OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: fabio on April 26, 2017, 09:04:34 pm

Title: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: fabio on April 26, 2017, 09:04:34 pm
Hi,

After the 17.1.5 upgrade it seems the "default gateway switching" and the "Gateways Group" do not work any more

To be honest I'm not completely sure about the gw switching; I've tested it, not in a "deep way", just last Friday ... but I remember it was working

About the "Group" instead: I currently have Tier 1 offline and Tier 2 online, in the firewall there is an "any" rule configured with the gw group ... and a traceroute shows the traffic is always routed via "Tier1". In this case I'm sure it was working...

Has anyone noticed a similar behaviour after the upgrade?

Thanks
--
Fabio
Title: Re: 17.1.5 - Gateway problems
Post by: bulmaro on April 27, 2017, 08:04:52 pm
Good day to everyone
My problem is the following
My PC is connected to LAN2 of the internet WAN3; to get maximum traffic in LAN2, the Internet is disconnected from the PC connected in the network LAN1

I attached the image and the configuration of my opnsense.
Thank you for your attention and help in correcting what I am doing wrong
Title: Re: 17.1.5 - Gateway problems
Post by: fabio on April 29, 2017, 05:24:37 pm
Hi All,

Fortunately I have an "old VM" with a 1.7.3 so I was able to test the configurations on both versions.

To be sure to test the same config I have the 2 firewalls in High Availability (with all the settings flagged)

opn1 - version 1.7.5 - master
opn2 - version 1.7.3 - slave

I can confirm that in my test "Allow default gateway switching" and "Gateways: Group" work ONLY on the 1.7.3 slave

... I'm quite sure all was working also on 1.7.4

--
Fabio
Title: Re: 17.1.5 - Gateway problems
Post by: jorgevisentini on May 04, 2017, 06:12:32 pm
Yes, fabio, here also it is not working...

I came back to version 17.1.4 and it's working.
Title: Re: 17.1.5 - Gateway problems
Post by: fabio on May 04, 2017, 11:49:51 pm
Which exactly is the right downgrade procedure? I used the following one ... but it looks wrong

  * opnsense-update -sn "17.1/MINT/17.1.4/OpenSSL"
  * opnsense-update -pf

Then I saw errors in the pkg database, fixed with:

  * pkg shell
    * CREATE VIRTUAL TABLE pkg_search USING fts4(id, name, origin);
  * pkg upgrade (to upgrade only the pkg package)

DHCP was broken and I noticed a missing user in /etc/passwd ... so I reinstalled the related pkgs

  * pkg install -f isc-dhcp43-server
  * pkg install -f flowd
  * pkg install -f squid

As I said, this procedure looks very wrong; anyway "all" seems to work now
Title: Re: 17.1.5 - Gateway problems
Post by: franco on May 05, 2017, 08:29:50 am
It seems this only affects the core package in an edge case. The portable solution is to downgrade the core package alone and leave the other packages at their latest version:

# opnsense-revert -r 17.1.4 opnsense


Cheers,
Franco
Title: Re: 17.1.5 - Gateway problems
Post by: franco on May 05, 2017, 03:32:26 pm
Hi Fabio,

There is a patch available here:

https://github.com/opnsense/core/commit/2f715d2

You can install it to 17.1.6 with the following command:

# opnsense-patch 2f715d2


Cheers,
Franco
Title: Re: 17.1.5 - Gateway problems
Post by: jorgevisentini on May 05, 2017, 03:36:13 pm
Thanks franco.

I will update opnsense-patch 2f715d2 and anything downgrade this package.
Before, a backup of course haha.
Title: Re: 17.1.5 - Gateway problems
Post by: franco on May 05, 2017, 03:38:21 pm
Careful, it needs 17.1.6 first before opnsense-patch works.
Title: Re: 17.1.5 - Gateway problems
Post by: jorgevisentini on May 05, 2017, 05:58:08 pm
Hi franco,

it worked.

Thanks!
Title: Re: 17.1.5 - Gateway problems
Post by: franco on May 05, 2017, 06:13:52 pm
Hi jorgevisentini,

Yay! Thanks for confirming. It's already queued up for 17.1.7.


Cheers,
Franco
Title: Re: [SOLVED] 17.1.5 - Gateway problems
Post by: fabio on May 06, 2017, 09:17:53 am
Thanks franco,

I'll upgrade my firewalls during the weekend

Thanks again
Title: Re: [SOLVED] 17.1.5 - Gateway problems
Post by: franco on May 06, 2017, 09:29:33 am
Please let us know how that goes :)
Title: Re: [SOLVED] 17.1.5 - Gateway problems
Post by: fabio on May 06, 2017, 11:41:39 am
Hi franco,

Unfortunately I still see problems after the patch :(

My tests had the following results
- "Gateways: Group" works as expected
- "Allow default gateway switching" seems still broken; the system default gateway does not switch in case of "down"

Then I noticed an additional issue:
I use my OPNSense as OpenVPN client, it routes just a couple of specific networks into the tunnel.
With 2f715d2 applied, when I start the vpn session the ptp of the tunnel also becomes the default gw ... and after the session shutdown the default gw is completely removed

After the upgrade to 1.7.6 and before 2f715d2 the vpn worked as usual
Title: Re: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: franco on May 08, 2017, 06:47:21 am
Hi Fabio,

Thanks, forwarded the relevant info and will report back.


Cheers,
Franco
Title: Re: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: franco on May 08, 2017, 08:50:50 am
Hi Fabio,

Another fix via Ad:

https://github.com/opnsense/core/commit/ce8ef99

On a clean 17.1.6 both patches must be installed:

# opnsense-patch 2f715d2 ce8ef99


Cheers,
Franco
Title: Re: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: fabio on May 18, 2017, 08:48:59 pm
To keep you informed.

I've upgraded to 17.1.7; I see the same behaviour as 17.1.6+2f715d2, so "Gateways: Group" looks good but not "Allow default gateway switching".

With some other tests I noticed that, with the switching option enabled, the system starts to use the 1st gateway listed in the "System: Gateways: All" page, ignoring the "Default Gateway" flag.
If the 1st becomes offline it swaps to the 2nd and so on.

If I may suggest ... it would be great to have the possibility to choose the order of the switching

In some way this also "explains" the reason why the openvpn ptp becomes the default gw.
I assigned, and enabled, the ovpnc1 interface to an Interface. After a vpn connection, 2 auto-generated gw (IPv4 and IPv6) appear in the "System: Gateways: All" page, listed at the "top of the list"

Cheers,
Fabio
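As an added illustration (not OPNsense code, and not from anyone in this thread), the following POSIX shell model contrasts the two selection rules Fabio describes above: the observed "first online gateway in page order" rule versus the expected "flagged Default Gateway first, otherwise first online" rule. The gateway table is constructed, with the auto-generated OpenVPN gateway placed at the top of the list after a VPN connection, as reported.

```shell
# Constructed gateway table in "System: Gateways: All" page order.
# Columns: name  address  status  default-flag
GW_BEFORE_VPN='WAN_GW 203.0.113.1 online yes
WAN2_GW 198.51.100.1 online no'

# After the OpenVPN client connects, its auto-generated gateway appears
# at the top of the list (constructed to mirror the reported behaviour).
GW_AFTER_VPN="OVPNC1_GW 10.8.0.1 online no
$GW_BEFORE_VPN"

# Observed rule (17.1.6+ as reported): first online entry in list order,
# the "Default Gateway" flag is ignored.
observed_default_gw() {
  printf '%s\n' "$1" | awk '$3 == "online" { print $1; exit }'
}

# Expected rule: the entry flagged "Default Gateway" if it is online,
# otherwise fall back to the first online entry in list order.
flagged_default_gw() {
  printf '%s\n' "$1" | awk '
    $3 == "online" && $4 == "yes" { print $1; found = 1; exit }
    $3 == "online" && first == "" { first = $1 }
    END { if (!found) print first }'
}

# set_status TABLE NAME STATUS -> same table with one gateway's status changed
set_status() {
  printf '%s\n' "$1" | awk -v name="$2" -v st="$3" '$1 == name { $3 = st } { print }'
}

printf 'before VPN: observed=%s expected=%s\n' \
  "$(observed_default_gw "$GW_BEFORE_VPN")" "$(flagged_default_gw "$GW_BEFORE_VPN")"
printf 'after VPN:  observed=%s expected=%s\n' \
  "$(observed_default_gw "$GW_AFTER_VPN")" "$(flagged_default_gw "$GW_AFTER_VPN")"
WAN_DOWN=$(set_status "$GW_BEFORE_VPN" WAN_GW offline)
printf 'WAN down:   observed=%s expected=%s\n' \
  "$(observed_default_gw "$WAN_DOWN")" "$(flagged_default_gw "$WAN_DOWN")"
```

The two rules agree while the flagged gateway is first in the list; they diverge only once the OpenVPN gateway is inserted above it, which is exactly the case where the ptp became the default gw.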
Title: Re: [PARTIALLY SOLVED] 17.1.5+ - Gateway problems
Post by: fabio on June 01, 2017, 04:53:40 pm
Forgive me if I'm boring you but ... I see the same behaviour also in 1.7.8

Just to understand: am I the only one who notices this behaviour?
... maybe there is something wrong in my conf.

Cheers,
Fabio
Title: Re: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: franco on June 01, 2017, 08:21:44 pm
Hi Fabio,

I have been looking at "Allow default gateway switching" the last few days, fixed multiple bugs and now think it's really not very practical. Since we have gateway groups for failover as well, it could mean the default gateway switching will be removed in 18.1 or so.

Why are you using both features at the same time? They don't work in tandem...


Thanks,
Franco
Title: Re: [PARTIALLY SOLVED] 17.1.5 - Gateway problems
Post by: fabio on June 01, 2017, 09:30:14 pm
Hi Franco,
At the moment, according to my tests, I'm only interested in "Allow default gateway switching"; as I said, maybe I'm starting from a wrong point

In my case all is related to OpenVPN: my OPN box is also a VPN client, connected to the "vpn.example.com" server for a bunch of networks.

Obviously when the system default gateway goes down the tunnel also goes down ... the system no longer has a gw so the tunnel is not able to come up again.
At least the box is not able to resolve the name, "openvpn[xxx]: RESOLVE: Cannot resolve host address: vpn.example.com: hostname nor servname provided, or not known"
I've tried to bind the VPN client to the LAN address, adding an any/any rule via a gateway group, with the same results
(As a double check I've just tried to replace the name with the IP and I see the same behaviour)

Another point is that if I use a 'Gateway' in a firewall rule all the traffic that matches the rule is forced through that gw ... ignoring the system routing
As a result all the networks pushed by the vpn server are ignored (I have this in some specific host/port rules that I don't want in the tunnel)
Maybe I can add exception rules for all the pushed routes but it seems a mess to maintain (and anyway there is the previous problem)


So from my current point of view you shouldn't remove the "Allow default gateway switching"  :-)

As usual thanks for all the support and the great work
--
Fabio

PS:
Please forgive my terrible and confused english