, but it's been a while!)

Quote
What would I do?
Make sure its working with a notebook attached to your router.

A: sincere apologies I forgot to mention that internet is indeed working when connected directly to the router

Quote
Reset the configuration of OPNsense.

A: indeed that is my next step in this process

Quote
Just let the OPNsense Wizard do its work.

A: Roger.

Quote
This SHOULD result in a working configuration.

Will report back after lunch.
#11
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 11:00:27 AM
Quote from: Greelan on March 21, 2021, 02:40:29 AM
Probably need to see more detail on your network topology and your rules on OPNsense etc. Maybe you need a route to the LAN set on your router? Remember also that OPNsense blocks by default unless allow rules are specified (although on the LAN there is usually an allow-to-any rule included)

LAN: 10.0.0.0/24
WAN: 192.168.1.0/24
GW: 192.168.1.254

This is a fresh install so LAN has default allow all. I even have default allow all on the WAN for the moment just as a sanity check.

Also I turned off firewall on router so no need to mess around with forwarding any traffic. Still nothing.
#12
21.1 Legacy Series / Re: DNS issues on fresh install
March 21, 2021, 10:55:41 AM
Quote from: thowe on March 21, 2021, 05:35:20 AM
Are you sure you are having a DNS problem? I mean is IP routing to the Internet working?

As your router seems to have a WAN IP 192.x.x.x this could be an internal only IP 192.168.x.x that is not routed to the Internet/WAN by default. In this case you should disable this security setting in menu Interfaces : WAN in section Generic/Block private networks.

It's possible this is not a DNS issue. I have disabled blocking private networks but nothing has changed.

I have the following updates:

- I can ping from the firewall to any ip address FROM any interface (LAN & WAN) using Interfaces -> Diagnostics -> ping tool
- I cannot ping from the client machine on the LAN net to any IP address on the internet; the only address I can ping is my home router
- I can perform a DNS lookup via Interfaces -> Diagnostics -> DNS lookup to any and all internetz however I cannot then access that ip address directly in the browser. If I try google's ip address directly in the browser i.e. 216.58.210.206 it simply hangs and returns "ERR_CONNECTION_TIME_OUT"
- I have turned off the firewall on my router no change
- tried turning off NAT in opnsense no change
- again, everything is open on firewall rules and there is nothing in the logs to suggest any blockages at all.
#13
21.1 Legacy Series / DNS issues on fresh install
March 20, 2021, 10:25:07 PM
Having another weird issue where I have network -> opnsense -> router and I can access the router but not any internet. Seems to be some kind of DNS issue, even though I have set DNS IPs in my local machine and also in OPNsense. As the title states this is a fresh install and I haven't selected anything other than making the LAN net a 10.x.x.x subnet and my router is 192.x.x.x

There are no blocking rules set yet and I can ping/access my router just fine, updates to opnsense work just fine as well, and the upstream gateway is set properly.

Any ideas?
#14
I have a very strange issue occurring where the webgui will not load.

Initially I was using a static ip on my machine @ 192.168.1.20 to access the gui. I did access the gui and had a look around, I added some firewall rules but then turned them off. Then I changed the WAN interface ip address to a static ip @ 10.x.x.x range and now everything seems to have broken.

What's odd is the dhcp server on the LAN port is up and served me a dhcp lease without any trouble, and nmap shows ports 80 and 443 open on the machine. However, as the title states, the webgui simply will not load.

I have tried multiple browsers and clearing caches, nothing seems to work. Also worth noting is the error message, it times out instead of just not being able to find a machine at that ip address. I tested this by trying to access known blank addresses and getting a different result to the opnsense machine.