Messages - Onkel-tobi

#1
General Discussion / Re: UDP Broadcast Relay
July 27, 2024, 08:49:32 PM
Hi all,

Does anyone have AirPlay with Sonos running via UDP Broadcast Relay?
For me it is not working.
A different device than Sonos (Denon) is working fine on the same plan, but with the Sonos it's different.
I can see the device via airplay but connection is not possible.
Any hints? / anyone who has this running?

regards,
Tobias
#2
Hi all,

I am on 24.1.9_4-amd64 and I don't have any clue why traffic is still blocked (see attachment dropped_packages).
It's regarding my home automation network and I have a general RFC1918 rule that denies traffic within the VLAN.
Now I am trying to connect from device 192.168.178.30 (random tcp port) to 192.168.178.88 on tcp port 8083.
As you can see in my screenshots this traffic is blocked by the RFC rule. But before it I have a rule that should pass that traffic (see rule1 and rule_details).
Do you have any hints for me?

Thanks,
Tobias
#3
Hi,

I am just switching from IPsec to WireGuard for my S2S connection to my father.
Attached you can see the rough overview.

The link is shown as up and running, but I can't access, for example, the Fritzbox on the other side.
The connection shows:
peer: blubbblubb
  preshared key: (hidden)
  endpoint: [IPv6]:50040
  allowed ips: 192.168.200.0/24, 192.168.161.1/32
  transfer: 0 B received, 1.59 KiB sent
  persistent keepalive: every 25 seconds

Routing is done automatically, correct?
At least I have a route like 192.168.200.0/24 via wg2 (interface s2sPapa).
I can also see packets going out (see screenshot2).
What am I doing wrong?

Thanks for any hint,
Tobi
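The peer status quoted above shows the classic symptom of a tunnel that never completes a handshake: bytes are sent, nothing is received, and wg prints no "latest handshake" line. As an added example (not from the post or from OPNsense), this small parser reads wg-show-style peer blocks and classifies each peer from its counters; the sample input is constructed after the quoted status, with a second, working peer added for contrast.

```python
import re

# Constructed sample modelled on the status quoted above (placeholder peer
# names, not real keys); "otherpeer" is added to show an established tunnel.
SAMPLE = """\
interface: wg2
peer: blubbblubb
  preshared key: (hidden)
  endpoint: [IPv6]:50040
  allowed ips: 192.168.200.0/24, 192.168.161.1/32
  transfer: 0 B received, 1.59 KiB sent
  persistent keepalive: every 25 seconds
peer: otherpeer
  endpoint: 203.0.113.5:51820
  allowed ips: 10.0.0.0/24
  latest handshake: 12 seconds ago
  transfer: 4.20 MiB received, 1.10 MiB sent
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
TRANSFER = re.compile(r"transfer:\s*([\d.]+)\s*(\w+) received,\s*([\d.]+)\s*(\w+) sent")


def parse_peers(text):
    """Return one dict per peer: name, received/sent bytes, handshake flag."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            peers.append({"peer": line.split(":", 1)[1].strip(),
                          "received": 0, "sent": 0, "handshake": False})
        elif not peers:
            continue  # interface header lines before the first peer
        elif line.startswith("latest handshake:"):
            peers[-1]["handshake"] = True  # wg omits this line until a handshake
        elif (m := TRANSFER.match(line)):
            peers[-1]["received"] = int(float(m.group(1)) * UNITS[m.group(2)])
            peers[-1]["sent"] = int(float(m.group(3)) * UNITS[m.group(4)])
    return peers


def diagnose(peer):
    """Classify a peer's state from its counters alone."""
    if not peer["handshake"] and peer["received"] == 0 and peer["sent"] > 0:
        return "no handshake: initiations leave, nothing comes back"
    if not peer["handshake"]:
        return "idle: no traffic attempted yet"
    return "established"


def report(text):
    return {p["peer"]: diagnose(p) for p in parse_peers(text)}


if __name__ == "__main__":
    for name, state in report(SAMPLE).items():
        print(f"{name}: {state}")
```

A peer in the "no handshake" state with keepalives enabled means the initiation packets are leaving this side but no response arrives, so the fault is between this host and the remote endpoint, not in routing behind the tunnel.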
#4
General Discussion / Re: accessing ipv6 IPs on WAN
February 17, 2024, 03:40:20 PM
Well, I have never had an issue with double NAT etc, as I am routing the networks as needed.
Regarding the IPv6 issue, it's not getting easier as I am using Unbound and AdGuard ;)
I am not getting an IPv6 address from my Fritzbox.
And I can't even resolve IPv6 addresses via AdGuard / Unbound.
#5
General Discussion / Re: accessing ipv6 IPs on WAN
February 11, 2024, 03:06:25 PM
Attached you can see a rough overview:

- the remote Fritzbox is on IPv6
- my Fritzbox is on IPv4 and is just for the DSL dial-in
- OPNsense holds the networks (e.g. for the new site-to-site VPN)

The IPv6 request from OPNsense fails.
#6
General Discussion / Re: accessing ipv6 IPs on WAN
February 11, 2024, 10:24:00 AM
Quote from: meyergru on February 11, 2024, 10:15:26 AM
I assume the fritzbox side has a CGNAT connection (probably Deutsche Glasfaser), so it is only reachable via IPv6.
That's true. It's Vodafone but only IPv6 is available.
My Fritzbox has an IPv4 address, but the connection wasn't working already.

If I try to resolve an IPv6 address I get no answer.
#7
General Discussion / accessing ipv6 IPs on WAN
February 11, 2024, 09:58:17 AM
Hi,

I am trying to establish a WireGuard site-to-site connection from an OPNsense to a Fritzbox.
The Fritz!Box only has an IPv6 address now, and I found out that I am not able to connect to IPv6 addresses.
My OPNsense is sitting behind a Fritzbox with an IPv4 address.
I have now also enabled IPv6 on the WAN interface (DHCPv6), but it is not working.
Any hints?

Thanks,
Tobi
#8
Ah ok, that was overlapping. Yes, great.
After I disabled that rule and checked the logs, I can confirm that the traffic from the client to the dreck device is working and default deny also works for everything else.
Thanks for your support!
#9
Thanks for your answer.
I wanted to deny all traffic by default out of the dreck network.
So how should I do that best?
Or is that done by the default deny?
#10
Sorry, I was only on mobile and away.
After further investigation I found out the following:
If you look at the attachment block, you can see that the request is not coming from the client net as source but from the GW address of the "dreck" network.
I also added the rules for the clientVLAN, which is the network of my client PC that is trying to access an address (192.168.177.60) in the dreck VLAN.

regards,
Tobi
#11
Hi all,

I am just wondering why I have to create rules for the way back.
I have 6 ports (1 WAN, 5 different ports with 8 VLANs in all) configured.
For each VLAN a single gateway is configured (is that really needed, as it seems to make no difference?).

Then I have created default block rules for incoming traffic.
Now I want to access an HTTP site from VLAN a to b and created a rule for that.
But in the log I can now see that in this example the traffic is going to VLAN b but is then blocked on interface b on the way out.

I thought that by default the way OPNsense does it would be stateful, so if a client from VLAN a initiates the traffic I don't need to create rules for the way back?

Does anyone have a hint on that?

Thanks,
Tobi
#12
Thanks for your answers.
Strange is that even if I put in my actual IPv4 address, WireGuard on my mobile tells me I am connected, but I can't find anything in my logs.
What I have configured is:
- local wireguard config (see attached)
- wg1 interface
- FW rules on WAN and wireguard interface

Any hints?

regards,
Tobi

Update:
I found the issue in the public key (I missed some letters). That was not shown in the GUI, but on the console I could see that error.

regards,
Tobias
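The update above describes a peer key with a few characters missing that the GUI accepted silently. As an added example (not from the post, OPNsense or WireGuard itself), this check validates a WireGuard key the way a form could before saving it: exactly 44 base64 characters ending in '=', decoding to exactly 32 bytes, and canonical so that stray bits in the last character are rejected. The keys are constructed for the demonstration and are not real keys.

```python
import base64
import binascii

# Constructed keys: a valid 32-byte key in canonical base64, and the same key
# with three characters dropped, like the truncation described in the post.
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()   # 44 chars, ends in '='
TRUNCATED_KEY = GOOD_KEY[:-3]                            # a few letters missing


def check_wg_key(key):
    """Return (ok, reason). A WireGuard key is 32 bytes, i.e. 44 base64 chars."""
    key = key.strip()
    if len(key) != 44 or not key.endswith("="):
        return False, f"length {len(key)}, expected 44 characters ending in '='"
    try:
        raw = base64.b64decode(key, validate=True)   # rejects non-alphabet chars
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != 32:
        return False, f"decodes to {len(raw)} bytes, expected 32"
    # Re-encoding must reproduce the input; otherwise the last character
    # carried padding bits that are silently discarded on decode.
    if base64.b64encode(raw).decode() != key:
        return False, "non-canonical encoding (stray bits in last character)"
    return True, "ok"


if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("truncated", TRUNCATED_KEY)):
        ok, reason = check_wg_key(key)
        print(f"{label:10} {key!r}: {reason}")
```

The same check applies to private and preshared keys, which have the same 32-byte length.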
#13
Hi,

I have the following setup:
Fritzbox => OPNsense
- I have forwarded port 51820 to the OPNsense
- configured WireGuard via https://docs.opnsense.org/manual/how-tos/wireguard-client.html (without any IPv6 setup)

My mobile phone is connecting, but it shows it's connected to an IPv6 address and I can't find anything in the FW logs or even in the WireGuard handshake.

Any ideas?
Thanks,
Tobi
#14
Thanks!
What do you think about the IPU451?
I think that will fulfill my requirements also for the future, but for sure won't be the cheapest solution.

Specs are:
CPU: Intel Celeron N5105 Jasper Lake Quad Core (4 Threads) 2.0 GHz, burst up to 2.9 GHz, 10W TDP
Cache: 128 KByte L1 Instruction, 128 KByte L1 Data, 1.5 MByte L2, 4 MByte L3
Features: AES-NI, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, Enhanced Intel SpeedStep Technology (EIST), Intel 64, XD bit, Intel VT-x, Intel VT-d, Intel SHA Extensions, SMAP/SMEP, MBEC
And I would buy it with 16 GB RAM and a 250 GB NVMe SSD.

Regards,
Tobi
#15
Hi,

I am new here and am currently using a Unifi Security Gateway and want to change the FW to an OPNsense environment.
I am searching for a good but also cost-optimized setup (< 500 € if the compromises are not too high).
Currently I have the following network devices:
- FW: USG
- AP: 3x Unifi U6 Pro
- Switches (all Unifi):
1x 24 port switch
1x 8 port
3x 5 port
An Active Directory running on a Synology NAS and a Pi-hole + AdGuard running via Docker.
Homebridge is also running as Docker on the Synology.
- network/client devices: 60-80 (a lot of home automation devices)

My requirements are:
- WAN throughput: min. 500 Mbit incl. IPS
- content filtering
- up to 10 remote dial-in VPN users/devices
- up to 5 site-to-site VPNs via WireGuard or OpenVPN
- around 10 VLANs
- possibility for WAN failover (via USB 4G/5G stick)
- no fans
- minimum of 4 gigabit LAN ports (I expect I can use VLAN tagging to summarize some VLANs)

Does anyone have a proposal for such hardware?

Thanks,
Tobi