Messages - House Of Cards

#1
Should all my redirect rules point to that port, (HTTP, HTTPS)?  I feel like I might have tried that.

EDIT:  I changed the DNS rule to 9053, and the HTTP/S rules to 9040.  Same behavior.  I have another port forward rule for DNS lower in the rules list for those devices that try to bypass my hardwired DNS, but that shouldn't be blocking anything from the TOR rules, as they are on top in the Port Forward rules.
#2
Happy Thanksgiving,

I've been wanting to mess with TOR for a while, but always get frustrated trying to set it up.  No matter what, it just never seems to work no matter what guide I follow, and I'm hoping someone can steer me to what I'm doing wrong.

Right now I have the TOR plugin installed, service is running, and the configuration for the plugin is listening on the LAN interface.  The transparent proxy is enabled, port 9040, DNS port 9053.

There is a VLAN called TOR as opt4 vlan01 with a static IP set of 172.16.200.1.

I created NAT port forward rules in the screenshot, and there are matching rules showing in the LAN rules.

I'm probably just completely turned around on this, and trying to follow online guides, most of which are written for people with more understanding, and many are likely completely outdated.  Can someone point me to what is wrong here?  If I enable these rules, web pages don't open, they just time out.

Thanks!

#3
There haven't been any updates on this, but the problem persists.
#5
Also, I have completely disabled the IPv6 gateway so that only IPv4 is active, and the internet works fine even though it's reporting 100% packet loss on that gateway.  As if I'm browsing offline with 100% packet loss.
#6
I tried the suggestion of setting the Monitor IP to the address of the modem itself, and it shows online again.  However, that doesn't indicate the internet is working, so I switched back to 1.1.1.1 and it's offline again.  Tried 8.8.8.8 also, stays offline.
#7
It didn't hold up.  WAN shows 100% loss for days now, having never recovered again.  I show DHCP6 online for the last week.
#8
Today, for no reason whatsoever, the IPv4 gateway now shows no packet loss, but the IPv6 gateway is still offline.  I haven't changed the configuration, but it just recovered all on its own.  I have no idea...  Let's see if it holds up.
#9
Maybe some strange and obscure issue because of the double NAT that cellular internet causes?  But it always worked until now, so I suspect something changed on the OPNsense side.
#10
They seem to be there...  I've always had this set to automatic, and this is what is there...
#11
Here you go.  1.1.1.1 has always been set as the Monitor address.
#12
It's configured via DHCP, and is from a cellular modem.

I can ping 1.1.1.1 from a PC on the network, and the firewall is processing rules and traffic.  Yet, the gateway monitor reports the network as offline with 100% loss.  There have been no configuration changes, just the upgrade.  Any specific configuration you need to know?

Thanks for the help...
#13
Immediately after the upgrade to 25.7, both of my gateways show "100% Loss" in the widget, and the log has numerous "Warning dpinger WAN_GW 1.1.1.1: sendto error: 65" messages.  I've tried rebooting the router, rebooting the modem, restarting services, etc...  In all different orders.  All I managed to do was go from the initial IPv4 gateway showing 100% packet loss to both the IPv4 and IPv6 gateways showing 100% loss.

I can browse, so the internet is working.  Been working for years, until the moment I upgraded.

Any ideas what could cause this?
Thanks.
#14
Thank you for the help!
#15
Thanks,

I just want to make sure my understanding is sane...

I'm setting rules for things that pass as normal, and the reason I was doing it this way is to allow me to log the redirection rules to see which devices are trying to circumvent my internal NTP (and DNS, etc...). If a device is requesting something from my internal servers, fine...  They pass with no problems.  If something hard codes a different server, I want a log entry saying so.

That's my thinking, I just want to make sure this makes sense in terms of normal firewall procedures.  I figured I'd ask to see if there was anything wrong with doing it this way...

So I'm assuming this is fine functionally?  Thanks for the advice, I'm by no means an expert.  Better to get second opinions.   8)