Topics - ricksense

#1
Hi everyone,

I have set a virtual LAB UP in eve-ng, and I gave the OPNsense 25.1 High Availability a go for the first time, before deploying them in a production environment.
Here is what I got at the end of the setup:

Node1 (master)


Node2 (backup)


Not an expert here, but I think that WAN and LAN should both be in master status.
In order to fix it, I also tried to tinker with the advskew: I set 101 on the master and 100 on the backup node, I rebooted but nothing changed.

How can I fix it?
Thanks

#2
Hi everyone,
I have set a Dual-WAN failover up on my OPNsense v. 24.7.8. The WAN1 gets a static IP, while WAN2 is under NAT and gets a dynamic IP.
As long as the WAN1 is up, the external PC connected to OPNsense via a Road Warrior Wireguard tunnel can reach the LAN behind OPNsense, but if WAN1 goes down there is no connection anymore (only the devices behind OPNsense can go to the internet via WAN2, as expected).
I set up monitoring on the WAN interfaces as well as "Allow default gateway switching", but Wireguard still doesn't work via WAN2.
Any suggestions please?
Thanks
#3
Hi everyone,

I was wondering if it is possible to set up a dual WAN failover where both WANs have the same gateway.
This could be the case if you have two modems/routers and two connection lines from the same ISP (or they could be different for that matter), and you put an OPNsense device behind them to better manage and protect your network.

Is it possible in OPNsense? Could there be some problems?
Thanks
#4
Hi everyone,
I created two LABs in virtual environments, each running OPNsense as a firewall/router of their own LANs.
I also set a dual WAN failover on their WAN ports (one port with static IP, and a dhcp client on the other).
I then set a site-to-site Wireguard tunnel between the two OPNsense machines to make their LANs reach each other. Everything works great so far.

However, I noticed that the tunnel works as long as a WAN with static IP is UP on at least one side of the two LABs; in other words, if the two "static IP WANs" fail on both sides, the Wireguard tunnel stops working even though the two DHCP WANs are regularly up and the clients on both sides can go out to the Internet.
Is this expected and considered normal behaviour in a real-world scenario too?
Thanks
#5
Italian - Italiano / Wireguard via DHCP WANs
November 21, 2024, 01:04:31 PM

Moved to General Discussion. My bad, sorry
#6
Hi,

I can access my OPNsense web GUI either from a management interface or directly from WAN (I set a firewall rule for that), no security issues since everything runs in a virtual lab environment.
I found out that I can't access the web GUI from local PCs running in a VLAN, even though I set a pass rule for that, and the PCs can ping the local gateway (10.30.30.1) and go to the internet regularly.

Here are the VLAN firewall rules:



and a Wireshark capture on the trunk interface:



I also disabled the firewall filters in the advanced option but I still can't access the web GUI from the "main" VLAN.

I don't know what is wrong with it. Could you please help figure it out? Thanks

#7
Hi everyone,

I installed OPNsense as a VM on two different PCs. In order to access their own WEB GUIs from WAN (just for convenience, they run on LAB environments which I use for learning purposes), I set pass rules to allow that, of course.
I can access the OPNsense's WEB GUI from the browser of the host where the VM runs,
BUT if I want to access it from another PC (the other one where another OPNsense VM runs), it isn't allowed unless I check "Disable reply-to on WAN Rule"



Could anyone please explain to me what this option is for and how it works exactly?

Thanks


#8
General Discussion / Error: Not netmap adapter on device
November 08, 2024, 01:20:28 PM
Hi,
I installed and enabled Zenarmor for the LAN interface (and IPS for the WAN as well).
I started to see this error message on the shell:

https://imgbox.com/ZzU5wxX4

Could anyone please tell me what it is about and if I can fix it?
Thanks
#9
General Discussion / Wireguard S2S issue
September 22, 2024, 08:01:21 AM
Hi
I created a lab with two OPNsense virtual machines in Pnetlab.
I set up Wireguard as a site-to-site VPN on both of them. The Wireguard itself seems to be working fine, as you can see from the images below:



On both OPNsense VMs, I set VLANs with a few VPCs, and I tried to reach them through the Wireguard tunnel, but they can't even ping each other.
However, I can ping the VPCs from the diagnostic tools in the OPNsense VMs.
I think I have already tried just about everything (set firewall rules etc) to get everything working, but I still find myself banging my head against this problem for about a week.
Could you please help figure it out? Thanks

My LAB topology



#10
General Discussion / L3 Switch behind Opnsense
June 29, 2024, 11:12:21 PM
Hi,
I'd like to put an L3 switch behind OPNsense. The switch will manage a few VLANs and a DHCP server for each of them. Then, I would set a /30 subnet (say 192.168.10.0/30) between one interface of the switch (192.168.10.2/30) and one of the Firewall (192.168.10.1/30). The L3 switch would have 192.168.10.1 as a default gateway in the routing setup.
I'm not sure how to set OPNsense up to make it work properly. What should I do first on the routing setup side?
Could you help me figure it out?
Thanks
#11
Zenarmor (Sensei) / Packet Engine stopped
March 19, 2024, 08:21:30 PM
Hi everyone,

Zenarmor free version runs on my OPNsense 23.7.8_1
I keep seeing this error message when I open the Zenarmor's dashboard:



So, I start it every time, but it stopped working after a little while:



