Messages

1

General Discussion / Re: "No route to host": need to reload WAN every ~24 hour

« on: April 14, 2023, 07:48:06 pm »

I'm getting the same issue now. How are you doing the cron job? Is that defined in the WebUI or through cli?

I have the following crontab in /usr/local/etc/cron.d/custom.cron:

Code: [Select]

# Reload WAN interface
30      */12    *       *       *       root    sleep 10; /usr/local/etc/rc.configure_interface wan

The sleep is to prevent interfering with Monit ping monitoring.

If you don't need the sleep, you should be able to achieve the same with a cronjob in the web UI by selecting "Periodic interface reset".

2

General Discussion / Re: "No route to host": need to reload WAN every ~24 hour

« on: February 16, 2023, 07:11:30 pm »

Problem still occurs as of v23.1.1.

I have configured a workaround: a cron job from the UI: every 12 hours "Periodic interface reset" with parameter "wan".
This seems to prevent the issue from occuring.

Also, I do have another issue that was already occuring before upgrading to v23.1: radvd stops sending router advertisements after some time. Restarting the radvd daemon fixes the issue. Same workaround: cron job every 12 hours with a custom command "pluginctl -s radvd restart". I mention this as it could be related.

Also, I did some measurement of when the issue occurs: from 22 to 26 hours after reloading WAN or rebooting, which is why I configured the cron job every 12 hours.

3

General Discussion / Re: "No route to host": need to reload WAN every ~24 hour

« on: February 03, 2023, 09:06:20 pm »

Occurred again, nothing new except:

• IPv6 still works, only IPv4 is affected by the problem
• I restarted the "routing" service in anticipation of the issue 4 hour ago, still occured

Fixed after restarting "routing" service.

4

General Discussion / Re: "No route to host": need to reload WAN every ~24 hour

« on: February 02, 2023, 08:36:26 pm »

The problem occured again today, I did some experiments:

• The internet can access the firewall: I can access my webserver through HAProxy
• Restarting the "routing" service also solves the issue
• Unbound can still resolve DNS properly (tried with random queries to avoid cache) (configured with DNS over TLS)

For a short time after restarting the "routing" service, I could ping any IP except 8.8.8.8 ->"ping: sendto: No buffer space available".

5

General Discussion / "No route to host": need to reload WAN every ~24 hour

« on: February 01, 2023, 09:42:31 pm »

Configuration:

WAN is connected to internet through vlan832 of igb2.
IPs are received with DHCPv4 and DHCPv6 (/56 prefix delegation).

WAN:

Code: [Select]

igb2_vlan832: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4000000<NOMAP>
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::3eec:efff:fe22:3ec4%igb2_vlan832 prefixlen 64 scopeid 0xa
        inet6 xxxx:xxxx:xxxx:xx00::1 prefixlen 64
        inet x.x.x.x netmask 0xfffffc00 broadcast x.x.x.x
        groups: vlan
        vlan: 832 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

LAN has a /24 IPv4 subnet, and a /64 IPv6 subnet (from the prefix).

LAN:

Code: [Select]

lagg0_vlan50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: ADMIN (lan)
        options=4000000<NOMAP>
        ether xx:xx:xx:xx:xx:xx
        inet 172.16.72.254 netmask 0xffffff00 broadcast 172.16.72.255
        inet6 fe80::8261:5fff:fe08:642%lagg0_vlan50 prefixlen 64 scopeid 0xe
        inet6 xxxx:xxxx:xxxx:xx48:xxxx:xxxx:xxxx:xxxx prefixlen 64
        groups: vlan ADMIN_GROUP
        vlan: 50 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I do have multiple interfaces other than LAN for DMZ and users, but their configuration is very similar to LAN.

Issue

After having a working internet connection for a bit more than 24 hour, I lose all access to the internet.

• Internal networking between subnets works fine
• WAN interface still have its IPv4 and IPv6
• Some Wireguard tunnels keeps working, although the client is on the internet
• Pinging 1.1.1.1 from the firewall returns "ping: sendto: No route to host"
• Pinging from LAN returns a similar error
• Console shows IPv6 errors: "cannot forward src fe80:x:x:x:x:x:x:x, dst [some internet IPv6], nxt 17, rcvif lagg0_vlan50, outif igb2_vlan832"
• Web UI: clicking on "Reload" for the WAN interface DHCP (in the "overview" tab) fixes the issue instantly for ~24 hour

A workaround would be to setup a crontab to reload the interface automatically every 24 hour, but It woundn't fix the issue itself.

The issue only occurs since I updated to 23.1.

Thank you

6

Virtual private networks / Site-to-site VPN: route DNS traffic from the firewall itself

« on: April 06, 2021, 08:20:24 pm »

I am setting up a site-to-site VPN but I have issue to get Unbound to use the remote site's DNS server for it's local domain.
I configured Unbound to use the remote site dns server's IP for local.foo.com.

