Messages - simonwoodhall

#1
Quote from: wojdae on September 01, 2023, 12:05:33 PM
Hi. Have you found a solution to this problem? I have an identical problem with identical symptoms, but it only affects one of the two VPN clients. One VPN client is a commercial service and works correctly, i.e. it does not force being the default gateway. When you restart opnsense, everything turns on and connects as it should. However, when I add an additional VPN client that connects to my own server abroad, the problems described in this thread begin. One of the annoying things is that after restarting opnsense the first client (commercial) will not connect properly. You need to turn off client no. 2 (which usually connects faster than client 1 and becomes the default gateway - but it shouldn't!), restart client no. 1 and only then start no. 2. Then it works fine until one of the servers goes down. It looks like the first VPN client is trying to connect through the gateway created by client no. 2. This server is blocking the UDP port on which client no. 1 is running, but changing the port to TCP 443 makes client no. 1 work properly.
For now, I have moved client no. 2 to another device and defined this device as a gateway in opnsense. This is a workaround, so I am interested in solving this problem in a proper way.

I didn't, but ended up switching to using Wireguard to connect to the VPN provider and haven't had the issue since. Pretty sure I did have 'Don't pull routes' enabled though when I was using OpenVPN.
#2
Hi there,

I'm after a bit of advice on why my OPNSense firewall can't ping devices on the LAN subnet. If I look at the firewall logs, I can see it's sending them using the WAN public IP as the source address, not the LAN IP. It's hitting the automatic rule 'let out anything from firewall host itself (force gw)', which allows it.

It's a pretty straightforward configuration. One LAN interface, one PPPoE WAN interface and an OpenVPN client which is used by some policy routing.

If I enable 'Disable automatic rules which force local services to use the assigned interface gateway.' it can then ping LAN devices ok, but I am not confident I understand the implications of disabling those.

Is there anything else I need to consider after disabling those automatic rules?

Thanks
#3
You're using only an IP address to connect to the device, not hostnames? Seems odd that Unbound would be involved, if it's just by IP address on a flat L2 network.
#4
You could try running 'arp -a' in a command prompt (on Windows) or 'ip neighbour' on Linux and see if the MAC address for the IP of your device is the same one you see when the firewall isn't connected to the switch.
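As an added example (not from this thread, OPNsense, or any of the posters), here is a small script that automates the comparison suggested above: it parses the neighbour table from either Windows 'arp -a' or Linux 'ip neighbour' output and reports which IPs have a different MAC between two captures (one taken with the firewall unplugged from the switch, one with it connected). The capture text embedded below is constructed sample data, and the IP/MAC values in it are made up.

```python
import re
from typing import Dict, Tuple, Optional

# One neighbour-table line: an IPv4 address at the start of the line followed,
# somewhere later, by a MAC in Linux (aa:bb:..) or Windows (aa-bb-..) notation.
# Header lines ("Interface: ...", "Internet Address ...") and entries without a
# MAC (Linux FAILED/INCOMPLETE) do not match and are skipped.
_ENTRY = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_neighbours(text: str) -> Dict[str, str]:
    """Return {ip: mac} from 'arp -a' (Windows) or 'ip neighbour' (Linux) output.

    MACs are normalised to lowercase colon notation so captures from the two
    operating systems can be compared directly.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


Change = Tuple[str, Optional[str], Optional[str]]  # (kind, mac_before, mac_after)


def compare_tables(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Change]:
    """Per-IP differences between two captures.

    kind is 'changed' (same IP, different MAC: the case the post is asking about),
    'missing' (resolved before, unresolved after) or 'new' (only in the second capture).
    """
    diff: Dict[str, Change] = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip), after.get(ip)
        if b == a:
            continue
        if b is None:
            diff[ip] = ("new", None, a)
        elif a is None:
            diff[ip] = ("missing", b, None)
        else:
            diff[ip] = ("changed", b, a)
    return diff


# Constructed sample captures (not real data). Linux 'ip neighbour' format:
# first with the firewall unplugged from the switch, then with it connected.
CAPTURE_UNPLUGGED = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
"""

CAPTURE_CONNECTED = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 STALE
192.168.1.77 dev eth0 FAILED
192.168.1.90 dev eth0 lladdr aa:bb:cc:dd:ee:90 REACHABLE
"""

# Constructed Windows 'arp -a' sample, to show the same parser handles that layout.
CAPTURE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           AA-BB-CC-DD-EE-01     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-50     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""


def main() -> None:
    diff = compare_tables(parse_neighbours(CAPTURE_UNPLUGGED),
                          parse_neighbours(CAPTURE_CONNECTED))
    for ip, (kind, b, a) in diff.items():
        print(f"{ip:16} {kind:8} {b or '-':18} -> {a or '-'}")


if __name__ == "__main__":
    main()
```

If an IP shows up as 'changed' once the firewall is on the switch, two devices are answering ARP for that address (a duplicate IP, or a bridge or VLAN misconfiguration putting the firewall's interface on the same segment); 'missing' entries that fail to resolve only while the firewall is connected point the same way.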
#5
Thanks. I'll try re-creating the VPN profile and report back. The schedule is there to stop all general internet access overnight from 23:00, but it's not a factor in the issue, as I had the same behaviour before I added that schedule.
#6
Thanks for getting back to me. The issue persists after reboot; I have tried several times.

Attached screenshots of gateways, routes and LAN rules. If I leave any outgoing rules on the 'default' gateway, they go out via the VPN gateway, which is why they are all currently set to use the PPPoE WAN interface explicitly per rule. It works as is, but causes problems for other things like ACME renewal, etc.
#7
Further clarification on this: if I look in the routing table, the correct PPPoE WAN gateway has the destination 'default', but any firewall rules using gateway 'default' end up going out the OpenVPN client gateway.
#8
Hi all,

I've got a single WAN connection and an OpenVPN client interface connecting to a VPN provider, which I only wish to use for specific firewall rules by changing the Gateway in the rule.

No matter what I do, the OpenVPN client ends up being the default route, so I have to actually specify the WAN connection gateway on all the rules that I don't want to go over the OpenVPN connection.

I have set the WAN gateway priority to 1 and also to the upstream gateway, then set the OpenVPN client gateway priority to 255. Even with this configuration, the OpenVPN client gateway gets to be the default route.

Am I missing something obvious or can anyone offer advice on this?

OPNsense 23.1.1_2-amd64

Many thanks
#9
+1 from me. Zenarmor UI not working any more, but web filtering seems to be still in play. I haven't yet rebooted.