OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: PhoenixRider on March 21, 2023, 03:14:03 PM

Title: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 21, 2023, 03:14:03 PM
Hello,

I have updated my OPNsense to version 23.1.4 and now the clients cannot assign an IPv6 address anymore. The OPNsense interfaces themselves have an IPv6 address, but the clients don't get an IPv6 address. I guess there is a problem with DHCPv6.

I also receive a 503 Service Unavailable error message when I connect to my OPNsense. A revert to version 23.1.3 fixed my problems successfully.
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: PhoenixRider on March 21, 2023, 04:03:34 PM
It seems that the clients don't get the IPv6 default gateway. Maybe this is the problem?
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: YipieKaie on March 21, 2023, 04:08:13 PM
I think it's fantastic they push out update after update and say they solved problems, but in
all updates where they fix problems, they also destroy things that were working. How would it be
if you did some testing before pushing out an update? Now there are more problems with IPv6:
clients don't get any IP, you don't get any prefix from the provider.......
With all due respect, I really don't understand this.


//P
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: PhoenixRider on March 21, 2023, 04:15:10 PM
Now I have updated to version 23.1.4 several times. And now my clients get an IPv6 address, but now I receive a 503 Service unavailable error and can't connect to my OPNsense via the web interface. Please fix the problems.
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: IsaacFL on March 21, 2023, 04:15:48 PM
My ipv6 works fine.
Maybe you could try restarting the radvd service? That is what provides the default gateway.
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: PhoenixRider on March 21, 2023, 04:20:43 PM
I still get 503 error messages. Via SSH I have tried to restart all services, but it didn't help. I will revert to version 23.1.3.
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: IsaacFL on March 21, 2023, 04:35:45 PM
Did you try rebooting?
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: PhoenixRider on March 21, 2023, 04:38:59 PM
Yes, several times
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: IsaacFL on March 21, 2023, 05:00:54 PM
Are you using ULAs or VIPs?
Title: Re: IPv6 is broken after Update to 23.1.4 (Clients cannot assign an IPv6-address)
Post by: PhoenixRider on March 21, 2023, 05:03:04 PM
ULAs only. I haven't changed the IPv6 settings. Version 23.1.3 runs absolutely fine and without the 503 error.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: IsaacFL on March 21, 2023, 05:22:50 PM
My IPv6 is having problems too. It seems related somehow to radvd and VIPs.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 21, 2023, 05:29:28 PM
Did you revert back to version 23.1.3? Does everything run fine with the latest version? In any case, something is wrong with version 23.1.4.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: IsaacFL on March 21, 2023, 05:31:02 PM
I'm still on 23.1.4. Trying to debug first.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: IsaacFL on March 21, 2023, 06:09:18 PM
Where are you seeing the 503 Service unavailable error?

radvd is definitely broke.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 21, 2023, 06:23:53 PM
Only if I want to connect to the OPNsense web UI.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: IsaacFL on March 21, 2023, 06:32:48 PM
I had to revert back to 23.1.3.

radvd service is definitely broken in 23.1.4 with "can't join ipv6-allrouters" in the System: Routes: Log File

Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 21, 2023, 06:35:27 PM
Where can I find these log files?
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: IsaacFL on March 21, 2023, 08:25:46 PM
System: Routes: Log File

I have it on "informational"

Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: bob9744 on March 21, 2023, 11:03:43 PM
I was getting 503s trying to reach the web gui as well - ended up shelling in and restarting lighttpd, after which I was able to log in. This isn't the first time I've had trouble with that tho...
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 22, 2023, 12:06:15 AM
Thanks, what is the shell command to restart lighttpd?

From other Thread:

"With the hotfix 23.1.4_1 my IPv6 works fine now, thanks. But I had a 503 Service Unavailable error. I think I have found the issue:

System -> Settings -> Administration -> Listening Interfaces

My setting was only on the LAN interface. After the upgrade to 23.1.4(_1) I received the 503 Service unavailable error on the OPNsense web interface. Now I have set it to All (recommended) and the issue is gone."
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on March 22, 2023, 08:16:52 AM
Looks like the persistence to get this minor issue fixed made the problem worse on 23.1.4. I've written a new patch that should sidestep the underlying issue:

https://github.com/opnsense/core/commit/33ad50456

# opnsense-patch 33ad50456

Please report back if it works or not...


Cheers,
Franco
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 22, 2023, 12:32:00 PM
Hi franco,

I have applied this patch, but the patch doesn't work. I still receive the 503 error. The login window appears. I enter my login details (incl. 2FA) and then the 503 error comes up.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on March 22, 2023, 12:37:39 PM
That's funny because that's the first time you say 503 is not on the login page. I'm sorry, I can't work on moving goal posts.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: PhoenixRider on March 22, 2023, 01:24:29 PM
Ok, no problem. I will set to all interfaces. ;)
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: bob9744 on March 22, 2023, 05:01:35 PM
Quote from: franco on March 22, 2023, 08:16:52 AM
Looks like the persistence to get this minor issue fixed made the problem worse on 23.1.4. I've written a new patch that should sidestep the underlying issue:

https://github.com/opnsense/core/commit/33ad50456

# opnsense-patch 33ad50456

Please report back if it works or not...


Cheers,
Franco

I'll apply the patch and let you know if I still see the issue in the future - thanks Franco!
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: wbk on March 22, 2023, 11:15:09 PM
Did both of you get in this situation after upgrading from 22.x to 23.x?

For me, that upgrade got IPv6 totally (and for me, unfixable) upset.

After installing 23.x from a clean slate, basic IPv6 works immediately. No problems with the GUI either. What does not work for me: static DHCP6 leases (with recreating the rest of the configuration still a work in progress).
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: bob9744 on March 23, 2023, 12:24:12 AM
I wasn't on 22.7 long enough to really get a sense if this came with 23 - all I know is that at some point I was getting 503s, and the logs implied it was because the service couldn't grab the port. Easy enough to fix, though, so I've not really worried about it...
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on March 24, 2023, 09:10:34 AM
Can you check the PHP error file on a sudden 503?

# cat /tmp/PHP_errors.log


Cheers,
Franco
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: ivwang on March 24, 2023, 09:39:53 AM
Quote from: franco on March 22, 2023, 08:16:52 AM
Looks like the persistence to get this minor issue fixed made the problem worse on 23.1.4. I've written a new patch that should sidestep the underlying issue:

https://github.com/opnsense/core/commit/33ad50456

# opnsense-patch 33ad50456

Please report back if it works or not...


Cheers,
Franco

Having 503 too, but as far as I can see my IPv6 works (PPPoE+IPv6 DHCP on WAN side, stateless DHCPv6 on the LAN side)

The patch, on the other hand, unfortunately does not solve the 503 when the web GUI is accessed (via LAN IPv4 address, for what it's worth)

also no PHP error logs under /tmp.

Thanks,
Ivan.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: ivwang on March 24, 2023, 09:53:57 AM
Update:

After first applying the patch from Franco I did a 'configctl webgui restart' and that didn't bring back the GUI.
Then I went to reply to Franco in this thread.

After that I rebooted opnsense, and this time GUI is working. I rebooted the second time and GUI still works, so hoping it lasts.

Thanks
Ivan.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Septarius on March 25, 2023, 10:17:37 PM
Quote from: franco on March 22, 2023, 08:16:52 AM
Looks like the persistence to get this minor issue fixed made the problem worse on 23.1.4. I've written a new patch that should sidestep the underlying issue:

https://github.com/opnsense/core/commit/33ad50456

# opnsense-patch 33ad50456

Please report back if it works or not...


Cheers,
Franco

I have the Web GUI set to run on two Listen Interfaces: Mgmt (management VLAN), OPT1 (personal network interface for my one PC)
System -> Settings -> Administration -> Web GUI -> Listen Interfaces

Reason: Lowers the attack surface area; the other VLANs and networks do not need to, nor should they ever, access the WebGUI, so if it is not listening at all it is better off.
The SSHd is also set up the same way.

OPT1 also has IPv6 enabled and that has been working great with the fix in 23.1.4_1. DHCPv6 and radvd error etc are gone.

With the above 33ad50456 patch applied I was able to reproduce the 503 Service Unavailable error on the subsequent reboot. Before I didn't know when it would happen just the next time I tried to open the WebGUI it would have the service unavailable error.
configctl webgui restart via SSH would get it to work again for awhile.

My hunch from what I am reading in this thread is the interface up/down is triggering the issue and it will likely happen after one or more restarts of my OPT1 connected PC.

I also do not see any PHP errors

cat /tmp/PHP_errors.log
cat: /tmp/PHP_errors.log: No such file or directory


Web GUI Log file and what happened between the entries


action: reboot after applying opnsense-patch 33ad50456
2023-03-25T14:20:06-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.1704) server started (lighttpd/1.4.69)

action: connection timeout after attempting to login to web gui after reboot.
action: "configctl webgui restart" issued via SSH
2023-03-25T14:20:23-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.1057) [note] graceful shutdown started
2023-03-25T14:22:12-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.1704) server started (lighttpd/1.4.69)

action: 503 Error from the web gui after login and just checking out the web gui log file. This was new as I haven't been actively using the web gui when it threw the 503 error before.

2023-03-25T14:25:49-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/mod_openssl.c.3438) SSL (error): 5 -1: Operation timed out
2023-03-25T14:25:49-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.2078) server stopped by UID = 0 PID = 57711
2023-03-25T14:26:00-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/gw_backend.c.274) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: No such file or directory
2023-03-25T14:26:00-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/gw_backend.c.274) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: No such file or directory
2023-03-25T14:26:00-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/gw_backend.c.960) all handlers for /ui/index.php? on .php are down.
2023-03-25T14:26:03-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/gw_backend.c.351) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1 0 /tmp/php-fastcgi.socket
2023-03-25T14:26:03-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/gw_backend.c.351) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0 0 /tmp/php-fastcgi.socket

configctl webgui restart issued via SSH
2023-03-25T14:26:09-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.1057) [note] graceful shutdown started
2023-03-25T14:27:30-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.1704) server started (lighttpd/1.4.69)


while typing this up in the "General" log
No commands were issued to cause that error to my knowledge

2023-03-25T14:31:12-06:00 Error opnsense /usr/local/etc/rc.restart_webgui: The command '/usr/local/bin/flock -ne /var/run/lighty-webConfigurator.pid /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '1', the output was ''

Then in the Web GUI Log
2023-03-25T14:31:12-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/mod_openssl.c.3438) SSL (error): 5 -1: Operation timed out
2023-03-25T14:31:12-06:00 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/server.c.2078) server stopped by UID = 0 PID = 54531



The Web GUI is still working without 503 or connection timeout via the OPT1 interface...for now?
The current lighttpd pid according to top
87005 root          1  20    0    18M  7932K kqread   1   0:00   0.00% lighttpd

Hopefully this helps troubleshoot the issue.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on March 27, 2023, 09:16:20 PM
> Reason: Lowers the attack surface area

It doesn't unless you screw up your firewall rules. But then again screwing up access by ignoring the GUI warning is same same but different? All in the name of security of course. ;)


Cheers,
Franco
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Patrick M. Hausen on March 27, 2023, 10:07:28 PM
INADDR_ANY is special.
INADDR_ANY is special.
INADDR_ANY is special.
...
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Gromhelm on June 29, 2023, 08:01:26 PM
I had the same issue, since updating yesterday to the latest version.

I just saw the 503 service unavailable and restarted the webgui service, it is working for now but the errors are still popping up in logs.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on June 29, 2023, 09:11:23 PM
Can't share this enough it seems: https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces


Cheers,
Franco
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Gromhelm on June 30, 2023, 05:59:11 AM
Ok, I removed "LAN" from listen interfaces and went back to default "All (recommended)". It makes no sense to me why the GUI would need to listen on the WAN side.
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: franco on June 30, 2023, 08:14:52 AM
To be frank I don't expect everyone to understand but the fact is e.g. if you have LAN tracking an IPv6 WAN this is what it is because without NAT you do not have a static address and this reload *must* happen. We are not trying to make arbitrary rules here...

And this wouldn't happen if people would use a real management interface to access the web GUI in the first place. A LAN is not a management interface.


Cheers,
Franco
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Patrick M. Hausen on June 30, 2023, 08:41:17 AM
@Gromhelm "All (recommended)" does not mean

- listen on LAN
- listen on WAN
- listen on OPT1
- ...

It means

- listen on the special address 0.0.0.0 also called INADDR_ANY
- listen on the special address :: also called IN6ADDR_ANY

These addresses work regardless of interfaces coming and going, addresses changing etc. It's a fundamental property of the socket API.

That's why it is the recommended setting and why changing this leads to all sorts of problems if your network configuration is not 100% static.
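
Added example (not part of the original posts and not OPNsense or lighttpd code): a small Python check of the socket behaviour described in the post above. It shows that a listener bound to one concrete address cannot start while that address is absent, while a wildcard listener starts regardless and serves whatever local address a client uses. The addresses 192.0.2.1 and 2001:db8::1 are constructed stand-ins from the documentation ranges and are assumed not to be configured on the host.

```python
import errno
import socket

# Constructed sample addresses from the documentation ranges (RFC 5737 / RFC 3849),
# assumed NOT configured on this host: they stand in for an interface address
# that is missing at the moment the daemon (re)starts.
ABSENT_V4 = "192.0.2.1"
ABSENT_V6 = "2001:db8::1"


def try_bind(addr, port=0):
    """Try to open a TCP listener on addr; return (ok, errno name or None)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.bind((addr, port))
            s.listen(1)
            return True, None
    except OSError as e:
        # EADDRNOTAVAIL: the kernel refuses to bind to an address no interface holds.
        return False, errno.errorcode.get(e.errno, str(e.errno))


def wildcard_serves(local_addr="127.0.0.1"):
    """Listen on INADDR_ANY and return the local address the client really reached."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.settimeout(5)
        srv.bind(("0.0.0.0", 0))  # wildcard address, kernel-chosen port
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection((local_addr, port), timeout=5):
            conn, _peer = srv.accept()
            with conn:
                # The accepted socket carries the concrete destination address,
                # although the listener itself never named any interface.
                return conn.getsockname()[0]


if __name__ == "__main__":
    for addr in ("0.0.0.0", "::", ABSENT_V4, ABSENT_V6):
        print(f"bind {addr!r:16} -> {try_bind(addr)}")
    print("wildcard listener reached via", wildcard_serves())
```

Which addresses are reachable from which network is then decided by firewall rules, not by the bind address.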
Title: Re: IPv6 is broken after Update to 23.1.4 + 503 Service unavailable error
Post by: Gromhelm on July 31, 2023, 08:49:12 AM
@Patrick M. Hausen, @franco - many thanks for the explanation! Indeed, I expected I was _wrong_, was just looking for this piece of information. Maybe discussions like these help at some point make the gui or docs more self-explanatory. Of course, nothing helps against ignorant users (I hope I am not one of them).