Quote from: HansJ on June 20, 2025, 01:02:17 AM
I have a separate VLAN for every gamer in our household (for easy management of who is downloading too much, who needs to go to bed, who is being punished :) ).
So the VLANs are not really for security, but more for management, especially since we have a very slow internet connection (only 95Mbps).
Quote from: mtchetch on March 13, 2026, 01:20:05 PM
If you did everything correctly the Wireguard log will start logging events every minute. These are accessible directly in the wireguard VPN log menu.
2026-03-13T14:04:00 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36 Notice wireguard wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=6s
Peers are marked disconnected when they have not handshaked in 300 seconds / 5 min.
For the life of me I do not understand why this simple logging is not part of the Wireguard implementation on every firewall, since it is essential to know who is accessing your firewall and from where.
root@fwa:~ # cd /usr/local/etc/rc.syshook.d/start
root@fwa:/usr/local/etc/rc.syshook.d/start # ls
10-newwanip 25-syslog 90-carp 90-openvpn 95-beep
20-freebsd 50-ntopng 90-cron 90-sysctl 99-wireguard-dns-fix
root@fwa:/usr/local/etc/rc.syshook.d/start # chmod +x 99-wireguard-dns-fix
#!/bin/sh
# Header: Dynamic Wireguard Startup Sync for OPNsense 26.1
# Description: Extracts peer data from config.xml and ensures DNS stack is ready.
# Note: This script will "man-guess" that .1 is a reachable gateway address if a .0 network is found.
# Optimization: Checks if the tunnel is already up before performing any actions.
# Logging: Outputs to system log with tag "man-guess-wg" and priority "user.notice".

# --- Configuration ---
PEER_NAME="wg_peer"
REQUIRED_SERVICES="unbound dnsmasq AdGuardHome"
CONFIG_PATH="/conf/config.xml"
LOG_TAG="man-guess-wg"
MAX_RETRIES=20
SLEEP_INTERVAL=5

log_msg() {
    # Output to stdout and OPNsense System Log (General)
    echo "$1"
    logger -p user.notice -t "$LOG_TAG" "$1"
}

# 1. Extract the Endpoint (serveraddress)
CHECK_HOST=$(xmllint --xpath "string(//wireguard/client/clients/client[name='$PEER_NAME']/serveraddress)" "$CONFIG_PATH" 2>/dev/null)

# 2. Extract the first entry from Allowed IPs (tunneladdress)
RAW_IP=$(xmllint --xpath "string(//wireguard/client/clients/client[name='$PEER_NAME']/tunneladdress)" "$CONFIG_PATH" 2>/dev/null | cut -d',' -f1 | cut -d'/' -f1)

# Logic: Convert network address (ending in .0) to gateway (.1) for ping test.
# This part is a confident man-guess that .1 is the responding address.
TUNNEL_IP=$(echo "$RAW_IP" | sed 's/\.0$/.1/')

# Validation: Stop if configuration data is missing
if [ -z "$CHECK_HOST" ] || [ -z "$RAW_IP" ]; then
    log_msg "ERROR: Extraction failed for '$PEER_NAME'. Check if the name matches in config.xml."
    exit 1
fi

# --- INITIAL CHECK ---
# If the tunnel is already reachable, we exit immediately to avoid unnecessary restarts.
# (FreeBSD ping: -t is the overall timeout in seconds.)
if ping -c 1 -t 2 "$TUNNEL_IP" > /dev/null 2>&1; then
    log_msg "STATUS: Tunnel to $TUNNEL_IP is already UP. No action taken."
    exit 0
fi

check_process() {
    # Succeeds when a process whose command line matches $1 is running
    pgrep -f "$1" > /dev/null
}

log_msg "STATUS: Tunnel is DOWN. Initiating sync for peer: $PEER_NAME (Target: $CHECK_HOST)"

for i in $(seq 1 "$MAX_RETRIES"); do
    SERVICES_READY=true
    # Verify that all DNS-related services are running
    for SERVICE in $REQUIRED_SERVICES; do
        if ! check_process "$SERVICE"; then
            SERVICES_READY=false
            break
        fi
    done

    if [ "$SERVICES_READY" = true ]; then
        # Check if the dynamic hostname can be resolved yet
        if host "$CHECK_HOST" > /dev/null 2>&1; then
            log_msg "DNS OK: $CHECK_HOST resolved. Restarting Wireguard via pluginctl."
            # Official OPNsense 26.1 method for plugin service management
            /usr/local/sbin/pluginctl -s wireguard restart
            # Allow time for handshake and routing table updates
            sleep 15
            if ping -c 1 -t 3 "$TUNNEL_IP" > /dev/null 2>&1; then
                log_msg "SUCCESS: Connectivity to $TUNNEL_IP confirmed."
                exit 0
            fi
        fi
    fi

    # Log status every 5th attempt to keep the system log clean
    if [ $((i % 5)) -eq 0 ]; then
        log_msg "WAIT: Attempt $i/$MAX_RETRIES - Dependencies or DNS not ready."
    fi
    sleep "$SLEEP_INTERVAL"
done

log_msg "FATAL: Timeout reached. Connectivity could not be verified for $PEER_NAME."
exit 1
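The WireGuard peer connect/disconnect lines quoted earlier on this page answer "who is on my firewall and from where" only if you can query them. This added example (not from any poster or from OPNsense) parses lines in that format into events, pairs them into per-peer sessions, recovers the real last handshake time (the disconnect line is written at least 300 s after it), and flags endpoints outside the networks you expect peers to come from. The sample lines are constructed in the page's format, with the public keys shortened to placeholders and the oldest endpoint changed to a non-LAN address so the endpoint check has something to report.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the OPNsense WireGuard peer-log format quoted above (newest line first,
# placeholder pubkeys, last endpoint deliberately set to a non-LAN address).
SAMPLE_LOG = """\
2026-03-13T14:04:00 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=PUBKEY_PHONE=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=PUBKEY_LAPTOP=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=PUBKEY_PHONE=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36 Notice wireguard wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=PUBKEY_LAPTOP=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=PUBKEY_PHONE=, endpoint=203.0.113.7:41000, allowed_ips=192.168.12.2/32, handshake_age=6s
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) Notice wireguard wireguard peer (?P<event>connected|disconnected): (?P<kv>.*)$")

def parse_line(line):
    """Return one event dict (ts, event, peer_name, endpoint, handshake_age, ...) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
    for field in m["kv"].split(", "):
        key, _, value = field.partition("=")  # pubkeys end in '=', so split on the first '=' only
        ev[key] = value
    ev["handshake_age"] = int(ev["handshake_age"].rstrip("s"))
    # A "disconnected" line appears >= 300 s after the last handshake, so the real last sign of
    # life is the line's timestamp minus handshake_age (also true for "connected" lines).
    ev["last_handshake"] = ev["ts"] - timedelta(seconds=ev["handshake_age"])
    return ev

def sessions(log_text):
    """Pair connect/disconnect per peer, oldest first -> (closed [(peer, connected_at, last_handshake)], still_open {peer: connected_at})."""
    events = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda e: e["ts"])
    open_since, closed = {}, []
    for e in events:
        name = e["peer_name"]
        if e["event"] == "connected":
            open_since[name] = e["ts"]
        elif name in open_since:
            closed.append((name, open_since.pop(name), e["last_handshake"]))
    return closed, open_since

def foreign_endpoints(log_text, expected_nets):
    """Events whose source endpoint lies outside the networks you expect peers to come from."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    hits = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        ip = ipaddress.ip_address(e["endpoint"].rsplit(":", 1)[0].strip("[]"))  # handles [v6]:port too
        if not any(ip in n for n in nets):
            hits.append((e["peer_name"], str(ip), e["ts"].isoformat()))
    return hits
```

Run `sessions(SAMPLE_LOG)` and `foreign_endpoints(SAMPLE_LOG, ["192.168.11.0/24"])` against a copy of your own log export to get the same two views for real peers.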
Quote from: nero355 on April 29, 2026, 11:55:16 PM
Workaround: Whitelist Docker IP subnets in Crowdsec
Quote
By default, CrowdSec whitelists private LAN IP addresses. You can add your own IPs or events to prevent false positives.
Quote from: petavef405 on April 29, 2026, 07:09:33 PM
Yeap, bridging VLANs isn't really the right move here; it tends to break things more than fix them. mDNS/multicast forwarding is the key here. Bridging VLANs causes headaches; better to keep segmentation and just enable proper discovery between networks.
What you actually need is to let the VLANs "see" each other, not merge them. Steam uses local discovery, so even if routing works the PCs won't find each other without multicast/broadcast passing through.
So in simple terms:
- Keep VLANs as they are
- Allow traffic between them in firewall
- Enable something like mDNS repeater / multicast forwarding on your router
If your router doesn't support that, honestly the easiest way is just to put the gaming PCs in the same VLAN when you're downloading stuff.
# cat /tmp/rules.debug | grep binat
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1000::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1001::/64 -> (igc1:0)/64 # NPTv6 WAN<->MANAGE (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1002::/64 -> (igc1:0)/64 # NPTv6 WAN<->VPN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1003::/64 -> (igc1:0)/64 # NPTv6 WAN<->CLEAR (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1004::/64 -> (igc1:0)/64 # NPTv6 WAN<->GUEST (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1005::/64 -> (igc1:0)/64 # NPTv6 WAN<->IOT (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1006::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAB (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1007::/64 -> (igc1:0)/64 # NPTv6 WAN<->MOBILES (/64)