Topics - shtech

#1
23.7 Legacy Series / Wireguard routing issue
November 09, 2023, 06:28:14 PM
When a device on siteB sends data to a device on siteA I can see that the traffic is sent through the wg1 interface. From siteB the connection is working fine.

When a device on siteA sends data to a device on siteB, it tries to send that data out the wan interface. SiteA System>Route shows there is a route for siteB's network pointing to wg1. I'm not sure what is wrong, as I have gone back over the doc for s2s multiple times. SiteA just won't route the traffic through the wg1 interface, even though there is a route statement for it.

SiteA LAN: 192.168.3.0/24
SiteB LAN: 192.168.2.0/24

SiteA route:
ipv4 192.168.2.0/24 link#11 US NaN 1420 wg1

SiteA log file where dst contains 192.168.2:
WAN2 2023-11-09T12:22:16-05:00 x.x.x.x 192.168.2.193 icmp let out anything from firewall host itself (force gw)

lan 2023-11-09T12:22:16-05:00 192.168.3.212 192.168.2.193 icmp Default allow LAN to any rule


Now what happens from siteB:

wg1 2023-11-09T12:23:56-05:00 192.168.2.193 192.168.3.33 icmp
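An added example, not from the post or from OPNsense: a small Python check that compares where the firewall log says a packet left the box against where the route table says it should have left. The route entries and the log lines are constructed here to mirror the post (the default route and the 203.0.113.10 source address stand in for the redacted x.x.x.x and are assumptions), and the set of "inside" interfaces to treat as ingress is passed in explicitly.

```python
import ipaddress
import re

# Constructed route table for site A, destination -> egress interface.
# The wg1 and lan entries follow the post; the default route is assumed.
ROUTES = {
    "192.168.2.0/24": "wg1",   # site B LAN via the WireGuard tunnel
    "192.168.3.0/24": "lan",   # site A LAN, directly attached
    "0.0.0.0/0": "WAN2",       # default route (assumed, not in the post)
}

# Shape of the simplified log lines quoted in the post:
# <interface> <timestamp> <src> <dst> <proto> [rule label]
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+(?P<proto>\S+)\s*(?P<label>.*)$"
)

# Constructed sample: the post's two site A entries (WAN source replaced by a
# documentation address) plus one entry that is routed the way we expect.
SAMPLE_LOG = """\
WAN2 2023-11-09T12:22:16-05:00 203.0.113.10 192.168.2.193 icmp let out anything from firewall host itself (force gw)
lan 2023-11-09T12:22:16-05:00 192.168.3.212 192.168.2.193 icmp Default allow LAN to any rule
wg1 2023-11-09T12:23:56-05:00 192.168.3.212 192.168.2.193 icmp
"""


def build_table(routes):
    """Longest-prefix-first list of (network, interface) tuples."""
    return sorted(
        ((ipaddress.ip_network(net), iface) for net, iface in routes.items()),
        key=lambda entry: entry[0].prefixlen,
        reverse=True,
    )


def lookup(table, dst):
    """Return the egress interface the route table selects for dst."""
    addr = ipaddress.ip_address(dst)
    for net, iface in table:
        if addr in net:
            return iface
    return None


def parse_line(line):
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def check_egress(log_text, routes, remote_net, inside):
    """Flag entries bound for remote_net whose logged interface differs from
    the one the route table would pick. Entries on an 'inside' interface are
    the packet entering the firewall and are skipped."""
    table = build_table(routes)
    remote = ipaddress.ip_network(remote_net)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or ipaddress.ip_address(rec["dst"]) not in remote:
            continue
        if rec["iface"] in inside:
            continue
        expected = lookup(table, rec["dst"])
        if rec["iface"] != expected:
            findings.append({
                "iface": rec["iface"],
                "expected": expected,
                "dst": rec["dst"],
                # A label ending in "(force gw)" marks a rule that pins a
                # gateway, and a rule-set gateway takes precedence over the
                # route table; recording it points at policy routing.
                "policy_routed": rec["label"].endswith("(force gw)"),
            })
    return findings


if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG, ROUTES, "192.168.2.0/24", inside={"lan"}):
        print(f"{f['dst']} left via {f['iface']}, route table says {f['expected']}"
              f" (rule with forced gateway: {f['policy_routed']})")
```

Run against the post's lines it reports the WAN2 entry only: the route table picks wg1 for 192.168.2.193, the packet went out WAN2, and the matching rule carries a forced gateway, which is the first place to look when a route exists but is not honoured.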
#2
Setting up WireGuard site to site. On site B, I made a mistake and set the wrong allowed address on the peer. Didn't catch it until I looked at the routes under System > Routes and realized that wouldn't go anywhere.

So I went to the peer and changed the allowed IP addresses. Save, apply. No change to the route. So I disabled and re-enabled WireGuard. No change to the route; the incorrect route was still listed. I had to delete the peer, recreate it, and not until I deleted the route and then restarted did it add the correct route.

In re-creating the route, I accidentally set the port to 5182 instead of 51820 on the peer. So I edited the port. Apply. No change; the other firewall showed traffic coming from site B with a destination port of 5182. Tried disabling the peer and re-enabling it. No change.

Another strange thing. On site B, hitting the Apply button on WireGuard settings takes up to 2-3 minutes to stop. Site A doesn't do this. They are both the same device.

Am I missing a step to get WireGuard on OPNsense to update properly when you change a peer or instance and apply?
#3
I've got two instances I manage.

I moved them both to Protectli devices (2.5Gb model).

Both of them have 1 VLAN for a guest network.
On Firewall A the VLAN200 has two rules. It works fine.
1. block traffic from the LAN
2. Allow any outbound.
3. Outbound NAT is set to hybrid, as I have a homelab behind it.

On Firewall B I created the same VLAN, ID 200.
Rules are the same. Block outbound to LAN, allow anything out.
Outbound NAT is set to Automatic.

However, this VLAN wouldn't work until I added another inbound rule to allow any traffic in.

The only difference is Firewall A was a restore from another OPNsense. Firewall B was a fresh setup.

I'm guessing I overlooked something in Firewall A that Firewall B didn't have. I'm about to help a friend set up an OPNsense and I'll be creating a VLAN for their guest network, just making sure I'm not forgetting something.

Firewall A:

#4
Trying my first 1:1 NAT, using an IP on our 2nd WAN (wan2). Incoming traffic from outside works fine. The firewall web GUI port is set to 4433, so https://192.168.1.1:4433

However, inside our LAN, ports 80 and 443 don't work for the domain that uses the 1:1 NAT. If I try to visit the domain, it spins and spins until it finally changes the URL to https://www.domain.com:4433

I've found this thread (https://forum.opnsense.org/index.php?topic=22819.msg108561#msg108561) and I changed settings to only answer firewall GUI requests on the local LAN. This fixed it appending port 4433, but it's still not working. I'm missing something.

OPNsense 23.7.4-amd64, created a 1:1 NAT.
External: wan2-IP/32
Source: lan-IP/32
NAT reflection: default (reflection for 1:1 is enabled).

#5
I've had a Precision T3600 as our firewall for some time. Xeon E5, 32GB RAM. We have the Jeirdus with Intel Chipset 82546 Dual Port Gigabit 8492MT PCI Server Network Card 1000M RJ45 NIC Ethernet Desktop Adapter (https://www.amazon.com/Jeirdus-Chipset-Gigabit-Network-Ethernet/dp/B07CGZD7YJ/ref=sr_1_2_sspa?crid=37Z85IG2PFYWK&keywords=2.5gb%2Bdual%2Bnic%2Bintel%2Bpcie&qid=1692974865&sprefix=2.5gb%2Bdual%2Bnic%2Bintel%2Bpcie%2Caps%2C95&sr=8-2-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9hdGY&th=1).
This card is used for our wan connections, we have two coax and fiber.

One VLAN and LAN. Other than that I've read through a ton of forum posts and checked to ensure hardware offloading, etc. were all disabled. No shaping policies. WAN connections both say: 1000baseT <full-duplex>

We recently went to 300Mbps fiber. Speed tests won't go above 170-190. If I plug a laptop directly into the modem, 290Mbps all day long. It's definitely the firewall. The fiber carrier says they can see errors but it could be our equipment or theirs... since I can get the proper speed directly connected, I'm betting it's OPNsense.

1. Is it this card or the drivers for this card? It's older PCI.
2. Is there a better card that is truly dual nic (dual controllers)?

I tried to go through as many forum posts and Reddit threads as I could before making this post. It's possible I missed something. We have updated to 23.7; still nothing changed.
#6
Both 23.1.

Backed up the configuration, modified the interface names in the XML to match the old ones, imported. In the web GUI.

I even have the MAC spoofed from the previous device for WAN, so I get the same IP.

WAN will not get an IP from DHCP.

I've tried removing the MAC spoof. I've restarted the modem. Xfinity modem.
#7
General Discussion / Multi-wan failover not working
June 12, 2020, 02:01:07 PM
OPNsense 19.7.1-amd64

Wan1 -  DHCP
Wan2 -  static ip

Previously they had AT&T U-verse on wan2 in DHCP and wan1 in DHCP from its carrier; failover worked just fine. They switched to a new carrier with a static IP for wan2, and failover stopped working. I followed this doc originally and have checked and re-checked the config: https://docs.opnsense.org/manual/how-tos/multiwan.html

It matches the how-to doc. Internally, once wan1 has been disconnected, you cannot ping by FQDN or IP to anywhere outside the firewall.

I can force traffic out wan2 and it works fine, when wan 1 is also working.

Outside of changing the connection to wan 2 carrier to a static IP and new gateway address (which was added to the GW group), nothing else has changed.

We have rules in the firewall that allow us to log in remotely. When they pull wan1 from the firewall, we cannot log in using the wan2 IP and they never start routing out wan2. When wan1 is reconnected, we can log in via both public IPs of the firewall. Which seems extremely strange to me.

I understand that version 20 is available and we will plan to upgrade this unit to 20. I just don't understand why it has stopped working after changing the connection on wan2. There seem to be a few bugs related to DHCP and wan failover. Wan1 is a DHCP connection from that carrier and wan2 is static.

#8
20.1 Legacy Series / SIP NAT Issue?
April 15, 2020, 05:16:40 AM
Two OPNsense firewalls. Both on the latest update. One at home and one at the office.

SIP Client can register just fine using cellular data.

On wifi at my house, it will not.

Office has a NAT port forward. The IPs listed are fake.
Protocol  Source  Port  Address  Ports        Destination   Ports
TCP/UDP   *       *     5.5.5.5  5060-5090    192.168.1.10  5060-5090
UDP       *       *     5.5.5.5  16384-32768  192.168.1.10  16384-32768

I can see the traffic getting to the server behind the office firewall. I can see traffic coming back... it just doesn't connect. Unless I use Verizon's data signal. So it's something in the NAT between the firewalls, I just can't figure out what.

This has been a problem for a while; I've just ignored it until this COVID stuff. Am I forgetting something? I have to be. The 16-hour days are getting to me, very tired.
#9
19.1 Legacy Series / blocking single IP from wan use
December 17, 2019, 12:02:48 AM
Did it myself first: Firewall > LAN > reject from 192.168.1.139/32, any destination, any protocol.

Didn't work.

Found this: https://forum.opnsense.org/index.php?topic=9188.0

Essentially what I did. It didn't work. Am I missing something?
#10
19.1 Legacy Series / Internally Blocking SIP
April 22, 2019, 08:14:02 PM
Setup: OPNsense 18.7 upgraded to 19.1 using the GUI.
Previously this worked fine.
WAN Port Forward anything on 5060-5090 to WAN NET is forwarded to internal IP of PBX.
Domain override for subdomain used for SIP to translate to internal IP for internal connections.

These two things are still working. Externally softphone registers and internally hitting subdomain url translates to internal IP.

However, internally the firewall is blocking 5060, LAN to LAN, to the PBX system. It cites the Default Deny Rule. So internal resolution is working; the firewall log shows the internal LAN address of the softphone going to the internal address of the PBX with DST of 5060, except it gets blocked. Deskphones are working fine. They only point to the IP of the phone system, not the domain.

It would seem something with Domain Override is causing this... but I'm not sure how or why. Any ideas?
#11
18.7 Legacy Series / cron reboot
September 12, 2018, 08:45:15 PM
I see in the cron menu there is an option to "issue reboot" OPNsense. I can't find anything about this in the documentation. To simply restart, is there anything else needed for the cron job? Such as any special parameters?
#12
I am behind my OPNsense FW. I connect to an OpenVPN at a client's. Internal resolution of their LAN works fine.
Their DNS Server: 192.168.1.13
Opnsense FW: 192.168.3.1

While I am connected to that OpenVPN, local LAN DNS fails. nslookup shows that it tries the client's DNS server, then it tries the next server, which is my FW. It returns nothing.

;; Got SERVFAIL reply from 192.168.1.13, trying next server
Server: 192.168.3.1
Address: 192.168.3.1#53

** server can't find XXXX: NXDOMAIN


However, if I disconnect from the VPN my overrides work correctly. It's really strange.

Unbound is set to "All" for interfaces, firewall isn't blocking the connection.

My workstation is openSUSE Leap 42.3. Redirect gateway is NOT enabled on the VPN. Anywhere I should look?
#13
Suddenly this morning, after a reboot, RTP ports were being blocked.
The PBX is inside the LAN. Port forwards and WAN rules were working this morning.

I had added LAN rules to block everything from the PBX system except 5060, 16384-32768, 5080, and 443 inside the LAN only. I applied these rules but later deleted them. I then restarted the firewall sometime after that. When it came back up, no sound on phones. It will ring out to external numbers, but no sound. Internally calls work.

I can use a cloud port check and 5060 is Open. However, the RTP ports listed above show blocked.

Nothing in the live view of the log. FusionPBX system. Anyone got an idea? I'm out of them.
#14
Hardware and Performance / Anyone using these?
May 30, 2018, 04:07:02 PM
https://www.amazon.com/gp/product/B0719L1VFK/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1

I used the VGA image and it installed fine. Made a few changes, added a NAT forward, linked DHCP to Unbound DNS for internal DNS, nothing major.
Rebooted and it would hang after "Starting system logging..." then several of these: "CAM status command timeout", then it would start over.

I'm currently loading the nano image to see if there's any difference. The reviews have quite a few saying pfSense works great on it, so I assumed OPNsense wouldn't have any issue. Not sure what happened.
#15
Hardware and Performance / wireless dropping?
February 15, 2018, 09:02:41 PM
I've had OPNsense up and running for about a week now. Dell OptiPlex 980 mid-tower, i5.

ral chipset PCIe card, detected by the installation just fine (18.1).

LAN (em1)       -> v4: 192.168.3.1/24
OPT1 (em2)      ->
WAN (em0)       -> v4: X.X.X.X/29
WIRELESS (ral0_wlan1) ->

Bridge from WLAN to LAN, it's in Access Point mode, pretty much everything is default except the SSID, WPA passphrase, etc.

I've never defined any rules explicitly in the firewall. I'm very much almost a default setup.

What's really the issue now: I've ordered a Blink camera system and it's all WiFi. With my phone on the same WiFi it keeps having issues sending video, connecting to the Blink cloud, etc.

Being so new to opnsense, I'm not even sure where to start.

FYI this followed the unit from the version 17.something I started with to the 18.1 I just upgraded to.
#16
Hardware and Performance / QOTOM -- confused
January 31, 2018, 10:28:07 PM
I'm new to OPNsense and I've been lurking for quite a while getting OPNsense running on a Dell OptiPlex 980. Then I read a post mentioning QOTOM and about fell out of my chair.

I've read posts on this forum about the QOTOM hardware and it seems like my choice.

I like this one:
https://www.aliexpress.com/item/QOTOM-4-LAN-Mini-PC-with-Core-i3-4005U-i5-5250U-processor-and-4-Gigabit-NIC/32812678037.html?spm=2114.10010108.100009.1.21d01bcaKwKMQB&traffic_analysisId=recommend_2037_null_null_null&scm=1007.13482.91320.0&pvid=46ab5e3a-62a4-4d02-aa74-c392845f1ccb&tpp=1

My problem:
1. The same device listed by the same seller with drastically different prices? Drastically being +$10-$20 difference. Anyone know why? Sometimes the same specs! Google shopping shows even more price variations.

2. Amazon has them but they don't have SSD, RAM, etc. for more money than AliExpress. Does anyone have a go-to place that won't take 2 weeks to ship?