Messages - shtech

#1
I've had this issue for years w/opnsense. I temporarily switched my home over to a fortinet 30e and had zero issues with wifi calling. I've had to turn the feature off on my phone.

When the issue happens, I turn off wifi on my phone, then turn it back on after a few seconds. Bam, wifi calling works for a while. It does seem that opnsense is dropping the connection and my android doesn't know this and tries to reconnect. During this time data/internet works fine. I've not had a chance to revisit the logs to see what is happening. Also odd, iphones don't seem to have this problem. Not sure what the difference is between iOS and Android in regards to wifi calling though.
#2
23.7 Legacy Series / Re: Wireguard routing issue
November 13, 2023, 11:38:03 PM
I found the issue.

The reason that traffic was trying to go out the lan was due to the wan group for Lan net. Changed it to default and it now works. SiteA can access siteB.

Also, curious what changing the lan net default gw from the wan group to the default will do to gateway switching.
#3
23.7 Legacy Series / Wireguard routing issue
November 09, 2023, 06:28:14 PM
When a device on siteB sends data to a device on siteA I can see that the traffic is sent through the wg1 interface. From siteB the connection is working fine.

When a device on siteA sends data to a device on siteB, it tries to send that data out the wan interface. SiteA System>Route shows there is a route for siteB's network pointing to wg1. I'm not sure what is wrong, as I have gone back over the doc for s2s multiple times. SiteA just won't route the traffic through the wg1 interface, even though there is a route statement for it.

SiteA LAN: 192.168.3.0/24
SiteB LAN: 192.168.2.0/24

SiteA route:
ipv4 192.168.2.0/24 link#11 US NaN 1420 wg1

SiteA log file where dst contains 192.168.2:
WAN2 2023-11-09T12:22:16-05:00 x.x.x.x 192.168.2.193 icmp let out anything from firewall host itself (force gw)

lan 2023-11-09T12:22:16-05:00 192.168.3.212 192.168.2.193 icmp Default allow LAN to any rule


Now what happens from siteB:

wg1 2023-11-09T12:23:56-05:00 192.168.2.193 192.168.3.33 icmp
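Added example, not part of the original posts: a small Python check that reads log lines in the same layout as the excerpt above (interface, timestamp, src, dst, proto, rule label) and flags any flow to a site-to-site prefix that left on an interface other than the expected WireGuard one, noting the "(force gw)" rule label that the fix in the later post (LAN rule gateway set to the WAN group instead of default) explains. The sample lines, addresses and interface names are constructed assumptions.

```python
import ipaddress

# Constructed sample log lines in the same layout as the forum excerpt.
# 203.0.113.10 stands in for the x.x.x.x WAN address; none of this is a real capture.
SAMPLE_LOG = """\
lan 2023-11-09T12:22:16-05:00 192.168.3.212 192.168.2.193 icmp Default allow LAN to any rule
WAN2 2023-11-09T12:22:16-05:00 203.0.113.10 192.168.2.193 icmp let out anything from firewall host itself (force gw)
wg1 2023-11-09T12:23:56-05:00 192.168.3.212 192.168.2.50 icmp let out anything from firewall host itself
WAN2 2023-11-09T12:24:01-05:00 203.0.113.10 198.51.100.7 tcp let out anything from firewall host itself (force gw)
"""

# Site-to-site prefixes and the tunnel interface they must leave on
# (from the post: SiteB LAN 192.168.2.0/24 is routed via wg1).
TUNNEL_ROUTES = {ipaddress.ip_network("192.168.2.0/24"): "wg1"}
# Ingress interfaces to ignore: a hit on the LAN rule says nothing about egress.
LAN_IFACES = {"lan"}


def parse_line(line):
    """Split one log line into fields; the rule label is everything after proto."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    iface, ts, src, dst, proto = parts[:5]
    label = parts[5] if len(parts) == 6 else ""
    return {"iface": iface, "ts": ts, "src": src, "dst": dst,
            "proto": proto, "label": label}


def find_leaks(log_text, routes=TUNNEL_ROUTES, lan_ifaces=LAN_IFACES):
    """Return egress records whose destination lies in a tunnel prefix but
    which left on an interface other than the expected tunnel interface."""
    leaks = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["iface"] in lan_ifaces:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:  # placeholder or garbled address; skip it
            continue
        for net, want in routes.items():
            if dst in net and rec["iface"] != want:
                rec["expected_iface"] = want
                # "(force gw)" marks a rule with a gateway forced on it, i.e.
                # policy routing overriding the kernel route to the tunnel.
                rec["policy_routed"] = "(force gw)" in rec["label"]
                leaks.append(rec)
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak['ts']} {leak['src']}->{leak['dst']} left via {leak['iface']}, "
              f"expected {leak['expected_iface']}, policy routed: {leak['policy_routed']}")
```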
#4
23.7 Legacy Series / Re: Speeds not as stable as pfSense
November 09, 2023, 01:15:17 PM
Have you tried disabling hw.ibrs in system > settings > tunables?
This https://www.reddit.com/r/OPNsenseFirewall/comments/woaenn/slow_wireguard_performance/

I disabled it.

I also read to disable pmap.pti, however when I did I didn't get DHCP on my wan interface from comcast. So I re-enabled it until I could troubleshoot.
#5
Setting up wireguard site to site. On site b, I made a mistake and set the wrong allowed address on the peer. Didn't catch it until I looked at the routes under System -> Routes. Realized that wouldn't go anywhere.

So I went to the peer, changed the allowed ip addresses. Save, apply. No change to the route. So I disabled and re-enabled wireguard. No change to the route, incorrect route was still listed. I had to delete the peer, recreate, and not until I deleted the route and then restarted did it add the correct route.

In re-creating the route, I accidentally set the port to 5182 instead of 51820 on the peer. So I edited the port. Apply. No change, the other firewall showed traffic coming from site b with a destination port of 5182. Tried disabling the peer, re-enabling. No change.

Another strange thing. Site B, hitting the Apply button on wireguard settings takes up to 2-3 minutes for it to stop. Site A doesn't do this. They are both the same device.

Am I missing a step to get wireguard on opnsense to update properly when you change a peer or instance and apply?
#6
You know, I didn't even catch the other firewall's VLAN rule was in and not out. Deleted the out rule and that vlan is working fine.
#7
I've got two instances I manage.

I moved them both to protectli devices (2.5gb model).

Both of them have 1 vlan for guest network.
Firewall A the VLAN200 has two rules. It works fine.
1. block traffic from the LAN
2. Allow any outbound.
3. Outbound NAT is set to hybrid, as I have a homelab behind it.

Firewall B I created the same vlan, id 200.
Rules are the same. Block outbound to lan, allow anything out.
Outbound NAT is set to Automatic.

However this vlan wouldn't work until I added another inbound rule allow any traffic in.

The only difference is Firewall A was a restore from another opnsense. Firewall B was a fresh setup.

I'm guessing I overlooked something in firewall A that firewall B didn't have. I'm about to help a friend set up an opnsense and I'll be creating a vlan for their guest network, just making sure I'm not forgetting something.

Firewall A:

#8
I finally switched it to a port forwarding nat, creating a group for ports and applying a firewall rule like I always do. Reflection doesn't work as expected, so I finally had to add overrides in unbound. However this server has about 30 domains on it... I didn't want to create that many overrides.

Based on the amount of posts of issues with this, it seems that it doesn't work as intended in opnsense.

I spun up a pfsense and followed their doc on it, it works as expected. Seems it is an opnsense issue. If someone has some pointers, and I've read way too many forum and reddit posts on this issue and the opnsense docs, I'm open to suggestions. Still couldn't make it work properly. Especially the reflection part.
#9
Trying my first 1:1 nat, using an ip on our 2nd wan (wan2). Incoming traffic from outside works fine. Firewall web gui port is set to 4433, so https://192.168.1.1:4433

However inside our lan port 80 and 443 don't work for the domain that uses the 1:1 nat. If I try to visit the domain, it spins and spins until finally it changes the url to https://www.domain.com:4433

I've found this thread (https://forum.opnsense.org/index.php?topic=22819.msg108561#msg108561) and I changed settings to only answer firewall gui requests on the local lan. This fixed it appending the port 4433 but still not working. I'm missing something.

OPNsense 23.7.4-amd64, created a 1:1 nat.
external: wan2-IP/32
source: lan-IP/32
Nat reflection: default (reflection for 1:1 is enabled).

#10
Discovered that... ordered a protectli fw4c. It's what I have at home running opnsense... really don't need a xeon e5, it was just handy at the time.

I'm going to guess the protectli will have no issues with the throughput.
#11
I've had a Precision t3600 as our firewall for some time. Xeon E5, 32GB ram. We have the Jeirdus with Intel Chipset 82546 Dual Port Gigabit 8492MT PCI Server Network Card 1000M RJ45 NIC Ethernet Desktop Adapter (https://www.amazon.com/Jeirdus-Chipset-Gigabit-Network-Ethernet/dp/B07CGZD7YJ/ref=sr_1_2_sspa?crid=37Z85IG2PFYWK&keywords=2.5gb%2Bdual%2Bnic%2Bintel%2Bpcie&qid=1692974865&sprefix=2.5gb%2Bdual%2Bnic%2Bintel%2Bpcie%2Caps%2C95&sr=8-2-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9hdGY&th=1).
This card is used for our wan connections, we have two coax and fiber.

One vlan and lan. Other than that I've read through a ton of forum posts and checked to ensure hardware offloading, etc were all disabled. No shaping policies. Wan connections both say: 1000baseT <full-duplex>

We recently went to 300Mbps fiber. Speed tests won't go above 170-190. If I plug a laptop directly into the modem, 290Mbps all day long. It's definitely the firewall. The fiber carrier says they can see errors but could be our equipment or theirs... since I can get the proper speed directly connected, I'm betting it's opnsense.

1. Is it this card or the drivers for this card? It's older PCI.
2. Is there a better card that is truly dual nic (dual controllers)?

I tried to go through as many forum posts and reddit threads as I could before making this post. It's possible I missed something. We have updated to 23.7 still nothing changed.
#12
In the bios, the new machine shows both NICs have the same MAC address. Is this causing an issue with opnsense?

Plugged old box (dell optiplex) back in and internet immediately starts working.

Would love to switch to this mini pc. Zbox-mi522nano. Seemed to be a good box for it. But something isn't right.
#13
Both 23.1.

Backed up the configuration, modified the interface names in the xml to match the old, imported in the web gui.

I even have the MAC spoofed from the previous device for wan. So I get the same ip.

Wan will not get an ip from DHCP.

I've tried removing the MAC spoof. I've restarted the modem. Xfinity modem.
#14
General Discussion / Multi-wan failover not working
June 12, 2020, 02:01:07 PM
OPNsense 19.7.1-amd64

Wan1 -  DHCP
Wan2 -  static ip

Previously they had att uverse on wan2 in dhcp and wan1 in DHCP from its carrier, failover worked just fine. They switched to a new carrier with a static ip for wan2, failover stopped working. I followed this doc originally and have checked and re-checked the config: https://docs.opnsense.org/manual/how-tos/multiwan.html

It matches the how to doc. Internally, once wan1 has been disconnected, you cannot ping by FQDN or IP to anywhere outside the firewall.

I can force traffic out wan2 and it works fine, when wan 1 is also working.

Outside of changing the connection to wan 2 carrier to a static IP and new gateway address (which was added to the GW group), nothing else has changed.

We have rules in the firewall that allow us to log in remotely. When they pull wan1 from the firewall, we cannot log in using the wan2 IP and they never start routing out wan2. When wan1 is reconnected, we can log in via both public IPs of the firewall. Which seems extremely strange to me.

I understand that version 20 is available and we will plan to upgrade this unit to 20. I just don't understand why it has stopped working after changing the connection on wan2. There seem to be a few bugs related to DHCP and wan failover. Wan1 is a DHCP connection from that carrier and wan2 is static.

#15
20.1 Legacy Series / Re: SIP NAT Issue?
April 30, 2020, 02:50:06 PM
Quote from: StP on April 15, 2020, 11:56:48 AM
Bart,
don't know if your question goes in my direction but anyways, here I go:
According to the documentation of my conference system (BigBlueButton) I do not need a STUN server if the firewall's WAN interface has a fixed IP. In that case I can hardcode that IP in one of the configuration files instead of STUN server address and port. That's what I have done. Maybe that is not enough if clients are behind a router.

Stefan

Just getting back to this. I tried several stun servers (which we've used for clients in the past) and it didn't help.