sw:opnsense:issues [2019/04/09 11:13] niziak
sw:opnsense:issues [2020/10/21 15:05] (current) niziak
Line 1: | Line 1: | ||
- | ======= multiwan ======= | + | ====== ISSUES ====== |
- | ====== multiwan: port reflection not working ====== | + | |
+ | ===== flowd ===== | ||
+ | flowd.log is 5GB. | ||
+ | flowd_aggregate.py died (Insight Aggregator service). | ||
+ | Workaround is to use monit: | ||
+ | |||
+ | {{:sw:opnsense:pasted:20200513-140645.png}} | ||
+ | |||
+ | ===== Multiwan ===== | ||
+ | |||
+ | ==== multiwan: when primary WAN fails, local connectivity stops ==== | ||
+ | Primary WAN fails: | ||
+ | - Local (from OPNSense host) DNS doesn't work | ||
+ | - local connectivity also doesn't work ``No route to host`` | ||
+ | - internet for LAN users works (switched to WAN2) | ||
+ | - one LAN device cannot connect to 8.8.8.8 DNS server, because this request is still forwarded to WAN1 | ||
+ | |||
+ | SOLUTION ? | ||
+ | PROPOSALS: | ||
+ | - Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED <– uncheck this | ||
+ | |||
+ | |||
+ | ==== multiwan: port reflection not working ==== | ||
**Scenario:** | **Scenario:** | ||
* Not possible to connect to port-forwarded service using WAN IP | * Not possible to connect to port-forwarded service using WAN IP | ||
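Review bot: the "when primary WAN fails" entry ends with "SOLUTION ?" and a single proposal, so it is not clear whether unchecking "Allow DNS server list to be overridden by DHCP/PPP on WAN" was actually verified to restore local DNS and local connectivity after failover; either record the observed outcome or mark the item as still open. Two smaller points in the same hunk: the flowd workaround is only a screenshot ({{:sw:opnsense:pasted:20200513-140645.png}}), so the monit check itself (what it watches and what it restarts) is neither searchable nor copyable, and ``No route to host`` uses backticks where the rest of the page uses DokuWiki's ''...'' for inline code (as in tracking ''none'' further down).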
Line 15: | Line 37: | ||
* Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface | * Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface | ||
- | ====== multiwan: port forwards ====== | + | ==== multiwan: port forwards ==== |
**Scenario:** | **Scenario:** | ||
Line 27: | Line 49: | ||
- | ====== multi wan: lan gw was chosen ====== | + | ===== multi wan: lan gw was chosen ==== |
If gateway switching is used, it is needed to set all not WAN gateways as forced down. | If gateway switching is used, it is needed to set all not WAN gateways as forced down. | ||
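Review bot: the new heading ===== multi wan: lan gw was chosen ==== has five = on the left and four on the right; the other multiwan entries in this revision ("port reflection", "port forwards") were changed to ==== on both sides, so this one should be ==== as well, otherwise it is parsed at a different level from its sibling entries under "Multiwan".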
Line 35: | Line 57: | ||
System --> Gateways --> Single --> ... --> Mark Gateway as Down | System --> Gateways --> Single --> ... --> Mark Gateway as Down | ||
- | ======= static route from LAN to LAN not working ======= | + | ====== static route from LAN to LAN not working ====== |
Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected) | Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected) | ||
Line 56: | Line 78: | ||
Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.) | Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.) | ||
+ | |||
+ | ====== cannot reach another VLAN from VPN ====== | ||
+ | |||
+ | Check for asymetric routing. Firewall cannot track one way packet flow so packets are blocke by default rule. | ||
+ | Solution is to add pass rule without connection tracking enabled (tracking ''none''). | ||
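Review bot: a pass rule with state tracking ''none'' turns off stateful inspection for everything it matches, so the note should say that the rule is scoped to the specific VPN source and VLAN destination (and protocol/ports where possible) rather than any-to-any, and should record which direction's reply traffic was being dropped; where the topology allows, making both directions traverse the firewall is the cleaner fix than disabling tracking. Also "asymetric" and "blocke" should read "asymmetric" and "blocked".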