Hey, I'm facing the same issue described here:
https://forum.opnsense.org/index.php?topic=14946.0
Is there a way to fix this?
Thanks!
Hi
Have you tried disabling the "Dynamic state reset" option? Is this causing any problem?
I need to keep this enabled because of VoIP.
The connections need to be killed on new IP but only on PPPoE not on VPN.
Quote: I need to keep this enabled because of VoIP.
I understand this, but some changes have been made and this option may no longer be needed
*on 22.1
Quote from: franco on January 06, 2022, 08:39:07 AM
*on 22.1
On 22.1 what happens? Is there a solution to our problem?
Can you describe what has been changed and how to use it?
I'll defer this question to 22.1-RC1 release notes...
Cheers,
Franco
Quote from: franco on January 07, 2022, 12:46:59 PM
I'll defer this question to 22.1-RC1 release notes...
Cheers,
Franco
ETA in sight? :-)
@franco
Oops, my bad. Did not check.
So, working on the release notes, what changed is the following:
The kill state on gateway failure option is no longer available due to heavy-handed disruption of the implementation leading to a number of support issues over the years. It was since switched to disabled by default, but we haven't seen a good use case for it so now it will be removed for good. The GUI IP change full state killing doing the same thing when a WAN IPv4 changes, however, will remain for the time being.
On the other hand, the default state killing on a WAN IPv4 change when said option is not enabled will change as follows:
1. The cache file used to determine which address was previously configured is now exclusive to the script handling the address change, meaning it will never miss an address change, which was previously possible. This already helps in some cases to make it function properly.
2. In addition to killing all states from said cached address, the default function will now also kill all states with the address as the destination, which should fix cases where the state kill triggered but wasn't working for incoming connections, which led to use of the IP address change GUI option, which kills every state of the firewall (also not optimal, obviously).
Cheers,
Franco
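
The default state killing described in the last post, as an added shell sketch (not OPNsense's own script and not part of the thread). The function names, cache file location and addresses are assumptions made for illustration; the two `pfctl -k` forms are standard pfctl usage, and the sketch only prints the commands instead of running them.

```shell
#!/bin/sh
# Added illustration; function names and the cache file are hypothetical.

# Print the pfctl commands needed when the WAN IPv4 address changes.
# $1 = cache file holding the previously configured address
# $2 = address now configured on the interface
plan_state_kill() {
    cache_file=$1
    new_ip=$2
    old_ip=""
    if [ -r "$cache_file" ]; then
        old_ip=$(cat "$cache_file")
    fi
    # No previous address, or address unchanged: nothing to kill.
    if [ -z "$old_ip" ] || [ "$old_ip" = "$new_ip" ]; then
        return 0
    fi
    # States originating from the old address (the existing default).
    echo "pfctl -k $old_ip"
    # States with the old address as destination (the 22.1 addition),
    # which covers incoming connections such as VoIP.
    echo "pfctl -k 0.0.0.0/0 -k $old_ip"
}

# Compare against the cache, then record the new address. Only this
# handler writes the cache file, so no other script can replace the old
# value before the comparison and hide an address change.
handle_address_change() {
    plan=$(plan_state_kill "$1" "$2")
    printf '%s\n' "$2" > "$1"
    printf '%s' "$plan"
}

# Demo with constructed documentation addresses (RFC 5737).
demo_cache=$(mktemp)
handle_address_change "$demo_cache" 198.51.100.7   # first run: no output
handle_address_change "$demo_cache" 203.0.113.9    # prints both kill commands
echo
rm -f "$demo_cache"
```

Unlike the GUI option that resets every state on the firewall, both commands are scoped to the old WAN address, so states that never involved that address are left alone.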