Messages - soko

Pages: 1 [2]
16
20.7 Legacy Series / Re: Single WAN, but Multi Gateway not working
« on: January 24, 2021, 07:53:48 am »
Hi Franco,

No internet.

From a LAN PC I was constantly pinging an internet server.
Then I shut down 192.168.179.254 and the ping was timing out until I turned it on again.
192.168.179.1 was up and had internet connection.

Soko

17
20.7 Legacy Series / Single WAN, but Multi Gateway not working
« on: January 23, 2021, 04:12:54 pm »
Hi guys,

I was running OPNsense successfully with one LAN and two WANs (one gateway each) with a Gateway Group for failover according to https://docs.opnsense.org/manual/how-tos/multiwan.html.

Now after a change in my network I'm having the failover gateway in the same WAN-network as the main gateway.

So I thought "No biggy!" and
  • Added the new gateway to System-Gateway-Single
  • Swapped in the Gateway-Group the old failover (tier 2) for the new failover gateway
  • Adjusted the DNS servers in System-Settings-General
  • Deleted the old failover gateway and the 2nd WAN

But now, once my main gateway fails, the failover gateway is marked "active" but I have no internet on my LAN side.

Does anybody know why?

Here are a few more details...

Original/old/working config:
LAN: 192.168.254.0/24 (OPNsense static 192.168.254.253)
WAN: 192.168.179.0/24 (OPNsense static 192.168.179.253, Gateway 192.168.179.254)
WANFailover: 192.168.253.0/30 (OPNsense static 192.168.253.1, GatewayFailover 192.168.253.2)

New/not-working config:
LAN: 192.168.254.0/24 (OPNsense static 192.168.254.253)
WAN: 192.168.179.0/24 (OPNsense static 192.168.179.253, Gateway 192.168.179.254, GatewayFailover 192.168.179.1)

thanks
Soko

18
General Discussion / With VLAN I need to manually set MSS. Why?
« on: January 23, 2021, 02:38:17 pm »
Hi guys,

It took me days to figure this out, but I'm also curious if one of you has a hypothesis or can even explain this to me. I usually very much like to understand why something is happening :)

First my (I admit, a little exotic) network configuration:
  • Switch-GBit-Eth-Port (tagged VLAN 1 + 99) <=> Win10 with Realtek NIC
  • With Realtek Diagnostic Tool I have installed 2 separate VLAN NICs in Win10. One for VLAN1, one for VLAN99. So everything that uses one of the two NICs gets the corresponding VLAN-ID
  • OPNsense runs in a VM (VMWare) with two virtual NICs. VIRT1 is bridged to NIC-VLAN1. VIRT2 to NIC-VLAN99
  • In OPNsense VIRT1/VLAN1 is LAN. VIRT2/VLAN99 is WAN.

So far so good and everything worked perfectly... at the first glance at least.

From a LAN PC I was able to:
  • Resolve DNS names
  • Ping (ICMP) into the internet via IP or dns name

But no internet page (browser) was working. Even the one I was able to ping successfully.

Once I changed MTU=1500 and MSS=1456 in Interfaces->WAN, everything worked perfectly.

So I somehow have to manually accommodate the 4 bytes of VLAN tagging. Just changing the MTU to a smaller number (even 1000) didn't help.

Now, for someone who knows a lot about these things, I'm happy to learn and also have the following questions:
  • Why do I have to do this only on the WAN interface and not on LAN?
  • Why am I still able to browse to the OPNsense website from a LAN PC if the issue seems to be somewhere between the OPNsense and the switch port?
  • Or in other words: Why does this issue only occur on internet TCP traffic and not local TCP traffic?

Thanks in advance
Soko
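As an added illustration of the arithmetic behind the MTU/MSS setting in the post above (example code, not from the forum post or from OPNsense), this assumes, as the post concludes, that the 4-byte 802.1Q tag reduces the payload the link will actually carry, and shows why small pings pass while full-size TCP segments with DF set do not:

```python
# Added example: derive the TCP MSS that keeps a full-size segment inside a
# link whose usable payload is reduced by encapsulation overhead, and check
# which IP packet sizes survive such a link. Header sizes are standard
# minimum IPv4/IPv6/TCP headers; the overhead table is constructed here.
from typing import Iterable

IPV4_HEADER = 20   # bytes, no options
IPV6_HEADER = 40
TCP_HEADER = 20    # bytes, no options

# Bytes each encapsulation takes away from the IP payload on this link.
OVERHEAD = {
    "vlan": 4,    # one 802.1Q tag (the post's case)
    "qinq": 8,    # two stacked 802.1Q tags
    "pppoe": 8,   # PPPoE (6) + PPP (2)
}


def effective_mtu(link_mtu: int, encaps: Iterable[str] = ()) -> int:
    """Largest IP packet the link carries once every encapsulation is paid for."""
    return link_mtu - sum(OVERHEAD[e] for e in encaps)


def mss_for_mtu(link_mtu: int, encaps: Iterable[str] = (), ipv6: bool = False) -> int:
    """TCP MSS to advertise/clamp so a full segment still fits the effective MTU.
    MTU 1500 with one VLAN tag gives 1456, the value from the post."""
    ip_hdr = IPV6_HEADER if ipv6 else IPV4_HEADER
    return effective_mtu(link_mtu, encaps) - ip_hdr - TCP_HEADER


def packet_passes(ip_packet_len: int, link_mtu: int,
                  encaps: Iterable[str] = (), df: bool = True) -> bool:
    """An oversized packet with DF set is dropped; if the resulting ICMP
    'fragmentation needed' never reaches the sender, the flow black-holes.
    Without DF the packet could be fragmented and still get through."""
    if ip_packet_len <= effective_mtu(link_mtu, encaps):
        return True
    return not df


if __name__ == "__main__":
    # Constructed sizes: a default 64-byte ping is an 84-byte IPv4 packet,
    # while a browser download fills 1500-byte DF segments.
    print("MSS for VLAN WAN:", mss_for_mtu(1500, ["vlan"]))
    print("ping passes:", packet_passes(84, 1500, ["vlan"]))
    print("full HTTP segment passes:", packet_passes(1500, 1500, ["vlan"]))
```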

19
20.7 Legacy Series / Re: Exclusive DNS server for each WAN possible?
« on: January 01, 2021, 10:49:17 am »
Sorry, maybe "untrusted" was not the correct word. Maybe "not-so-trusted" would be better ;)

I also still see a point in activating/deactivating DNS servers on gateway changes but I understand that it's not high up in the wanted feature list of OPNsense.

I'm basically satisfied by the knowledge that all DNS servers are used all the time. So I just misinterpreted the settings in OPNsense.

20
20.7 Legacy Series / Re: Exclusive DNS server for each WAN possible?
« on: December 31, 2020, 02:34:43 pm »
Quote from: marcquark on December 30, 2020, 03:43:45 pm
As has been established already, that doesn't seem possible with OPNsense at the moment.
OK, that's more or less what I wanted to know: It's not possible with OPNsense.

Quote from: lar.hed on December 30, 2020, 06:05:59 pm
I think you might be helped by reading up on how DNS works, and most important: How Unbound works inside.
I know how DNS works. But nowhere does it say that all available DNS servers need to be used (in parallel). That's apparently specific to Unbound. So I know now that Unbound cannot do that...

Quote from: marcquark on December 30, 2020, 03:43:45 pm
But again, i fail to understand why it's an issue.
WAN A with DNS A is a secure/trusted internet connection and is the highest tier in my Multi WAN group.
WAN B with DNS B is untrusted and should be only used as failover when WAN A is down.

So the issue is that I don't want the untrusted DNS B used when WAN A (and therefore DNS A) is available.

21
20.7 Legacy Series / Re: Exclusive DNS server for each WAN possible?
« on: December 30, 2020, 02:00:38 pm »
Quote from: lar.hed on December 30, 2020, 08:59:16 am
Since I run a Multi-WAN also, I know for a fact that my WAN-FTTH (prim) is used for all DNS lookups, and when my WAN-LTE takes over (FTTH fails) it of course changes route out. So I am a bit curious how set up the Multi WAN part?

I'm not quite sure if you mean the same thing as I do. I don't have a problem with which WAN is used to contact the DNS server. My issue is that I want to use different DNS servers with different active WANs.
Or am I missing something here?

My Multi WAN setup is done as described here: https://docs.opnsense.org/manual/how-tos/multiwan.html

22
20.7 Legacy Series / Re: Exclusive DNS server for each WAN possible?
« on: December 30, 2020, 08:49:18 am »
@marcquark: My issue isn't that the DNS goes through the wrong WAN. I thought DNS A is used solely when WAN A is up, and DNS B (through WAN B) is used solely when WAN A is down.

@tong2x: That's what I was worried about. I've disabled Unbound and used Dnsmasq. There is the option "Query DNS servers sequentially", which sounds promising.
First tests were OK, but just now dnsleaktest showed DNS B again :(

23
20.7 Legacy Series / Re: Running as a test system in VM, can't access hosts on LAN?
« on: December 30, 2020, 08:27:51 am »
Pfuhhh... beats me then, unfortunately.
I'm running OPNsense in a VM too and everything works out fine. At the beginning I had DHCP enabled on the LAN side as well. Now I'm running static IPs.

24
20.7 Legacy Series / Re: Running as a test system in VM, can't access hosts on LAN?
« on: December 29, 2020, 04:54:35 pm »
Hi,

Just to be on the safe side here, as you haven't mentioned your VM configuration:
Did you set the virtual network card of your VM to bridged mode?

Soko

25
20.7 Legacy Series / Exclusive DNS server for each WAN possible?
« on: December 29, 2020, 03:56:00 pm »
Hi guys,

In short: Can I define a single DNS server for each gateway/WAN which gets exclusively/solely used when the gateway/WAN is the active one in a failover gateway group?

In long:
I'm running a multi WAN setup successfully at the moment. The gateway group uses gateway/WAN=AT111 when available and gateway/WAN=BACKUP when AT111 fails.

This failover works as it should.

In System->Settings->General->DNS-Server I've entered 2 DNS servers. One for each gateway.

www.dnsleaktest.com revealed to me that both DNS servers are used by Unbound DNS (forwarding mode is enabled).

After reading the help to each setting carefully I'm kinda shocked that this is how it should be?!?

At General->DNS-Server the column header for the gateway says "Use gateway". Which may mean something like "Packets to this DNS server are sent using this gateway".
But not, as I thought, "When this gateway is active, use solely this DNS server".

Also at Unbound-DNS->General it reads: "If forwarding is enabled, Unbound will use the DNS servers entered in System: General setup".
So this also doesn't say something like "I will use only the entry from there that fits the current gateway".

thanks
Soko

PS: The DNS server for AT111 is only reachable through AT111. That's why I need this feature.

26
Zenarmor (Sensei) / Re: Different route for streaming/Netflix
« on: December 27, 2020, 09:06:47 am »
Hi mb,

I was worried that this would be the answer :(
So it is theoretically possible... which is something, I guess...

Thanks
Soko

27
20.7 Legacy Series / Re: Different route for streaming (Netflix) possible?
« on: December 27, 2020, 09:04:54 am »
Quote from: Gauss23 on December 26, 2020, 06:31:51 pm
Main problem is to find all Netflix network addresses and to keep that alias up-to-date.

This is why I hoped there is another solution than that :(
Like an application-based rule. Apparently it's possible, as Sensei can block Netflix traffic. So it should be possible not just to block but also to route in a different way... or am I missing something here?

thanks
Soko

28
20.7 Legacy Series / Different route for streaming (Netflix) possible?
« on: December 26, 2020, 05:42:11 pm »
Hi guys,

I know it's possible to set up different rules (based on alias/host/IPs) to route a device through a different WAN than the rest of the network.

What I'd like to do, though, is to route Netflix traffic to a different WAN. Is this possible?
So I would like to browse on a computer through WAN1, and just the Netflix app on it should use WAN2.

Thanks
Soko

PS: I've posted basically the same in the Sensei forum (https://forum.opnsense.org/index.php?topic=20628.0) as I thought this is the way to go... but I can't find out how. So maybe there is a way without Sensei.

29
Zenarmor (Sensei) / Different route for streaming/Netflix
« on: December 26, 2020, 05:37:16 pm »
Hi guys,

I've just installed Sensei on my OPNsense and understand how I can block different apps like Netflix etc...

What I'd like to do, though, is to route just the Netflix traffic through my WAN2, while all other traffic goes through WAN1. I cannot do it IP/host based, as the same host should use WAN1 for standard traffic and WAN2 just for Netflix.

Is this even possible?

Thanks
Soko

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved