Messages - gjarboni

#1
Quote from: Maurice on September 03, 2023, 08:20:06 PM
Don't use a /65, this only means trouble (SLAAC doesn't work etc.). HE will give you a /48, just enable it in your account's settings

Thanks, Maurice! I'll do that.
#2
First off, thanks to OP. I was definitely spinning my wheels before I read this. I was running into trouble trying to assign a /65 to two interfaces (instead of /64 to one). I switched back to a /64 and everything started working.

Was I doing something wrong, by trying to subnet like this? I have IPv6 connectivity via a tunnel with Hurricane Electric. I guess I could try asking them for another /64, but that seems somewhat ugly.

Thanks for reading!

Jason M.
#3
Will do. Thanks for your help!
#4
I hadn't tried that. It worked great, thanks!

Another frr question. Is it possible to start the frr daemons without enabling said daemons and (therefore) generating a config in the GUI? The need would be to use settings that aren't supported in the GUI yet (adding weights in BGP, for example). I'm not 100% sure that I'll need this functionality, but I might.

I see from: https://forum.opnsense.org/index.php?topic=8759.msg38959#msg38959 (number 12) how you can set up a shell script in /usr/local/etc/rc.d/ to start software. So the question is then: does every file in /usr/local/etc/rc.d get run and if so, will a script placed there survive an update?

Thanks!
#5
Hello,

I'm running OPNSense 19.7.3 with the frr plug-in. I'd like to be able to add a password to the end of zebra.conf & bgpd.conf.

The line would be either:

password <password>

or

no login

Either of these lines would give me access to the frr command line where it's a lot faster to type "show ip bgp" than looking at Routing, Diagnostics, BGP (which sometimes doesn't show anything, unfortunately).

But I like the command line, so the above isn't a big deal. I just hate having to restart BGP (and potentially Zebra) every time I want to see what networks are being advertised to the OPNSense box via BGP.

Otherwise I have to restart bgpd every time I want to test things.

I looked at /usr/local/etc/rc.d/frr but couldn't see anything there. However shell scripting is not my forte, so I might have missed something.

Can this be done?

Thanks!
#6
Unfortunately, it's enabled by default. I don't remember setting it, but I could have just forgotten. Not so nice to have a "history erasing" button in the gui :)
#7
Okay, it turns out it was the "Install policy" setting that was breaking things. Thanks.
#8
One more data point. Killing charon restores connectivity as well.
#9
Okay, this is even more curious. After disabling IPSec and SSHing to the OPNSense box I see the routing table:

root@OPNsense2:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          A.B.C.1          US         vmx0
default            A.B.C.1          UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
A.B.C.3            link#1             UHS         lo0
G.H.I.195          A.B.C.1          UGHS       vmx0
G.H.I.198          A.B.C.1          UGHS       vmx0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        A.B.C.1          US         vmx0
D.E.23.1           link#7             UHS         lo0
D.E.23.2           link#7             UH     ipsec100
D.E.F.0/24         link#2             U           em0
D.E.F.3            link#2             UHS         lo0


I'm focusing on the 0.0.0.0/1 and 128.0.0.0/1 routes. They look odd so I delete them:

root@OPNsense2:~ # route delete -net 0.0.0.0/1 A.B.C.1
delete net 0.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # route delete -net 128.0.0.0/1 A.B.C.1
delete net 128.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # netstat -rn | more
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            A.B.C.1          UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
A.B.C.3            link#1             UHS         lo0
G.H.I.195          A.B.C.1          UGHS       vmx0
G.H.I.198          A.B.C.1          UGHS       vmx0
127.0.0.1          link#3             UH          lo0
D.E.23.1           link#7             UHS         lo0
D.E.23.2           link#7             UH     ipsec100
D.E.F.0/24         link#2             U           em0
D.E.F.3            link#2             UHS         lo0


And now I can ping via the WAN:

root@OPNsense2:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=13.144 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=13.146 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=13.238 ms

Any idea where those routes came from? My home OPNSense box doesn't have them. I'm mystified.
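An added check, not part of this thread or of OPNsense, that scans netstat -rn text for the 0.0.0.0/1 plus 128.0.0.0/1 pair seen in the post: under longest-prefix matching the two together cover every IPv4 destination and so take precedence over "default", which is why a gateway on them silently replaces the real default gateway. The function names (check_default_shadow, shadow_fix_commands) and the sample table are my own; the second function only emits the route delete commands used above so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: detect the two /1 "half routes" that shadow the default route.
# Reads `netstat -rn` style text on stdin; function and sample names are assumptions.

# Constructed sample modelled on the post's table (placeholder letters as in the post).
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          A.B.C.1          US         vmx0
default            A.B.C.1          UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
128.0.0.0/1        A.B.C.1          US         vmx0
D.E.23.2           link#7             UH     ipsec100'

# Prints "shadowed <gw-low> <gw-high> (default via <gw>)" when both half routes
# exist, otherwise "clean". Only one of the two present is not a full shadow.
check_default_shadow() {
    awk '
        $1 == "0.0.0.0/1"   { low  = $2 }
        $1 == "128.0.0.0/1" { high = $2 }
        $1 == "default"     { def  = $2 }
        END {
            if (low != "" && high != "") {
                printf "shadowed %s %s (default via %s)\n", low, high, def
            } else {
                print "clean"
            }
        }'
}

# Emits the same `route delete` lines the post ran, one per half route found,
# so an operator can read them before piping them into sh on the box.
shadow_fix_commands() {
    awk '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            printf "route delete -net %s %s\n", $1, $2
        }'
}

# Demo run on the constructed sample (real use: netstat -rn | check_default_shadow).
printf '%s\n' "$SAMPLE" | check_default_shadow
printf '%s\n' "$SAMPLE" | shadow_fix_commands
```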
#10
This probably won't surprise anyone but running:

/etc/rc.d/ipsec onestop

restores connectivity to the box. However once I did this, I could access the LAN, but couldn't ping anything reachable via the WAN. I previously put in rules to pass any traffic on LAN and WAN (for testing) and turned off NAT.
#11
Okay, I've updated and no change. This is what I did.

Reset to factory default (so I could access the network again)
Ran opnsense-update -- rebooted when done
Copied backup of config to /conf/config.xml
Rebooted

The result is the same -- no network connectivity. I also redid the setup this time remembering to disable NAT, and added an additional interface for the WAN (even though it's not on the Internet). Still the same problem. When I finish the configuration for the routed IPSec tunnel, all network connectivity is lost.

Any ideas?
#12
The console says 19.7 (no .3). Is that enough or should I look elsewhere? Thanks.
#13
Hello,

I have a bit of an oddball situation. I'm using OPNSense (v19.7) as a router for IPSec VTI connections (or route-based tunnels), nothing else. I can't be on the public Internet due to restrictions at the site. So one physical network interface and, currently, one routed IPSec tunnel. The remote end is a Cisco router running 15.1-4M10 directly connected to the Internet.

Now, this is the strange part. On two separate firewalls enabling this setup has caused the firewall to completely lose connectivity. The OPNSense box isn't even getting ARP replies. Anyway, since this happened twice, I'm reasonably confident it's something I'm doing and not hardware related. BTW, the "hardware" for these boxes is virtual under VMWare. One box is using the VMWare NIC and the other is using e1000 emulation (em0).

I'm thinking this is related to NAT, but I'm not sure. Running pfctl -d doesn't help, though (I don't know if that makes sense or not).

Anyway, I'm hoping someone can give me some insight. Thanks in advance!

Jason M.