Topics - M4DM4NZ

#1
Hi guys,

I'm running the 19.1 clean install on an Intel NUC.

In the past I've been able to run my WAN connection PPPoE via a USB3 to Ethernet dongle using OPNsense versions 17 and 18, but 19 is being very fussy.

I've tried about 4 different USB to Ethernet adapters, and they all "detect" as bind-able interfaces, but all have some trade-offs/issues.

Most are unstable, and will connect to my ISP for almost 1 min, then disconnect.
Others will connect and stay connected, but limit my speed to 40Mbit.

Pretty frustrating, any idea on workarounds? Kernel update maybe, I dunno...

Cheers.
#2
Hey Guys,

Just letting you know I found a bug: every time I click on Reporting > Traffic Graph and wait for a little while and watch the PCs on my network show traffic out the WAN, the WAN connection disconnects after about 20sec.

The only way to get it back is to disable/re-enable the WAN interface or reboot the PC.

Details:
OPNsense 18.1.6-amd64
FreeBSD 11.1-RELEASE-p9
OpenSSL 1.0.2o 27 Mar 2018

Running on Intel NUC with USB to ethernet as WAN interface (if that helps)

Let me know if you need any other info.

Cheers.
#3
17.7 Legacy Series / Interface Lost on Reboot
August 07, 2017, 08:11:25 AM
Hey guys,

Did a clean install of 17.7 on my Intel NUC on the weekend, fresh install with no plugins/mods enabled,
Got my LAN interface setup as re01, and WAN setup as ue0.

The WAN interface is a USB to Ethernet dongle (plug), whatever, and it all works fine. Don't have any rules set up yet, it's pretty much a clean install.

Problem is, if I reboot or cold boot the system, the WAN interface disappears!
When I log back in to the GUI, the WAN interface is just "unassigned" and I have to add it again to get it working.

I've tried about 4 different brands of USB to Ethernet interfaces, and they all work perfect, until I reboot.

Can anyone explain what's happening here?

Cheers.
#4
Hey Guys,

Having a problem with OPNsense. I'm running 17.1.8 on an Intel NUC, my WAN connection is a USB to Ethernet dongle, and after configuring the interface everything works fine.

BUT, once I reboot the PC the WAN interface just disappears, and I have to manually add it again in the interfaces menu.

Weird huh? Anyone else come across this issue?
#5
Hi Guys,

Below is a step-by-step guide to configuring OPNsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

===================================================================
Step 1:

Get all your certificate information together: (cert files supplied from your private VPN provider)

  - VPN_Provider.ovpn
  - CA.crt (Certificate Authority)
  - TA.key (OpenVPN Static key V1)
  - User.crt (User Certificate)
  - User.key (RSA Private Key)

===================================================================
Step 2:

Navigate to System > Trust > Authorities, "add or import CA"

- Descriptive name: VPNCA
- Certificate data: (paste the contents of your CA.crt file here)
- Certificate Private key: (paste the contents of your user.key file here, AKA RSA Private Key)
- Serial for next Certificate : None

SAVE

===================================================================
Step 3:

Navigate to System > Trust > Certificates, "add or import certificate"

- Method: Import an existing Certificate
- Descriptive name: none
- Certificate data: (paste the data in your user.crt file here)
- Private key data: Leave blank, otherwise enter your user.key data here, mine was manually entered in on the next step.

SAVE

===================================================================
Step 4:

Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings: (some may differ depending on your VPN provider)

- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: UDP (check your ovpn file)
- Device Mode: tun (check your ovpn file)
- Interface: (Your WAN interface)
- Local port: 443 (check your ovpn file)
- Server Host or Address: 123.45.67.890 (check your ovpn file)
- Server Port: 443 (check your ovpn file)
- Server host name resolution: Ticked
- Description: "Name of your VPN Provider"

Cryptographic Settings:

- TLS Authentication: Ticked (paste the data in your ta.key file here, AKA OpenVPN Static key V1)
- Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
- Client Certificate: Select "Userkey CA:VPNCA *In Use"
- Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit lock)
- Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
- Disable IPV6: Ticked
- Advanced Configuration: "Paste the below data into the field"
   
   persist-key
   persist-tun
   remote-cert-tls server
   auth-nocache
 
- Verbosity level: 3

SAVE

NOTE: The first time you enter this page, the "TLS Authentication" section to paste your ta.key does not show up until you've clicked save. So go back to this menu after saving, and paste it in.

===================================================================
Step 5:

Check to see if your VPN connection is online,

- Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words " Initialization Sequence Completed "
If you've come this far you're on the right track :)

===================================================================
Step 6:

- Navigate to Interfaces > Assignments
- Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
- Click the orange "+" button
- Tick Enable Interface and Save
- Description = VPN (note this is a "Virtual" interface, it's not referenced to a physical Ethernet port)
- IPV4 Configuration type = DHCP
- IPV6 = None
- Note: Leave all other settings as default (empty/unticked)

===================================================================
Step 7.

- Navigate to Firewall > Aliases > View
- Add a new Alias
- Name: VPNTraffic
- Description : VPNTraffic
- Type: Host:
- First entry: 192.168.X.X

NOTE: (Enter the IP address of computers/devices you want to be on the VPN here. I personally enter the IP address of my wireless router I have attached to my LAN. The wireless router has DHCP enabled, so all wireless devices connected to this access point have their traffic passed via the VPN.)

If you don't have a spare Wifi router, you can manually add IPs of computers on your network here.

My Network Map:  WAN--->Opnsense--->LAN--->Switch--->Wifi router running its own DHCP - - - -> "Wireless devices"

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing, the whole point of making aliases is important, and it won't work without them.

- SAVE
===================================================================
Step 8:

Ok so here's the weird part. This had me going nuts for a while, but after a bottle of Jack Daniel's Tennessee Honey, it finally clicked!
You NEED to use aliases rather than specifying IP ranges directly, it makes all the difference for some reason, even though the concept is the same.

- Navigate to Firewall > NAT > Outbound
- Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
- Add a new rule

Rule 1.
- Interface: VPN (The one you created in Step 6)
- Source: VPNTraffic ( The alias you created in Step 7)
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any

Rule 2. (Same as Rule 1, but....)
- Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
- Static Port: Ticked
NOTE: Leave ALL other options as default/any

Rule 3.
- Interface: VPN (The one you created in Step 6)
- Source: Single host or network, 127.0.0.0 / 8
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

- Apply settings.
====================================================================
Step 9.

- Navigate to Firewall > Rules > LAN
NOTE: The order of Rules from top to bottom on this page matters:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
- Interface: LAN
- TCP/IP Version: IPv4
- Source: VPNTraffic (Alias)
- Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffic out via the default gateway "WAN")

- Interface: LAN
- TCP/IP Version: IPv4
- Source: Any
- Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway, the name might be different depending on your WAN connection method)

- Apply settings

NOTE: All other tabs in my rules section, eg OPENVPN/VPN/WAN, are empty, NO RULES exist.
Your settings may differ, but that's the basic setup. Also, check:
https://www.dnsleaktest.com/ and
https://www.ipchicken.com/
after you've completed these steps.
=================================================================
DONE :)

If I've missed anything, feel free to troll ;)

Cheers
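
Several Step 4 fields in the guide above say "check your ovpn file". The following is an added example, not part of the original post or of OPNsense: a small Python parser that reads a provider profile and maps its directives onto the Step 4 form labels. The profile text is constructed, and `parse_ovpn` and `opnsense_fields` are names chosen for this illustration.

```python
import re

# Constructed sample profile, not a real provider's file (203.0.113.10 is a documentation address).
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.0.113.10 443
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
<ca>
(constructed placeholder, no real certificate)
</ca>
<tls-auth>
(constructed placeholder, no real key)
</tls-auth>
"""

INLINE = re.compile(r"<(ca|cert|key|tls-auth)>\s*\n(.*?)\n\s*</\1>", re.S)
ADVANCED = ("persist-key", "persist-tun", "remote-cert-tls", "auth-nocache")

def parse_ovpn(text):
    """Split a client profile into {directive: args} and {inline block: contents}."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE.finditer(text)}
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":  # skip blanks and comments
            name, _, args = line.partition(" ")
            directives.setdefault(name, args.strip())  # first occurrence wins
    return directives, blocks

def opnsense_fields(text):
    """Map profile directives onto the Step 4 form labels used in the guide."""
    d, blocks = parse_ovpn(text)
    remote = d.get("remote", "").split()  # "remote host [port] [proto]"
    return {
        "Protocol": (remote[2] if len(remote) > 2 else d.get("proto", "udp")).upper(),
        "Device Mode": d.get("dev", "").rstrip("0123456789"),
        "Server Host or Address": remote[0] if remote else None,
        "Server Port": remote[1] if len(remote) > 1 else d.get("port", "1194"),
        "Encryption": d.get("cipher"),
        "Auth Digest Algorithm": d.get("auth"),
        "TLS Authentication": "tls-auth" in blocks or "tls-auth" in d,
        "Advanced Configuration": [f"{n} {d[n]}".strip() for n in ADVANCED if n in d],
        "Inline blocks": sorted(blocks),
    }
```

The "Inline blocks" entry shows which of the Step 1 files are embedded in the profile itself; anything missing from that list has to come from a separate file supplied by the provider.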