Messages - mistra666

#1
WireGuard is used as a gateway to access all clients in the WLAN/LAN (vLAN segments, USB-Ethernet LANs), Bridge. WLAN/LAN clients make DNS queries via WireGuard and take the EDNS Client Subnet (ECS) into account for location-based steering, considering the local split-zoned LAN DNS TLD within the infrastructure.
- WAN works via vmxnet3 with ESXi NAT.
- vLANs via ESXi PVN (Private Virtual Network)

What specific diagnostic data will be helpful? Firewall rules / pf Normalization / MSS / Wireguard / DHCP / ...?

I installed a fresh OPNsense 24.7 and configured NAT and other optimizations. On ESXi system sleep & wakeup via WOL, WireGuard services cannot be restored even with WG keepalive 25s enabled. OPNsense is not properly able to restore services (GW/DNS/FW rules state) to an operational state. There are issues with the reordering of services' healthcheck recovery prioritization.

#2
OPNsense no longer works correctly with WireGuard, the most recent successful build of OPNsense with Wireguard was "23.1.11_1" (LTS EOL for me).

All new builds cannot bring up tunnels and work after OPNsense VMs go into the ESXi suspend state; the priorities of gw, dns, firewall, nat, interfaces and other services work incorrectly, and they cannot restart the ordering/healthcheck of services themselves.

And in version "23.1.11_1" I didn't even have to set KeepAlive on the WireGuard tunnel; all LAN networks (vLAN vmxnet3 / USB 3.1 Ethernet 1Gbps) worked very well.
OPNsense with WireGuard support has become a low-grade, low-quality product. Maybe there is a race condition in the new versions; I don't update releases anymore. Gradually updating to the latest release as of today does not give any promising results.

Traffic normalization for Bridge (between vLAN networks)/WG/vLAN (single without Bridge) is tuned with MSS/MTU so that vmxnet3 packets pass optimally; the interfaces are also configured with MSS/MTU. I use manual outbound NAT rule generation for WireGuard (I do not use assigned interfaces for WireGuard, and everything works in "23.1.11_1"), with no DNS/traffic leaks outside the tunnel for LAN/bridge, plus DNS/DoH/DoT redirected to the local zoned DNS path via firewall rules.

+ Split DNS is sorely lacking for zone splitting of networks, like this: https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/
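As an added illustration of the setup the post above describes (MSS clamping on the tunnel, manual outbound NAT for WireGuard, DNS/DoT redirected to a local resolver, and no LAN traffic leaking out the WAN when the tunnel is down), here is a pf rule fragment in the syntax OPNsense's underlying FreeBSD pf uses. This is example configuration written for this page, not rules from the post or from OPNsense; the interface names (vmx0, vmx1, wg0), the LAN subnet, the resolver address and the MSS value are assumptions. The MSS of 1380 comes from a 1500-byte vmxnet3 path minus WireGuard's IPv4/UDP/WG overhead (1500 - 60 = 1420 tunnel MTU) minus 40 bytes of IPv4+TCP headers.

```pf
# Added example (not from the post): pf fragment for a WireGuard-gateway LAN.
# All interface names, addresses and the MSS value are assumptions.
wan_if  = "vmx0"
lan_if  = "vmx1"
wg_if   = "wg0"
lan_net = "192.168.10.0/24"
local_dns = "192.168.10.1"   # local zoned resolver on the firewall

# Clamp TCP MSS on the tunnel so segments fit inside the WireGuard MTU
# instead of relying on PMTUD (which is often blocked upstream).
scrub on $wg_if all max-mss 1380

# Manual outbound NAT: LAN clients leave through the tunnel with the
# tunnel's own address, not through the WAN.
nat on $wg_if from $lan_net to any -> ($wg_if)

# Force plain DNS and DoT from the LAN to the local resolver, so clients
# cannot bypass the split-zone DNS or leak queries. DoH (443) cannot be
# separated from ordinary HTTPS by port alone and is not handled here.
rdr on $lan_if proto { tcp udp } from $lan_net to any port 53  -> $local_dns port 53
rdr on $lan_if proto tcp         from $lan_net to any port 853 -> $local_dns port 853

# Tag LAN-originated traffic on ingress; the tag survives NAT, which is
# why the leak block below matches on the tag rather than on the source
# address (pf translates before it filters outbound on the WAN).
pass in quick on $lan_if from $lan_net to any tag LANOUT keep state

# Leak guard: LAN traffic may only exit via the tunnel. If wg0 is down,
# it is blocked with a TCP RST/ICMP unreachable instead of falling back
# to the WAN. The firewall's own WireGuard UDP is untagged and still passes.
block return out quick on $wan_if tagged LANOUT
pass out quick on $wg_if tagged LANOUT keep state
pass out on $wan_if from ($wan_if) to any keep state
```

The tagging is the part worth copying: without it, an "out on WAN from LAN subnet" block rule never matches, because by the time pf evaluates outbound filter rules on the WAN the source has already been rewritten by NAT, and the LAN would silently fall back to the WAN path whenever the tunnel fails to come up after a resume.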