Recent posts

#1

Virtual private networks / problem reaching parts of my n...

Last post by Alwin - Today at 10:45:17 PM

hello everybody :-)
i am new with opnsense, though not completely fresh with networks ...
but it seems i am too stupid here anyhow, so i ask for your kind help

i have a network 10.20.x.x with mask 255.255.0.0, and from a pc with the ip 10.20.7.94 i can reach all other nodes, e.g. 10.20.7.27 or 10.20.1.28 etc
setting up wireguard instance and one peer step by step following the opnsense documentation, i can connect via vpn and reach the firewall 10.20.7.27 and the pc 10.20.7.94 - but not the node 10.20.1.28 or any other node that are not in the 10.20.7.x range. of course i realize that there is a problem with masking somewhere, but i am unable to find it.

the LAN interface in OPNsense has the IPv4 address 10.20.7.27 / 16 , the WAN Interface is IPv4 with DHCP (connected to a Fritzbox with a fixed IP-address via DSL ) and with all searching i am unable to find a subnet mask problem or config that prevents the access to the whole network (10.20.x.x) and only let me reach the subnet, that has the opnsense firewall in it (10.20.7.x)

i very appreciate any help to solve this and point me to my fault in the configuration.

#2

General Discussion / Re: Help needed, LAN to LAN co...

Last post by meyergru - Today at 10:40:21 PM

I assume you want to set up a bridge with LAN and LAN2. Follow the Offizials docs, them it will work.

#3

26.1, 26,4 Series / Re: Is there anywhere to see L...

Last post by nero355 - Today at 10:32:37 PM

Assuming this is what's happening (OPNsense is unaware of LAN-only devices that weren't assigned a lease through OPNsense), what would someone like me use to monitor for devices on my LAN?

This is pretty much what you are looking for in OPNsense :

For the devices themselves, perhaps "Interfaces: Neighbors: Automatic Discovery"?

And if you happen to use Pi-Hole then you can use a built-in function that does something similar.

There are also projects like this one : https://github.com/netalertx/NetAlertX

Pick the one you like the most :)

I'm at virtually no risk, personally, not even from a neighbor - but it feels like security hole so just asking the question.

As long as you don't have random people connecting devices to your network without you knowing it the risk is pretty low...

Also to find the IP in the ARP table presumes that the traffic is passed through OPNsense.
So for communications between devices within the same subnet no ARP entry is added on the router.

Not always :

A device can ask all other devices on the network "Who is <another device> ?" and in that case it can appear in the ARP/RARP Cache.
Also that Cache expires so maybe there hasn't been any communication in the last 300 seconds :)

#4

General Discussion / Re: Help needed, LAN to LAN co...

Last post by nero355 - Today at 10:13:34 PM

I have my server on LAN2 I want my desktop to be able to ping the server from LAN, and ultimately allow my desktop to get access to some services my server exposes on different ports

I have attached the full firewall rules page of LAN and LAN2 as well as their interface configurations

When you install OPNsense the Default LAN has Firewall Rules that ALLOW traffic to ANY destination.

If you then create your LAN2 correctly as the next step, you could then copy that firewall rule from LAN to LAN2 and have two networks that can talk to each other.

There is no need for seperate ICMP Firewall Rules at all :)


The above ofcourse excludes things like the Windows built-in Firewall or IPtables/NFtables/UFW/etc. on Linux Servers/Clients !!

#5

General Discussion / Re: WAN Interface Change

Last post by nero355 - Today at 10:03:40 PM

I just update my internet connection from 1G to 2G and added a usb-c 2.5 dongle to the opnsense box

Please don't do this :)

In general the whole USB system is very sensitive to High CPU Load and could cause very strange/unexpected issues because of that...

It's something one should avoid at all times and use PCI/PCIe devices instead !!

#6

German - Deutsch / Problem mit Wireguard VPN kein...

Last post by Alwin - Today at 10:03:07 PM

Hallo liebe Mitmenschen :-)
Als Neueinsteiger in OPNsense mit leidlich Netzwerkerfahrung muss ich hier mal um Hilfe bitten, denn wahrscheinlich
bin irgendwo zu blöd ...
Ich habe ein Netzwerk 10.20.x.x mit der Maske 255.255.0.0, und kann von einem PC im LAN mit der 10.20.7.94/16 auch alle Knoten erreichen, wie z.B. 10.20.7.27 und 10.20.1.28.
Ich habe, Schritt für Schritt der OPNSense Dokumentation folgend, eine Wireguard VPN Instanz und einen Peer erzeugt, die angegebenen Routen eingetragen, und kann von einem nicht im LAN befindlichen PC mit dem aktuellen Wireguard Client die Rechner 10.20.7.94 und die Firewall mit der 10.20.7.27 erreichen, aber keinen der Knoten im Bereich 10.20.1.x wie z.B. die 10.20.1.28.
Das LAN Interface in der OPNsense ist mit IPv4 address 10.20.7.27 / 16 konfiguriert, das WAN Interface als IPv4 auf DHCP (hängt hinter einer Fritzbox, die eine feste IP-Adresse über DSL hat) und trotz allem herumsuchens finde ich nicht, wo mir eine falsche Netzmaske den Zugriff auf des gesamte Netz (10.20.x.x) verwehrt und mich nur auf den Bereich, in dem auch die Firewall ist (10.20.7.x) lässt.
Kann mir jemand einen Tipp geben, was ich hier falsch mache ?

