Messages

1

Virtual private networks / Wireguard OPNsense DNS Resolution Broken

« on: Today at 07:13:16 am »

Try port 51820 on the endpoint rather than the multihop port

Otherwise you will need to post screenshots of your config (masking private keys) to troubleshoot

2

Virtual private networks / Re: Wireguard OPNsense DNS Resolution Broken

« on: October 15, 2021, 11:40:41 pm »

I suspect your issue is not the DNS server. It’s a public IP and you aren’t doing selective routing. That warning you quote is from a selective routing tutorial - in that case wg-tools’ behaviour of overwriting resolv.conf can cause issues with resolution on OPNsense itself

But anyway, after deleting the DNS server in the WG settings, did you disable and re-enable the Local config, as the guide you used instructs? Worst case a reboot of OPNsense should fix the issue

3

21.7 Production Series / Re: Recommendation for using extra disk space

« on: October 15, 2021, 08:25:53 am »

https://forum.opnsense.org/index.php?topic=24174.0

4

General Discussion / Re: Very basic, newbie question, first time running it live.

« on: October 14, 2021, 11:27:35 am »

You will need to create the DHCP static mappings for your devices in OPNsense. IMO it is better practice to allocate static mappings outside the DHCP pool, although I don’t think OPNsense will stop you doing otherwise

5

21.7 Production Series / Re: VLAN/Multiple OPNsense LAN Ports Question

« on: October 13, 2021, 11:18:18 pm »

Use one interface for untagged and a separate physical interface for untagged traffic.

I suspect you meant to say “a separate physical interface for tagged traffic”.

I suspect you are probably right that this is largely a concern for edge cases. I’d hope for normal firewall behaviour that carefully defined rules (eg making sure source IPs in the rules are confined to what they should be, rather than using “any”) will avoid unanticipated outcomes. Franco in fact suggests this in his original comment

6

21.7 Production Series / VLAN/Multiple OPNsense LAN Ports Question

« on: October 13, 2021, 04:31:34 am »

As as result of this comment, I now have my VLANs on a separate NIC to the NIC that LAN is on

7

General Discussion / Internal IPv6 network with DNS setup help

« on: October 11, 2021, 08:29:43 am »

I use ULAs for all local IPv6 communications. OPNsense advertises ULA prefixes and capable local devices get ULAs via SLAAC (as well as GUAs via SLAAC)

I have a separate box running pihole and unbound for DNS. Pihole listens on an IPv4 local (RFC1918) address and an IPv6 ULA. OPNsense gives out those addresses as DNS servers to all local clients via DHCP and RA/RDNSS (and in fact I have OPNsense force the use of those addresses). The pihole has local DNS entries configured for various local hosts, configured to return their IPv4 local address and IPv6 ULA

8

21.7 Production Series / Re: Can't add same vlan to second interface

« on: October 10, 2021, 11:17:09 am »

OPNsense is a firewall/router, not a switch. So you can’t assign one VLAN to multiple NICs, unless you bridge those NICs and assign the VLAN to the bridge

9

21.7 Production Series / Re: IPV6, prefix delegation and 2 LAN subnets

« on: October 10, 2021, 11:02:49 am »

Well, your ISP sucks! Which ISP is it?

10

21.7 Production Series / Re: IPV6, prefix delegation and 2 LAN subnets

« on: October 10, 2021, 04:13:46 am »

It looks like then that your ISP does not support requesting the whole /56 PD, but rather you have to request individual /64 PDs for each internal interface. It appears then that you might have to do some manual configuration to achieve this, as it does not appear that the UI allows multiple PDs to be requested (I’m assuming for example it does allow multiple prefix IDs to be specified in the advanced field on the WAN interface?).

This post may be of assistance to do it manually:

https://forum.netgate.com/topic/153288/multiple-ipv6-prefix-delegation-over-at-t-residential-gateway-for-pfsense-2-4-5

11

General Discussion / Re: Firewall is showing a lot of "Default deny rule" for IPv6 interface connections

« on: October 10, 2021, 02:01:10 am »

Right, this is not a setup I am familiar with or am confident that should work. Effectively you seem to be seeking to use the same subnet for both the WAN interface and internal clients

12

General Discussion / Re: Firewall is showing a lot of "Default deny rule" for IPv6 interface connections

« on: October 10, 2021, 01:08:11 am »

Ah, so your IPv6NET is the WAN interface, rather than an internal interface that you are using only for IPv6 access?

IMO then you need to configure a rule on the LAN interface that forces all IPv6 traffic incoming on that interface to use the IPv6NET gateway

13

General Discussion / Re: 2 Wan interfaces > Use one for Wireguard exclusively?

« on: October 10, 2021, 12:44:55 am »

This how-to should help with the second part: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

As for the first part, I’m guessing, but perhaps if you create a FW rule on the required WAN interface, direction OUT, source This Firewall to the VPN port (eg 51820), that might work?

14

General Discussion / Re: Firewall is showing a lot of "Default deny rule" for IPv6 interface connections

« on: October 10, 2021, 12:38:42 am »

Screenshot is good. Try specifying the WAN IPv6 gateway in the rule, rather than default

15

General Discussion / Re: Firewall is showing a lot of "Default deny rule" for IPv6 interface connections

« on: October 10, 2021, 12:08:43 am »

Post the full config for the FW rule on IP6NET