Messages - Cipher

#16
Hi All,

I hope you're doing well.

We've encountered an issue with port forwarding for our cameras. After enabling port forwarding (NAT port to the camera recorder), it causes our WireGuard VPN and external access to the GUI to stop working. However, when we disable the NAT ports, everything starts working again.

Could you advise who might be able to help resolve this issue? Additionally, is it necessary to port forward or NAT the camera port to maintain all services functioning properly, or is there an alternative configuration we should consider?

Looking forward to your guidance.
#17
Hello everyone,

I received two /29 subnets from our ISP. Currently, I'm using the first /29 as the uplink, with the other 7 IPs functioning as virtual IPs, which is working well.

The second /29 subnet has its own gateway, which has been added as well, with those IPs also set up as virtual. However, our Layer 3 switch is having trouble routing this second subnet because we need to configure a static route in OPNSense.

Could someone advise on how to set up the static routing for the second subnet?

Your support is greatly appreciated.

Thank you!
#18
Quote from: 36thchamber on May 22, 2024, 02:05:22 AM
Yup, after the upgrade DOT DNS couldn't resolve in order to load Wireguard.
I've tried lowering DNSSEC standards and it helped, at least the BOGUS or NXDOMAIN responses lasted "only" 10sec, so the boot was fast, and WG successful.
I will not use IPs. IPs change.
I just hope Adguard will move to the early part of the boot sequence, so I don't need to use Unbound just to satisfy (unreliably) the boot process.

I had resolved it before by changing the DNS name of the external site to the IP; after the last update, OPNsense 24.1.7_4-amd64, it crashed again.
I am using DoT too.

Edit: I've got it resolved. Make sure to check the WireGuard plugin. Somehow it disappeared. Reinstall it.
#19
24.1, 24.4 Legacy Series / WG firewall rules
May 22, 2024, 10:08:24 PM
Hi everyone,

We are using WireGuard as a site-to-site VPN between four offices. These offices are connected to site A, so sites B, C, D, and E are connected to site A.

I want to allow RDP and ICMP from sites B and C, and allow all traffic from sites D and E. Can you please advise how to set this up? I appreciate any support.
#20
I managed to resolve this issue. Most of the S2S VPN connections were using the DNS name of the peer instead of the IP address. I am using DNS over TLS, which somehow didn't resolve these two VPN sites correctly. I changed their DNS names to IP addresses, and they started working. I thought I'd share my resolution here.
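Posts #18 and #20 above both trace the tunnel failure to peers configured by DNS name that the DoT resolver could not answer when the tunnel came up. As an added example, not code from the forum thread or from OPNsense, here is a pre-flight check that parses a constructed WireGuard peer config and flags every Endpoint that depends on DNS, attempting resolution through an injectable resolver (socket.getaddrinfo by default); the hostnames and keys are placeholders.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample WireGuard peer config (not from the forum thread); keys are
# placeholders. Site B is reached by IP literal, site C by DNS name.
SAMPLE_CONF = """
[Peer]
PublicKey = <placeholder-site-b-key>
Endpoint = 192.0.2.10:51820              # site B: IP literal
AllowedIPs = 10.20.0.0/24

[Peer]
PublicKey = <placeholder-site-c-key>
Endpoint = vpn-c.example.invalid:51820   # site C: DNS name
AllowedIPs = 10.30.0.0/24
"""

def parse_endpoints(conf_text: str) -> List[str]:
    # Collect the Endpoint value of every [Peer] section, ignoring '#' comments.
    endpoints, in_peer = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
        elif in_peer and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "endpoint":
                endpoints.append(value)
    return endpoints

def classify_endpoint(endpoint: str, resolver: Callable = socket.getaddrinfo) -> Dict[str, object]:
    # 'host:port' or '[v6addr]:port'. IP literals never need DNS; hostnames must resolve at boot.
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    try:
        ipaddress.ip_address(host)
        kind, resolves = "ip", True
    except ValueError:
        kind = "dns"
        try:
            resolver(host, int(port))
            resolves = True
        except OSError:  # socket.gaierror is a subclass
            resolves = False
    return {"endpoint": endpoint, "kind": kind, "resolves": resolves}

def check_config(conf_text: str, resolver: Callable = socket.getaddrinfo) -> List[Dict[str, object]]:
    # One report per peer: anything with kind == "dns" is a boot-time dependency on DNS.
    return [classify_endpoint(e, resolver) for e in parse_endpoints(conf_text)]
```

Run it against the exported peer config before rebooting: every "dns" entry that reports resolves False is a peer that will not come up until the resolver does.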
#21
24.1, 24.4 Legacy Series / Re: NAT Rule Help
May 14, 2024, 10:39:55 PM
Sorry guys for my late reaction due to some health issues.

In some situations, when I have a DMZ, it forwards every port to OPNsense. Do you mean that even if OPNsense is behind a DMZ, it still needs port forwarding? I've noticed that OPNsense doesn't handle double NAT well.
#22
I am experiencing the same issue. After updating to OPNsense 24.1.6, my WireGuard setup stopped working. I have multiple sites, and I'm concerned because some sites work, while others do not.

The error message I'm getting on both sites is:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt3 interface
#23
Quote from: securid on February 03, 2024, 04:46:19 PM
Solved it!

Don't ask why but the gateway was gone and on the interface it was set to "automatic".

I had to recreate the gateway and reconfigure it on the interface and things started working again.
I am facing a similar issue. Do you mean the site-to-site gateway was gone?
#24
24.1, 24.4 Legacy Series / Re: NAT Rule Help
April 29, 2024, 10:05:24 PM
Quote from: Patrick M. Hausen on April 28, 2024, 11:26:14 PM
If there is another router in front you need a port forward rule on that other router, too.
There is a router in front of the OPNsense. We're dealing with double NAT. Are you asking if I should still forward the port on the ISP router even if there's a DMZ set up for the OPNsense?
#25
24.1, 24.4 Legacy Series / Re: NAT Rule Help
April 28, 2024, 11:04:29 PM
Quote from: sja1440 on April 28, 2024, 09:05:12 AM
As an alternative to setting "Associated firewall rule" to "Pass" you could set it to "None" and then create your own explicit filter rule.
Can you explain what exactly you mean?
#26
24.1, 24.4 Legacy Series / Re: NAT Rule Help
April 28, 2024, 11:03:48 PM
Quote from: Patrick M. Hausen on April 26, 2024, 06:10:42 PM
For that NAT port forward - did you set the "Associated firewall rule" to "Pass"?
I have tried those, but it didn't work.
I understand it's a double NAT.
There is an ISP router (DrayTek) in front of it, and the OPNsense is in a DMZ.
Could the double NAT be the cause?
#27
24.1, 24.4 Legacy Series / Re: NAT Rule Help
April 26, 2024, 05:19:01 PM
Does anyone have any suggestions? I would appreciate the help; I can't seem to resolve this issue. I've tried every tutorial and solution I could find online.
#28
24.1, 24.4 Legacy Series / NAT Rule Help
April 25, 2024, 07:00:52 PM
Hi Everyone,

I created a NAT rule to allow access to our internal camera system from outside the network. The rule is applied on the NAT and is automatically reflected on the WAN interface of the firewall.

However, when I try to access the cameras from an external location, I get the following error message: "Default Deny / State Violation." I've attached a screenshot showing the error.

Could someone please advise on what I might need to do to resolve this issue? Any guidance would be greatly appreciated.

Thanks in advance!
#29
24.1, 24.4 Legacy Series / Re: Multi Wan
March 18, 2024, 10:33:15 AM
Quote from: tiermutter on March 17, 2024, 08:05:18 PM
You can leave gw group for that rule, the 'disable force gateway' option will override that, so don't care about it.
Yes, a lower number for WAN1 is higher priority.
First time I hear about a WG tunnel, but it should not be affected.

Thank you for your answer.
I have followed those steps; unfortunately it didn't force the switch when the WAN1 cable was removed.
I remember struggling with this a couple of years ago, but I gave up using it.
#30
24.1, 24.4 Legacy Series / Re: Multi Wan
March 17, 2024, 07:37:54 PM
Quote from: tiermutter on March 17, 2024, 07:19:36 PM
Configure both as upstream. This causes OPNsense to use both for upstream according to priority. It will always use the GW online with higher priority, though there is no need for GW groups, but you can leave GW groups and firewall rules as they are.

So on the LAN firewall rule, should I keep using the default gateway or the gateway group I used?
So WAN gateway and WAN2 gateway as upstream GWs, but GW 1 with a low number so it will have high priority and be used for the upstream.
If I do so, will the WireGuard tunnel remain working?