I don't know what the problem with it is.
Could you please help me figure it out?
Thanks

#12
Hi,

I see this message on my OPNsense machine screen:




I'm still trying to make sense of it. I didn't notice any problems with OPNsense so far, I mean, everything works as expected.
Could you help me figure it out please?
Thanks
#13
Hi,

I set a dual WAN failover on my OPNsense which is installed on a laptop.
The main WAN interface is a wifi dongle which works [almost] perfectly.
The second WAN is an ordinary ethernet interface.
I need this setup since the OPNsense device is meant to be a portable firewall/router.
The failover works, it switches to the second WAN if the primary goes down, and back to the main WAN when it is up again, even though there is an issue with the wifi re-connection as I wrote here in this thread already:

https://forum.opnsense.org/index.php?topic=37858.0

However, the DNS resolution (unbound is running) takes ages when the connection switches back to the main WAN (wifi), but no issue with the dns resolution when the connection switches from WAN1 (wifi) to WAN2 (ethernet).

Why?

Thanks

#14
General Discussion / WiFi Wan re-connection
January 01, 2024, 04:18:16 PM
Hi, and a happy new year to everyone.

I managed to make a D-link wifi dongle work as a WAN interface on a laptop. It's going to work as a backup connection, or as a main WAN when I use the OPNsense device as a portable router.
I noticed that when the internet connection goes down and then up again this WAN interface doesn't re-connect automatically, I need to go to interface->WAN2->save and apply the setup again to make it re-connect to the AP. Is there a way to make it re-connect automatically?

Thanks
#15
Hi,

I started with this setup
PC A: Dual WAN failover + wireguard setup
PC B: One simple gateway (no failover) + wireguard setup
Everything worked as expected. PC A and PC B can access each other's resources via SAMBA, and PC B can even connect to PC A via RDP.

I setup a dual wan failover on PC B (same setup as PC A) too, and the wireguard tunnel stopped working.
I mean, the handshake seems to be up, but devices on opnsense's LAN side can't reach devices on the other opnsense's LAN anymore, not even ping one another.

I haven't yet understood what may have been wrong.

Could you please give me a hint as a starting point, just to see where I need to check the possible misconfiguration? Thanks

For the record, here are the two tutorials I followed to set up dual WAN failover and Wireguard for both machines:

https://www.youtube.com/watch?v=CcXYiFj9mBA  -> dual wan failover
https://www.youtube.com/watch?v=ah0Kkkqqfcg -> wireguard site-to site setup



Thanks
#16
General Discussion / error(s) loading the rule
November 24, 2023, 03:13:05 PM
Hi,

Could anyone please help me make any sense of this error message?

https://imgbox.com/8walW3or



OPNsense is running as a VM in Proxmox (just for practice purposes at the moment), and its WAN port gets an IP from my physical home router (192.168.3.1), which manages my home LAN.
IP 192.168.3.100 is my desktop PC. I set a WAN pass rule for my PC so that it can reach the OPNsense dashboard and devices on the OPNsense LAN side.

Thanks
#17
Hi,
I installed OPNsense on my Proxmox machine to practice with it, and wanted to get temporary access to its Web GUI from the WAN port to set it up more easily from my PC running on my home LAN managed by a physical router.
I hadn't managed to do it until I set "Disable" for the reply-to option in the WAN rule advanced settings, which did the trick.

However, I haven't yet understood what the reply-to is really for, and if it is safe to keep it disabled.

Again, I also have OPNsense running as a VM in my VMware Workstation. I only set the pass rule on its WAN without disabling the reply-to option which is still set as "default". I can access its WEB GUI from the WAN nonetheless.
Why?

#18
General Discussion / SSDP/DLNA across different subnets
September 29, 2023, 10:36:20 AM
Hi everyone

Is there a way to make SSDP (DLNA discovery) work across different subnets on OPNsense?

Thanks
#19
Italian - Italiano / OPNsense and Devices running mDNS
September 18, 2023, 05:55:20 PM
Hi,
I was watching this video:

https://www.youtube.com/watch?v=HW9mUrF1ZgU

and I also read this OPNsense wiki:

https://docs.opnsense.org/manual/how-tos/multicast-dns.html?utm_source=pocket_reader


I need to figure out how it works exactly. So, sorry if my question may sound stupid to most.

Assuming that I have a smart tv or something running on subnet 172.16.69.0/24 which uses mDNS and needs to communicate with a server on LAN 192.168.3.0/24 in order to get media contents, would the setup shown in the video be the same on OPNsense after installing Multicast DNS Proxy?

Thanks
#20
Hi,
I installed Zenarmor plugin on my OPNsense 23.1.11 firewall (Which runs as a VM for the time being).
I set up the default policy on LAN interface (em1) to block a few web contents.
Here is the original setup:



and everything works as expected.
I then added another virtual interface (em3) and set a subnet for GUEST in OPNsense. I wanted to use the same policy and setup on it as em1, so I checked mark (em3) in Zenarmor, but I got an error message when I clicked the APPLY button:

https://imgbox.com/WOEjaXx6


So, I set the tags on both interfaces accordingly:




I thought that I had fixed the issue.

However, the block rules still seem not to be working on the guest (em3) interface as they regularly work on em1 (LAN). In a few words, Facebook and adult content aren't blocked as expected.

Could anyone please help me figure it out?

Thanks