Quote from: CJ on October 01, 2023, 03:21:05 pm
Yes, IIRC, this was done to avoid issues with dynamic interfaces such as wireguard not being picked up. So instead of a default deny with allow rules added for each interface subnet, unbound was changed to a default allow.

I see, I must have missed that in the changelog. I do remember something to that effect, but not the UI changes being mentioned. The Default Action setting doesn't work for me, though. It only affects OPNsense itself, but not the Interfaces. They continue having Unbound access regardless of whether it is set to Deny. I'm probably misunderstanding how the option should be used.

What about the missing Allow Snoop/Deny Non-local/Refuse Non-local?
I do. They don't show anything being blocked, but they do show a different outgoing address being used. Before WG service restart, pings go out to WAN from the WG interface IP. After restart, from the WAN interface IP. NAT not working?

OPNsense fresh boot, before manual WG restart:

Code:
    wan 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp let out anything from firewall host itself
    WGxInternet 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
    wan 2023-10-01T15:43:54 10.101.80.1 1.1.1.1 icmp let out anything from firewall host itself
    WGxInternet 2023-10-01T15:43:54 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet

After manual WG restart:

Code:
    wan 2023-10-01T15:44:56 192.168.61.10 1.1.1.1 icmp let out anything from firewall host itself (force gw)
    WGxInternet 2023-10-01T15:44:56 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
    wan 2023-10-01T15:44:55 192.168.61.10 1.1.1.1 icmp let out anything from firewall host itself (force gw)
    WGxInternet 2023-10-01T15:44:55 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
I did a fresh installation of OPNsense on a separate machine to continue my troubleshooting with the issues I've been having with the new Wireguard kernel update to 2.0 and it looks like the 'main issue' is starting to lead to here: Wireguard doesn't establish a connection at boot.

I disabled Unbound DNS to rule that out as the culprit for the issues I've been having since updating to 23.7.3 (when Wireguard was updated to 2.0) and it looks like it wasn't related. I backed up all my configuration _before_ doing the Wireguard setup. Can reboot, use internet, etc. nothing wrong whatsoever. But then the problem started after I setup Wireguard. Just for clarity, here's what I did:

Setup an endpoint, setup the local instance, and enable it. You get a Wireguard connection from the Firewall itself and can see this with the `wg` command. You can ping and curl and verify VPN access from the firewall. Before doing anything else - Reboot the firewall. Now go back to the Wireguard plugin, and you'll see it tries to send data, but never receives. It's completely stuck, even with the default NAT rules. Verified in an SSH session too, just to make sure. Go to the plugin, uncheck it, save, check it again, save... VPN connection is back and running.

So I'm starting to think the main issue/bug I've been running into the past month or whatnot is potentially a result of this issue. All in all, can +1 the report of WG not working unless manually restarting the plugin.
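One way to spot the stuck-at-boot state described above from a shell, instead of clicking through the plugin, is to check handshake ages from wg(8): a peer that shows data sent but nothing received will also show no handshake (0) or one that keeps getting older. This is an added example, not code from the thread or from OPNsense; it assumes the output format of `wg show all latest-handshakes` (interface, peer public key, epoch seconds, 0 meaning never), a constructed sample, and a 180 s staleness threshold.

```shell
#!/bin/sh
# Added example, not from the thread: flag WireGuard peers that have no
# handshake or a stale one, using the output format of
# `wg show all latest-handshakes` (interface, peer public key, handshake
# time as epoch seconds; 0 = never). The sample input below is constructed.

# stale_peers THRESHOLD_SECONDS NOW_EPOCH
# Reads handshake lines on stdin and prints one line per stale peer:
#   <interface> <peer> never|<age>s
stale_peers() {
    awk -v t="$1" -v now="$2" '
        NF >= 3 {
            if ($3 == 0) { print $1, $2, "never"; next }   # no handshake since boot
            age = now - $3
            if (age > t) print $1, $2, age "s"            # tunnel went quiet
        }'
}

# count_stale THRESHOLD_SECONDS NOW_EPOCH: prints the number of stale peers
count_stale() {
    stale_peers "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample (real output is tab-separated; awk accepts tabs or spaces).
# The keys are placeholders, not real WireGuard public keys.
SAMPLE='wg0 PEER_A_PLACEHOLDER= 1696172400
wg0 PEER_B_PLACEHOLDER= 0
wg1 PEER_C_PLACEHOLDER= 1696172700'

# Live use on the firewall (assumed threshold of 180 s) would be:
#   wg show all latest-handshakes | stale_peers 180 "$(date +%s)"
# Here it runs against the sample at a fixed "now" so the result is reproducible.
printf '%s\n' "$SAMPLE" | stale_peers 180 1696172800
```

Against the sample this prints PEER_A as 400 s stale and PEER_B as "never"; PEER_C, with a handshake 100 s ago, is healthy.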
What does your config look like? Did you change any other settings besides setting up WG?

Also, I want to clarify something. Are you attempting to initiate traffic from the OPNSense side to the client and that's not what's working? Or are you initiating traffic from the client side to OPNSense?

What do your WG configs look like? Are you using IPs, domains, etc?
Apologies, forgot to reach back out on this!

1. Made changes to nothing else except WG because I wanted to confirm it was WG and not something else
2. Neither work prior to restarting the service, both work after
3. IPs, following the guide word-for-word from the OPNsense wiki as well. Basically kept DNS out of this as much as possible.

Hoping Kinerg's bug report and next update will resolve all this though, so guess we'll see soon-ish?