Messages

Thanks guys, will look into it.  Much appreciated.

The endpoint is for example "vpn.domain" which resolves to the Static IP of the OPNSense WAN interface.

I think the issue is that from external networks this resovles to say 80.12.15.40 but inside the LAN this doesn't work as it's the IP of the external OPNSense interface.

I think I might need "split DNS"?  I have created an override in Unbound DNS so from inside the LAN "vpn.domain" resolves to the LAN IP of the OPNSense router.

But services still don't work...?

I have a wireguard VPN on my mobile which connects to OPNSense over 5G when I am away.  This works fine.  But, when I am back and the phone connects to the LAN via WiFi and the phone no longer connects to servers etc.

I understand that I need to do something to make this work, so I can just leave the VPN client connected all the time.  It would be much easier than having to manually turn the VPN client on and off every time I go out / come home.

Please could anyone help with this?  Is this best practice? 

I followed the official guide for Wireguard site to site VPN.

I have created the Wireguard instances and peers and they are handshaking, but I cannot send/receive to the remote LAN.

Do I need to create a Wireguard interface etc.?
Do I need to create routes somewhere?

The official guide doesn't mention either, but I can't ping the remote OPNSense router via the site to site VPN

(I am configuring it via a dial-in Wireguard VPN which does work fine - separate instance and port).

Any pointers much appreciated.

That works, but I also had to put a firewall rule on the LAN interface to allow the LAN source access to the 4G network interface.

Thank you so much for your help, much appreciated.

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Did you check "Upstream Gateway" there? This is needed.

It was not checked, so I have now enabled it.

If so, check in Firewall > NAT > Outbound if there are automatic rules added to that interface.

Having done the above there are no rules here, and I still can't access the device.

I have a 4G modem as a WAN port for backup (failover) but I cannot access the configuration page of the 4G modem

The OPNsense router IP is 192.168.123.254 and all local PCs are on that subnet

The modem is attached to one of the router interfaces with static IP 192.168.100.100  and the modem has static IP 192.168.100.254

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Ping monitoring works, failover works, and I CAN ping 192.168.100.254 from an SSH session to the router.  However, I can't ping it from my desktops.  I would like to be able to access the modem via the web for monitoring.

Any advice most welcome thank you

I have an entry in UnboundDNS > overrides - "host@localdomain"   which resolves to a local IP on my LAN (say 192.168.10.45)

Inside the LAN I can ping just "host" and get connectivity

However when I am connected to OPNSense via Wireguard VPN I have to use "host@localdomain" rather than just "host" (the latter does not resolve)

Please could anyone explain why and if this can be changed?

Many thanks

Changing from the on-board NIC (Fujitsu S920) to another network port in the router seems to have resolved the issue.  The router and switch indeed couldn't auto-negotiate.  Perhaps a driver issue?

Also, make sure there's a firewall rule in LAN interface, on top of the list, allowing the lan subnet (source) to the modem address (destination), without force any gateway or gateway group - just leave default.

Since you said "also" do I need to do both this and the other suggestion?  I am struggling with this now!

Note - if I disable the fibre (default) gateway, I can then ping both 192.168.100.100 (the address of the 4G interface) and 192.168.100.254 (the address of the 4G modem).  It is just when the preferred gateway is working that I can no longer ping these IPs.

This is not a major problem, but it would be useful to be able to access the 4G modem via web.

Add an outbound NAT rule on that particular interface.

As in Firewall > NAT > Outbound ?

Changed Modem to Hybrid (auto after manual rules)

I have created rule:

Interface: LAN
Destination address 192.168.100.254/32
Translation/target : 4G_IF_Address (i.e. the 4G modem interface)

But this does not help.

I have created a failover group and all works fine, but I cannot access the configuration page of the 4G modem

The LAN address is 192.168.123.0

The modem is attached to one of the router interfaces with static IP 192.168.100.100  and the modem has static IP 192.168.100.254

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Ping monitoring works, failover works, and I CAN ping 192.168.100.254 from an SSH session to the router.  However, I can't ping it from my desktops

What do I need to do to fix this?  I wondered about adding a route in system  > routes but it says "Do not enter static routes for networks assigned on any interface of this firewall"

Any advice most welcome 

Anyone ??  :)

Hi Patrick

That works fine - thank you. 

For future reference if anyone else reads this post, I did have to restart the router after making the changes (restarting the service alone for some reason was not enough)

Cheers
Richard