Messages - leony

#1
26.1, 26,4 Series / Re: Wireguard VPN
April 11, 2026, 07:01:44 PM
Quote from: Patrick M. Hausen on April 11, 2026, 05:57:21 PM
You should have assigned WAN to the PPPoE interface. PPPoE and WAN are supposed to be one and the same thing if your uplink works via PPPoE.

You are right, the problem was the interface assignments and in return wrong firewall entries.

All good now thanks for your help.
#2
26.1, 26,4 Series / Re: Wireguard VPN
April 11, 2026, 05:01:52 PM
I have finally resolved the problem. The answer was my original question. Shall the firewall rules be applied to the WAN or PPPoE Interface?

I have removed the WAN firewall entry and added the same to the PPPoE Interface and that did the trick.

To all having the same problem, this is the answer. Many thanks
#3
26.1, 26,4 Series / Re: Wireguard VPN
April 09, 2026, 12:52:21 PM
Thanks I will figure out somehow to do trial and errors. Hopefully will get there.

Finally can you please advise if adding peer in attached way is correct? I won't use the peer generator. I am a bit confused particularly with Public Key and Allowed IPs (Peer Generator and manual adding seem to be a bit different to me)
 
#4
26.1, 26,4 Series / Re: Wireguard VPN
April 09, 2026, 11:20:22 AM
Sorry I was playing around with the Firewall, realised it was a mistake in the source and destination.

MTU was lowered yes.

Disabled/enabled instance and the device was rebooted.

Generally I tested to log from external network.

I will get another firewall, different location and try again, if this also does not work, it is probably either me or there are real problems with wireguard setup with Opnsense. I am not sure how others make this work, as you said adding peer is a very painful process, it is possible that I may have done something wrong with the peer configuration files.

Ps: Is Open VPN setup a less painful process? Any guides? I have a very simple setup as you have seen from the images, all I want is to have VPN access to the local network and connect to the internet as well once VPN is established.
#5
26.1, 26,4 Series / Re: Wireguard VPN
April 09, 2026, 10:30:02 AM
Please see attached. I am having trouble adding peer though using peer generator. Without pressing store text, it never saves (but it is already ticked). When I press, the keys change. When I finally save, endpoint info does not appear on the peer, which I need to add manually again. Not sure if these are known bugs for version 26.1.2.

I have also created normalisation rule for Wireguard (Group) as per the document, if you need me to attach it as well, please let me know, thank you.
#6
26.1, 26,4 Series / Re: Wireguard VPN
April 08, 2026, 04:47:16 PM
Hi,

I have static IP so no need for Dynamic DNS etc..

I think I will give up. It simply doesn't work. Should not be this difficult. And for the note I believe Opnsense is quite buggy in Wireguard (especially for peer generator). Anyway I won't go into the details much. Please see the firewall log which I could get, the packets simply being discarded for the reason I don't understand.
#7
26.1, 26,4 Series / Re: Wireguard VPN
April 08, 2026, 01:18:43 PM
Quote from: meyergru on April 08, 2026, 12:06:06 PM
Obviously your clients cannot connect from outside. That may be because of different reasons, it can even fail before your own WAN firewall rule kicks in, like:

- bad DNS resolution, so that your client cannot find your Wireguard endpoint.
- double NAT setup (router-behind-router), like when your OpnSense is behind an ISP router instead of a bridge modem or ONT.
- your ISP providing CG-NAT only, which essentially is double NAT as well.

Hi,

There is no double NAT. Bridge modem + Opnsense only.
No CG-NAT. I have real IPv4 address if this is what you mean.

What is Bad DNS resolution and how can I troubleshoot it?

And also if you kindly show me how to check the logs for information, will be appreciated.
#8
26.1, 26,4 Series / Re: Wireguard VPN
April 08, 2026, 11:41:12 AM
Hi,

Unfortunately I still cannot figure out what I have done wrong.

Steps taken as per the road warrior setup:

1) Wireguard Instance created

2) Client peer generated using the peer generator (MTU value is for the PPPoE)

3) Interface assigned

4) Firewall rule has been done for WAN

5) Firewall rule has been done for Interface

6) Normalisation rules have been done as per the guides.

When I am connected to the LAN and turn on wireguard, handshake is done however from outside there is no handshake. I wonder if the firewall does not allow the connection or is there something else? Please see the PDF file attached with the steps showing the screenshots.

