OPNsense Forum
Messages - Demusman

Pages: 1 ... 4 5 [6] 7 8 ... 21
76
Virtual private networks / Re: Wireguard setup
« on: February 04, 2023, 08:09:35 pm »
Quote from: Greelan on February 04, 2023, 07:34:02 pm
Quote from: Demusman on February 04, 2023, 06:12:18 pm
In opnsense, on the peers tab, add the LAN subnets to allowed.

This is completely wrong. It will break routing within the LAN network, as OPNsense will route all packets destined for the LAN networks down the tunnel instead.

I suggest you research what “Allowed IPs” means in WireGuard.

Not wrong. You have to tell it what networks are allowed to traverse the tunnel.
Works very well on multiple tunnels here.

77
General Discussion / Re: DHCP not working for new VLAN
« on: February 04, 2023, 06:58:48 pm »
So show 17 and 18 then.
You would need to tag the new vlan on the lagg.

Just to add, I have a couple sg-350's. They come with all ports set to trunk. You really should set access ports to access and leave the trunks as trunk. Would make life easier when troubleshooting. Obviously it'll work as is but it should be corrected.

78
Virtual private networks / Re: Wireguard setup
« on: February 04, 2023, 06:12:18 pm »
You want the "Interface Address" to be the actual tunnel subnet. You want the allowed IP to be the /32 for each client.

Just noticed you don't have the allowed IP's set correctly.
You're missing the LAN IP's on the client, and missing the tunnel IP's on the peers.
Wireguard terminology is so weird...
In opnsense, on the peers tab, add the LAN subnets to allowed.
In the client, on the peers tab, add the tunnel host address as a /32. So 10.10.42.1/32 (BTW, you could've kept it at .254, wouldn't make a difference)

79
General Discussion / Re: DHCP not working for new VLAN
« on: February 04, 2023, 05:24:21 pm »
Which one goes to the router?
You only show 7 - 16.

80
Virtual private networks / Re: Wireguard setup
« on: February 04, 2023, 05:16:31 pm »
Quote from: abundantmuscle on February 04, 2023, 04:13:30 am
In the Status tab I can see:

interface: wg1
  public key: [REMOVED]
  private key: (hidden)
  listening port: 51820

peer: [REMOVED]
  endpoint: X.X.X.X:58853
  allowed ips: 10.10.42.1/32
  transfer: 21.68 KiB received, 15.50 KiB sent
  persistent keepalive: every 30 seconds

peer: [REMOVED]
  endpoint: 46.4.23.90:39594
  allowed ips: 10.10.42.2/32
  transfer: 21.68 KiB received, 15.21 KiB sent
  persistent keepalive: every 30 seconds

Why are you using random ports for the peers? Just stick with the same as the tunnel.


Quote
Peer1:
[Interface]
PrivateKey = [REMOVED]
Address = 10.10.42.1/32

[Peer]
PublicKey = [REMOVED]
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24
Endpoint = [REMOVED]:51820
PersistentKeepalive = 30

Peer2:
[Interface]
PrivateKey = [REMOVED]
Address = 10.10.42.2/32

[Peer]
PublicKey = [REMOVED]
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24
Endpoint = [REMOVED]:51820
PersistentKeepalive = 30

Change the interface address on both peers to the actual subnet, i.e. /24.
A /32 will not let you browse anything.
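The three replies above (posts 76, 78 and 80) all turn on what WireGuard's "AllowedIPs" and the interface "Address" actually do. The Python model below is an added example, not code from the thread, from OPNsense or from the WireGuard project; the two configs embedded in it are constructed from the shapes posted above, with placeholder keys and a placeholder endpoint. Given any candidate set of AllowedIPs it answers three questions: which peer, if any, WireGuard would encrypt a packet to a given destination for (longest prefix wins, no match means the packet is dropped), whether a decrypted packet with a given source address would be accepted from a given peer, and whether a destination falls inside the interface's own Address prefix.

```python
"""Model of WireGuard's cryptokey routing (constructed example, not
OPNsense or WireGuard project code).  A peer's AllowedIPs does two jobs:

  outbound - a packet handed to the wg interface is encrypted for the peer
             whose AllowedIPs contains the destination (longest prefix
             wins); with no matching peer the packet is dropped;
  inbound  - a decrypted packet from a peer is kept only if its source
             address lies inside that peer's AllowedIPs.

Keys and endpoints below are placeholders, not real key material."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    public_key: str = ""
    allowed_ips: list = field(default_factory=list)   # ip_network objects


@dataclass
class WgConfig:
    address: Optional[object] = None                 # ip_interface object
    peers: list = field(default_factory=list)


def parse_wg_conf(text: str) -> WgConfig:
    """Parse the [Interface]/[Peer] INI-style format used by wg-quick."""
    cfg = WgConfig()
    section, peer = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peer = Peer()
                cfg.peers.append(peer)
            continue
        key, _, value = line.partition("=")          # first '=' only: keys end in '='
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            cfg.address = ipaddress.ip_interface(value.split(",")[0].strip())
        elif section == "peer" and key == "publickey":
            peer.public_key = value
        elif section == "peer" and key == "allowedips":
            peer.allowed_ips = [ipaddress.ip_network(p.strip(), strict=False)
                                for p in value.split(",")]
    return cfg


def peer_for_destination(cfg: WgConfig, dst: str) -> Optional[Peer]:
    """Outbound side: the peer whose AllowedIPs most specifically covers dst."""
    target = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in cfg.peers:
        for net in peer.allowed_ips:
            if target in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best                                      # None: WireGuard drops it


def accepts_inbound(peer: Peer, src: str) -> bool:
    """Inbound side: is a decrypted packet from this peer with source src kept?"""
    return any(ipaddress.ip_address(src) in net for net in peer.allowed_ips)


def on_interface_subnet(cfg: WgConfig, dst: str) -> bool:
    """Does dst fall inside the Address prefix, i.e. the subnet the host treats
    as directly connected on the wg interface?  (wg-quick also installs a
    kernel route for every AllowedIPs prefix; that path is what
    peer_for_destination models.)"""
    return ipaddress.ip_address(dst) in cfg.address.network


# Constructed configs modelled on the ones posted in the thread.
CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.42.1/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 30
"""

SERVER_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.42.254/24
ListenPort = 51820

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.42.1/32

[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.42.2/32
"""

if __name__ == "__main__":
    for label, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        cfg = parse_wg_conf(conf)
        for dst in ("192.168.1.10", "10.10.42.1", "10.10.42.2"):
            hit = peer_for_destination(cfg, dst)
            print(f"{label}: {dst:>13} -> {hit.public_key if hit else 'DROPPED'}"
                  f" (on Address subnet: {on_interface_subnet(cfg, dst)})")
```

Edit the two constructed configs to try any other AllowedIPs or Address combination; the functions return the outcome rather than only printing it, so the same model can back a quick pre-change check before touching a live tunnel.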


81
General Discussion / Re: DHCP not working for new VLAN
« on: February 04, 2023, 12:51:06 pm »
Quote from: QuarkZ26 on February 04, 2023, 05:46:04 am
I did.

If I switch to VLAN 2 Untagged on the port, it picks up the IP immediately, but if I put VLAN 3 it just times out. Also tried on my AP, which is what I was trying to originally do, configure a VLAN for IoT and after it was failing, I went and plugged a laptop directly to the port.

If other VLANs didn't work, I would point at the switch, but both my wifi guest (VLAN 1733) and VLAN 2 work without any issues, which makes me point to Opnsense

Post a pic of the firewall rules.

Just because vlan2 works doesn't mean the switch is configured correctly, but it is a 'hint' that it is. You still have to make sure vlan3 is tagged on the trunk and untagged on an access port.

82
General Discussion / Re: Port forward for a NAS with VPN
« on: February 04, 2023, 12:46:39 pm »
Quote from: stuffu on February 04, 2023, 11:33:20 am
When I read it again, I can see what you mean…

I’ll try to be more detailed.

1. Since the NAS has another external ip than the rest of the network, can I still use the same firewall rule as if it had the same external ip? Why I ask is that the router doesn’t really handle the external ip of the NAS with the current setup. It’s all handled by the nas. The NAS itself is a part of the same LAN as the rest of the devices.

2. How can you test if a port is open on a device I can’t browse with? It would be nice if you could enter the ip and the port you

Makes more sense?

No, not really.
1. How can your NAS have a different external address?? Do you have two internet connections?
But then you say the NAS is on the same LAN. Two nics in NAS, one connected to LAN and one connected to another router?

2. did you go to the website I posted?? It doesn't test the NAS, it tests the port through the firewall. You don't need to go to it from the NAS, just from a LAN port on the firewall.

83
General Discussion / Re: DHCP not working for new VLAN
« on: February 04, 2023, 03:41:21 am »
Did you add the new vlan to the trunk port?
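Posts 77, 81 and 83 all come back to the same check: the new VLAN has to be carried tagged on the trunk towards the firewall and untagged on the access port the client sits on. The Python model below is an added example, constructed for this page and not code from the thread, from any switch vendor or from OPNsense. It builds raw 802.1Q frames and a minimal switch-port model (access ports classify untagged frames into their PVID and send untagged; trunks carry member VLANs tagged and the native VLAN untagged), then walks a constructed DHCP frame from a VLAN 3 access port to a trunk once without and once with VLAN 3 in the trunk's tagged list. Port names, MACs and the lagg trunk are assumptions.

```python
"""Minimal 802.1Q switch-port model (constructed example, no vendor code).
Shows that a frame from an access port in VLAN 3 never reaches the firewall
unless the trunk towards it lists VLAN 3 as tagged, which a DHCP client on
that port sees as a timeout."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Ethernet II frame; inserts an 802.1Q tag (PCP/DEI zero) if vlan is given."""
    frame = _mac(dst) + _mac(src)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan id or None, inner ethertype, payload)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]             # remove the 4-byte 802.1Q tag


def add_tag(frame: bytes, vlan: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    pvid: int                                  # access VLAN, or trunk native VLAN
    tagged: Set[int] = field(default_factory=set)   # trunk members sent tagged

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame into (vlan, untagged frame), or drop it."""
        vlan = parse_frame(frame)[0]
        if vlan is None:
            return self.pvid, frame            # untagged: PVID / native VLAN
        if self.mode == "trunk" and vlan in self.tagged:
            return vlan, strip_tag(frame)
        return None                            # tag not accepted on this port

    def egress(self, vlan: int, frame: bytes) -> Optional[bytes]:
        """Send a frame that belongs to vlan out of this port, or drop it."""
        if vlan == self.pvid:
            return frame                       # leaves untagged
        if self.mode == "trunk" and vlan in self.tagged:
            return add_tag(frame, vlan)
        return None                            # port is not a member of vlan


def forward(ingress: Port, egress: Port, frame: bytes) -> Optional[bytes]:
    """One hop through the switch: classify on ingress, deliver on egress."""
    classified = ingress.ingress(frame)
    if classified is None:
        return None
    vlan, untagged = classified
    return egress.egress(vlan, untagged)


# Constructed scenario: laptop on an access port in VLAN 3; the lagg trunk to
# the firewall carries VLAN 2 and 1733 tagged with VLAN 1 native (assumed).
LAPTOP_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03",
                           ETHERTYPE_IPV4, b"DHCPDISCOVER (constructed payload)")
ACCESS_VLAN3 = Port("gi1/0/7", "access", pvid=3)
TRUNK_BEFORE = Port("lagg0", "trunk", pvid=1, tagged={2, 1733})
TRUNK_AFTER = Port("lagg0", "trunk", pvid=1, tagged={2, 3, 1733})


def dhcp_reaches_firewall(trunk: Port) -> Optional[int]:
    """VLAN id the firewall sees on the trunk, or None if the switch dropped it."""
    out = forward(ACCESS_VLAN3, trunk, LAPTOP_FRAME)
    return None if out is None else parse_frame(out)[0]


if __name__ == "__main__":
    print("trunk without VLAN 3:", dhcp_reaches_firewall(TRUNK_BEFORE))   # None
    print("trunk with VLAN 3:   ", dhcp_reaches_firewall(TRUNK_AFTER))    # 3
    reply = build_frame("02:00:00:00:00:03", "02:00:00:00:00:fe", ETHERTYPE_IPV4,
                        b"DHCPOFFER (constructed payload)", vlan=3)
    delivered = forward(TRUNK_AFTER, ACCESS_VLAN3, reply)
    print("reply reaches laptop untagged:", parse_frame(delivered)[0] is None)
```

The reverse direction is covered too: a tagged VLAN 3 reply from the firewall is only delivered to the access port once the trunk admits VLAN 3, and it leaves that port untagged, which is why the client needs no VLAN configuration of its own.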

84
General Discussion / Re: Port forward for a NAS with VPN
« on: February 03, 2023, 11:48:28 pm »
The majority of this post makes no sense at all but if you just want to check for an open port, go here:
https://www.grc.com/shieldsup

85
Virtual private networks / Re: Wireguard site-2-site OpnSense to PFSense
« on: February 03, 2023, 07:34:53 pm »
You'd have to provide more info.
What are the tunnel addresses?
This is a site to site but you have 2 /32 addresses allowed, what are they?

The biggest problem with Wireguard is there is no "Right way" of setting it up. Meaning there can be multiple ways to make it work and there should only be one.

Use the packet capture, are both sites reaching the WAN of the other site?
Did you set up the proper routes and gateways?

86
General Discussion / Re: Strange VLAN Behaviour
« on: February 03, 2023, 11:40:14 am »
Quote from: Spiky_Gladiator on February 03, 2023, 09:14:07 am

I did both, manual one picked a wrong IP address and the automatic didn't pick up DNS IP at all.

I think you said that backwards. Manual is a static IP. The pc will accept any address you give it.
What does "wrong IP" mean? If you plug into vlan4, it should get an IP in the vlan4 subnet. Did it not?

Quote
I understand now. However I'm still puzzled why does my PC still accepts the manual configuration I have entered and the status changes to connected when in fact it didn't connect to OPNSense at all ? Usually when you are connected to a normal router and assign a wrong IP, your connection will disconnect but not in this case for some reason.

Is this behaviour normal and how managed switches work where it will accept any IP address that I inserted in my PC settings even if it's wrong ?

Why wouldn't it accept it?? It doesn't know what network you're connecting to. You set a static IP, it can't tell you "hey, you're giving me the wrong IP for that network", YOU need to be smart enough to know that.
"Connected" doesn't mean connected to opnsense, the pc wouldn't know what type of router you're using. It means it has an active network connection.
I have never seen a pc disconnect when it has the wrong IP assigned. Again, how would it know?? You gave it the IP.

Quote
My main question is, how can I test if VLANs work in accordance with my Firewall rules ?

One way I know you can test this is by plugging into each VLAN port then pinging each VLAN Gateway from the currently connected VLAN and see if there's a response. Are there any other tests that people perform to check if VLANs work correctly ? If so, what would you recommend ?

Post pics of your switch config and firewall rules for each interface.
Sounds like the switch isn't configured correctly.

87
Virtual private networks / Re: Wireguard site-2-site OpnSense to PFSense
« on: February 02, 2023, 04:37:55 pm »
No issues here. Had 2 tunnels between the two but now only 1. And soon to be none!

88
General Discussion / Re: Strange VLAN Behaviour
« on: February 02, 2023, 03:27:59 am »
Quote from: Spiky_Gladiator on February 01, 2023, 09:16:52 pm
1) While still being connected to VLAN 4 port on the switch, I manually assign IP Address, netmask and gateway to the one of a VLAN 1. To my surprise, I successfully get assigned the available IP Address from VLAN 1 that I selected but DNS for some reason is not picked up.

You are not "getting assigned" an IP, you set the IP. DNS won't be "picked up" unless you use DHCP. Since you set a static IP, you would also need to set the DNS statically.

Quote
2) When I try to ping anything on the VLAN 1, I get a response saying "ICMP_Seq=1 Destination Host Unreachable" no matter if there is a device with that IP or not. I can't also access the logon page that's allowed on VLAN 1 which I guess is a good thing.

Yes, that should happen since you're on the vlan4 network, but you set an IP in the vlan1 network.
It's the same as you going to your neighbor's house, with a static IP from your house, and plugging into their network. You won't get anywhere.

Quote
My questions to this scenario would be:

  • Is this how VLANs work behind the scene ?

Behind the scene? No, that's how networking works period.

Quote
  • Is this what you can call a VLAN Hopping ?

Vlan hopping? No, you're on one network with an IP that isn't routable on it.

Quote
  • Is this a result of a misconfiguration on a switch ? 

Switch seems to be configured correctly.

Quote
  • Is this behaviour normal ?

Yes.

89
23.1 Legacy Series / Re: Cannot delete multiple VLANs from GUI
« on: January 31, 2023, 08:45:52 pm »
Yes, you have to do them one at a time.

90
Virtual private networks / Re: OpenVPN - site to site UP but no traffic or ping
« on: January 31, 2023, 02:13:11 am »
Post pics

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved