Messages

1

Virtual private networks / Wireguard and ISP required VLAN tag

« on: September 16, 2024, 04:17:24 pm »

Trying to get Wireguard to work on my sons PC from his place. I have the Wireguard server running in OPNsense at my place. I've set up a client on my sons PC and there is a handshake and Wireguard is active (green) on his PC, but he has no internet access.

The client is set up with
DNS servers 9.9.9.9 and 149.112.1.12.112.
Allowed IPs 0.0.0.0/0

I'm using a Unifi Express at his place which I've set up without the router that his ISP did provide - just not to have all this equipment running. In order to get this to work I had to tag all outbound traffic with VLAN107.

I'm now in doubt if the connectivity issue is due to the VLAN tag or it has something to do with my firewall settings at my end or that I would need to tag outbound trafic from the server. As you can understand from this I'm not that familiar with how VPNs work (flow of trafic etc.)

The Unifi router isn't easily accessible that's why I didn't test with the IPS provided router in bridge mode (but this would off course be something to do next time I visit him).

Appreciate and help trying to troubleshoot this issue. I'm also OPNsense novice... TIA.

2

General Discussion / Firewall and company VPN

« on: March 20, 2023, 04:51:15 pm »

Hi forum
I've setup firewall rules to reject/block connections to the RFC1918 range, but my wife and I often work from home and use a secure VPN connection to log into our company networks. It's working right now, but I see a lot of rejected request because the source (company PC) is trying to reach a destination within the RFC1918 range. What would best practice be in this situation. Separate VLAN with no rules blocking the RFC1918 range?

3

General Discussion / Re: Loosing WAN connection continously

« on: March 20, 2023, 04:36:25 pm »

I contacted my IPS to verify that everything "on their side" was OK. Turned out that the had changed the setup of the modem so it no longer was in bridge-mode. She told me that he modem had been like this for a while (not changed today), so I wonder if this will solve my issue.

I guess this could mess things up quite a bit - but I'd really appreciate if you have any comments / input to my setup etc.

4

General Discussion / Loosing WAN connection continously

« on: March 20, 2023, 04:02:44 pm »

Hi forum
As a novice I'm looking for help to debug/identify my issue and confirm "correct" settings. My WAN connection has begun to drop out repeatedly - 5th time today. It has happened once before in the 1 - 2 weeks I've had OPNsense up and running. I haven't made any changes to my setup today (or in the last week or so). Running OPNsense vers. 23.1.3_4 on a Protectli.

I notice the "Router Advertisement Daemon" status changes to "OFF". One time I restarted it, the "Unbound DNS" service changed to "OFF". The service keeps turning "OFF". I'm inclined to believe my issue is connected to this service -but not sure at all.

The System Log File General shows the "Warning opnsense /usr/local/etc/rc.linkup: hcpd_radvd_configure(auto) found no suitable IPv6 address on igc1".

My ISP provides a dynamic IPv4 address - not sure if they support IPv6. My knowledge of best practice when it comes down to IPv6 is very limited.

IPv6 is not enabled in "Services/DHCPv6/Relay".

I've setup "Unbound DNS" and "DNS over TLS" using Quad9 as nameserver.
Admittedly I've enabled both the Quad9 IPv4 and IPv6 addresses.
In "Unbound/General" I've checked "IPv6 Link-Local/Register IPv6 link-local addresses".

In "Interfaces/WAN/" I had the "IPv6 Configuration Type" set to "DHCPv6".

I've setup floating firewalls to only allow DNS requests to "This firewall" and block other DNS request. Maybe "This firewall" should be replaced with "127.0.0.1"? See attached Billede1 (picture 1).

I've setup a Port Forwarding rule to redirect DNS requests to the local DNS server. Not sure if I should include port 853 here. See attached Billede2 (picture 2).

I'll contact my ISP to see if they had issues, but the modem indicates that everything should be fine.

PS: How do I insert an image? I get the icon and the "frames" but what then...?

5

Tutorials and FAQs / Re: DNS over TLS - Verified that unsigned response is INSECURE

« on: March 10, 2023, 11:06:56 am »

Thanks Fright. I'm admittedly in over my head sometimes...

6

Tutorials and FAQs / DNS over TLS - Verified that unsigned response is INSECURE

« on: March 09, 2023, 12:09:48 pm »

Hi forum
New to OPNsense and DNS over TLS. I get this line in my logfile under debug "[92375:3] info: Verified that unsigned response is INSECURE" and I'm not sure what to make of this "warning".

In > Unbound DNS > DNS over TLS, I've setup and enabled two services.
Enabled: Checked
Domain: Blank
Address: 1.1.1.2 and 1.0.0.2 (respectively)
Port: 853
Hostname: security.cloudflare-dns.com

In > Unbound DNS > General
Enabled: Checked
Listen port: 53
Network Interfaces: All
DNSSEC: Checked
IPv6 Link-local: Checked

In > Unbound DNS > Advanced
Harden DNSSEC Data: Checked
Log Queries: Checked
Log Level Verbosity: Level 2

In > Services > DHCPv4 and the respective LAN and VLANs
DNS Servers: Blank

In > System > Settings > General
DNS Servers: Blank

Am I missing something? Whats causing this promp in the log?