Messages - Gauss23

#31
Why do you want to work with block rules? Everything is usually blocked unless allowed.  Maybe you can describe what you want to do and we can tell you what the best approach would be.
#32
Another workaround is to build a virtual switch on the ESXi host and connect the OPNsense with a VLAN aware network adapter. In this way you can add the interfaces on the OPNsense side via the GUI.
Or use another hypervisor. OPNsense and ESXi seem to not play nice for this use case.
#33
As I remember, using VMXNET adapters causes this error. Try E1000 adapters.
#34
General Discussion / Re: VLAN Config
March 28, 2023, 06:30:33 PM
Do you have any firewall rules that allow pinging the OPNsense box on that interface?
#35
I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of a bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.
#36
Quote from: CJRoss on March 12, 2023, 08:10:13 PM
Add keepalive 25 to each of your peers.  Currently the wireguard connection gets broken when there's no traffic.

Thanks. I already had keepalive 25 on the "mobile" side. I now added it to other sides of the tunnels. So far no breakdown yet. Fingers crossed.
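The keepalive fix discussed above, as an added example that is not code from the thread or from OPNsense: a small parser for the WireGuard configuration format that lists the [Peer] sections lacking PersistentKeepalive and a helper that inserts a 25-second keepalive into each such peer. The sample configuration, its key placeholders and endpoint hostnames are constructed for the example.

```python
# Constructed sample WireGuard config (placeholder keys and hostnames, not from the thread).
# Peer A already has a keepalive; peer C, the site behind the 5G router's NAT, does not.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <placeholder-private-key>
ListenPort = 51820

[Peer]
# Site A, reachable on a public IP
PublicKey = <placeholder-key-A>
AllowedIPs = 10.10.0.0/24
Endpoint = site-a.example:51820
PersistentKeepalive = 25

[Peer]
# Site C, behind carrier NAT, must initiate the tunnel itself
PublicKey = <placeholder-key-C>
AllowedIPs = 10.30.0.0/24
Endpoint = site-c.example:51820
"""


def parse_peers(text):
    """Return a list of dicts, one per [Peer] section, keyed by lower-cased option name.

    WireGuard configs repeat the [Peer] section name, which stock INI parsers reject,
    so this walks the lines by hand and ignores comments and the [Interface] section.
    """
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.strip("[]").lower() == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return peers


def peers_without_keepalive(text):
    """Public keys of peers that would go silent behind NAT: no (or zero) PersistentKeepalive."""
    missing = []
    for peer in parse_peers(text):
        ka = peer.get("persistentkeepalive")
        if not ka or not ka.isdigit() or int(ka) == 0:
            missing.append(peer.get("publickey", "?"))
    return missing


def _insert_before_trailing_blanks(lines, new_line):
    # Keep the new option inside the section rather than after the blank separator line.
    i = len(lines)
    while i > 0 and lines[i - 1].strip() == "":
        i -= 1
    lines.insert(i, new_line)


def add_keepalive(text, seconds=25):
    """Return the config with 'PersistentKeepalive = <seconds>' added to every peer lacking it."""
    out = []
    in_peer = False
    seen = False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped.startswith("["):
            if in_peer and not seen:
                _insert_before_trailing_blanks(out, f"PersistentKeepalive = {seconds}")
            in_peer = stripped.strip("[]").lower() == "peer"
            seen = False
        elif in_peer and stripped.lower().startswith("persistentkeepalive"):
            seen = True
        out.append(raw)
    if in_peer and not seen:
        _insert_before_trailing_blanks(out, f"PersistentKeepalive = {seconds}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("peers without keepalive:", peers_without_keepalive(SAMPLE_CONFIG))
    print(add_keepalive(SAMPLE_CONFIG))
```

Running the checker before and after the fix shows peer C as the only one flagged and then none, which is the state the reply above recommends: every peer on the NAT-ed side carries a keepalive so the mapping in the 5G router is refreshed even when no user traffic flows.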
#37
Hi,

I have a problem since 23.1 with my Wireguard setup. It worked like a clockwork for so long.
Setup:
3 branch offices (A, B and C) involved, connections between A&C and B&C. A&B have an OpenVPN tunnel between them for historical reasons.
A&B use "real" internet connection
C is on a Telekom 5g router and needs to initiate the connection, as there is no port forwarding possible.
C is losing the connection since one upgrade. It is not really the Wireguard connection which breaks, it seems to be some state problem. From one moment to another all packets coming via Wireguard are blocked because of a "state violation rule" (see screenshot). I configured one client on C, so that I can connect to it without using the Site-2-Site tunnel.
I logged in via SSH and tried to restart the Wireguard service with service wireguard restart. I can see that there are fresh handshakes on Site A&B but no traffic is flowing. I also tried pfctl -F states but that also doesn't help. Only thing that works is rebooting OPNsense on site C. Then it will work maybe for 2-3 days, sometimes it starts to hang earlier.
Site C is running 23.1.3 as a virtual machine on a Proxmox host. The setup was working without any issue for many months.

What else can I check when this happens?
#38
The local OPNsense on Site B should have an IP in the same subnet as the HTTPS server, correct?

Check if you are able to ping some IP in Site A from the HTTPS server or check the routing table of that server.
The requests would only look the same for the HTTPS server perspective if you would do NAT which I assume you are not doing.
#39
Both WAN lines have different public IPs I guess? What is written in the ovpn files on the clients? Are there multiple lines similar to this: "remote x.x.x.x 1194"?
The client usually tries to connect to the servers in that order. Sounds like the 5G IP/hostname is listed as the first "remote" line. If this is the case just swap both entries.
#40
Sounds like the server you're trying to reach on port 443 is not sending the packets back the same route they are coming from. Is the OPNsense on Site B the default gateway for that server? If not you need to tell the server on Site B to use the OPNsense as a gateway for the originating network (Site A).
#41
Hi, I haven't been around here for a while. Will there be another UG online meeting in November? I'd be glad.
#42
German - Deutsch / Re: UniFi AP with OPNsense
April 24, 2021, 02:48:16 PM
You can do it like that. Do you use IPv6? If not, disable it.

Instead of the block rule you could also have created an alias containing all private networks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

And set this as the destination, with "invert" enabled, on the bottom Wifigast rule. Then the guest WLAN can reach everything on the internet but nothing on your local network. The DNS rule would still apply anyway, since it is evaluated first.
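The rule logic described in this post, as an added example that is neither the poster's configuration nor OPNsense code: a first-match evaluator over a constructed guest-WLAN rule set, with the RFC 1918 alias used as an inverted destination, plus a comparison against the original explicit-block variant where the position of the DNS rule decides whether guest DNS works. The firewall address 192.168.50.1, the public test address and the rule names are assumptions made for the example.

```python
import ipaddress

# The alias suggested in the post: all RFC 1918 private ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed guest-WLAN rule set, evaluated top to bottom, first match wins.
# "dst" is a list of networks (an alias) or None for any destination; "invert" negates the match.
GUEST_RULES = [
    {"name": "allow DNS to firewall", "action": "pass", "proto": "udp", "dport": 53,
     "dst": [ipaddress.ip_network("192.168.50.1/32")], "invert": False},  # assumed firewall IP
    {"name": "allow Internet only", "action": "pass", "proto": "any", "dport": None,
     "dst": PRIVATE_NETWORKS, "invert": True},  # "not private" == everything on the internet
]


def _dst_matches(rule, dst_ip):
    if rule["dst"] is None:
        return True
    hit = any(dst_ip in net for net in rule["dst"])
    return not hit if rule["invert"] else hit


def evaluate(rules, proto, dst, dport, default="block"):
    """Return (action, rule name) of the first matching rule, else the implicit default block."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if not _dst_matches(rule, dst_ip):
            continue
        return rule["action"], rule["name"]
    return default, "default deny"


# The original poster's variant: an explicit block rule for private networks followed by an
# allow-all. With this layout the DNS rule only works if it sits above the block rule.
DNS_RULE = GUEST_RULES[0]
BLOCK_PRIVATE = {"name": "block private", "action": "block", "proto": "any", "dport": None,
                 "dst": PRIVATE_NETWORKS, "invert": False}
ALLOW_ANY = {"name": "allow any", "action": "pass", "proto": "any", "dport": None,
             "dst": None, "invert": False}


def dns_result(dns_rule_first):
    """Action for a guest DNS query to the firewall under the explicit-block rule set."""
    order = [DNS_RULE, BLOCK_PRIVATE, ALLOW_ANY] if dns_rule_first else [BLOCK_PRIVATE, DNS_RULE, ALLOW_ANY]
    return evaluate(order, "udp", "192.168.50.1", 53)[0]


if __name__ == "__main__":
    for proto, dst, port in [("udp", "192.168.50.1", 53), ("tcp", "203.0.113.10", 443),
                             ("tcp", "192.168.10.20", 445), ("tcp", "192.168.50.1", 443)]:
        print(proto, dst, port, "->", evaluate(GUEST_RULES, proto, dst, port))
    print("DNS with block rule, DNS rule first:", dns_result(True))
    print("DNS with block rule, DNS rule second:", dns_result(False))
```

With the inverted alias the guest rule never matches a private destination, so the only way into the local network is the narrow DNS rule, and the implicit default block catches everything else (including non-DNS traffic to the firewall itself). In the explicit-block layout the same DNS rule is silently shadowed if it is placed below the block rule, which is why the post stresses that it is evaluated first.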
#43
Follow-up questions:
- What is a TI box?
- What is currently handled via the Fritzbox: telephony, television (IPTV)?
- How do you want to set up the WLAN in future? Should the replaced Fritzbox do that?

I would rather keep the Fritzbox as the internet gateway if IPTV and telephony run over it. In such a case I put the OPNsense one level behind it. All switches should then be VLAN-capable; then you can offer either the Fritzbox network or one of the OPNsense networks anywhere in the house, at any network port or in a particular WLAN, as you choose.

Another advantage is that you can rebuild this during live operation with hardly any downtime. You simply migrate each area in isolation, as time permits.

Double NAT should be avoided, so on the Fritzbox you only need to set a few static routes (not difficult) and, if necessary, forward ports from the WAN to the OPNsense.

To keep the VLAN handling manageable I recommend a controller-based WLAN and switch solution such as the UniFi system. That way you have an overall view of which VLANs exist and where they are available. If you configure something like that on each switch in isolation, you unfortunately often lose track.
#44
Quote from: yeraycito on April 22, 2021, 02:46:55 PM
Dangerous? I don't think so. Adguard works much better than Sensei and without consuming any hardware resources unlike Sensei. Wireguard-kmod works much better than the Opnsense implementation of wireguard. Much more stable and with far superior performance.

Don't have any stability issues with the OPNsense implementation of WireGuard. Can't say anything bad about the performance as the clients are maxing out their bandwidth.
#45
Try to put a switch between WAN port and fibre-modem. Maybe that helps.