Messages - mfpb

#1
I forgot to mention that I'm using a DNAT rule:

On any interface, from any source to the WAN address on port 443, traffic is translated to 192.168.10.10:443.

So I only have issues when a device on vlan6 tries to connect via NAT. If it connects directly to 192.168.10.10, everything works.

After that, I tried to create a single DNAT rule applied only to the vlan6 interface. However, the firewall still detects traffic on the vlan2 interface. I also tried disabling the vlan2 interface and removing the VLAN from the L2 switch. Nothing changes.
#2
Hello,

I have two OPNsense 26.1.4 instances with the same configuration (but different CIDRs).

OPNsense A (no issues) was updated from 25.x to 26.1, and then the firewall was migrated to the new rules.
OPNsense B (has issues) was installed fresh. The legacy firewall rules were manually copied from OPNsense A, and the firewall was migrated to the new rules.

I have a native network and several VLANs:

native: 10.0.0.0/24
vlan2: 10.0.2.0/24
vlanN: 10.0.N.0/24
vlan6: 10.0.6.0/24

These networks are grouped into interface groups:

group1: native, vlan2, ...
group2: vlan6, ...

I also have a VIP (IP alias), which I tried binding to the loopback or the native interface: 192.168.10.10
OPNsense HAProxy is bound to the VIP address on port 443.

Firewall rules:

Allow IN on interface "group1" from any to "This Firewall" TCP/443
Allow IN on interface "group2" from any to "This Firewall" TCP/443

When I try to access the VIP from a computer in vlan6, the traffic is blocked.

In the live logs, I see:

block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443

If I disable the rule "allow IN interface 'group2' ...", I get:

block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443

I don't understand why vlan2 appears in the first case, and why it is blocked.
#3
General Discussion / Setup tun interface
September 02, 2025, 01:46:27 PM
Hello!

I want to set up a tun interface permanently.

I tried to use /etc/rc.conf.d/tun and /etc/rc.conf:

cloned_interfaces="tun0"
ifconfig_tun0_name="mytun0"

But after a reboot nothing changes.
I tried to create it manually with ifconfig and it works, but only until the next reboot.