
Topics - n1nja

#1
I can't figure out what the issue is here. I read on a reddit post that I needed to use os-wireguard-go instead and I tried that and it still doesn't work.  Is this a wireguard problem or a zenarmor problem?  My wireguard client is set up to use the IP on my LAN interface for DNS, which is what my computer is set up to use, and my computer is filtered with zenarmor just fine, but my phone using wireguard is not.
#2
I have this issue where every so often (a bit on the spontaneous side, unfortunately) I lose internet.  I can't ping my IPv4 LAN facing gateway.  I can't ping my management port (which I created for troubleshooting this problem).  Looking at /var/log/system.log, I see this:

Nov 26 13:08:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:08:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:08:27 OPNsense dhclient[52573]: Creating resolv.conf
Nov 26 13:08:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:13:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:13:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:13:27 OPNsense dhclient[88047]: Creating resolv.conf
Nov 26 13:13:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:16:00 OPNsense root[28797]: reload filter for configured schedules
Nov 26 13:18:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:18:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:18:27 OPNsense dhclient[87230]: Creating resolv.conf
Nov 26 13:18:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:23:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:23:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:23:27 OPNsense dhclient[74715]: Creating resolv.conf
Nov 26 13:23:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:28:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:28:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:28:27 OPNsense dhclient[65189]: Creating resolv.conf
Nov 26 13:28:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:31:00 OPNsense root[30800]: reload filter for configured schedules
Nov 26 13:33:27 OPNsense dhclient[46336]: DHCPREQUEST on em0 to 208.110.116.101 port 67
Nov 26 13:33:27 OPNsense dhclient[46336]: DHCPACK from 208.110.116.101
Nov 26 13:33:27 OPNsense dhclient[84129]: Creating resolv.conf
Nov 26 13:33:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:33:32 OPNsense kernel: em1: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em1_vlan35: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em1_vlan10: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em1_vlan30: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em2: link state changed to DOWN
Nov 26 13:33:32 OPNsense opnsense[93736]: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Nov 26 13:33:33 OPNsense opnsense[63600]: /usr/local/etc/rc.linkup: Hotplug event detected for Ooma(opt2) but ignoring since interface is configured with static IP (10.35.0.254 ::)
Nov 26 13:33:33 OPNsense opnsense[75016]: /usr/local/etc/rc.linkup: Hotplug event detected for WirelessGuest(opt3) but ignoring since interface is configured with static IP (10.10.0.254 ::)
Nov 26 13:33:34 OPNsense opnsense[80883]: /usr/local/etc/rc.linkup: Hotplug event detected for WirelessTrust(opt1) but ignoring since interface is configured with static IP (10.30.0.254 ::)
Nov 26 13:33:34 OPNsense opnsense[91909]: /usr/local/etc/rc.linkup: Hotplug event detected for MGMT(opt6) but ignoring since interface is configured with static IP (10.255.255.254 ::)
Nov 26 13:36:03 OPNsense kernel: em1: link state changed to UP
Nov 26 13:36:03 OPNsense kernel: em1_vlan35: link state changed to UP
Nov 26 13:36:03 OPNsense kernel: em1_vlan10: link state changed to UP
Nov 26 13:36:03 OPNsense kernel: em1_vlan30: link state changed to UP
Nov 26 13:36:03 OPNsense opnsense[52126]: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Nov 26 13:36:03 OPNsense opnsense[52126]: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Nov 26 13:36:03 OPNsense opnsense[52126]: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'lan'
Nov 26 13:36:03 OPNsense kernel: em2: link state changed to UP
Nov 26 13:36:03 OPNsense opnsense[52126]: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Nov 26 13:36:03 OPNsense opnsense[52126]: /usr/local/etc/rc.linkup: ROUTING: skipping IPv4 default route
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure ipsec (,lan)
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure ipsec (execute task : ipsec_configure_do(,lan))
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure dhcp ()
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure dns ()
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure dns (execute task : dnsmasq_configure_do())
Nov 26 13:36:03 OPNsense opnsense[52126]: plugins_configure dns (execute task : unbound_configure_do())
Nov 26 13:36:06 OPNsense opnsense[191]: /usr/local/etc/rc.linkup: Hotplug event detected for Ooma(opt2) but ignoring since interface is configured with static IP (10.35.0.254 ::)
Nov 26 13:36:06 OPNsense opnsense[6297]: /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'em1_vlan35'


I found another forum post that says marking their interface as the gateway solved their problem, but mine's already set this way.

For now I've disabled gateway monitoring to see if it makes any difference, but I'm not sure why I'd lose my LAN facing stuff in this case.
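One check worth running on a log like the one above, as an added example that is not part of the original post: pull out only the kernel link-state lines, pair each DOWN with the following UP per interface, and measure the gap. SAMPLE_LOG is a subset of the lines quoted in the post; syslog lines carry no year, so 2021 is assumed when parsing.

```python
"""Pair link-state DOWN/UP kernel messages into per-interface outage windows.

Added example, not from the original post. It reads the FreeBSD kernel
"link state changed to DOWN/UP" lines from /var/log/system.log, pairs each
DOWN with the next UP on the same interface and reports how long the link
was gone. SAMPLE_LOG below is a subset of the lines in the post; syslog
lines carry no year, so one is assumed when parsing.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Nov 26 13:33:27 OPNsense dhclient[46336]: bound to 208.110.116.102 -- renewal in 300 seconds.
Nov 26 13:33:32 OPNsense kernel: em1: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em1_vlan35: link state changed to DOWN
Nov 26 13:33:32 OPNsense kernel: em2: link state changed to DOWN
Nov 26 13:33:32 OPNsense opnsense[93736]: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Nov 26 13:36:03 OPNsense kernel: em1: link state changed to UP
Nov 26 13:36:03 OPNsense kernel: em1_vlan35: link state changed to UP
Nov 26 13:36:03 OPNsense kernel: em2: link state changed to UP
"""

# Matches only kernel link-state lines; dhclient and rc.linkup lines are skipped.
LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<iface>[\w.]+): link state changed to (?P<state>UP|DOWN)$"
)


def parse_link_events(text, year=2021):
    """Return [(timestamp, interface, 'UP'|'DOWN')] in log order. `year` is assumed."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["state"]))
    return events


def outage_windows(events):
    """Pair each DOWN with the next UP on the same interface.

    Returns [(interface, down_at, up_at, seconds)]; an interface that never
    came back has up_at and seconds set to None.
    """
    down_at = {}
    windows = []
    for ts, iface, state in events:
        if state == "DOWN":
            down_at.setdefault(iface, ts)  # keep the first DOWN if several are logged
        elif iface in down_at:
            start = down_at.pop(iface)
            windows.append((iface, start, ts, int((ts - start).total_seconds())))
    for iface, start in down_at.items():
        windows.append((iface, start, None, None))
    return windows


def parent_ports(windows):
    """Physical NICs that flapped. FreeBSD vlan(4) interfaces inherit link state
    from their parent, so em1_vlan35 going down is a consequence of em1 going
    down rather than a separate event."""
    return sorted({w[0] for w in windows if "_vlan" not in w[0]})


if __name__ == "__main__":
    windows = outage_windows(parse_link_events(SAMPLE_LOG))
    for iface, start, end, secs in windows:
        if end:
            print(f"{iface}: down {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs}s)")
        else:
            print(f"{iface}: still down since {start:%H:%M:%S}")
    print("physical ports affected:", parent_ports(windows))
```

On the quoted log this gives a 151-second outage on em1 and em2 at the same second, with the VLAN children following em1. Two physical ports losing link simultaneously while the WAN port (em0) keeps renewing its lease normally points at the link partner or the cabling/NIC side of those ports rather than at a firewall service; gateway monitoring would not produce kernel link-state changes.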

#3
I don't have this problem on other browsers, I'm using firefox.  For some reason Firefox is getting the certificate of my opnsense firewall instead of Nextcloud.  If I use another browser it works fine and shows the correct cert.  My only thought on this is how my DNS server resides on opnsense so somehow that is causing this issue.  There's no technical reason I can think of why it would happen otherwise.  Nextcloud and my PC are on the same L2 network.

It's important to note if I hit the server with its IP address, I get the correct certificate (but nextcloud barks because the URL is not the FQDN, which is expected).  I am mystified as to why I get an opnsense cert instead of my letsencrypt cert.  It happens with sensei/zenarmor on or off.
#4
Virtual private networks / PPTP/L2TP Internet
October 29, 2021, 07:07:58 AM
Hi All,

My ISP is one of the smaller ones that uses PPTP/L2TP to run over other companies' wires to give me internet.  Currently they gave me a mikrotik in which I connect OPNsense to (protectli appliance) and the mikrotik and protectli each get an IP out of a public /30.

I can see on the mikrotik the "connect to" IP address, where my credentials go as well.  I don't see source IP address configuration so it's kind of like black magic to me.

I'm confused on the roles involved with my actual physical WAN interface (em0) and the "Point-to-Point" section.  They sort of seem to overlap and I'm not sure what goes where.  Right now the mikrotik has a static for the other IP in my /30 and dishes out DHCP for the remaining IP to my firewall.

Should my WAN interface be changed from DHCP to PPTP (or L2TP, as I think my provider accepts both... but one step at a time here)?  If I do this it is asking for a local and remote address below.  I don't know what these are.  I've just been given a gateway IP which is RFC1918 (172.16.X.X) and my public IPs.  I would assume the remote box would contain the "Connect To" IP address I see in the PPTP config on the mikrotik.  But not a clue what the local address or mask would be.

I'm sorry if this is confusing but I really don't understand how this is supposed to work at all.
#5
General Discussion / Internet randomly dies
August 31, 2021, 05:07:17 PM
Hi,

Twice now since I installed opnsense on a protectli I've had it kill internet on me.  I can't even ping the firewall inside IP.  What I do to fix it is push the power button until it shuts down, then turn it on again and all is well.

I have a suspicion that it's sensei causing the problem but I can't be certain without examining logs.  The reason I suspect it is because once I initiate the shutdown sequence internet comes back fairly quickly until the box shuts down, so it seems as if a service is shut down at the point it comes back.

Short of being prepared at that moment to console into the firewall I'm not sure what I can do to check what occurred around that time.

OPNsense 21.7.1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021
#6
General Discussion / Firewall has no implicit deny all
August 24, 2021, 05:38:48 PM
I have multiple VLANs on my network and for the life of me I cannot figure out why the implicit deny all doesn't seem to work.  Take for instance, I have my wired VLAN and my WiFi VLAN:
LAN:
10.0.0.0/24
WiFi:
10.30.0.0/24

When I ping from my WiFi net to my LAN net, it should be dropped.

But instead, I'm seeing it permitted and matching this floating rule that was automatically created with the description:
"let out anything from firewall host itself"

There's even a "default deny any" rule above that one.  So I'm not sure where these rules are coming from and it isn't secure.

Where are these coming from and how do I secure it?
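A check I'd want before concluding the implicit deny is broken, as an added example that is not part of the original post: take the filterlog records for the WiFi-to-LAN ping and separate the inbound decision on the WiFi interface from the outbound hit on LAN. A packet logged as passing out on LAN has already been admitted by some pass rule on the interface it arrived on (OPNsense creates an allow-any rule only for LAN by default; other interfaces start with none, so any pass rule on the WiFi VLAN was added); an out-direction match on the floating rule cannot by itself let through a packet that was blocked on entry. The field layout is assumed from the OPNsense/pfSense filterlog CSV format, and the sample lines and rule-id-to-label table are constructed.

```python
"""Group OPNsense filterlog records per flow and pick out the inbound decision.

Added example, not from the original post. The field layout is assumed from
the OPNsense/pfSense filterlog CSV format: rule number, sub-rule number,
anchor, rule id, interface, reason, action, direction, IP version, then for
IPv4 tos, ecn, ttl, id, offset, flags, protocol number, protocol name,
length, source, destination and protocol-specific fields. The sample lines
and the rule-id-to-label table are constructed; real rule ids are resolved
to their labels in the GUI log view.
"""
import re

# Constructed sample: a ping from the WiFi VLAN (em1_vlan30) to the wired LAN
# (em1), logged once as it enters and once as it leaves, plus a blocked SSH
# attempt from another WiFi host.
SAMPLE_LINES = [
    "Aug 24 17:30:01 OPNsense filterlog[30115]: 79,,,a1b2c3d4e5f60718293a4b5c6d7e8f90,em1_vlan30,match,pass,in,4,0x0,,64,4711,0,DF,1,icmp,84,10.30.0.25,10.0.0.10,request,21546,1",
    "Aug 24 17:30:01 OPNsense filterlog[30115]: 7,,,0f1e2d3c4b5a69788796a5b4c3d2e1f0,em1,match,pass,out,4,0x0,,63,4711,0,DF,1,icmp,84,10.30.0.25,10.0.0.10,request,21546,1",
    "Aug 24 17:30:05 OPNsense filterlog[30115]: 5,,,11111111222222223333333344444444,em1_vlan30,match,block,in,4,0x0,,64,9920,0,DF,6,tcp,60,10.30.0.40,10.0.0.10,51234,22,0,S,1849292671,,65535,,mss;nop;wscale;sackOK;TS",
]

# Constructed rule ids -> labels. Only the second label is quoted in the post.
RULE_LABELS = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f90": "allow WiFi to any (constructed)",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": "let out anything from firewall host itself",
    "11111111222222223333333344444444": "deny WiFi to LAN (constructed)",
}

PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)


def parse_record(line):
    """Parse one IPv4 filterlog line into a dict; returns None for anything else."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    f = m["csv"].split(",")
    if len(f) < 20 or f[8] != "4":  # only IPv4 records are handled here
        return None
    return {
        "ts": m["ts"], "rulenr": f[0], "rid": f[3], "iface": f[4],
        "action": f[6], "direction": f[7], "proto": f[16],
        "src": f[18], "dst": f[19],
        "label": RULE_LABELS.get(f[3], f"unknown rule id {f[3]}"),
    }


def flow_decisions(lines, src, dst):
    """All logged decisions for src -> dst, in log order, as (iface, direction, action, label)."""
    out = []
    for line in lines:
        r = parse_record(line)
        if r and r["src"] == src and r["dst"] == dst:
            out.append((r["iface"], r["direction"], r["action"], r["label"]))
    return out


def ingress_decision(decisions):
    """The first 'in' record is where the packet was admitted or blocked on the
    interface it arrived on. An 'out' record only shows the packet leaving and
    cannot admit traffic that was blocked on entry. None means only outbound
    hits were logged, i.e. the inbound rule that passed it has logging off."""
    for d in decisions:
        if d[1] == "in":
            return d
    return None


if __name__ == "__main__":
    for src in ("10.30.0.25", "10.30.0.40"):
        decisions = flow_decisions(SAMPLE_LINES, src, "10.0.0.10")
        print(src, "->", "10.0.0.10")
        for d in decisions:
            print("   ", d)
        print("    admitted/blocked by:", ingress_decision(decisions))
```

If a real log shows only the outbound floating hit for the WiFi-to-LAN ping, the rule to look for is the pass rule on the WiFi interface that is not logging; enabling logging on it (or on the interface's rules generally) makes the admit decision visible. Traffic is only implicitly denied on an interface that has no pass rule matching it.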
#7
Hey all,

I'm new to both opnsense and sensei.  I was previously using pfsense and suricata.  I just bought a protectli vault (4GB RAM, i3) and installed sensei.  Once I turn it on it runs fine for a short while.  CPU usage is low, everything looks good.  Eventually, like in about 5-10 minutes, my interface completely dies for no apparent reason.  If I'm consoled onto the protectli I can ping out my WAN int without issue, I can ping the LAN facing IP (the one assigned to the box) without issue, but I cannot ping anything on my LAN.  If I reboot (I turned service start to manual) then everything is fine for hours.  Turn on sensei and shortly after same issue.

I'm not sure how further to debug this on my own.

Sensei version:

Engine Information
Engine Version:    1.9.2    Last Update: 07/07/2021 10:46
App & Rules DB Version:    1.9.21070514    Last Update: 07/07/2021 10:46

Opnsense version:
OPNsense 21.1.8_1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Hardware:
Protectli Vault 6 Port, Firewall Micro Appliance/Mini PC - Intel Dual Core i3-7100U, AES-NI, 4GB RAM, 32GB mSATA SSD