Messages

Hi everyone,

this topic has become a bit too much for me and I have found the limits of my understanding here.

The short version is that I have two OPNsense firewalls with CARP, which I "accidentally" found out is working properly ;-) I also have two internet routers, one with fiber internet, one with LTE/4G as backup internet.

The backup internet connection worked properly until I configured the HA system. Now, I cannot ping the backup LTE router from my internal network or from the OPNsense. This draws the conclusion that something is wrong with the NATing, seeing also that I had to perform changes there during the HA setup and that there needs to be NAT happening because the LTE router is in a different network.

For easier understanding, I tried to visualize this - see the attached screenshot.

I thought that maybe I just needed to add the LTE WAN in outbound NAT like the Fiber WAN, but that did not help - screenshot attached.

Now I'm lost where to look or what to do ... I'm unconscious of changes that would be necessary in regards to firewall rules, so although I have not attached a screenshot, you can expect that I haven't changed anything there.

I used this guide to setup my high availability system: https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration

I really hope someone out there can help me. During my miserable attempts, I killed the main firewall's config (thereby finding out that the aväilability part works).

Thanks a lot in advance. Your help is highly appreciated!

Hi guys,

Quick question: I have several allowlisted domains in my unbound blocklist config, eg WhatsApp and YouTube which otherwise won't work with some lists.

The allowlist becomes kinda cluttered and I'm wondering if there's a chance I could set up my own list somewhere, eg github, where unbound can retrieve the list.

I googled for unbound feature request, but didn't find anything suitable. Any idea where I could forward this to?

Thanks a lot in advance!

When I connect via the official Wireguard client on my Mac Book it appears to be working. However I am unable to access any ressources, neither internal ones (10.0.1.0/24) nor any public ones like 9.9.9.9 for DNS or any URLs.

Hi Tom,

I found that this might be a false-positive. My Windows app always shows "connected" even when I enter completely wrong IPs and credentials. Have a try at that, too, to see if something changes when you enter wrong credentials.

I'll be happy to jump in on this topic. I just did the same today in my home network.

I read this guide: https://www.zenarmor.com/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense#8-enabling-wireguard-server-on-opnsense
and ofc the official OPNsense documentation, which I found of limited use as it's 90% the same as the configuration pages with a bit more text to it: https://docs.opnsense.org/manual/vpnet.html#id4

Things I don't understand:

* Inside the instance in OPNsense and Wireguard, I'm supposed to enter a tunnel address. Is this the network of the VPN? So I shouldn't use the normal LAN netwerk, but a different CIDR range? So my LAN is 192.168.0.0/21, but for the VPN I must use something else, like 10.0.0.1/24 or 192.168.10.0/24 ? Or can it be the same if I'm not depending on network isolation?

* In the peers, I must configure a PSK, but neither in the Android app nor the Windows app, there's anywhere where I should have to enter such key. I understand that the pub/priv key is kinda PKI-like, so why add a PSK as well?

* Why do peers need an allowed IP? Is this because I can set the IP address in the wireguard client, too, and they must be the same network? What is the enpoint address and the endpoint port that I need to set in the peer? "Set public IP address the endpoint listens to" - Why would the endpoint/client listen to a public address? It should be the one it connects to, but not "listen"?

* I configured a firewall rule that allows simply every traffic coming from the WireGuard group/net. (see screenshot). According to internet resources, the WireGuard (Group) interface applies simply to all WireGuard instances.

* When I do an nmap scan on OPNsense port 51820, nothing appears or at least it says "open/filtered", but does not show any service (nmap -p 51820 192.168.0.1 -sUV - yes, I did a service scan because it's UDP). It also does not work when I scan the VPN IP 10.0.0.1 of OPNsense. That seems odd. I don't see anywhere in OPNsense where I would configure that the VPN should *not* be accessible from the LAN, so it should show, I think?

If anyone cares, the OPNsense is running very smoothly at ~42°C outside the rack.

