Messages

I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?

If it is already blocked by the FW rule, it does not need to be diverted further.

Right but what about port forwarding? How you handle these? They do not seem to have direct to...

Hi all,

great post. I have two small questions too.

1) What will happen for Nat Forwarding (now called "Destination NAT" in 26.1)? How you sent the traffic from these rules to suricata?

2) I only have 3 rules in my wan interface? One Block (For blocking traffic from Asia countries) and two rules for allowing openVPN and Wireguard. I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?


EDIT: PS. I have migrated my rules to the new Rules (New) section and delete all my previous rules.

Thanks maverickcdn for all the help and patience. I have tried many different things and tweaks (even undocumented) but notihing seems to work. In the past I have been able to successfully setup more than once openvpn server using tap and it was always successfull (after troubleshooting for a few hours of course like you)

This time however it seems impossible. Documentation and help suggest that it could work but it simply does not. I successully manage to have my clients connected but the correct routing table is simply not being build/sent to the clients and therefore no client can communicate with the internal network.

I am not sure what could the issue and how to fix it so for now I will stop and stick with the legacy version until I have some more info about where the issue could be hiding.

Again thank you for the help.

Hi maverickcdn,

my overview is actually similar to yours, I have OPT1 and OPT2 (connected to physical ports) which are part of the bridge0 (LAN) . My OPT1 and OPT2 are on the same LAN but I have other VLAN interfaces (OPTx) which have parent interface the first physical port which is the main connection to my internal switch that connects my LAN network. The VLANs are only being used from the Wifi access points so I have no need for now to add different subnets on the OPT1 and OPT2 so both of these are just part of the same LAN.

ovpns1 is the old VPN that works. This  is not assigned to anything in assignments but it does shows the correct subnet in overview. When I switch to the new OpenVPN instance I see the new ovpns2 interface but under Overview I see no ip subnet. As I explain before I tried assigning the ovpns2 interface in Assignments, created same or even more relax firewall rules similar of the old openvpn instance, assigned ovpns2 to the bridge0 along to the OPT1 and OPT2 interfaces, added a dhcp service on the openvpn interface etc but the best I could reach was to get the openvpn clients assigned the ips from the openvpn subnet.

Every time I try to traceroute something on my main LAN from an openvpn client I see the traffic never reach my LAN. Not sure if the issue is firewall or something else but I will try to create everything from scratch again and see if that solves the issue.

Is there a guide somewhere about how to create an openvpn instance (new version of openvpn) on opnsesnse that I missed?   

Hi maverickcdn,

my overview is actually similar to yours, I have OPT1 and OPT2 (connected to physical ports) which are part of the bridge0 (LAN) . My OPT1 and OPT2 are on the same LAN but I have other VLAN interfaces (OPTx) which have parent interface the first physical port which is the main connection to my internal switch that connects my LAN network. The VLANs are only being used from the Wifi access points so I have no need for now to add different subnets on the OPT1 and OPT2 so both of these are just part of the same LAN.


ovpns1 is the old VPN that works. This  is not assigned to anything in assignments but it does shows the correct subnet in overview. When I switch to the new OpenVPN instance I see the new ovpns2 interface but under Overview I see no ip subnet. As I explain before I tried assigning the ovpns2 interface in Assignments, created same or even more relax firewall rules similar of the old openvpn instance, assigned ovpns2 to the bridge0 along to the OPT1 and OPT2 interfaces, added a dhcp service on the openvpn interface etc but the best I could reach was to get the openvpn clients assigned the ips from the openvpn subnet.

Every time I try to traceroute something on my main LAN from an openvpn client I see the traffic never reach my LAN. Not sure if the issue is firewall or something else but I will try to create everything from scratch again and see if that solves the issue.

Is there a guide somewhere about how to create an openvpn instance (new version of openvpn) on opnsesnse that I missed?   

Thanks for the info. What is different is my setup is that I did not created the extra bridge to connect the LAN bridge (that contains the interfaces with the physical links) and the VPN bridge.  What I did was to add the vpn interface to the existing LAN bridge but it did not work. Will that make any difference?

Also I notice that you do not have anything in the "Local Network" under Routing. Here I have the the networks that would be accessible and should be pushed to the client(s). It is somehow counter intuitive since the way I understand it this is the way to push the actual routing to the client (or perhaps I am wrong)?

I do not see anything other that can fix the issue I am having. Do you have any idea?

I came from another platform after the now legacy mode was destined to be removed and don't know anything about it so I setup a working config (for me) by bridging (frowned upon it seems) the TAP interface and my LAN interface to a bridge where the bridge is the host network.  Whether this is the correct way or not it works great for my needs, if you want more details of my config let me know.

Just finish testing openvpn by adding it to the bridge of my LAN. I also tried all the options that I did last time, firewall rules, TCP instead of udp, etc but the result is the same.

