meta data for this page
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sw:opnsense:issues [2019/04/09 11:13] niziak |
sw:opnsense:issues [2020/10/21 15:05] (current) niziak |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ======= multiwan ======= | + | ====== ISSUES ====== |
| - | ====== multiwan: port reflection not working ====== | + | |
| + | ===== flowd ===== | ||
| + | flowd.log is 5GB. | ||
| + | flowd_aggregate.py died (Insight Aggregator service). | ||
| + | Workaround is to use monit: | ||
| + | |||
| + | {{:sw:opnsense:pasted:20200513-140645.png}} | ||
| + | |||
| + | ===== Multiwan ===== | ||
| + | |||
| + | ==== multiwan: when primary WAN fails, local connectivity stops ==== | ||
| + | Primary WAN fails: | ||
| + | - Local (from OPNSense host) DNS doesn't work | ||
| + | - local connectivity also doesn't work ``No route to host`` | ||
| + | - internet for LAN users works (switched to WAN2) | ||
| + | - one LAN device cannot connect to 8.8.8.8 DNS server, because this request is still forwarded to WAN1 | ||
| + | |||
| + | SOLUTION ? | ||
| + | PROPOSALS: | ||
| + | - Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED <– uncheck this | ||
| + | |||
| + | |||
| + | ==== multiwan: port reflection not working ==== | ||
| **Scenario:** | **Scenario:** | ||
| * Not possible to connect to port-forwarded service using WAN IP | * Not possible to connect to port-forwarded service using WAN IP | ||
| Line 15: | Line 37: | ||
| * Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface | * Do not create NAT rule for **interface group**. Use duplicated rules for each WAN interface | ||
| - | ====== multiwan: port forwards ====== | + | ==== multiwan: port forwards ==== |
| **Scenario:** | **Scenario:** | ||
| Line 27: | Line 49: | ||
| - | ====== multi wan: lan gw was chosen ====== | + | ===== multi wan: lan gw was chosen ==== |
| If gateway switching is used, it is needed to set all not WAN gateways as forced down. | If gateway switching is used, it is needed to set all not WAN gateways as forced down. | ||
| Line 35: | Line 57: | ||
| System --> Gateways --> Single --> ... --> Mark Gateway as Down | System --> Gateways --> Single --> ... --> Mark Gateway as Down | ||
| - | ======= static route from LAN to LAN not working ======= | + | ====== static route from LAN to LAN not working ====== |
| Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected) | Problem is that all outgoing traffic on LAN interface is using LAN gateway (autodetected) | ||
| Line 56: | Line 78: | ||
| Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.) | Firewall --> Settings --> Advanced: Tick **Disable force gateway** (Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.) | ||
| + | |||
| + | ====== cannot reach another VLAN from VPN ====== | ||
| + | |||
| + | Check for asymetric routing. Firewall cannot track one way packet flow so packets are blocke by default rule. | ||
| + | Solution is to add pass rule without connection tracking enabled (tracking ''none''). | ||