Messages - Madifor

#1
Apparently you have to select "allow options" in the advanced options section of the incoming firewall rule when you want to force the returning traffic out to the desired interface.
After enabling it all is now working.
#2
By default, when you install the OPNsense firewall and go through the initial setup, you define your WAN & LAN interface configuration.
All additional interfaces you define / configure start with opt and then a number, for example opt1.

I hope someone can explain why, when you test a port-redirect rule configured on an opt<x> interface, it is shown in the firewall log (if you enable logging on the specific port), but when you do the same on the WAN port, nothing is shown and it is also not working?

Should it work, and is my OPNsense firewall configuration a little bit corrupt / misconfigured due to all the testing and playing around with the settings, or is there a good reason why this is happening?

Sometimes you want to test this prior to opening the port to the public (by creating a forwarding rule from the internet to your OPNsense firewall WAN interface).
#3
This is the latest packet capture, selecting both WAN connections and the DMZ where the web site is hosted. As you can see in the marked area, the reply from the server with 404 is never sent back over any WAN connection; it gets dropped. Under Advanced firewall settings, I selected 'use sticky connections' with a time-out of 5 seconds to make sure that the firewall knows which gateway to use when returning the traffic.

The output is from the internal Packet Capture feature of OPNsense and I placed all packets in order based on the time stamps.

There you see that the message with HTTP response 404 is NOT sent back to any WAN interface but gets stuck somewhere in the firewall, or gets dropped?

Just to be complete with the information: this WAN (Ziggo) connection is configured as secondary gateway for all traffic.
The primary gateway is on WAN-2.
Both gateways are configured in a gateway group where WAN-2 has higher priority / preference.

During the capture I want to note that the primary WAN interface was also included / selected, just to be sure that the missed packets are not sent back over the wrong interface.

All works fine when I manually shut down the primary gateway (on WAN-2). Then on the remote host I get the desired web page.

Anybody an idea why this is happening?
#4
Despite all the advice given, and also a post regarding this issue and a possible solution (https://forum.opnsense.org/index.php?topic=42613.0), it is not working (yet), so I might be missing a small configuration failure.

Also, another difference compared to the other post is that I have asked the ISP (WAN-1) to set their device in bridge mode, so now for WAN-1 the public IP is also directly on its respective interface.
During the troubleshooting I am now also testing only from a host on the internet (a remote PC I have access to).

Attached is a packet capture of what happens when I try to open the test page on WAN-IP1 (Ziggo).

Unfortunately the packet capture functionality doesn't mix the traffic of the selected interfaces, but shows first the traffic on one interface and below that the traffic recorded on the other interface, so I had to combine them myself and placed them side by side for a better comparison of what is happening.
#5
Just an update on the troubleshooting and what happens; as mentioned, 'WAN1' is behind the ISP modem before it gets to the internet.
When I try from the LAN network (which goes to the internet over WAN-2) to open the test website I created on the public IP address of WAN-1, in the firewall log I see the redirect rule is hit, then I see the accept rule, but funny enough in the packet capture running on the test server I don't see any packet arriving.
When I do the same using a host which resides somewhere on the internet, I see the same behaviour in the firewall log, so the redirect rule and accept rule are hit / used, with the difference that on the test server I actually see the packet arrive and the test page opens.

Doing some more troubleshooting: when I try to access WAN1 on the interface IP directly, I only see the rdr rule kick in, not the accept rule, but the page is loaded normally. Hopefully this helps to get to the root cause of the issue.
#6
Yes, I have reports configured.
When I open the email received and then open the attached HTML file, for all selections there is no data.

Not sure why this is happening.
#7
I have the following setup... an OPNsense firewall with 2 WAN connections.
Interface WAN-1 is connected to a cable modem -> Internet (WanIP1)
Interface WAN-2 is connected directly to an XGS-PON terminal, so it gets a public IP (WanIP2).
Hosts on my LAN go to the internet via WAN-2 by default.

On both WAN interfaces I have a port forward to a test website, which shows the message DEAD Host.
When I try to open the web page from my LAN at http://wan-1, the page does not open.
When I try to open the web page from my LAN at http://wan-2, I get the test page.

If I try the same from the internet, I get the test page on both IPs.

As far as I have been able to find out, the problem is caused by the WAN2 IP address being directly on the firewall.