I came from another platform after the now legacy mode was destined to be removed and don't know anything about it so I setup a working config (for me) by bridging (frowned upon it seems) the TAP interface and my LAN interface to a bridge where the bridge is the host network.  Whether this is the correct way or not it works great for my needs, if you want more details of my config let me know.

thanks I will try it and let you know

The only thing I notice that propably is relevant is that under Interface-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route" while the old one from the legacy server does. I am guessing here if it does not get assign the proper data then it will not sent them to client later correct?

This won't show a route/address as the OVPN interface should be a member of your bridge interface along with your LAN interface for a TAP config

Is your bridge correctly setup? https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You mean add the openvpn interface as a member of the bridge LAN? No i did not do that. In the old vpn it did not have to and I never notice anywhere that in the new openvpn it needs to do that?

I have been running openvpn (legacy now) for the past 2+ years on opnsense with no issues to mention. I have configured it in TAP mode and had two clients connected to my home network remotely. 

After noticing that the openvpn is being migrate to the new openvpn instance version I decided to try and migrate everything to the new version but unfortunately I am unable to make it to work as expected. My clients do get connected to the server but after that I can not ping anything on my home lan network. If I try traceroute on any of my lan ip(s) from a client it shows that it can not find the home lan. It would seem to me that there is not routing info being sent from openvpn server to the clients.

I believe I have copied all the settings, certificates etc correctly to the new openvpn instance and I can see the service is coming up just fine. I have setup the same firewall rules and exported the clients again from the opnsense interface to be sure everything is up to date. I tried numerous different scenarios such as to assign the new ovpns to and interface, enabling that interface and setting firewall rules on that one too, creating a bridge and adding the ovpns interface to it but still nothing.

The only thing I notice that propably is relevant is that under Interface-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route" while the old one from the legacy server does. I am guessing here if it does not get assign the proper data then it will not sent them to client later correct?

Does anyone have any clue what it going on here and why the new OpenVPN Instance is working as expected? Did I miss a step somewhere and I should add something to the interface and/or route in order to make it work?

Thanks

I end up buying a pentium 8505 with 16GB ram and 4 2.5GB network ports. I think running zenarmor will still not be enough and get the full 1GB speed of my ISP but the alternative options were too expensive anyway. Will try of course the setup and see how it goes when it arrives.

thanks BrandyWine for the info. are you running zenarmor on lan as well or just suricata on the wan? how much tweak did you perform on the opnsense side after installing?

I also thinking of going with a cpu i3-1215u instead of the N150 but not sure if it is worth it.

Hi all,

I have been running opnsense for almost two years now on a fujitsu futro S920 with 8GB ram and AMD GX-222GC SOC CPU. I know this machine is not the strongest out there but it serve me well on my previous connection which was 200MB/50MB (download/upload). In that setup I was also running Openvpn, wireguard, suricata on wan in ids mode and zenarmor in LAN in ips mode. I have arround 50-60 devices connected to the internet (but most of them are IOT devices). Ok things were not ideal due to one of the nics being a realtek but still I was happy giving the amount of money put to it.

Now I have upgrade to a fiber connection of 1GB/250MB (download/upload) speed. In order to get the most of my router I replaced zenarmor with adguard and make some tweaks on the tunnables of the router. Overall I do not see the cpu gets bottleneck all the time but when I speedtest (from a wired pc directly connected to the router) I only get in the best case scenario ~850MB download. Most of the times my speed is capped at around ~550MB. Not sure if there is something I can do more to get more of my speed, I tried disabling suricata and stopping other services but the result was the same.

So I am thinking to moving to new hardware and migrating everything to a new router. I search online to either a dell/HP/lenovo SFF pc or either a ready made router from aliexpress (with N150 cpu and 16GB ram) but I having trouble figuring out whether the new system will be enough.

My requirements are:
1) Being able to get my full speed 1GB/250MB
2) Run OpenVPN for 2-3 clients (not heavy traffic all the time)
3) Run wireguard for 2-3 clients (not heavy traffic all the time)
4) Have a few VLans configured
5) Enable IPv6 in the near future
and ideally ...
6) Run Suricata in IPS mode in wan
7) Run Zenarmor in IPS mode  in LAN

Is the N150 even close enough to what I want to achieve or I need to stay clear? What is the recommended hardware for my setup? What are your thoughts on the matter?

Thanks

Phanos

Also the same. I tried updating 24.7_5 but the issue is still there.

I tested FF, chrome, Edge on Linux, Windows and Safari on iOS. Rebooted the router many times and only one browser logged in.

Clear cache many times.

No solution. I think we have to wait for opnsense team to give us an update that fixes the issue.

Thanks. I guess we are stuck with the issue until an update comes and fix it.