It's basically configured with unbound, ISC DHCP (which has dropped support for sometime soon ... ugh), Gateway failover ... works like a charm. I'll probably order another cheap PC as a backup machine for high availability :D

Hi,

I edited the topic post to reflect more clearly that the dns service is not reachable.

I will delete the gateway group and see if that helps or changes anything.

Bro, what the heck ... I deleted the group, disabled the LTE WAN, and it works instantly.

I guess I gotta inspect that grouping a bit more and learn about it more <3

Hi,

I edited the topic post to reflect more clearly that the dns service is not reachable.

I will delete the gateway group and see if that helps or changes anything.

Intro: I took a lot of screenshots as proof, but I can only upload 4 with a max. of 256kb. I hadn't thought such restrictions might exist here ...

Hi all,

I am experiencing some weird behaviour in my newly set up opnsense and need some help.

Background:
I have a lot of experience in networking, coming from an IT Security background and many years of penetration testing.
I want to say of myself that I understand how networking and routes work on layers 2 and 3 and 4.

My home network consists of:

• Telekom fiber modem
• My own fritz box that connects through the fiber modem. As far as I understood Telekom's documentation, the modem simply converts ethernet into fiber. The fritz box does the dial in.
• I have an lte router as fall back Internet gateway.
• I use a tp link omada infrastructure at the moment. It contains a router, which is currently the main router in my network. I also have some WiFi APs and a switch from tp link, but that's unnecessary for my issue.
• I also use a pihole for dns, installed on an ordinary raspberry pi.
• My network is 192.168.0.0/21, because I wanted some more space in my lan for all different kinds of devices.
  
• I bought a mini computer and installed opnsense on it, and want to swap, at some point in the future, the omada infrastructure to opnsense (and a different WiFi vendor).

What I have done so far:

I installed opnsense, configured the two gateways, formed a group for fail over, imported DHCP from omada, enabled dhcp. Up to that point, everything works nicely.

The IP addresses look like this:

• Fritz box, WAN: 192.168.178.1
• Omada router, WAN port: 192.168.178.2
• Omada router, lan port: 192.168.0.1
• Pihole: 192.168.0.253
• Opnsense, WAN: 192.168.178.3
• Opnsense, LAN: 192.168.4.254

The ipconfig on my computer looks like this, nothing manually set, everything comes from DHCP.

(image missing)

Now I wanted to remove the raspberry pi from the equation and enable dns in the opnsense. Here, I got stuck and the oddities begin, or became obvious:

When I do tracert 192.168.4.254, I see three hops:

• 192.168.4.254
• 192.168.0.1
• Some entry point at my ISP

When I do tracert on any other address, I get 1 hop straight to the target.
It is the same in a linux machine, by the way.

See attachment "tracert.png"


Second weird thing: the DNS port appears as filtered/unavailable in nmap.
(image missing)

Other ports on the firewall are open, e.g. 80.
(image missing)



If port 80 wasn't available, I couldn't configure the opnsense, anyway.
(image missing)


Third strange thing: When I try to manually set the DNS server in Windows via nslookup (nslookup google.com 192.168.4.254), I see this result in the firewall logs of opnsense.
(image missing)

I have no clue why it would show the WAN network IP, 192.168.178.3, as outgoing, and the LAN network IP, 192.168.4.254, as incoming, because the request never should have left the LAN network at all.

Now, you might be wondering if I made a mistake in the firewall rules, but I in fact did not do anything there yet. When I got stuck, I added the rule to allow port 53/UDP from anywhere, but I just added this because it didn't work.

See attachment "firewall rules.png".


Unbound does listen on port 53, I did not change anything in the config there.

(image missing)

When I go to the diagnostics, I see that the opnsense can itself perform DNS requests "to the internet" and get information.

(image missing)

The service is also running, it's not stopped or anything.

(image missing)

I have asked two colleagues whom I appreciate as keen IT experts, but none found an immediate error here of what I'm doing wrong, so I'm really looking forward to your replies! :-(

Thanks a lot in advance <3

Edit: so, the problem is: dns is not accessible from the LAN network. Dns does work, as the diagnostics show that the opnsense can resolve external domains, but the service is not reachable from other devices.

