Recent posts

#1
I have OPNsense 25.10.

This problem has me completely stumped. It only occurs when the IPv4 request (e.g. TCP SYN, ICMP...) originates from any VM on my Fedora workstation. It does not happen when the request originates from my workstation itself or from a VM in a Proxmox server.

I have taken captures from the workstation and the LAN and WAN interfaces on OPNsense.

This is what I see on the WAN interface:
* If I execute 'wget 142.251.209.46' from my workstation I see the traffic you would expect.
* If I execute 'wget 142.251.209.46' from the Debian VM I see an incoming SYN,ACK followed immediately by OPNsense sending out an ICMP Host Unavailable.

I can see no discernible difference between the two IPv4 requests.

The issue is clearly being caused from within OPNsense, but where and why?

Why should OPNsense reject a protocol response when the firewall has already let the outgoing IPv4 message pass?

Anybody have some ideas on how I can diagnose this?

#2
26.1, 26,4 Series / Re: All Port Forwards Broken w...
Last post by nero355 - Today at 03:08:20 PM
Quote from: LostSpark on Today at 04:24:13 AM
my WAN (fiber) IP was wrong inside OPNsense.

it was simply not the same IP as what I got when I typed "what is my IP" into google.

Manually restarting my modem fixed the problem...
What was the IP exactly ?!

My guess is you were behind CG-NAT and that's why the Port Forwards did not work.
#3
26.1, 26,4 Series / Re: This makes me want to cry!...
Last post by roohoo - Today at 03:06:02 PM
I installed Sophos firewall to see how it fared. For the first 15 hours, it worked perfectly, then all internet access stopped. It had dropped the connection to my (Gigaclear) fibre modem. Rebooting the VM had no effect. Only physically turning off the machine and turning it back on worked.

I'm starting to think that my wildly unlikely hypothesis that something on my network - or Gigaclear's - is sending malformed packets that can kill a router might actually be the case.

I was going to try pfsense too, but I've lost my enthusiasm.

Sorry I didn't get to try your troubleshooting ideas but constantly changing my router got really old really fast and my wife and others grew most perturbed every time their connectivity was interrupted!

Thank you again.

If I decide to investigate the benefits of OPNsense again in the future, and the troubles remain the same, I'll report in on this thread.

Thank you all.
#4
26.1, 26,4 Series / Re: 26.1.6_2 - All traffic blo...
Last post by opsnerd - Today at 02:50:27 PM
I'm also having this problem. Seems I cannot remove the legacy rules, which preclude the new Rules from taking effect.
#5
General Discussion / Re: OPNsense 26.1.1 with Adgua...
Last post by MCMLIX - Today at 01:42:56 PM
Thank you (akore) for posting this install setup.
#6
26.1, 26,4 Series / Re: OpenVPN - Via UDP no routi...
Last post by PotatoCarl - Today at 12:13:48 PM
If you mean a route in the OpenVPN Rules "Source" OpenVPN Network to any, I have this. Does not change anything.
#7
26.1, 26,4 Series / Re: OpenVPN - Via UDP no routi...
Last post by PotatoCarl - Today at 12:12:16 PM
"So this would be a good time to migrate to the new connections."
Well, I always believe it is a good time to do this if the "old" config is running, so you know when it breaks how it was working before.

I tried already multiple times to "just make a new UDP VPN" with the new config, but I do not even get a connection yet. So currently trying to get the "old" config back to work.

I tried a laptop with Linux and an Android phone: both failed on both UDP instances to route anything into the VPN, name lookup etc.
They get an IP out of the range, the connection claims to be up. Whenever I get a connection via one of the UDP servers, no routing into the VPN is possible. With TCP it works fine.
All servers are identically configured, only the ports and UDP/TCP settings are different, firewall rules seem to be fine, too.
#8
General Discussion / Resolved: Re: Wireguard Tunnel...
Last post by PotatoCarl - Today at 11:59:27 AM
Hi
I am stuck at the same point here, but I am using unbound.
In the client config: "allowed IPs to pass tunnel" is the IP of the gateway 192.168.30.1/32
The tunnel in the instances is configured as 192.168.30.0/24
No DNS in the interfaces selected (although I tried to set 192.168.30.1, too, but that did not change anything)
I can open the pages with entering the IP address, but cannot lookup any DNS name.
Unbound runs on "all" interfaces.

Gateway and interface for the Wireguard instance is configured as described here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am running with 2 WANs and copied the configuration to both of them (although wireguard only runs on one WAN at this time).

Any ideas?

The Wireguard itself connects fine, and in the app the "correct" DNS server 192.168.30.1 is shown as well.

EDIT: Resolved: the DNS has to be set to x.x.x.0, not x.x.x.1; then it works fine.
#9
Yes, I can see the Connection in the Live Session.

But how can I fix my problem?
#10
26.1, 26,4 Series / Re: All Port Forwards Broken w...
Last post by meyergru - Today at 09:08:57 AM
Are you sure that you are talking about a "modem", not a "router"? This sounds more like a router-behind-router setup where OpnSense does not control its real WAN IP address.