Messages - granute

#1
+1 from me.

Until I get a more infra-wide dashboard in place I have the same report up on a spare monitor and would love to ignore spikes from re-scaling the Y axis.
#2

Quote
Rich Stevens uses tcpdump to show how the protocols work in action. Absolutely brilliant.


I'm pretty comfortable with IP/UDP/TCP itself. Is there a similarly great book you'd recommend on advanced networking topics with FreeBSD?
#3
Quote from: Monviech on October 10, 2024, 06:32:52 PM
the best tool to troubleshoot wireguard would be the good old tcpdump.

tcpdump -i wg0


Well, that is a tool I've definitely spent time getting to know. Thanks for the advice.
#4
I've been trying to set some of the Outbound NAT and other firewall rules for logging but I'm not seeing much in the console. Perhaps I'm not looking in the correct place or perhaps there's a way to get at that info from the command line?

Another approach I'm planning to take is to set up an internal log aggregator. I've been meaning to do this for some time anyway.
#5
So what I've noticed is that even in DEBUG the Wireguard Log can sometimes report that the tunnel is up but it doesn't seem to be functioning for me and I don't see routes for it at the CLI either. Entirely possible that I am able to auth to the remote VPN endpoint and then something about routing or forwarding is still goofed up.

On that theory, I've been opening 2 browsers when configuring new tunnels and comparing them step-by-step to known-good configs for working tunnels. Hasn't produced working tunnels in most cases.
#6
Howdy, folks.

So I'm having a LOT of problems getting multiple WG VPN tunnels set up to Mullvad and then doing selective routing over them. Some of it, I would say, is due to lack of observability as to the state of the tunnels. In short, I miss the old Status tab which would at least let me know I had configured the tunnel correctly before I start playing with selectively routing of traffic over them.

What advice do folks here have as to troubleshooting WG VPN (and maybe related pf configurations) from the CLI?

For reference, I have tons of experience doing pretty complicated gateway setups on Linux going all the way back to ipchains days. Not so much with *BSD and pf. So, I can learn is what I'm saying. :D
#7
I have a Mullvad WG tunnel I set up ages ago which has been running fine with selective routing. I would like to set up another WG Instance but I notice that for all of the various exit countries, when I download the configs, all of the config/Interface/Address addresses are like so:

    [Interface]
    ...
    Address = xxx.yyy.zzz.0/32
    ...

and I'm not sure what to do with that when it comes to using the Minus 1 rule for setting the address in the associated Gateway.

Actually, I'll be honest, I've never really understood the Minus 1 rule anyway.

Can anyone shed some light? Or have ideas?

thx
#8
Howdy, folks.

This is not strictly-aligned to the topic of this sub-forum but this is as close as I found.

I'm interested in selectively routing website traffic through a Tor proxy running on the OPNSense appliance. I'm curious if anyone has found a good way to do this when, as in most cases, the remote site is using HTTPS. I suspect this could involve some combination of the following:

- DNS tricks
- transparent proxy
- policy routing to the Tor proxy daemon on the appliance

thx
#9
Given that I did not get any response from my previous question about OPNSense training...

Curious if anyone who has a lot of experience with OPNSense and pfSense has any insight as to how training in pfSense might translate to OPNSense? Now, let me be clear... Obviously there are some dramatic differences in the UIs and some less dramatic differences as to how things might vary in terms of general management and available packages. I'm talking more about core concepts. So as an example, I would like to understand the inner workings for a use-case such as:

1) multi-WAN set up with load-balancing and sticky sessions
2) site-to-site VPN layered over top of multi-WAN
3) for that VPN, assign a preference for the higher speed WAN link

Appreciate any input. Thx.
#10
Hey, folks.

I've been using OPNSense for increasingly more complex tasks starting about 2 years ago. I have fairly solid (decades) experience in networking. However I've been struggling to get some of the Wireguard site-to-site stuff to work as I expect even when working against both the official docs and various YouTube examples. I've come to the conclusion that I might have more luck if I were able to go top-to-bottom on some training; either paid in-person or some sort of remote (YouTube) training that was not aimed at a specific task but instead at understanding all of OPNSense from Interfaces, Gateways, and all of the other pieces in the "object model".

In terms of any attempts to go top-to-bottom I've only found the video series from PhasedLogix IT Services on YT. Hopefully not much has changed in the 2 years since the series was started?

But perhaps others have advice on comprehensive resources?

ty!
#11
I leaned into dnsmasq a while ago because it seemed to have (actual) support for integrating with the names sent in DHCP registration -- never could get unbound to do so -- and as of the latest 24.x.x series I'm now seeing dnsmasq crap out several times a day. It's running, port is open, it doesn't answer queries.

Just a data point for now.

I'll enable debug logging soon.
#12
I have a managed switch with a half a dozen VLANs and a trunk point to the OPNSense gateway. All VLANs have domain naming convention:

<something unique to VLAN>.foshizzle

The DHCP server for each VLAN interface hands out something unique for <something unique to VLAN>. For the hosts within a VLAN, I would like for them to be able to find other nodes in that VLAN by bare name but I cannot seem to figure out how to deliver the domain search list via DHCP4 to allow for either of these to resolve:

- hosta.wizzle.foshizzle
- hosta

Setting 'Domain search list' to 'hosta.foshizzle;foshizzle' does not allow the bare search.

Thoughts?
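The post above is about delivering a domain search list to clients over DHCPv4. That list travels as DHCP option 119 (RFC 3397), which packs the domain names in DNS wire format and allows compression pointers between them, and a client then appends each entry of the list to a bare name when resolving it. The following is an added example, not code from the post or from OPNsense/dnsmasq, that encodes and decodes option 119 data and models the name expansion a typical resolver performs. The names `wizzle.foshizzle` and `foshizzle` are taken from the post; `hosta` is the constructed host name used there; the `ndots` behaviour is a simplified model of the common resolver default.

```python
"""DHCPv4 option 119 (domain search list, RFC 3397) encoder/decoder plus a
simplified model of resolver search-list expansion. Added example; not from
the forum post or from any project's code."""

MAX_LABEL = 63          # RFC 1035 label length limit
MAX_POINTER = 0x3FFF    # 14-bit compression pointer offset


def encode_domain_search(domains):
    """Encode domain names as option 119 payload bytes.

    Each name becomes length-prefixed labels ending in 0x00; any suffix that
    already appeared earlier in the payload is replaced by a 2-byte pointer
    (0xC0 | hi, lo) to its first occurrence, as RFC 3397 permits.
    """
    out = bytearray()
    seen = {}  # tuple of remaining labels -> offset of that suffix in `out`
    for domain in domains:
        labels = [l for l in domain.strip(".").split(".") if l]
        if not labels:
            raise ValueError("empty domain name")
        i = 0
        while i < len(labels):
            suffix = tuple(labels[i:])
            if suffix in seen:
                ptr = seen[suffix]
                out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break  # pointer terminates this name; no trailing 0x00
            if len(out) <= MAX_POINTER:
                seen[suffix] = len(out)
            label = labels[i].encode("ascii")
            if not 1 <= len(label) <= MAX_LABEL:
                raise ValueError(f"bad label length: {labels[i]!r}")
            out.append(len(label))
            out += label
            i += 1
        else:
            out.append(0)  # root label ends a fully spelled-out name
    return bytes(out)


def _read_name(data, pos):
    """Read one name starting at `pos`; return (labels, position after it).

    Pointers must point backwards, which also rules out pointer loops in
    malformed option data from an untrusted DHCP server.
    """
    labels = []
    end = None  # where the *next* name starts, fixed by the first pointer
    while True:
        length = data[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 == 0xC0:
            ptr = ((length & 0x3F) << 8) | data[pos + 1]
            if ptr >= pos:
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = pos + 2
            pos = ptr
            continue
        if length > MAX_LABEL:
            raise ValueError("label too long")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return labels, (end if end is not None else pos)


def decode_domain_search(data):
    """Decode option 119 payload bytes back into a list of domain names."""
    names, pos = [], 0
    while pos < len(data):
        labels, pos = _read_name(data, pos)
        names.append(".".join(labels))
    return names


def search_candidates(name, search_list, ndots=1):
    """Names a typical stub resolver tries, in order, for `name`.

    Simplified model: a trailing dot means absolute; a name with at least
    `ndots` dots is tried as-is first, otherwise each search domain is
    appended first and the bare name is tried last.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{d}" for d in search_list]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


if __name__ == "__main__":
    payload = encode_domain_search(["wizzle.foshizzle", "foshizzle"])
    print(payload.hex())                 # second entry is a 2-byte pointer
    print(decode_domain_search(payload))
    print(search_candidates("hosta", ["wizzle.foshizzle", "foshizzle"]))
```

The decoder's backwards-pointer check matters when the DHCP server is not trusted: a forward or self-referencing pointer in option 119 would otherwise loop a naive parser forever. The `search_candidates` output shows which fully qualified names a client will actually look up for a bare `hosta`, which is the quickest way to sanity-check whether a given search list can make a bare name resolve inside a VLAN.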
#13
Howdy, folks.

I just replaced my OPNSense firewall with IPFire because I was having unresolvable problems with WAN drops even when turning off the Gateway checks. This was consistent with both OPNSense and PFSense on iron or as VMs and with a raft of different NICs, cabling, etc. I couldn't keep the WAN interface going for more than 5 minutes -- sometimes less -- even embedding a dhclient restart in system cron to run every few minutes. Looking around the various forums this seems to be a mysterious and also long-running issue.

I would very much prefer to run OPNsense due to the VLAN support, amongst other things, and so I'm offering up my environment and my hands for any advanced troubleshooting with someone who is more experienced with the lower levels of the OPNsense system. Perhaps even someone from Deciso if the opportunity presents. I don't have a ton of BSD experience but I've been operating in the Free Software/Open Source world as DevOps and NetOps for a couple of decades. The hardware is an HP Prodesk 600 with any number of available NICs and the connection is residential fiber Gb.

DM me if there's any interest in some remote debugging with the idea of possibly putting this WAN drop thing to rest. I'm cross-eyed from looking at debug logs. ;)