I would advice before you do anything start to do with the device to check the BIOS for P1 & P2 values, and set the accordingly to the CPU W values. I have N5105 and its P1 P2 were over the moon had to set them correctly, got much more better thermals.

Also in regards of Patrick's advice of the fan. I did yesterday Install a 140mm low profile FAN from Arctic (ARCTIC P14 SLIM PWM PST - basically put it on top of the chassis finstack). You see my FW is in a small rack, which doesn't have much clearance thus temperature in the rack tents to keep constantly high. The FAN decreased the Temps on the Device around 20C. See the picture.



Regards,
S.

That's kinda insane brother! I have a small rack, too, so will Definitely do that, too. Heat is an issue in there anyway, but the case had cost 150€ and the vendor's proprietary fan costs 180€, so...

Interesting additional information. You guys are awesome! I've added one such fan to my amazon cart and will look for temp rise! I don't expect I can underclock the CPU? It's probably doing that on its own anyway these days?

Missed the LTE part, sorry. Then buying used is probably the only option to meet your price limit.

Hihi, ok, no problem! Thanks anyway!

I've ordered that aliexpress device for the 140$. Let's see what it does 🤣

You don't need four ports. An unmanaged 5 port gigabit switch can be found for 20€ or less.

https://www.mediamarkt.de/de/product/_d-link-dgs-105gle-desktop-switch-5-2777423.html

How would I realise a fail over Internet connection with 2 WANs with a switch instead of two NICs? How would the firewall/router know how to connect to the Internet?

that´s a arm device, go for x86

have you searched, one of the most asked questions...

anyhow, any old pc with a extra nic(intel) will work
or aliexpress..there are boxes under 200$ that will work

I read the first few topics here, which were quite advanced, so I thought I'd ask a quick question. It seems I can't get much Lower than 200€...

Do you also think 4gb memory and 32-64 GB SSD is enough? I would search the Internet for such devices, then...

A Protectli FW2B with 4G of memory and a 32G or 64G SSD is 200-ish and probably as low as you can get if you want to buy new.

https://protectli.com/product/fw2b/

Used mini PCs from e.g. eBay are an alternative. Just make sure there's a PCIe slot for an additional network interface (or 2 interfaces on board to begin with) and the interfaces are Intel, not Realtek!

The device with 4 ports (1 lan, 2 WAN) is at 280$ +60$ shipping to Germany :-( total price is 337$, about 300€. That's way too much for me :-( I can order the same device on Amazon Germany too, for 340€ :-D

Hi all,

I am currently using tp link omada's router/firewall and am very unhappy with a few shortcomings of the system, eg almost zero reporting upon errors, slow interface, no dns (what the f?)... So I want to test a different system. I think opnsense would be quite suitable for me. I have some knowledge of networking and have worked in a, let's say, related field. I don't need fancy, hardware consuming things like proxy or deep packet inspection, and I only have 3 users apart from an extensive smart home. I have a fail over wan requirement as I'm on LTE (separate router) and FTTH because I need to reliantly be able to work from home. I also want the Web interface to run smoothly, so even if firewall-ing and routing would run smooth, that's also a requirement, if that makes sense or is relevant 😊

Now I'm looking for some cheap hardware that's not making my purse explode 😆 I thought a pi5 would be interesting, but seeing that arm support is limited, maybe some other SoC board? I would like to stay below 100€. If that's not possible, 200€ would be ok-ish. I see a lot of fancy hardware on amazon for 200-300€ with nvme and extensive ram that's larger than my gaming computer. I don't need virtual machines on that device or the like, so I pretty much think it's overkill to have that.

I'd be really grateful if I could get some a dvice from you folks who have much more knowledge of the system requirements than I do!

Thanks a lot in advance

Edit: maybe something like this? I BANANA PI R3 Banana Pi Router 3, 4x 2GHz, 2GB, 5x 1 Gbit, - - - https://www.reichelt.de/banana-pi-router-3-4x-2ghz-2gb-5x-1-gbit--banana-pi-r3-p347958.html