1
24.7 Production Series / Re: VPN Kill Switch
« on: October 18, 2024, 12:03:18 pm »
Can anyone advise please?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.7 Production Series / VPN Kill Switch
« on: October 15, 2024, 04:28:20 pm »
Hi, I've setup a WG VPN as per https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html including the kill switch step suggested, which works fine but I noticed if I disable the WG gateway that I've created as part of those steps the traffic goes out the default route. I assume this wouldn't normally happen so the kill switch would stop it but I wanted to prevent this, so I added a block rule, see attached with the yellow arrow. This seems to work however if I have continous ping running from a machine in the VPN_Hosts group the ping continues to respond although internet access is blocked as expected. If I start a new ping thats blocked so why wouldn't it block ICMP that was already in progress?
I need to ensure that the VPN kill switch is solid. It mentions in the above instructions that there is a couple of ways to do this, what are these?
I would appreciate any recommendations on ensuring there is no scenario where the VPN Hosts could access the internet directly (even by ICMP etc).
Thanks
I need to ensure that the VPN kill switch is solid. It mentions in the above instructions that there is a couple of ways to do this, what are these?
I would appreciate any recommendations on ensuring there is no scenario where the VPN Hosts could access the internet directly (even by ICMP etc).
Thanks
3
24.7 Production Series / Re: Firewall log full of internal ICMP
« on: October 11, 2024, 06:15:42 pm »
Thanks for your help, found it
4
24.7 Production Series / Re: Firewall log full of internal ICMP
« on: October 11, 2024, 05:48:55 pm »UseCode: [Select]tcpdump -i <interface> -n -e icmp
to find the source MAC address and look up the vendor prefix here:
https://www.macvendorlookup.com
That should give you a hint about the device. You have a misconfigured $something connected to your network.
Thanks for reply, what am i doing wrong here? it's on the LAN interface...
root@OPNSense:~ # tcpdump -i LAN -n -e icmp
tcpdump: LAN: No such device exists
(No such device exists)
root@OPNSense:~ # tcpdump -i "LAN (bridge0)" -n -e icmp
tcpdump: LAN (bridge0): No such device exists
(No such device exists)
I tried lowercase etc as well
5
24.7 Production Series / Firewall log full of internal ICMP
« on: October 11, 2024, 04:10:29 pm »
Hi, I've noticed according to the firewall log an internal address is trying to ping itself constantly! This is very strange. See attached
My network is 192.168.0.1/24. I've checked ARP table and it only shows 192.168.0.x addresses as expected. Also checked routes and there is nothing for anything 10.x.x.x.
I wondered if it was something to do with VPNs, so I actually disabled both the OpenVPN and WireGuard services and its still continuing.
I downloaded the config XML and searched for 10.67.28.140 and 10.67 in and there is nothing found.
I don't have many plugins just ntopng.
Any ideas?
Thanks
My network is 192.168.0.1/24. I've checked ARP table and it only shows 192.168.0.x addresses as expected. Also checked routes and there is nothing for anything 10.x.x.x.
I wondered if it was something to do with VPNs, so I actually disabled both the OpenVPN and WireGuard services and its still continuing.
I downloaded the config XML and searched for 10.67.28.140 and 10.67 in and there is nothing found.
I don't have many plugins just ntopng.
Any ideas?
Thanks
6
Virtual private networks / Re: WireGuard setup blocking access to clients
« on: September 20, 2024, 06:28:19 pm »
Yes i've done that, I called it WG_Home, see attached...
Also I'm on 24.7.4_1
Also I'm on 24.7.4_1
7
Virtual private networks / WireGuard setup blocking access to clients
« on: September 20, 2024, 06:00:30 pm »
Hi, I've been through the instructions https://docs.opnsense.org/manual/how-tos/wireguard-client.html several times and think I have set it up exactly the same but when a client/peer connects they can't access the internet or any local resources.
In the firewall log there is blocks so the rule to allow WG_Home isn't working for some reason, I don't understand why?
Also there is some errors in the WireGuard log file. See attached screenshots.
Any ideas?
Thanks
In the firewall log there is blocks so the rule to allow WG_Home isn't working for some reason, I don't understand why?
Also there is some errors in the WireGuard log file. See attached screenshots.
Any ideas?
Thanks
8
Web Proxy Filtering and Caching / Re: Website domain name block not working
« on: December 14, 2023, 05:24:23 pm »
Which destination field? It is in that in the rule
9
Web Proxy Filtering and Caching / Website domain name block not working
« on: December 14, 2023, 03:56:24 pm »
Hi, I want to block certain website domains for the whole network. I've setup bbc.co.uk as an alias and created an alias with it added called Blocked_Internet_Sites. I've created the rule in LAN above the other rules but its not being blocked. FIREWALL: DIAGNOSTICS: ALIASES shows the bbc.co.uk IP addresses.
Please see attached screenshots. What have I done wrong?
Thanks
Please see attached screenshots. What have I done wrong?
Thanks
Pages: [1]