I am not sure how to check the logs though, I am new to Opnsense, if you need logs, I will try to provide them.
#9
26.1, 26,4 Series / Re: Wireguard VPN
March 28, 2026, 02:47:31 PM
Quote from: meyergru on March 28, 2026, 01:48:45 PM
What would be the difference between WAN and pppoe0?

One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.

That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, like your example clearly shows.

You have to understand how things work, otherwise you will be stuck at each crossing.

With a PPPoE connection, you can have one of these topologies on the WAN side:

1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")

With OpnSense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT" either, as per default, everything is blocked.

You obviously use it differently, which causes your confusion:

ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")


Many thanks

I have a very simple setup. No VLANS. 

ISP -> PPPoE (WAN) -> LAN Devices

So I did apply the firewall rules to the WAN interface as per the video, so what could be wrong?

Is there a way to check logs or something else that I can identify the problem?
#10
26.1, 26,4 Series / Wireguard VPN
March 28, 2026, 01:03:11 PM
Hi

I have setup wireguard instance and clients as exactly in this video, it clearly shows what to do.

However when I connect to the server, it establishes connection but packets are not received.

The only difference is I have pppoe connection (as interface), however I have allowed Wireguard port on the WAN firewall only.

Do I need to open firewall port on pppoe interface rather than WAN? Or how can I troubleshoot? Thanks.
#11
Thank you,

As a starting point, I will try as you have suggested, 1 network range for each physical interface.

So from what I understand, these separate LANs still can communicate with each other and to eliminate this, I will need firewall rules to block traffic. I need a search on this.

Out of curiosity, if my whole network is good enough with 3 separate LANs, and I already have separate ports on the firewall, I won't need to implement any VLANs?

Is there any advantage to implement VLANs, I believe the goal is to create separate networks, which I am already doing it with separate physical ports?

#12
Hi

I am new to Opnsense and watching related videos.

I have a 5 port firewall device where 1 is WAN and the other is LAN by default.

Just wondering without buying managed switches, use the existing unmanaged switches that I have and use:

The default LAN port for trusted network (192.168.1.0 range)

The 2nd LAN port for Guest network (192.168.10.0 range)

The 3rd LAN port for IoT devices (192.168.20.0 range)

And use the remaining LAN port same way if required.

The ports do not have to communicate with each other, as long as there are assigned correct IP ranges and have access to the internet, that will be a start for me.

Can you explain briefly or send me links to read how this can be done?

VLANs using the same physical port and managed switches will be my next step forward.
#13
25.7, 25.10 Legacy Series / Re: Crash on startup
October 22, 2025, 01:32:10 PM
Quote from: cookiemonster on October 20, 2025, 10:44:14 PM
Did you try my last suggestion, what was the outcome?

Yes your solution has worked. I removed the USB mouse (kept the keyboard on) and rebooted the system. I can now see the console.

I am not asking the reason (do I need to know?) At the end of the day we would need keyboard, not the mouse using the console?
#14
25.7, 25.10 Legacy Series / Re: Crash on startup
October 20, 2025, 03:30:05 PM
Quote from: cookiemonster on October 20, 2025, 02:50:03 PM
All I can guess is that the console needs waking up but that is actually "there". I can't think of a way the console would be only available on boot but not reboot.
Can you try that, reboot, wait for the time when you can get to the UI so the system is fully initialised, then use the keyboard to see if the console (the login prompt in this case) comes up?

Or at a wild guess on a reboot if you are using EFI, that maybe there's a buffer variable kept and is not initialised ? Truly wild guess, thinking aloud here.

Thank you, if anyone else has a suggestion I will appreciate. As I said I am new to Opnsense, if I have to send the hardware back and get another one, I will do so.
#15
25.7, 25.10 Legacy Series / Re: Crash on startup
October 20, 2025, 01:49:00 PM
Thanks, I've checked and there is only 1 x NVMe Drive + with UEFI

I have disabled the boot logo, now I can see attached Image 1 (before this, the screen was blank). Every time I reboot the system, from this stage it does not go forward to the login page.

However, Opnsense boots fine in the end and I can access to the web interface with another device (Image 2)

This now only happens on reboot. If I power on + off, everything works fine.

Let me know the possible causes pls.