Messages - HolgerKuehn

#1
Quote from: meyergru on March 02, 2025, 09:41:51 AM
What you cannot do is refer to any DNS name outside of your OPNsense, i.e. use an external DNS name with a mask applied in a firewall rule.
That would be a typical scenario for a VPN.

What type of rule do you want to create / what is your use-case? The reason I ask is that I do not see any.

To limit the source of a WireGuard peer to one known network, e.g. a /64 mask, setting it in the Endpoint address of the WireGuard peer config.

The same goes for services like Plex or Jellyfin exposed over a reverse proxy to family. There I know the network address (from the DynDNS entry of the router) and want to limit the source of any appropriate rules to those known networks (e.g. all devices behind the known router) and not the entire internet.

#2
Hi,

what I mean is the following.

I've a DynDNS entry for IP 2001:DB8:1:2:a:b:c:d/128.

I want to use this in a rule, BUT ONLY the network portion 2001:DB8:1:2::/64 of it. This seems to be missing in Aliases as far as my tests show.

I've one client that updates the DynDNS, but want all devices from that network to have access, so I can not use the specific IPv6 address of the updating device.

Or am I missing something obvious here?
#3
I'll check this out. Do they strip the interface from an address given by DynDNS?
#4
Hi,

I've got a WireGuard connection working just fine. I am trying to limit the source to the whole network. The public IP addresses are provided via DynDNS. IPv4 is fine as it's the gateway anyway, but for IPv6 I get 2001:DB8:1:2:a:b:c:d/128. Is there a way to create an alias to get 2001:DB8:1:2::/64? I know about the alias type IPv6 Host, but that's the interface and not the network part.

Would be a bit easier for the dyndns update part.
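Added example (not from this thread or from OPNsense itself), using Python's standard ipaddress module: it derives the /64 network from the /128 address a DynDNS record hands back, as asked in these posts, and compares which sample sources a /128 host alias versus a /64 network alias would admit. All addresses are constructed sample values in the documentation prefix.

```python
import ipaddress

# Constructed sample values (documentation prefix, as in the post); not a real DynDNS record.
DYNDNS_RECORD = "2001:DB8:1:2:a:b:c:d/128"
SAMPLE_SOURCES = {
    "2001:db8:1:2:a:b:c:d": "the client that updates DynDNS",
    "2001:db8:1:2:1111:2222:3333:4444": "another device behind the same router",
    "2001:db8:1:3::1": "a host in a neighbouring /64",
}


def network_alias(record: str, prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Turn the /128 host address a DynDNS client publishes into the /prefixlen
    network an alias should carry. Accepts 'addr', 'addr/128' or 'addr%scope'."""
    record = record.split("%", 1)[0]           # drop a link-local scope id if one is present
    host = ipaddress.IPv6Interface(record).ip  # tolerate a trailing /128
    # strict=False zeroes the host bits instead of raising on a non-network address
    return ipaddress.IPv6Network((host, prefixlen), strict=False)


def rule_matches(alias: ipaddress.IPv6Network, source: str) -> bool:
    """Emulate a firewall rule whose source field is the alias: match iff the
    packet's source address lies inside the alias network."""
    return ipaddress.IPv6Address(source) in alias


def compare_aliases(record: str = DYNDNS_RECORD) -> dict:
    """For each sample source, report (matched by /128 host alias, matched by /64 network alias)."""
    host_alias = network_alias(record, 128)
    net_alias = network_alias(record, 64)
    return {src: (rule_matches(host_alias, src), rule_matches(net_alias, src))
            for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    print("network alias:", network_alias(DYNDNS_RECORD))
    for src, (by_host, by_net) in compare_aliases().items():
        print(f"{src:36} host/128: {by_host!s:5} net/64: {by_net!s:5} ({SAMPLE_SOURCES[src]})")
```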
#5
Hi,

yes, I previously tried this. It did not seem to work. I reset the whole configuration to a previous state, rebooted and tried again, then it worked as expected.

One question there though. I've a working configuration with the manual spn added for the whole network segment used by the clients (e.g. 172.28.0.0/16). During testing before, I was only adding the single addresses I actually configured the BI-NAT for (e.g. 172.28.200.106). Should this make any difference in the effective configuration?
#6
Virtual private networks / (Source- ?) NAT before IPsec
February 23, 2025, 09:28:52 PM
Hi guys,

I've been using OPNsense at home for quite some time, and could recently replace our old Zyxel firewall at work with OPNsense. I had IPsec tunnels working successfully for quite some time, but had been able to avoid NAT until now.

I need to set up an IPsec tunnel to a partner using the same local network as we are. So obviously some NAT had to be set up. Researching, I found this post (https://forum.opnsense.org/index.php?topic=22605.0) but for the life of me, I could not get this to work. So I hope to get some input here.


The setup is the following:

-------------------------------------
-- local network - 172.28.0.0/16   --
--   local PC    - 172.28.200.106  --
-------------------------------------
             -
             -
-------------------------------------
--        Firewall                 --
--                                 --
--      NAT to 10.199.2.129        --
--                                 --
--    IPsec to 10.199.2.128/25     --
-------------------------------------
             -
             -
-------------------------------------
--       at partner                --
--       reaching to               --
--       10.199.2.2/32             --
-------------------------------------

The tunnel itself is configured and should work. Originally set up with source net 172.28.0.0/16, it got packets sent.


What do I need to configure to get packets sent through this IPsec tunnel?

 - 172.28.200.106 sends RDP-packet with destination 10.199.2.2
 - 172.28.200.106 is NATed to 10.199.2.129
 - 10.199.2.129 sends RDP-packet through IPsec tunnel
 - is handled at partner site to reach 10.199.2.2 and NATed to 172.28.x.x

As far as I understood the documentation I found, this is Outbound NAT and I configured it as follows:

 - Firewall NAT Outbound
 - Interface             IPsec
 - TCP/IP                IPv4
 - Protocol              any
 - Source Address        172.28.200.106
 - Source Port           any
 - Destination Address   10.199.2.2/32
 - Destination Port      any
 - Translation / Target  10.199.2.129

The hints state something about configuring Virtual IP addresses on the interface first, but I've no possibility to define them on the IPsec interface, as it is not listed there.

Any hints on what I am missing would be greatly appreciated. If I need to provide more info just let me know.
#7
What settings did this screenshot refer to?
I have the exact same issue, but the solution is unavailable due to deleted screenshot.
#8
Have done some more testing, it's only port 80 that's not working here. And found some other thread, and changed the GUI-ports to only 443 and LAN, but it still persists.

Anything I missed?
#9
Hi folks,

I've been trying to figure out why one of my port forwardings seems not to be working.

I'm using a PlexMediaServer on my NAS, it's requiring port 32400 for remote access. If I configure the same port on WAN, it's stable. But when using port 80 on the WAN for it, it stops working. I used to do this before I switched to OPNsense, as most guest networks only allow traffic on ports 80 and 443.

Is there any (standard) configuration that might use the port 80 already, so that it's not working here?

The attachments show the aliases and NAT rules I've configured. I'll limit the source to specific known networks later, but like to understand why it's not working in this simple setup.

Holger
#10
Quote from: Nnyan on August 12, 2021, 07:41:31 AM
... Plex remote access will not work unless I can figure out how to do this.

As far as I know, for remote access only port 32400 is needed. I've not changed anything for the certificates so far. And remote access is working just fine (at least from native apps, usually not using app.plex.tv)
#11
Hi,

I've started a support request about this. Will keep you informed.

Holger
#12
Hi folks,

I'm trying to set up port forwarding for my Plex Media Server. At the moment a simple unconditional one from port 80 to 32400 or 32400 to 32400. Doing so I noticed two different kinds of rules in "Firewall: NAT: Port Forward":

1. named "Enabled rule"
2. named "Linked rule"

What's the difference between them? Can anyone link me to a documentation? Couldn't find any useful posts so far.

Furthermore the one trying to forward 80 to 32400 seems to break after a few seconds, without any hint what might be wrong with it. Testing it with 32400 to 32400, so far this seems to be stable (for 30min at the moment).

Holger
#13
Hi folks,

I've just switched to OPNsense, installed it this week, so far I'm quite happy, but came across a few questions I am going to ask here in separate threads. While registering I've tried to use my regular mail address, which is from one major German ISP (@t-online.de), but the activation mail never arrived.

Today I changed this to one address from my own domain, @dachs.blog, this one arrived instantly, as expected.
Any thoughts, why this might be?

Holger