OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: BertM on October 25, 2017, 10:52:11 am
-
For a test environment, I setup an OPNsense router, and after running the initial wizard, I noticed that I did not have internet connection.
Looking into the issue, I found that the DHCP server in OPNsense did not handout a value for the default gateway.
Although for the DHCP server (according to help in the web gui) the default is to use the interface IP, this did not seem to work.
After entering the interface IP address in the Gateway Field, everything worked OK, The DHCP client did get a default gateway configured and was able to connect to the internet.
When I removed the gateway entry from the web gui again, the DHCP clients did not get a gateway again.
So, it appears to be mandatory to enter the gateway for the DHCP server in the web gui.
This means that either the helptext in the web gui needs to be changed, or the web gui has to be changed to automatically take the interface address for the gateway.
Note that this issue exists in version 17.7, regardsless if you install from OPNsense-17.7-OpenSSL-dvd-amd64.iso or from the OPNsense-17.7.5-OpenSSL-dvd-amd64.iso
Kind regards,
Bert
-
Ahhh. So it's not just me!
I'm very new to opnsense so I just assumed I was doing something wrong. haha
-
Hi guys,
1. Are you sure the WAN DHCP gives out a gateway?
2. Are you sure you got your LAN DHCP lease *after* the WAN got its lease? If you get LAN before WAN, your LAN client is stuck without a gateway, because the OPNsense has no gateway to propagate yet.
3. Also of interest is the timing in the WAN lease, if it's too late during boot it may even just miss DHCP service start and provide a config to it without the gateway.
Normally, 1. / 2. / 3. do not happen easily. The behaviour has been reported about two or three times this year. That leaves thousands of boxes unaffected. :)
Cheers,
Franco
-
Franco,
This is on the LAN.
It has nothing to do with WAN.
WAN is static IP and properly configured.
Regards,
Bert
-
Oh, okay, that is a slight manual effort for sure.
It should always add "option routers LANIP", maybe you can double-check in /var/dhcpd/etc/dhcpd.conf
If that's the case, a route needs to be added to fix LAN client connectivity and/or setting a System: Gateway entry as the default gateway. Don't have these setups in my deployments so unsure...
Cheers,
Franco
-
I have no LAN - WAN only.
However at first it did do some odd behavior when I had a WAN and LAN.
Basically it assigned the WAN as LAN and the LAN as WAN. So I set up the interfaces manually and that was all solved.
Now with just a WAN, resolver is slow to set up on boot and I had to enter the DNS servers manually.
Maybe just being glitchy because its running under vmware.
-
A static IP configuration does not make your interface a >>WAN<< interface in the sense that it can automatically connect to the Internet (or the next hop on the way there), because it knows not where upstream is. At least a gateway needs to be set from the same interface configuration page, possibly set as default in System: Gateways if not being set automatically so that clients who will ask that interface IP for routing will have a way to route these packets.
Cheers,
Franco
-
Franco,
It seems you are right in that this DHCP issue is related to the issue with the apinger service.
But I think that the processes that creates the config files may need to be examined.
I decided to take a more structured approach in order to find what happens, and when.
Below is a detailed description of my approach, what I did and what the results were.
To test, I setup a OPNsense virtual machine on a VMware server.
The OPNsense machine had one network interface connected to a live internet connection, and one network interface connected to a LAN with only one Windows 7 PC connected.
I installed OPNsense using the OPNsense-17.7.5-OpenSSL-dvd-amd64.iso. After the installation and the reboot, I started the Windows 7 machine on the LAN.
The PC received proper DHCP configuration from the OPNsense (192.168.1.100/24 Gateway 192.168.1.1).
I started the web browser, connected to OPNsense at 192.168.1.1 and went through the initial configuration wizard.
In this wizard, I entered the following information for WAN:
Configuration type: Static
IPv4 address: 89.248.134.25/28
IPv4 Upstream Gateway: 89.248.134.17
I entered the address 192.168.10.1/24 for LAN.
After completing the wizard I rebooted the Windows PC and noticed that the PC did not have internet connection at that time.
Running IPCONFIG on the PC revealed that it did not have a default gateway configured.
I then configured the PC with a static IP address 192.168.10.20/24 , Gateway 192.168.10.1 and DNS 192.168.10.1
At that point, the PC had internet connection and I could browse the web. This means that routing etc. are OK.
I changed the PC configuration back to DHCP client, and again it did not get a gateway configured from DHCP.
Then, I restarted OPNsense, and after that I restarted the PC. The result was still that the PC did not get a gateway configured.
I started a web browser and connected to OPNsense, and noticed that the apinger service was not running.
I attempted to start it, but that failed.
Then, I did two things:- I enabled Secure Shell, Permitted root user login and permitted password login.
- In the Firewall I configured an "allow all" rule for WAN
To find why the PC did not get a gateway configured, I used PuTTY to connect to OPNsense, logged-on, opened a Shell, and issued the command:
cat /var/dhcpd/etc/dhcpd.conf
The result was:
option domain-name "i-sec.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
pool {
range 192.168.10.10 192.168.10.245;
}
option domain-name-servers 192.168.10.1;
}
There you are! No line with "option rouiters 192.168.10.1", even though it should have taken the OPNsense interface address as the default.
