Topics - nerd

#1
25.7, 25.10 Series / wireguard not passing traffic?
September 02, 2025, 10:33:34 AM
So, I have been running OPNsense with wireguard on top of it for quite a while now, but have recently noticed my wireguard setup isn't working anymore.
Both my peer devices (mobile phone and laptop) are having issues.
FW has a rule to allow any to WAN_addr udp 1234
A record remote.domain.tld resolves to this WAN_addr
I have wg0 tied into my VPN interface and have a VPN_net allow any any rule set.
Tunnel address is an internal subnet x.y.z.1/24.
Peer endpoint address is remote.domain.tld:1234 (non-default port).
Peer address is x.y.z.2/32 and x.y.z.3/32
Peers allowed IPs is 0.0.0.0/0

Symptoms:
Peer shows tunnel state active, I can see traffic sent (on the peer), but none received.
Interface shows status up, but down for both peers and transfer sent/receive does not move. Any way to reset these statistics?

Why is this not working anymore?
#2
Curious. Is Firewall > Diagnostics > Aliases supposed to contain no packet or byte data?  Or am I missing a setting somewhere?
#3
25.7, 25.10 Series / Assign prefix ID
July 27, 2025, 11:14:53 PM
Can someone explain the details regarding getting/offering the correct/a specific prefix from an ISP?

Say I should get the following range:
e.g. 2001:db8:ffff:ff00:0000:0000:0000:0000/56
The prefix in this would be 2001:db8:ffff:ff00::0/56

Now, say I want 2001:db8:ffff:ff01::0/64 for vlan 1, 2001:db8:ffff:ff02::0/64 for vlan 2 and 2001:db8:ffff:ff79::0/64 for vlan 79.
How do I go about configuring OPNsense prefix IDs to enable that?

Should the prefix ID be 01 for vlan 1, 02 for vlan 2 and 79 for vlan 79?

Or am I completely wrong here? Or is my ISP not giving me the correct range?
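As an added worked example (not code from the post or from OPNsense), the arithmetic behind the question above: a /56 delegation leaves 64 - 56 = 8 bits for the prefix ID, so the delegated prefix and the two-hex-digit ID typed into the interface's IPv6 Prefix ID field combine into that VLAN's /64. It assumes the ID is read as hexadecimal, as the OPNsense field does; the function names and the sample delegation are constructed for illustration.

```python
import ipaddress

# Constructed sample delegation, taken from the post above (documentation prefix).
DELEGATED_PREFIX = "2001:db8:ffff:ff00::/56"


def delegated_subnet(delegated_prefix, prefix_id, subnet_len=64):
    """Return the /subnet_len network that prefix_id selects inside the delegation.

    With a /56 delegation there are 8 ID bits, so valid IDs are 0x00..0xff and
    ID 0x79 lands in the low byte of the fourth hextet: ff00 -> ff79.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=False)  # mask off host bits
    id_bits = subnet_len - pd.prefixlen
    if id_bits <= 0:
        raise ValueError(f"{delegated_prefix} has no room for /{subnet_len} subnets")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits")
    network_int = int(pd.network_address) | (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((network_int, subnet_len))


def plan_vlans(delegated_prefix, vlan_to_hex_id):
    """Map VLAN number -> /64, taking prefix IDs as the hex strings entered in the GUI.

    Note the pitfall: "79" read as hex is 0x79 (-> ff79), but 79 read as decimal
    is 0x4f (-> ff4f), so always convert the GUI string with base 16.
    """
    return {vlan: delegated_subnet(delegated_prefix, int(hex_id, 16))
            for vlan, hex_id in vlan_to_hex_id.items()}


def delegation_covers(expected_prefix, observed_prefix):
    """Check that the prefix the ISP actually handed out lies inside the expected range."""
    expected = ipaddress.IPv6Network(expected_prefix, strict=False)
    observed = ipaddress.IPv6Network(observed_prefix, strict=False)
    return observed.subnet_of(expected)


if __name__ == "__main__":
    plan = plan_vlans(DELEGATED_PREFIX, {1: "01", 2: "02", 79: "79"})
    for vlan, net in sorted(plan.items()):
        print(f"vlan {vlan:>3}: {net}")
```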




#4
My wireguard plugin shows up as missing (in red).

Name                      Version  Size  Tier  Repository  Comment
os-wireguard (missing)    N/A      N/A   N/A   N/A         N/A


When I click the + to install I get this 'warning': "Third party software
This software package is provided by an external vendor, for more information contact the author?"

When ignoring that warning and clicking install it doesn't appear to have anything to install:
***GOT REQUEST TO INSTALL***
Currently running OPNsense 24.7.2 at Tue Aug 27 21:19:10 CEST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-wireguard' have been found in the repositories
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***


Strange thing is though.. wireguard seems to be working. My client is able to connect and pass traffic.
So how do I get my system to show up correctly?  Rebooting did not help unfortunately.
#5
For every VLAN, including WAN, my FW has automatically created the following rule (hidden under the "Automatically generated rules" pulldown menu).


Protocol  Source  Port  Destination  Port  Gateway  #  Schedule  Description
IPv4+6 *  *       *     *            *     *        *  *         let out anything from firewall host itself


I would understand if the source would be VLAN_address, but not an allow any to any.
Since it is autogenerated, I can not simply delete or adapt this rule either.

Hopefully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?
#6
22.7 Legacy Series / Rename interface
December 08, 2022, 04:50:18 AM
So I understand we can name interfaces and the likes, but for reasons unknown I have the following interfaces:

My_actual_LAN (opt2, vtnet3)
NOT_my_actual_LAN (lan, vtnet1)

So yes, I have already changed the 'lan' into something to my liking (i.e. NOT_my_actual_LAN) but I'd like these to match regardless.

So far, my idea is to go into a backup and change any 'opt2' into 'lan' and vice versa and then restoring that new config.
So first question: will this do what I think it does and not mess anything up if I do it correctly?
And secondly, is there an easier fix to make the system understand that vtnet3 is the actual LAN interface instead of vtnet1? Because the backup looks pretty daunting.  ;D

Line  272:       <interfaces>opt2,lan</interfaces>
Line  412:     <opt2>
Line  422:     </opt2>
Line  484:     <opt2>
Line  517:     </opt2>
Line  585:           <network>opt2</network>
Line 1243:         <network>opt2</network>
Line 1669:       <interface>opt2</interface>
Line 1677:         <network>opt2</network>
Line 1696:       <interface>opt2</interface>
Line 1704:         <network>opt2</network>
Line 1723:       <interface>opt2</interface>
Line 1730:         <network>opt2</network>
Line 1748:       <interface>opt2</interface>
Line 1755:         <network>opt2</network>
Line 1774:       <interface>opt2</interface>
Line 1781:         <network>opt2</network>
Line 1800:       <interface>opt2</interface>
Line 1808:         <network>opt2</network>
Line 1827:       <interface>opt2</interface>
Line 1835:         <network>opt2</network>
Line 1854:       <interface>opt2</interface>
Line 1862:         <network>opt2</network>
Line 1881:       <interface>opt2</interface>
Line 1889:         <network>opt2</network>
Line 1908:       <interface>opt2</interface>
Line 1916:         <network>opt2</network>
Line 1935:       <interface>opt2</interface>
Line 1944:         <network>opt2</network>
Line 1963:       <interface>opt2</interface>
Line 1969:         <network>opt2</network>
Line 1988:       <interface>opt2</interface>
Line 1995:         <network>opt2</network>
Line 2014:       <interface>opt2</interface>
Line 2040:       <interface>opt2</interface>
Line 2066:       <interface>opt2</interface>
Line 2092:       <interface>opt2</interface>
Line 2119:       <interface>opt2</interface>
Line 2125:         <network>opt2</network>
Line 2618:     <interface>opt3,opt2,opt1,lan</interface>
Line 2626:     <interfaceslistfilter>opt3,opt2,opt1,lan,wan</interfaceslistfilter>
Line 2628:     <traffic_graphs_interfaces>opt2,opt1,lan,wan</traffic_graphs_interfaces>
Line 3587:     <opt2>
Line 3612:     </opt2>
Line 3707:         <iface_array>opt2</iface_array>
#7
Virtual private networks / OpenVPN oddities?
November 05, 2022, 05:10:17 PM
I am halfway through setting up a ProtonVPN connection (using OpenVPN) to route a specific VLAN through this VPN.

So far I have configured the ProtonVPN/OpenVPN and am able to connect.
What I don't understand is:

1) if this VPN is connected, my other traffic fails/gets interrupted before I even configured any rules to use this VPN. To post this message I had to disconnect the VPN.
Looking at gateways, 2 OpenVPN gateways (IPv4 and IPv6) have been created automatically, but both have preference 255 while my normal WAN has 254 which should have preference, right?

2) With this VPN active I get 2 Firewall: Rules: OpenVPN options. Adding rules to one does not influence the other so they are not the same. It seems the system has automatically created one of these 'interfaces'? Giving my interface another description changes one of these.
Even after disabling my OpenVPN interface 1 Firewall: Rules: OpenVPN remains.
Where is the other -default one(?)- coming from?  I only have a single OpenVPN interface (opt5, ovpnc1).
#8
Since Jan 28th the Intrusion Detection service of my opnsense install has been 'crashing'.
I can find the error below being repeated since. No idea what I did on Jan 28th or if I did anything to cause this.

2022-03-03T12:22:19 Error suricata [101865] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:vtnet4/R failed: Invalid argument
2022-03-03T12:21:09 Notice suricata [100250] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode


vtnet4 is one of my interfaces, but how do I go about figuring out what is going wrong here?
I can start the service, but a minute later it stops again.
#9
21.7 Legacy Series / RA interfaces using wrong names?
November 10, 2021, 12:38:55 PM
I have renamed all my interfaces and this shows up pretty much everywhere now.
In fact, what the system thinks is LAN is now my WAN.

Works great until I tried setting RA for my interfaces. There the RA interface suddenly used the default WAN, LAN, OPT1 OPT2 etc. naming.
Now the RA interface for my DMW shows as LAN. My actual LAN shows OPT1 as RA interface.

Is there any reason for using the original interface names here instead of whatever I named them?
#10
21.7 Legacy Series / IPv6
November 03, 2021, 09:11:56 PM
The following DHCPv6 solicit from my old fritzbox router gives me what I want when connecting with the fritzbox: my ISP returning my fixed IPv6 prefix which I can then use.

DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x1566a5
    Elapsed time
    Client Identifier
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 117794bc
        T1: 0
        T2: 0
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 0
            Valid lifetime: 0
            Prefix length: 0
            Prefix address: ::
    Reconfigure Accept
        Option: Reconfigure Accept (20)
        Length: 0
    Option Request
        Option: Option Request (6)
        Length: 18
        Requested Option code: DNS recursive name server (23)
        Requested Option code: NTP Server (56)
        Requested Option code: Simple Network Time Protocol Server (31)
        Requested Option code: Identity Association for Prefix Delegation (25)
        Requested Option code: Prefix Exclude (67)
        Requested Option code: Vendor-specific Information (17)
        Requested Option code: SOL_MAX_RT (82)
        Requested Option code: INF_MAX_RT (83)
        Requested Option code: PCP Server (86)
    Vendor Class


Now I am trying to do the same with OPNsense but failing horribly.
Can anyone point me to the correct syntax to request those options?
#11
21.7 Legacy Series / WAN iface ignores DHCP OFFERs?!
November 03, 2021, 07:20:34 PM
Euhm..

Was trying to get IPv6 working on my new OPNsense install.
Moved the server running OPNsense to my lab, reconnected it and now OPNsense seems to ignore any and all DHCP (IPv4) OFFERs coming in from the ISP. OFFERs seem to get lost somewhere between host and client.
Switch port-mirror sees the OFFERs but a packet capture from OPNsense WAN interface doesn't. Mmm.

Running this on Proxmox host. I don't need any special config for the interfaces right?
Any ideas on how to troubleshoot this further?

sigh.. why does the solution always appear shortly after I've made an idiot of myself on a public forum?
I just wasted several hours because of this.
Solution: I had an 802.1Q tagged public VLAN on the Proxmox host but an untagged/native VLAN on the switch. :-[