Messages - Cerberus

#31
I use netcup myself to provide my location with IPv6. I use Zerotier to tunnel the traffic from OPNsense at Netcup to my home OPNsense, but I need at least three /64s to do that.

The Route48 project looks really interesting; providing a /48 with BGP, WireGuard or Zerotier is very exotic. I'll give it a try.
#32
I'm trying to understand your configuration: so you have WAN from xs4all and a VPN provider, and you want some sources or targets to go over the PIA tunnel and the rest to go over xs4all?

You have to create a NAT rule and a firewall rule and place them above your rules that allow/NAT WAN (because those address "all"). In these rules you decide whether traffic goes over PIA depending on source or target, or maybe both. The firewall rule has PIA as its gateway interface and the NAT rule has PIA as its translation interface.

You can't just route into PIA, as PIA cannot work with your LAN IPs; you have to go out with the IP assigned to you by PIA, and this is where the NAT rule comes into play. Depending on whether you get a public or private IP from PIA, you may end up with double NAT, which does not work well with some protocols.

And please do not nag too much, it's a community forum.
#33
I don't think it is the drive. On FreeBSD the system normally gets really verbose (CAM errors) on your terminal screen on a drive fault.

There are some reports about issues after people updated to 22.1.8: aliases not working anymore, rules having to be saved again and stuff like that. I updated three KVMs to 22.1.8 and had no issues, but these are the simpler setups. Most of my production / heavy-duty OPNsense installations run on the Business Edition and intentionally lag behind the minor releases.

If this happens again, try to log on locally and check whether your installation is still alive.
#34
* PPPoE WAN
* 10G

In my experience that did not work well with high bandwidth, no matter if FreeBSD or Linux; PPPoE has way too much overhead for that.
#35
Hello,

I have run a dual-stack IPsec connection between two sites for quite some time. Both sides run OPNsense BE. The IKEv2 policy-based tunnel runs on IPv4 transport and has two phases, one for IPv4 and another one for an IPv6 subnet.

After updating both sides to OPNsense Business Edition 22.04, IPv6 between these sites suddenly stopped working. I checked every setting, rules, phases, and sniffed several interfaces, and found something strange in the process. My first thought was that strongSwan is not sending anything at all, but then I found that everything I send reaches the remote site's server and the response reaches my local firewall; I can see responses on enc0, but it never reaches my local LAN. I temporarily set an allow rule for everything that comes in on IPsec, but no luck, traffic is stuck in the firewall.

I have a second tunnel based on Zerotier to another site that works fine with IPv4 and IPv6. I have an IKEv2 mobile IPsec connection on my local firewall that works fine, both IPv4 and IPv6.

What can possibly block incoming IPv6 traffic that comes through that IPsec tunnel? I see responses on enc0, but it never reaches my LAN. It all worked well on the previous version.

I am a bit lost here.
#36
Hi,

Any solution to this? I just created a new OPNsense install and am trying to set up a site-to-site IPsec connection. Starting ipsec by hand tells me there is no configuration file in "/usr/local/etc/strongswan.opnsense.d/*.conf". The log is completely empty.

I checked ciphers, and I use aes-gcm-256 and sha256; that should be supported on FreeBSD 13.x. This connection was created on the latest version of OPNsense.
#37
Hi,

I just did an upgrade on one of my private OPNsense installations and made my mobile IKEv2 dual-stack; no issues on my end, Windows and Android devices get IPv4 and IPv6, and IPv6 is working fine.
#38
Hi,

Did you find a solution for this issue? I hope this is not really an issue with 22.1; I use dual-stack IKEv2 road warrior in production and plan to hop on 22.1 on the next minor update.

#39
I checked it on my side and tried to add a phase 2 to a mobile P1.

In 21.10 (= 21.7), if I create a P2 for a mobile P1 I get a screen without "remote network", which is what I expect, but in 22.1 you get the "normal" P2 window with a remote network. That does not make any sense for a mobile IPsec; I think it's a bug.
#40
22.1 Legacy Series / Re: Ipsec throughput poor
February 10, 2022, 05:03:57 PM
It may be an issue with MTU and MSS size; there are some posts in this forum about performance issues and IPsec, worth a try.
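The MTU/MSS point raised in this post, and the dual-stack-over-IPv4-transport tunnel described in #35, both come down to how much ESP eats out of the outer MTU. The following is an added worked example, not code from the thread or from OPNsense: it computes, for a tunnel-mode ESP packet on IPv4 transport, the largest inner packet that still fits and the resulting TCP MSS to clamp to (for both inner IPv4 and inner IPv6). The per-proposal IV, ICV and alignment sizes are taken from RFC 4303, RFC 4106 and RFC 4868; the proposal names are assumed labels, not an OPNsense API. An outer MTU of 1500 is the constructed sample input.

```python
"""Worked ESP overhead and MSS-clamp calculation for a tunnel-mode IPsec
connection on IPv4 transport (the setup in the posts above).

Added example, not from the original thread. Per-algorithm sizes come from
RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128).
"""

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
UDP_HDR = 8        # present only with NAT-T (UDP encapsulation on port 4500)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# proposal -> (IV bytes, ICV bytes, alignment the padded payload must satisfy)
# (names are assumed labels for this example, not OPNsense identifiers)
PROPOSALS = {
    "aes-gcm-256": (8, 16, 4),      # RFC 4106: 8-byte IV, 16-byte ICV, 4-byte alignment
    "aes256-sha256": (16, 16, 16),  # AES-CBC: 16-byte IV and block; HMAC-SHA-256-128 ICV
    "aes256-sha1": (16, 12, 16),    # AES-CBC with HMAC-SHA-1-96 ICV
}


def tunnel_mtu(outer_mtu, proposal, nat_t=False):
    """Largest inner IP packet that still fits into one ESP packet of outer_mtu."""
    iv, icv, align = PROPOSALS[proposal]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv + ESP_TRAILER
    avail = outer_mtu - fixed
    # inner + pad + 2-byte trailer must be a multiple of `align`, i.e. inner must
    # be congruent to (align - 2) modulo align; round avail down to such a value.
    return avail - ((avail - (align - 2)) % align)


def mss_clamp(outer_mtu, proposal, nat_t=False, inner_ipv6=False):
    """TCP MSS to clamp to so a full-size segment never needs fragmenting."""
    inner_ip = IPV6_HDR if inner_ipv6 else IPV4_HDR
    return tunnel_mtu(outer_mtu, proposal, nat_t) - inner_ip - TCP_HDR


def esp_packet_size(inner_len, proposal, nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner packet of inner_len bytes."""
    iv, icv, align = PROPOSALS[proposal]
    pad = (-(inner_len + ESP_TRAILER)) % align
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv
            + inner_len + pad + ESP_TRAILER + icv)


if __name__ == "__main__":
    # constructed sample: a 1500-byte outer MTU, the usual Ethernet case
    for proposal in PROPOSALS:
        for nat_t in (False, True):
            mtu = tunnel_mtu(1500, proposal, nat_t)
            print(f"{proposal:14} nat-t={nat_t!s:5} tunnel MTU {mtu}  "
                  f"MSS v4 {mss_clamp(1500, proposal, nat_t)}  "
                  f"MSS v6 {mss_clamp(1500, proposal, nat_t, inner_ipv6=True)}")
```

For aes-gcm-256 without NAT-T on a 1500-byte outer MTU this gives a tunnel MTU of 1446 and an MSS of 1406 for inner IPv4, 1386 for inner IPv6; NAT-T costs another 8 bytes. If path MTU discovery across the tunnel is broken (ICMP filtered somewhere), oversized segments simply stall, which shows up as poor throughput; clamping the MSS on the interfaces facing the tunnel to the computed value sidesteps that. Note that ESN does not change the on-the-wire size, so it does not affect the result.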
#41
Hi,

I updated one of my OPNsense machines to 21.7.6 a few days ago and today I rebooted this machine. I got complaints that some services are no longer available; after checking I found that NGINX no longer starts up because of a sudden port conflict between lighttpd and NGINX. I checked the config history and no changes were made, just updating and rebooting.

I can see that lighttpd listens on a high port (that I configured) with SSL and, for some reason, also on port 80, which is the port that NGINX wants to bind to. I have no idea what's broken here, lighttpd or NGINX or maybe Let's Encrypt? I see two lighttpd processes, one with lighty-webConfigurator.conf and another one with lighttpd-acme-challange.

I did two reboots, no success.
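The check a practitioner would run for the port conflict described above is to list the listening sockets and see which process holds :80. The following is an added example, not code from the thread or from OPNsense: it parses the output of FreeBSD's `sockstat -46l`, maps each listening TCP port to the (command, pid) pairs holding it, and reports ports that are held by something other than the expected owner. The sockstat text embedded below is constructed to mirror the situation in the post (a second lighttpd instance bound to :80 while NGINX is expected there); the process names and PIDs are made up.

```python
"""Find which process holds a TCP listening port, from `sockstat -46l` output.

Added example, not from the original thread. SAMPLE is constructed to mirror
the post: a second lighttpd process holds *:80, which NGINX wants to bind to.
On a real box, feed live_sockstat() into port_conflicts() instead.
"""
import subprocess
from collections import defaultdict

# constructed sample output in FreeBSD sockstat's column layout
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   *:8443                *:*
root     lighttpd   1234  5  tcp6   *:8443                *:*
root     lighttpd   1299  4  tcp4   *:80                  *:*
root     lighttpd   1299  5  tcp6   *:80                  *:*
root     nginx      1300  6  tcp4   *:443                 *:*
root     sshd       900   4  tcp4   *:22                  *:*
"""


def parse_sockstat(text):
    """Return {port: {(command, pid), ...}} for every TCP listening socket."""
    holders = defaultdict(set)
    for line in text.splitlines()[1:]:        # first line is the column header
        cols = line.split()
        if len(cols) < 6:
            continue
        _user, cmd, pid, _fd, proto, local = cols[:6]
        if not proto.startswith("tcp"):
            continue
        port = local.rsplit(":", 1)[1]        # works for "*:80" and "[::1]:80"
        if not port.isdigit():
            continue
        holders[int(port)].add((cmd, int(pid)))
    return dict(holders)


def port_conflicts(text, expected):
    """expected: {port: command that should own it}.

    Returns {port: [(cmd, pid), ...]} listing every process other than the
    expected owner that holds one of those ports; empty dict means no conflict.
    """
    holders = parse_sockstat(text)
    conflicts = {}
    for port, owner in expected.items():
        others = sorted(h for h in holders.get(port, set()) if h[0] != owner)
        if others:
            conflicts[port] = others
    return conflicts


def live_sockstat():
    """Run the real command on a FreeBSD/OPNsense host (not used by the sample)."""
    return subprocess.run(["sockstat", "-46l"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for port, procs in port_conflicts(SAMPLE, {80: "nginx", 443: "nginx"}).items():
        print(f"port {port} is held by {procs}, not by the expected nginx")
```

With the constructed sample the only conflict is port 80, held by lighttpd pid 1299; port 443 is already NGINX's and is not reported. On the affected box the PID reported for :80 can be matched against `ps` to see which lighttpd config file that instance was started with, which is the distinction the post draws between the web configurator and the ACME challenge instance.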


#42
Hi,

Yes, I noticed that for some weeks: sometimes IPsec tunnels are down and the IPsec status shows that phase 1 is up but all phase 2s are missing. I have to press restart on OPNsense to get it fixed; triggering a restart from the peer does not bring the phase 2 back.
#43
Hi,

You need to blacklist the OpenVPN network; you need these custom parameters in Zerotier:

For example:

{
  "physical": {
    "192.168.0.0/24": {
      "blacklist": true
    }
  }
}
#44
Any ad blockers? I had massive issues connecting to OneDrive (Business) after having stuff like Pi-hole, blocklists etc. running. This only affected setting up OneDrive (login/relogin), never the usage.
#45
Hi,

Just some feedback from my update experience yesterday. Two OPNsense systems in a CARP cluster with:

5x IKEv1
2x IKEv2
35 currently active Mobile IKEv2 clients.

Most of them aes-gcm and some aes-cbc, all of them with sha256. No issues to report; all tunnel and client connections working well after the update. But I had one little issue today: we had a power outage, and after the reboot two tunnels stopped working with an authentication failure. The only thing that helped was to open phase 1 and press apply/save again, after which the authentication errors stopped. Just restarting the connection wasn't enough.