Recent posts

#91
Virtual private networks / Re: Routing OpenVPN Traffic th...
Last post by Monviech (Cedrik) - December 09, 2025, 08:16:08 AM
Does the IPsec tunnel have an SA open that allows the OpenVPN source network through, and the other side of the IPsec tunnel to return packets to that source?
#92
Virtual private networks / Routing OpenVPN Traffic throug...
Last post by cidimir - December 09, 2025, 08:06:14 AM
I have an IPsec VPN set up between Site A (192.168.168.0/24) and Site B (10.0.0.0/24).

Site A is behind a SonicWall; Site B is behind OPNsense. They can ping, file share, RDP, etc. correctly.

I've configured OpenVPN on the OPNsense box (assigning users an IP in the range 10.10.10.0/24 upon successful connection). OpenVPN users can successfully reach the Site B LAN network (10.0.0.0/24), no problem.

What I want is for them to also be able to reach the Site A network: to ping or RDP to 192.168.168.x and for that to successfully go through OpenVPN, through the IPsec tunnel, and respond back.

However, a traceroute OpenVPN -> Site A won't even go through the OpenVPN tunnel unless 192.168.168.0/24 is a local route on the OpenVPN instance.

My current IPsec config has two children:

Local            Remote
10.0.0.0/24      192.168.168.0/24
10.10.10.0/24    192.168.168.0/24

My OpenVPN instance has 10.0.0.0 and 192.168.168.0 as local networks for routing.

What am I missing? Any help would be appreciated.
#93
High availability / Re: HA setup with no WAN CARP ...
Last post by MysteryIron - December 09, 2025, 06:51:39 AM
Can we do something like this? I was able to get IP from my ISP to my virtual switch. But I am running into routing issues at my virtual switch.

[Modem] → hostpci0 (0000:06:00) → Virtual Switch VM
    ↓
[Virtual Switch bridges to two virtio NICs]
    ↓                           ↓
vtnet5 (opnsense1)         vtnet5 (opnsense2)
    ↓                           ↓
  [WAN]                       [WAN]

I was able to get opnsense1 as primary and opnsense2 as backup. Failover etc. are all working. My trouble is getting the routing done at the Virtual Switch. I used Alpine Linux for my virtual switch.

All this on a micro firewall with 6-port 2.5GB NICs on the motherboard / J6413 processor. I see CPU spiking up, but if this fix works, I won't mind throwing more cores at this.
#94
German - Deutsch / Re: VPN lässt sich nach Verwen...
Last post by RalfOE - December 09, 2025, 06:40:58 AM
Thank you very much.
I had already expected it to be that simple.
That would be solved, then.
#95
General Discussion / Re: UPNP Broken
Last post by lmnsour - December 09, 2025, 05:28:42 AM
Ok, fixed it.  Stupid error / typo on IP address... Thanks for the assist @franco!
#96
General Discussion / Re: Micron exits consumer mark...
Last post by lmnsour - December 09, 2025, 05:01:50 AM
The entire market is trending towards online subscriptions. Software subscriptions (Windows is on the warpath to a Windows subscription model), gaming (GeForce Now), and soon hardware. Our kids will have to rent CPU cores, memory, GPUs, etc... if someone (cough *STEAM*) doesn't step in.

Game development is also going down the proverbial "corporate greed" toilet. I don't believe the lack of graphics and HDD space optimizations is solely fueled by laziness, but is part of a *wink *wink towards hardware developers such as Nvidia to drive up high-end component demand and reliance on scaling and frame gen. Helldivers 2 just released a beta version that decreases HDD space by almost 1/3rd, from 130ish to 30ish GBs.

It's all a racket and I'm slowly turning into the old grumpy guy complaining about the good ol' days!
#97
25.7, 25.10 Series / Local DNS overrides no longer ...
Last post by empty.watch - December 09, 2025, 04:32:36 AM
A couple of days ago I upgraded from 25.7.7 (_4 or _6, can't remember exactly which) to 25.7.9, and immediately my local DNS overrides in Dnsmasq stopped resolving. I have an AdGuard server which is assigned via DHCP, and is configured with the OPNsense machine as the upstream for the local domain. Internet DNS lookups still work fine; however, requests for the local DNS entries fail to resolve even when the OPNsense machine is queried directly.

I haven't been able to find anything wrong with the configuration (which has worked fine since I set it up a couple of months ago, and has continued to work through a couple of minor version upgrades until now). I tried reapplying the Dnsmasq settings (without any changes) to no effect.

In the Dnsmasq logs, post-upgrade (within minutes) I am now getting the message "ignoring nameserver <OPNsense IP> - local interface".
In my research so far it seems this is normally because the upstream of the DNS server has been set to itself, and this behaviour is to prevent infinitely looping DNS requests. But the upstream for this OPNsense machine is set to Quad9, so I'm not sure what's causing it. I tried changing the upstream in Settings > General to another provider, but this also had no effect. Have I run into a bug introduced with the 25.7.9 update?
#98
Virtual private networks / Re: Applying Wireguard Peer Se...
Last post by crlt - December 09, 2025, 03:33:25 AM
Restarting the WireGuard tunnel interface also produces this behavior. After restarting (main menu reload button next to the wg interface), the static route from the Routes menu and the routes from BGP disappear. I need to click re-apply in the Routes menu on OPNsense and then stop and start FRR for the routes to get written again. WireGuard doesn't actually overwrite it, but rather just removes it from the routing table.

Edit1: Based on this old bug report this would appear to be expected, but I don't understand how it is bad design? How else would we do dynamic routing over redundant tunnels? https://redmine.pfsense.org/issues/11326 OpenVPN doesn't have this issue since using client-specific overrides only adds iroutes and not kernel routes. Maybe the issue isn't WireGuard, but rather that when the WireGuard interface is reloaded it removes any routes added by BGP, which is what I'm seeing (the routes are in the BGP routes but not seen in the kernel routes).

Edit2: Could do an outbound SNAT on the WireGuard interface (src any, dest any) NATed to the interface IP, but then that would remove the ability to define granular firewall rules on the opposite side, as it would look like everything originates from the tunnel address.

Edit3: Is this expected? Should I create a bug report? Would it be an OPNsense or FRR bug?
#99
German - Deutsch / Re: Dynamische WAN IP - Info-M...
Last post by drosophila - December 09, 2025, 01:13:06 AM
That should work with Monit. So first set up Monit with email etc., and then create a test:
First, a new entry in "Service Test settings":
Name -> File content changed
Condition -> Checksum failed
Action -> Alert

Save

and then in "Service Settings":
Name -> DynDNS_change
Type -> File
Path -> /var/cache/ddclient/ddclient.cache (This may also be located somewhere else; you'll have to search for it with "find ddclient.cache"!)
Start ->
Stop ->
Tests -> File content changed (or whatever you named the condition created above)
Depends -> nothing selected
Description -> Check for change in ddclient IP cache

So much for the theory, based on what I found in the docs at a quick glance. Other backends will name their files differently, but the principle stays the same. The "native" backend from OPNS surely does it the same way, but I would first have to find the script and extract the file name from it. Perhaps someone here already knows it and spares us the search?
How to get the IP into the mail as well, though, I can't think of offhand.
#100
25.7, 25.10 Series / Re: Could This Be The Reason?
Last post by Patrick M. Hausen - December 09, 2025, 12:58:09 AM
Adding the magic security device [1] to your network will improve security. Of course.

Might contain traces of sarcasm.

[1] https://www.ranum.com/security/computer_security/papers/a1-firewall/index.html