Messages

Here are my firewall rules:
Of course there are the automatically generated rules (not sure if there is an easy format I can extract these settings, so I am not typing them out)

Protocol: IPv4 TCP
source: *
Port: *
Destination: LAN address
Port: 443
Gateway: *
Description: Anti Lockout

Protocol: IPv4 TCP
source: *
Port: *
Destination: LAN address
Port: 80
Gateway: *
Description: Anti Lockout

Protocol: IPv4*
source: LAN net
Port: *
Destination: LAN address
Port: *
Gateway: *
Description:

Protocol: IPv4*
source: !VPN_Exceptions(list containing PS5 ip)
Port: *
Destination: LAN address
Port: *
Gateway: NORDVPN_VPN4
Description: Route all normal traffic through VPN

Protocol: IPv4*
source: VPN_Exceptions(list containing PS5 ip)
Port: *
Destination: LAN address
Port: *
Gateway: WAN_GW
Description: Route PS5 traffic through normal gateway

My OpenVPN settings:
Description: NordVPN
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP4
Device mode: tun
Interface: any
Remote server: be185.nordvpn.com port 1194 (and many other servers)
Select remote server at random -> checked
Retry DNS resolution --> checked infinitely resolve remote server
proxy authentication extra options: none
Username and pass --> is correct as VPN is working
TLS Authentication: Enabled - Authentication only
TLS Shared key -> copied from configuration NordVPN guide
Peer Certificate Authorisy: NordVPN_BE189_CA
Client Certificate: None (Username and Password required)
Encryption algorithm (deprecated): AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only
Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)
don't add/remove routes --> checked
Advanced:

Code Select Expand

remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;Verbosity level: 3 (recommended)

Hi all,

I've got NordVPN setup through openVPN. This works absolutely great, but after a random amount of time, the connection fails.
OpenVPN starts spamming: write UDPv4: Can't assign requested address (fd=7,code=49)

What I can find that there is some routing issue, clogging up OpenVPN, a restart is then required. But because my DNS goes through a PiHole. resolving the VPN hostname does not work. So everytime I end up disabling firewall rule for VPN. Making sure I have connection again. Then re-enabling firewall rule for VPN access.

Main question is how can I prevent the upper error from OpenVPN, so I don't have a random blackout? Or a way, that I can recover from this faster.

Ok so if I think I set it up as you suggest, with the VPN_Exceptions containing my IP.

I was checking my public IP on the shield, but it was still showing the same as the VPN one. How does the last rule know it needs to take the regular PPPoE GW instead of the VPN?

Hi all,

I was succesfull setting up NordVPN on all my network devices, but I am having issues with services like Netflix/Disney+. My Nvidia shield has a fixed IP address, which I want to bypass the VPN

Firewall rules that are currently working:
LAN net to destination LAN address , to allow all internal traffic (standard)
LAN net to gateway NORDVPN -> to move all LAN traffic through the VPN

To fix this, I tried using aliases but this does not seem to work for me.
alias_VPN_pass to gateway NORDVPN -> to move all LAN traffic except the shield through VPN
alias_VPN_bypass to gateway WAN_GW -> to move only shield traffic outside of VPN

VPN_Pass is set to host with ip !10.10.1.43
VPN_bypass is set to host with ip 10.10.1.43

But this does not seem allow traffic at all. Can someone point me in the right direction to resolve this?

Hi all,

I installed a Mellanox MCX354A-FCBT dual 40Gbit card in my super micro X9. But I am having troubles getting the interface to show up in OPNsense.

I followed:
https://www.routerperformance.net/opnsense/mellanox-connecx-management-in-opnsense/


I followed the instructions and edited /boot/loader.conf.local. After a reboot the card seems to be detected.

Code Select Expand

mlx4_core0: <mlx4_core> mem 0xdfa00000-0xdfafffff,0xde000000-0xde7fffff irq 17 at device 0.0 on pci2
mlx4_core: Mellanox ConnectX core driver v3.7.1 (November 2021)
mlx4_core: Initializing 0000:02:00.0

From the guide it says, you can already change interfaces, but nothing is detected yet. Therefore I wanted to check the firmware on the cards.
I downloaded the latest firmware tool version, which seems to be 4.29.0-131

I can install everything fine, but when I try to run the following command

Code Select Expand

~/mft-4.29.0-131 # /usr/bin/mst status

I get permission denied, I already tried CHMOD on files inside mft folder and mst, but keep getting permission denied.

If I just run:

Code Select Expand

mst status
I just get:

Code Select Expand

MST devices:
------------




Most recent related post I could find was:
https://forum.opnsense.org/index.php?topic=31218.0
This was running on 22.7, currently I am on 24.7.3
Did anything change in between versions?

Anyone, any idea why the command doesn't work anymore?

All is solved and understood now I guess.
As my current install is 24.7.3, my Unbound DNS was enabled by default, this causes the first DNS server to be the gateway itself. When it is disabled I get the bare DNS servers set up in the System>Settings>General.

Thank you for the help and advice.

So I did find a "rogue" pihole docker floating in my synology, I disabled that, but didn't change anything as it was still setup on my old 10.10.1.0/24.

I also decided to isolate the rest of my network by plugging my desktop directly in the LAN interface of opnSense. That did not help

So I put the DNS settings in the general tab and started to play with settings again. On my test devices I kept getting 18.8.88.1 as the first DNS server and 8.8.4.4, eventhough my first one set up was 8.8.8.8

Under Services>Unbound DNS>DNS over TLS, I checked the setting "Use System Nameservers", this seems to work. My test devices still receive 18.8.8.1 as the first dns, but somehow get translated to 8.8.8.8

So anyway, it seems all my clients work. Except opnSense itself.
When I try to synchronize the time, it won't work.
If I ping from opnSense -> 0.opnsense.pool.ntp.org -> no response
If I ping from opnSense -> 185.89.20.5 (one of the ip's behind NTP address) -> I get response

If I ping from desktop, I get a response from all. So for some reason opnSense is not talking to the DNS server itself.

Unbound is enabled and enabled by default. But does not seem to be doing much.

Just one question. Do you want your clients to use your ISP DNS servers?

I tried this before with my mikrotik setup, but couldn't automatically receive the DNS servers from the ISP, therefore I am fine with using the Google DNS servers. I will get a pihole in place in the future, once everything is normally running.

Hi all,

First of, I just started with opnSense, so forgive me for any stupid question, I've searched around but can't quite find a topic with a similar issue.

I have installed opnSense on a seperate server with 2 LAN interfaces, 1 configured as WAN and 1 as LAN.
The WAN is setup with PPPoE and makes a succesful connection with the ISP (getting public IP)
The LAN is setup as IPv4 DHCP, which works fine.
My gateway IP is 18.8.88.1

It was my understanding that DNS servers would be setup under system>settings>general.
So I setup 2 servers 8.8.8.8 and 8.8.4.4

But when I check my clients the first DNS server they receive is 18.8.88.1 (which is the gateway) and second is 8.8.8.8, therefore they are not getting any DNSlookups and fail to connect to most of the internet.

The only way I was able to get my clients to connect is to head over to Services>ISC DHCPv4>[LAN] and enter the DNS servers there.

This way all my clients get the correct DNS servers, but it seems my gateway itself does not receive the correct DNS server, because it is not part of the LAN DHCP (I guess).

What is the correct way to setup DNS for all my devices in my configuration. I hope someone can steer me in the right direction. Thanks in advance.