#7

Italian - Italiano / Come configurare un IP tramite...

Last post by dodo - Today at 09:59:34 PM

Buona sera a tutti.

Sto sperimentando una conversione da Shorewall a OPNsense e sto trovando difficoltà ad implementare il Proxy ARP di un IP pubblico WAN verso la DMZ.

In Shorewall indicavo l'IP pubblico del server in DMZ, l'interfaccia della DMZ e l'interfaccia WAN su cui pubblicarlo.

Esempio:

NET=20.1.1.0/29, GW=20.1.1.1, FW=20.1.1.2, IP_in_DMZ=20.1.1.3 (proxy ARP)

Qualcuno sa come aiutarmi?

Grazie in anticipo.

Dario

 

[Clients]

#8

26.1, 26,4 Series / Re: local DNS resolution

Last post by daegan_ - Today at 09:54:07 PM

why is local dns resolution hard to configure?

It's not :)

why are there so many poorly documented (within the web ui) legacy features that do not explain when to use said legacy feature?

Not sure what you are talking about, but it's mainly a matter of understanding how OPNsense has everything built around Unbound even when you don't use ISC or KEA as the DHCP Server, so everyone using DNSmasqd gets confused easily...

is there a tutorial for opnsense 26.x.x that explains how to setup local dns resolution for unbound+dnsmasq

That is well documented @ https://docs.opnsense.org/

But this part :

so that pihole can see host names?

Is something you will have to figure out yourself by understanding how DNS in OPNsense works :

Clients => DNS Query to Local Gateway IP => Query goes to Unbound @ Port 53 => DNS Records are requested directly from the Root DNS Servers.

This is a problem when you are using DNSmasqd that also does DNS :

Clients => Request for DHCP IP Address => Query goes to DNSmasqd which runs on the Local Gateway IP => DNSmasqd sends the available DHCP IP Address to the Client and registers it's Hostname in it's DNS Database/Cache.

But...

Unbound doesn't know the Hostname of the Client unless you make sure it queries DNSmasqd @ Port 53053 Locally.

So this :

pi hole conditional forwarding has been enabled.

Does not work even when you (Correctly! Mind the syntax !!) ENABLE it and tell Pi-Hole to query the Local Gateway IP for DNS Records => They all go to Unbound and NOT DNSmasqd !!

any leads to help educate me on this matter are appreciated.

IMHO the best you can do is this :

(Personally I would not do this, I would just setup Unbound on the Pi-Hole and direct Pi-Hole to use the local Unbound resolver + then disable Unbound on OPNsense and point OPNsense Clients to Pi-Hole as its their DNS server)

I did the same right after installing OPNsense since I already had https://docs.pi-hole.org/guides/dns/unbound/ running for years! ;)

For Local DNS Resolution I have also been using the Local DNS Records option in Pi-Hole for many years.

But in your case you could change DNSmasqd Port 53053 to Port 53 after disabling Unbound on OPNsense and your Conditional Forwarding in Pi-Hole should then start to work :)

i have figured out how to tell dnsmasq to specify pihole as the dhcp advertised dns server.
so the dns flow is client -> pihole -> opnsense ip as the dns upstream on pihole

That will work, but is IMHO a mess and should not be the desired setup, because then you need to :
- Tell OPNsense Unbound about OPNsense DNSmasqd.
- Tell Pi-Hole that it's OK to send Local DNS Queries to the Upstream DNS Server.



Hope this all works for you as an explanation and if you need more help then let me know :)

this goes leaps and bounds towards my understanding. I very much appreciate you taking the time to post.

#9

Virtual private networks / Re: OpenVPN Rules - interface ...

Last post by grapes2331 - Today at 09:50:43 PM

Thank you, that was my thinking as well. I'll give this a try.

#10

26.1, 26,4 Series / Re: local DNS resolution

Last post by daegan_ - Today at 09:39:46 PM

i appreciate everyone responding to me. yes I'm new. i am very likely mislead by old information and thus frustrated. i will review your helpful tips here and see what i can do to get my setup working. I particularly appreciate those who are breaking down the flow.

I realized I was dealing with unbound or dnsmasq not talking to each other in some way. so my frustration took over and I decided to post here and take a break.