Messages - somebod3983

#1
Firstly, it seems the problem was a misunderstanding about how the allowed IPs work in the server configuration; the documentation from WireGuard is less than clear about this. I removed the extra IPs and the service now starts.

I was after a way of configuring clients to use a split tunnel, so that only traffic bound for IPs accessible on the VPN would go through the VPN rather than all traffic. I thought the allowed IPs did that, but as it turns out the client has to configure that.
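The AllowedIPs behaviour the post above describes, as an added example (not WireGuard's or OPNsense's own code): a small Python model of WireGuard's cryptokey routing. On either end of the tunnel, a peer's AllowedIPs list decides two things: which destinations are handed to that peer on the way out (longest prefix wins; anything unmatched never enters the tunnel, which is what gives a client a split tunnel rather than a full one), and which source addresses are accepted from that peer on the way in. Peer names and addresses are constructed for illustration.

```python
"""Toy model of WireGuard cryptokey routing (added example, not WireGuard's or
OPNsense's own code).  A peer's AllowedIPs list is used in both directions:
  * outbound: a packet goes to the peer whose AllowedIPs best contains the
    destination (longest prefix wins); no match means it never enters the tunnel
  * inbound: a decrypted packet from a peer is dropped unless its source
    address lies inside that peer's AllowedIPs
Peer names and addresses below are constructed for illustration.
"""
import ipaddress


class Peer:
    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed_ips = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]


class WireGuardInterface:
    def __init__(self, peers):
        self.peers = list(peers)

    def outbound_peer(self, dst):
        """Peer that receives a packet for dst, or None (not tunnelled)."""
        dst = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accept_inbound(self, peer, src):
        """Source-address check applied to packets decrypted from peer."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in peer.allowed_ips)

    def tunnelled(self, destinations):
        """Map each destination to the peer name it is routed to, or None."""
        result = {}
        for d in destinations:
            peer = self.outbound_peer(d)
            result[d] = peer.name if peer else None
        return result


if __name__ == "__main__":
    # Client side: a split tunnel lists only the networks reachable over the VPN
    split = WireGuardInterface([Peer("vpn-server", ["10.8.0.0/24", "192.168.10.0/24"])])
    print(split.tunnelled(["192.168.10.7", "10.8.0.1", "1.1.1.1"]))
    # Client side: 0.0.0.0/0 sends everything through the peer, i.e. a full tunnel
    full = WireGuardInterface([Peer("vpn-server", ["0.0.0.0/0"])])
    print(full.tunnelled(["192.168.10.7", "1.1.1.1"]))
    # Server side: each peer's AllowedIPs is both its return route and its source filter
    server = WireGuardInterface([Peer("laptop", ["10.8.0.2/32"]), Peer("phone", ["10.8.0.3/32"])])
    print(server.accept_inbound(server.peers[0], "10.8.0.2"),
          server.accept_inbound(server.peers[0], "10.8.0.3"))
```

The same lookup runs on the server: a packet arriving from the "laptop" peer with a source address outside 10.8.0.2/32 is discarded before it reaches the routing table, and traffic for 10.8.0.3 is sent to "phone" because its AllowedIPs, not the client's, covers that address.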
#2
I've seen the error message about that, but I've no idea how to remove the wireguard-go module; there's no uninstall option for that package in the GUI.
#3
After the upgrade to 22.7.2 the WireGuard service no longer starts; I try to manually start it through the web GUI and it refuses. I'm using the wireguard-go package, and I also notice there's a wireguard-tools package. I'm assuming both of these are needed; they're both installed anyway.

I should also add that it was working in prior versions. I've scoured the log files trying to find any information on why it's refusing to start, but I've not found anything in the system logs in the web GUI. Is this a bug? Has anyone else had this problem?
#4
Well, I did wonder about the direction of traffic and whether it was counter to logic. So, with the best will in the world, this needs a much more detailed explanation in the documentation, judging by how many times this is misunderstood going just by the number of forum posts on this very matter, with perhaps a little explanation that the way firewalls work is counter to logic, so you explain it from how a normie would approach it vs how someone who's in the know would expect.

It also makes me wonder, given that this seems opposite to what someone expects, whether perhaps the UI is wrong? From a not-configuring-this-wrongly and scaling point of view, it would make more sense to have the block rule on VLAN3 (using your example) to prevent anything coming in from VLAN2, or later on VLAN4, until you expressly allow it. But if I set a rule on, say, VLAN2 with "out", using the inverse logic, should that then do exactly that?

My other point was: aren't VLANs supposed to be separated from each other by default?
#5
Phew, I'm not going mad, and I'm not the only person with this problem.

I too have created multiple VLANs; they're on separate network interfaces. For example, I wanted to place my IPMIs into a VLAN, which I called IPMI, with a VLAN ID of 10, and assigned DHCP to them on a completely different range (192.168.10.0/24) to my LAN (192.168.1.0/24). The IPMIs all have their IPs (lovely). The problem is my LAN can access them and I have not allowed that! I thought VLANs were completely cut off from other networks until you explicitly allowed them to access something; I thought it was always off by default.

No matter, thought I, I'll create a firewall rule blocking my LAN from accessing it, but lo, it doesn't. I have tried creating a rule to prevent traffic leaving my LAN bound for my IPMI VLAN, and I've tried creating a rule on the IPMI VLAN preventing all traffic from the LAN reaching it; in both cases the LAN has access. So the question is: why are VLANs not isolated?

I'm working from a clean, fresh installation with the default firewall rules installed. I'm using OPNsense 21.1.5.
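The rule-direction question in posts #4 and #5 above, as an added example (not OPNsense's or pf's own code): a simplified Python model of how OPNsense evaluates interface rules. Rules attached to an interface are, by default, "in" rules matched against traffic entering the firewall on that interface, the first matching rule wins, and the stock "Default allow LAN to any" rule on a fresh install passes LAN traffic to every other locally attached network, a new VLAN included. The model shows why a block rule placed on the IPMI VLAN interface, or one placed below the default allow rule on LAN, does not stop LAN hosts, while a block rule above the default allow on LAN does. Interface names and addresses are constructed; floating and "out" rules are not modelled, and state is tracked by address pair only.

```python
"""Toy model of how OPNsense (pf) evaluates interface rules (added example, not
OPNsense's or pf's own code).  Assumptions, all simplifications:
  * every rule is an "in" rule on one interface, as the GUI creates by default;
    floating and "out" rules are not modelled
  * rules are "quick": the first matching rule on the ingress interface wins
  * no matching rule means the packet is dropped (default deny)
  * a passed packet creates state, and the reply is passed by that state
    without consulting rules (state is keyed on the address pair only here)
Interface names and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IPMI_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10 in the post


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    iface: str                           # interface the rule is attached to
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY


@dataclass
class Firewall:
    interfaces: dict                                # name -> attached network
    rules: list = field(default_factory=list)       # ordered; first match wins
    states: set = field(default_factory=set)        # (src, dst) of allowed flows

    def ingress_interface(self, src):
        for name, net in self.interfaces.items():
            if src in net:
                return name
        raise ValueError(f"no interface for source {src}")

    def filter(self, src, dst):
        """Return (verdict, reason) for a packet src -> dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, src) in self.states:            # reply to an allowed flow
            return "pass", "existing state"
        ingress = self.ingress_interface(src)
        for rule in self.rules:
            if rule.iface != ingress:            # rules on other interfaces never see this packet
                continue
            if src in rule.src and dst in rule.dst:
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action, f"rule on {rule.iface}"
        return "block", "default deny"


def default_ruleset():
    """Fresh install: only the stock 'Default allow LAN to any' rule."""
    return Firewall(interfaces={"LAN": LAN_NET, "IPMI": IPMI_NET},
                    rules=[Rule("pass", "LAN", src=LAN_NET)])


def lan_to_ipmi_verdict(block_rule=None, above_default=True):
    """Verdict for a LAN host reaching an IPMI address, with an optional
    extra block rule inserted above or below the default allow rule."""
    fw = default_ruleset()
    if block_rule is not None:
        fw.rules.insert(0 if above_default else len(fw.rules), block_rule)
    return fw.filter("192.168.1.50", "192.168.10.20")[0]


if __name__ == "__main__":
    lan_block = Rule("block", "LAN", src=LAN_NET, dst=IPMI_NET)
    ipmi_block = Rule("block", "IPMI", src=LAN_NET, dst=IPMI_NET)
    print("default rules:            ", lan_to_ipmi_verdict())
    print("block on IPMI interface:  ", lan_to_ipmi_verdict(ipmi_block))
    print("block on LAN, below allow:", lan_to_ipmi_verdict(lan_block, above_default=False))
    print("block on LAN, above allow:", lan_to_ipmi_verdict(lan_block))
```

Two things follow from the model. The IPMI VLAN is already isolated in the IPMI-to-LAN direction on a fresh install, because the new interface has no rules and falls through to default deny; it is the LAN side that is open, because the default LAN rule's destination is "any". And the reply packets from an IPMI host are passed by the state the LAN rule created, not by any rule on the IPMI interface, so a block rule there cannot cut an already-permitted flow.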