OPNsense
Topics - tedly

1
General Discussion / openvpn servers/clients [legacy] - change in opnsense 24.1
« on: February 22, 2024, 11:57:05 pm »
I believe it was the upgrade between 23.7 and 24.1 that openvpn servers/clients now says [legacy] next to them.

Does this mean they're going to go EOL/discontinue at some point?

I looked at the roadmap link here but it doesn't mention this change. Nor a mention of this in the future. Is there somewhere that details the future of openvpn client/server for opnsense? I don't want to be caught with my pants down if it suddenly stops working when I patch to a new release.

[legacy] is scary wording for someone who relies on it.

Thanks.

2
Virtual private networks / openvpn internal network route ignored - after multiwan added to an endpoint
« on: February 06, 2024, 10:48:06 pm »
Hi. I've set up countless (open)vpn site2site setups over the last decade with pfsense. Now I'm all-in on opnsense. I had it working fine 12 hours ago before I added in multi-wan. Now that multi-wan is going, openvpn no longer routes properly. Rather than use the VPN tunnel IP to route traffic, it uses the upstream hop. See below:

 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.1.1                                           0.965ms asymm  2
 2:  100.64.0.1                                           39.816ms asymm  4
 3:  172.16.251.70                                        38.100ms asymm  4
 4:  undefined.hostname.localhost                         51.994ms (This broken router returned corrupted payload) asymm  8
 5:  undefined.hostname.localhost                         42.959ms asymm  6
 6:  den-b3-link.ip.twelve99.net                          43.309ms !N
     Resume: pmtu 1500

Note that 192.168.1.1 is my upstream hop because I have cgnat behind starlink.

My source network is 192.168.150.0/23 and my destination is 192.168.148.0/23. Each end of the site-to-site connects to a hub opnsense host and that hub communicates traffic between the two networks. Again, something I've done many times.

The remote end (192.168.148.0/23) can ping and communicate with the local side (192.168.150.0/23). When the remote side does a traceroute, it correctly talks to the VPN's tunnel subnet (172.30.1.16/28).

But when the local side tries to connect to the remote network, it skips routing through the tunnel's subnet gateway (172.30.1.17). And goes out the public (192.168.1.1) gateway. And as you can see in the example above, it doesn't reach the real end point.

I have verified that the local opnsense has a route setup for 192.168.148.0/23 to go to the tunnel subnet gw (172.30.1.17). But it is being ignored anytime I send traffic.

As mentioned at the start of the post. This was working until I added multiwan on the local (192.168.150.0/23) opnsense.

I've rebooted. I've deleted and recreated the openvpn client configs. I've scoured the configs for 3-4 hours now. The VPN connects but the route is just broken.

Any ideas?

3
General Discussion / Firewall: Log Files - default template
« on: January 13, 2024, 05:39:40 am »
Hi. Is there a way to set a default template for my firewall logs?

Reason I ask is that I have a bunch of noisy neighbors on my /24 who constantly hit me with UDP broadcast(?) traffic. Like 10 packets a second.

Which is making it pretty difficult to watch the logs for what's going on. I have made a template to block the external subnet and that works great. But I have to wait for the logs page to load each time and then select it. Plus there doesn't appear to be a way to set any template on the Dashboard Firewall Log widget.

Is there any way to set a default filter on the logs? Perhaps in a template that is selected by default.

I've tried googling and searching the forum for firewall log & default template but all I'm getting is results for lots of other unrelated topics.

Thanks in advance.

4
General Discussion / change an interface's identifier
« on: November 11, 2023, 05:56:03 am »
I couldn't seem to find any posts or info to answer this, or I didn't pick the right search terms.

But I have a brand new setup with three NICs. I intend to have one for my LAN (internal), WAN (primary gateway), and OPT1 (backup LTE).

But during the setup, the system assigned the "identifier" of "lan" to the LTE interface. And "opt1" to the LAN interface. See attached image.

I'd like to reverse these. I couldn't find where to change these.

And I can't just move the NIC cords because I need certain NICs to do certain duties for performance reasons.