I then openend the web gui, and in the DHCP server config page, for LAN I entered the proper gateway address (192.168.10.1) and saved.
Then I went back into the shell, and entered "cat /var/dhcpd/etc/dhcpd.conf". The result was:
option domain-name "i-sec.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
pool {
range 192.168.10.10 192.168.10.245;
}
option routers 192.168.10.1;
option domain-name-servers 192.168.10.1;
}
This time is did have the option routers line.
I now restarted the PC, it got properly configured by DHCP from the OPNsense, and it was now able to browse the web.
Because the DHCP config should have taken the interface address by default, I decided to find-out what would happen if I removed the Gateway from the configuration page in the web gui.
So I removed it on the configuration page in the web gui, went back in the shell and issued the "cat /var/dhcpd/etc/dhcpd.conf" command.
The result was:
option domain-name "i-sec.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
pool {
range 192.168.10.10 192.168.10.245;
}
option domain-name-servers 192.168.10.1;
}
It had just removed the option routers line again!
For now, I just left this as it was, and decided to have a look at why the apinger service would not start.
Even though internet connection worked when the PC on the LAN had a gateway configured, I wanted to make sure the upstream gateway for WAN was properly configured.
I went into the Shell and issued the command "netstat -rn"
The result was:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 89.248.134.17 UGS em0
89.248.134.16/28 link#1 U em0
89.248.134.25 link#1 UHS lo0
127.0.0.1 link#4 UH lo0
192.168.10.0/24 link#2 U em1
192.168.10.1 link#2 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::1 link#4 UH lo0
fe80::%em0/64 link#1 U em0
fe80::250:56ff:fe94:1242%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::1:1%em1 link#2 UHS lo0
fe80::%lo0/64 link#4 U lo0
fe80::1%lo0 link#4 UHS lo0
That looked good. The default gateway was OK.(89.248.134.17)
Now let's look at the apinger config with "cat /var/etc/apinger.conf"
Just the bottom part of the file looked like:
target default {
## How often the probe should be sent
interval 1s
## How many replies should be used to compute average delay
## for controlling "delay" alarms
avg_delay_samples 10
## How many probes should be used to compute average loss
avg_loss_samples 50
## The delay (in samples) after which loss is computed
## without this delays larger than interval would be treated as loss
avg_loss_delay_samples 20
## Names of the alarms that may be generated for the target
alarms "down","delay","loss"
## Location of the RRD
#rrd file "/var/db/rrd/apinger-%t.rrd"
}
OOPS! There is no target IP to ping.
Then, I went into the web gui again to System ==> Gateways ==> All, and clicked the pencil button to edit the gateway.
All settings already looked OK, but just to be on the safe side, without making any changes, I clicked Save and then Apply settings.
This immediately started the apinger service.
So what changed?
Let's look at the apinger config again with "cat /var/etc/apinger.conf"
Now, the bottom part of the file looked like:
target default {
## How often the probe should be sent
interval 1s
## How many replies should be used to compute average delay
## for controlling "delay" alarms
avg_delay_samples 10
## How many probes should be used to compute average loss
avg_loss_samples 50
## The delay (in samples) after which loss is computed
## without this delays larger than interval would be treated as loss
avg_loss_delay_samples 20
## Names of the alarms that may be generated for the target
alarms "down","delay","loss"
## Location of the RRD
#rrd file "/var/db/rrd/apinger-%t.rrd"
}
target "89.248.134.17" {
description "WANGW"
srcip "89.248.134.25"
alarms override "loss","delay","down";
rrd file "/var/db/rrd/WANGW-quality.rrd"
}
Suddenly, it had a target configured.
OK, now let's go back to the DHCP issue. Remember that I left off with the option routers line missing in dhcpd.conf.
I verified that it was still like that by entering "cat /var/dhcpd/etc/dhcpd.conf" in the shell.
In the web gui I now went to Services ==> DHCP ==> Server, selected the LAN tab and, without making any changes, clicked Save.
After that I looked at the dhcpd.conf again with "cat /var/dhcpd/etc/dhcpd.conf". The result was:
option domain-name "i-sec.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
pool {
range 192.168.10.10 192.168.10.245;
}
option routers 192.168.10.1;
option domain-name-servers 192.168.10.1;
}
Yep! The option routers line is there.
Resume:
- In DHCP on the LAN, the default of the interface IP address does not make it into /var/dhcpd/etc/dhcpd.conf
- The properly configured Upstream router address, works OK for the routing table (and in fact allows a working internet connection) but does not make it into /var/etc/apinger.conf
- Without making any changes, saving the default gateway settings in the web gui enters the upstream router info in /var/etc/apinger.conf, after wich the apinger service starts automativally
- After saving the upstream router address (without making any changes), you can also save DHCP settings without making any changes, and then the proper info propagates into /var/dhcpd/etc/dhcpd.conf
Maybe I'm crazy, but for me we can just call it OPN and leave the "sense" part out. ???
To me, it does not really make sense. ;)
But at least I now know what happens.
Kind regards,
Bert