Messages - bobbythomas

1
21.1 Production Series / How to move SWAP to a different drive?
« on: February 24, 2021, 09:46:36 pm »
Hi there,

This may not be much related to OPNsense but I would like to get some guidance in moving SWAP to a new partition/disk. Currently I am running OPNsense VM on Proxmox with SSD, I would just like to move the SWAP partition to another HDD, is it possible?

Thanks in Advance,

Regards,
Bobby Thomas

2
20.7 Legacy Series / Re: Having issues getting public IP on WAN interface
« on: January 02, 2021, 07:04:20 pm »
No, it's not related to routing or NAT, as soon as I change the modem from bridge mode to routed mode I get the private IP from the modem. As for the "Block private networks", it's already unchecked. My ISP doesn't provide IPv6 addresses yet, so it's not related to IPv6.

I think this is something related to DHCP client service or some configuration on the ISP side which restricts IP allocation to certain MAC addresses (like some virtual MAC addresses which have unknown OUI).

3
20.7 Legacy Series / Having issues getting public IP on WAN interface
« on: December 24, 2020, 04:05:06 pm »
Hi Team,

Hope everyone is enjoying the holidays.

Well it seems like my holidays are going from bad to worse. Coming to the point, I have an OPNsense firewall setup in a VM in Proxmox and it has been working great. A couple of weeks back my ISP replaced my Docsis 3 ethernet cable modem with a wifi one, and since then I have been facing issues. I have disabled the wifi on the new Wifi Docsis modem and configured Bridge mode (as I need public IP terminating on my OPNsense firewall). I got public IP on the modem for some time, then it started causing issues: I started getting an IP address from the 192.168.5.0/24 range even though I have disabled DHCP service on the wifi modem. Whatever I do, I only receive an IP address from the range 192.168.5.0/24 on my OPNsense firewall, while if I connect a PC to the modem I am getting a public IP issued by the ISP DHCP server. I am scratching my head to understand why it's happening like this.

I also tried a different approach by assigning the MAC address of the PC to the OPNsense WAN interface and then it gets the public IP but it cannot communicate with anything in WAN (cannot ping gateway or it seems no traffic passing through). Any idea how I can get this issue fixed? I think there is some issue with OPNsense DHCP client service.

Thanks in advance,
Regards,
Bobby Thomas

4
20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion
« on: October 29, 2020, 11:13:59 pm »
Quote from: Gauss23 on October 29, 2020, 07:03:02 pm
Why don’t you just use split-dns for this? OPNsense is handling letsencrypt on public ip. Then you define an override in unbound for the same hostname as you used for the letsencrypt cert with the internal IP of the OPNsense.

I thought of doing this but I will have to import the cert from firewall and update that on the server every 3 months. So I thought I will go with HA Proxy.

Regards,
Bobby Thomas

5
20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion
« on: October 29, 2020, 11:12:41 pm »
Quote from: lebernd on October 29, 2020, 12:40:03 pm
I don't use unbound for homeassistant but for other haproxy services that depend also on LE and I don't have problems. Inside and vpn are redirected to the local address (the new virt-ip of the haproxy-frontend) but LE is working and looking for the official dns-servers.

Edit:
the condition and rule is simple:
cond: host starts (match or end will most likely be also possible) with: fqdn / or something like it
rule: if cond -> execute function use backend ...
rule selected/applied on the frontend then.

Best regards,
Bernd

I got it working for LAN, I will go through the VPN part in some time. Thank you for your valuable suggestion.

Regards,
Bobby Thomas

6
20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion
« on: October 29, 2020, 12:12:42 pm »
Thank you for the suggestion Bernd, I will give it a try with HA Proxy, the only concern I am having is with name resolution from inside and how to configure rules in HA Proxy according to that.

Regards,
Bobby Thomas

7
20.7 Legacy Series / Letsencrypt certificate export or HA proxy config? Need opinion
« on: October 29, 2020, 09:34:59 am »
Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an Openhab server for automation in the inside and I have access to it over http/https only from inside. There are some android apps which require https and public ca signed certificate for api access (as from Android 10 they have those restrictions). I have Letsencrypt service running for CA cert which signs my ddns domain. I previously had pi-hole where I have created a static DNS A record for my ddns domain pointing to Openhab and then I imported the Letsencrypt certificate to openhab from OPNSense, after this android app worked well. Now I have moved away from pi-hole as I am now using Unbound and Bind for dns filtering. Also it's very hectic to manually import the certificate to the openhab every three months, so I want to know if I can use HA proxy for this purpose. I only need to access this server from inside and vpn networks and not from outside but I need it to use the Letsencrypt cert for ssl.

It may be a little confusing for you to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas

8
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 02:01:43 pm »
Quote from: mimugmail on August 03, 2020, 01:57:06 pm
I checked all available good documentations and also the official ones:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

I have no idea why you set your local networks in local instance.

This is nowhere documented.

Maybe this would was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1

Ok, I may have overlooked this while configuring the local instance. I think I added my LAN as well as Zerotier to Wireguard config thinking it's similar to ipsec config. Anyways I removed it now and everything looks good. I will keep this in mind when configuring WG in future.

Thank you Michael. Appreciate your assistance.

Regards,
Bobby Thomas

9
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 01:31:47 pm »
Quote from: mimugmail on August 03, 2020, 01:19:55 pm
WHERE did you set this 192.168.1.0/24? in local instance or endpoint?

Local instance (on the firewall).

10
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 01:19:19 pm »
Quote from: mimugmail on August 03, 2020, 01:07:15 pm
route -q -n add -inet 192.168.1.0/24 -interface wg0

The line above indicates that this should be a network on the other side of the VPN tunnel.
If one of your local interfaces has this network, wireguard will break. In 20.1 it seems FreeBSD just ignored this.

Got it. After removing LAN and restarting the service, the Wireguard service came back online. Is this how it should be configured?

Thanks and regards,
Bobby Thomas
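
The overlap described in the quoted reply above (a `route ... -interface wg0` entry for a network that is also directly connected on a local interface) can be checked from a wg-quick trace before the service is restarted. This is an added example, not part of the original posts; the trace is a constructed sample and the interface names and host addresses in `LOCAL_NETS` are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the wg-quick trace quoted in the thread.
WG_QUICK_TRACE = """\
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
[#] route -q -n add -inet 10.1.1.3/32 -interface wg0
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.1.1.1/32 -interface wg0
[#] route -q -n add -inet 192.168.1.0/24 -interface wg0
"""

# Assumed local addressing; interface names and host parts are hypothetical.
LOCAL_NETS = {
    "lan": "192.168.1.1/24",
    "zt0": "192.168.2.1/24",
    "wg0": "10.1.1.1/32",
}

ROUTE_RE = re.compile(r"route\b.*\badd\s+-inet\s+(\S+)\s+-interface\s+(\S+)")


def tunnel_routes(trace):
    """Return (network, interface) for every route the trace adds."""
    routes = []
    for line in trace.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            routes.append((net, m.group(2)))
    return routes


def find_conflicts(trace, local_nets):
    """List tunnel routes that overlap a network on another local interface."""
    found = []
    for net, wg_if in tunnel_routes(trace):
        for ifname, addr in local_nets.items():
            local = ipaddress.ip_network(addr, strict=False)
            # The tunnel's own address is expected to match; skip it.
            if ifname != wg_if and net.overlaps(local):
                found.append((str(net), wg_if, ifname))
    return found


if __name__ == "__main__":
    for net, wg_if, local_if in find_conflicts(WG_QUICK_TRACE, LOCAL_NETS):
        print(f"{net} is routed into {wg_if} but is directly connected on {local_if}")
```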

11
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 01:01:40 pm »
Quote from: bobbythomas on August 03, 2020, 12:57:04 pm
Quote from: mimugmail on August 03, 2020, 12:43:19 pm
But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

I removed it, still the service is down.

Quote
root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface
  • wireguard-go wg0

INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320
  • wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
  • ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 10.1.1.3/32 -interface wg0
  • route -q -n add -inet 10.1.1.2/32 -interface wg0
  • route -q -n add -inet 10.1.1.1/32 -interface wg0
  • route -q -n add -inet 192.168.1.0/24 -interface wg0
  • rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

Do I need to remove LAN (192.168.1.0/24)?

Thank you,
Regards,
Bobby Thomas

12
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 12:57:04 pm »
Quote from: mimugmail on August 03, 2020, 12:43:19 pm
But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

13
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 12:42:25 pm »
Quote from: mimugmail on August 03, 2020, 12:35:44 pm
route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?

No that's my Zerotier Network. I wanted to access devices in the Zerotier Network when I'm connected to the vpn.

14
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 03, 2020, 11:30:30 am »
Quote from: mimugmail on August 03, 2020, 09:59:48 am
Quote from: bobbythomas on August 02, 2020, 08:16:50 pm
Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas

/usr/local/etc/rc.d/wireguard restart

Via console

I need this output

Sorry I thought you wanted to know the status of the service after entering that command. Below is the output of the command.

Quote
root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
  • wireguard-go wg0

INFO: (wg0) 2020/08/03 14:56:06 Starting wireguard-go version 0.0.20200320
  • wg setconf wg0 /tmp/tmp.UtpkrEW8/sh-np.dztf3d
  • ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 10.1.1.3/32 -interface wg0
  • route -q -n add -inet 10.1.1.2/32 -interface wg0
  • route -q -n add -inet 10.1.1.1/32 -interface wg0
  • route -q -n add -inet 192.168.2.0/24 -interface wg0
  • rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

By the by, I tried a manual restart and the issue still persists.

Thank you,
Regards,
Bobby Thomas

15
20.7 Legacy Series / Re: Wireguard not working after upgrade.
« on: August 02, 2020, 08:16:50 pm »
Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas
