Messages - opnsense-user123

#1
Hello:

I'm not sure why I noticed this between the 2nd and 3rd of July, as I thought I did the updates earlier. But there was a recent update that changed the syntax of my 1:1 NAT rules. There seems to be a mistake in the destination .. it was previously set to ANY but the auto-update changed it to be the same as the source IP. Here's before and after for one of them:

-    <onetoone>
-      <external>81.xxx.xxx.xxx</external>
-      <category/>
-      <descr>1:1 Nat for 3cx machine on lan</descr>
-      <interface>wan</interface>
-      <type>binat</type>
-      <source>
-        <address>192.168.1.10</address>
-      </source>
-      <destination>
-        <any>1</any>
-      </destination>
-    </onetoone>


+        <onetoone>
+          <rule uuid="362ae75b-xxxx-xxxx-a050-0a98fb27c888">
+            <enabled>1</enabled>
+            <log>0</log>
+            <sequence>1</sequence>
+            <interface>wan</interface>
+            <type>binat</type>
+            <source_net>192.168.1.10/32</source_net>
+            <source_not>0</source_not>
+            <destination_net>192.168.1.10/32</destination_net>
+            <destination_not>0</destination_not>
+            <external>81.xxx.xxx.xxx</external>
+            <natreflection/>
+            <categories/>
+            <description>1:1 Nat for 3cx machine on lan</description>
+          </rule>
+        </onetoone>
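Review bot: `<destination_net>192.168.1.10/32</destination_net>` in the migrated rule duplicates `<source_net>`, whereas the legacy rule carried `<destination><any>1</any></destination>`; a binat rule whose destination is pinned to its own internal host will not match the general traffic the original rule covered. The migration should map a legacy any-destination to an unrestricted destination_net rather than copying source_net. Also, `<natreflection/>` appears empty where the legacy rule had no such field, so the effective default for that setting is worth confirming after upgrade.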


I had to manually modify the rule to change the destination back to ANY. I may have had to change the nat reflection setting also, but not sure as my debugging was not the most rigorous. Just letting you know that it seems like your script to update my rules needs a tweak. Thanks.
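As an added example (not OPNsense's migration script and not code from this post), the following Python converts a legacy `<onetoone>` rule into the field layout shown above while keeping an unrestricted destination, and audits an upgraded config for the symptom described here (destination copied from source). The literal `any` for an unrestricted `destination_net`, the sample addresses and the uuid are assumptions.

```python
# Added example: migrate a legacy 1:1 NAT rule and audit upgraded binat rules
# for a destination that was silently narrowed to the source (the symptom above).
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's "before" rule (documentation addresses).
LEGACY_XML = """<onetoone>
  <external>198.51.100.10</external>
  <interface>wan</interface>
  <type>binat</type>
  <source><address>192.168.1.10</address></source>
  <destination><any>1</any></destination>
  <descr>1:1 Nat for 3cx machine on lan</descr>
</onetoone>"""

# Constructed sample mirroring the post's "after" rule (uuid is a placeholder).
UPGRADED_XML = """<onetoone><rule uuid="placeholder-uuid">
  <interface>wan</interface><type>binat</type>
  <source_net>192.168.1.10/32</source_net>
  <destination_net>192.168.1.10/32</destination_net>
  <external>198.51.100.10</external>
  <description>1:1 Nat for 3cx machine on lan</description>
</rule></onetoone>"""

def _net(elem):
    """Legacy address block -> CIDR; an <any> child -> 'any' (assumed new-style literal)."""
    if elem is None or elem.find("any") is not None:
        return "any"
    # A bare host address becomes a /32; an existing prefix is normalised.
    return str(ipaddress.ip_network(elem.findtext("address"), strict=False))

def migrate_legacy_rule(legacy_xml):
    """Return the new-style fields for one legacy <onetoone> rule."""
    old = ET.fromstring(legacy_xml)
    return {
        "interface": old.findtext("interface"),
        "type": old.findtext("type"),
        "source_net": _net(old.find("source")),
        "destination_net": _net(old.find("destination")),
        "external": old.findtext("external"),
        "description": old.findtext("descr"),
    }

def audit_binat_rules(new_xml):
    """Descriptions of new-style binat rules whose destination equals their source."""
    root = ET.fromstring(new_xml)
    return [r.findtext("description") for r in root.iter("rule")
            if r.findtext("type") == "binat"
            and r.findtext("destination_net") == r.findtext("source_net")]
```

Running `audit_binat_rules` over the `<onetoone>` section of an upgraded config.xml lists the rules that need the destination set back to any.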
#2
Just a point of reference, my FreeBSD email server received an update (14.1-RELEASE-p2). This did not set "LoginGraceTime 0" so it must have actually patched ssh.
#3
This might be a bad idea ... but you might be able to export and modify the config file and re-import the required parts to change the DHCP server config.
#4
23.1 Legacy Series / Re: WAN PPPOE ROUTING
March 20, 2023, 10:00:45 PM
Quote: WAN v4 IP on OPNsense is different to the actual public IP

I'd look into that!
#5
...your issue could be similar to mine, https://forum.opnsense.org/index.php?topic=33057.0

Please let us know if you figure it out!
#6
Hello:

I think someone is just going to know the answer once I state the problem. I have a PPPoE connection which requires (not sure why) static config for IPv6. The ISP (Andrews and Arnold in UK) gave me an IPv6 WAN IP to use through which they will route my actual v6 IP block (a /48 and a /64 within that). The WAN IP is not in my /48 or /64. I may well have an incorrect network prefix set somewhere. Everywhere I have defined an address I used /64, except the WAN IP: since it was not in my /64 or /48, I came up with /96, which was at least accepted by Opnsense.

On IPv4, the WAN IP and gateway come up fine automatically on the PPPoE interface. I have then put the IPv6 WAN IP they gave me (/96) on the PPPoE Interface (v6 Static address) and a gateway comes up automatically.

With this setting, when I try to ping6 to a host, I cannot do it from the default interface (WAN). But if I ping with source address of one of my LAN IPv6 addresses (I have three LANs, and statically assigned an IP within my /64 block to each) I can ping.

I wouldn't care about that, but I seem to be having other issues also. Like, only from one of my LANs am I able to communicate on IPv6 (a mac and a linux desktop on wifi through that LAN work fine) but on another LAN I cannot communicate even though the computer has a real IPv6 address (2001:etc) and can do IPv6 dns lookups.

Any suggestions?

What additional info should I show you?

The failed ping does attempt to work, does not show an error, but gets no replies.

# ping6 -v google.com
PING6(56=40+8+8 bytes) 2001:xxx:ffff:4d8:xxx --> 2a00:1450:4009:820::200e

(where that masked source address is the WAN IP the ISP gave me to use.)

Actually, now I see that if I keep pinging longer in verbose mode I see some messages about Neighbor Solicitation and Neighbor Advertisement and Router Advertisement from other interfaces on my system.

Thanks!
#7
This does seem to have solved it!
#8
Check what process is using the CPU. I have been having problems when the PPPoE connection goes up and down Suricata pins the CPU. I'm on a quad core machine and it pins two of them, so I don't really notice. Restarting Suricata makes it stop (though Suricata does use high CPU for the first few tens of seconds as it goes through rules and sets itself up, then it settles).

If that solves it for you then I think we have found a bug.
#9
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 09:08:00 PM
I changed all the Virtual IPs to the [WanDummy] instead of the [PPPoE] interface and rebooted. It did come up with the right WAN address. Too early to tell if that solved the problem as it was a bit random, but it's a good sign.
#10
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 08:06:43 PM
Thanks for the links.

It was all working fine before I got the additional routed IP block. The instructions state to use static routes for the routed IPs, but I haven't tried that. The Virtual IPs are working except for this PPPoE bring-up issue. IPv6 isn't working either, but that also doesn't work when I connect a computer directly to the ONT and bring up PPPoE there.

I'll keep poking at it.
#11
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 07:27:45 PM
Thanks MoonbeamFrame, I appreciate the help. Could you possibly expand a bit more on what you wrote?

Anything I type under Interfaces > Point-to-Point > Devices in either the 'Local IP' space (which requires a /31 or less; a /32 is impossible, so I have no idea what netmask to use here) OR the 'Gateway' space gets blanked out after being applied (applied or ignored, I'm not sure which).

So, when you say you "set the PPPoE gateway to the allocated /32" I'm not sure where you are setting that. I agree, I'd like to do that, I would use what AAISP told me was the 'WAN' address, not any of the routed /29 addresses.

Then when you say you assigned the /24 to the same physical interface as Virtual IPs, does that mean you have the Ethernet interface showing twice in the list of interfaces, once with PPPoE over it and once without? When I referred to my Wan Dummy, that's what I meant. I had to create it to run baby-jumbo packets, which did work.
#12
23.1 Legacy Series / [SOLVED] PPPoE gets wrong IP
March 13, 2023, 06:33:34 PM
Hello:

I'm on an Andrews & Arnold (UK) Fibre connection (uses BT backhaul). I have a connection with a certain static WAN IP but also have a routed /29. When Opnsense brings up the PPPoE connection it uses the first routable IP of the /29 as its WAN IP address. This and the other usable IPs are mapped as virtual IPs over the PPPoE/WAN interface. This results in nothing working, unsurprisingly. I do have a Dummy WAN interface (not PPPoE); I could perhaps try mapping the virtual IPs over that interface.

When I connect my Mac computer directly to the fibre ONT and bring up the PPPoE connection, it gets the correct WAN IP every time.

I recall there used to be a function to REJECT certain IPs as the PPPoE 'leased' IP which might work, but I can't find that option anymore. Also, if I could assign a static IP to the PPPoE connection that would be fine as it won't change. But when I type that into the advanced PPPoE options in OpnSense, it will start working, but the setting does not stick, just disappears, and the problem will recur.

If I manually bring down and up the PPPoE connection one to two times, it will sort itself out and get the right WAN IP like the Mac did.

What can I do? Thanks.

#13
I could not get opnsense to act as my wireguard vpn host/server by following the official docs.

At some point I was just trying anything I could think of, and it's possible that I had not restarted the service after changing something else. But, the last thing I changed that made it work was to specifically add the port for the endpoint.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html says, about configuring the endpoint(s):

Endpoint Port  (empty)  Not required for inbound connections - dynamic

I put the default port (51820) I was using in there and it started working. Before that I could get the connection to come up from a remote endpoint but no traffic would pass.

Again, perhaps I'm wrong and it was something else I initially set wrong then fixed and had not restarted the service yet.
#14
17.7 Legacy Series / Netflow CPU usage question
January 05, 2018, 02:48:46 PM
Hello ... I noticed that if I have netflow set to capture to localhost, on my machine that means about every 15 seconds a Python2.7 process uses 100% cpu (of one core that is) for about 3 seconds. If I turn off 'Capture local' this stops.

My question is, if I set up a VM on another computer on my LAN and have that machine be the 'Destination' for the netflow capture, will that reduce significantly or eliminate that CPU usage? I guess this high CPU use is during the process of writing the cached data for the past 15 seconds to disk and thus the answer will be Yes.

Secondly, can you recommend a software package that is libre and free ($) I could set up on a VM to store the netflow data and also draw pretty graphs like OPNsense does?

Thanks.
#15
17.7 Legacy Series / Re: [SOLVED] Geo blocking
January 04, 2018, 10:05:01 PM
...if I have found this setting correctly, to help others, it is:

Firewall -> Settings -> Advanced and look for "Firewall Maximum Table Entries".