Welcome to the Home Network Guy forum!

Recent Posts

Troubleshooting / Wireguard Site-to-site with selective routing
« Last post by ReDaLeRt on December 28, 2021, 08:19:16 AM »
Hello.

I followed the tutorial here, as a first troubleshooting step: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/#_

My issue with selective routing is accessing a specific public IP range (213.13.24.0/24) from an OpenWrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on Site "B" as "allowed IPs" for the tunnel, so that Site "B" can access it through Site "A", isn't working as expected:

Code:
tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments below.

A half workaround on site B is to enable masquerading to get selective routing, but it blocks site A from accessing site B:

Code:
uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

I'm hoping that someone could shed some light into this. :-)

Thanks.
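An added diagnostic for the selective-routing question above (example code, not from the post or the linked tutorial): it applies WireGuard's cryptokey routing rules to the addresses given in the post, for both directions of a flow. The AllowedIPs lists are assumed for illustration, not the poster's actual configuration.

```python
"""Check whether a flow can cross a WireGuard site-to-site tunnel.

WireGuard's cryptokey routing sends a packet to the peer whose AllowedIPs
has the longest prefix covering the destination, and accepts a packet from
a peer only if that peer's AllowedIPs covers the source. Both directions
must hold. A private source reaching a public destination must also be
NATed at the exit site, since replies to an RFC 1918 source cannot return.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed example (assumption, not the poster's real configuration):
# Site B (OpenWrt, LAN 192.168.0.0/24, tunnel 10.0.0.2) peers with Site A.
SITE_B_PEERS: Dict[str, List[str]] = {
    "site_a": ["10.0.0.1/32", "192.168.10.0/24", "213.13.24.0/24"],
}
# Site A (OPNsense, LAN 192.168.10.0/24, tunnel 10.0.0.1) peers with Site B.
SITE_A_PEERS: Dict[str, List[str]] = {
    "site_b": ["10.0.0.2/32", "192.168.0.0/24"],
}


def select_peer(peers: Dict[str, List[str]], ip: str) -> Optional[str]:
    """Longest-prefix match over every peer's AllowedIPs; None if nothing covers ip."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def check_flow(src: str, dst: str) -> List[str]:
    """Findings for a packet src -> dst leaving Site B's LAN via Site A; [] means clean."""
    findings = []
    if select_peer(SITE_B_PEERS, dst) != "site_a":
        findings.append(f"Site B will not tunnel {dst}: no site_a AllowedIPs entry covers it")
    if select_peer(SITE_A_PEERS, src) != "site_b":
        findings.append(f"Site A will drop packets from {src}: not in site_b AllowedIPs")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_private and d.is_global:
        findings.append(f"Site A must outbound-NAT {src} to its WAN address for {dst}")
    return findings


if __name__ == "__main__":
    for line in check_flow("192.168.0.50", "213.13.24.11"):
        print(line)
```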
How-to Discussions / Re: Clarification on Basic DMZ How-to
« Last post by Home Network Guy on December 01, 2021, 11:51:45 AM »
Yes, it sounds like you have a great understanding! You're welcome. I'm glad you like my posts.

I think what happened is that I mimicked some of the rules I used on my network since I knew they worked properly. Then later I realized I had some unnecessary rules created on my firewall and cleaned them up. However, I didn't think to go back to clean them up on that article. I've had several revisions of my rules on my firewall so sometimes cleanup is necessary! Thanks for pointing that out because I like having accurate information.
How-to Discussions / Re: Clarification on Basic DMZ How-to
« Last post by Spectre5 on November 30, 2021, 01:00:30 AM »
Great, thanks.  Just trying to confirm my understanding!  Great site, thanks for all your posts!
How-to Discussions / Re: Clarification on Basic DMZ How-to
« Last post by Home Network Guy on November 25, 2021, 11:14:20 PM »
That’s a good catch. I may have made those rules mimic the rules I was using at the time of the writing of the article so I know I had working rules.

Rule 3 is redundant (unless accessing some other service on the DMZ interface that is running on OPNsense).

I need to go back to simplify and clean up those rules. Thanks for the feedback!
How-to Discussions / Clarification on Basic DMZ How-to
« Last post by Spectre5 on November 25, 2021, 02:46:29 PM »
I've read through Basic DMZ article here:
https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/

I have a question on the firewall rule in the section "Allow access to DMZ network interface".  It indicates that "...this rule is necessary because of the next firewall rule below that blocks all private networks. Without it, the network would not have Internet access since the interface/gateway IP address would be blocked"  However, I don't understand why this is true (that the internet wouldn't work without this rule).

In a previous rule the DNS is already allowed, so the DMZ can resolve URLs to IP address.  Then the clients would request that IP address, which is not a private address and would then fall into rule 5, "Allow access to all other traffic".

If you don't care about pinging the router or accessing the router from the DMZ, then what traffic would this "allow access to the DMZ network interface" be necessary for?  As far as I can tell, you can access the internet without it.

I've disabled this rule and my DMZ can still access websites just fine (although my network topology and rules are not all identical to this article).  Am I missing something?
Tech Discussions / Re: IPv6 Confirmation
« Last post by Home Network Guy on November 12, 2021, 11:19:18 AM »
Sorry I didn't see this sooner. I think sometimes subsequent comments are not always emailed to me to reduce the number of email notifications.

I don't know if the track interface will work behind another firewall unless you can somehow use delegated prefixes from the other router you have on your network. The ISP provided modem/router is not always the most feature rich. They seem to only have the most basic features available for you to manipulate (hence why OPNsense/pfSense is awesome). My guide was written as OPNsense being the main router. When you run OPNsense behind another router, it complicates the setup and you may not have all features available to you or you have to go about configuring them differently because you are now on a network that's behind another network. Having OPNsense as your main top level router enables you to do more since it's the main entry point into your network.

I know we have had some discussions on Twitter, but I wanted to reply for others to see.
Tech Discussions / Re: IPv6 Confirmation
« Last post by Shaggy on October 31, 2021, 04:52:52 PM »
Just wanted to give a full update on where I'm at. I dug further and tried following the guide but with no luck, IPv6 for devices is not working.

-WAN uses DHCP6.
-I switched my LAN interface to use a Track Interface (can only select Prefix 0).
-I created the WAN rule requested for All:547 -> All:546.

What I have noticed is that the dhcpcd service is not running. I sadly don't have the skill to troubleshoot this issue any further.

Would you be able to point me in the right direction of how I could troubleshoot this issue?
I would like to add that the OPNsense firewall is behind another gateway:
Rented Modem -> OPNsense -> Switch -> Device
Tech Discussions / Re: IPv6 Confirmation
« Last post by Shaggy on October 28, 2021, 02:30:58 AM »
Quote from: Home Network Guy
No problem! Please report back since others may be interested in that info. I only have one Android tablet I could test with.

Screenshot is of my Pixel 5 being connected to the Wi-Fi network using DHCPv6.

Update:
I noticed I am currently only getting an IPv6 address that is either for LAN or loopback.
Could this be a loopback address?
Tech Discussions / Re: IPv6 Confirmation
« Last post by Home Network Guy on October 17, 2021, 04:03:43 PM »
No problem! Please report back since others may be interested in that info. I only have one Android tablet I could test with.
Tech Discussions / Re: IPv6 Confirmation
« Last post by Shaggy on October 17, 2021, 02:34:23 PM »
You're welcome, thank you for responding back.

I am mistaken, I tested connectivity on a non-OPNsense router. I will be able to test IPv6 connectivity after I have configured my VLANs.