24.7.2: Dear OPNSense Community,
after switching from establish a permanent VPN Client Connection from OVPN (via OpenVPN) to Mullvad (Now via WireGuard) everything works fine; beside one small issue: IpV6 Gateway Monitoring Service doesn't start automatically after reboot.
When starting manually it takes a second and every works as expected.
Further Info:
- Mullvad given Gateway IPv6 Adress is an ULA Adress (fc00:xxx) and Monitor Adress is (for sure!) a GUA Adress
I rebooted right now and it seems to be likely a widget problem?
Log of "Boot" says this:
2024-08-25T12:39:02 wireguard_configure_do[286] done.
2024-08-25T12:39:02 dpinger_configure_do[5305] done.
2024-08-25T12:39:02 dpinger_configure_do[5305] Setting up gateway monitor MullvadV4...
2024-08-25T12:39:02 dpinger_configure_do[5305] done.
2024-08-25T12:39:02 dpinger_configure_do[5305] Setting up gateway monitor MullvadV6...
2024-08-25T12:39:02 system_routing_configure[5305] done.
2024-08-25T12:39:02 system_routing_configure[5305] Setting up routes for opt1...
2024-08-25T12:39:02 interface_configure[5305] done.
2024-08-25T12:39:02 interface_configure[5305] Configuring WGMVFRA interface...
2024-08-25T12:39:01 wireguard_configure_do[286] Configuring WireGuard VPN...
But Dashboard shows ...
- "Services" / "Gateway Monitor v6 Mullvad" is still red and
- "Gateways" / "Mulvvad v6" also (abd consequently) a red dot.
When I press "Play Button" in "Services / Gateway Monitor v6 Mullvad" both are becoming green and work as expected.
ps auxw | grep pinger
There you can see which interfaces dpinger is monitoring.
Okay - Now it becomes a litlle more clear...
1) Boot.log says (after fresh booting)
2024-08-25T13:30:16 wireguard_configure_do[287] done.
2024-08-25T13:30:16 dpinger_configure_do[61826] done.
2024-08-25T13:30:16 dpinger_configure_do[61826] Setting up gateway monitor MullvadV4...
2024-08-25T13:30:16 dpinger_configure_do[61826] done.
2024-08-25T13:30:16 dpinger_configure_do[61826] Setting up gateway monitor MullvadV6...
2024-08-25T13:30:16 system_routing_configure[61826] done.
2024-08-25T13:30:16 system_routing_configure[61826] Setting up routes for opt1...
2024-08-25T13:30:16 interface_configure[61826] done.
2024-08-25T13:30:16 interface_configure[61826] Configuring WGMVFRA interface...
2024-08-25T13:30:15 wireguard_configure_do[287] Configuring WireGuard VPN...
After connecting via ssh / root privileges and checking the services I see...
root@dragon:/home/udo # ps auxw | grep pinger
root 71574 0.0 0.0 13344 2540 - Is 13:30 0:00.01 /usr/local/bin/dpinger -f -S -r 0 -i MullvadV4 -B 10.71.233.139 -p
root 62158 0.0 0.0 12716 2288 0 S+ 13:31 0:00.00 grep pinger
root@dragon:/home/udo #
So the Monitor Gateway Service for IPV6 was not started automatically and the display of the widgets is "right" in Showing the red dotted Services.
Under System / Log Files / Audit I saw this issue:
2024-08-25T13:30:16 Warning wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The required MullvadV6 IPv6 interface address could not be found, skipping.
But why can it be found without problems when I start it manually after?
And why does the log of System / Log Files / Boot suggest that dpinger Service is done properly.
2024-08-25T13:30:16 dpinger_configure_do[61826] done.
2024-08-25T13:30:16 dpinger_configure_do[61826] Setting up gateway monitor MullvadV6...
Dunno, I'd install a kernel that does not have IPv6 completely screwed by the upstream security improvements before debugging any other IPv6-related things. You cannot monitor non-existent interface and then it may take too long for IPv6 to start working.
# opnsense-update -zkr 24.7.2-nd
and reboot.
Reference: https://github.com/opnsense/src/issues/218
Thx for your short reply and coding,
but unfortunately it didn't solve the problem.
System / Log Files / Boot...
2024-08-25T14:01:28 ntpd_configure_do[287] done.
2024-08-25T14:01:28 ntpd_configure_do[287] Starting NTP service...
2024-08-25T14:01:28 wireguard_configure_do[287] done.
2024-08-25T14:01:28 dpinger_configure_do[6519] done.
2024-08-25T14:01:28 dpinger_configure_do[6519] Setting up gateway monitor MullvadV4...
2024-08-25T14:01:28 dpinger_configure_do[6519] done.
2024-08-25T14:01:28 dpinger_configure_do[6519] Setting up gateway monitor MullvadV6...
2024-08-25T14:01:27 system_routing_configure[6519] done.
2024-08-25T14:01:27 system_routing_configure[6519] Setting up routes for opt1...
2024-08-25T14:01:27 interface_configure[6519] done.
2024-08-25T14:01:27 interface_configure[6519] Configuring WGMVFRA interface...
2024-08-25T14:01:27 wireguard_configure_do[287] Configuring WireGuard VPN...
So it still needs to start Gateway Ipv6 Monitoring manually after booting.
are you using a ip6 only connection on your router?
if not just monitor ip4 and disabled ip6 dpinger/ monitoring..
Quoteare you using a ip6 only connection on your router?
if not just monitor ip4 and disabled ip6 dpinger/ monitoring.
To disable a wanted feature can't be the solution.
Is there a possibilty to start the Monitoring services with a delay - so IPv4 / IPv6 Wireguard must be established first before establish the monitoring services?
Ok, perhaps if you stop messing with the GW monitoring setting up custom IPs that may be unavailable at that time, does that help?
I don't get the point really.
Wouldn't it be possible to start the Monitor Gateway Services automatically when set as "Last thing" in the bootup sequence? I don't know how to achieve this, but I guess it couldn't be the biggest challenge for developers.
Maybe somebody could do so?
Thx in advance,
best regards,
Udo
Sure. Feel free to patch the order. MeanwhĂle, I've suggested some debugging steps which could narrow down what's causing the problem. I don't get the point of pinging something else than the gateway unless that gateway blocks ping. Notably in case of a VPN.
Why is IPv4 Monitoring no Problem for the System (automatically when start), but IPv6?
Here is your clue which you have already posted
The required MullvadV6 IPv6 interface address could not be found, skipping.
Happy hunting.
Sorry, I just had the idea of show up a behaviour which could be better.
When it's not possible to improve it - then I just have to start a service manually after rebooting.
Thx for answering.
If you read the relevant code (https://github.com/opnsense/core/blob/a021a958682748bb50c5573cd145bce06cb1c2d0/src/etc/inc/plugins.inc.d/dpinger.inc#L202-L227), you'll see the reason why I suggested to stop adding your custom monitoring IP addresses improvements into the mix while debugging your issue.
This debate is pointless waste of time.