Messages - nerd

#16
For every VLAN, including WAN, my FW has automatically created the following rule (hidden under the "Automatically generated rules" pulldown menu).


Protocol  Source  Port  Destination  Port  Gateway  #  Schedule  Description
IPv4+6*   *       *     *            *     *        *  *         let out anything from firewall host itself


I would understand if the source would be VLAN_address, but not an allow any to any.
Since it is autogenerated, I cannot simply delete or adapt this rule either.

Hopefully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?
#17
Check https://homenetworkguy.com/how-to/configure-wireguard-opnsense/ for a (working) way to set this up without interface IP addresses. (The IP address is taken directly from the wireguard portion of the setup)

If going from the os-wireguard-go to the os-wireguard plugin (like me), the config of the first is still there after uninstalling the first and installing the latter.
#18
22.7 Legacy Series / Re: Rename interface
December 08, 2022, 07:46:18 PM
I do, hence I want them to match. I actually only noticed from the default lockout rules where they shouldn't have been.

'Swapping cables' or simply re-assigning interfaces will mess up my rules etc no doubt.
Guess I'll be trying my backup restore idea or will be doing the config from scratch to get this fixed.
#19
22.7 Legacy Series / Rename interface
December 08, 2022, 04:50:18 AM
So I understand we can name interfaces and the likes, but for reasons unknown I have the following interfaces:

My_actual_LAN (opt2, vtnet3)
NOT_my_actual_LAN (lan, vtnet1)

So yes, I have already changed the 'lan' into something to my liking (i.e. NOT_my_actual_LAN) but I'd like these to match regardless.

So far, my idea is to go into a backup and change any 'opt2' into 'lan' and vice versa and then restoring that new config.
So first question: will this do what I think it does and not mess anything up if I do it correctly?
And secondly, is there an easier fix to make the system understand that vtnet3 is the actual LAN interface instead of vtnet1? Because the backup looks pretty daunting.  ;D

Line  272:       <interfaces>opt2,lan</interfaces>
Line  412:     <opt2>
Line  422:     </opt2>
Line  484:     <opt2>
Line  517:     </opt2>
Line  585:           <network>opt2</network>
Line 1243:         <network>opt2</network>
Line 1669:       <interface>opt2</interface>
Line 1677:         <network>opt2</network>
Line 1696:       <interface>opt2</interface>
Line 1704:         <network>opt2</network>
Line 1723:       <interface>opt2</interface>
Line 1730:         <network>opt2</network>
Line 1748:       <interface>opt2</interface>
Line 1755:         <network>opt2</network>
Line 1774:       <interface>opt2</interface>
Line 1781:         <network>opt2</network>
Line 1800:       <interface>opt2</interface>
Line 1808:         <network>opt2</network>
Line 1827:       <interface>opt2</interface>
Line 1835:         <network>opt2</network>
Line 1854:       <interface>opt2</interface>
Line 1862:         <network>opt2</network>
Line 1881:       <interface>opt2</interface>
Line 1889:         <network>opt2</network>
Line 1908:       <interface>opt2</interface>
Line 1916:         <network>opt2</network>
Line 1935:       <interface>opt2</interface>
Line 1944:         <network>opt2</network>
Line 1963:       <interface>opt2</interface>
Line 1969:         <network>opt2</network>
Line 1988:       <interface>opt2</interface>
Line 1995:         <network>opt2</network>
Line 2014:       <interface>opt2</interface>
Line 2040:       <interface>opt2</interface>
Line 2066:       <interface>opt2</interface>
Line 2092:       <interface>opt2</interface>
Line 2119:       <interface>opt2</interface>
Line 2125:         <network>opt2</network>
Line 2618:     <interface>opt3,opt2,opt1,lan</interface>
Line 2626:     <interfaceslistfilter>opt3,opt2,opt1,lan,wan</interfaceslistfilter>
Line 2628:     <traffic_graphs_interfaces>opt2,opt1,lan,wan</traffic_graphs_interfaces>
Line 3587:     <opt2>
Line 3612:     </opt2>
Line 3707:         <iface_array>opt2</iface_array>
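A way to do the opt2/lan swap the post above proposes on a config backup, as an added example that is not from the thread or from OPNsense itself: a single-pass, whole-token substitution, so that the swap cannot undo itself and unrelated tokens such as `vlan` or `opt20` are left alone. It assumes every relevant occurrence is a whole token (element name, element text or member of a comma-separated list), which the grep output above suggests; the sample XML is constructed, not a real backup.

```python
import re

# Interface keys to swap, as proposed in the post: 'opt2' <-> 'lan'.
SWAP = {"opt2": "lan", "lan": "opt2"}

# Match the keys only as whole tokens: element names (<opt2>, </lan>),
# element text (<network>opt2</network>) and members of comma-separated
# lists (<interfaces>opt2,lan</interfaces>). The boundaries exclude
# letters, digits and '_' so 'vlan', 'vlans' or 'opt20' are never touched.
_TOKEN = re.compile(r"(?<![A-Za-z0-9_])(opt2|lan)(?![A-Za-z0-9_])")


def swap_interface_keys(config_xml: str) -> str:
    """Return the config with every opt2/lan key swapped in one pass."""
    # One pass with a callback avoids the classic double-replace bug:
    # opt2->lan followed by lan->opt2 would map everything to opt2.
    return _TOKEN.sub(lambda m: SWAP[m.group(1)], config_xml)


def count_keys(config_xml: str) -> dict:
    """Count whole-token occurrences of each key, for a before/after check."""
    counts = {"opt2": 0, "lan": 0}
    for m in _TOKEN.finditer(config_xml):
        counts[m.group(1)] += 1
    return counts


# Constructed sample modelled on the lines grepped in the post (not a real backup).
SAMPLE = """<opnsense>
  <vlans><vlan><if>vtnet1</if><tag>20</tag></vlan></vlans>
  <interfaces>
    <lan><if>vtnet1</if><descr>NOT_my_actual_LAN</descr></lan>
    <opt2><if>vtnet3</if><descr>My_actual_LAN</descr></opt2>
  </interfaces>
  <rule><interface>opt2</interface><source><network>opt2</network></source></rule>
  <widgets><interface>opt3,opt2,opt1,lan</interface></widgets>
</opnsense>
"""

if __name__ == "__main__":
    swapped = swap_interface_keys(SAMPLE)
    print(swapped)
    print("before:", count_keys(SAMPLE), "after:", count_keys(swapped))
```

Because the mapping is symmetric the function is its own inverse: running it twice must return the original text, which is a cheap sanity check to run on a backup before restoring it.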
#20
Virtual private networks / Re: OpenVPN oddities?
November 07, 2022, 11:15:36 PM
Thank you for the reply and clarification why nobody responded :)

All I did was configure the CA certificate of the VPN provider (protonVPN) and then configured an OpenVPN client as explained at https://protonvpn.com/support/pfsense-2-5-x-vpn-setup/ up to step 4. Seemed to be pretty standard stuff.

In short:
step 1: add ProtonVPN rootCA
step 2: configure OpenVPN client
step 3: assigned ovpnc1 network port to interface ProtonVPN (opt5)
step 4: noticed that I had 2 FW rule interfaces and that my clients' internet traffic was cut off.

and here we are .. hoping this bit of info can help explain my VPN oddities?
#21
Virtual private networks / Re: OpenVPN oddities?
November 07, 2022, 03:35:58 PM
Nobody to comment if I am being an idiot or if this is expected behavior, where it is coming from?
#22
Virtual private networks / OpenVPN oddities?
November 05, 2022, 05:10:17 PM
I am halfway through setting up a ProtonVPN connection (using OpenVPN) to route a specific VLAN through this VPN.

So far I have configured the ProtonVPN/OpenVPN and am able to connect.
What I don't understand is:

1) if this VPN is connected, my other traffic fails/gets interrupted before I even configured any rules to use this VPN. To post this message I had to disconnect the VPN.
Looking at gateways, 2 OpenVPN gateways (IPv4 and IPv6) have been created automatically, but both have preference 255 while my normal WAN has 254, which should have preference, right?

2) With this VPN active I get 2 Firewall: Rules: OpenVPN options. Adding rules to one does not influence the other, so they are not the same. It seems the system has automatically created one of these 'interfaces'? Giving my interface another description changes one of these.
Even after disabling my OpenVPN interface 1 Firewall: Rules: OpenVPN remains.
Where is the other -default one(?)- coming from?  I only have a single OpenVPN interface (opt5, ovpnc1).
#23
anyone?
#24
Since Jan 28th the Intrusion Detection service of my opnsense install has been 'crashing'.
I can find the error below being repeated since. No idea what I did on Jan 28th or if I did anything to cause this.

2022-03-03T12:22:19 Error suricata [101865] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:vtnet4/R failed: Invalid argument
2022-03-03T12:21:09 Notice suricata [100250] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode


vtnet4 is one of my interfaces, but how do I go about figuring out what is going wrong here?
I can start the service, but a minute later it stops again.
#25
21.7 Legacy Series / Re: RA interfaces using wrong names?
November 11, 2021, 02:16:59 PM
Quote from: pmhausen on November 10, 2021, 02:00:44 PM
Probably an oversight as you guessed, because

I'd consider that a bug. Why don't you file a bug report with screenshots to make the point clear?
Here: https://github.com/opnsense/core/issues

I did just do that. Thank you for the confirmation :)
https://github.com/opnsense/core/issues/5354
#26
21.7 Legacy Series / Re: RA interfaces using wrong names?
November 10, 2021, 01:55:33 PM
You've missed my point I think.
Everything works.

But per default the system names its interfaces WAN, LAN, OPT1, OPT2 etc. They get mapped to whatever your host has for names. Nothing wrong here.
But, you can also change the names of your interfaces so that e.g. OPT1 gets replaced with whatever you named it. This new name (for what opnsense thought of as OPT1) is now reflected throughout the system, except when configuring RA interfaces. There the old WAN, LAN, OPT1, OPT2 is mentioned again instead of whatever I named the interfaces.

So when you try to configure RA for This-is-my-LAN (my name), the RA interface setting within mentions (e.g.) OPT1 instead.

It seems that somebody simply forgot this setting mentions an interface name and hence no config to replace the default name with the users custom name is done.
#27
21.7 Legacy Series / RA interfaces using wrong names?
November 10, 2021, 12:38:55 PM
I have renamed all my interfaces and this shows up pretty much everywhere now.
In fact, what the system thinks is LAN is now my WAN.

Works great until I tried setting RA for my interfaces. There the RA interface suddenly used the default WAN, LAN, OPT1 OPT2 etc. naming.
Now the RA interface for my DMZ shows as LAN. My actual LAN shows OPT1 as RA interface.

Is there any reason for using the original interface names here instead of whatever I named them?
#28
21.7 Legacy Series / Re: IPv6
November 04, 2021, 01:18:33 PM
Ouch, I did not realize I needed to go CLI for this.
Thank you for your example and the hint towards man dhcp6c.conf. I did not know of that.
#29
21.7 Legacy Series / IPv6
November 03, 2021, 09:11:56 PM
The following DHCPv6 solicit from my old fritzbox router gives me what I want when connecting with the fritzbox: my ISP returning my fixed IPv6 prefix which I can then use.

DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x1566a5
    Elapsed time
    Client Identifier
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 117794bc
        T1: 0
        T2: 0
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 0
            Valid lifetime: 0
            Prefix length: 0
            Prefix address: ::
    Reconfigure Accept
        Option: Reconfigure Accept (20)
        Length: 0
    Option Request
        Option: Option Request (6)
        Length: 18
        Requested Option code: DNS recursive name server (23)
        Requested Option code: NTP Server (56)
        Requested Option code: Simple Network Time Protocol Server (31)
        Requested Option code: Identity Association for Prefix Delegation (25)
        Requested Option code: Prefix Exclude (67)
        Requested Option code: Vendor-specific Information (17)
        Requested Option code: SOL_MAX_RT (82)
        Requested Option code: INF_MAX_RT (83)
        Requested Option code: PCP Server (86)
    Vendor Class


Now I am trying to do the same with OPNsense but failing horribly.
Can anyone point me to the correct syntax to request those options?
#30
21.7 Legacy Series / WAN iface ignores DHCP OFFERs?!
November 03, 2021, 07:20:34 PM
Euhm..

Was trying to get IPv6 working on my new OPNsense install.
Moved the server running OPNsense to my lab, reconnected it and now OPNsense seems to ignore any and all DHCP (IPv4) OFFERs coming in from the ISP. OFFERS seem to get lost somewhere between host and client.
Switch port-mirror sees the OFFERs but a packet capture from OPNsense WAN interface doesn't. Mmm.

Running this on Proxmox host. I don't need any special config for the interfaces right?
Any ideas on how to troubleshoot this further?

sigh.. why does the solution always appear shortly after I've made an idiot of myself on a public forum?
I just wasted several hours because
solution: I had  a 802.1Q tagged public vlan on the Proxmox host but an untagged/native vlan on the switch. :-[