ClickyMcTicker

ClickyMcTicker , 28 days ago

@bluetrain

>I have had this configured to IP passthrough mode without issue for years. But, after the Opnsense upgrade (and defaults), I did notice that my gateways were configured differently. Previously, my upstream WAN gateway was the IP address of the BGW320-505 box. Now, my upstream WAN gateway is my WAN IP address with a .1 substituted for the final digit.

This is critical info. You have been configured for IP Passthrough for exactly however long ago you updated.

ClickyMcTicker , 28 days ago

@bluetrain
> This doesn’t seem to be an issue and comports with everyone’s guides online for configured IP passthrough mode on the BGW320-505 and, in fact, Opnsense does show my WAN IP address as my actual address (something it did not before!).

This corroborates my assessment. You were previously in a double NAT situation. You saw your WAN IP on your gateway because your WAN IP was your gateway, not your interface IP. You now see the ISP’s head end IP as the gateway due to IP passthru

ClickyMcTicker , 28 days ago

@bluetrain
> The strongest example I’ve uncovered of this is, from my WAN (or LAN) directly accessing my WAN IP.

What have you been testing from? Laptop pointed to LAN IP, laptop pointed to WAN IP, and cellphone with WiFi disabled pointed to WAN IP?

ClickyMcTicker , 2 months ago

@mfat Depending on how they’re blocking VPNs (i.e. blocking specific ports, or allowing specific ports), you may be able to run one on a non-standard port. As an extreme example, you could run Wireguard on port 80 (HTTP), which is practically the last possible port that can ever be blocked on public internet.