Recent posts

#1
26.1 Series / SUPPORT NEEDED - Reply-to does...
Last post by Oriann - Today at 01:01:35 PM
Hello folks

Coming from pfSense, and after a few hours of happiness at seeing more advanced development here, I struggle to set up symmetric routing correctly with the current version of OPNsense.

Here is ticket on github - https://github.com/opnsense/core/issues/9806

In short:
I have a multi-WAN setup at home. I am hosting a few services on WAN1 and a few on WAN2. Everything looks normal, but yesterday I tested downloading from my cloud (which is hosted on WAN2) from a remote location, and I wondered why downloading is so slow when I have stronger upload on WAN2 than on WAN1. I found out that the handshake to my cloud is made correctly via WAN2 BUT the download stream starts on WAN1.

What I have tested to fix this:
1. Forced rules reply-to WAN2
2. Disable forced gateway in settings
3. Check Bind states to interface
4. Gateway policy routing

Nothing worked.

Every time, OPNsense honors the default gateway no matter what you set in the rules.

I am curious why this worked out of the box on pfSense right after setting up the rules and port forward, and here it does not work (even after hard-setting rules and state behavior).

Can somebody help me test this out and maybe make some logs for the devs? This needs to be fixed if it's broken here. I really wish to stay here because of the extra options, but this is keeping me back.

Thanks in advance.
#2
Virtual private networks / ipsec problem
Last post by catlover123 - Today at 12:53:57 PM
Hi everyone,

I'm currently trying to get IKEv2 / IPsec remote access running on OPNsense 26.x and I'm a bit stuck, so I'm hoping someone here has done a similar setup before or can point me in the right direction.

Setup (simplified)

  • OPNsense is running in an internal network, currently on 192.168.90.1/24
  • There is another firewall (Sophos) in front of it (not directly exposed to the internet)
  • Required ports (UDP 500 / 4500) are forwarded to OPNsense
  • I'm testing from a Windows client

What I have already configured

  • IPsec IKEv2 Remote Access connection
  • Proposals are set (AES / SHA / DH, nothing exotic)
  • EAP-MSCHAPv2 for authentication
  • A Client Pool is configured
  • Child SA is configured (local subnet + remote/client subnet)
  • Firewall rules are in place to allow IPsec traffic
  • User certificate created, signed by the local CA, imported on Windows
  • Windows VPN is configured as IKEv2

The problem

  • The VPN connection does not establish
  • There is no meaningful output in the IPsec logs
  • It feels like the traffic is not fully reaching or being handled by IPsec, but I can't pinpoint where it breaks

At this point I'm unsure if I'm missing:

  • a specific IPsec setting
  • something Windows-specific for IKEv2
  • or a routing / firewall detail that's easy to overlook in this kind of "firewall-behind-firewall" setup
If anyone has done IKEv2 Remote Access on OPNsense behind another firewall, I'd really appreciate any hints.
If I'm missing important information, feel free to ask and I'll provide what I can.

Thanks in advance!
#3
26.1 Series / Re: 26.1.2 - crashed and reboo...
Last post by franco - Today at 11:23:56 AM
And you're using DCO and have the same crash dump?


Cheers,
Franco
#4
Announcements / Re: OPNsense 26.1.2 released
Last post by franco - Today at 11:18:26 AM
A hotfix release was issued as 26.1.2_5:

o firewall: add missing implementation for "disablereplyto" in new rules
o firewall: fix encoding issue in dashboard widget
o captive portal: fix hard-timeout calculation
o kea: add required scope to prefix watcher link local address route
o backend: allow non-intrusive config_read_array() and fix a gateway group delete issue with it
#5
25.7, 25.10 Series / Re: Kernel panic on DEC2752
Last post by thomisus - Today at 10:15:36 AM
Hi Franco,

I had already done a clean reinstall, but the problem was still there.

Now, after the latest update, my issue seems fixed. Uptime, as of now, is 7 days. Fingers crossed.
#6
26.1 Series / Re: 26.1.2 - crashed and reboo...
Last post by Comp User - Today at 10:10:49 AM
Not to hijack this topic, but I have similar problems with the 26.x installation.

A bare installation will be functioning, but after a - mandatory for plugins such as AGH - update it crashed, and the only option is a reinstall.

Option 12 shows that on each attempt different files cause it; it looks like "spin the bottle" to me, but with the same result: not functioning.

I had similar issues with the upgrade from 25.1 => 25.7: 17 "new" files that prevent / roll back the upgrade, but it didn't break the system.

#7
German - Deutsch / Re: DHCP not running v.26.1
Last post by meyergru - Today at 10:07:45 AM
#8
German - Deutsch / Re: DHCP not running v.26.1
Last post by k0ns0l3 - Today at 10:05:50 AM
Quote from: Patrick M. Hausen on Today at 09:36:36 AM
Advantages of Kea over ...?

ISC - simple answer: ISC is EOL, Kea is the official successor
DNSmasq - harder: some consider Kea the better architecture, DNSmasq does a great many things at once, I prefer to have DHCP, DNS and RA in separate services. Also, Kea can do HA, DNSmasq can't.

Thanks, so Kea is not a must with 26.1, did I understand that correctly?

Regards
#9
German - Deutsch / Re: NAT between 2 interfaces
Last post by Bob.Dig - Today at 09:54:40 AM
Quote from: ahlewurscht on Today at 09:13:12 AM
or are there other ideas on how to realize the access?
On the one hand, you can make the network stored in the Fritzbox larger from the outset, so that all of the OPNsense's networks are covered. On the other hand, you can export the WireGuard config from the Fritzbox, add the new network in an editor, and import the WireGuard config again.
#10
German - Deutsch / Re: DHCP not running v.26.1
Last post by Patrick M. Hausen - Today at 09:36:36 AM
Advantages of Kea over ...?

ISC - simple answer: ISC is EOL, Kea is the official successor
DNSmasq - harder: some consider Kea the better architecture, DNSmasq does a great many things at once, I prefer to have DHCP, DNS and RA in separate services. Also, Kea can do HA, DNSmasq can't.