Messages - FingerlessGloves

16
21.1 Legacy Series / Re: Issues With DNS- Randomly Cannot Connect to Web Pages? 21.1 In Proxmox/HyperV
« on: April 04, 2021, 09:55:03 pm »
I'm not sure personally, maybe your ISP is not letting you get to the ROOT DNS servers

https://www.iana.org/domains/root/servers

17
21.1 Legacy Series / Re: Issues With DNS- Randomly Cannot Connect to Web Pages? 21.1 In Proxmox/HyperV
« on: April 04, 2021, 09:37:45 pm »
Hey,

Have you tried changing the DNS mode of unbound to do forwarding to say Cloudflare or Quad9?

By default unbound works as a recursive DNS server, but changing it to forwarding is a common thing people do.

A quick test to see if that's the issue is to override DNS on the client machine, to see if the internet starts functioning correctly; if it does, then unbound is the issue.

18
Tutorials and FAQs / Re: TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider
« on: March 13, 2021, 11:04:17 pm »
Quote from: djronh1 on March 13, 2021, 10:57:32 pm
Yes, pfTables does have the IP resolved for the FQDN I had set

Screenshot your rule then, because it sounds like it should be working.

19
Tutorials and FAQs / Re: TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider
« on: March 13, 2021, 10:47:07 pm »
Ah ok :-)

Go to "Firewall: Diagnostics: pfTables" and select your alias from the drop-down; is it populated with the IPs you expect?

20
Tutorials and FAQs / Re: TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider
« on: March 13, 2021, 06:20:19 pm »
Quote from: djronh1 on March 13, 2021, 06:05:46 pm
I'm only using YouTube.com as an example .... the destinations I'm trying to force through VPN are simple websites that resolve to a single IP.

I was able to set up rules easily on my old Asus router (via AsusWrt-Merlin firmware).

So I'm hoping that achieving the same thing with OPNsense should be doable.

Oh, then if they're simple websites, this is very doable.

Have you made sure your SitesToVPn rule is above your rule that allows traffic to the internet?
Also, you need to make sure the Outbound NAT rule is there.

21
Tutorials and FAQs / Re: TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider
« on: March 13, 2021, 06:00:50 pm »
Quote from: djronh1 on March 13, 2021, 05:13:50 pm
I created a hosts alias for both groups of PCs (PC1, PC2, & PC3), and another host alias for destinations that should be routed via VPN (e.g. the UseVPN alias has YouTube.com, Amazon.com, google.com).

I set up the rule the same as listed in the main post, but instead of !RFC, I have UseVPN as the destination... but this is not working. All traffic continues to go out the WAN interface. But it works fine when I revert back to !RFC

Because you're only looking at the hosts in the main URL of the webpage; when you load youtube.com you make many other requests to domains other than youtube.com.

If you press F12 on a blank tab, click the Network tab in the newly popped-up window, then browse to YouTube, you will see domains other than youtube.com being loaded. For example "i.ytimg.com".
Trying to VPN certain websites via their base URL domain isn't always possible when they use a CDN, or a CDN of their own, because usually many other domains get used.

One way around it is to VPN the IP blocks that YouTube uses, but even this isn't always a foolproof way.
So you could get an IP for youtube.com, which for me is "216.58.210.206", then look up what ASN the IP is a part of, which is AS15169, then get all the IPs owned by this ASN number. Which is a lot of ranges, because it's Google's ASN, so any traffic going to Google in these ranges would get VPN'd.

https://traceroute-online.com/ip-asn-lookup/

What you're trying to do is not easy...

22
21.1 Legacy Series / Re: Migrated from pfSense to OPNsense
« on: March 08, 2021, 10:55:09 pm »
Ah, I gotcha, good use of a container to put Pi-hole in it.

Hmm, have you misconfigured your gateway or something on the containers? Can the containers ping OPNsense?

Some people say you're better off not restoring pfSense to OPNsense, as it can cause odd issues, but I think that's mainly for complex setups.

Yeah, I have an IoT network so I get the point of that requirement.

