Messages - allebone

106
General Discussion / Re: OpnSense in small Enterprise segment - negative feedback
« on: October 10, 2021, 08:28:20 pm »
For the HA option, are you just saying you want an active-backup option?

107
German - Deutsch / Re: github timeout due to FireHOL block
« on: October 07, 2021, 11:06:01 pm »
Which list are you using?
That IP does not exist in firehol 1:

https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

108
21.1 Legacy Series / Re: BELL FIBE IPTV (Ontario)
« on: September 28, 2021, 10:30:55 pm »
I have not done it before, as I don't have TV from Bell, but here is a post that suggests the VLAN is 34 for TV.

In addition, I am informing you not to use 192.168.2.x in your network. The TV boxes are hard coded to their IPs on that range. You will 100% have issues if you don't re-IP your home network (and want TV).

Here are posts that explain how to do it:
https://www.idscomm.ca/blog/bell-fibe-internet-iptv-with-pfsense

https://forum.netgate.com/topic/78892/how-to-get-bell-fibe-in-quebec-ontario-internet-and-iptv-working-with-pfsense

109
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 09:45:21 pm »
I can't explain why it doesn't work for you. I mean I am totally stuck on what to look at next. I can't think of a reason that could be causing you an issue :(

110
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 02:14:09 pm »
Here is the proof it works from an iPhone. My iPhone gets an IPv6 address, so that's why the endpoint looks strange, but I assure you this works on IPv4 clients also (just easier to test from my phone quickly).



111
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 02:03:27 pm »
Currently because I was testing for you guys I have 2 rules:

NAT
Rules

However, they both work currently. Presumably, as mine work and you are wanting to achieve the identical setup (one forwards to the same port, the other redirects from a different port), yours should also work (when you have 2).

Don't forget to modify the port on the client connecting afterwards. That's also a requirement obv.

P

112
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 28, 2021, 01:03:39 am »
Then I am stumped  :(

113
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 27, 2021, 10:36:09 pm »
Can you check IPv6 is not causing an issue by disabling it entirely:
https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6

114
Virtual private networks / Re: Wireguard port - public wifi
« on: September 27, 2021, 09:31:26 pm »
Under my rules, WAN, the destination is the internal IP of the firewall, not the WAN address (mine is working so assume correct?). Probably because of stateful inspection the bottom WAN rule is never hit (the rule above stops further processing of rules). You could try reordering the bottom rule and moving it before the rule that is to WAN address in your screenshot.

I'm pretty sure this is the issue because I only use NAT rules even when forwarding to the router itself (i.e. as opposed to just opening the WAN up directly). The reason for this is in my case I use IDS/IPS on the LAN interface, so without making the packet process through the LAN the router itself will not have this port protected by any filtering you have in place. Indeed some small cost of a CPU cycle is incurred by the packet having to move across an interface, but a faster CPU can mitigate that and probably the cost is so small you will be unable to detect it. The same reason could apply if you used Sensei on the LAN.

Also, I am pretty sure a NAT rule is the default way it was done in the documentation before, but I did just check and it is no longer like that, so I think this was changed in the documentation at some point because I assumed everyone did it this way, and at one point I'm fairly confident it was the case.

115
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 27, 2021, 08:04:22 pm »
I also had this before when I set up bridging incorrectly. Did you have any bonding or bridging at all?

116
Virtual private networks / Re: Wireguard port - public wifi
« on: September 27, 2021, 07:54:51 pm »
MTR, you cannot redirect to ‘wan address’ as this is the external IP of the firewall. Try redirecting it to 192.168.1.1 in your case.

117
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access to OPNsense
« on: September 27, 2021, 02:00:58 am »
Any strange VLAN setup?

118
Virtual private networks / Re: Wireguard port - public wifi
« on: September 26, 2021, 08:29:34 pm »
See - I told you it had to work.

GG.

Pete

119
Virtual private networks / Re: Wireguard port - public wifi
« on: September 25, 2021, 07:15:34 pm »
Yup, J posted this already. It goes to the OPNsense IP address.

120
Virtual private networks / Re: Wireguard port - public wifi
« on: September 25, 2021, 05:23:29 pm »
I can't understand why you guys can't get redirecting from a different port to work. On mine it works perfectly fine. I can run WireGuard on any port and just redirect a different external port of my choosing. Honestly I don't see how this can't work for you. It's like a basic feature of the firewall to be able to do this.


Maybe you guys are removing the rule that allows WireGuard to listen on the port it's configured on. Can you rule this out by having 2 NAT rules (one original rule to the same WireGuard port it's listening on and a second NAT rule where the redirect is performed)? If this scenario works, then you guys are deleting the rule to allow WireGuard to service requests on the port it is listening on, which would break it obviously.
