Messages - SomebodySysop

#1
Update.

Configured failover following this guideline: https://docs.opnsense.org/manual/how-tos/multiwan.html

BGW210-700 router --> OPNSense router --> Network Switch <--- Netgear LTE LM1200 Modem Router

It works.  When BGW210 is unplugged, WAN gateway switches to LTE LM1200 modem.

Update 08/30/2022.

Documented the process here: https://youtu.be/WG0Mh4Ts9GQ
#2
Looks like I solved this one.  Did not need to upgrade my existing hardware config.  I can plug the LTE modem into my current hub.  See the attached diagram.

1. I set my LTE cellular modem to bridge mode and assigned it a static IP on my LAN.
2. I plugged the LTE modem into my network hub.
3. In OPNSense, went to: System: Gateways: Single and added the LTE modem as a gateway (IPV4, LAN interface).  https://docs.opnsense.org/manual/gateways.html#
I entered a monitor IP and did NOT disable gateway monitoring.
4. Went to: System: Diagnostics: Services and turned dpinger ON for the new gateway.

Verified that LTE gateway is "online" and dpinger is returning RTT results on System: Gateways: Single page.

My next step will be to configure failover, but for now I at least know that I can add a gateway to my existing configuration.


#3
I don't have a solution to this as I am struggling to design a failover setup myself.

Question:  What is your hardware config for the basic failover setup from WAN1 to WAN2?

WAN1-----|
         | OPNSense Router |----->LAN
WAN2-----|

I guess what I really want to know is: are the ethernet ports for both WAN1 and WAN2 both physically on the OPNSense router?  My router only has two physical ethernet ports: WAN and LAN.  I'm trying to figure out if I need to upgrade the hardware to accommodate 2 WANs (att broadband, att cellular) + LAN, or is there some other workaround?
#4
Running OPNSense 22.1 router software on an amd64 system with only 2 ethernet ports (WAN/LAN).  Connected to internet using ATT BGW210-700 router in passthrough mode.  Image of my current setup is attached.

Current WAN1 is wired ATT broadband.  I just purchased an LTE cellular modem which I would like to add as WAN2 in an OPNSense failover setup. 

1. Do I need to upgrade my router hardware to a system with at least 3 ethernet ports?
or
2. Is there some other way to achieve WAN1 to WAN2 failover to LAN with existing 2 port router?

#5
I noticed under the features for Zenarmor plans https://www.sunnyvalley.io/plans is something called Device Identification & Asset Discovery (coming soon).  What, exactly, is that and how is it different from what is currently available?
#6
22.1 Legacy Series / Re: Allow WAN access to VPN Port
February 13, 2022, 10:41:17 AM
OK, I FINALLY figured it out.  I was not understanding "Destination".  It should be "WAN Address".  I kept trying to use the LAN address.  VPN server working like a charm!
#7
22.1 Legacy Series / Allow WAN access to VPN Port
February 13, 2022, 10:15:25 AM
I just can't seem to figure out how to do this.  I have a Synology VPN server on my network, and I just want to open the port on the firewall to allow access to it.  I've created aliases for the server host and port, and created a WAN rule AND a port forward, but it's not working.

Someone went through the effort here to explain it step by step, I tried this as well but I guess I'm just not getting it.  Attached are the rules I have created.  When I try to access the VPN server from the WAN, I can see on the live report that it is blocked by the default deny rule.

How do I open that port on the WAN?
#8
Quote from: lilsense on February 13, 2022, 06:14:03 AM
Instead of relying on MAC I would recommend locking down the VPN since there are only going to be 3 devices by using ultra long passwords, etc.

you can place your VPN in a VPN zone and create a specific rule based on the IP to access the devices.

Got it!  Thanks. 
#9
OK, then, can I filter by MAC on the LAN side?  That is, once a device is allowed through the WAN side of the firewall, can I capture its MAC on the LAN side to determine if it is allowed to proceed to the port of the internal host?

And if so, how?
#11
I have to open a WAN port in my firewall to allow access to VPN.  I have only 3 devices I will ever use to access my VPN server (running on Synology) away from home. 

I was wondering if there was a way to construct a rule in OPNsense which would only allow the MAC addresses of those 3 devices to pass through the WAN at that port?

I have read that, in general, opnsense (and pfsense) do not allow for external MAC filtering because their Linux kernels don't support it.  However, I have also seen mention of something called "captive portal" which might be able to do it.  And, I just saw this article on using pi-hole to see the MAC and IP addresses of external servers: https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/#page-content.

So, thought I'd pose the question here in case someone has done it or knows how to do it.
#12
Quote from: koushun on February 09, 2022, 02:03:54 PM
I am on
* OPNsense 21.7.7-amd64
and I am using a Realtek NIC.

After reading through this, I want to make sure I download os-realtek-re beforehand.

How can I do this?

Do installed plugins persist through updates?
#13
In using Google to search for this error, I found a few pfSense posts on the subject.

https://www.reddit.com/r/PFSENSE/comments/mzq203/my_router_failed_last_night_system_log_shows/

This appears to be another realtek driver issue.  I installed the os-realtek-re plugin and rebooted.  Checked the logs and I no longer see this error.

Making progress!

#14
I'm getting this error consistently on boot for all my static leases.  What is it, and how do I resolve it?

2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.248' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.237' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.226' '<MAC>' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.185' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.163' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.65' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'   

Thinking it could be related to this: https://forum.opnsense.org/index.php?topic=12166.0

Went to: Firewall -> Settings -> Advanced : "Firewall Maximum Table Entries"

Changed it from 1000000 (default) to 2000000
No change.  Still getting error.

I only see 66 entries in my ARP table.

Topology:

ATT BGW210-700 router in passthrough mode (re1) --> Opnsense firewall running on mini-pc (re0) --> switch

CPU: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz (4 cores, 4 threads)
8GB RAM
Disk usage 2%
Memory usage: 4%

Complete usage details attached.
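A small parser for the rc.bootup error lines quoted above, added here as an example (not from this thread or from OPNsense itself): it pulls out the IP of each static ARP entry whose `arp -s` failed and tallies the error text arp printed, so the failures can be counted and spotted in a boot log. The sample log is constructed to match the post's format, with MACs left redacted as `<MAC>`.

```python
import re
from collections import Counter

# Constructed sample in the format of the OPNsense rc.bootup errors quoted above
# (MAC addresses are redacted as <MAC>, as they were in the post).
SAMPLE_LOG = """\
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.248' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.237' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'
2022-02-08T20:32:41-08:00   Error   opnsense   /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '192.168.1.65' '<MAC>'' returned exit code '1', the output was 'arp: writing to routing socket: Cannot allocate memory'
2022-02-08T20:32:42-08:00   Notice   opnsense   /usr/local/etc/rc.bootup: unrelated message, ignored by the parser
"""

# One rc.bootup "The command ... returned exit code ..." line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+(?P<host>\S+)\s+(?P<script>\S+): "
    r"The command '(?P<cmd>.*)' returned exit code '(?P<code>\d+)', "
    r"the output was '(?P<output>.*)'\s*$"
)
# The static-ARP command itself: arp -s '<ip>' '<mac>'
ARP_RE = re.compile(r"^/usr/sbin/arp -s '(?P<ip>[0-9.]+)' '(?P<mac>[^']*)'")


def parse_arp_failures(text):
    """Return one dict per failed 'arp -s' command found in the log text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "Error":
            continue
        a = ARP_RE.match(m.group("cmd"))
        if not a:
            continue  # some other failed command; not a static-ARP entry
        records.append({
            "ts": m.group("ts"),
            "ip": a.group("ip"),
            "mac": a.group("mac"),
            "exit_code": int(m.group("code")),
            "output": m.group("output"),
        })
    return records


def summarize(records):
    """Count failures by the error text arp printed, e.g. 'Cannot allocate memory'."""
    return Counter(r["output"] for r in records)


if __name__ == "__main__":
    recs = parse_arp_failures(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ts']} static ARP for {r['ip']} failed (exit {r['exit_code']})")
    for msg, n in summarize(recs).items():
        print(f"{n} failure(s): {msg}")
```

Feeding it the real System: Log Files output instead of SAMPLE_LOG shows at a glance whether every static lease fails with the same routing-socket error, which is the pattern that pointed at the driver rather than the table-size setting.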
#15
Quote from: the-mk on February 09, 2022, 04:28:40 PM
since I read "re" adapters - Realtek - I would try the plugin os-realtek-re for the "old" realtek drivers
Thank you.  Installed os-realtek-re as suggested.

Turns out my problem was twofold:

1. I had installed Zenarmor Sensei.  It increased my memory usage from 10% to 45%.  It was definitely the cause of the crashes because after uninstalling it, my OPNsense router has been up and running smooth for a day now.

2. After submitting the uninstall report to Zenarmor, Sunny Valley Networks support reached out to me (that's pretty awesome!) and reported that: "Zenarmor uses netmap which is an Operating System subsystem to grab packets off the wire. And our experience is that netmap doesn't play well with Realtek drivers."  They also recommended installing the realtek-re-kmod package.

So, for now, I'm back up and I'm good.  I'll get back to Sensei when I have a better sense of what I'm doing!

Thanks to all who commented here.