
Messages - bigops

#1
24.1, 24.4 Legacy Series / Dual WAN DPinger Error
April 13, 2024, 11:35:14 PM
I recently started noticing that one of the WAN circuits in my dual WAN setup regularly goes down with a dpinger error.  I have started noticing this after upgrading to Opnsense 24.1 and enabling IPv6 on the interface that is failing.  Looking at the logs for Gateways I see these constantly

2024-04-13T13:26:48-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:47-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:46-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:45-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:44-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:43-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP   
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP

This error comes immediately after the gateway watcher is reloaded.  Not sure why SIGHUP is being generated when there is no change in the firewall or reboots.  This happens only on one of the gateways (primary).

#2
24.1, 24.4 Legacy Series / Searching and filtering rule
February 22, 2024, 05:44:23 PM
Is there any way to search or filter on rules in Opnsense?  For example, if I want to search for a rule which contains an IP address and destination port.  I have been trying to do this but have not been able to find any easy way.

Thanks
#3
This issue seems to be similar to something which I had raised earlier here https://forum.opnsense.org/index.php?topic=31961.msg154479#msg154479.  But there was no response or solution.  The workaround that I am working on is to reset the state table after the firewall has any reboots or upgrades, and once the state table is reset the routing seems to work fine.
#4
23.1 Legacy Series / Re: NAT issue
February 07, 2023, 04:25:29 PM
Has this been observed by anyone?  The issue is becoming more frequent and I have to reset the table every couple of days for this to keep working.  Is this a bug introduced in OpnSense / FreeBSD?
#5
23.1 Legacy Series / NAT issue
January 27, 2023, 11:54:01 PM
I had posted this in the 22 forum earlier.  https://forum.opnsense.org/index.php?topic=31961.msg154477#msg154477

The issue with outbound NAT seems to still persist in the 23 version also.  The issue is that if there is a gateway group with dual WAN interfaces in it and for operational reason a specific outbound traffic is redirected to a gateway with a lower priority (other than the gateway group) sometimes the outbound traffic seems to land up on the wrong gateway.  Rebooting the appliance does not seem to solve the issue, but manually clearing the state table again puts the traffic onto the correct gateway. 

This used to work fine in all earlier versions so seems to be some kind of bug introduced recently.

Skip rules when gateway is down is checked to prevent gateway rewrite on failure.

#6
22.7 Legacy Series / Re: Something seems broken in NAT
January 19, 2023, 07:38:10 AM
For now the issue seems to have been resolved.  As part of troubleshooting I was looking into the state table and I could see that the state table had entries which showed that the traffic was blocked since it was on the wrong interface (but there were no logs in the firewall live logs).  After resetting the state table it started working again.

One question that I have further on this is: does the state table clear during a reboot, or does the state table have to be cleared manually?  Is there any scavenging mechanism so that wrong state table entries do not remain?
#7
22.7 Legacy Series / Something seems broken in NAT
January 19, 2023, 06:21:17 AM
I was managing an OpnSense system which was running flawlessly over the past few years.  But in the last month I started noticing an issue which seems to have been introduced recently, as the same configuration had been working fine for more than 2 years.  In the setup there is a server in a DMZ interface which needs UDP port 36605 to be forwarded to it.  The server will also contact other servers on the internet on the same UDP port (36605).  This setup is behind a firewall with 2 WAN interfaces.
This particular traffic to port 36605 needs to go via the WAN2 interface (WAN1 is default).  There is a rule in the interface which will direct traffic to WAN2.
The inbound NAT seems to work fine, but outbound traffic (even though there is no NAT on the WAN1 interface for the DMZ server network) seems to end up on WAN1 instead of the expected WAN2.  A rough illustration is attached.

Does someone have suggestions, or is this a bug?

Thanks
#8
Found it, it is in the IPsec Advanced settings.
#9
I don't think it is there.  I can see the rules in the Internet interface but no way to delete them.
#10
How do I disable the automatically generated VPN rules in Opnsense?

I know I had done this earlier.  But right now I am unable to find where I can do it  ???

thanks
#11
22.7 Legacy Series / Re: Gateway server for LAN network
December 01, 2022, 07:46:01 AM
From what I see from your post, all your servers have a public and a private IP.  To achieve this, trying to introduce OpnSense may be overkill.

Do you have root access into the boxes?  Linux by default comes with routing between interfaces disabled.  You will need to enable IP routing, and then, provided there is no firewall in the boxes (iptables etc.), this will work.  If you have firewalls running on the boxes then you will have to do additional configuration on the forward chain of the firewall.

Googling how to route between interfaces will give you a ton of resources on how it is done.
#12
I was in the process of upgrading my Firewall from old hardware with 4 network cards to other hardware with 6 network cards.  From what I have seen, the backup when restored does not restore the interface configuration and it has to be manually added.  Even when the interfaces are manually added with the same name, it was seen that the Firewall rules are now applied to a wrong interface.  It appears that the firewall rules are tagged to the internal WAN / LAN / Opt_x interface names rather than the physical names.  This makes the backup practically useless for a quick restore.  The rules seem to work only when the new interfaces are added sequentially to mimic the old internal interface names.  Is this a bug that can be fixed so that the firewall rules can be tied to the given interface names rather than the internal names?
#13
21.7 Legacy Series / Re: Does DHCP relay have a bug??
January 17, 2022, 04:49:39 PM
Interestingly, the dhrelay lists all interfaces except the WAN interfaces, even though the config says only to use a single interface.  (See attached screenshot.)

Maybe this is where the issue is?
#14
21.7 Legacy Series / Re: Does DHCP relay have a bug??
January 16, 2022, 07:20:57 AM
The screenshot of the config.  The expectation is that since the Relay is configured only on the Media interface, the DHCP server should receive it from there.  But it receives a relay from the Routed uplink interface also as a relay agent.
#15
21.7 Legacy Series / Re: Does DHCP relay have a bug??
January 12, 2022, 05:49:15 PM
I have not seen an option to specifically exclude the interface from the Relay in OpnSense.  But in the Relay configuration page only the VLAN interface has been configured as a Relay agent.