Messages - tedly

#1
That was the key, it does rely on it being the nano image. No more LiveCD happening. I'm up and running after a configure and reboot.

Thank you for spotting that error of mine @Patrick.
#2
Quote from: Patrick M. Hausen on April 02, 2024, 08:16:27 AM
@tedly if it boots in live CD mode you probably missed the part about using the nano image for this procedure.

Ohhhh. I grabbed vga based on his instructions showing:

wget https://mirror.ams1.nl.leaseweb.net/opnsense/releases/23.7/OPNsense-23.7-vga-amd64.img.bz2

I didn't catch that he changed it to nano a few lines later. Time to give that a go before the work day starts. Thank you.
#3
I'm attempting this method for an OVH VPS.

First off, thanks for the instructions. I've had to fiddle with a few things. Primarily the networking. I wasn't able to get it to work using /32 or /24 with the x.x.x.1 GW address. Out of desperation I told it to boot DHCP where it did get the original IP, marked it with a /32 and then used the GW from the previous/lower /24. So if the IP was 192.168.51.50, the GW came back as 192.168.50.1. I would think that would make it a /23 but apparently not.

Anyhow. So once that is in place and I run pfctl -d, I can reach the box. But it insists it is in LiveCD mode. Which made sense. It's like it booted off the CD as a result of writing the installation disk to the only hard disk. Not like a real / full install.

As a result, when I go to run the installer, select the FS type, partition, etc., it throws out the error:

gpart: geom 'da0': File exists

And therefore refuses to install.

I assume that's because the mounted CD-ROM image is running on the same partition that I want to do a full (non-LiveCD) install on. I'm stumped on how to get around this problem.

I've tried the image in your instructions and a newer 24.1 version as well. Same issue. :(
#4
Whew!

I wasn't aware of the pre-upgrade hook, that's fantastic!

I've tried to move to the newer certificate-based authentication but have yet to get it 100% working. Sounds like I have a big window to work that out.

Thanks for the reply.
#5
I believe it was the upgrade between 23.7 and 24.1 after which OpenVPN servers/clients now say [legacy] next to them.

Does this mean they're going to go EOL/discontinue at some point?

I looked at the roadmap link here but it doesn't mention this change. Nor a mention of this in the future. Is there somewhere that details the future of openvpn client/server for opnsense? I don't want to be caught with my pants down if it suddenly stops working when I patch to a new release.

[legacy] is scary wording for someone who relies on it.

Thanks.
#6
I found that if I use an external search (Google), I get much better results than the forum search. Here's several people talking about the same thing as I:

https://www.google.com/search?q=opnsense+vpn+client+use+gw+group+multi-wan+site%3Aforum.opnsense.org

None of the threads answer the question, dating back to 2016. Looks like it may just be a shortcoming of OPNsense that isn't getting much attention.

VPN routing works fine if one disables the multi-wan setup on the device.
#7
I just observed a new symptom. I can't even ping my own LAN gateway. And if I traceroute to it, it gives me that same goofy route outside of my LAN to Starlink's CGNAT gateway. :'(

Route table and Tracepath results in attached screenshot.

How in the world could a gateway / router send traffic heading to itself to the public internet?

FYI - I am on the network typing this and can use the same OPNsense GW just fine to browse/anything currently.
#8
Hi. I've set up countless (open)vpn site2site setups over the last decade with pfsense. Now I'm all-in on opnsense. I had it working fine 12 hours ago before I added in multi-wan. Now that multi-wan is going, openvpn no longer routes properly. Rather than use the VPN tunnel IP to route traffic, it uses the upstream hop. See below:

1?: [LOCALHOST]                      pmtu 1500
1:  192.168.1.1                                           0.965ms asymm  2
2:  100.64.0.1                                           39.816ms asymm  4
3:  172.16.251.70                                        38.100ms asymm  4
4:  undefined.hostname.localhost                         51.994ms (This broken router returned corrupted payload) asymm  8
5:  undefined.hostname.localhost                         42.959ms asymm  6
6:  den-b3-link.ip.twelve99.net                          43.309ms !N
     Resume: pmtu 1500

Note that 192.168.1.1 is my upstream hop because I have cgnat behind starlink.

My source network is 192.168.150.0/23 and my destination is 192.168.148.0/23. Each end of the site-to-site connects to a hub opnsense host and that hub communicates traffic between the two networks. Again, something I've done many times.

The remote end (192.168.148.0/23) can ping and communicate with the local side (192.168.150.0/23). When the remote side does a traceroute, it correctly talks to the VPN's tunnel subnet (172.30.1.16/28).

But when the local side tries to connect to the remote network, it skips routing through the tunnel's subnet gateway (172.30.1.17). And goes out the public (192.168.1.1) gateway. And as you can see in the example above, it doesn't reach the real end point.

I have verified that the local OPNsense has a route set up for 192.168.148.0/23 to go to the tunnel subnet GW (172.30.1.17). But it is being ignored anytime I send traffic.

As mentioned at the start of the post, this was working until I added multi-WAN on the local (192.168.150.0/23) OPNsense.

I've rebooted. I've deleted and recreated the openvpn client configs. I've scoured the configs for 3-4 hours now. The VPN connects but the route is just broken.

Any ideas?
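A quick way to confirm the mismatch described in the post above, as an added example that is not part of the original thread or of OPNsense itself: look up the destination in the route table with a longest-prefix match and compare that gateway with the first hop tracepath actually reports. The route table and tracepath text below are constructed from the values in the post (192.168.148.0/23 via 172.30.1.17, default via 192.168.1.1); on a firewall where a multi-WAN policy rule overrides the routing table, the two answers will differ exactly as they do here.

```python
import ipaddress
import re

# Constructed route table modelled on the post: the site-to-site route via
# the tunnel gateway, plus the default route via the upstream CGNAT hop.
ROUTES = {
    "0.0.0.0/0": "192.168.1.1",
    "192.168.148.0/23": "172.30.1.17",
    "192.168.150.0/23": "direct",   # locally attached LAN
}

# Constructed tracepath output in the same format quoted in the post.
TRACEPATH = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.1.1                                           0.965ms asymm  2
 2:  100.64.0.1                                           39.816ms asymm  4
"""

# Matches "N:  <hop>" lines; the "1?: [LOCALHOST]" header line does not match.
HOP_RE = re.compile(r"^\s*(\d+):\s+(\S+)")


def expected_gateway(dst, routes=ROUTES):
    """Longest-prefix match over the route table, as the kernel would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] == "direct" else best[1]


def first_hop(tracepath_text):
    """Return the first off-box hop address seen in tracepath output."""
    for line in tracepath_text.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) == "1":
            return m.group(2)
    return None


def check_route(dst, tracepath_text, routes=ROUTES):
    """Compare what the route table says with what the packets actually did."""
    want = expected_gateway(dst, routes)
    got = first_hop(tracepath_text)
    return {"destination": dst, "expected_gw": want, "observed_hop": got, "ok": want == got}


if __name__ == "__main__":
    print(check_route("192.168.148.10", TRACEPATH))
```

An `ok: False` result with the default gateway as the observed hop points at something ahead of the routing table (a firewall rule with a gateway or gateway group set) rather than at the route itself.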
#9
I didn't find a solution to my issue. But it occurred to me that I can just set a new firewall wan rule at the top to capture traffic from those IPs and not log it.

I had to take the time to add the whole subnet other than my IP and the gateway. But, then, success! Now my default log view has useful entries again.

Though it would still be cool to have a default filter that shows up during Log View.

#10
Hi. Is there a way to set a default template for my firewall logs?

Reason I ask is that I have a bunch of noisy neighbors on my /24 who constantly hit me with UDP broadcast(?) traffic. Like 10 packets a second.

Which is making it pretty difficult to watch the logs for what's going on. I have made a template to block the external subnet and that works great. But I have to wait for the logs page to load each time and then select it. Plus there doesn't appear to be a way to set any template on the Dashboard Firewall Log widget.

Is there any way to set a default filter on the logs? Perhaps in a template that is selected by default.

I've tried googling and searching the forum for firewall log & default template, but all I'm getting is results on lots of other unrelated topics.

Thanks in advance.
#11
General Discussion / Re: change an interface's identifier
November 11, 2023, 07:42:22 AM
Thank you for the quick reply, Bart.

I did try that already this evening. With a reboot after the change.

I tried it again just now upon your suggestion - in case I had an error before. Unfortunately, it hasn't changed the "identifier" field under Interface Assignments though.

Ultimately my goal is to do multi-WAN between the LTE (backup) and the Starlink (primary) networks with the 3rd interface being my LAN. Does the "identifier" name have any bearing on that? Or, if it's just a label that doesn't affect anything, then I can just move on with continuing to configure my first OPNsense as-is.
#12
General Discussion / change an interface's identifier
November 11, 2023, 05:56:03 AM
I couldn't seem to find any posts or info to answer this, or I didn't pick the right search terms.

But I have a brand new setup with three NICs. I intend to have one for my LAN (internal), WAN (primary gateway), and OPT1 (backup LTE).

But during the setup, the system assigned the "identifier" of "lan" to the LTE interface. And "opt1" to the LAN interface. See attached image.

I'd like to reverse these. I couldn't find where to change these.

And I can't just move the NIC cords because I need certain NICs to do certain duties for performance reasons.