Messages - oezay

#1
German - Deutsch / Re: OPNsense VM on Proxmox
November 04, 2024, 08:45:57 PM
Hey, here is how I solved my setup:

1.   Two IPs at Hetzner: one IP points directly to Proxmox, the other to OPNsense. That keeps the structure cleanly separated.
2.   Proxmox gets a WAN IP and a LAN IP so that the internal and external networks are properly separated.
3.   On the Hetzner firewall I block all incoming traffic to the Proxmox IP to prevent it from being reachable from outside.
4.   For access to the internal network I establish a WireGuard VPN connection to the OPNsense. Over the VPN I can then access OPNsense and Proxmox from the inside.
5.   If the VPN access ever fails, I can allow my current IP for WAN access to Proxmox via Hetzner and still get in in an emergency.

Regards
oezay
#2
Hi,

Did you create the necessary routes on both sides?

Have you set up a Virtual Interface on OPNsense?

On the Sophos side, have you configured the connection as a tunnel and assigned the IP to this interface?

Did you add the ReqID in the IPsec connection on OPNsense and then reference it in the Virtual Interface?

Maybe you could share screenshots of your settings. It would make it easier to assist you.

Hope this helps!

Oezay
#3
Hello everyone,

I've set up an IPsec connection between two OPNsense devices, and it's working fine overall. One of the OPNsense devices has "Start" set as the Start Action, while the other is set to "None." The issue I'm facing is that after either OPNsense device reboots, the connection doesn't automatically re-establish. I always have to go to the side with "None" and click "Play" in the Status Overview to bring the connection back up.

Does anyone have an idea how to automate this process or what I might need to adjust?

Thanks,
Oezay
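As an added example that is not part of this thread: a small watchdog for the situation described above, assuming OPNsense's strongSwan `swanctl` CLI is available, that the connection is named siteB with a child siteB-net (placeholder names; on OPNsense the real names come from the IPsec configuration), and that the script runs periodically from cron on the side whose Start Action is "None".

```shell
#!/bin/sh
# Added example, not from this thread: a watchdog for an OPNsense/strongSwan
# IPsec connection that is not re-initiated automatically after a reboot.
# Assumptions: swanctl is available (OPNsense ships strongSwan's swanctl), the
# connection is named "siteB" with a child "siteB-net" (placeholder names), and
# this script is run periodically (e.g. from cron) on the side set to "None".

# ike_established CONN SAS_OUTPUT: succeeds if an IKE_SA for CONN is ESTABLISHED.
# `swanctl --list-sas` prints the IKE_SA line flush-left as "NAME: #ID, STATE, ...";
# child SAs are indented, so the anchored pattern cannot match "siteB-net".
ike_established() {
    printf '%s\n' "$2" | grep -E "^$1: #[0-9]+, ESTABLISHED," >/dev/null
}

# decide_action CONN SAS_OUTPUT: prints "ok" when the tunnel is up, "initiate"
# when it is absent or still CONNECTING.
decide_action() {
    if ike_established "$1" "$2"; then echo ok; else echo initiate; fi
}

# watchdog CONN CHILD: query the live daemon and initiate the child SA if needed.
watchdog() {
    sas=$(swanctl --list-sas 2>/dev/null)
    if [ "$(decide_action "$1" "$sas")" = initiate ]; then
        swanctl --initiate --child "$2"
    fi
}

# Constructed sample of `swanctl --list-sas` output for a healthy tunnel.
SAMPLE_UP=$(cat <<'EOF'
siteB: #3, ESTABLISHED, IKEv2, 5a89a5c4d36c0b43_i* 1cc04ebe5cd3f3c5_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 9s ago, rekeying in 13638s
  siteB-net: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.0.1.0/24
    remote 10.0.2.0/24
EOF
)
# Constructed sample while the peer is still negotiating after its reboot.
SAMPLE_CONNECTING='siteB: #4, CONNECTING, IKEv2, 2f3a4b5c6d7e8f90_i* 0000000000000000_r'

if [ "${1:-}" = run ]; then
    watchdog siteB siteB-net
fi
```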
#4
Hi everyone,

I have created a NAT rule, and it works as expected. However, in the live view, the allowed connections are displayed in green and marked as allowed, but they are labeled as "Default deny / state violation rule." Some connections are forwarded to the internal host but are still shown as blocked in the live log with the "Default deny / state violation rule" label.

I've noticed that if the initial incoming packets arrive on the primary WAN IP, the label remains blank. However, when packets come in on the virtual IP on the WAN interface, the "Default deny / state violation rule" label is applied.

Has anyone encountered this issue or know how to ensure that the correct description specified in the NAT rule is displayed in the live view? This behavior occurs both with associated rules and with explicitly created firewall rules.

Thank you for your support!
oezay