sw:opnsense:issues [2019/04/09 10:38] niziak
sw:opnsense:issues [2020/10/21 15:05] (current) niziak
====== ISSUES ======

===== flowd =====
flowd.log is 5GB.
flowd_aggregate.py died (Insight Aggregator service).
Workaround is to use monit:

{{:sw:opnsense:pasted:20200513-140645.png}}

===== Multiwan =====

==== multiwan: when primary WAN fails, local connectivity stops ====
Primary WAN fails:
  - Local (from OPNsense host) DNS doesn't work
  - local connectivity also doesn't work: ''No route to host''
  - internet for LAN users works (switched to WAN2)
  - one LAN device cannot connect to 8.8.8.8 DNS server, because this request is still forwarded to WAN1

SOLUTION ?
PROPOSALS:
  - Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED <-- uncheck this

==== multiwan: port reflection not working ====
**Scenario:**
  * Not possible to connect to port-forwarded service using WAN IP
**Problem 1**
  * Problem caused by policy-based routing with a Multi-WAN setup:
    * Firewall --> Rules --> LAN: when all LAN traffic has a gateway set, LAN-to-LAN traffic is also pushed to that gateway. LAN-to-LAN traffic should use the default gateway.
**Solution 1**
  * Add rule before default gateway rule: LAN net --> LAN net to use Gateway default
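The ordering fix from Solution 1, written out in pf.conf syntax as an added illustration. This is not the page's own configuration and not OPNsense-generated output; the interface names, the LAN network and the WAN1 gateway address are assumed placeholders.

```pf
# Added example, not from the original page: policy-based routing on LAN
# expressed as pf.conf rules. Interface names, networks and the gateway IP
# below are assumed placeholders.
lan     = "igb0"
wan1    = "igb1"
wan1_gw = "203.0.113.1"
lan_net = "192.168.1.0/24"

# With "quick", pf stops at the first matching rule, so rule order decides.

# 1) LAN-to-LAN traffic is not pinned to WAN1: no route-to, so the system
#    routing table (default gateway) is used. NAT reflection rewrites the
#    destination (WAN IP) to the LAN host before filtering, so a reflected
#    connection from a LAN client also matches this rule.
pass in quick on $lan inet from $lan_net to $lan_net keep state

# 2) Everything else from LAN is policy-routed out WAN1. If this rule came
#    first it would also catch LAN-to-LAN packets and hand them to the WAN1
#    gateway, which is the "port reflection not working" symptom.
pass in quick on $lan inet from $lan_net to any route-to ($wan1 $wan1_gw) keep state
```

OPNsense adds `quick` to the rules it generates, so the first match wins; placing the LAN net --> LAN net rule above the gateway rule in Firewall --> Rules --> LAN is what gives it precedence. `pfctl -sr` shows the loaded rules in their evaluation order.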
  
**Problem 2**
  * When an interface group is used as the interface in **Firewall --> NAT --> Port Forward**, reply-to rules are not generated.
**Solution 2**
  * Do not create the NAT rule for an **interface group**. Use duplicated rules, one for each WAN interface.
  
==== multiwan: port forwards ====

**Scenario:**
[...]
  * Connection from world to WAN1 IP port 2196 works.
  * Connection from world to WAN2 IP port 2196 doesn't work. It is correctly forwarded to the LAN host, but the response is sent using the wrong interface, WAN1 (src IP is WAN2 IP).
**Solution**
  * Do not create the NAT rule for an **interface group**. Use duplicated rules, one for each WAN interface.
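The same fix serves Problem 2 in the port reflection section above and this scenario. As an added example (not from the page and not OPNsense-generated output), here are per-WAN forwards for port 2196 with `reply-to` in pf.conf syntax; interface names, WAN gateway addresses and the LAN host address are assumed placeholders.

```pf
# Added example, not from the original page: one port forward per WAN
# interface, each with its own reply-to, instead of a single forward bound
# to an interface group. Interfaces, gateway IPs and the LAN host are
# assumed placeholders; port 2196 is the one from the scenario.
wan1    = "igb1"
wan2    = "igb2"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
srv     = "192.168.1.10"

# Forward TCP/2196 arriving on each WAN address to the LAN host.
rdr on $wan1 inet proto tcp from any to ($wan1) port 2196 -> $srv port 2196
rdr on $wan2 inet proto tcp from any to ($wan2) port 2196 -> $srv port 2196

# Matching pass rules. "reply-to" records in the state entry that return
# traffic for this connection must leave through the interface and gateway
# it arrived on. Without it, replies to connections that entered on WAN2
# follow the default route out WAN1 while still carrying WAN2's source IP,
# which is the failure described above.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) inet proto tcp from any to $srv port 2196 keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp from any to $srv port 2196 keep state
```

After reloading, `pfctl -sr` should list a separate pass rule per WAN interface, each carrying its own `reply-to`; a rule on an interface group has no single gateway to attach, which is why none is generated there.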
  
==== multi wan: lan gw was chosen ====
If gateway switching is used, all non-WAN gateways need to be set as forced down.
[...]
Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.)
  

====== cannot reach another VLAN from VPN ======

Check for asymmetric routing. The firewall cannot track a one-way packet flow, so the packets are blocked by the default rule.
Solution is to add a pass rule without connection tracking (state type ''none'').
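The stateless pass rule described above, in pf.conf syntax, as an added example that is not the page's own configuration or OPNsense output; the VLAN interface name and both networks are assumed placeholders.

```pf
# Added example, not from the original page: pass rules with no state
# tracking for an asymmetric path between a VPN network and a VLAN.
# Interface name and networks are assumed placeholders.
vlan     = "vlan20"
vpn_net  = "10.8.0.0/24"
vlan_net = "192.168.20.0/24"

# A normal stateful rule expects pf to see both directions of a flow. When
# the return path bypasses this firewall, the state is never completed and
# the packets pf does see fall through to the default block rule.
#
# "no state" makes pf evaluate the rule per packet without creating a state
# entry, so the half of the flow that crosses this interface is passed on
# its own. This is what OPNsense's state type "none" produces.
pass in  quick on $vlan inet from $vpn_net  to $vlan_net no state
pass out quick on $vlan inet from $vlan_net to $vpn_net  no state
```

Which direction needs the stateless rule depends on which leg of the flow actually crosses the firewall; keep whichever one applies. Because a stateless rule gives up pf's sequence and direction checks for the traffic it matches, keep the source and destination networks as narrow as the VPN-to-VLAN path requires rather than using `any`.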