Messages

What exactly does OPNsense show you as the interface speed?

I have OPNsense running on Proxmox VE and it shows "10Gbase-T <full duplex>" on all interfaces.
I also have one OPNsense VM running on ESXi 6.7 U3d, but can't access it right now (it also uses VMXNET3 NICs).

If you use the Intel E1000e NICs for your OPNsense VM, they will be limited to 1Gbit/s btw - make shure to use vmxnet3.

Have you tried uninstalling and reinstalling the os-zerotier Plugin?

AFAIK these are just package messages and can be ignores, since you configure ddclient from the GUI in OPNsense. :)

Other than that, have you got the plugin to work?

What kind of devices / Hosts are in the LAN and VLAN2 Network?
What Services (Port, Protocol) in the LAN Network are you trying to access from the VLAN2 Network?
Are there multiple Gateways?
...

Some additional information would probably help with solving your Problem :)

The fastest way would probably be to revert back to 22.1.7 for the time being.

Do you see any errors in "VPN --> IPSec --> Log File" ?

In the 22.1.8 Changelog the only things about the Firewall I could find is this:

• firewall: various usability and visibility improvements for aliases
• firewall: performance improvement for large numbers of port type aliases
• firewall: simplify sort and add natural sorting in alias diagnostics

I suppose your Network looks something like this?

Code Select Expand

[SMB Clients] <-- 172.16.33.x --> [OPNsense 1] <-- IPSec (WAN) --> [OPNsense 2] <-- 10.3.32.x --> [SMB Server]

Can you show how your Firewall Rules Look like? And do you have multiple Gateways?
I haven't used IPSec with OPNsense yet, only with OpenVPN and WireGuard, but from the other recent Posts, it seems like there might be issues with both IPSec and Aliases in 22.1.8.

Same for me, my OPNsense VMs also report being still on 22.1.8, but "freebsd-version -kru" reports 13.1-RELEASE - so I guess the Updates still works

Updating your packages will likely do nothing, since the FreeBSD Base and Kernel are updated via freebsd-update (opnsense-update) instead of pkg.

Can you send the output of "opnsense-version -O" and "freebsd-version -kru" ?

Only thing I can say is that port 16393 udp belongs to Apple FaceTime, maybe DOS, Portscan or misconfigured ISP Routers ...

Have you set anything up in "Services --> DHCPv4 --> [Interface Name] --> Failover peer IP" ?
If so, are the IP addresses correct?

# opnsense-update -bkzr 22.7.b

If i run `opnsense-update -bkzr 22.7b` on my OPNsense 22.1.8 VM, I get the following error:

Code Select Expand

Fetching base-22.7b-amd64.txz: ..[fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/sets/base-22.7b-amd64.txz.sig: Not Found] failed, no signature found

--- Edit ---

I missed one dot ... I typed

Code Select Expand

opnsense-update -bkzr 22.7b instead of

Code Select Expand

opnsense-update -bkzr 22.7.b

I updated my two OPNsense VMs (HA Cluster) and they seem to work fine, no errors yet :)

I am using this with my dual WAN setup (1x cable, 1x dsl):

Firewall --> NAT --> Port Forward
--> Add (+)

- Interface                                WAN1
- Protocol                                 UDP
- Destination                            WAN1 address
- Destination port range           from:                to:
                                                OpenVPN        OpenVPN
-  Redirect target IP                 Single Host or Network
                                                127.0.0.1
- NAT reflection                        Use system default
- Filter rule association             Add associated filter rule
- Save

--> Add (+)

- Interface                                WAN2
- Protocol                                 UDP
- Destination                            WAN1 address
- Destination port range           from:               to:
                                                OpenVPN        OpenVPN
-  Redirect target IP                 Single Host or Network
                                                127.0.0.1
- NAT reflection                       Use system default
- Filter rule association            Add associated filter rule
- Save


VPN --> OpenVPN --> Servers
--> Edit

- Interface                                Localhost
- Save

Thanks a lot for the write up, I will try this out as soon as I can :)

The only thing that could be added on Part 4.3 is to use an Alias for Port 80 and 443 to only use one Firewall Rule ;)

["My License Key"]

https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html#generate-license-key
Just a minor detail (Generate License Key):  Click in the "My License Key" link and generate a key.

The Link is now called "Manage License Keys".

Woran liegt das? Naja weil dein ganzes LAN2 eigentlich das FB Netz ist, von der FB das DHCP bekommt und jedes Gerät in LAN2 ergo alle Pakete nach extern an die Fritzbox schickt? Die ggf. eben keinerlei Route kennt zu LAN1 Geräten? Oder hast du der FB beigebracht, dass alles was aus LAN kommt (deren Netz) via der Sense in LAN2 geroutet werden soll? Wahrscheinlich nicht.

Warum gehts mit DHCP? Weil du NAT auf automatic outbound hast und bei DHCP die FB der Sense nen Default GW pusht und damit das Interface LAN2 kein LAN mehr ist sondern ein WAN Uplink. Dadurch gelten auch automatic outbound NAT rules und jedes Paket wird ausgehend geNATtet wenns rausgeht - was dazu führt, dass wundersamerweise die Pakete wieder den Rückweg zur Sense finden, weil die Pakete alle von der Sense LAN2 IP zu kommen scheinen. Wenn du ne statische IP vergibst, dann wohl ohne Gateway FB in LAN2 und damit auch kein "WAN" Style Interface. Dadurch kein Auto-NAT, dadurch kein Rückweg der Pakete weil in FB keine Route zu 192.168.1.0 bekannt, daher Pakete verloren.

Das ist einfach Routing Logik :)

Danke für die ausführliche Erklärung, jetzt verstehe ich auch genau was das Problem war :)
Bin leider noch ein Anfänger was Routing angeht, wo kann man sich denn am besten dazu schlau machen?

Um @JeGr zusammenzufassen: leg auf der Fritzbox eine Route für das LAN 192.168.1.0/24 an und alles wird gut.

Danke für den Tipp, habe es eben gemacht und es geht jetzt ohne meiner Ausgehenden NAT Regel :D