Hello everyone,
I've been experimenting for the past few days, for the first time, with OPNsense 25.1.5_5 (amd64). I'm attempting to set up OSPF between an OPNsense machine and two Mikrotik routers.
I have established VPN connections using both WireGuard and ZeroTier:
- There's a ZeroTier L2 domain, shared by the three devices, configured in OSPF as multicast.
- Additionally, there are three point-to-point WireGuard connections, configured in OSPF as point-to-point.
Everything works as expected until I reboot OPNsense. After the reboot, only the WireGuard adjacencies are fully re-established. The Mikrotik routers show the OPNsense neighbor stuck in the Init state.
Here's what happens:
- Mikrotik routers send "Hello" packets via multicast.
- OPNsense also sends "Hello" packets via multicast.
- Mikrotik routers receive the "Hello" packets from OPNsense, which include its neighbor in the Init state, and this cycle continues indefinitely.
The only workaround I've found is to make a minor and seemingly irrelevant change to the OPNsense firewall rules and apply it (e.g., enabling or disabling an unrelated rule). This action re-establishes adjacency over ZeroTier.
Running
pfctl -d; pfctl -e also temporarily solves the problem, but only for half a minute.
Does anyone have ideas or suggestions to address this issue?
Apparently the firewall rules defined as floating and in interface groups including the zerotier interface are not effective for the zerotier interface after reboot.
So for example after reboot incoming multicast traffic for OSPF is dropped despite a rule in an interface group.
And web gui access from zerotier is not allowed despite a floating rule.
On the other hand, a rule for ospf multicast added on the zerotier interface is applied since reboot.
Is this some kind of limit/bug or should I change some setting?
Any workaround? Replicating and maintaining all rules from group also in ZT interface is not easy...
Opened github issue.
https://github.com/opnsense/core/issues/8574