Messages

1

24.7 Production Series / Configuring Static Routing for Secondary /29 Subnet

« on: November 12, 2024, 10:15:47 pm »

Hello everyone,

I received two /29 subnets from our ISP. Currently, I’m using the first /29 as the uplink, with the other 7 IPs functioning as virtual IPs, which is working well.

The second /29 subnet has its own gateway, which has been added as well, with those IPs also set up as virtual. However, our Layer 3 switch is having trouble routing this second subnet because we need to configure a static route in OPNSense.

Could someone advise on how to set up the static routing for the second subnet?

Your support is greatly appreciated.

Thank you!

2

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 23, 2024, 11:10:30 pm »

Yup, after the upgrade DOT DNS couldn't resolve in order to load Wireguard.
I've tried lowering DNSSEC standards and it helped, at least the BOGUS or NXDOMAIN responses lasted "only" 10sec, so the boot was fast, and WG successful.
I will not use IPs. IPs change.
I just hope Adguard will move to the early part of the boot sequence, so I don't need to use Unbound just to satisfy (unreliably) the boot process.

i have resolve it before with change the dns name of the extern site to the ip, after the last update OPNsense 24.1.7_4-amd64 has crashes it.
i am using DOT too.

Edit: ive got it resolved. Make sure to check the wireguard plug in. Somehow it disappeared. Reinstall it

3

24.1 Legacy Series / WG firewall rules

« on: May 22, 2024, 10:08:24 pm »

Hi everyone,

We are using WireGuard as a site-to-site VPN between four offices. These offices are connected to site A, so sites B, C, D, and E are connected to site A.

I want to allow RDP and ICMP from sites B and C, and allow all traffic from sites D and E. Can you please advise how to set this up? I appreciate any support.

4

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 14, 2024, 10:42:49 pm »

I managed to resolve this issue. Most of the S2S VPN connections were using the DNS name of the peer instead of the IP address. I am using DNS over TLS, which somehow didn’t resolve these two VPN sites correctly. I changed their DNS names to IP addresses, and they started working. I thought I’d share my resolution here.

5

24.1 Legacy Series / Re: NAT Rule Help

« on: May 14, 2024, 10:39:55 pm »

Sorry guys for my late reaction due to some health issues.

In some situations, when I have a DMZ, it forwards every port to OPNsense. Do you mean that even if OPNsense is behind a DMZ, it still needs port forwarding? I've noticed that OPNsense doesn't handle double NAT well.

6

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 05, 2024, 08:54:18 pm »

I am experiencing the same issue. After updating to OPNsense 24.1.6, my WireGuard setup stopped working. I have multiple sites, and I'm concerned because some sites work, while others do not.

The error message I'm getting on both sites is:

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt3 interface

7

24.1 Legacy Series / Re: Wireguard S2S down after upgrade

« on: May 05, 2024, 08:31:51 pm »

Solved it!

Don't ask why but the gateway was gone and on the interface it was set to "automatic".

I had to recreate the gateway and reconfigure it on the interface and things started working again.

i am facing a similar issue, do you mean the Site to Site Gateway was Gone?

8

24.1 Legacy Series / Re: NAT Rule Help

« on: April 29, 2024, 10:05:24 pm »

If there is another router in front you need a port forward rule on that other router, too.

There is a router in front of the OPNsense. We’re dealing with double NAT. Are you asking if I should still forward the port on the ISP router even if there’s a DMZ set up for the OPNsense?

9

24.1 Legacy Series / Re: NAT Rule Help

« on: April 28, 2024, 11:04:29 pm »

As an alternative to setting "Associated firewall rule" to "Pass" you could set it to "None" and then create your own explicit filter rule.

Can you explain what you exactly mean ?

10

24.1 Legacy Series / Re: NAT Rule Help

« on: April 28, 2024, 11:03:48 pm »

For that NAT port forward - did you set the "Associated firewall rule" to "Pass"?

I have tried those but it didn’t works.
I understand it’s a double NAT.
There is a isp router draytek in front of it and the opnsense is a dmz.
Could the double nat be the cause ?

11

24.1 Legacy Series / Re: NAT Rule Help

« on: April 26, 2024, 05:19:01 pm »

Does anyone have any suggestions? I would appreciate the help—I can't seem to resolve this issue. I've tried every tutorial and solution I could find online.

12

24.1 Legacy Series / NAT Rule Help

« on: April 25, 2024, 07:00:52 pm »

Hi Everyone,

I created a NAT rule to allow access to our internal camera system from outside the network. The rule is applied on the NAT and is automatically reflected on the WAN interface of the firewall.

However, when I try to access the cameras from an external location, I get the following error message: "Default Deny / State Violation." I've attached a screenshot showing the error.

Could someone please advise on what I might need to do to resolve this issue? Any guidance would be greatly appreciated.

Thanks in advance!

13

24.1 Legacy Series / Re: Multi Wan

« on: March 18, 2024, 10:33:15 am »

You can leave gw group for that rule, the 'disable force gateway' option will override that, so don't care about it.
Yes, lower number for WAN1 ia higher priority.
First time I hear about a WG tunnel, but it should not be affected.

Thank you for your answer.
i have followed up those steps unfortunately it didnt force the switching when WAN1 was cable was remoed.
i remeber me strugling with this couple of years ago. but i give up using it.

14

24.1 Legacy Series / Re: Multi Wan

« on: March 17, 2024, 07:37:54 pm »

Configure both as upstream. This causes OPNsense to use both for upstream according to priority. It will always use the GW online with higher priority, though there is no need for GW groups, but you can leave GW groups and firewall rules as they are.

So on the lan firewall rule keep using the default gateway or the use the gateway group I used ?
So WAN gateway and WAN2 gateway as upstream GW, but GW 1 with low numbers so it will be high priority and used for the up stream.
If I do so the Wireguard tunnel will remain working ?

15

24.1 Legacy Series / Re: Multi Wan

« on: March 17, 2024, 06:59:38 pm »

Looks everything fine so far... Now let's try setting up multi WAN without policy based routing...
Active the force gateway option and set WAN2 gateway to upstream. This should cause routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correct for this.
Does this work?

I lost you in this part.
Wan gateway is the up stream right now.
Do you mean wan2 gateway configured it as upstream gateway too ? Or remove the wan gateway as upstream gateway and replace it with wan 2?