OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: debacler on August 08, 2020, 03:49:44 pm
-
Hello all, new to OPNsense and I'm hoping someone can help me out with this problem I ran into. Seems related to ipv6, which is an area I don't have much experience.
I did a new, clean install of 20.7. This went fine, however when checking for updates I would get a timeout or "package manager not responding" error with the plugin screen blank or showing only the installed packages and their status as orphaned.
If I set the system option to prefer ipv4, updates start working as expected. When testing from my desktop pc, ipv6 appears to be working just fine, with hosts resolving and pinging.
From the console, updates display the same behavior as the gui, normally when ipv4 is preferred and hanging when that option is disabled. IPV6 hosts seem to resolve, but pings fail from the console. Why would everything work from the desktop, but fail on the router itself? Have I misconfigured something? This is a very new, extremely basic install, so I'm not sure what I might have changed to cause this. As this happens with a clean install with all default settings, maybe there is some fallback behavior or error messaging that ought to be added to OPNsense to handle this situation?
Again, not my area of expertise - just recently got an ISP with ipv6 support - so hopefully I've done something dumb and you guys can point it out. ;D
-
I'm having the same issue. New opnsense user, new install. The 'System:Settings:General:prefer ipv4' trick unlocked the plugins and packages list.
-
There was a strange issue that caught me last year and affected sending mail via IPv6. I finally solved it by:
disable IPv6, Save -> enable IPv6, Save
as outlined in this post https://forum.opnsense.org/index.php?PHPSESSID=bq9ba6nsfc4vohgdf1e5mk3mmh&topic=1777.msg5578#msg5578 (https://forum.opnsense.org/index.php?PHPSESSID=bq9ba6nsfc4vohgdf1e5mk3mmh&topic=1777.msg5578#msg5578)
Wonder if it might help?
-
For the Record: Yesterday I had this also, however today everything worked.
Well except I either have multi wan failover working or my printer... No matter how I do, there is always some filter rules that goes wrong. And during one period the firewall log said rule xxx blocked that transaction, however the description of the rule was DHCP allow autogenerated rule... Very strange behaviour of filter rules today, hope for better stability tomorrow....
-
OK, tried the suggestion by fruit. Out of the gate it appeared to work! Interestingly I could now ping ipv6 from the firewall and the update check completed. However DHCPD6 showed as stopped and never came back up. After a reboot everything reverted to its broken state. Also, i saw that sylog-ng remained stopped. The log showed:
kernel: pid 73816 (syslog-ng), jid 0, uid 0: exited on signal 11 (core dumped)
Not sure if this is related, I've seen this happen several times before. It started manually.
Since the initial success, I've been unable to replicate my first working result. Toggling IPV6 doesn't seem to do anything in regards to updates, and ipv6 pings never worked again from the firewall. However, being able to ping ipv6 from the firewall after changing this the first time leads me to believe something is broken in the firewall rules.
I dunno, I'd like to get all this working as I've heard good things about OPNsense, but between this issue and the general instability of services, I am losing confidence that it is ready to be my daily driver. :(
-
OK, having toggled prefer ipv6 (presently off) and the firewall advanced enable ipv6 (presently on) it started working again. No faith that it will survive a reboot, but working as expected at the moment. IPV6 pings are working again from the firewall to outside hosts. FYI, never saw these being blocked in the firewall log even when it wasn't working. Was also able to update bogon lists, which also failed previously.
Is there any relevant information I can gather to diagnose and hopefully find a permanent fix? I am all but certain things are going to go belly up again the next reboot.
-
Hi, I have exactly the same problem.
I have built a two member carp firewall cluster on VMware 7.0 and OPNsense 20.7.0
Everything seems working fine functionally, but when I wanted to add the VMware tools package I could only get the package list updated on the master member but on the Standby member it times out waiting for the update.
Cannot see and packages available
I have the same settings on the two cluster members but only the master works. I think I have tried all the permutations re IPv6 on off in system general the fw advanced settings. No joy.
With one fw cluster members working and one not working, I still cannot find anything to help with why the same settings on both gives a different result.
Also same DNS and same other settings as far as I can tell.
attached are two screens from the consoles, one Member OK the other not
-
Hello,
I'm not sure why nobody replied to this thread with a solution. Even though this thread is over a year old, it came up as top result on Google when trying to find a solution for this problem.
I recently started with OPNsense to try it for WireGuard VPN and ran into the same updating problem and also not having a plugin list. Also seeing exactly the same with the enabling/disabling IPv6.
After doing a quick search and not finding anything, I figured to go troubleshoot myself as it must be something stupid I missed with IPv6 since disabling/enabling it temporarily fixes it.
One of the main drivers of IPv6 connectivity is ICMP and after taking a look at my firewall rules, guess what, there is no IPv6 ICMP rule by default.
Since ICMP is required for correct IPv6 connectivity, and it's being blocked, no chance it will work, hence no updates, no ping, no plugins.
Add the following rule to the Floating rule base to solve the problem (for OPNsense and all clients you may have connected on IPv6 in the future, for clients don't forget the internal interface too!):
PASS, Interface: WAN, Direction: ANY, TCP/IP: IPv6, Protocol: ICMP, Type: ANY, Source: ANY, Destination: ANY
That should do it, hope it helps for everyone being frustrated in the future (as more and more people get IPv6)
-
That’s odd because in my experience OPNsense adds relevant ICMPv6 floating rules itself when IPv6 is enabled. Wouldn’t be particularly useful if it didn’t
-
I can see a list of auto-generated IPv6, however, the destinations only seem to be link-local addresses.
As soon as I disable the firewall rule I've added myself I lose IPv6 connectivity to all non link-local IPv6 addresses from OPNsense and lose updating+plugin capabilities.