Messages - dragon2611

#1
21.7 Legacy Series / Re: NPTv6 PD?
December 24, 2021, 03:20:22 PM
Quote from: dragon2611 on December 24, 2021, 03:19:37 PM
Pretty sure it's not consistent on Starlink. I can ask for and receive a /56 via a DHCPv6-PD request, but it seems to change if I lose connection long enough. I suppose I could try sending a prefix hint and seeing if I get the same one back.

If you ask them anything about IPv6 they'll just say they don't support it (it's enabled on the network and usually works, but since their provided router doesn't use it yet they're not interested in supporting it).
#2
21.7 Legacy Series / Re: NPTv6 PD?
December 24, 2021, 03:19:37 PM
Pretty sure it's not consistent on Starlink. I can ask for and receive a /56, but it seems to change. I suppose I could try sending a prefix hint and seeing if I get the same one back.

If you ask them anything about IPv6 they'll just say they don't support it (it's enabled on the network and usually works, but since their provided router doesn't use it yet they're not interested in supporting it).
#3
21.7 Legacy Series / NPTv6 PD?
December 22, 2021, 11:39:00 AM
Is there any way to use NPTv6 alongside PD? I had hoped to be able to use it in order to be able to fail over to a secondary ISP, but it looks like it expects you to manually set the prefixes to be translated.

Sadly I have no way of knowing what my V6 prefix will be for that WAN, as it's assigned by DHCPv6-PD and it tends not to be sticky either.
#4
Zenarmor (Sensei) / Re: Should router on a stick work?
December 21, 2021, 09:31:03 PM
Quote from: sy on December 21, 2021, 05:21:11 PM
Hi,

@dragon2611 can you send a bug report from the upper right corner of Sensei GUI?

I think it might actually have been down to broken IPv6 that was being annoyingly intermittent. Turns out I had more than one V6 gateway and they had the same metric.
#5
Zenarmor (Sensei) / Re: Should router on a stick work?
December 21, 2021, 09:29:17 PM
Quote from: chemlud on December 21, 2021, 10:09:31 AM


Does that mean to mix tagged and untagged traffic on the same physical interface? Don't do that on BSD...

Oh, wasn't aware that causes an issue  :o
#6
Zenarmor (Sensei) / Should router on a stick work?
December 21, 2021, 10:07:27 AM
i3-6100T USFF machine 8gb ram, ~300Mbit connection.

Wan is a VLAN on em0
Lan is native
Various other VLANs.

Opnsense 21.7.7

Having Zenarmor installed, even running in passive mode, seemed to cause some weirdness like connections hanging or being slow to establish.

Not sure if it's underpowered hardware or it gets upset at seeing the WAN vlans as well.

Only way to split the WAN and LAN interfaces would be to add a USB3 NIC.
#7
I can't install in a VM on a Mac Mini in proxmox. It should (just about) meet the minimum requirements.

CPU Model:Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz
CPU Score:384496
Physical Memory Size:2.13 GB (Mini only has 4GB)

Please make sure you are running the latest OPNsense version
OPNsense 19.7.10-amd64

OPNsense isn't finding any newer updates than this  ???


I could try an install on more powerful hardware but then I'd have to tunnel the traffic I wanted to pass through Sensei to the datacentre first.

Edit:

Seemed to work following a reboot, guess there was an installed update that needed a reboot.
#8
Otherwise if you have a ZT network with 0.0.0.0/0 to make other devices route via opnsense it tries to add the route on opnsense itself which usually leads to the opnsense appliance being somewhat unreachable.
#9
19.1 Legacy Series / Re: Upgrade fail
February 01, 2019, 11:41:57 PM
Same problems with an R415,

AMD cpu issue perhaps?
#10
19.1 Legacy Series / Re: Kernel panic after upgrade
February 01, 2019, 11:12:06 PM
Dell r415 also kernel panics and reboots after trying to upgrade it to 19.1

Managed to get into its idrac and boot the old kernel.
>:(
#11
18.7 Legacy Series / Re: 18.7.10_3 Loses interface
January 19, 2019, 12:51:08 PM
Not 100% sure, I know it was an 18.7 release before I updated and it also hadn't been done for a while.

The interfaces appear to be assigned ok, I'll reboot and do some further testing and see if I can come back with something slightly more useful than "it's broke".

Edit:

Looks like I ran into this issue - https://github.com/zerotier/ZeroTierOne/issues/787  :o

The subnet on bce0_vlan101 was advertised as a managed route in zerotier pointing at the VIP that my firewalls have on that Zerotier interface. Instead of the expected connected route for the /24, opnsense was learning the managed route from ZT in preference to the connected route, effectively giving it a route for that /24 that points at itself  ::)

Now why it only affected one of the firewalls and not the other one I don't have a clue as they are both connected to Zerotier, also not sure why it wasn't a problem before now either but whatever, least I've gotten to the bottom of it.

I've removed the managed route from zerotier.com for now, but ideally the Opnsense plugin for zerotier needs the option to ignore managed routes from zerotier or an interface to the blacklist config.
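
Added example, not part of the original post and not OPNsense or ZeroTier code: a small Python audit that flags controller-pushed managed routes which shadow a directly connected subnet or install a default route, the two failure modes described in these posts. All subnets, addresses and the `target`/`via` record shape are constructed sample data and assumptions.

```python
import ipaddress

# Constructed sample: subnets directly connected on the firewall's interfaces.
CONNECTED = {"bce0_vlan101": "192.0.2.0/24", "em0": "198.51.100.0/24"}

# Constructed sample: managed routes as pushed by the overlay controller.
# The target/via field names are an assumption for this example.
MANAGED = [
    {"target": "192.0.2.0/24", "via": "10.147.17.1"},    # same /24 as the VLAN
    {"target": "0.0.0.0/0", "via": "10.147.17.1"},       # full-tunnel default
    {"target": "10.147.17.0/24", "via": None},           # the overlay itself
    {"target": "203.0.113.0/24", "via": "10.147.17.9"},  # remote site, harmless
]


def audit_managed_routes(connected, managed, own_addrs):
    """Return (target, reason) pairs for routes the firewall should not accept.

    own_addrs: addresses (including CARP VIPs) this host holds on the overlay.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in connected.items()}
    own = {ipaddress.ip_address(a) for a in own_addrs}
    findings = []
    for route in managed:
        target = ipaddress.ip_network(route["target"])
        if route["via"] is None:
            continue  # on-link route for the overlay network, nothing to shadow
        via = ipaddress.ip_address(route["via"])
        if target.prefixlen == 0:
            findings.append((str(target), "default route via overlay"))
            continue
        for name, net in nets.items():
            if target.version == net.version and target.overlaps(net):
                reason = f"shadows connected subnet on {name}"
                if via in own:
                    reason += ", next hop is this host"
                findings.append((str(target), reason))
    return findings


if __name__ == "__main__":
    for target, reason in audit_managed_routes(CONNECTED, MANAGED, ["10.147.17.1"]):
        print(f"{target}: {reason}")
```
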
#12
18.7 Legacy Series / 18.7.10_3 Loses interface
January 19, 2019, 01:35:47 AM
Upgraded a pair with one physical opnsense and one virtual from 18.7.6 I think it was to 18.7.10_3, and now one of my VLANs can't ping out via the physical unit.

It's bce0_vlan101, so a Broadcom NIC.

Oddly when I put the physical machine into carp maintenance mode and rebooted it I was able to ping its IP address from one of the VMs on that VLAN. As soon as I took it out of maintenance mode and it took over the VIP, I lost the ability for the VM to ping both the firewall's real IP and the virtual IP.

At the moment I've left it in maintenance mode with the virtual secondary handling the traffic. One difference is the VM doesn't have VLANs whereas the physical does; for the VM the VLAN tagging is done by the hypervisor, so opt1, opt2, etc. is just seen by opnsense as an additional NIC.
#13
Can't see any updates on the mirrors  :o
#14
19.1 Legacy Series / Feature Request: Tie FRR to CARP.
December 15, 2018, 04:02:32 PM
pfsense has a rather nice feature where you can tie FRR to the status of a CARP IP so it doesn't run unless the firewall is the master.

Allows you to do some nice things like only have the primary firewall participating in BGP, and avoids stuff occasionally being accidentally routed via the secondary.

Any chance of getting this in opnsense?
#15
I'd like to try sensei but I suspect I'd run into problems with lack of RAM, and also I have an opnsense HA pair with one physical and one virtual (KVM) so I think I'd run into the KVM/VIRTIO issue.

I'm wondering if I'd be better off starting another virtual firewall and stuffing it in the traffic path for the machines I'd want to put behind sensei.