Anyone have an idea how this can be solved?
#8
What I am trying to figure out is why I am unable to reach the website using the public DNS entry which points to the ISP1 WAN IP when (default) traffic is routed to the internet using ISP2. When I enter for example webserver.mydomain as URL in the browser, on the firewall I see that the request is received on the WAN1 interface. The port forwarding is also happening (initially it goes to a (reverse) web proxy and from there traffic reaches the correct webserver (based on the URL)). My suspicion is that it is caused by the fact that the WAN IP of the ISP2 connection is on one of the other interfaces and then gets lost... I have trouble in this part of troubleshooting... the packet capture feature doesn't give me a direction where to find the solution. Hopefully someone knows which mistakes I make in my thinking / troubleshooting process.

So just to be clear, when I restore the original setup where I also use the provided ISP device to connect to the XGS-PON terminal (media converter), it works.
#9
For some time I have had a 2nd ISP connection (fiber) next to my current WAN connection.
The 2nd provider provided an XGS-PON terminal (fiber in -> 10gbit copper out) and a Wifi modem/router.
I created a gateway group with ISP2 as Tier 1 and ISP1 as Tier 2, so by default all traffic goes to the internet using the 2nd WAN interface (ISP2).

The setup is then like the attachment "dual-wan_dual isp modem.png".

From the user I can reach the internet and the shown web server using the public DNS name which points to Public-IP1.
To make this work I created the required port forwards on the ISP-1 modem and on the WAN interface connected to the ISP1 modem.

All working as I would like to see it.

To save some energy, and also because it is possible, I am now experimenting with the 2nd setup, where I removed the modem/wifi-router of ISP-2.
I adjusted the interface configuration on the OPNsense firewall to be able to get a public IP.
So far so good..

The issue I have at this moment is that it is not possible to reach the web server using the public DNS hostname.
From the internet I can reach the webserver normally using the same public DNS name.

It looks like OPNsense has issues returning the traffic back to Public-IP2 when it is directly connected to the firewall, while I expect that it still has its NAT table with the port references, so it should be able to return the traffic to the user IP and initial TCP port.

Anybody an idea how this can be done?
#10
Since a couple of days the daily reports which I receive with a summary are empty.
Running the latest version of OPNsense and Zenarmor.

Anybody an idea?
#11
Reachability of LAN/WAN was related to firewall settings; the only issue remaining is that I get disconnected without any reason.
#12
Currently I have the OpenVPN server configuration under the legacy part configured and working without any issue.
Trying to figure out how to migrate from legacy -> instance..

I am able to configure an OpenVPN server instance, but the clients connected to it keep getting disconnected.
When trying to connect, after approx. 45 seconds the client gets disconnected, and even in this period it is not able to reach anything on the LAN side.

Why is this happening / what am I missing?

Anybody having the same issue (running OPNsense version 25.1.2)?
#13
24.7, 24.10 Legacy Series / openvpn connectivity issues
November 07, 2024, 01:46:37 PM
I am unable to get a site-to-site configuration to work, with OPNsense with OpenVPN on both sides (one side server and the other side client), or one side with OPNsense OpenVPN server and the 2nd side a 3rd-party OpenVPN client. However, I have to note that as soon as I can import the .ovpn file (into the OpenVPN client software / app), all is working fine, so meaning that the issue is most likely at the OpenVPN client side, where I can't figure out the correct parameters to connect to an OpenVPN server...

Does anybody have a clue how this can be fixed?

Regards
#14
On the destination device (Asus router), I can't create a user-based .ovpn file, just a general one.
From the OVPN config page (of this router) I am able to get the CA certificate and the private key... but as said, that is not user specific.. I selected this as peer CA..
When enabling the config it gets to the waiting state... can't get any further; it is definitely a mismatch with the .ovpn file which is normally used by the OpenVPN client... When I use this file on a Windows client or the OpenVPN client on my phone I get connected without any issues..
#15
I am working on replacing a SOHO router with an OPNsense router/firewall... The problem I have at this moment is configuring the OpenVPN client section correctly to connect to the OpenVPN server.

So in the previous setup it was an easy job by just importing the .ovpn file from the remote OpenVPN server; currently I am stuck configuring this under the OpenVPN client section in OPNsense...

The .ovpn file has the CA certificate and of course the various options.

Any help is appreciated.

Regards

Eddy