Messages

1

General Discussion / Re: UDP Broadcast Relay

« on: July 27, 2024, 08:49:32 pm »

Hi all,

anyone who has airplay with Sonos running via udp broadcast relay?
For me it is not working.
A different device than Sonos (Denon) is working fine on the same plan, but with the Sonos its different.
I can see the device via airplay but connection is not possible.
Any hints? / anyone who has this running?

regards,
Tobias

2

General Discussion / fw blocks package but existing rule exists

« on: July 07, 2024, 12:08:23 pm »

Hi all,

i am on 24.1.9_4-amd64 and I don't have any clue why traffic is still blocked 8seeattachment dropped_packages).
It's regarding my home automation network and I have a general RFC1918 rule that denies traffic within the vlan.
Now I am trying to connect from device 192.168.178.30 (random tcp port) to 192.168.178.88 on tcp port 8083.
As you can see in my screenshots this traffic is blocked with the RFC rule. But before I have a rule that should pass that traffic. (see rule1 and rule_details).
Do you have any hints for me?

Thanks,
Tobias

3

24.1 Legacy Series / [solved] wireguard site2site not working after upgrade

« on: May 09, 2024, 10:13:09 am »

Hi all,

unfortunately my wireguard site2site is not working after upgrade.
Wiregard for clients remains working.
I have the following setup:
Interface:

Tried with and without dynamic GW policy and with tunnel interface.
WG instance:

Tried without and with GW. Before update I didn't create a GW there.
Peer: didn't change anything
Gateway:


Any hint?
Thanks,
Tobias

Update: I have solved this by deleting all VPN related rules, restart and then manual configuration Gateway and rout and WG instance (disabling rules, setting GW).

4

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 05, 2024, 02:51:11 pm »

can someone explain what exactly needs to be done to get wireguard running fine again?
I have a site2site VPN that is not working after upgrade anymore (to mobile clients is working).
I tried a lot but don't get it solved.
Currently I am getting:

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/ifconfig 'wg2' inet '192.168.200.1'/'24' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): File exists'
Update: that was due to VIP that I tried to set as I saw something in some threads.
When I am creating a gateway and activating a route I am not getting any error but it's still not working....
If I roll back to old config I am getting:

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: gateway IP could not be found for 192.168.200.0/24

Thanks,
Tobi

5

Virtual private networks / wireguard S2S between opnsense and fritzbox. Connection up but "no access"

« on: March 02, 2024, 10:03:17 am »

Hi,

i am just switching from IPSec to Wireguard for my S2S connection to my father.
Attached you can see the rough overview.

The link is shown as up and running but I can't access for example the Fritzbox on the other side.
connection shows:

Code: [Select]

peer: blubbblubb
  preshared key: (hidden)
  endpoint: [IPv6]:50040
  allowed ips: 192.168.200.0/24, 192.168.161.1/32
  transfer: 0 B received, 1.59 KiB sent
  persistent keepalive: every 25 secondsRouting is done automatically, correct?
At least I have a route like 192.168.200.0/24 via wg2 (interface s2sPapa).
I can also see packages going out (see screenshot2).
What am I doing wrong?

Thanks for any hint,
Tobi

6

General Discussion / Re: accessing ipv6 IPs on WAN

« on: February 17, 2024, 03:40:20 pm »

Well, I have never had an issue with double NAT etc, as I am routing the networks as needed.
Regarding the ipv6 issue its not going easier as I am using unbound and ADGuard
I am not getting an IPv6 from my fritzbox.
And I can't even resolve ipv6 addresses via adguard / unbound.

7

General Discussion / Re: accessing ipv6 IPs on WAN

« on: February 11, 2024, 03:06:25 pm »

Attached you can see an rough overview:

- remote fritzbox is on IPv6
- my fritzbox is on IPv4 and just for DSL dial in
- OPNsense holds the networks (e.g. for new site2site VPN)

IPv6 request from OPNSense fails.

8

General Discussion / Re: accessing ipv6 IPs on WAN

« on: February 11, 2024, 10:24:00 am »

I assume the fritzbox side has a CGNAT connection (probably Deutsche Glasfaser), so it is only reachable via IPv6.

That's true. It's Vodafone but only IPv6 is available.
My fritzbox has an ipv4 address but connection wasn't working already.

If I am trying to resolve an ipv6 I am getting no answer.

9

General Discussion / accessing ipv6 IPs on WAN

« on: February 11, 2024, 09:58:17 am »

Hi,

i am trying to establish a Wireguard site2site connection from an opnsense to a fritzbox.
Fritz!Box is only having IPv6 address now and I found out that I am not able to connect to ipv6 addresses.
My OPNSense is sitting behind a fritzbox with ipv4 address.
I have now enabled also ipv6 on WAN interface (DHCPv6) but it is not working.
Any hints?

Thanks,
Tobi

10

General Discussion / Re: configuration for stateful FW rules

« on: June 16, 2023, 09:18:24 am »

ah ok, that was overlapping. Yes great.
After i disabled that rule and checked the logs, i can confirm that this traffic from client to dreck device is working and default deny also works for everything else.
THanks for your support!

11

General Discussion / Re: configuration for stateful FW rules

« on: June 16, 2023, 09:09:20 am »

THanks for your answer.
I wanted to deny all trafic by default out of the dreck network.
So how should i do that best?
Or is it that this will be done by default deny?

12

General Discussion / Re: configuration for stateful FW rules

« on: June 16, 2023, 08:58:31 am »

Sorry i was only on mobile and away.
After further investiagation i found out the following:
If you see the attachment block you can see that the request is not coming from the client net as source but from the GW address of the "dreck" network.
I also added the rules for the clientVLAN which is the network of my client PC and trying to access an address (192.168.177.60) at the dreck VLAN.

regards,
Tobi

13

General Discussion / configuration for stateful FW rules

« on: June 14, 2023, 06:14:15 am »

Hi all,

i am just wondering why i have to create rules for the way back.
I have 6 ports (1 wan, 5 different ports with 8 vlans in all) configured.
For each vlan a single gateway is configured (is that really neede, as it seems to make no difference?).

Then i have created default block rules for incoming traffic.
Now i want access an http site from vlan a to b and created a rule for that.
But in the log i can now see that in this example traffic is going to vlan b but then the it is blocked on the interface b on going out.

I thought by default the way opnsense is doing it would be stateful, so if client from vlan a is initiating the traffic i don‘t need to create rules for the way back?

Does anyone have a hint on that?

Thanks,
Tobi

14

General Discussion / [solved] Re: Wireguard not working (connecting to IPv6 instead of ipv4)

« on: June 09, 2023, 04:02:41 pm »

Thanks for you answers.
Strange is that even if i put in my actual IPv4 address wireguard on my mobile tells me i am connected but i can't find anything in my logs.
What do i have configured is:
- local wireguard config (see attached)
- wg1 interface
- FW rules on WAN and wireguard interface

Andy hints?

regards,
Tobi

Update:
I found the issue in the public key (i missed some letters). That was not shown in the GUI but on the console i could see that error.

regards,
Tobias

15

General Discussion / [solved] Wireguard not working (connecting to IPv6 instead of ipv4)

« on: June 09, 2023, 11:48:45 am »

Hi,

i have the following setup:
Fritzbox => opnsense
- I have forwarded port 51820 to the opnsense
- configured wireguard via https://docs.opnsense.org/manual/how-tos/wireguard-client.html (without any ipv6 setup)

My mobile phone is connecting but it shows its connected to ipv6 address and i can't find anything in the FW logs or even in the Wireguard handshake.

Any ideas?
Thanks,
Tobi