Re-application of firewall rules needed to allow Wireguard routing after reboot

Seimus · November 29, 2023, 02:49:49 PM

Thats correct,

Gateway monitoring is set only for WAN interface > TELCO GW
For WG there is no Gateway monitoring configured.

Regards,
S.

Seimus · January 06, 2024, 12:46:43 PM

Hello @Franco,

I upgraded OPN to 23.7.11 and still can see the issue for WG. NAT rules not being applied for WG even and need to be reapplied after reboot. Using automatic NAT rules.

Regards,
S.

Seimus · January 17, 2024, 03:43:38 PM

I upgraded OPN to 23.7.12, can confirm issue is still present and reproducible. Weird that this happens.

When I will have time I will change the NAT mode and configure the NAT rules manually to see if it will behave differently (currently I am using NAT in automatic mode).

Regards,
S.

Westie · January 29, 2024, 07:52:42 PM

Hi Franco

I'm still experiencing this issue in production as well as my homelab.

As I'm rebooting more often in my homelab, I'm having to manually restart dhcpd/DNS services to take into consideration wireguard

My new workaround script is: https://gist.github.com/Westie/5557cffd927dd32de93255e5ac4a22e0

As an aside, when booting the firewall VM I've noticed in the serial console that DHCP, DNS services etc seem to set up before Wireguard/other VPN services have been set up.

May this might be related to the issues I'm experiencing?

CJ · January 30, 2024, 09:05:17 PM

Quote from: Westie on January 29, 2024, 07:52:42 PM
Hi Franco

I'm still experiencing this issue in production as well as my homelab.

As I'm rebooting more often in my homelab, I'm having to manually restart dhcpd/DNS services to take into consideration wireguard

My new workaround script is: https://gist.github.com/Westie/5557cffd927dd32de93255e5ac4a22e0

As an aside, when booting the firewall VM I've noticed in the serial console that DHCP, DNS services etc seem to set up before Wireguard/other VPN services have been set up.

May this might be related to the issues I'm experiencing?

Do you have Unbound, etc restricted to certain interfaces? That can cause the problem of it not listening on dynamic interfaces that aren't there when it starts. That's why everything in OPNsense is set to listen to all interfaces and uses firewall rules to lock down access.

Seimus · February 03, 2024, 05:24:50 PM

Not sure if to reopen this thread under 24.1 subforum, but for now I will post here.

This issue is still present on 24.1 as well. Interesting fact is that on the 23.7 release, from live view I could see that Rules work as they should but traffic is not NAted.

Now on 24.1 I can see that after the reboot, WG traffic that is going thru the OPNsense towards the internet starts to hit the default Deny rule. When checking the Rules on the dedicated WG interface they were all present. After hitting the apply button it started to work again. One note here I have my WG interface as part of FW Group, either after hitting the apply there or on the interface directly, WG traffic towards internet started to work again.

Regards,
S.

franco · February 04, 2024, 12:05:27 PM

We will be tracking this here: https://github.com/opnsense/core/issues/7148

Seimus · February 04, 2024, 04:00:22 PM

Thanks franco I always forget that GitHub BUG reports for OPN exists too. I will track this there!

Regards,
S.

Re-application of firewall rules needed to allow Wireguard routing after reboot

Seimus

November 29, 2023, 02:49:49 PM #15

Seimus

January 06, 2024, 12:46:43 PM #16

Seimus

January 17, 2024, 03:43:38 PM #17

Westie

January 29, 2024, 07:52:42 PM #18

CJ

January 30, 2024, 09:05:17 PM #19

Seimus

February 03, 2024, 05:24:50 PM #20

franco

February 04, 2024, 12:05:27 PM #21

Seimus

February 04, 2024, 04:00:22 PM #22