OPNsense Forum
English Forums => General Discussion => Topic started by: mikey00 on January 18, 2021, 03:53:02 pm
-
So i am running as a VM through proxmox, everything typically works just fine with my 1gb internet, i get close the same speeds my Netgear Nighthawk router was getting.
The issue is the WAN interface keeps dropping connection when it does its DHCP Renewal at 5AM sometimes it works just fine then other times the interface goes DOWN and internet is no longer working. A reboot always fixes the issue and internet comes back for the day typically.
I am using a Spoofed Mac address because i orginally thought it was the mac address because we would lose internet and the connection never came back after reboot. if i changed the Mac address to a spoofed one it worked just fine.
I am not sure what information to provide. keep in mind i am a Network admin so this is not rocket science for me but we are missing something on this end as this shouldnt be happening. is there a setting somewhere in opnsense that needs to be changed?
-
is support for this dead? is this why so many issues with software?
-
I would say nobody answered so far.
Is this a pass-through to a modem? If the link does not down/up and the lease is still valid DHCP will have no way of knowing to reload....
You can set a cron job for this, but it is only as good as the expected disconnect time and if the window is missed the above problem remains true.
Cheers,
Franco
-
I have a cable ISP (router set to bridge mode) with OPNsense and DHCP on WAN. From time to time I request a fresh IP by changing the MAC for WAN. For the last 8 months or so this doesn't work without a reboot of OPNsense and the bridged router.
Bonus: For the last 2-3 months, the box get's an IP and everything is up for 2-5 min, including all tunnels and then the connection is interrupted (no IP on WAN) and a second reboot is needed. It's a pain, but I think it's on the side of the ISP (the DHCP server on WAN had a 10.0.0.0/16 IP last time I checked...), no time to check with them. The ISP always tries to send me a new router (selling point: "It's white !1!!eleven!!"), I guess this new router cannot be set to bridge mode anymore...
-
You need to disable "block private IPs" from OpnSenses WAN interface settings.
10.0.0.0/16 ip block is reserved for private networks, not sure if OpnSense is able to get public IP that way (you might see ip like 10.172.1.1/24 or any private IP on Opnsense WebGui, but by googling, you'll see if both router and opnsense share same public IP), but it is able to connect to the internet as long as routes are correct and your ISP router has internet connection.
OpnSense WAN interface prevents itself from getting IPs which are reserved for private networks by default, and you need to disable that every time you aren't directly connecting WAN to the internet.
-
...
10.0.0.0/16 ip block is reserved for private networks, not sure if OpnSense is able to get public IP that way (you might see ip like 10.172.1.1/24 or any private IP on Opnsense WebGui, but by googling, you'll see if both router and opnsense share same public IP), but it is able to connect to the internet as long as routes are correct and your ISP router has internet connection.
OpnSense WAN interface prevents itself from getting IPs which are reserved for private networks by default, and you need to disable that every time you aren't directly connecting WAN to the internet.
Please read again, the ISP router is bridged. The ISP DHCP server is somewhere in 10.0.0.0/16. I can get a public IP on WAN of OPNsense, but only after 2 reboots.
-
Please read again, the ISP router is bridged. The ISP DHCP server is somewhere in 10.0.0.0/16. I can get a public IP on WAN of OPNsense, but only after 2 reboots.
That's basically what it does, gives you private IP because you are trying to copy IP of your router (MAC address spoofing basically allows you to combine multiple firewalls or routers by "spoofing" DHCP server with MAC address which is stored in DHCP leases.
If you set opnsense wan to spoof MAC address of a interface which IP is 192.168.1.1/24, then your OpnSense WAN IP is 192.168.1.1/24 and you need to disable private network block from it.
Another which you could try, is to setup your router so, that every single port on it gives devices public IP to any device. That ofc will expose your router completely to the internet (switches and access points do that when they are directly connected to the internet)
Anyway, you have to reboot your OpnSense everytime public IP changes, because the wan port doesn't have direct connection to the internet.
-
It worked without reboot for years. And the MAC I spoof for WAN is complete fake (the second half, at least).
Please, my point is: The problem is most likely on the ISP side. @TO: Have a look at your syslog for DHCP and see what fails (even better: a wireshark on the WAN...).
-
You can set a cron job for this, but it is only as good as the expected disconnect time and if the window is missed the above problem remains true.
As a temporary workaround, instead of relying on the cron schedule completely, he could schedule a test script to see if the interface is active (ping yahoo.com, say), and do the restart only if it fails.
-
It worked without reboot for years. And the MAC I spoof for WAN is complete fake (the second half, at least).
Please, my point is: The problem is most likely on the ISP side. @TO: Have a look at your syslog for DHCP and see what fails (even better: a wireshark on the WAN...).
