Messages - Aerowinder

#1
Quote from: Patrick M. Hausen on April 11, 2025, 03:40:56 AM
Check Interfaces > Assignments. Possibly your WG interfaces got renumbered.

Swapped back to the old snapshot - the interfaces are unfortunately numbered the same as they were prior to the update.

I swapped my individual interface installation back to using the Wireguard Group rules, and everything works again.
#2
Greetings,

I have 2 installations of OPNsense - one of these installations has the Wireguard firewall rules in the "Wireguard" interface. The other installation has the Wireguard interfaces in separate OPT interfaces. Both work in 25.1.4.

Upon updating to 25.1.5, the installation using the "Wireguard" interface still passes the VPN traffic, but the installation using the separate Wireguard interfaces is not passing traffic.

Wireguard logs don't show any issues. Firewall logs indicate that the VPN traffic is not being blocked. For now, I've reverted to the pre-installation state with a ZFS snapshot.

Are there any other logs I can collect that might help?
#3
Quote from: L on December 19, 2024, 11:42:52 PM
Quote from: Aerowinder on December 19, 2024, 08:48:24 PM
Bypass is the way. Anything else is a waste of effort. If you are interested, I and probably hundreds of others here can assist. I literally did this 2 weeks ago.
I heard about this but I'm not certain it's the approach I want to take (no doubt if this had been available years ago when I was originally building my network I would have done it). Firstly, I don't think I'm on XGS-PON; I'm not sure how much of a hassle it would be to get that changed, but it doesn't sound super fun since I really don't need more than 1Gbps. Secondly, my router is a thin client with an Intel PCIe NIC, so I don't have an SFP+ port and can't add one, so if I did decide to go this route what would you recommend for converting the WAS-110 with SFP+ to RJ45?

Being on GPON is actually better, because the equipment you need is significantly cheaper. If you are on GPON, you need:

1) a GPON transceiver (SFP) - ~$50 from FS.com, but cheaper models that are known to work can be had.

2) a switch or media converter (puke) that can handle the traffic. Literally any dumb switch with an SFP and RJ45 jack will work. Even an existing smart switch could easily be made to work. Media converters are junk, in general. I bought one of those first and had pretty bad latency issues in games. Replaced it with a dumb switch and it's perfect now. - ~$20-$80, depending on what ya buy.

The whole deal will cost you $40-$100 USD, depending on which transceiver and switch. It will cost you probably an hour or less in time to get the transceiver set up. The documentation on how to do this is scattered in 3-4 different sites, but I compiled all the instructions into a document for future use.

There can be some gotchas, like if AT&T is still enforcing EAP auth where you are. I'm not sure how common that is any more. I didn't need any certs or anything for my setup, when I did in the past (when I had the BGW210).

#4
Would you mind posting your configs without the keys?
#5
I have experienced this same behavior, with the same fix (refreshing WAN interface). It didn't happen all the time, but enough that I was afraid to remote reboot the firewall.

Ultimately, the solution is to bypass the AT&T gateway, as this is far from the only issue it has (not even talking about the well-known NAT table limitations). It also has some really nasty IPv6-PD bugs. Nasty as in it just doesn't work at all since the last update. Completely broken. I don't rely on IPv6, but I do have a dual stack network and I expect it to work... But good luck explaining this to the support idiots at AT&T. It's not even worth the effort.

Bypass is the way. Anything else is a waste of effort. If you are interested, I and probably hundreds of others here can assist. I literally did this 2 weeks ago.
#6
24.7, 24.10 Legacy Series / Re: Web access to OPNSense
August 01, 2024, 09:30:55 PM
Do not do this.
#7
Quote from: nzkiwi68 on March 06, 2022, 06:57:05 PM
I had a similar problem a while ago on older versions.

I fixed it by:
System > Settings > Miscellaneous

And then disable all of the periodic backups:
Periodic RRD Backup > DISABLED
Periodic DHCP Leases Backup > DISABLED
Periodic NetFlow Backup > DISABLED
Periodic Captive Portal Backup > DISABLED

Reboot, and now shutdown and reboot worked great.

This fixed the issue for me as well. I tried to disable all except DHCP lease backup, rebooted, and the lockup still happened. My DHCP server(s) are disabled on OPN. Perhaps that is the cause of the issue? OPN is attempting to backup something that does not exist and just hangs instead of timing out?
#8
Quote from: mimugmail on March 20, 2021, 12:05:11 PM
On the server side, when you add an endpoint, only enter the remote tunnel IP with /32 there. On the endpoint itself you can add 0.0.0.0/0 as allowed IP.

I found this to be super unintuitive with WireGuard. This exact thing caught me at first, too. When shown the correct way to set the configuration, it makes sense. To make things worse, there's a ton of misinformation out there.
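The server-/32 versus client-0.0.0.0/0 rule above follows from how WireGuard picks a peer for outbound traffic. The model below is an added example, not code from the post, OPNsense or WireGuard; peer names and tunnel addresses are constructed.

```python
"""Added example, not code from the forum post, OPNsense or WireGuard.

Models WireGuard's cryptokey routing: an interface picks the peer an
outbound packet is encrypted for by longest-prefix match over every
peer's AllowedIPs. Peer names and addresses below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Peers = Dict[str, List[str]]  # peer name -> AllowedIPs entries of its [Peer] section


def select_peer(peers: Peers, dst: str) -> Optional[str]:
    """Peer whose AllowedIPs covers dst with the longest prefix.

    None means no peer claims dst: the packet is dropped, not tunnelled."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, entries in peers.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == ip.version and ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def overlapping_peers(peers: Peers) -> List[Tuple[str, str]]:
    """Pairs of peers whose AllowedIPs overlap. A 0.0.0.0/0 entry on a
    server-side peer overlaps every other peer, which is the mistake
    the quoted post warns about."""
    names, found = list(peers), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            nets_a = [ipaddress.ip_network(e, strict=False) for e in peers[a]]
            nets_b = [ipaddress.ip_network(e, strict=False) for e in peers[b]]
            if any(x.version == y.version and x.overlaps(y) for x in nets_a for y in nets_b):
                found.append((a, b))
    return found


# Server side done right: each peer gets only its own tunnel address as a /32.
SERVER_PEERS: Peers = {"laptop": ["10.10.0.2/32"], "phone": ["10.10.0.3/32"]}
# Server side done wrong: 0.0.0.0/0 on one peer captures all server-originated traffic.
SERVER_MISCONFIGURED: Peers = {"laptop": ["0.0.0.0/0"], "phone": ["10.10.0.3/32"]}
# Client (endpoint) side: the lone server peer carries 0.0.0.0/0 so that both
# tunnel and Internet destinations are sent through the tunnel.
CLIENT_PEERS: Peers = {"server": ["0.0.0.0/0"]}
```

With the misconfigured server table, any destination not owned by another peer's /32 is encrypted for "laptop", which is why the server must list only each peer's own tunnel address.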
#9
L3 networks (multiple routers, multiple networks) - OPNsense - Internet

The issue was lack of outbound NAT rule. Once I created an outbound NAT rule with all of my static routes, it started working. I actually used an alias to include them all in one rule.
#10
Greetings,

I have a routed network on the LAN side of my OPNsense box. There are multiple routers on this network, and they all use the single OPNsense box to get to the Internet via the LAN interface. Naturally, this doesn't work out of the box; I need to set up static routes.

I made another gateway, the address is the router that's upstream of OPNsense on the same /24. All created static routes point to my newly created gateway.

From my "remote" network, I can ping to my OPNsense box.
From my OPNsense box, I can ping to my "remote" network.
From my OPNsense box, I can ping to the Internet.
From my "remote" network, I cannot ping to the Internet.

Looking in the firewall rules, nothing is being blocked. I can see traffic passing, coming from my IP address, but it is not returning (not showing up in the firewall logs).

What am I missing? I'm a pfSense convert (you can guess why), and this exact setup worked fine on pfSense. It has to be something that's not automatically configured and I just don't know what it is.
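The fix reported in #9 (an outbound NAT rule whose source is an alias of all the static routes) can be checked before rebooting anything. The script below is an added example, not code from the posts or OPNsense; the LAN and routed subnets are constructed.

```python
"""Added example, not code from the forum posts or OPNsense.

Checks a manual Outbound NAT setup against the static routes it must
cover: a routed LAN-side subnet that no NAT source network contains
leaves the WAN with its private source address, and the replies never
come back (the symptom in #10: outbound seen, nothing returning).
Subnets below are constructed."""
import ipaddress
from typing import List


def uncovered_routes(static_routes: List[str], nat_sources: List[str]) -> List[str]:
    """Routed subnets that are not fully inside any outbound NAT source network."""
    sources = [ipaddress.ip_network(n, strict=False) for n in nat_sources]
    missing = []
    for route in static_routes:
        net = ipaddress.ip_network(route, strict=False)
        if not any(net.version == s.version and net.subnet_of(s) for s in sources):
            missing.append(str(net))
    return missing


def alias_networks(static_routes: List[str]) -> List[str]:
    """Contents for one network alias covering every routed subnet, with
    adjacent subnets collapsed so the alias (and the NAT rule) stays short."""
    nets = [ipaddress.ip_network(r, strict=False) for r in static_routes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed topology: OPNsense LAN is 192.168.1.0/24 and three subnets sit
# behind a downstream router on that LAN, each reached via a static route.
LAN_NET = "192.168.1.0/24"
STATIC_ROUTES = ["10.20.0.0/24", "10.20.1.0/24", "10.30.5.0/24"]

# Before: only the directly attached LAN is NATed on WAN, as by default.
NAT_BEFORE = [LAN_NET]
# After: the alias of routed subnets is added as a further NAT source.
NAT_AFTER = [LAN_NET] + alias_networks(STATIC_ROUTES)
```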