Alias my_alias: networks I want to be routed through the VPN (which includes the DNS server's IP).

I have 2 OpenVPN clients to connect to the same site, the second one being a failover.
I configured a gateway group with the 2 gateways created by the OpenVPN clients.

Configured 2 NAT outbound rules:
 - interface=my_vpn_iface_1, src=any, dest=my_alias, nat address=interface address, static=no
 - same with interface=my_vpn_iface_2

Added 1 floating rule to route my_alias through the VPN:
 - quick, direction=in, protocol=ipv4*, src=*, dest=my_alias, gateway=my_vpn_gateway_group

This rule should route any traffic going to my_alias from any interface through the VPN gateway group.

I can access the remote site from LAN.
However, I cannot access it from the firewall itself.

I tried configuring a static route.
However, I cannot set the gateway to my_vpn_gateway_group, only single gateways can be selected.

Firewall logs shows "let out anything from firewall host itself".

I also tried enabling "Disable automatic rules which force local services to use the assigned interface gateway", but the same issue occur.

Any help would be appreciated.

7

20.1 Legacy Series / Unbound loop start/stop, works when started by shell

« on: February 20, 2020, 01:08:15 am »

Hi,

I wanted to install an OPNSense on a test server but I can't get Unbound to works.
This is a fresh install, default settings except for LAN/WAN config.
The Unbound service just starts and stops in an infinite loop.
Rebooting OPNsense solves the problem for less than 3 minutes, then immediately restart crashing. Sometimes Unbound works again for generally less than 3 minutes before crashing again.

Here are some logs: logs on level 0, level 3, level 5.
I cut the logs in order to see a complete cycle start/stop.

When I start Unbound from the shell with the command

Code: [Select]

# unbound -d -c /var/unbound/unbound.conf it works without issue.
I tried multiple Unbound configurations, with/without DNSSEC, with/without forwarding mode. Everything leading to the same problem.

Thank you

8

19.1 Legacy Series / Re: Slow bandwidth from lan to wan (OPNsense on Proxmox VE)

« on: April 13, 2019, 03:56:27 am »

Thanks for your reply

However, I resolved the problem, it happened to be a configuration error of mine :
I changed a configuration in TCP configuration autotuninglevel from disabled to auto (default) and it instantly solved my problem.

Thank you for your help

N.B. Should I create a topic for my ipv6 problems ?

9

19.1 Legacy Series / Re: Slow bandwidth from lan to wan (OPNsense on Proxmox VE)

« on: April 09, 2019, 09:56:33 pm »

Did you try the "new" netmap enabled kernel? Should perform better with virtual nics.

See here:
https://forum.opnsense.org/index.php?topic=11477.0

Thank you for your reply, I have just installed the netmap enabled kernel and restarted, but no speed change unfortunately

10

19.1 Legacy Series / Slow bandwidth from lan to wan (OPNsense on Proxmox VE)

« on: April 09, 2019, 03:58:28 pm »

Hi,
I want to share with you my internet speed problem between lan and wan.
I have OPNsense installed as a VM in Proxmox virtual environment.

Problem :
Normally my internet connection provides me 900down and almost 300up, but OPNsense only gives lan 250-300down and 300up.
Install is new, not a lot of configuration done except vlan, dhcp and unbound.
Iperf3 from lan device to firewall gives 2-3 gbps speed.
And the speed seems fine for the firewall itself (used iperf3 to public servers and got 900down/300up) so the problem is between lan and wan.

Proxmox version : pve-manager/5.3-11/d4907f84 (running kernel: 4.15.18-12-pve)
OPNsense version : 19.1.4

Host hardware :
CPU : AMD Threadripper 1950x (16 cores @ 3.7 GHz)
Memory : 64 GB

VM config :
Memory : 8 GiB (no balloon)
CPU : EPYC, numa, 8 cores (2 sockets 4 cores)
Hard disk : SCSI 64 GB
Network device : virtio linux bridge (for LAN, VLAN aware)
PCIe passthrough : Intel I210-T1 gigabit NIC (for WAN)
BIOS : OVMF (UEFI)
Qemu agent : disabled

OPNsense configuration :
WAN : DHCP and DHCPv6
LAN : Static ipv4 and ipv6 with DHCP and DHCPv6 server (no prefix delegation available), router advertisements set to assisted
LAN is configured on VLAN 10 of the virtio bridge
WAN is a direct PCIe passthrough of the Intel NIC

Firewall configuration :
- Floating rule : Allow DNS from anywhere to this firewall
- LAN : Anti-Lockout rule
- LAN : Default allow LAN to any rule
- LAN : Default allow LAN IPv6 to any rule

Other problems that can be related :
- IPv6 works fine on firewall but no ipv6 for lan
- Unbound only works in forward mode

Any help really welcome
Thanks