Messages - ThisUsernameHasBeenTaken

#1
The problem was an external firewall blocking the traffic on the second IP...

Otherwise the setup is quite straightforward:
1. Define a new Virtual IP.
2. Switch NAT to Hybrid mode
3. Define a new Outbound NAT rule: Source = DMZ net; NAT address = the second (Virtual) IP

That setup works fine so far.
#2
Hello!

I am trying to add a new Virtual IP to my DMZ and am stuck in the configuration.
Unfortunately there is not much information about how to set it up.
I'd appreciate any advice.

I have two WAN IPs which I am allowed to use: x.x.x.114/29 and x.x.x.115/29. These both use the same Gateway.
I have two networks: 172.17.17.0/24 - LAN and 172.17.18.0/24 - DMZ

I'd like my LAN to access the Internet and be accessible (certain ports via port forward) only via x.x.x.114/29 and my DMZ to access the Internet and be accessible only via x.x.x.115/29

I bet this is the simplest possible setup with Virtual IPs, but I have no idea how to configure it.

Thank you!
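The LAN/DMZ split over two public addresses asked about here and resolved in the post above (Hybrid outbound NAT with one manual rule for the DMZ), as an added example that is not part of the original thread. It is a simplified model of first-match outbound NAT, not OPNsense's own pf code; the 203.0.113.x addresses are constructed stand-ins for the poster's x.x.x.114 and x.x.x.115, and the "automatic rule" of hybrid mode is modelled as a fallback to the primary WAN address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (RFC 5737 documentation range) for x.x.x.114 and x.x.x.115.
WAN_PRIMARY = ipaddress.ip_address("203.0.113.114")
WAN_VIP = ipaddress.ip_address("203.0.113.115")   # the Virtual IP added for the DMZ
LAN = ipaddress.ip_network("172.17.17.0/24")
DMZ = ipaddress.ip_network("172.17.18.0/24")


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: ipaddress.IPv4Network
    nat_address: ipaddress.IPv4Address
    comment: str = ""


# Hybrid mode: manual rules are evaluated before the automatically generated one.
# The automatic rule (any internal source -> WAN interface address) is the fallback here.
MANUAL_RULES = [
    OutboundNatRule("WAN", DMZ, WAN_VIP, "DMZ net egresses via the Virtual IP"),
]
AUTOMATIC_FALLBACK = WAN_PRIMARY


def egress_address(src_ip, rules=MANUAL_RULES, fallback=AUTOMATIC_FALLBACK):
    """Public address a packet from src_ip is translated to; first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == "WAN" and ip in rule.source:
            return rule.nat_address
    return fallback


def check_separation(rules=MANUAL_RULES, fallback=AUTOMATIC_FALLBACK):
    """Walk every host of LAN and DMZ and report those that would leave via the wrong public IP.

    Returns a list of (host, actual_nat_address, expected_nat_address) tuples; empty means
    the requirement 'LAN only via .114, DMZ only via .115' holds for this rule set.
    """
    expected = {LAN: WAN_PRIMARY, DMZ: WAN_VIP}
    problems = []
    for network, wanted in expected.items():
        for host in network.hosts():
            actual = egress_address(host, rules, fallback)
            if actual != wanted:
                problems.append((str(host), str(actual), str(wanted)))
    return problems


if __name__ == "__main__":
    print(egress_address("172.17.17.10"))   # LAN host -> primary WAN address
    print(egress_address("172.17.18.10"))   # DMZ host -> Virtual IP
    print(check_separation())               # [] with the manual rule present
    # Without the manual rule every DMZ host silently falls back to the primary address:
    print(len(check_separation(rules=[])))
```

The last call shows what the poster's setup looked like before the manual rule existed: no error anywhere, just every DMZ host leaving through the primary address, which is why the external firewall on the second IP was the only place the problem became visible.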
#3
Never mind. I have rebooted the OPNsense and everything went back to normal. I.e. the rule which makes sense is now working and I got the Internet and all access.

I really don't know what happened - cache maybe?

The configuration that works for me (maybe it will be useful for somebody):


  • Set up the Wireguard server on a host inside the LAN with no masquerading. Enable the net.ipv4.ip_forward=1 and net.ipv4.conf.all.proxy_arp=1 options. Make its IP static and remember it.
  • Configure peers
  • Create a Port Forward rule to forward incoming connections from WAN port to the Wireguard server port.
  • Create a Pass rule for the WAN interface to allow connections to the Wireguard port.
  • Create a Pass rule in the LAN firewall section to allow connections from the Wireguard network (i.e. source = Wireguard network)
  • Go to Firewall -> Settings -> Advanced and enable "Static route filtering" setting
  • Go to System -> Gateways -> Configuration and add a new gateway on the LAN interface with the priority less than the WAN gateway and the address pointing to the Wireguard server
  • Go to System -> Routes and create a new route to Wireguard network address via freshly created Gateway
  • Go to Firewall -> NAT -> Outbound. Set "Hybrid outbound NAT rule generation" mode and add a new rule: Interface = WAN; Source = Wireguard network
  • Optional: I have also created a firewall alias for the Wireguard network - it looks better in my opinion...

@dseven, thank you very much for your help and advice!!!
#4
I was just experimenting with the rules: like, just trying everything one by one.
I cannot explain the logic behind this rule and it really confuses me.
#5
At first yes, I saw the typo: 127 instead of 172. I fixed it and the Internet was gone... So I put it back, exactly as you can see on the screenshot, and the Internet came back again.
That is why I am confused. It shouldn't work. It even makes no sense, but it works! And I don't know why.

No, my Wireguard server is not masquerading - that's the whole point of the setup.
#6
I got both the Internet and LAN working, but I have no idea why this is working.
I was experimenting with NAT rules and accidentally mistyped an IP: 127.17.21.0/21 instead of 172.17.21.0/24 and... it worked.
If I disable the rule, I lose the Internet connection for the Wireguard clients. If I enable it, the connection is back.

I don't know why: this rule doesn't make sense to me. Can anybody explain it?
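A consistency check for the routed (no-masquerade) Wireguard layout from the working configuration listed earlier in this page (gateway on LAN pointing at the Wireguard host, static route to the Wireguard network, outbound NAT for that network) that also catches the mistyped NAT source from this post. This is an added example, not the poster's or OPNsense's code; it only checks the addressing of the rules against each other and says nothing about why the typo'd rule appeared to work. The network values are the ones quoted in the posts; `net()` parses non-strictly, the way a GUI accepts "127.17.21.0/21" and stores it as 127.17.16.0/21.

```python
import ipaddress

# Values quoted in the posts on this page.
LAN = ipaddress.ip_network("172.17.17.0/24")
WG_NET = ipaddress.ip_network("172.17.21.0/24")
WG_SERVER = ipaddress.ip_address("172.17.17.8")


def net(cidr):
    """Parse a CIDR the way a firewall GUI does: host bits set are masked off, not rejected."""
    return ipaddress.ip_network(cidr, strict=False)


def validate_routed_wireguard(lan, wg_net, wg_server, gateway, route_dst, nat_source):
    """Check that gateway, static route and outbound NAT agree for a routed Wireguard server.

    Returns a list of human-readable findings; an empty list means the pieces are consistent:
      - the gateway must be a LAN address and must be the Wireguard server itself;
      - the static route must be for exactly the Wireguard network;
      - the Wireguard network must not overlap the LAN (proxy_arp on the server relies on that);
      - the outbound NAT source must cover the Wireguard network, otherwise peers leave WAN
        with their 172.17.21.x source untranslated and never get replies.
    """
    findings = []
    if gateway not in lan:
        findings.append(f"gateway {gateway} is not inside LAN {lan}")
    if gateway != wg_server:
        findings.append(f"gateway {gateway} does not point at the Wireguard server {wg_server}")
    if route_dst != wg_net:
        findings.append(f"static route {route_dst} is not the Wireguard network {wg_net}")
    if wg_net.overlaps(lan):
        findings.append(f"Wireguard network {wg_net} overlaps LAN {lan}")
    if not wg_net.subnet_of(nat_source):
        findings.append(
            f"outbound NAT source {nat_source} does not cover {wg_net}; "
            "peer traffic would leave WAN untranslated"
        )
    return findings


if __name__ == "__main__":
    # The configuration from the working post: no findings.
    print(validate_routed_wireguard(LAN, WG_NET, WG_SERVER,
                                    ipaddress.ip_address("172.17.17.8"),
                                    net("172.17.21.0/24"), net("172.17.21.0/24")))
    # The mistyped NAT source from this post: flagged, and shown as the GUI stores it.
    for finding in validate_routed_wireguard(LAN, WG_NET, WG_SERVER,
                                             ipaddress.ip_address("172.17.17.8"),
                                             net("172.17.21.0/24"), net("127.17.21.0/21")):
        print(finding)
```

Running the check before enabling a rule set is cheap and would have surfaced the 127/172 transposition immediately, independent of whatever state the firewall happened to be in at the time.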
#7
Hmm.

  • I have added a new virtual network interface and created a new dedicated network: 172.17.18.0/24 with static IPs.
  • Created a Firewall rule to accept all from the new network in the Firewall -> Rules -> WG_IN_1 (new network name) section.
  • Moved the VPN server there: 172.17.18.2
  • Adjusted the Wireguard server IP to 172.17.18.254 and its Peer IP to 172.17.18.202 (inside wg0.conf)
  • Changed Port Forwarding from WAN to 172.17.18.254
  • Disabled previously created route and gateway

Unfortunately, it didn't work: I cannot access any hosts at all.
The same situation happens if I create a new gateway pointing to 172.17.18.254 and a route: to 172.17.18.0/24 via freshly created gateway.

The firewall is all green though: it shows connections, but no traffic flows...
#8
I got a little (partial) success with the hack.

1. I have created a new Gateway in System -> Gateways -> Configuration pointing to 172.17.17.8 (Wireguard server)
2. I have created a new route in System -> Routes -> Configuration: to 172.17.21.0/24 via freshly created gateway.
3. In Firewall -> Settings -> Advanced I have enabled this option: "Bypass firewall rules for traffic on the same interface"
   (This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.)

After that I now have access to all the LAN hosts from the Wireguard! Yay!

Unfortunately I don't have Internet access from the Wireguard. I have created an outbound NAT for 172.17.21.0/24, but it didn't help...
#9
Hmm. But before creating a new network: what about a hack with routes? What routes should I add to test if it works?
#10
Except for the Wireguard server itself and the OPNSense, yes: there won't be any other non-Wireguard hosts in this network.
So technically there might be one interference: with the OPNsense. Because Wireguard doesn't know anything about it.

Regarding using a built-in Wireguard server: I'd like to, but I can't: there is some specific software (like DPI or something) which should be running next to the Wireguard server.
Just to clarify: for now it is not installed and cannot interfere with the current setup.
#11
Thank you very much for the suggestion!

I think I can do it. OPNSense is installed onto a VM so I can create another interface, assign a new network to it and move the Wireguard server into the new network.
A few questions about this setup:

  • Should I enable DHCP on the new network?
  • What firewall rules should I define?
  • What will happen in case of an IP address conflict? I.e. the Wireguard server creates a Peer with an IP which already exists in the new network?
#12
Hello!

For some reason I have to use a standalone Wireguard server located on a dedicated host in my LAN.
All the Wireguard peers should have access to all the LAN hosts and vice-versa.

I was able to set everything up in a NAT (Masquerade) mode, but I want all the peers to be "visible" and manageable by their Wireguard IPs inside the OPNsense. Thus I am trying to set up the Wireguard server without a NAT (Masquerading).

Unfortunately I can't figure out how to set up firewall and routing properly.

My network setup:

  • LAN: 172.17.17.0/24
  • DNS server: 172.17.17.2
  • Wireguard server: 172.17.17.8
  • Wireguard network: 172.17.21.0/24. The network itself is defined in the Wireguard config and does not exist as a VLAN or any other type of network in the OPNSense. This should be fine because Wireguard is a Level 3 protocol.

Steps I took:

  • Installed and configured a Wireguard server on 172.17.17.8; enabled both net.ipv4.ip_forward=1 and net.ipv4.conf.all.proxy_arp=1 options. Masquerading is turned off (or rather it is not turned on).
  • Configured a peer for the Wireguard server.
  • Created a Port Forward rule to forward incoming connections from WAN port to the Wireguard server port.
  • Created a Pass rule for the WAN interface to allow connections to the Wireguard port.
  • Created two firewall rules for the LAN to allow traffic in the Wireguard network. For more details - see attached screenshot. I believe the last rule is not required. If so I will delete it later.

The results are: I can connect to the Wireguard server, but I cannot access any host in the LAN or Internet.
If I try to ping or nslookup any host using 172.17.17.2 I get messages that these requests are blocked (see screenshot #2) by the Default deny rule, which I don't understand because I have defined the Pass rules to allow this kind of traffic.

I'd appreciate any help with making this setup work. I believe some firewall rules and/or routes are missing, but I can't figure out what exactly is wrong.