Recent posts

#1
General Discussion / Re: Why do I need to temporari...
Last post by lmoore - Today at 07:26:26 AM
Quote from: tbk49 on July 05, 2026, 08:53:02 PMSince I'm running GRE over IPSec, do I need a GRE rule on WAN

No - I hadn't fully visualised your set-up when I posted that rule.

In review, you don't mention having OPNsense logging of Default block being enabled. This is where I would expect PF to log the blocked packets arriving from the peer at the other end.

As you don't have an interface for IPsec, testing with a rule which is applied to all interfaces other than your WAN may help;

e.g. setting Invert interface in the rule I provided earlier. You may want to enable logging initially to verify the rule is being used.

@329 pass log quick on ! re0 inet proto gre all no state label "9dc1eb15-4dd3-44b1-adbc-04385d9f9955"
#2
Heres the example setup from the documentation:

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-policy-based-tunnels-gre-and-ospf

I wrote that, but Im not an expert on GRE, but I didnt have issues with it not establishing with the firewall enabled.

Maybe what you have is a new issue, or something that wasnt noticed yet.

Though I know others who e.g., get Hurricane Electric IPv6 nets over GRE and there arent too many reports that something is wrong with that either.

So the simplest assumption is that the firewall rules are wrong somehow.
#3
High availability / CARP / HA with dual WAN failov...
Last post by hollyjohn - Today at 06:01:30 AM
Hello,
I have two OPNsense servers, each with its own dedicated WAN connection, configured with CARP/HA. Failover works as expected if the primary server fails, becomes unresponsive, or is taken offline for maintenance.

The issue I'm seeing is that there is no failover when only the primary server's WAN connection goes down. The primary firewall remains the CARP master, so traffic doesn't switch to the secondary firewall even though its WAN connection is still up.

Can anyone point me in the right direction on what I should be checking or configuring to ensure the backup server takes over when the primary server loses WAN connectivity? Any suggestions would be greatly appreciated.
#4
The test is to know if the ports are in bypass. The device appears to have 3 sets (6 ports) that are paired 1x1 (x3) for a type of "lan-wan" bypass configuration. Since the ports are colored same on top row, a different color on bottom row, it's 3 over 3, so they pair vertically. So make sure you are using 1top and the one right below it.

#5
Quote from: Patrick M. Hausen on July 03, 2026, 09:32:09 AMA routing table is commonly referred to as a FIB - a forwarding information base. And people like Perlman did not mangle terminology, they defined it.

The difference between a router and a switch/bridge is that a router works at layer 3 and a switch/bridge at layer 2. It is not necessary to invent separate terms for the act of passing a packet.

I give up.
Give up?

L3 FIB (next hop)
L2 ARP/CAM (where to forward)
L1 Tx

Seems 100% legit to me, there's no forwarding in L3.
#6
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - Today at 01:45:23 AM
Quote from: Patrick M. Hausen on Today at 01:01:50 AMThe most common scenario is either to use a policy based IPsec VPN in tunnel mode without a tunnel interface

'Without a tunnel interface'. Do you mean without something like GRE?

I've set up policy based IPsec, but IPsec is a unicast technology. To do dynamic routing over it where OSPF broadcasts to multicast address this needs to be encapsulated in GRE to pass over the IPsec tunnel. Hence why you run a ptp protocol over IPsec. It was also common at one time to run L2TP over IPsec too. Haven't you ever heard of that either?

Perhaps it is not common in 2026 but this detours from the issue at-hand. The issue being the GRE tunnel doesn't come up unless the firewall is disabled. That doesn't make sense -- I have appropriate firewall rules, so why does the firewall prevent communication? It should be far simpler to get to the explanation for why this is happening than what it will be to spend time removing all the config to set up route based IPsec with VTI.

WG is not possible at the moment.
#7
The most common scenario is either to use a policy based IPsec VPN in tunnel mode without a tunnel interface or use a route based IPsec VPN with a virtual tunnel interface in tunnel mode. I am not aware of any installation that uses GRE in 2026. That's why I asked what you want to achieve with that.

What kind of device is the peer? If it's OPNsense, I'd run WireGuard.
#8
General Discussion / Re: Password Reset
Last post by cookiemonster - Today at 12:23:16 AM
Very good.
#9
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - July 05, 2026, 11:53:24 PM
Quote from: Patrick M. Hausen on July 05, 2026, 09:17:23 PM
Quote from: tbk49 on July 05, 2026, 08:45:46 PMI am using tunnel mode, not transport. That a problem?

That entirely depends on what you want to achieve and how the other side is configured.

In tunnel mode as used in most scenarios you would not run an additional GRE tunnel inside the IPsec tunnel. Why are you doing that?

Maybe because I'm inexperienced and haven't spent months reading the RFCs?

I'm running a site-to-site connection. I'm not sure what you mean by "inside", but my understanding is "GRE/IPSec" = "GRE over IPSec" meaning your local tunnel address is the IPSec loopback IP and the remote tunnel address is the IPSec loopback of the peer. Then you give the GRE interface its own private IP. Then you do dynamic routing via GRE. So for example:-

Device A:

loopback (for IPSec) - 10.22.22.1/30
GRE interface local address - 10.22.22.1/30
GRE interface remote address - 10.22.22.2/30
GRE interface IP - 172.25.1.1/30

Device B:

loopback (for IPSec) - 10.22.22.2/30
GRE interface local address - 10.22.22.2/30
GRE interface remote address - 10.22.22.1/30
GRE interface IP - 172.25.1.2/30

After the IPSec connection passes Phase 2 the GRE interface comes up (should...) and communication is via 172.25.1.0/30 network. Is this what you mean by running GRE 'inside' IPsec? Because if so, that's what I'm doing. What is the most common scenario you refer to?
#10
26.1, 26,4 Series / Re: Change WAN based on RTT/Pi...
Last post by nero355 - July 05, 2026, 10:42:25 PM
I think you would need a Routing Protocol that works with delay as it's metric and is ofcourse used for Internet Routing and not just Private LAN Routing like CISCO's EIGRP for example, but which protocol that would be I have no idea, so maybe someone with more up-to-date information can share his/her input about this :)