Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways
« previous
next »
Print
Pages: [
1
]
Author
Topic: Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways (Read 1348 times)
SgtKilgore406
Newbie
Posts: 1
Karma: 0
Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways
«
on:
February 24, 2024, 06:43:14 am »
Hello!
I wanted to leave this suggestion, though more of a personal request, for the developers. Could you please reconsider how tunnel interfaces (WireGuard for example) are treated when it comes to assigning a static IP address to them?
The reason for this request is needing to have OPNsense automatically generate Outbound NAT rules for the VPN tunnel gateway. Normally, on any other interface, I would simply assign a static IP and then manually select the gateway that should be used. Unfortunately if I try that on a tunnel interface I am greeted with the following error:
"
The following input errors were detected:
Cannot assign an IP configuration type to a tunnel interface.
"
If I try leaving the IP address field alone and just set a gateway I get the additional error:
The field IPv4 address is required.
My network set up is very similar to this Reddit thread:
https://www.reddit.com/r/PFSENSE/comments/11x60g2/wantowireguardtolan_replyto_bug/?rdt=39763
In my case I'm using VPS hosting (mix of OPNsense and pfSense FWs) to act as a port forwarding front end with a WG VPN tunnel that links to my local OPNsense FW. For the port forward routing to work properly there needs to be outbound NAT rules so that port forwarded traffic flows back out through the VPN tunnel. While I could manually create the outbound rules it would be extremely messy given the number of interfaces I have.
As it stand currently I have to:
Export my configuration.
Find the tunnel interface in question.
Add the following line to the interface:
<gateway>GATEWAY_NAME_GW_IPv4</gateway>
Then re-import the configuration. For the re-import I just select the interfaces.
That allows me to force the gateway assignment on the tunnel interface and have OPNsense create the auto Outbound NAT rules.
For my sanity and possibly others it would be nice to have the ability to set a static IP, or at the very least assign a gateway, to tunnel interfaces from the OPNsense GUI.
Sincerely,
SgtKilgore406
P.S.
This topic is the result of me pulling my hair out the last 3+ hours troubleshooting why my port forwarding stopped after the 24.1 upgrade on my local FW. (Everything else upgraded without issue by the way, great job on this release!)
P.S.S.
I originally started my firewall journey with pfSense, and have about a decade of experience with it. I am currently almost 2 years into my OPNsense journey and really like what it has to offer. I know pfSense allows tunnel interfaces to be assigned IP addresses and I think that would be a nice feature for OPNsense to have as well.
Logged
paschtin
Newbie
Posts: 6
Karma: 0
Re: Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways
«
Reply #1 on:
March 21, 2024, 08:28:52 pm »
I had a working setup for at least a year with a site-to-site Wireguard tunnel according to this setup:
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html
When I tried to add another Wireguard interface to my setup, I was facing this exact issue. Entering an IP and selecting a gateway for a wireguard interface was possible in an older version, and now it isn't anymore. What is the correct way of doing this now (24.1.4)?
Regards
Logged
Patrick M. Hausen
Hero Member
Posts: 6841
Karma: 574
Re: Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways
«
Reply #2 on:
March 21, 2024, 09:43:21 pm »
Assign a tunnel address in the WG instance settings. Assign AllowedIPs in the WG peer settings. Voila - IP address on the tunnel interface and a route for everything you like into the tunnel.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways
«
Reply #3 on:
March 22, 2024, 06:57:43 am »
Keep in mind if you set a network for your tunnel address you don't need "allowed" "IPs" that are inside that network because the whole network is already "allowed" (routed really).
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways