Messages - samsonmcnulty

#2
Quote from: IsaacFL on December 28, 2020, 04:16:58 AM
I was looking through the old changes and from what I could tell from the comments, the reason pfSense moved from rtadvd to radvd was they were having problems with CARP and VIPs in IPv6 at the time with rtadvd. Maybe rtadvd has solved the issues from back then.

It is possible that from FreeBSD 11 to 12, something else in the network stack introduced a dependency on rtadvd.
I was just having issues in a lab setup with rtadvd and CARP VIPs. Not sure it isn't KVM and virtualized network related, but it definitely seemed to be a contributing factor.

#3
For those just joining the party, see https://github.com/opnsense/core/issues/4338#issuecomment-732397405

We have a working fix and pull request. Running opnsense-patch 9a4a908 will replace radvd with rtadvd and seems to rectify the issue for everyone.
#4
Late to the party but I'm having issues with this as well
#5
Unfortunately, the IPv6 implementation in OPNsense seems to have various issues like this. I'm seeing much more attention brought to it, however, so I'm hopeful it can be resolved by the next release.
#6
Without looking at the logs I can't say for sure, but I'm definitely still having what I assume is this problem. Adding the cron job and we'll see how it goes.
#7
20.7 Legacy Series / Re: pfatt and 20.7 don't seem to work
September 18, 2020, 04:59:55 AM
Has anyone that had their setup break with the update been able to confirm a workaround or cause for this?
#8
Quote from: mrancier on August 05, 2020, 11:08:10 PM
Quote from: harshw on August 05, 2020, 07:20:58 AM
Quote from: mrancier on August 05, 2020, 02:00:01 AM
Sorry about the delay. Life kinda got in the way. In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local.

Are you using the original script by aus or the one from MonkWho or others? If you're using the original script and it is working for you, then it's just a matter of seeing why the newer ones aren't working (changed locations for files and binaries perhaps?)

I am using the original script, or rather the last one I downloaded directly from aus's github before it evaporated.

Could you possibly provide a copy of that script so I can compare the MonkWho opnatt script and see what might be different?
#9
I'd love to step in and say "Hell yes" lol
#10
20.1 Legacy Series / Re: UPnP Issues
June 29, 2020, 01:05:55 AM
The game will only open the port it needs. Allowing the range suggested won't open all of the ports listed in the range, it will allow those ports to be opened by the IP address in the source field if/when needed. You can view the currently opened connections in the status page of the UPnP plugin.
#11
General Discussion / Re: UPnP issues?
June 28, 2020, 05:58:41 PM
Setting outbound NAT with the static port setting for each device that needs to use UPnP simply stops the firewall from overwriting the outbound port with a randomized one. You don't need to do any manual port forwarding. Setting the allow rule as I mentioned above in the UPnP settings allows the device on a subnet or a specific device to use the ports that are allowed. By default UPnP in OPNsense operates with a least access configuration and requires whitelisting whereas, in most consumer grade hardware, UPnP is using "allow all".
#12
Not a direct answer to your question, but would you be opposed to running these services in Docker as containers and then utilizing something like Traefik or Nginx as a load-balancer/reverse proxy on the server itself? I'm currently running several WordPress sites and Nextcloud in Docker with Traefik as my reverse proxy and it really simplifies the deployment of new sites and services. Nginx also has a large community for the Docker version and can help configure everything. They have plenty of configs available that generally work out of the box.
#13
Quote from: spetrillo on June 23, 2020, 06:38:52 PM
What I would be interested in knowing is if I can set priorities for each member of the LAG, so certain VLANs use certain LAG interfaces, thus effectively spreading the traffic across all LAG members?

If you use the Round-Robin LAGG Protocol, you can accomplish the same goal, albeit without each VLAN on a specific physical interface. LACP would work too, but you may see more traffic on a specific interface in that case.
#14
Look at your FW live logs in OPNsense and filter by "block" or by the device IP and see what rule is causing the issue, if any.
#15
I encountered a similar issue when my logs filled the disk drive I was writing them to. Check your used space and make sure the disk isn't full.