Messages - ntsco

#1
Hi all,

I recently upgraded from OPNsense 22.7 to 23.7.5.
There appears to be a problem with WireGuard/firewall after the upgrade: while WireGuard was working, client requests were not able to pass through the firewall. After some digging, I found the cause: in our setup, firewall rules are applied to interface groups. The WireGuard interface in question is assigned to such groups. Rules affecting these groups did not apply to the WireGuard interface after boot, while floating rules did.

If I look into Firewall > Diagnostics > Aliases > <alias-for-group>, the WireGuard interface's subnet does not appear in it, even though the interface is part of the group.

Workaround 1: After reboot, make any kind of firewall change or interface change and apply it. The config will be reloaded, and the WireGuard interface's subnet will be included in the groups' network aliases.

Workaround 2: Add a script that runs on boot. I created /usr/local/etc/rc.syshook.d/start/92-wireguard-firewall-workaround with the following content:


#!/bin/sh
# Give the WireGuard interface a moment to come up, then reload the filter
# so the interface group's network aliases pick up the WireGuard subnet.
sleep 2
configctl filter reload


While these workarounds do solve the issue for now, I would like to know what is causing the bug, and if it can be fixed on the OPNsense software side.

Firmware Status:


Type opnsense
Version 23.7.5
Architecture amd64
Commit cd8f7fa6f
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Repositories OPNsense
Updated on Thu Sep 28 17:50:54 CEST 2023
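The following is an added example and is not code from the post above or from the OPNsense project. It is a conditional variant of workaround 2: instead of reloading the filter unconditionally after a fixed sleep, it computes the network of the WireGuard interface's IPv4 address from the ifconfig output, looks for that network in the pf table that backs the interface group's network alias, and only runs configctl filter reload when the network is missing. The interface name (wg0), the table name (mygroup), the assumption that the group alias is backed by a pf table of the same name listed by pfctl -sT, and the FreeBSD ifconfig format "inet A.B.C.D netmask 0xHHHHHHHH" are all assumptions of this example, not facts from the post. The helper functions are plain text and arithmetic so they can be exercised without pf; the part that talks to pfctl and configctl only runs when pfctl is present.

```shell
#!/bin/sh
# Added example (not from the post or from OPNsense): reload the filter only
# when the WireGuard network is missing from the group's pf table.
#
# Assumptions (not taken from the post):
#   WG_IF        WireGuard interface name
#   GROUP_TABLE  pf table backing the group's network alias (see `pfctl -sT`)
WG_IF="${WG_IF:-wg0}"
GROUP_TABLE="${GROUP_TABLE:-mygroup}"   # placeholder, use the real table name

# ip_to_int: dotted quad -> unsigned 32-bit integer
ip_to_int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# int_to_ip: unsigned 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_prefix: hex netmask as printed by FreeBSD ifconfig (0xffffff00) -> 24.
# Counts contiguous set bits from the most significant end.
mask_to_prefix() {
    m=$(( $1 ))   # shell arithmetic accepts the 0x form
    n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$(( n + 1 ))
    done
    echo "$n"
}

# network_cidr: address and hex mask -> network in CIDR form
#   network_cidr 10.10.0.1 0xffffff00  ->  10.10.0.0/24
network_cidr() {
    ip=$(ip_to_int "$1")
    mask=$(( $2 ))
    echo "$(int_to_ip $(( ip & mask )))/$(mask_to_prefix "$2")"
}

# table_has_net: succeed if a `pfctl -t <table> -T show` listing ($1, one
# entry per line, possibly indented) contains the network $2 exactly.
table_has_net() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -Fqx "$2"
}

# iface_net: network of the interface's first IPv4 address, from ifconfig.
# Assumes FreeBSD's "inet A.B.C.D netmask 0xHHHHHHHH ..." line format.
iface_net() {
    ifconfig "$1" inet 2>/dev/null | awk '/^[[:space:]]*inet /{print $2, $4; exit}' | {
        read -r addr mask || exit 1
        network_cidr "$addr" "$mask"
    }
}

main() {
    sleep 2   # as in the post's workaround, let the interface come up first
    net=$(iface_net "$WG_IF") || { echo "no IPv4 address on $WG_IF" >&2; exit 1; }
    if table_has_net "$(pfctl -t "$GROUP_TABLE" -T show 2>/dev/null)" "$net"; then
        echo "$net already in table $GROUP_TABLE; nothing to do"
    else
        echo "$net missing from table $GROUP_TABLE; reloading filter"
        configctl filter reload
    fi
}

# Only talk to pf when it is actually there (the helpers above run anywhere).
command -v pfctl >/dev/null 2>&1 && main
```

Set WG_IF and GROUP_TABLE to the real interface and table names before dropping this into rc.syshook.d/start; the table name can be confirmed with pfctl -sT, and a manual run after boot prints which branch was taken, which also makes it easy to see whether the missing entry is really the cause on a given box.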