Previously, on 23.1, I had an issue where Unbound DNS wouldn't work for a WireGuard client upon reboot if Unbound wasn't set to listen on all interfaces. The fix was to restart Unbound after OPNsense booted.
I've now updated to the latest 23.7.5 and have a new problem. Now I can see Unbound resolving DNS requests even when it is not set to listen on all interfaces, but WireGuard simply doesn't pass any traffic back to the endpoint (I can't ping the Internet by IP or by hostname). Now, instead of having to restart Unbound, the only way to get Internet access on the endpoint is to restart the Road Warrior WireGuard instance on the Dashboard. A second WireGuard instance for site2site communication is operating normally.
Code:
2023-09-27T22:25:03 Notice wireguard Wireguard interface WGxInternet (wg1) started
2023-09-27T22:25:03 Notice wireguard Wireguard interface WGxInternet (wg1) stopped
2023-09-27T22:17:02 Notice wireguard Wireguard interface WGSite2Site (wg2) started
2023-09-27T22:17:02 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '10.101.1.2/30' -interface 'wg2'' returned exit code '1', the output was ''
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGSite2Site (wg2) stopped
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGSite2Site (wg2) can not reconfigure without stopping it first.
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) started
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) stopped
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) can not reconfigure without stopping it first.
Another issue is that, unlike before, there is no Access Control list in Unbound; only the custom rules are showing. Is there a way to view all the active ACLs?
Also, the Default Action option only shows Allow/Deny/Refuse, while the manual states there should also be Allow Snoop/Deny Non-local/Refuse Non-local. Is this dynamically linked to some other option? Also, the option only affects the firewall itself; interfaces continue to have DNS access even when it is set to Deny. Is this intended behavior?
EDIT: Allow Snoop/Deny Non-local/Refuse Non-local seem to be relevant only to manual ACL rules.
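The log excerpt above is the only hard evidence in the post, so a small parser that turns it into per-interface facts (how often each wg device was stopped and started, and which `route add` calls failed) is a useful first triage step before restarting anything. The following script is an added example and is not code from the post or from OPNsense; the line format it assumes (`timestamp level wireguard message`) and the regexes are inferred from the quoted lines only, and the sample log embedded in it is a constructed copy of those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the OPNsense WireGuard log lines quoted in the post.
SAMPLE_LOG = """\
2023-09-27T22:25:03 Notice wireguard Wireguard interface WGxInternet (wg1) started
2023-09-27T22:25:03 Notice wireguard Wireguard interface WGxInternet (wg1) stopped
2023-09-27T22:17:02 Notice wireguard Wireguard interface WGSite2Site (wg2) started
2023-09-27T22:17:02 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '10.101.1.2/30' -interface 'wg2'' returned exit code '1', the output was ''
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGSite2Site (wg2) stopped
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGSite2Site (wg2) can not reconfigure without stopping it first.
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) started
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) stopped
2023-09-27T22:17:01 Notice wireguard Wireguard interface WGxInternet (wg1) can not reconfigure without stopping it first.
"""

# Assumed line layout: ISO timestamp, level, the literal "wireguard", then the message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+wireguard\s+(?P<msg>.*)$")
IFACE_RE = re.compile(
    r"Wireguard interface (?P<name>\S+) \((?P<dev>wg\d+)\) "
    r"(?P<event>started|stopped|can not reconfigure)"
)
# Non-greedy match stops at the first "' returned exit code", so nested quotes
# inside the route command (like -'inet') are kept as part of the command.
ROUTE_RE = re.compile(r"The command '(?P<cmd>/sbin/route .*?)' returned exit code '(?P<code>\d+)'")


def parse_log(text):
    """Parse WireGuard log lines into event dicts, returned oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a wireguard line in the assumed format
        msg = m.group("msg")
        ev = {
            "ts": datetime.fromisoformat(m.group("ts")),
            "level": m.group("level"),
            "dev": None,
            "kind": "other",
            "detail": msg,
        }
        im = IFACE_RE.search(msg)
        rm = ROUTE_RE.search(msg)
        if im:
            ev["dev"] = im.group("dev")
            ev["kind"] = {"started": "start", "stopped": "stop"}.get(im.group("event"), "reconfigure")
        elif rm:
            dm = re.search(r"-interface '(wg\d+)'", rm.group("cmd"))
            ev["dev"] = dm.group(1) if dm else None
            ev["kind"] = "route_error"
            ev["detail"] = f"exit {rm.group('code')}: {rm.group('cmd')}"
        events.append(ev)
    # The GUI shows newest first; sort so the timeline reads top-down.
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Per wg device: start/stop/reconfigure counts and any failed route additions."""
    summary = defaultdict(lambda: {"starts": 0, "stops": 0, "reconfigures": 0, "route_errors": []})
    for ev in events:
        if ev["dev"] is None:
            continue
        s = summary[ev["dev"]]
        if ev["kind"] == "start":
            s["starts"] += 1
        elif ev["kind"] == "stop":
            s["stops"] += 1
        elif ev["kind"] == "reconfigure":
            s["reconfigures"] += 1
        elif ev["kind"] == "route_error":
            s["route_errors"].append(ev["detail"])
    return dict(summary)


if __name__ == "__main__":
    for dev, s in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(dev, s)
```

Run against the real log (`clog /var/log/wireguard/latest.log` or the GUI export pasted into a file) the summary separates two different questions that the post runs together: whether an instance is being bounced repeatedly (start/stop counts over a short window) and whether the failing `route add` for the tunnel network is the reason return traffic never reaches the endpoint; the second is the one to chase for the Road Warrior instance, since a missing route on the firewall matches the symptom of a peer that can send but gets nothing back.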