That guide looks fine, more or less how I would go about it, pretty much.

I can TeamViewer your machine if you want me to see the setup with my own eyes; if not, we can keep chatting here :)

23
21.1 Legacy Series / Re: Migrated from pfSense to OPNsense
« on: March 08, 2021, 08:47:09 pm »
Hi,

That default deny rule in the floating rules will get caught by any interface, so no, you don't need to create any end deny rules in your interface rules.

How do you want DNS configured: in forwarding mode to something like 1.1.1.1 or 8.8.8.8, or in recursive DNS mode?
In that guide he's using the two DNS services on different networks; do you really need that complexity? You can just send all your DNS traffic to SurfsharkVPN's DNS server via the DNS servers in the DHCP settings, if you want VPN'd clients to use the VPN connection, or you can use NAT rules to NAT any traffic going to port 53 and redirect it over the tunnel to SurfsharkVPN. There are many ways to do this one.
Personally I use DNS over TLS and send all DNS requests using that, to stop the ISP snooping on it.

As for the networking issue in your containers, that sounds like an issue with your setup; if VMs get an IP then something else is amiss with your containers.

24
21.1 Legacy Series / Re: 2 HA CARP masters ?!
« on: March 07, 2021, 10:14:26 pm »
Did you enable Promiscuous for the whole vSwitch or just the one network?

EDIT: you may also need to enable "MAC Address changes" and "Forged transmits", since the CARP MAC address moves between the two VMs.

25
21.1 Legacy Series / Re: Use openvpn as client and server breaks it all
« on: March 07, 2021, 10:07:04 pm »
That sounds very strange... you shouldn't need to do that...

Have you changed any settings in "Firewall: Settings: Advanced"? It kinda sounds like when the gateway goes up or down it's killing all the states.
26
21.1 Legacy Series / Re: Use openvpn as client and server breaks it all
« on: March 07, 2021, 07:51:44 pm »
I've had an OpenVPN server and OpenVPN client running at the same time on OPNsense for years, so something isn't quite right with your settings, it sounds...

Have you left the "Local port" on the VPN client blank? If so, try putting in a port you know isn't in use, like 1195.

Can you screenshot the settings for each server and the client? It would make it easier to see how you've configured them :-)

27
21.1 Legacy Series / Re: Can I challenge let's encrypt with opnsense natted?
« on: March 07, 2021, 07:21:44 pm »
Quote from: lfirewall1243 on March 07, 2021, 07:16:51 pm
It's working

You just have to point your DNS names to your public IP, and forward port 80, maybe 443 as well, to your OPNsense

Have you tested this then?

I thought what they might need to do is port forward the "Local HTTP Port" found in "Services: Let's Encrypt: Settings", and then once that's forwarded it may kick into action. So when the HTTP challenge is done, that port is already forwarded to the OPNsense box making the request, so it should then work.

I'm guessing he's done the DNS A record to point to his WAN IP on the first router/firewall.

28
21.1 Legacy Series / Re: Can I challenge let's encrypt with opnsense natted?
« on: March 07, 2021, 06:32:03 pm »
You don't change who you've registered the domain with, but who your DNS provider is.

You change the name servers from their free provided DNS to Cloudflare. For example, I have my domain with Namecheap and then I use Cloudflare DNS.

Am I right in saying this OPNsense you're working on is behind another OPNsense or firewall?

29
21.1 Legacy Series / Re: Use openvpn as client and server breaks it all
« on: March 07, 2021, 02:57:54 pm »
Wonder if it's the routes being added to OPNsense when the client tunnel comes up.

I usually tick "Don't pull routes", then create a gateway and do policy-based routing. Otherwise the VPN client messes with the default routes if you're connecting to a VPN provider such as Private Internet Access.

30
21.1 Legacy Series / Re: Issue regarding dedicated reverse proxy and lan access (from lan only)
« on: March 07, 2021, 02:54:32 pm »
Let's Encrypt plugin: I recommend you use the DNS challenge instead of HTTP; it's less prone to problems :-)

It supports a lot of DNS providers.
