Messages - haukened

#1
20.1 Legacy Series / Re: IPv6RD broken again?
February 13, 2020, 09:12:04 PM
So I just tested this and it didn't work for me.

The wan_stf interface was created but not lined visibly anywhere in the GUI.
From the CLI I was able to see the wan_stf interface, but running ping6 google.com resulted in: ping6: UDP connect: No route to host

Adding the default route manually using route add -inet6 default -interface wan_stf temporarily fixes the issue, but none of the 6RD settings or status are visible in the interface.

Tested on 20.1 and 20.1.1.

Went ahead and opened a GitHub issue here: https://github.com/opnsense/core/issues/3903
#2
Quote from @lfirewall1243: You don't just have to allow it. You need to forward the ports to the device you want to access from the outside.
This is the right advice.

Try Firewall -> NAT -> Port Forward
Interface: WAN
Protocol: TCP+UDP
Destination: WAN Address
Destination Port Range:
    From: Other (Enter 5900)
    To: Other (Enter 5900)
Redirect Target IP: Single Host or Network (type in the internal IP address and select /32)
Redirect Target Port: 5900

Save and Apply.

For the range, do the same, but you'll only have to specify the starting port for "Redirect Target Port"; it will automatically count the number of ports in the range you specified above and open the right number of ports.
#3
I already opened this as a GitHub issue, but perhaps you guys have some insight:
https://github.com/opnsense/plugins/issues/1692

Here's the summary:

**Describe the bug**
Recently installed os-openconnect to connect to a Cisco ASA firewall as a VPN client. Configuration was working with an associated NAT statement allowing LAN to PAT through the ocvpn interface to the company. After a certain amount of idle time, the server forces a disconnect and OPNsense stops responding to traffic on all interfaces until the LAN/WAN are physically UP/DOWN (by unplugging), since the firewall UI/SSH are no longer available.

**To Reproduce**
Steps to reproduce the behavior:

  • Install os-openconnect
  • Configure with server, username, password
  • Start OpenConnect service
  • Configure NAT statement to NAT LAN to OpenConnect interface IP
  • Test working connection using ocvpn interface
  • Wait some amount of time (varies based on server config)
  • Server forces idle disconnect
  • OPNsense stops responding to traffic on ALL interfaces.
  • Physically up/down LAN and WAN interface
  • Connectivity is restored.
  • Log into OPNsense admin page
  • Observe OpenConnect service is stopped.

**Expected behavior**

  • Server forces disconnect
  • ocvpn interface goes down
  • all other interfaces continue to work as normal
Firewall should treat it as any other downed interface.

**Relevant log files**

2020-02-10T13:01:18 dhcp6c[62879]: Sending Solicit
2020-02-10T12:59:30 dhcp6c[62879]: Sending Solicit
2020-02-10T12:58:22 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:48 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:30 dhcp6c[62879]: Sending Solicit
## internet is now working again  ##
2020-02-10T12:57:28 opnsense: plugins_configure newwanip (execute task : webgui_configure_do(,wan))
2020-02-10T12:57:28 opnsense: plugins_configure newwanip (execute task : vxlan_configure_interface())
2020-02-10T12:57:26 opnsense: plugins_configure newwanip (execute task : unbound_configure_do(,wan))
2020-02-10T12:57:26 opnsense: plugins_configure newwanip (execute task : openssh_configure_do(,wan))
2020-02-10T12:57:26 opnsense: plugins_configure newwanip (execute task : opendns_configure_do())
2020-02-10T12:57:26 opnsense: plugins_configure newwanip (execute task : ntpd_configure_defer())
2020-02-10T12:57:22 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Success) IP address updated successfully (XXXXXXXXXX)
2020-02-10T12:57:22 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_wan_XXXXXXXXX_1.cache: XXXXXXXXX
2020-02-10T12:57:22 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:20 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (XXXXXXXXX): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
2020-02-10T12:57:20 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Success) IP address updated successfully (XXXXXXXXXXX)
2020-02-10T12:57:20 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_XXXXXXXXXXX_0.cache: XXXXXX
2020-02-10T12:57:17 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:15 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:14 opnsense: plugins_configure newwanip (execute task : dyndns_configure_do(,wan))
2020-02-10T12:57:14 opnsense: plugins_configure newwanip (,wan)
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
2020-02-10T12:57:14 opnsense: plugins_configure vpn (execute task : openvpn_configure_do(,wan))
2020-02-10T12:57:14 opnsense: plugins_configure vpn (execute task : ipsec_configure_do(,wan))
2020-02-10T12:57:14 kernel: pflog0: promiscuous mode enabled
2020-02-10T12:57:14 opnsense: plugins_configure vpn (,wan)
2020-02-10T12:57:14 kernel: pflog0: promiscuous mode disabled
2020-02-10T12:57:14 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: The WAN_PPPOE monitor address is empty, skipping.
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: The WAN_DHCP6 monitor address is empty, skipping.
2020-02-10T12:57:14 opnsense: plugins_configure monitor (execute task : dpinger_configure_do())
2020-02-10T12:57:14 opnsense: plugins_configure monitor ()
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway 'XXXXXXXX'
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to XXXXXXXXX
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
2020-02-10T12:57:14 opnsense: plugins_configure hosts (execute task : unbound_hosts_generate())
2020-02-10T12:57:14 opnsense: plugins_configure hosts (execute task : dnsmasq_hosts_generate())
2020-02-10T12:57:14 opnsense: plugins_configure hosts ()
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: On (IP address: XXXXXXXXX) (interface: WAN[wan]) (real interface: pppoe0).
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'pppoe0'
2020-02-10T12:57:14 opnsense: plugins_configure dns (execute task : unbound_configure_do())
2020-02-10T12:57:14 opnsense: plugins_configure dns (execute task : dnsmasq_configure_do())
2020-02-10T12:57:14 opnsense: plugins_configure dns ()
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on bce3
2020-02-10T12:57:14 opnsense: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2020-02-10T12:57:14 opnsense: plugins_configure dhcp ()
2020-02-10T12:57:14 opnsense: plugins_configure ipsec (execute task : ipsec_configure_do(,wan))
2020-02-10T12:57:14 opnsense: plugins_configure ipsec (,wan)
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
2020-02-10T12:57:14 dhcp6c[62879]: restarting
2020-02-10T12:57:14 dhcp6c: RTSOLD script - Sending SIGHUP to dhcp6c for interface wan(bce2_vlan201)
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface bce2_vlan201
2020-02-10T12:57:14 kernel: ng0: changing name to 'pppoe0'
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/ifconfig 'pppoe0' inet6 -accept_rtadv' returned exit code '1', the output was 'ifconfig: interface pppoe0 does not exist'
2020-02-10T12:57:13 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
2020-02-10T12:57:13 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
2020-02-10T12:57:11 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
2020-02-10T12:57:11 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:09 kernel: bce2_vlan201: link state changed to UP
2020-02-10T12:57:09 kernel: bce2: link state changed to UP
2020-02-10T12:57:09 kernel: bce2: Gigabit link up!
2020-02-10T12:57:06 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:04 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:03 kernel: bce2_vlan201: link state changed to DOWN
2020-02-10T12:57:03 kernel: bce2: link state changed to DOWN
2020-02-10T12:57:03 dhcp6c[62879]: Sending Solicit
## LAN interface is now accessible ##
2020-02-10T12:57:03 opnsense: plugins_configure dns (execute task : unbound_configure_do())
2020-02-10T12:57:03 opnsense: plugins_configure dns (execute task : dnsmasq_configure_do())
2020-02-10T12:57:03 opnsense: plugins_configure dns ()
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on bce3
2020-02-10T12:57:03 opnsense: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2020-02-10T12:57:03 opnsense: plugins_configure dhcp ()
2020-02-10T12:57:03 opnsense: plugins_configure ipsec (execute task : ipsec_configure_do(,lan))
2020-02-10T12:57:03 opnsense: plugins_configure ipsec (,lan)
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv4 default route
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'lan'
2020-02-10T12:57:03 dhcp6c[62879]: restarting
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
2020-02-10T12:57:02 kernel: bce3: link state changed to UP
2020-02-10T12:57:02 kernel: bce3: Gigabit link up!
## LAN Comes back up ##
2020-02-10T12:57:01 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:00 dhcp6c[62879]: Sending Solicit
2020-02-10T12:57:00 kernel: in_scrubprefix: err=51, prefix delete failed
2020-02-10T12:57:00 dhcp6c[62879]: restarting
2020-02-10T12:57:00 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
2020-02-10T12:57:00 kernel: bce3: link state changed to DOWN
## Two minutes later I physically DOWN the LAN/WAN interfaces ##
2020-02-10T12:55:37 dhcp6c[62879]: Sending Solicit
## Unable to pass any traffic through any interface ##
2020-02-10T12:54:33 openconnect[30051]: Session terminated by server; exiting.
2020-02-10T12:54:33 kernel: ocvpn0: link state changed to DOWN
2020-02-10T12:54:32 openconnect[30051]: Received server disconnect: b0 'Idle Timeout'
## Server Sends Disconnect ##
2020-02-10T12:53:36 dhcp6c[62879]: Sending Solicit
2020-02-10T12:51:37 dhcp6c[62879]: Sending Solicit
## Traffic is running normally ##


**Additional context**
Firewall is configured with 3 physical interfaces, configured as follows:

  • WAN (PPPoE0 on VLAN201) bce2
  • LAN (untagged) on bce3
  • Servers (untagged) on bce1
  • Servers (VLAN 30) on bce1
  • Server (VLAN 40) on bce1
bce2 not connected.

**Environment**

  • OPNsense 20.1-amd64
  • FreeBSD 11.2-RELEASE-p16-HBSD
  • OpenSSL 1.1.1d 10 Sep 2019
  • Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz (4 cores)
  • Dell R210 ii
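A small timeline parser for the log excerpt in the bug report above, added here as an example and not part of the report or of OPNsense itself: it reads the newest-first lines, puts them in chronological order, pulls the server's disconnect reason out of the openconnect line, and measures how long the box sat unreachable between ocvpn0 going DOWN and the manual re-plug that produced the first DEVD "attached" event. The sample lines are copied from the excerpt; the function names are my own.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: lines taken from the excerpt above, newest first as the
# post shows them, with one of the poster's '##' annotations left in place.
SAMPLE_LOG = """\
2020-02-10T12:57:14 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
2020-02-10T12:57:03 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
2020-02-10T12:57:00 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
## Two minutes later I physically DOWN the LAN/WAN interfaces ##
2020-02-10T12:54:33 openconnect[30051]: Session terminated by server; exiting.
2020-02-10T12:54:33 kernel: ocvpn0: link state changed to DOWN
2020-02-10T12:54:32 openconnect[30051]: Received server disconnect: b0 'Idle Timeout'
"""

Event = namedtuple("Event", "ts proc pid msg")
# '<ISO timestamp> <process>[<pid>]: <message>', the [<pid>] part being optional
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
DISCONNECT_RE = re.compile(r"Received server disconnect: \S+ '([^']*)'")

def parse_log(text):
    """Return Events oldest first; '##' annotations and other non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    events.reverse()                  # the excerpt is newest first
    events.sort(key=lambda e: e.ts)   # stable sort keeps order within one second
    return events

def disconnect_reason(events):
    """Reason quoted by the OpenConnect server-disconnect line, or None."""
    for e in events:
        m = DISCONNECT_RE.search(e.msg) if e.proc == "openconnect" else None
        if m:
            return m.group(1)
    return None

def outage_seconds(events):
    """Seconds from ocvpn0 going DOWN until the first later DEVD 'attached' event, else None."""
    for i, e in enumerate(events):
        if e.proc == "kernel" and "ocvpn0: link state changed to DOWN" in e.msg:
            for later in events[i + 1:]:
                if "DEVD Ethernet attached event" in later.msg:
                    return int((later.ts - e.ts).total_seconds())
            return None
    return None
```

Run against the full excerpt, the same two checks give the disconnect reason and the roughly two and a half minutes the poster describes before the re-plug restored connectivity.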