Messages

1

22.1 Legacy Series / OPNSense has a wrong packagesite, need to recreate database

« on: November 26, 2021, 03:11:01 pm »

Just finished a fresh install to test beta 2 and the repos are pretty much jacked up. Or so it seems.  Cannot add plugins and the system seems to be checking the changelog forever.  Does not seems to prevent basic functionality, but without plugins it is a pretty much one step removed from an off the shelf consumer box.

2

22.1 Legacy Series / Re: Problems with IXGBE driver

« on: November 14, 2021, 02:34:22 pm »

Snapshot kernel does mitigate the issue, plus some strange slowness on GUI post upgrade.

3

22.1 Legacy Series / Re: Safely upgrade to 22.1 beta and possibly roll back - boot environments FTW!

« on: November 14, 2021, 05:13:37 am »

I didn't use BE but update went fine and I updated the community repo for FreeBSD13 so your AdGuard Home should upgrade and run too

Finally also Kibana and Elastic compile again.

Upgraded to the beta with your repo configured ,but getting this :

Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Not Found
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Not Found
Unable to update repository mimugmail
Error updating repositories!

What would be the best way to fix it ?

4

22.1 Legacy Series / Re: Problems with IXGBE driver

« on: November 14, 2021, 12:28:28 am »

Thanks for helping me out with this, bud!

5

22.1 Legacy Series / Re: Problems with IXGBE driver

« on: November 13, 2021, 07:46:11 pm »

I am not currently shaping, so no need for ipfw.  Would it work to disable shared forwarding prior to the upgrade to dev, complete the upgrade, and then apply the new kernel ?

6

22.1 Legacy Series / Problems with IXGBE driver

« on: November 13, 2021, 05:19:16 pm »

Fresh install of OPNsense.  Upgraded to latest stable 21.7.5_2.  Changed to dev branch after completion and reboot.  Upgraded to 22.1b .   Whenever the network adapter is connected,  boot does not complete.  Network flaps constantly.  Unplug  network cables,  firewall completes boot, get beep and all that.  Connect network cables and links start flapping.   Reverted back to production.  Any clues ?  Saw an issue on the GitHub that seems related from a few days ago, but it was closed and marked upstream.

7

Documentation and Translation / Re: AdGuard Home setup guide

« on: May 07, 2021, 03:57:24 pm »

Sorry for the hijack, but just wondered if anyone has any idea of how I can solve a particular problem with my Adguard Home Plugin setup:

My LAN interface is a bridge made up of all the ports on a 4 port intel x540, and my WAN is on a different interface altogether (duh).  I can successfully install the plugin and configure it, make it the default dns server by changing the port unbound uses to 5353 and leaving AdguardHome on 53.  Problem is that first time resolution takes about 30 seconds!  I am guessing it has to do with Adguard being bound to all existing interfaces.  I tried to bind it to the bridge address editing the Adguard Yaml config file and restarting the service, but it did not solve the issue.  Unbound works fine in its place, and I have adguard running on a secondary box in lan and unbound forwarding to it, as a workaround, and that works fine.  If anyone knows how to fix that, and can share, I would appreciate it.  Just in case, bridge is built following wiki directions, including tunables, and works as expected.  I am aware of the disadvantages of bridging ports, but it is an experiment and I would like to make it work as is.

Thanks.

8

General Discussion / Re: Gateway failover / Manual NAT

« on: February 12, 2021, 02:43:03 pm »

Following the same instructions for the Failover and using Policy based routing should work, based on what I can interpret from your request.
You can create an alias group or VLAN for the VoIP stuff and then create a LAN rule that uses the desired gateway and not the failover gateway group.  Put the SIP/VoIP rule above your main LAN rule.

9

General Discussion / Re: NPTv6 for Multi-WAN

« on: February 12, 2021, 02:38:21 pm »

Indeed.  It seems this is the preferred method, followed by the ULA assignments.  There are no obvious shortcomings and the LB setup is, so far, working as advertised (60/40 in my case).

