Messages - seamus

#16
Quote from: lfirewall1243 on July 28, 2020, 09:09:55 PM
Yeah delete the route.

Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there

OK - I'll try that now. In the meantime, could you please look at the attached network diagram I've made to confirm it doesn't change your advice?
#17
Quote from: lfirewall1243 on July 28, 2020, 09:04:09 PM
Delete that route. And create a Rule with Gateway selected, for the traffic you want to go to that device.

Not following you exactly...

so - delete the route for 192.168.6.0?

...and add a firewall rule with Gateway selected? Could you be a little more specific?

How will other hosts on the network find 192.168.6.0 hosts without a route on 192.168.1.1?
#18
Quote from: lfirewall1243 on July 28, 2020, 08:27:29 PM
So nothing happening there when you make the unsuccessful ping

And here's a shot of the status of all ipv4 routes:
#19
Quote from: lfirewall1243 on July 28, 2020, 08:27:29 PM
So nothing happening there when you make the unsuccessful ping

Maybe the problem is with my routing? Here's a shot of the route I added to allow the embedded device (aka pocketbeagle) to be found on the LAN:

#20
Quote from: lfirewall1243 on July 28, 2020, 02:46:49 PM
What does the live log say while pinging?

Filtering on protoname=icmp, I see 1 (one) icmp going out on WANem0 from src 192.168.6.2 (green) in response to that unsuccessful attempt

**AND**

I see 1 (one) icmp going out on WANem0 from src 136.53.77.100 (green) in response to a successful attempt originating on host at 192.168.1.178

The differences I see in these 2 log entries are the source address for the successful ping is my external IP, whereas it's the internal IP for the unsuccessful one. And there's a "(force gw)" designation in the label for the successful ping attempt.

Here's a screenshot in case that's not clear:

#21
NOTE: You won't find the solution here. Instead, look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

I've just added an embedded device to my network that configures itself to use 192.168.6.0 network. The balance of my LAN is all on 192.168.1.0 and it has worked fine for years. I've added static routes in OPNsense to accommodate the new 192.168.6.0 subnet, and this seems to be working just fine - hosts on both subnets are able to connect to each other.

But I've run into what seems (to me) to be an odd problem - from a host on the 192.168.6.0 subnet I can ping hosts on the 192.168.1.0 subnet & all works fine. I can ping hosts on the Internet from 192.168.1.0 subnet as usual. However pinging hosts on the Internet from 192.168.6.0 subnet gets no reply. I suspect the firewall is blocking, but I don't find anything in the logs that helps isolate this (maybe I'm looking for the wrong things?). It seems that nothing from the 192.168.6.0 subnet is getting through - this based on failures to download webpages using `curl` with an IP address.

I have a "pass anything" rule on the LAN interface & use automatic outbound NAT generation rules. What could be blocking my replies originating in the 192.168.6.0 subnet?
#22
General Discussion / DNS for OpenVPN users
March 02, 2020, 06:48:10 AM
My OpenVPN setup is working well enough in OPNsense. The only niggle is that once I'm on the "LAN side" of the firewall, DNS does not work for any of the hosts on the local network. Outbound DNS seems to work OK for an external VPN user, but the only way I can reach my internal hosts is to look up the DHCP assignment table in OPNsense!

I'm currently using Dnsmasq, set to listen on Port 53. "Register DHCP leases" and "Register DHCP static mappings" boxes are ticked.

Also, the MDNS Repeater is enabled. This one looks suspect... A note says "At least two interfaces must be selected.", but I've only ticked the LAN interface. ???

Unbound DNS and OpenDNS are NOT enabled.

How should I configure DNS to provide OpenVPN users with reliable DNS for all hosts on the local network??
#23
Does the payment processor accept American Express cards? I can't get mine to go through!
#24
Just to close this out, expired certs was the source of my breakage; the version upgrade was coincidental. Once I installed a new CA and generated new certs for the user and the server, things fell into place. I had to edit my user config, VPN server config to add the new certs, then export a new Viscosity client package. After installing the new Viscosity profile, I was able to make a connection.

And FWIW, I'd like to suggest that OPNsense incorporate a feature to flag expired certs for the admin. (Am I spoiled? :)
#25
Just to follow up & hopefully avoid wasting anyone's time: I never found the "shortcut" I was hoping to find. Instead, I just created a new CA, generated new certs for server and user, and edited the OpenVPN server config to use them. It seems to be working now, so I'm moving on.

Just as an afterthought, I would like to say that I feel OPNsense, as good as it is, would benefit from a notification or message in the "lobby" to the effect that a cert has expired.
#26
My CA (cert. authority), OpenVPN cert and my user cert have all recently expired. As a consequence it seems, I can no longer connect to my OpenVPN server (a very bad thing). I am back in the office here for a few days, and hope to get everything repaired quickly.

I have read https://forum.opnsense.org/index.php?topic=5592.0 in this forum that the solution for this is to create a new CA and certs. However, it seems (based on this Q&A: https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal) that it is possible to renew a root CA, such that existing certs will become valid again.

Can anyone comment on this? Is it possible to "renew" without starting over?
#27
The System:Access:Tester has confirmed that my OTP generator, userid & Password are working as they should.

However... Looking at my self-signed CA and the certificates I generated last year, I see they are all expired. I am really fuzzy on the roles (and even the necessity for) Certs given that my OTP/2FA is in place, but it seems clear that they (Certs) must be required as they're included in the "How-To" guide.

Unless someone has a suggestion for eliminating the need for these Certs, I'll close this question. Once I've worked through the cert renewals, I'll post another question if I have difficulties.
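The three posts above all trace a dead OpenVPN server back to certificates that had silently expired. This is an added example, not code from the thread or from OPNsense: a small POSIX sh script that flags PEM certificates which are already expired or will expire within a given number of days, suitable for a cron job that mails its output. It assumes `openssl` is on the PATH and that the certificates to watch have been exported to a directory; `WARN_DAYS` and the `--scan` entry point are my own names.

```shell
#!/bin/sh
# Added example (not from the thread): flag PEM certificates that are expired
# or expire within WARN_DAYS, the kind of warning the posts above ask for.
# WARN_DAYS and the --scan entry point are assumptions; openssl is assumed present.
WARN_DAYS="${WARN_DAYS:-30}"

# Print the notAfter field of PEM certificate $1 (empty if it cannot be parsed).
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Return 0 if certificate $1 is still valid $2 days from now, 1 if it expires
# inside that window (or already has), 2 if the file is not a certificate.
cert_ok_for_days() {
    [ -n "$(cert_end_date "$1")" ] || return 2
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Scan *.crt and *.pem in directory $1; print one line per certificate that
# needs attention. Returns 1 if anything was flagged, else 0 (cron-friendly).
report_expiring() {
    dir=$1; days=${2:-$WARN_DAYS}; flagged=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        rc=0; cert_ok_for_days "$f" "$days" || rc=$?
        case $rc in
            0) continue ;;
            2) echo "unreadable: $f" ;;
            *) echo "expiring within ${days}d: $f (notAfter=$(cert_end_date "$f"))" ;;
        esac
        flagged=1
    done
    return $flagged
}

# Cron usage, e.g.: 0 7 * * 1 /path/to/cert-watch.sh --scan /path/to/certs 30 | mail -s "cert expiry" admin
case "${1:-}" in --scan) report_expiring "${2:?directory}" "${3:-$WARN_DAYS}" ;; esac
```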
#28
Quote from: newsense on March 04, 2019, 05:05:19 AM
If you do 12 in the console do you find any updates ? You might be on 19.1.1

From the Dashboard, I see this:

Versions
OPNsense 19.1.2-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2q 20 Nov 2018

A "check for updates" from the Dashboard reports "There are no updates available on the selected mirror."

It's as if something was blocking the VPN connection. But my fw rules haven't changed.
#29
So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.

And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.

Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?
#30
General Discussion / Re: DynamicDNS help request
February 21, 2019, 11:40:52 PM
Thank you for the suggestion. I looked at them (briefly), but it didn't seem that they were capable of doing what I need: I need to know when my IP address has been changed by my ISP. It's important because I'm away from my "home network" for months at a time, and I use the VPN to connect... which requires I know the IP address. And yes, I know OPNsense has a dynamic DNS client that updates my hostname (I use freedns), but I won't know that works until the IP address changes as there isn't a way to test & confirm it's working.

Anyway - I've found what seems to be a viable approach for doing this! I've not yet cobbled it into a working solution, but I hope to do that soon. The approach is to use one of the "what's my IP address" sites (e.g. https://www.whatsmyip.org/) in a cron job, then sending out an SMS or email to myself. FWIW, and in case it's of any interest to anyone else, the light came on after seeing this post on StackExchange: https://unix.stackexchange.com/questions/22615/how-can-i-get-my-external-ip-address-in-a-shell-script.

I should have thought of this before posting my question... I guess I got locked in on the idea that I should be able to accomplish this inside the OPNsense framework.
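The cron-job idea in the post above, written out as an added example (not the poster's own script or anything from OPNsense). The point worth adding is input validation: the lookup site's answer is checked to be a real dotted-quad address before it is stored or mailed, so a maintenance page or captive-portal HTML can never be mistaken for a "new IP". It assumes a lookup service such as api.ipify.org (the poster used whatsmyip.org; any plain-text service works), a local `mail` command, and the names `STATE_FILE`, `NOTIFY_ADDR` and `--run`.

```shell
#!/bin/sh
# Added example (not from the thread): detect a WAN address change from cron
# and notify, accepting only a validated IPv4 literal from the lookup service.
# STATE_FILE, NOTIFY_ADDR, the lookup URL and 'mail' are assumptions.
STATE_FILE="${STATE_FILE:-$HOME/.last_wan_ip}"

# Return 0 only if $1 is a dotted-quad IPv4 literal with every octet 0-255.
validate_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Ask a "what's my IP" service and print the answer only if it validates.
fetch_wan_ip() {
    ip=$(curl -fsS --max-time 10 https://api.ipify.org) || return 1
    validate_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Compare $1 with the address stored in STATE_FILE and update the file.
# Prints "initial X", "unchanged" or "changed OLD NEW"; returns 1 on a change.
record_ip() {
    new=$1
    validate_ipv4 "$new" || { echo "invalid address: $new" >&2; return 2; }
    [ -f "$STATE_FILE" ] || { printf '%s\n' "$new" > "$STATE_FILE"; echo "initial $new"; return 0; }
    old=$(cat "$STATE_FILE")
    [ "$old" = "$new" ] && { echo "unchanged"; return 0; }
    printf '%s\n' "$new" > "$STATE_FILE"
    echo "changed $old $new"
    return 1
}

# Cron entry point, e.g.: */15 * * * * /path/to/wan-ip-watch.sh --run
check_and_notify() {
    ip=$(fetch_wan_ip) || { echo "WAN IP lookup failed" >&2; return 2; }
    if msg=$(record_ip "$ip"); then
        return 0   # first run or unchanged: nothing to report
    fi
    printf '%s\n' "$msg" | mail -s "WAN IP changed" "${NOTIFY_ADDR:?set a recipient}"
}

case "${1:-}" in --run) check_and_notify ;; esac
```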