Messages - FredFresh

#1
24.7, 24.10 Production Series / Re: Firewall live view
January 05, 2025, 02:23:01 PM
Ok, I found the issue... I am not sleeping enough: I left the VPN client active on the PC, so everything was routed through that before reaching the OPNsense.

Disabling it, the printer was reachable again and the live view was working again (even without flagging the log option on the single rules).


Next time that the live view doesn't show everything as usual, I will try to activate the log flag on every rule and double check if it does resolve the issue.

Thank you @Seimus
#2
24.7, 24.10 Production Series / Re: Firewall live view
January 05, 2025, 01:31:21 PM
Hi, I am referring to the tab itself.
Until some time ago it worked perfectly, now I do not know what happened.

I implemented many rules at Floating level, but I think those shouldn't affect the Live view page (or not?).

My understanding is that the live view shows any communications passing through the interfaces.
#3
24.7, 24.10 Production Series / Firewall live view
January 05, 2025, 12:55:32 PM
Hello,
since the last update to 24.7.11_2, the firewall live view doesn't show a lot of information that was shown before.
For example if from my PC I try to ping the printer, I see nothing on live view (also filtering by source or destination).

Am I missing something? Maybe I changed some settings?
This is a huge problem for me as this is the main tool I use to identify blocks in the internal network.

Thanks a lot
#4
Hello, I successfully installed ntopng and created the script to download the GEO data from Maxmind.

Now my question is: how can I schedule the automated run of such script and forget about it?

Thanks
#5
I changed configuration, switching from the gateway group style (suggested by OPNSENSE documents to manage wireguard connections) to a WAN gateway style (wireguard gateways are now eligible as default/active WAN routing).

The issue is greatly mitigated, but sometimes still happens. In my case, the switch off/on of the offline gateway is not enough, I have to perform 1 or more TRACEROUTE to the gateway address (i.e. 10.2.x.y).

The other thing I observed is that, in case I switch off/on the modem, half of the time the public IP of the main WAN gateway is not updated and I have to force an update using interfaces/overview/commands/reload button.

@pjw, are you using gateway group?

PS: I forgot to mention that with the new configuration, the switch between one connection/wireguard VPN and the other is immediate, instead before it required up to 5 minutes.
#6
The problem identified was the change in the format of blocking lists I use with Unbound dns, I tried to switch from the usual "asterisk wildcard" to the RTP format.

The second is not compatible and as a result, the firewall started to randomly call the addresses reported inside (one of the lists is referred to DNS services).

I restored the old format, and (for now) everything seems to be back to normal.
Thanks
#7
Hi newsense, thanks for the reply. I agree with you in general terms, but my main problem here is that I can't understand the originator of these dns calls.

I found also that performing a ping from opnsense is not reported inside the live log of the firewall... Am I missing something? I expected to see any connection inside the live log and see every dns request inside the unbound report page.

I believe that these calls are done by the firewall itself (maybe they are the repositories of filtering lists), but I cannot see these requests (and investigate) either in the unbound reporting or in the firewall log. I can instead find them inside the services/unbound dns/log file.

I remember that before the Logs collected also the connections initiated by the firewall itself (maybe I am wrong).

Many thanks.
#8
Since a couple of days I see the following behaviour:

- on external DNS servers (i.e. cloudflare, nextdns, ...) there are multiple requests pointing to other DNS servers all around the world;
- the ID source of these calls is the Unbound server within the OPNSENSE;
- looking at reporting/unbound dns/details there is no record of any of such calls;
- looking at services/unbound dns/log file there are records of such calls but I can't identify the source yet;
- trying to get the IP behind such dns servers and check the firewall log, still gives no answer.

Some of the addresses are: dns4me.net, dns.0x55.net, dns.0ooo.icu, dns-gcp.aaflalo.me, dns.688447.xyz ...

Strange thing is that I blocked bing.com in the blacklist of Unbound DNS, but I still see requests on the external DNS server.

Any hint about how to proceed? Thank you
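Post #8 above reports unexpected outbound queries from Unbound, and post #6 traces them to a blocklist that was switched from the usual "asterisk wildcard" style to what the post calls the RTP format (presumably RPZ, Response Policy Zone, which is an assumption here). The following is an added example, not code from OPNsense, Unbound or the poster: it classifies each line of a list as plain/wildcard/hosts style or RPZ, reports the names the list would block, and lists the lines a loader for the other family would not read as a block entry, so a list can be validated before it is fed to the resolver. The two sample lists are constructed; the RPZ record forms (`CNAME .` for NXDOMAIN, `CNAME rpz-drop.` for drop, `CNAME rpz-passthru.` for allow) follow the RPZ convention.

```python
"""Classify DNS blocklist lines (plain/wildcard/hosts style or RPZ) and
report lines that the intended loader would not read as block entries.

Added example, not OPNsense or Unbound code. Sample lists are constructed."""
import re
from collections import Counter

# Constructed sample: the "one name per line" family (wildcard, plain, hosts).
WILDCARD_LIST = """\
# constructed wildcard-style list: Unbound blocks these names
*.ads.example
tracker.example
0.0.0.0 telemetry.example
"""

# Constructed sample: the same names as an RPZ (Response Policy Zone) file.
RPZ_LIST = """\
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 604800 300
  NS localhost.
; constructed RPZ sample: CNAME . means NXDOMAIN, rpz-drop. means drop
ads.example CNAME .
*.ads.example CNAME .
tracker.example CNAME .
telemetry.example CNAME rpz-drop.
"""

LABEL = r"(?:\*|[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?)"
DOMAIN = rf"(?:{LABEL}\.)+[a-z0-9-]+\.?"
HOSTS_RE = re.compile(rf"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+({DOMAIN})$", re.I)
DOMAIN_RE = re.compile(rf"^({DOMAIN})$", re.I)
RPZ_RE = re.compile(rf"^({DOMAIN})\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)
RPZ_HEADER_RE = re.compile(r"^(?:\$TTL|\$ORIGIN|@\s|NS\s|\S+\s+(?:IN\s+)?(?:SOA|NS)\s)", re.I)

# RPZ CNAME targets that block; rpz-passthru. is an allow action, so it is not listed
RPZ_BLOCK_TARGETS = {".", "*.", "rpz-drop."}
FAMILY = {"domain": "plain", "hosts": "plain", "rpz": "rpz", "rpz-header": "rpz"}


def classify_line(line):
    """Return (kind, name, target); kind is blank/domain/hosts/rpz/rpz-header/unknown."""
    text = line.split("#")[0].split(";")[0].strip()  # '#' and ';' start comments
    if not text:
        return ("blank", None, None)
    if RPZ_HEADER_RE.match(text):
        return ("rpz-header", None, None)
    m = RPZ_RE.match(text)
    if m:
        return ("rpz", m.group(1).lower().rstrip("."), m.group(2).lower())
    m = HOSTS_RE.match(text)
    if m:
        return ("hosts", m.group(1).lower().rstrip("."), None)
    m = DOMAIN_RE.match(text)
    if m:
        return ("domain", m.group(1).lower().rstrip("."), None)
    return ("unknown", None, None)


def detect_format(text):
    """Majority family over non-blank lines: 'plain', 'rpz', or 'empty'."""
    counts = Counter()
    for line in text.splitlines():
        kind = classify_line(line)[0]
        if kind in FAMILY:
            counts[FAMILY[kind]] += 1
    return counts.most_common(1)[0][0] if counts else "empty"


def blocked_names(text):
    """Names the list would block, whatever its format (RPZ allow actions excluded)."""
    names = set()
    for line in text.splitlines():
        kind, name, target = classify_line(line)
        if kind in ("domain", "hosts") or (kind == "rpz" and target in RPZ_BLOCK_TARGETS):
            names.add(name)
    return names


def mismatches(text, expected_family):
    """Lines a loader for `expected_family` would not read as block entries."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify_line(line)[0]
        if kind != "blank" and FAMILY.get(kind) != expected_family:
            bad.append((lineno, kind, line.strip()))
    return bad


if __name__ == "__main__":
    for label, text in (("wildcard list", WILDCARD_LIST), ("rpz list", RPZ_LIST)):
        print(f"{label}: detected {detect_format(text)}, blocks {sorted(blocked_names(text))}")
    # Feeding the RPZ file to a plain-list loader: every non-comment line is rejected.
    for lineno, kind, line in mismatches(RPZ_LIST, "plain"):
        print(f"  line {lineno} ({kind}) is not a plain-list entry: {line}")
```

Running `mismatches(list_text, "plain")` before pointing Unbound at a new list URL shows immediately whether the file is zone-file syntax rather than one name per line; an empty result for the family you configured is what you want to see.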
#9
@dseven thank you!
I had to change something but finally I was able to route everything (in this case only the unbound dns was missing) through the VPN gateways.
To do so I had to set the VPN gateway as default gateway but the involved flags are two:
- system-configuration-VPN gateway- flag on "Upstream Gateway" (and set a priority number lower than WAN gateway)
- system-settings-general- flag on "Gateway switching"

This way the VPN gateways become eligible as default gateway and everything is routed through that.

From previous configuration:
- kept the NAT rules for the VPN Gateways;
- removed the gateway group used to manage the multi-wan (now directly managed in the main gateway page);
- updated the internal subnets firewall PASS rules to the default gateway.

Please, if you think of any error /suggestion, let me know.
#10
24.7, 24.10 Production Series / Re: default gateway
November 24, 2024, 08:33:33 AM
Hello, I try to clarify my question: setting the VPN wireguard connection as a default gateway, only the traffic toward the external will go through that OR I have to create specific firewall rules to route the traffic between internal subnets or to the internal unbound dns server?

Thanks
#11
24.7, 24.10 Production Series / default gateway
November 23, 2024, 06:13:18 PM
Hello, I am trying to forward the DNS requests passing through the WAN to the VPN gateway.
I was not able to create a working system using the outbound NAT + firewall rules. Instead I was able to set the VPN gateway as the default one (and have the dns queries go through it).

Does this method have any bad effect? To be considered that I want all the clients to go through that VPN.

Thanks
#12
Today I will try again to set an outgoing rule from wan to redirect the dns queries towards the vpn gateway.
It seems that the query is properly redirected but i do not understand what is missing...should I create a NAT rule as done for the internal lan towards the VPN gateway?
#13
I do not understand how this could resolve the routing issue through the vpn.
That settings only specify the external dns ip...isn't it?
#14
24.7, 24.10 Production Series / Re: Unbound through DNS
October 27, 2024, 02:19:30 PM
Additional info: I also tried to select the outgoing interface (within unbound dns settings) but it has no effect. I also restarted the firewall, but no effect.
#15
24.7, 24.10 Production Series / Unbound DNS through VPN
October 27, 2024, 02:09:31 PM
I am trying to forward all the traffic outgoing from the WAN interface to a gateway group (that has inside 3 wireguard VPNs and, as last priority, the WAN interface itself).

The three wireguards are used only for outgoing traffic (provider is Proton) and are properly working.
I just miss the last step to forward what is processed directly by the firewall and go outside through the WAN, like the unbound dns external request.

I am using an external DNS provider with Unbound DNS (not the one provided by the VPN provider).

I have been trying for several weeks and read multiple forums/posts but no real solution was defined.

I read several times the opnsense guide about the DNS leak, but I do not understand what they suggest in a case like mine.

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html  I think the points 3 or 4 of the DNS leak paragraph.

Was anyone able to achieve this?