Messages - Forceflow

#1
I presume you followed this guide: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

What I have noticed is that even though the guide lists it as not necessary for IPv4 traffic if you've configured a WG interface group, I resolved the problem you're having by adding the rule in 4(b).

Here's the weird thing: My Wireguard connectivity works fine without that rule (I can even disable it after the system has booted!), until I reboot.

Then I've got the same symptoms: cannot reach outside network.
Would be solved by manually rebooting Wireguard, or like you said, changing a little thing in the firewall.

After I explicitly added rule 4b to my system, Wireguard connectivity to the outside world now survives a reboot as well.

Would be very enlightening to have some OPNsense wizard explain to us why this is needed.

I'm out of my depth to explain why this could happen, maybe a race condition during boot.
#2
Quote from: Bob.Dig on December 21, 2024, 05:01:08 PM
Quote from: Seimus on December 21, 2024, 01:22:38 PM
Overall I rather prefer static port NAT rule than uPnP.
I would do both for a game-centric subnet. :)
Doesn't that conflict with each other? Or is UPNP just inbound port forwarding, and nothing to do with the outbound NAT?
#3
True, most devices do port randomization themselves, but it seems some (P2P, I think?) game clients and consoles really only work on specific ports that they need a specific reply to.

Anyway, I'm glad my diagnosis seems correct - I've learned A LOT about NAT in the past days. That's what you get from upgrading to enterprise solutions, I guess.
#4
Thank you. And the reason I did not encounter any problems with the Edgerouter setup is because I don't have, let's say, two XBOXes trying to play on the same game server at the same time, right?

Because the problem technically would occur when you have this situation:

(XBOX 1) 192.168.1.240:12345 -> (map to WAN IP, keep port) WAN IP:12345 -> (same XBOX GAME SERVER IP)
(XBOX 2) 192.168.1.241:12345 -> (map to WAN IP, keep port) WAN IP:12345 -> (same XBOX GAME SERVER IP)

And then there is ambiguity of what to do with return packets.
#5
Hey everyone,

I'm trying to replace my old trusty Edgemax Edgerouter ERP-5 (because Unifi does not care about these Edgerouters any more, it seems) with a new shiny OPNSense device from Protectli. It's going well, but I've got one thing that puzzles me. First, my network topology:

(internet) -> ISP modem/router (192.168.0.1) -> OPNsense with static WAN IP (192.168.0.220) -> My LAN and all my devices (192.168.1.x)

  • I'm stuck with that ISP modem/router that I cannot put into bridge mode. The only thing I can do is DMZ to a fixed IP (192.168.0.220). I've made my peace with this double NAT, it's the way it is - this is not the issue at hand. Don't worry, I've disabled the standard blocking of traffic from RFC1918 networks, otherwise the setup wouldn't work :)
  • I've managed to replicate almost all functionality from the Edgerouter I want: static leases, port forwards, DNS redirect to Pihole, et cetera. Devices can contact the internet and each other.

There is just one thing that's bugging me: I'm an avid gamer, and when I use my Edgerouter, all my consoles / PC games report NAT type 2 (moderate). When I use my new OPNSense box, that reverts to NAT type 3 (strict).

The initial reaction would be: just start configuring UPNP, but here's the thing: on my Edgerouter I could get to NAT Type 2 without having to resort to UPNP (simply not configured), and I'd like to replicate that exact behavior. I want a baseline to start from that is identical to what I had :).

I figured out it probably has something to do with outbound NAT rules, and the port selection. OPNSense, by default, randomizes the outbound port during the translation, for security reasons, if I am correct. I think my Edgerouter, by default, uses static ports mapping for outbound NAT (no randomization) for EVERY LAN CLIENT, and that makes everything "just work" to get to NAT Type 2.

In order to replicate this behavior in OPNSense, I've set Outbound NAT to Hybrid mode, copied the default auto-generated outbound rule to this section and just enabled the static port setting. For all traffic and clients, because most of the clients on my network use some online game functionality (laptops, consoles, ...). This change does indeed result in all consoles and game PCs reporting NAT Type 2 / Moderate behavior. Hurray.

Here are my questions:
  • Do you think I've diagnosed the problem correctly and that is indeed the default Edgerouter behavior, and that I replicated this correctly? I know UPNP is the "correct" way of solving this, but I don't want to get into more configuration hell, and I was fine with the way the Edgerouter did it.
  • Is there any downside to doing this? I know theoretically I can have issues when ports collide, let's say two XBOXes on my network try to connect to the same game server using the exact same port, and it is unclear for whom the returning packet is meant. I've got to stress that I did not encounter any of those issues in doing it like this for 5 years on that Edgerouter, so this might be a non-issue.

Thank you for reading this, and happy holidays to you all.
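The port collision sketched in #4 and asked about in #5, as an added example that is not code from this thread, OPNsense or pf: a small model of an outbound NAT state table with the static port option on and off. The WAN address, game server address and console ports are constructed; the model only shows why two LAN hosts sharing a source port to the same destination become ambiguous, not how pf itself resolves that case.

```python
# Constructed model of outbound NAT with and without "static port" (added example,
# not OPNsense/pf code). Addresses and ports below are made up for the demo.
import random
from dataclasses import dataclass

WAN_IP = "203.0.113.10"                 # constructed WAN address of the OPNsense box
GAME_SERVER = ("198.51.100.5", 3074)    # constructed "same XBOX GAME SERVER" IP:port

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class OutboundNAT:
    """State table keyed by what a reply packet exposes: (WAN port, server IP, server port)."""
    def __init__(self, static_port: bool, seed: int = 1):
        self.static_port = static_port
        self.table = {}                 # (wan_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.rng = random.Random(seed)  # deterministic so the demo is reproducible

    def translate(self, f: Flow):
        """Map f to (WAN_IP, wan_port); None if static port leaves two LAN hosts ambiguous."""
        if self.static_port:
            key = (f.src_port, f.dst_ip, f.dst_port)
            owner = self.table.setdefault(key, (f.src_ip, f.src_port))
            return (WAN_IP, f.src_port) if owner == (f.src_ip, f.src_port) else None
        for _ in range(100):            # randomised source port: pick one not yet in the table
            port = self.rng.randint(49152, 65535)
            key = (port, f.dst_ip, f.dst_port)
            if key not in self.table:
                self.table[key] = (f.src_ip, f.src_port)
                return (WAN_IP, port)
        raise RuntimeError("ephemeral port range exhausted")

    def reverse(self, wan_port: int, from_ip: str, from_port: int):
        """Which LAN host owns a reply to WAN_IP:wan_port coming from from_ip:from_port."""
        return self.table.get((wan_port, from_ip, from_port))

def demo():
    """Two consoles using the same source port to the same game server."""
    xbox1 = Flow("192.168.1.240", 12345, *GAME_SERVER)
    xbox2 = Flow("192.168.1.241", 12345, *GAME_SERVER)
    static, rnd = OutboundNAT(static_port=True), OutboundNAT(static_port=False)
    static_result = (static.translate(xbox1), static.translate(xbox2))
    rnd_result = (rnd.translate(xbox1), rnd.translate(xbox2))
    return {"static": static_result, "random": rnd_result,
            "static_reply_owner": static.reverse(12345, *GAME_SERVER),
            "random_reply_owners": [rnd.reverse(p, *GAME_SERVER) for _, p in rnd_result]}
```

With static port the second console gets no usable mapping because the reply key already belongs to the first; with randomised ports both get distinct WAN ports and replies map back unambiguously.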