24.1 Production Series / 24.1.5: WireGuard routing/masquerading issue? How to rollback?
« on: April 05, 2024, 12:24:55 am »
I will do a poor job of explaining this, and my apologies for that in advance.
I was at the most recent version of OPNSense, and everything was working fine.
I updated to 24.1.5_1 this morning, and one of my WireGuard tunnels - whilst up - is not routing/passing packets as it did prior to this version being installed.
The interface (wg3) receives packets from the peer (I can remotely access the peer, and send ICMP or other traffic to the IP address of the wg3 endpoint on my OPNSense box).
However, no outbound packets traverse that interface, despite there having been no changes to my configuration for Wireguard for quite some time.
I have firewall rules in my OPNSense to permit certain hosts on my LAN to send to the remote peer, and am using outbound masquerading to masquerade as the "Interface address" for those packets -- again, nothing has changed here, and it was routing/passing packets just fine until this update.
I've tried a few reboots, just in case that might "clear something up", but to no avail.
On my OPNSense box, listening on the wg3 interface, I can see my remote peer's ICMP coming in:
listening on wg3, link-type NULL (BSD loopback), capture size 262144 bytes
09:18:16.311527 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 256, length 64
09:18:17.335410 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 257, length 64
09:18:18.359476 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 258, length 64
09:18:19.383596 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 259, length 64
But nothing is returned from 10.200.202.1, which is the wg3 interface.
WireGuard reports that it is up and handshakes are working fine, which is obviously the case or the ICMP wouldn't make it in.
I have several other WG interfaces, all of which are working fine as far as I can tell (Dashboard says all gateways are up, and packets seem to be flowing).
The only thing that is different about this particular interface (wg3) is that it's only meant to be listening on localhost, which means that the traffic to the remote endpoint needs to go to another process on my OPNSense box which is also listening on localhost.
Again, this was all working great till I updated, now not so much.
If I can't figure out a quick fix for this one, what's the right/best way to "rollback" OPNSense installs to the previous version whilst I ponder this a bit more?
Thank you!
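As an added example (not part of the original post): a small Python script that scans a tcpdump capture like the one above and reports ICMP echo requests that never received a matching reply, which is exactly the one-way pattern seen on wg3. The embedded capture consists of the four lines from the post plus a constructed, healthy exchange on a hypothetical 10.200.201.0/30 pair for contrast.

```python
import re

# Matches tcpdump's default ICMP echo line format, as in the capture in the post.
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: the four requests from the post (no replies) plus one
# hypothetical request/reply pair on another tunnel that does answer.
SAMPLE_CAPTURE = """\
listening on wg3, link-type NULL (BSD loopback), capture size 262144 bytes
09:18:16.311527 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 256, length 64
09:18:17.335410 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 257, length 64
09:18:18.359476 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 258, length 64
09:18:19.383596 IP 10.200.202.2 > 10.200.202.1: ICMP echo request, id 49148, seq 259, length 64
09:18:20.000001 IP 10.200.201.2 > 10.200.201.1: ICMP echo request, id 7, seq 1, length 64
09:18:20.000900 IP 10.200.201.1 > 10.200.201.2: ICMP echo reply, id 7, seq 1, length 64
""".splitlines()


def parse_icmp(lines):
    """Yield (ts, src, dst, kind, id, seq) for each ICMP echo line; other lines are skipped."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def unanswered_echoes(lines):
    """Return echo requests with no reply carrying the same id/seq in the reverse direction."""
    pending = {}  # (src, dst, id, seq) -> timestamp of the request; dict keeps arrival order
    for ts, src, dst, kind, ident, seq in parse_icmp(lines):
        if kind == "request":
            pending[(src, dst, ident, seq)] = ts
        else:
            pending.pop((dst, src, ident, seq), None)  # reply swaps src/dst
    return [{"ts": ts, "src": k[0], "dst": k[1], "id": k[2], "seq": k[3]}
            for k, ts in pending.items()]


def one_way_pairs(lines):
    """Count unanswered requests per (src, dst) pair; a non-zero count flags a one-way path."""
    counts = {}
    for r in unanswered_echoes(lines):
        counts[(r["src"], r["dst"])] = counts.get((r["src"], r["dst"]), 0) + 1
    return counts


if __name__ == "__main__":
    for (src, dst), n in one_way_pairs(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {n} echo request(s) without reply")
```

Feed it a real capture with `tcpdump -ni wg3 icmp | python3 script.py` style piping by reading `sys.stdin` instead of `SAMPLE_CAPTURE`; a pair that only ever shows up here points at the return path (routing or NAT) rather than at the tunnel handshake.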