Messages

I followed the official guide for Wireguard site to site VPN.

I have created the Wireguard instances and peers and they are handshaking, but I cannot send/receive to the remote LAN.

Do I need to create a Wireguard interface etc.?
Do I need to create routes somewhere?

The official guide doesn't mention either, but I can't ping the remote OPNSense router via the site to site VPN

(I am configuring it via a dial-in Wireguard VPN which does work fine - separate instance and port).

Any pointers much appreciated.

That works, but I also had to put a firewall rule on the LAN interface to allow the LAN source access to the 4G network interface.

Thank you so much for your help, much appreciated.

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Did you check "Upstream Gateway" there? This is needed.

It was not checked, so I have now enabled it.

If so, check in Firewall > NAT > Outbound if there are automatic rules added to that interface.

Having done the above there are no rules here, and I still can't access the device.

I have a 4G modem as a WAN port for backup (failover) but I cannot access the configuration page of the 4G modem

The OPNsense router IP is 192.168.123.254 and all local PCs are on that subnet

The modem is attached to one of the router interfaces with static IP 192.168.100.100  and the modem has static IP 192.168.100.254

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Ping monitoring works, failover works, and I CAN ping 192.168.100.254 from an SSH session to the router.  However, I can't ping it from my desktops.  I would like to be able to access the modem via the web for monitoring.

Any advice most welcome thank you

I have an entry in UnboundDNS > overrides - "host@localdomain"   which resolves to a local IP on my LAN (say 192.168.10.45)

Inside the LAN I can ping just "host" and get connectivity

However when I am connected to OPNSense via Wireguard VPN I have to use "host@localdomain" rather than just "host" (the latter does not resolve)

Please could anyone explain why and if this can be changed?

Many thanks

Changing from the on-board NIC (Fujitsu S920) to another network port in the router seems to have resolved the issue.  The router and switch indeed couldn't auto-negotiate.  Perhaps a driver issue?

Also, make sure there's a firewall rule in LAN interface, on top of the list, allowing the lan subnet (source) to the modem address (destination), without force any gateway or gateway group - just leave default.

Since you said "also" do I need to do both this and the other suggestion?  I am struggling with this now!

Note - if I disable the fibre (default) gateway, I can then ping both 192.168.100.100 (the address of the 4G interface) and 192.168.100.254 (the address of the 4G modem).  It is just when the preferred gateway is working that I can no longer ping these IPs.

This is not a major problem, but it would be useful to be able to access the 4G modem via web.

Add an outbound NAT rule on that particular interface.

As in Firewall > NAT > Outbound ?

Changed Modem to Hybrid (auto after manual rules)

I have created rule:

Interface: LAN
Destination address 192.168.100.254/32
Translation/target : 4G_IF_Address (i.e. the 4G modem interface)

But this does not help.

I have created a failover group and all works fine, but I cannot access the configuration page of the 4G modem

The LAN address is 192.168.123.0

The modem is attached to one of the router interfaces with static IP 192.168.100.100  and the modem has static IP 192.168.100.254

Under System: Gateways: Configuration  The 4G gateway has IP 192.168.100.254

Ping monitoring works, failover works, and I CAN ping 192.168.100.254 from an SSH session to the router.  However, I can't ping it from my desktops

What do I need to do to fix this?  I wondered about adding a route in system  > routes but it says "Do not enter static routes for networks assigned on any interface of this firewall"

Any advice most welcome 

Anyone ??  :)

Hi Patrick

That works fine - thank you. 

For future reference if anyone else reads this post, I did have to restart the router after making the changes (restarting the service alone for some reason was not enough)

Cheers
Richard

So if I want "dev" to resolve to 192.168.123.123

I use * as the host and "dev" as the domain?

It works, but is that right?  I am not convinced I've done that properly.

Thanks, I'll check that.  Which is the better way though?

I wish to have the OPNSense router enable DNS resolution for local hosts.  I can see two ways:

1. Use UnboundDNS and enable "Register DHCP Static Mappings"

2. Disable UnboundDNS and use DNSMasq instead.  I think the latter is better as I can then add other static hostnames other than those assigned by DHCP.

Is this the best way?

I am enjoying learning OPNSense so thank you for the help ;)