Remote Access to OPNSense 24.7_9

[tim777]

attached  screenshots in addition to the FW rule for WAN already posted.

Please tell me if I missed something.

[cookiemonster]

thanks for stepping in Patrick.
tim777 - your WAN firewall rule. Missing here. Still on your very first post on the thread but can you double check.
You showed it all wrong for WG. That is a rule for port 80 and from what seems an internal alias, but you later wrote that you had followed the different docs and tutorials, so best to confirm.

[tim777]

Hi Cookiemonster,

You can find the screenshot on page 2 replay #26.
There is the WAN rule UDP to 51820.
This is not an alias, I just renamed WAN to WAN_Digi (later a second I-Net provider is planned as backup). Maybe I shouldn't have done this?

[cookiemonster]

I saw that one and thought it couldn't be it. Why would you use that network as a source of traffic to allow?
It should be "any". Compare with the manual https://docs.opnsense.org/manual/how-tos/wireguard-client.html, step 5. In short, please review your rules. Right now that rule is not allowing the client to reach the FW.

[cookiemonster]

now wait, my mistake. I was looking at #22 I think. Saw the correct #26 after. I'll check this again. Need to be in work meetings from now.

[tim777]

Need to be in work meetings from now.

I know, I know, this thing that holds us back from  important things to do 

[cookiemonster]

I can't see anything wrong with the rules. My guess then is we need to check your public keys are the right ones in the right place. But first let's also check it your client is reaching the FW from the outside. From the flatline in the widget it suggests either not or blocked but firewall rule seems fine.
Can you go to Firewall > Log files > Live view and filter with: port contains 51820 (or whatever port you have wg interface listening on); interface contains wg (whatever name you gave to your wg interface, it will appear in the dropdown). Enable "Select any of given criteria (or) ". For hits to leave a record, you need to have enabled logging on the WAN rule for wireguard.
Then try to connect from your client. It it is hitting, we shall see it here.

[Patrick M. Hausen]

Also: are you sure the OPNsense WAN address is publicly reachable and not behind CGNAT?

If your WAN address starts with anything from 100.64. to 100.127. you cannot to your OPNsense via IPv4.

[tim777]

Hi, the IP is reachable, I was able to connect to the Vilfo router. The provider comes even with a DDNS.

Thanks guys for your support! I need a solution until Friday evening, otherwise I have to switch back. Don't know if I will try again if it doesn't work.
I have also some other requirements, Like site-to-site VPN, different device groups that should use different VPN connections, or go through the I-net provider, etc. If this supposedly easy task does not work, what to expect for the rest? I don't know if it's this new version or a general problem. It's my second attempt to use OPNsense.
While I'm not a FW specialist  I'm still quite experienced with IT.


Could Pfsense be a better solution?
I know it's almost the same, but maybe more stable.
Regards

[Patrick M. Hausen]

Use tcpdump to check if packets from your Mac arrive at the WAN interface ...

[tim777]

I have started the tcpdump.

But first I checked with the Network Analyzer App on my phone the public IP (from outside of my network).

Ping ok
Trace route gives results
Whois also gives information about the provider etc

but

Port scan = 0 open/all blocked? That shouldn't be, since I have some rules on the FW.


Also I noticed under Interfaces/Overview that the igc0 IF (first physical port that is connected to the WAN/ONT) with a IPv6 address is not assigned. I have a WAN IF as PPPoE where I can see the public IP.