10

General Discussion / Re: NPTv6 for Multi-WAN

« on: February 11, 2021, 03:48:44 pm »

In the interest of relaying a complete documented account, here are my findings :

Configuring the IPv6 Load Balancing with NPT worked as follows :

Generate Unique ULA subnet prefix
Configure LAN interface with static ULA IP on said prefix
Configure Gateway groups for IPv6 for the GUA of the providers
Configure NPT rules corresponding to each of the GUA prefixes from providers
Configure DHCPv6 for the ULA prefix on Lan
Configure RA to your convenience, in my case Assisted

Caveats :
So far the only issue is that some clients, Windows clients in particular, tend to prefer connecting on IPv4 when getting a ULA address.  There are workarounds (netsh command, GPO(!), etc), but it might not be convenient for folks with lots of problematic clients.  This does not hinder most functionality, but underutilizes IPv6 ?

If anyone has any feedback on this I would very much appreciate it.

Update:

So, for posterity, the best way to implement NPTv6, if you are fortunate enough to have consistent prefixes, is to track the one interface with set prefix (or set lan static on it + dhcpv6 + RA)and have a single NPTv6 rule for the prefix on the failover/second WAN).  This will give a GUA address for your clients and should mitigate ICMPv6 and IPSEC issues.  Works quite well, and failover to ipv4 is flawless(seemingly).

11

General Discussion / Re: NPTv6 for Multi-WAN

« on: February 11, 2021, 01:49:26 am »

It seems that devices will prefer IPv4 Address when presented with a ULA IPv6 Address.
Is there a way to for the LAN interface to track 2 WAN IPv6 prefixes and forgo NPT completely ?

12

General Discussion / Re: NPTv6 for Multi-WAN

« on: February 11, 2021, 12:59:35 am »

I've made a small to the config.  I grabbed a ULA prefix from the ultratools ULA generator and set it up as my DHCPv6 range. Configured the LAN IPv6 as a static in the ULA range. Added NPT rules for both GUA prefixes from XFINITY and UVERSE, and configured my RA as assisted.  Everything appears to work as desired with the exception of IPv4 fallback.  It seems too slow and the IPv6 test sites tend to fail the test about 80% of the time.  Does anybody have any ideas as to how to resolve that ?

Thanks.

13

General Discussion / Re: NPTv6 for Multi-WAN

« on: February 10, 2021, 03:00:47 pm »

I realize this is not a normal setup by any means, and I do appreciate any help you all can give.

I've done the following, which seems to be working, but I am unsure if it is correct :

I configured the IPv6 Gateway group same as the IPv4 :  Weighted 5/4 (WAN1/WAN2)

Created an NPT rule for my XFINITY connection with the source prefix being UVERSE IPv6, and destination being XFINITY prefix.

Modified default LAN IPv6 gateway to the IPv6 GW Group.

I tested a few times and did see addresses in the XFNITY prefix identified. 

Does that seem correct ?  Is there any additional config needed ?

Thanks.

UPDATE: 
Forgot to mention that LAN is Tracking UVERSE, so all my clients are getting v6 Addresses on that prefix which is why I only have the one NPT rule.

14

General Discussion / NPTv6 for Multi-WAN

« on: February 08, 2021, 04:06:53 pm »

I am not well versed in IPv6 and am trying to configure load Balancing and FailOver for UVERSE and XFINITY, which are both dual-stack ISPs with PDs.  Is there an example configuration for NPTv6 and MultiWan IPv6 configuration ?  The default documentation is written from the POV of previous understanding of the underlying issue.

Thanks in advance.

15

General Discussion / Re: Announce: new OPNsense community repository

« on: January 21, 2021, 04:50:12 pm »

Thank you so much for the quick response, MiggityMuggity.  Will try this update when I get back home later.