Messages - Neurothiker

#1
I was not complaining, I asked why I can see a notebook (NB) whose client name/IP is stored in OPNsense in Unbound, including the corresponding domain lookups of the NB, but not a router whose client name/IP is stored in OPNsense as well.
To illustrate, a screenshot:
The NB in question is an X1 Carbon 6th.
I do not see the lookups of the connected router.
The statement that the router resolves DNS via a different route sounds plausible to me, since I wrote that a different DNS server is configured in the router, and OPNsense is then presumably only used as a "pass-through" to the Internet.
#2
YES, drill router.meine.locale.domain: the IP is definitely there.
I described at the start that the router resolves via AGH and DNS (853). Could that be the cause? I.e., in the router's AGH I should point DNS not at the server on 853 but at OPNsense:53?
#3
I do get an IP -> Services: ISC DHCPv4: Leases
But I do not see this IP of the router in Unbound, and no domain lookups either. I do see the domain lookups in the firewall's Live View, however.
Whereas I do see the NB with its IP in Unbound, along with the NB's domain lookups.
#4
Many thanks for the quick answer, and no, unfortunately it does not.
The mapping is active, the lease is active, just rebooted once more: silence... I know the setup this way from other routed connections as well.

I only see the client NB and OPNsense itself as localhost, nothing more.

I cannot get the router to show up in Unbound even with a direct cable connection and no switch in between.
#5
I have a comprehension problem and ask for help solving it:

OPNsense with one LAN and one WAN.
An unmanaged switch hangs off the LAN, with a client notebook (connected via its LAN interface) and an OpenWrt router (connected via its WAN interface) attached to it.
Both the NB and the router are stored as fixed IPs in the DHCP leases and are active.
On the router, an AGH (port 53) is set up with DNS servers (port 853).
All systems have been rebooted.
In the OPNsense firewall log I see the router's traffic, but no traffic in Unbound. I do, however, see the NB's traffic in Unbound with the client name stored in OPNsense.

Question:
Why do I not see the router in Unbound, but I do see the NB client?
What do I need to configure so that the router, using the names stored in DHCP,
1. appears in Unbound and
2. gets "processed" by Unbound?

Many thanks.
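Posts #1 to #5 above describe a router running AdGuard Home that forwards to upstream resolvers on port 853, so its traffic shows up in the firewall log but never in Unbound. As an added example, not code from the original posts or from OPNsense, the script below runs that reasoning over constructed flow records: any host sending to port 853, or to port 53 anywhere other than the OPNsense resolver, cannot appear in Unbound's view because Unbound never receives those queries. The record format (src, dst, proto, dport), the resolver address and the sample flows are assumptions, not OPNsense's filterlog format.

```python
"""Flag LAN hosts whose DNS traffic never reaches the OPNsense resolver.

Added example, not code from the original thread or from OPNsense. The flow
records are constructed by hand in a simplified (src, dst, proto, dport)
format, not OPNsense's filterlog format; the addresses are placeholders.
"""
from collections import defaultdict

RESOLVER_IP = "192.168.1.1"   # assumption: OPNsense LAN address where Unbound listens
DNS_PORTS = {53: "Do53", 853: "DoT"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1", "udp", 53),       # notebook -> Unbound
    ("192.168.1.20", "192.168.1.1", "udp", 53),
    ("192.168.1.11", "9.9.9.9", "tcp", 853),          # router -> DoT upstream
    ("192.168.1.11", "1.1.1.1", "tcp", 853),
    ("192.168.1.11", "8.8.8.8", "udp", 53),           # router -> plain upstream
    ("192.168.1.20", "142.250.74.14", "tcp", 443),    # HTTPS, not DNS
]


def classify_dns_flows(flows, resolver_ip=RESOLVER_IP):
    """Split each source's DNS flows into 'via_resolver' and 'bypass'.

    A flow counts as resolver traffic only if it targets resolver_ip on 53.
    Anything else on 53 or 853 is a bypass: Unbound never sees those
    queries, so the host cannot show up in Unbound's reporting.
    """
    report = defaultdict(lambda: {"via_resolver": 0, "bypass": []})
    for src, dst, proto, dport in flows:
        if dport not in DNS_PORTS:
            continue
        if dst == resolver_ip and dport == 53:
            report[src]["via_resolver"] += 1
        else:
            report[src]["bypass"].append((dst, proto, DNS_PORTS[dport]))
    return dict(report)


def bypassing_hosts(report):
    """Sources with at least one DNS flow that did not go to the resolver."""
    return sorted(src for src, r in report.items() if r["bypass"])


if __name__ == "__main__":
    rep = classify_dns_flows(SAMPLE_FLOWS)
    for src in bypassing_hosts(rep):
        for dst, proto, kind in rep[src]["bypass"]:
            print(f"{src} sends {kind} ({proto}) to {dst}, not to {RESOLVER_IP}")
```

Hosts listed by bypassing_hosts() will only appear in Unbound once their DNS is pointed at the resolver on port 53, which is what post #2 asks about. With DoT to an upstream the firewall sees only an encrypted TCP flow on 853 and cannot recover the queried names, so the Live View shows the router's connections but not its lookups.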
#6
General Discussion / Re: AdGuard setup
April 04, 2025, 11:56:36 AM
Could you ever log in from internal network?
After finalizing the setup I thought I would log in via IP:8080...
...test it...
#7
Dear Mr. Hausen,

first of all I thank you for your extremely detailed support - phenomenal!
Unfortunately, it also clearly showed me that the OPNsense system is far beyond my horizon - and perhaps not my solution after all.
I'm switching from Fritzbox DSL to OPNsense fiber and yes, the network architecture is still from that time, but I can't change it directly due to various dependencies - hence my requests for support here in the forum.

Ok, back to my biggest issue at all:

Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
1. Get the network structure and routing right - you probably did that already?

- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway

Accomplished - ping WG-IP works.


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
2. Inbound port forwarding

The rules you outlined in your first post look correct - "ppp" is 51820 or similar I suppose? And make sure it's UDP!

Accomplished
Firewall: NAT: Port Forward
    Interface: WAN
    TCP/IP: IPv4
    Protocol: UDP
    Destination: Internet address
    Destination port range: ppp
    Redirect target IP: 192.168.x.11[Router]
    Redirect target port: ppp


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
3. Outbound NAT
- create a firewall alias named "internal networks" or similar. Type "network(s)", add all internal networks you want NATed - that's at least 192.168.x.0/24 and 10.xyz.0/24 (?)
- create a rule: interface WAN, source "internal networks", NAT to "interface address"

Accomplished
- Firewall: Aliases
    Name: interne Netzwerke
    Host(s)
    Content: 192.168.x.0/24 10.xyz.0/24
    Description: Anbindung an WG

- Firewall: NAT: Outbound
    Interface = WAN
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = interne Netzwerke
    Source Port: 47362
    Destination: any
    Translation/target = Interface address


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
4. Depending on what you want to do add your WG network

If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.

- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT

Accomplished
- System: Routes: Configuration
Network Address: WG client IPs
Gateway: internal router (192.168.x.1)

When I set up the WG server in the past I pointed it at the WG gateway (internal router [192.168.x.1])

Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
- add the WG tunnel network to the "internal networks" alias for NAT

Does it mean adding all WG client IPs to "internal networks"?

Thank you
#8
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.

The old setup of WG server and clients is still in place.
WG server: 10.xyz.1/24, DNS is the current internal router.

Done. All client IPs now have routes to the internal router (192.xyz.11).

"- create a static route on the internal router for that same tunnel network pointing to the WG gateway"
I didn't set up a WG gateway in OPNsense, or does it mean setting up the internal router to WG 10.xyz.1/24?
#9
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.

OK, of course there are the client IPs... a route for each client IP?!
#10
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.

- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT

That should do it.

Please excuse another question of understanding:

The WG server already has 7 clients set up from the past.
What exactly should I understand by your instructions, please:
- create another static route on OPNsense for the WG tunnel network via the internal router
                  - add 192.168.x.11 as a gateway in OPNsense
                  - add a static route for 10.xyz.0/24 (?) via that gateway
          --> isn't it the same???
- create a static route on the internal router for that same tunnel network pointing to the WG gateway - should I set up the WG server (49.xyz) as a gateway as well???
- add the WG tunnel network to the "internal networks" alias for NAT

Thank you
#11
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
OK, that went faster than expected. So let's do some community work ;-)

Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp)

1. Get the network structure and routing right - you probably did that already?

- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway

Can you ping the WG server from OPNsense?

Currently not, because the OPNsense gateway cannot find the WG server.

PING 10.xyz.1 (10.0.49.1) 56(84) bytes of data.
From OPNsense Gateway(Internet (opt3)   pppoe0) icmp_seq=1 Destination Net Unreachable

This is the situation before I will start to follow your instructions above.

Update_1:
Setup Gateway and routing --> ping works!
#12
Quote from: Patrick M. Hausen on April 03, 2025, 09:23:55 PM
I can get to writing a more helpful answer tomorrow latest, possibly tonight even, but for now I still have some work to do so please have patience.

Thank you for your reply.
Please take your time, I have not questioned this either!
#13
Quote from: EricPerl on April 03, 2025, 08:35:38 PM
Are you really trying to VPN in through 3 layers of NAT? Modem + OPN + Router?

You shouldn't have to create explicit rules for outbound NAT for this scenario.
That was the 2nd part of the first reply.
I ran a simpler form of this as a test a few weeks back (edge-OPN - internal-OPN-Wireguard-Server) and I did NOT have to mess with outbound NAT on either.


Thank you for your dedicated feedback.

Since your "solution support" is rather limited to accusations and "I solved it differently" maybe you can kindly give me specific hints on my architecture to solve my problem...I can NOT rebuild the architecture right now and I know that OPNsense provides a WG on its own.

Since I am neither a product owner of OPNsense nor a network architect, I have come to the forum in the expectation of a support with "my" problem.


Thank you
#14
Quote from: viragomann on April 03, 2025, 05:29:08 PM
Why don't you just use "add associated filter rule" in Port Forwarding? Then OPNsense would create the correct rule automatically.


If using automatic outbound NAT mode OPNsense should have added a rule for the source of the LAN subnet automatically. This should include 192.168.x.11.

Thanks for responding.

I have now set up the Port Forwarding rule again and OPNsense created the WAN firewall rule automatically! - Are the rules correct?

Modem[Internet](192.168.y.1)  <->  [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1)  <->  Router(192.168.x.11)  <->  WG-Server(10.xyz.1)[PORT:ppp)
Firewall: NAT: Port Forward
    Interface: WAN / Internet?
    TCP/IP: IPv4
    Protocol: UDP
    Destination: Internet address
    Destination port range: ppp
    Redirect target IP: 192.168.x.11[Router]
    Redirect target port: ppp

Firewall: Rules: WAN
    Action: Pass
    Interface: WAN / Internet?
    Direction: in
    TCP/IP version: IPv4
    Protocol: UDP
    Source: any
    Destination: 192.168.x.11[Router]
    Destination port: ppp

I activated the Hybrid mode for Firewall: NAT: Outbound and can't see an automatically generated rule...
1. Why not?
2. If generated manually, is it correct?
Firewall: NAT: Outbound
    Interface = Internet
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = 192.168.x.11
    Source Port: ppp
    Destination: any
    Translation/target = Interface address

Thanks
#15
Team,

I'm looking for the correct routing and ruleset for accessing an internal WG server.

The structure is as follows:

Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp)

Pass rule for the WAN interface to allow connections to the Wireguard port
Firewall: Rules: WAN
    Action: Pass
    Interface: WAN / Internet?
    Direction: in
    TCP/IP version: IPv4
    Protocol: UDP
    Source: any
    Destination: Internet address
    Destination port: ppp

Port Forward rule to forward incoming connections from WAN port to the Wireguard server port
Firewall: NAT: Port Forward
    Interface: WAN / Internet?
    TCP/IP: IPv4
    Protocol: UDP
    Destination: WAN address / Internet address?
    Destination port range: ppp
    Redirect target IP: 192.168.x.11[Router]
    Redirect target port: ppp
 
 
Firewall: NAT: Outbound
    Interface = Internet
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = 192.168.x.11
    Source Port: ppp
    Destination: any
    Translation/target = Interface address

Where is the error or is a routing still missing?

Thank you.
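The difference between the WAN rule written by hand in post #15 (destination: Internet address) and the associated rule OPNsense generated in post #14 (destination: 192.168.x.11) comes from pf's evaluation order: the port forward (rdr) rewrites the destination first, and the filter rules are then matched against the rewritten packet, so a pass rule that still names the WAN address never matches the forwarded WireGuard packet. The following is an added example, not OPNsense code and not from the thread: a small Python model of that ordering. The addresses and the value assumed for the "ppp" port alias are placeholders standing in for the thread's 192.168.x.11 and "ppp".

```python
"""Why the WAN pass rule for a port forward must name the internal target.

Added example, not OPNsense code: a small model of pf's evaluation order,
in which the rdr (port forward) rewrites the destination before the filter
rules are consulted. Addresses and the port value are assumptions standing
in for the thread's placeholders (192.168.x.11, "ppp").
"""

WAN_ADDR = "203.0.113.2"   # assumption: OPNsense WAN address (documentation range)
ROUTER = "192.168.1.11"    # internal router in front of the WG server
WG_PORT = 51820            # assumption: what the "ppp" alias resolves to

PORT_FORWARD = {
    "iface": "wan", "proto": "udp", "dst": WAN_ADDR, "dport": WG_PORT,
    "target": ROUTER, "target_port": WG_PORT,
}

# WAN pass rule as written in post #15: destination is the WAN ("Internet") address.
RULES_WAN_ADDRESS = [{"proto": "udp", "dst": WAN_ADDR, "dport": WG_PORT}]
# Associated filter rule OPNsense generated in post #14: destination is the target.
RULES_TARGET = [{"proto": "udp", "dst": ROUTER, "dport": WG_PORT}]


def apply_rdr(pkt, rule):
    """Return the packet as the filter will see it after the port forward."""
    key = (pkt["iface"], pkt["proto"], pkt["dst"], pkt["dport"])
    if key == (rule["iface"], rule["proto"], rule["dst"], rule["dport"]):
        return {**pkt, "dst": rule["target"], "dport": rule["target_port"]}
    return pkt


def filter_pass(pkt, rules):
    """Any matching pass rule lets the packet through; no match means the default block."""
    return any(
        r["proto"] == pkt["proto"]
        and r["dst"] in ("any", pkt["dst"])
        and r["dport"] == pkt["dport"]
        for r in rules
    )


def inbound_allowed(pkt, rdr, rules):
    """NAT first, then filter: returns (passed, translated_packet)."""
    translated = apply_rdr(pkt, rdr)
    return filter_pass(translated, rules), translated


# Constructed WireGuard handshake packet arriving on WAN from a remote client.
INBOUND = {"iface": "wan", "proto": "udp", "src": "198.51.100.7",
           "sport": 40000, "dst": WAN_ADDR, "dport": WG_PORT}

if __name__ == "__main__":
    for name, rules in (("WAN address", RULES_WAN_ADDRESS), ("target", RULES_TARGET)):
        ok, pkt = inbound_allowed(INBOUND, PORT_FORWARD, rules)
        print(f"rule destination = {name}: {'pass' if ok else 'block'} "
              f"(filter saw dst {pkt['dst']}:{pkt['dport']})")
```

The model covers only the inbound direction and one rule each way; reply packets from the WG server are matched by the state the pass rule created. Getting the filter right still leaves the routing from the thread in place: the forwarded packet goes to 192.168.x.11 on the directly connected LAN, while reaching the tunnel network 10.xyz.0/24 behind that router needs the static route via 192.168.x.11 described in posts #7 and #11.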