Messages - tomstephens89

#1
23.7 Legacy Series / DHCP Relay (multiple scopes)
August 04, 2023, 02:19:25 PM
I initially posted this feature request in the 19.7 release but since it's not really been acknowledged figured I'd post it again.

It would be good if DHCP scopes could be defined for address space outside of the locally connected subnets and the DHCP server respond to DHCP requests which are relayed up from a L3 switched core.

In small deployments where L3 switching is being used for internal routing, it would remove the need for a separate DHCP server.

Thanks
Tom
#2
I have just noticed when using Netflow into inSight that no traffic from my Office > Datacenter IPSEC tunnel shows under the IPSEC interface within Details. It all shows under the WAN interface?

Looks like a bug. Running 22.1.2
#3
Apologies for posting on an old thread but I have this exact problem and can't work out what's going on.

Connecting to the office WireGuard on OPNsense from my home 4G EE (UK) connection and I can use RDP, FTP, SSH, ICMP etc.... But no HTTP or HTTPS traffic at all.

Interestingly I can hotspot from my phone and other connections no problems at all. This leads me to believe the problem is specific to this one connection which is an EE SIM card in a Teltonika RUTX09 4G router.

Any ideas?
#4
Any thoughts on this?

An explanation as to why Unbound forwards don't traverse an IPSEC tunnel unless the outbound interface is set to one of the LAN interfaces would help?
#5
Does this mean I still need to stop the RA daemon on the backup box until it is needed?

Or does CARP with IPv6 now function via the VIP as the gateway address?
#6
What was the outcome of this? I see there was a lot of activity on GitHub?
#7
Thinking about this, could this be because the backup does not own the VIP of the LAN interface when it's in backup state? So it's falling back to another interface or something else?
#8
21.7 Legacy Series / os-iperf no UDP?
January 23, 2022, 12:40:52 PM
I have noticed the os-iperf plugin does not open up UDP ports for connection testing using UDP?
#9
Hi all,

I recently changed the outbound interface setting of the unbound resolver to one of my LAN side interfaces in order to solve the problem of DNS domain override forward requests not traversing my IPSEC tunnel to the datacenter.

Since changing unbound to use one of my LAN interfaces, DNS requests to that overridden domain now successfully use the IPSEC tunnel to a remote DNS server. However, I have just noticed that during an update of my firewall pair, the box that is currently the BACKUP node suffers extremely slow DNS resolution. I noticed this when it was looking up the package repo etc....

Any ideas why this is?
#10
Same issue here. Thanks to @pmhausen for confirming the problem.

https://forum.opnsense.org/index.php?topic=25243.msg121205#msg121205

Until the ability to specify the source address of radvd is implemented, the only way that this works is to keep the RA daemon on the backup stopped until it needs to become master. Then the RA daemon may be started on the now master, and you must ensure it is stopped on the now backup.
#11
Quote from: pmhausen on October 21, 2021, 02:17:38 PM
Quote from: tomstephens89 on October 21, 2021, 02:07:19 PM
Thanks for confirming. So, to facilitate auto failover in the event of a master crash, the best way to do this would be to disable the sync of RA/DHCPv6 settings under HA, then run the radvd daemon on both master & slave, with master set as a higher priority?
At least in my experiments that did not work. The Linux systems we run in that DMZ install both gateways with the same metric. This leads to out of state packets arriving at the "wrong" node and TCP connections being killed.
I thought pfsync should take care of that but at least in our tests it wasn't sufficient.

So I disabled radvd completely on the backup and documented that an operator needs to restore IPv6 in case of a failure of the primary.

See https://forum.opnsense.org/index.php?topic=25158 for my initial discussion of the topic. We really need to get that fixed.

I have tested and confirmed that I see the same.

The only way this works right now is to keep radvd STOPPED on the BACKUP. A manual note to IT/Network engineers that when failing over, the router advertisement daemon must ONLY be running on the CARP MASTER. Config sync for it can still be left enabled to keep config changes in check, but you just need to ensure radvd is stopped on the backup.

Would be real good if we can specify the source address in radvd.
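As an added example (not from this thread and not OPNsense's own code), a small POSIX shell helper that implements the workaround described above: read the CARP role of the VIPs from `ifconfig` output and decide whether radvd should be running on this node, so the daemon is only active on the CARP MASTER. The `ifconfig` samples are constructed, and the `service radvd onestart/onestop` command is an assumption that is only printed, not executed.

```shell
#!/bin/sh
# Added example, not from the forum thread or from OPNsense: keep radvd
# running only on the CARP MASTER, as the workaround above requires.
# Input is FreeBSD-style ifconfig text; the samples below are constructed.

# Print "master" when every CARP VIP in the ifconfig text is MASTER,
# "backup" when at least one is not (BACKUP/INIT), "none" when no VIP exists.
carp_role() {
    printf '%s\n' "$1" | awk '
        /carp: MASTER/               { master++ }
        /carp: / && !/carp: MASTER/  { other++ }
        END {
            if (master + other == 0) print "none"
            else if (other == 0)     print "master"
            else                     print "backup"
        }'
}

# Map the CARP role to the radvd action the workaround needs.
radvd_action() {
    case "$(carp_role "$1")" in
        master) echo start ;;
        backup) echo stop ;;
        *)      echo leave ;;   # no CARP VIP: not an HA node, change nothing
    esac
}

# Report the decision. Only prints; on a real node the assumed command
# would be `service radvd onestart` or `service radvd onestop`.
apply_radvd_action() {
    action=$(radvd_action "$1")
    if [ "$action" = leave ]; then
        echo "no CARP VIP found, radvd left as is"
    else
        echo "would run: service radvd one$action"
    fi
}

# Constructed ifconfig excerpts: an all-MASTER node and a node with one
# VIP in BACKUP state (the node that must not announce RAs).
SAMPLE_MASTER='vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2001:db8:10::1 prefixlen 64 vhid 10
        carp: MASTER vhid 10 advbase 1 advskew 0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2001:db8:20::1 prefixlen 64 vhid 20
        carp: MASTER vhid 20 advbase 1 advskew 0'
SAMPLE_BACKUP='vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2001:db8:10::1 prefixlen 64 vhid 10
        carp: BACKUP vhid 10 advbase 1 advskew 100'

for sample in "$SAMPLE_MASTER" "$SAMPLE_BACKUP"; do
    apply_radvd_action "$sample"   # on a node: apply_radvd_action "$(ifconfig)"
done
```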
#12
Quote from: pmhausen on October 21, 2021, 01:59:56 PM
When you set the RA interface to the VIP, that changes nothing. Both HA nodes announce their own link local address.

This github issue is about fixing the broken behavior and configuring radvd to announce the CARP address.

Unless the measures discussed in this issue are implemented there is simply no way to make it work in OPNsense at the moment. I disabled RA on the backup node. I hope this gets fixed soon.

Thanks for confirming. So, to facilitate auto failover in the event of a master crash, the best way to do this would be to disable the sync of RA/DHCPv6 settings under HA, then run the radvd daemon on both master & slave, with master set as a higher priority?

Clients should discover two default routes, one with a better metric this way? However it won't 'statefully' fail with CARP maintenance mode. The RADVD daemon must be stopped as well on the node in maintenance to force all clients to learn only the surviving route?

How do I vote for your git request?

#13
Quote from: pmhausen on October 21, 2021, 12:39:38 PM
Please vote for this issue to be implemented and shipped:
https://github.com/opnsense/core/pull/5185

;)
Patrick

So what are we saying here? I have noticed setting my CARP VIP in the RA options does nothing. I'd sort of expect RADVD to be started on the master and stopped on slave. However it is started on both.

Should I select the static interface instead, and run both master and slave with different priorities? Which is not CARP at all?

What is the expected behaviour of RADVD currently, when the RA is set to a CARP VIP?
#14
Hi all,

I have IPv6 deployed and working in a few VLANs. RA managed mode + DHCPv6.

All works great except for the failover test I just performed to my second OpnSense box.

I am aware that when using dynamic addressing via RA/DHCP, clients typically get a link local gateway advertised to them, rather than the routable address. However on failover, anything using link local as its GW lost IP6 connectivity. Whereas static clients using my CARP v6 VIP for the respective VLAN GW worked fine.

What's the solution for this? I see no way to pass a gateway via DHCPv6 as this isn't how v6 works. But in that case, what's my option?
#15
Hi all,

Just noticed that there is an error in the Multi Interface shaping guide here:

https://docs.opnsense.org/manual/how-tos/shaper_guestnet.html

The rule for the upload traffic entering via the guestnet interface should have its direction set to 'in', rather than 'out' as shown in the document.

Thanks.