Messages - ricksense

1
General Discussion / Wireguard via DHCP WANs in a Failover Scenario
« on: November 21, 2024, 01:07:00 pm »
Hi everyone,
I created two LABs in virtual environments, each running OPNsense as a firewall/router of their own LANs.
I also set a dual WAN failover on their WAN ports (one port with static IP, and a dhcp client on the other).
I then set a site-to-site Wireguard tunnel between the two OPNsense machines to make their LANs reach each other. Everything works great so far.

However, I noticed that the tunnel works as long as a WAN with static IP is UP on at least one side of the two LABs; in other words, if the two "static IP WANs" fail on both sides, the Wireguard tunnel stops working even though the two DHCP WANs are regularly up and the clients on both sides can go out to the Internet.
Is this expected and considered normal behaviour in a real-world scenario too?
Thanks

2
Italian - Italiano / Wireguard via DHCP WANs
« on: November 21, 2024, 01:04:31 pm »

Moved to General Discussion. My bad, sorry

3
General Discussion / Re: [SOLVED] I can't access WEB GUI from a local PC
« on: November 20, 2024, 09:25:27 am »
Quote from: bartjsmit on November 20, 2024, 08:19:55 am
Set all the internal MTU to 1500. Jumbo frames are best for dedicated storage networks/VLANs.

I checked. The MTU is already set to 1500 on every Cisco interface. Maybe the issue is something related to the virtualization

4
General Discussion / Re: [SOLVED] I can't access WEB GUI from a local PC
« on: November 19, 2024, 07:55:55 pm »
Quote from: bartjsmit on November 19, 2024, 06:22:45 pm
There may be a discrepancy in the MTU at layer-2. Check for switches or network cards that are set to different values.

There is a virtual Cisco switch between OPNsense and clients

5
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 02:19:02 pm »
UPDATE!!

I set MSS at 600 and now it works!

I can guess it, but I don't know exactly why.


6
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 02:09:05 pm »
Quote from: Monviech (Cedrik) on November 19, 2024, 01:47:56 pm
Well, can you tcpdump/wireshark on the requesting client to see if it receives the correct responses from the firewall when initiating an SSH session, for example?


Ok. I ran Wireshark on the Windows 7 machine while I was trying to access the OPNsense WebGUI.


7
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 01:43:06 pm »
Quote from: Monviech (Cedrik) on November 19, 2024, 01:37:56 pm
If only traffic targeted to a service on the firewall itself does not work, the response of the firewall might be sent to a different destination than back to the requesting client.

I haven't checked the packet capture, sorry, just an idea.

I didn't set anything about the gateway, so it must be on the default setting.
Thanks

8
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 01:29:31 pm »
Quote from: Monviech (Cedrik) on November 19, 2024, 01:09:36 pm
Maybe that VLAN has a Gateway set accidentally?

Where?

Apart from WebGUI access, everything works as expected.
Can you see anything interesting in the wireshark capture screenshot I uploaded earlier?

Very weird issue

9
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 01:06:21 pm »
Quote from: bartjsmit on November 19, 2024, 12:53:45 pm
Can you access the firewall with SSH?

Only from WAN or the MNG port, not from the PC on the VLAN.

10
General Discussion / Re: I can't access WEB GUI from a local PC
« on: November 19, 2024, 12:48:29 pm »
Quote from: bartjsmit on November 19, 2024, 12:40:36 pm
System: Settings: Administration

Is the Web GUI listening on all interfaces?

Yes it is.
Thanks

11
General Discussion / [SOLVED] I can't access WEB GUI from a local PC
« on: November 19, 2024, 11:03:32 am »
Hi,

I can access my OPNsense web GUI either from a management interface or directly from WAN (I set a firewall rule for that); no security issues, since everything runs in a virtual lab environment.
I found out that I can't access the web GUI from local PCs running in a VLAN, even though I set a pass rule for that, and the PCs can ping the local gateway (10.30.30.1) and go to the internet regularly.

Here are the VLAN firewall rules:



and a Wireshark capture on the trunk interface:



I also disabled the firewall filters in the advanced option but I still can't access the web GUI from the "main" VLAN.

I don't know what is wrong with it. Could you please help me figure it out? Thanks


12
General Discussion / Re: Disable reply-to on WAN Rule to access GUI from WAN
« on: November 18, 2024, 12:28:01 pm »
Quote from: dseven on November 18, 2024, 12:16:03 pm
If you're planning on Multi-WAN, you should not disable reply-to globally - rather do it on the specific rules where it's causing an issue - like your WebUI access rule....

Okay. Thanks

13
General Discussion / Re: Disable reply-to on WAN Rule to access GUI from WAN
« on: November 18, 2024, 12:06:05 pm »
Quote from: Monviech (Cedrik) on November 18, 2024, 10:10:03 am
"reply-to" is a defining feature of "pf".

When activated, it will force packets to the default gateway of the interface. This means it can circumvent issues like asymmetric routing natively.

It also means that clients in the same network as the interface with the gateway will not receive responses, since they are all sent to the default gateway.

You do not have to globally disable it; creating a firewall rule that matches the exact traffic of the WebGUI, enabling advanced options in that rule, and setting "reply-to" to "disable" should solve it selectively. Of course, that rule has to match first on the WAN firewall rules.

E.g:

Source Network: WAN net
Source Ports: Any
Destination Network: WAN address
Destination Ports: HTTPS
- Advanced Options -
Reply-To: Disable

Okay, I think I get it, and I'll give "the selective rule" a try.

By the way, does this also mean that I need to uncheck this option if I want to set up a dual WAN failover (which is what I actually want to do)?

Thank you very much
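
To make the mechanism in the quoted reply concrete, here is an added pf.conf sketch written for this page; it is not OPNsense's generated ruleset and not from the thread, and the interface name, gateway address and port are assumed placeholders.

```pf
# Assumed placeholders for illustration only (not taken from the thread)
wan_if = "vtnet0"
wan_gw = "203.0.113.1"

# 1) Selective exception, evaluated first because of "quick": WebGUI traffic
#    arriving on WAN from a host on the same segment carries no reply-to, so
#    the reply leaves directly over the interface instead of being forced to
#    the default gateway (which is why the neighbouring PC never saw replies).
pass in quick on $wan_if proto tcp from $wan_if:network to ($wan_if) port 443 \
    flags S/SA keep state

# 2) Ordinary WAN rule keeps reply-to: return traffic for this state is
#    routed out via $wan_gw, which is what avoids asymmetric-routing trouble
#    once a second WAN (failover) is added. Other WAN rules follow the same
#    pattern; only the exception above drops the reply-to keyword.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) proto tcp \
    from any to ($wan_if) port 22 flags S/SA keep state
```

With `quick`, the first matching rule wins, so the exception must sit above the reply-to rules in the WAN rule list; leaving reply-to on everywhere else is what keeps multi-WAN return paths correct.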

14
General Discussion / Disable reply-to on WAN Rule to access GUI from WAN
« on: November 17, 2024, 09:05:34 pm »
Hi everyone,

I installed OPNsense as a VM on two different PCs. In order to access their WEB GUIs from WAN (just for convenience; they run in LAB environments which I use for learning purposes), I set pass rules to allow that, of course.
I can access the OPNsense WEB GUI from the browser of the host where the VM runs,
BUT if I want to access it from another PC (the other one where the other OPNsense VM runs), it isn't allowed unless I check "Disable reply-to on WAN Rule".



Could anyone please explain to me what this option is for and how exactly it works?

Thanks



15
General Discussion / Error: Not netmap adapter on device
« on: November 08, 2024, 01:20:28 pm »
Hi,
I installed and enabled Zenarmor for the LAN interface (and IPS for the WAN as well).
I started to see this error message on the shell:

https://imgbox.com/ZzU5wxX4

Could anyone please tell me what it is about and if I can fix it?
Thanks
