Messages - mic

#1
Hello,

I have the same problem: after one or two hours the traffic stops, but the tunnel (phase 1 and 2) is up. Attached you can find screenshots of the configuration.

Thank you
#2
bartjsmit you are right!  ;D

This is my configuration.

Firewall A

VXLAN
Quote
VNI: 100200
Source Address: a.a.a.a
Source port: 5248
Remote address: b.b.b.b
Remote port: 5248
Multicast group: none
Device: none

I assigned and activated an interface (without IP address) using VXLAN_100200 as the device.
I created a bridge with members VXLAN_200 and VLAN_200.
On WAN interface:
Quote
Protocol: IPv4 UDP
Source: b.b.b.b
Destination: a.a.a.a (WAN Address)
Destination port: 5248

Firewall B

VXLAN:
Quote
VNI: 100200
Source Address: b.b.b.b
Source port: 5248
Remote address: a.a.a.a
Remote port: 5248
Multicast group: none
Device: none

I assigned and activated an interface (without IP address) using VXLAN_100200 as the device.
On Firewall B I have no VLANs to associate with VXLAN 100200.

On WAN interface:
Quote
Protocol: IPv4 UDP
Source: a.a.a.a
Destination: b.b.b.b (WAN Address)
Destination port: 5248

On both firewalls, in the rules for the VXLAN interface, I added only one rule: permit any to any.

First of all, I think there is some missing configuration on Firewall B...

Thank you
#3
Virtual private networks / VXLAN between two OPNsense
August 28, 2024, 11:50:47 AM
Hi,

I need to configure VXLAN between two OPNsense. This is my situation:
OPNsense A as a physical firewall in the head office
Quote
IP Public: a.a.a.a
LAN 1: 192.168.100.1/24
VLAN 200: 192.168.200.1/24
VLAN 210: 192.168.210.1/24
VLAN 220: 192.168.220.1/24

OPNSense B as VM in a DC:
Quote
IP Public: b.b.b.b
LAN 1: 192.168.2.1/24

My goal is to transport VLANs 200, 210 and 220 of Firewall A to Firewall B in the DC, so as to allow VLANs 200, 210 and 220 to surf the Internet through Firewall B using its public IP b.b.b.b.

For various reasons I cannot use any other VPN than VXLAN

I tried some configuration but without luck.

Could you help me, please?

Thank you
#4
Hi,

the solution proposed by doktornotor works!

Thank you
#5
Hello,

after some attempts I found a workaround. The problem is that OPNsense does not load the mlx4en module at startup even though the line mlx4en_load="YES" is present in the file /boot/loader.conf.local. A workaround is to create in
/usr/local/etc/rc.syshook.d/early/

the file
16-mlx4en-load

with the following content:

#!/bin/sh
kldload mlx4en


Now you have to set execute permissions on the file:
chmod +x 16-mlx4en-load

The last step is to reboot the system.

I hope this workaround can help someone

#6
Hello,

I have an AOC-MCX312C-XCCT (2 x 10 Gb SFP+) installed on a Supermicro AS-5019D-FTN4 and after updating to 24.7 the ports do not work anymore. I tried the following actions:

  • Remove from /boot/loader.conf.local the only row with mlx4en_load="YES"
  • Reboot
  • Load mlx4en with kldload mlx4en
  • Reload all interfaces with configctl interface reconfigure <interface_name>

My interfaces are lagg0 and 3 VLANs, so to reload the interfaces I run the following commands:

  • configctl interface reconfigure lagg0
  • configctl interface reconfigure lagg0_vlan20
  • configctl interface reconfigure lagg0_vlan3
  • configctl interface reconfigure lagg0_vlan9

After all these steps the interfaces still do not work.

This is the message at boot time (before I load the module):

Quote
mlx4_core0: <mlx4_core> mem 0xef800000-0xef8fffff,0x1fff8000000-0x1ffffffffff irq 54 at device 0.0 on pci4
mlx4_core: Mellanox ConnectX core driver v3.7.1 (November 2021)
mlx4_core: Initializing 0000:04:00.0
mlx4_core0: Unable to determine PCI device chain minimum BW
intsmb0: <AMD FCH SMBus Controller> at device 20.0 on pci0
smbus0: <System Management Bus> on intsmb0
ig4iic0: <Designware I2C Controller> iomem 0xfedc2000-0xfedc2fff irq 10 on acpi0
iicbus0: <Philips I2C bus (ACPI-hinted)> on ig4iic0
ig4iic1: <Designware I2C Controller> iomem 0xfedc3000-0xfedc3fff irq 11 on acpi0
iicbus1: <Philips I2C bus (ACPI-hinted)> on ig4iic1
ig4iic2: <Designware I2C Controller> iomem 0xfedc4000-0xfedc4fff irq 12 on acpi0
iicbus2: <Philips I2C bus (ACPI-hinted)> on ig4iic2
ig4iic3: <Designware I2C Controller> iomem 0xfedc5000-0xfedc5fff irq 13 on acpi0
iicbus3: <Philips I2C bus (ACPI-hinted)> on ig4iic3
ig4iic4: <Designware I2C Controller> iomem 0xfedc6000-0xfedc6fff irq 14 on acpi0
iicbus4: <Philips I2C bus (ACPI-hinted)> on ig4iic4
ig4iic5: <Designware I2C Controller> iomem 0xfedcb000-0xfedcbfff irq 15 on acpi0
iicbus5: <Philips I2C bus (ACPI-hinted)> on ig4iic5
driver bug: Unable to set devclass (class: ppc devname: (unknown))

Could you help me, please?

Thank you
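The two Mellanox posts above (#5 and #6) describe the same manual sequence: write an rc.syshook "early" script that runs kldload for mlx4en, make it executable, reboot, and then confirm the module is actually loaded. The script below is an added example, not code from the thread or from the OPNsense project, that performs that sequence in a repeatable way and checks the result before you reboot. It assumes the hook directory and file name given in post #5; HOOK_DIR can be overridden so the functions can be exercised against a temporary directory on any POSIX shell. The `kldload -n` flag (skip loading if already loaded) and the `kldstat` grep for "mlx4en.ko" are FreeBSD-specific and are assumptions about the module's file name.

```shell
#!/bin/sh
# Added example (not from the forum posts): install and verify the
# rc.syshook early script that loads mlx4en, as described in posts #5/#6.
# Assumption: the path and file name below are the ones post #5 gives.

HOOK_DIR="${HOOK_DIR:-/usr/local/etc/rc.syshook.d/early}"
HOOK_NAME="16-mlx4en-load"
MODULE="mlx4en"

# Write the hook script and make it executable. Re-running overwrites the
# file with identical content, so the step is safe to repeat.
install_mlx4en_hook() {
    dir="${1:-$HOOK_DIR}"
    mkdir -p "$dir" || return 1
    printf '#!/bin/sh\n# Load the Mellanox ConnectX-3 driver early; workaround for\n# mlx4en_load="YES" in /boot/loader.conf.local being ignored.\nkldload -n %s\n' "$MODULE" > "$dir/$HOOK_NAME" || return 1
    chmod 0755 "$dir/$HOOK_NAME"
}

# Verify the installed hook: present, executable, shell shebang on line 1,
# and a kldload line for the module. Returns 0 only when every check passes,
# so you catch a forgotten chmod before rebooting rather than after.
check_mlx4en_hook() {
    dir="${1:-$HOOK_DIR}"
    f="$dir/$HOOK_NAME"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    [ "$(head -n 1 "$f")" = "#!/bin/sh" ] || { echo "bad shebang in $f"; return 1; }
    grep -q "^kldload .*$MODULE" "$f" || { echo "no kldload line in $f"; return 1; }
    return 0
}

# After the reboot (or after a manual kldload as in post #6): is the module
# loaded right now? Returns 2 when kldstat is absent, i.e. not FreeBSD.
mlx4en_loaded() {
    command -v kldstat >/dev/null 2>&1 || { echo "kldstat not available on this host"; return 2; }
    kldstat | grep -q "${MODULE}\.ko"
}

# Usage: sh thisfile.sh install | check | status
case "${1:-}" in
    install) install_mlx4en_hook && check_mlx4en_hook && echo "hook installed; reboot to apply" ;;
    check)   check_mlx4en_hook && echo "hook OK" ;;
    status)  mlx4en_loaded && echo "$MODULE loaded" || echo "$MODULE not loaded" ;;
esac
```

Run `install` once as root on the OPNsense box, `check` to confirm the file is in the state post #5 requires, and `status` after the reboot to see whether the driver came up without a manual kldload.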
#7
Virtual private networks / Wireguard 2 WANs IP
July 26, 2024, 05:22:02 PM
Hello,

I have the following configuration:

  • A virtualized OPNsense in a DC with 1 static public IP: a.b.c.d
  • A hardware OPNsense in the customer headquarters with 2 WAN connections (different ISPs) and therefore 2 WAN IP addresses (say e.f.g.h and i.j.k.l)
Now in the customer HQ the first WAN connection is the primary and the second WAN is the backup. I configured a Wireguard tunnel between the DC OPNsense and the HQ OPNsense using e.f.g.h (primary WAN IP of the HQ OPNsense) as the peer endpoint IP address in the DC OPNsense. Now if the primary WAN connection of the HQ goes down, the Wireguard tunnel also goes down because, in the virtual OPNsense in the DC, the Wireguard peer endpoint address is set to e.f.g.h (primary WAN IP address of the HQ connection).
Now the question is: how can I configure, in the virtual OPNsense in the DC, a second peer endpoint address (i.j.k.l) as backup, so that if the HQ primary WAN ISP goes down the Wireguard tunnel switches to the secondary WAN using i.j.k.l as the peer endpoint IP address?

Thank you
#8
Hi Franco,

I sent you the unbound section of config.xml via email.

Thank you
#9
@Franco

Hi,

I have the same issue: after the upgrade to 23.7.3 Unbound was disabled, so I enabled it, but all my overrides don't work.
I run the following command:
/usr/local/opnsense/mvc/script/run_migrations.php

** OPNsense\Unbound\Unbound Migration failed, check log for details


and then
opnsense-log | grep run_migrations

<147>1 2023-09-13T08:23:04+02:00 localhost config 2076 - [meta sequenceId="29"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()
<147>1 2023-09-13T08:27:54+02:00 opnsense-casa.proximanet.net config 80369 - [meta sequenceId="8"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()
<147>1 2023-09-13T09:56:22+02:00 opnsense-casa.proximanet.net config 50858 - [meta sequenceId="6"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()


Then I tried also to enable the access list and insert my subnets, but it still doesn't work...

Can you help me, please?

Thank you
#10
Hi to all,

I know this topic has been covered before, but I would like to know if there is any forecast of whether this feature will be implemented and, if so, when. The functionality I'm talking about is that the DHCP server is able to release, and reserve, IPs even for remote subnets not directly connected to OPNsense. These requests all arrive over the same interface from remote routers, say Cisco, which use the dhcp-relay feature. OPNsense, based on the IP of the Cisco router that sends the request, responds to the latter by issuing a valid IP.

Thank you
#11
General Discussion / Re: VoIP QoS
October 24, 2022, 01:46:44 PM
Yes, I have read these two guides but, honestly, I have not understood how to adapt them to my needs. Also consider the fact that the VoIP Server is in the Cloud and its Public IP changes from time to time.

Thank you
#12
General Discussion / VoIP QoS
October 24, 2022, 11:25:43 AM
Hi to all,

we have the following 4 VLANs:

  • LAN - VLAN 10: 192.168.10.0/24
  • WIFI 1 - VLAN 20: 192.168.20.0/24
  • WIFI 2 - VLAN 30: 192.168.30.0/24
  • VoIP - VLAN 40: 192.168.40.0/24

We need the VoIP VLAN to have priority over the others. Our ISP connection is 100/100 Mb/s. Our goal is that if the connection becomes saturated, the VoIP VLAN takes precedence over the others and, if possible, in case of bandwidth saturation at least 15/15 Mb/s is reserved for the VoIP VLAN.

Thank you
#13
Hi,

the configurations on both ends are exactly the same. If I restart the service on the local OPNsense (22.1.8_1) the IPsec tunnel goes up and everything works perfectly for a certain period of time. If I generate traffic in the tunnel (infinite ping towards a host in the remote network), the tunnel doesn't go down. It goes down after a period of time if there isn't traffic in the tunnel.
This issue started when I updated the local OPNsense to 22.1.8_1. The remote version of OPNsense is 22.1.2_1.

I attach the Phase 1 and Phase 2 configuration of the local OPNsense. They are exactly the same on the remote OPNsense, except for "Remote Gateway" in Phase 1 and "Local Address" and "Remote Address" in Phase 2, which are inverted...

Thank you
#14
No, it doesn't come up
#15
Hi,

I tried the solution suggested by bugzptr but it didn't work. After about 15-20 minutes of inactivity the IPsec tunnel goes down. Instead, if there is traffic in the tunnel (infinite ping) the link doesn't go down...   :'(

Thank you