Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - issuing_scone

Pages1
#1
General Discussion / Re: Intermittent traffic drops
December 22, 2025, 10:44:51 PM
Solution was simple and an oversight on my part.

I had created a NAT outbound rule for LAN devices, but I had forgotten to make one for WireGuard devices. The reason the result was intermittent was because the firewall was allowing traffic until sessions died, at which point it would begin blocking attempts to renew sessions that were expired.

While Live View showed traffic being blocked by the default deny rule on the VPN interface, that stopped when the NAT outbound rule was made, meaning that kill switch etc. were not interfering, but just appearing as if part of the cause while they weren't actually. It also explains why the any any allow rule didn't do anything, - it wasn't a firewall rule causing the block.

Sleeping on an issue does wonders. :-)
#2
General Discussion / [SOLVED] Intermittent traffic drops
December 21, 2025, 06:19:50 PM
Hello,

My network currently has the following requirements:

* All specified devices must always be connected to the internal network.
* All specified devices must always exit the network via the company-provided VPN service.
* All specified devices must kill-switch, so if the company-provided VPN drops, all devices must too.

In isolation, without all three being active at once, the current setup in OPNsense works.

I have followed the kill switch guide that is available here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, and set up the local tag NO_WAN_EGRESS for LAN and with a match for the Floating Rule.

However, when I create that blocking rule, the WireGuard always-on devices drop access to the external network and solely function internally.

I can see in Live View that, indeed, it is blocking traffic, but despite several configurations including a literal any / any, the traffic is still blocked by the default deny rule state violation rule. Further, it is intermittent, so that devices will occasionally connect to external websites, or a ping will execute 5 times correctly, before then dropping and dying and being blocked again.

I cannot for the life of me figure out what causes the intermittent drop where it will work 40% of the time and not the rest. I also cannot figure out why the NO_WAN_EGRESS rules interfere with the WireGuard clients.

I've attached all the images I had space to attach because 256KB is the limit. Do note that all firewall rules for WG have the NO_WAN_EGRESS tag. Further, the WAN interface has no rules.

WireGuard_Devices contains two test devices that have WireGuard installed and are connected to the firewall. Their IP addresses are 10.5.0.1 and 10.4.0.1.
Pages1