Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - gjarboni

Pages: [1]

General Discussion / Re: IPv6 Router Advertisements (RA) for SLAAC not working when gateway IPv6 static

« on: September 03, 2023, 08:40:34 pm »

Quote from: Maurice on September 03, 2023, 08:20:06 pm

Don't use a /65, this only means trouble (SLAAC doesn't work etc.). HE will give you a /48, just enable it in your account's settings

Thanks, Maurice! I'll do that.

General Discussion / Re: IPv6 Router Advertisements (RA) for SLAAC not working when gateway IPv6 static

« on: September 03, 2023, 07:58:46 pm »

First off, thanks to OP. I was definitely spinning my wheels before I read this. I was running into trouble trying to assign a /65 to two interfaces (instead of /64 to one). I switched back to a /64 and everything started working.

Was I doing something wrong, by trying to subnet like this? I have IPv6 connectivity via a tunnel with Hurricane Electric. I guess I could try asking them for another /64, but that seems somewhat ugly.

Thanks for reading!

Jason M.

19.7 Legacy Series / Re: How to automatically add a line to bgpd.conf and zebra.conf

« on: September 16, 2019, 09:12:13 pm »

Will do. Thanks for your help!

19.7 Legacy Series / Re: How to automatically add a line to bgpd.conf and zebra.conf

« on: September 12, 2019, 08:10:37 pm »

I hadn't tried that. It worked great, thanks!

Another frr question. Is it possible to start the frr daemons without enabling said daemons and (therefore) generating a config in the GUI? The need would be to use settings that aren't supported in the GUI yet (adding weights in BGP, for example). I'm not 100% sure that I'll need this functionality, but I might.

I see from: https://forum.opnsense.org/index.php?topic=8759.msg38959#msg38959 (number 12) how you can set up a shell scrupt in /usr/local/etc/rc.d/ to start software. So the question is then: does every file in /usr/local/etc/rc.d get run and if so, will a script placed there survive an update?

Thanks!

19.7 Legacy Series / How to automatically add a line to bgpd.conf and zebra.conf

« on: September 12, 2019, 04:24:08 am »

Hello,

I'm running OPNSense 19.7.3 with the frr plug-in. I'd like to be able to add a password to the end of zebra.conf & bgpd.conf.

The line would be either:

Code: [Select]

password <password>
or

Code: [Select]

no login
Either of these lines would give me access to the frr command line where it's a lot faster to type "show ip bgp" then look at Routing, Diagnostics, BGP (which sometimes doesn't show anything, unfortunately).

But I like the command line, so the above isn't a big deal. I just hate having to restart BGP (and potentially Zebra) every time I want to see what networks are being advertised to the OPNSense box via BGP.

Otherwise I have to restart bgpd every time I want to test things.

I looked at /usr/local/etc/rc.d/frr but couldn't see anything there. However shell scripting is not my forte, so I might have missed something.

Can this be done?

Thanks!

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: September 01, 2019, 09:10:21 pm »

Unforatunely, it's enabled by default. I don't remember setting it, but I could have just forgotten. Not so nice to have a "history erasing" button in the gui

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 31, 2019, 10:12:02 am »

Okay, it turns out it was the “Install policy” setting that was breaking things. Thanks.

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 31, 2019, 08:21:54 am »

One more data point. Killing charon restores connectivity as well.

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 31, 2019, 07:36:03 am »

Okay, this is even more curious. After disabling IPSec and SSHing to the OPNSense box I see the routing table:

Quote

root@OPNsense2:~ # netstat -rn
Routing tables

Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 A.B.C.1 US vmx0
default A.B.C.1 UGS vmx0
A.B.C.0/24 link#1 U vmx0
A.B.C.3 link#1 UHS lo0
G.H.I.195 A.B.C.1 UGHS vmx0
G.H.I.198 A.B.C.1 UGHS vmx0
127.0.0.1 link#3 UH lo0
128.0.0.0/1 A.B.C.1 US vmx0
D.E.23.1 link#7 UHS lo0
D.E.23.2 link#7 UH ipsec100
D.E.F.0/24 link#2 U em0
D.E.F.3 link#2 UHS lo0

I'm focusing on the 0.0.0.0/1 and 128.0.0.0/1 routes. They look odd so I delete them:

Quote

root@OPNsense2:~ # route delete -net 0.0.0.0/1 A.B.C.1
delete net 0.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # route delete -net 128.0.0.0/1 A.B.C.1
delete net 128.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # netstat -rn | more
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default A.B.C.1 UGS vmx0
A.B.C.0/24 link#1 U vmx0
A.B.C.3 link#1 UHS lo0
G.H.I.195 A.B.C.1 UGHS vmx0
G.H.I.198 A.B.C.1 UGHS vmx0
127.0.0.1 link#3 UH lo0
D.E.23.1 link#7 UHS lo0
D.E.23.2 link#7 UH ipsec100
D.E.F.0/24 link#2 U em0
D.E.F.3 link#2 UHS lo0

And now I can ping via the WAN:

Quote

root@OPNsense2:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=13.144 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=13.146 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=13.238 ms

Any idea where those routes came from? My home OPNSense box doesn't have them. I'm mystified.

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 31, 2019, 07:06:47 am »

This probably won't surprise anyone but running:

/etc/rc.d/ipsec onestop

restores connectivity to the box. However once I did this, I could access the LAN, but couldn't ping anything reachable via the WAN. I previously put in rules to pass any traffic on LAN and WAN (for testing) and turned off NAT.

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 31, 2019, 05:54:14 am »

Okay, I've updated and no change. This is what I did.

Reset to factory default (so I could access the network again)
Ran opnsense-update -- rebooted when done
Copied backup of config to /conf/config.xml
Rebooted

The result is the same -- no network connectivity. I also redid the setup this time remembering to disable NAT, and added an additional interface for the WAN (even though it's not on the Internet). Still the same problem. When I finish the configuration for the routed IPSec tunnel, all network connectivity is lost.

Any ideas?

General Discussion / Re: Configuring a routed IPSec tunnel breaks connectivity

« on: August 30, 2019, 10:47:33 am »

The console says 19.7 (no .3). Is that enough or should I look elsewhere? Thanks.

General Discussion / Configuring a routed IPSec tunnel breaks connectivity

« on: August 30, 2019, 09:25:38 am »

Hello,

I have a bit of an oddball situation. I'm using OPNSense (v19.7) as a router for IPSec VTI connections (or route-based tunnels), nothing else. I can't be on the public Internet due to restrictions at the site. So one physical network interface and, currently, one routed IPSec tunnel. The remote end is a Cisco router running 15.1-4M10 directly connected to the Internet.

Now, this is the strange part. On two separate firewalls enabling this set up has caused the firewall to copmletely lose connectiity. The OPNSense box isn't even getting ARP replies. Anyway, since this happened twice, I'm reasonably confident it's something I'm doing and not hardware related. BTW, the "hardware" for these boxes is virtual under VMWare. One box is using the VMWare NIC and the other is using e1000 emulation (em0)

I'm thinking this is related to NAT, but I'm not sure. Running pfctl -d doesn't help, though (I don't know if that makes sense or not).

Anyway, I'm hoping someone can give me some insight. Thanks in advance!

Jason M.

Pages: [1]