Have you tried if releasing and renewing WAN IP on OpnSense solves the issue same way reboot does?
If so, then your OpnSense might just have wrong release time.
Certain routers might have something called lengthen expiry (or similar, different brands have different label for it and can't remember exact term, since it's been years when I had to play with internet ----> router <----> firewall topology).
First of all your issue shouldn't require reboot, what should work, is just release the IP and renew it (lazy way would be disabling network interface, wait for 1 minute and enable it again or detaching ethernet cable wait for 1 minute and attach it back)
-
Have you tried if releasing and renewing WAN IP on OpnSense solves the issue same way reboot does?
Definitely. Won't help. But where is the TO? Any news?
-
Definitely. Won't help. But where is the TO? Any news?
What do you mean by TO?
-
https://www.dict.cc/?s=thread+opener+TO
;-)
-
So the way mine works is daily it attempts to renew the ip but never establishes connection to the DHCP server. it keeps the same ip but no internet. if i reboot it works fine this process works for about 2 weeks. then at the 2 weekish mark i can reboot 10 times and it never gets internet, i change the mac address and boom its back online again. i think it maybe tied to duplicate mac address found on the DHCP server. being that i am using spoofed mac addresses.
-
think it maybe tied to duplicate mac address found on the DHCP server. being that i am using spoofed mac addresses.
That most likely is the reason, another what might be reason, is if you setup static WAN IP on the device, which is spoofing mac addresses.
If I'm not mistaken, static IPs don't get requests sent by ISPs to confirm connections existence, so your device is connected to internet until ISP sends next request.
-
Made it 4 days lost internet today at 10:50am release renew did not work same as always reboot resolves this is 4 days on the new ip after spoofing mac. We will see what happens at the 2 week mark
Thanks for the support guys troubleshootingnis a pain but version keeps saying it’s my end
-
just providing an update to this issue. its stilll ongoing some times i last a few weeks months even other times its minutes to hours before i lose internet again. I dont think its opnsense but more less the ISP not allowing the mac address or the mac address i am spoofing to comes back online and kicks me off lol.
I use a mac generator to create fake Mac Addresses to change my ip anytime i choose to (kinda like using a proxy or VPN annoymously but its still a local area ip). this used to work perfectly fine with a Sonicwall setup but using opnsense or pfsense Verizon does not work well with for whatever reason. I dont even get over 300mb for speed when i pay for 1g and with Sonicwall or even a Nighthawk router i was getting at least 750mb so i am not impressed at all with opnsense work with Verizon as an isp. I would like to hear from other users with their experiences with different ISP.
-
Gotta love "network admins" that cannot even troubleshoot their home networks properly and then blame the software without any additional data to back it up.
My first thought: If you suspect that your mac spoofing is an issue why not temporarily disable it to see if the problem goes away? Maybe your ISP limits the amount of DHCP leases and if you keep changing MAC you reach the limit and no further DHCP leases will be offered?
Another possibility could be that your virtualized environment has troubles with the spoofed mac and the virtual Interface. (And also a MAC generator? Really? Is it that hard to come up with random MAC's on your own?)
Sniffing on WAN should help you see if you receive DHCP offers and acks.
Regarding performance probably not enough raw power to route your packets? Overbooked host? Other VM's eating up your CPU cycles?
I'm pushing 500Mbit on a virtualized host with an 8th gen i5 2.10GHz base frequency.
-
I ran a SonicWall before with no issues at all. the only reason why i switched is because the Sonic wall couldn't handle 1gb speeds and had only a 500mb through put.
I only said it was weird that it started happening when i switched firewalls. I have even swapped back to my old one and it works fine as it should, with obvious speed and latency issues but no network drop.
instead of bashing people have a little common decency to actually help the community instead of trying to insult people who you think you know more than.
My Virtual Server is a commercial Grade blade server (Dell) that came from a business running 40+ VMs from it pretty sure it has enough capabilities with 128G Ram as well. I also have 1 Network Card with 2 Interfaces ( 1 WAN, 1 LAN -which goes to a Layer 3 Switch that feeds 4 different VLANS). I have thought about adding another card for DMZ handling but i can do all of that routing from my Layer 3 switch.
-
also disabling the Mac address doesn't work either. I did notice however since my last update i made a change to the virtual Mac address through the Hardware settings for the VM itself rather than changing the Mac address in OPNsense, i cant say whether or not that fixed the issue as i have the cron job still running. I can try to turn it off and see if the issue is still happening or not, maybe the mac address spoofing from OPNsense is not recommended way when running from a VM im not sure, i don't have alot of knowledge of OpnSense thats why i came here asking for pointers but instead get treated like i am noob to networking lol its so funny its pathetic.