Messages - zan

1
Virtual private networks / Re: Wireguard Client Issues Passing Traffic
« on: March 28, 2023, 08:18:09 am »
Quote from: shrekfx on March 25, 2023, 11:36:36 pm

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk

You need to assign an IPv4 address (10.14.0.2) to the interface.
You also might need to tick "This interface does not require an intermediate system to act as a gateway".

2
Virtual private networks / Re: Select different wan source for wireguard server
« on: March 24, 2023, 07:02:52 am »
Can you rephrase your question? I'm not sure I understand correctly, but it sounds like you are trying to create a Wireguard tunnel inside your VPN tunnel?

FYI, you can't pick the source address for Wireguard since it listens on all interfaces, so it will automatically pick the destination address of the incoming traffic as the source address.

3
23.1 Production Series / Re: Live View in Firewall->Log Files doesn't update anymore since 05.03.2023
« on: March 22, 2023, 07:31:14 pm »
Is syslog-ng daemon running?
You might need to clean /var/log before restarting syslog-ng.

4
23.1 Production Series / Re: [SOLVED] Asynchronous IPv6 routing problem
« on: March 21, 2023, 11:05:13 am »
You are welcome.
Also, I just re-read your posts: since your WG gateway is the only IPv6 upstream in your system, you can just set up a static default IPv6 route (::/0) via your WG gateway.

5
23.1 Production Series / Re: Asynchronous IPv6 routing problem
« on: March 20, 2023, 12:13:04 pm »
I usually fix asymmetric routing by forcing the reply-to.
Try setting the "reply-to" field in your IPv6 pass rule on your WG interface to the WG gateway.

6
General Discussion / Re: Multicast
« on: March 09, 2023, 03:44:10 am »
Have a look at UDP Broadcast Relay https://forum.opnsense.org/index.php?topic=15721.0

7
General Discussion / Re: WG tunnel firewall state going stale, requires delete to restore connectivity
« on: February 28, 2023, 04:39:19 am »
Have you checked your Wireguard status for handshakes? Do they handshake normally (every 1-3 min)?

8
General Discussion / Re: DNS issues - only on opnsense host
« on: February 25, 2023, 01:02:41 am »
Quote from: Jay10 on February 24, 2023, 08:24:42 pm
Code:
root@OPNsense:~ # sockstat -l | grep 'unbound\|AdGuard'
root     AdGuardHom 61200 13 udp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 14 tcp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 21 tcp4   10.0.0.1:8080         *:*
root     syslog-ng  19509 22 dgram  /var/unbound/var/run/log

I think we found the culprit. Your AGH only listens on the LAN interface.
Edit your /usr/local/AdGuardHome/AdGuardhome.yaml and change the "bind_hosts" under "dns:" to '0.0.0.0', then restart AGH; that should fix this.

Edit: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file

9
General Discussion / Re: DNS issues - only on opnsense host
« on: February 24, 2023, 05:06:33 pm »
Try this and see if unbound is listening on the loopback:
Code:
sockstat -l | grep 'unbound\|AdGuard'
If it does, then try this:
Code:
pfctl -d
drill @localhost -p5553 google.com
pfctl -e
to make sure it is not a firewall issue.

10
General Discussion / Re: DNS issues - only on opnsense host
« on: February 24, 2023, 05:43:05 am »
Looks normal.
Possibly an ACL problem, like Unbound/Adguard not accepting queries from loopback.
Can you try "drill google.com @127.0.0.1 -p 5553"?
If it works, then you should check Adguard's ACL to allow queries from 127.0.0.1 or the loopback adapter.
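One way to automate the sockstat check suggested in the three replies above in this DNS thread (added example, not code from any forum post): it reads sockstat -l output on stdin and reports whether any port-53 listener is bound to loopback or to the wildcard, which is exactly what the bind_hosts change in the later reply fixes. The two sockstat samples are constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed sample: resolver bound only to the LAN address, as quoted in the thread.
SOCKSTAT_LAN_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 61200 13 udp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 14 tcp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 21 tcp4   10.0.0.1:8080         *:*
root     syslog-ng  19509 22 dgram  /var/unbound/var/run/log'

# Constructed sample: same daemon after bind_hosts was set to 0.0.0.0, plus
# unbound on the 5553 port used by the drill command in the thread.
SOCKSTAT_WILDCARD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 61200 13 udp4   *:53                  *:*
root     AdGuardHom 61200 14 tcp4   *:53                  *:*
unbound  unbound    2211  5  udp4   127.0.0.1:5553        *:*'

# Print the distinct local addresses of TCP/UDP listeners on port $1, reading
# `sockstat -l` output on stdin. Unix sockets (dgram/stream rows) are skipped.
# The port is the text after the last ':' so IPv6 addresses such as ::1 work.
listener_addrs() {
    awk -v want="$1" '
        $5 ~ /^(tcp|udp)[46]?$/ {
            n = split($6, p, ":")
            port = p[n]
            host = substr($6, 1, length($6) - length(port) - 1)
            if (port == want && !seen[host]++) print host
        }'
}

# Exit 0 if some listener on port $1 is reachable from the host itself
# (bound to *, 127.0.0.1 or ::1), otherwise exit 1.
loopback_can_reach() {
    listener_addrs "$1" | awk '
        $0 == "*" || $0 == "127.0.0.1" || $0 == "::1" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# On a live box replace the sample with: sockstat -l | loopback_can_reach 53
if printf '%s\n' "$SOCKSTAT_LAN_ONLY" | loopback_can_reach 53; then
    echo "port 53 is reachable from loopback"
else
    echo "port 53 is bound only to: $(printf '%s\n' "$SOCKSTAT_LAN_ONLY" | listener_addrs 53 | tr '\n' ' ')"
fi
```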

11
General Discussion / Re: DNS issues - only on opnsense host
« on: February 24, 2023, 04:02:45 am »
What does the /etc/resolv.conf tell you?

12
23.1 Production Series / Re: NFS Mounting Failing due to illegal port
« on: February 23, 2023, 04:31:16 pm »
You said your VM has a public interface, but you also said it is behind NAT, so I'm not sure whether internet outbound traffic goes to your OPNsense router; but in case it does, you might want to check your NAT outbound rule.

IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check "Static-port" on your NAT outbound rule to prevent the firewall from modifying the source port on TCP and UDP packets.

You don't need port forwarding rules; those are for S-NAT, aka inbound traffic.

13
Virtual private networks / Re: VPN Gateway Subnet Routing
« on: February 23, 2023, 03:08:29 am »
It sounds like your Wireguard gateway became your default route.
To prevent it, you need to check "Disable Routes" in your Wireguard settings.

14
General Discussion / Re: reply to incoming packet not respecting policy based routing
« on: February 21, 2023, 04:09:03 am »
Set the 'reply-to' of the pass rule in the wg interface the packet came through to the wg gateway.

15
General Discussion / Re: how can I prevent the Web Gui being accessible via all default gateways?
« on: February 19, 2023, 06:09:14 am »
Have you checked Settings>Administration>Listen Interfaces? It's 'All' by default.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved