Messages - allebone

#91
21.7 Legacy Series / Re: Unable to open specific website
November 30, 2021, 05:56:03 PM
Strange thing for me is that sometimes I can load the site and other times I can't, so it's like the site works sometimes. I noticed because on checking again after it worked the first time I suddenly couldn't access it. Now it's working again.
#92
21.7 Legacy Series / Re: Unable to open specific website
November 30, 2021, 04:52:10 PM
Maybe you use blocking like IDS or something, because it works for me.
#93
OK, thank you for replying. It's appreciated you took the time to think about it.

With regards to my setup, it is as follows. However, at this exact moment it's a little different, as last night I did a load of testing (all made no difference) where I tried adding gateways, disabling automatic routes, adding manual routes, trying different things on outbound NAT, removing interfaces, adding interfaces etc. However, it seems like there is zero difference regardless of what I do.

When you follow the OPNsense WireGuard road warrior guide you end up with the auto-generated WireGuard interface and another one you make that, if you look in Interfaces - Overview, has the IP address you set under Local - Tunnel Address.

So for example my LAN is 192.168.2.0/24 and the local tunnel address of the WG interface is 192.168.200.1/24.

A client connects and is assigned an IP like 192.168.200.10/32 (i.e. by the WireGuard config).

So what is working? Basically everything important. The firewall itself can ping 192.168.200.10, and the client on 192.168.200.10 can access any LAN device and ping any LAN device or the firewall on both the 192.168.200.x range and the 192.168.2.x range (so the LAN and WG ranges work from the connecting road warrior side, essentially).

However, the LAN clients can't ping a WG IP. So for example, if I am on a PC with 192.168.2.12 as its IP behind the firewall, I can't ping 192.168.200.1 (the firewall's WG IP). I also can't ping 192.168.200.10 (a client's IP over the WG tunnel). I believe services can't be accessed either (e.g. I can't telnet to 192.168.100.10 on port 80).

So the traffic from LAN to a WireGuard IP does not work. I'm not sure if this is by design or not. Is it possible you are not allowed to try to ping these IPs, as they are exclusively for clients on the WG tunnel? I assumed the firewall could or would know how to route a packet around its own interfaces to be able to reply to a ping, but maybe I am wrong. I am using the kernel version of WG, if that makes a difference. It could be I am expecting something that is not really designed to work.

P
#94
What you have all said makes sense. I am continuing to investigate further.
#95
Has anyone else ever had an issue where, if you follow the guide to the WireGuard road warrior setup, everything works except that from a LAN client you can't ping a WG client that's connected?
#96
Strange, the solution worked perfectly for me... did you reboot afterwards and double-check you made the change?
#97
No worries, thanks for trying to help anyway. Yes, it's a UniFi switch and it has an option... I will sit on this problem for a while and if I notice anything I will post back, but as there is no immediate answer it will require me to do some digging around on my own to try to make progress...
#98
No, actually I don't have that setup. I have a normal RJ45 connection going from the WAN port of the firewall to the switch, which the switch VLAN tags, and then an SFP module in a different port on the same switch which is also on that same VLAN, as the connection is fiber and I can't plug that directly into the firewall as there are no ports to accommodate it. As far as I know everyone else on Bell Fibe has it working, or at least they claim to have it working on the posts I have read, at 1500 MTU.
#99
I'm at a loss why it doesn't work then. I have a switch that should allow it, and set all the options as others did, but it simply doesn't work :(
#100
Do you have a USB NIC anywhere by any chance? Some USB NICs send a reset packet that broadcasts over the network and causes problems with many devices.
#101
I see... I did set the parent interface to 1508, but I had not considered/didn't know the hardware would make a difference. I am using a Protectli box, so the NICs are Intel gigabit NICs. If that doesn't support this then that would make sense as to why I can't get it to work.
#102
Thank you both for your replies. Unfortunately, when I do ifconfig my MTU is not changed despite setting it. I don't know why this is:

pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492

I have checked and rebooted multiple times, and for sure edited the MTU on the dummy interface and the PPPoE connection in addition. There must be something different, but I can't work it out.
#103
I think something else must be wrong, as mine displays all of them (currently 12) in that list endpoints section.
#104
Hi,

I'm with an ISP that allows the MTU of 1492 to be brought up to 1500 on a PPPoE connection. It's not clear to me how everyone else achieved this. I have read several topics on the forum and tried the suggestions, but I can't seem to get it to work on OPNsense 21.7.5-amd64.

I had a PPPoE connection on top of the em0 interface working on an MTU of 1492, and started by setting the MTU to 1508 there, which then states "calculated MTU 1500".

This had no effect, so I read other posts that said you needed to make a dummy interface of em0 and simply enable it and set an MTU of 1508 there, which I also did.

This also had no effect, even after rebooting. The PPPoE dials and ends up with an MTU of 1492 at the end. What is the method people use to force an MTU, as I am clearly missing a step?

Kind regards
P
#105
Zenarmor (Sensei) / Re: Trusting Sensei
November 19, 2021, 05:34:40 PM
If privacy is such a concern to you then don't use Sensei. It has to have some data collection to manage licensing, sync with the cloud portal etc. That's a fact of life for commercial products. Don't use Azure, don't use O365, don't use AWS, don't use anything where some data has to be stored elsewhere. I.e. nothing useful, since everything is using cloud these days. Good luck, but you will find it impossible integrating useful products like this if you cannot have a single bit of your data leave your site. Simple fact of life. The ship has already sailed on this. No turning back now.