Messages

1

General Discussion / Re: Setting up - Cannot connect to Internet

« on: April 23, 2022, 10:14:25 pm »

It could also be something simple like, in my experience, after changing fundamental settings (like WAN interface), sometimes opnsense behaves weird and buggy until rebooted.

So try rebooting after setting the foundational settings as you like, and see if it makes a difference (if you haven't already done so)

2

General Discussion / Re: Setting up - Cannot connect to Internet

« on: April 23, 2022, 09:34:54 pm »

First off, you shouldn't need any WAN rules to make outbound connections work, so please remove them to save yourself from a terrible security problem.

Second, I would start off monitoring the firewall live log while pinging to see if things get dropped or pass, etc.

Also you can try pinging stuff like 8.8.8.8 or even the next gateway from your provider directly from opnsense with interface set to WAN, to rule out your LAN as the problem.

3

General Discussion / 1:1 NAT for "hiding" internal network for other internal networks

« on: April 23, 2022, 09:06:28 pm »

Hello there,

so we got a new fiber line from our provider, and a modem to go along with it.
Now since we have multiple sites and many internal networks per site, I am using the 10.0.0.0/8 address range.
This new modem that we got will only show its web interface on VLAN 0 in subnet 192.168.100.0/24 though.
While its not that much of a problem to just set the interface up that way, I figured maybe I could just "hide" that network such that, let's say 10.10.10.0/24 will be natted and routed to 192.168.100.0/24.
So instead of pinging the modem at lets say, 192.168.100.2, I could use 10.10.10.2.
This way it fits in with our addressing scheme better.
Also, if we get a second modem for a second line, this way address conflicts could be avoided.

Am I on the right track when I think that 1:1 NAT can help me here?
I tried to set it up but it didn't work, but before I post configs I want to know if I'm even going into the right direction here.

Everyone who read this far, thanks for your time and have a nice day,
Daniel

4

21.1 Legacy Series / Re: Slow connection on PPPoE via OPNsense

« on: May 05, 2021, 03:44:48 pm »

As a side note, why are you even running your main firewall on a VM when you could just use a physical machine? It is much more reliable in many ways and you will get better latencies as well.

5

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 05, 2021, 03:20:49 pm »

The machines calculated their addresses correctly, but got the wrong router IP from the RA (from the wrong subnet), leading to no connectivity.

That's unexpected. By 'router IP' you mean the link-local source address of the RAs? I don't see how this could be affected by the RA flags. In other words, if this worked in 'Managed' mode but doesn't in 'Assisted', 'Stateless' or 'Unmanaged', something else must be going on. Anything else you changed during troubleshooting?

SLAAC is working rock solid here (multiple interfaces with a mix of 'Assisted', 'Stateless' and 'Unmanaged' RAs).

Cheers

Maurice

So what happened was actually that they calculated an IP within their respective subnet, and they probably got the correct DNS server, but when they tried to DNS resolve opnsense, it would return an IP from the wrong subnet (which is not really what I wrote, sorry), and also the machines had no outbound connectivity to the internet or to other v6 enabled local subnets (which they should be able to access due to fw rules). So something went wrong with the routing, which is weird. Also weird is that I could even see outbound packets on WAN when for example running "ping -6 google.de" from affected machines. But no answer was returned. As I said, I didn't troubleshoot it deeply, because I didn't want to interfere too much with workers.

6

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 05, 2021, 12:23:18 am »

The "intermittently unresponsive" issue was introduced for both Router Advertisements (which broke SLAAC) and DHCPv6 when OPNsense switched to FreeBSD 12.1 in 20.7. For Router Advertisements, it was eventually solved by patching radvd. So SLAAC works again in 21.1. But for DHCPv6, no fix is available yet (that includes the 21.7 development version). If you depend on DHCPv6, you'll have to use a separate DHCPv6 server for the time being. Since you have Windows clients and might have a Windows Server: The Microsoft DHCP server works just fine.

Cheers

Maurice

Unfortunately, on the first system I tested, SLAAC also didn't work. The machines calculated their addresses correctly, but got the wrong router IP from the RA (from the wrong subnet), leading to no connectivity.
So now I have decided to turn off v6 on that interface entirely for now and wait it out until fixes appear. Hopefully, connectivity won't be affected too much by disabling v6 but I see no other sensible option for me right now.

7

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 04, 2021, 11:14:33 pm »

I'm curious - if you set RA to "Assisted" instead of "Managed" does it survive any better?  Or perhaps it fails in the same way but typical user client traffic will flow because Windows falls back to SLAAC-obtained addresses?

The problem would be that in this case, connections would still fail because of the "bad" addresses coming and going, and TCP sessions going stale because of that. So I don't think I will experiment with that too much if SLAAC on its own avoids the problem for now.

8

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 04, 2021, 10:27:01 pm »

The "intermittently unresponsive" issue was introduced for both Router Advertisements (which broke SLAAC) and DHCPv6 when OPNsense switched to FreeBSD 12.1 in 20.7. For Router Advertisements, it was eventually solved by patching radvd. So SLAAC works again in 21.1. But for DHCPv6, no fix is available yet (that includes the 21.7 development version). If you depend on DHCPv6, you'll have to use a separate DHCPv6 server for the time being. Since you have Windows clients and might have a Windows Server: The Microsoft DHCP server works just fine.

Cheers

Maurice

Nice to know, thanks. The Windows machines are actually not in a local domain at all, they are cloud managed with azure, so Microsoft DHCP is not an option (and I probably wouldn't even do it with a local domain tbh). But I will simply switch the machines to SLAAC since that should work. We never "depended" on dhcp6 anyway, I just used it since it seems more convenient to be able to somewhat control the addresses, and we were already using it successfully on other subnets.

9

21.1 Legacy Series / Re: Update uses less space?

« on: May 04, 2021, 04:26:30 pm »

Anything less than 120GB or so has terrible IOPS and longevity so I would avoid it. Also smaller SSDs are not much cheaper because nobody buys them.
The disk util will go up a little with logs growing and package caches filling up. Also there should always be a few gigabytes of free space for installing of upgrades.
Additionally, some plugins will lead to a much higher disk util, e.g. ntop

10

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 04, 2021, 03:39:41 pm »

Possibly related to this?:

DHCPv6 server intermittently unresponsive, not responding to solicits
https://github.com/opnsense/core/issues/4691

That sounds unnervingly similar to what I encounter, I will try to check using a packet capture like suggested if it is the case.
Though I must say even not having checked it, the intermittent nature of the error leads me to believe it is a software bug and not a misconfiguration.

EDIT: I just made a quick packet capture and it seems to be true. I can see ip6 dhcp6 request that remain unanswered by the server. They just get ignored. I will post on github about my findings, because AFAIK this problem *should* have been 21.7.x only

11

21.1 Legacy Series / Re: [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 04, 2021, 03:37:52 pm »

Probably need more details as to how you have allocated IPv6 subnets to each VLAN, eg a /64? Maybe post relevant configs

Correct, I have assigned /64 subnet, using a subrange of that as the dhcp range, it is set as <prefix>:1:: - <prefix>:1::ffff so the range has 16^4 addresses in it. The ip6 address is set manually on the interface, too,, because I had trouble with the automatic options. I don't want to post screenshots to keep the prefix private.

12

21.1 Legacy Series / [21.1.5] IPv6 unstable with DHCPv6 and RA "Managed"

« on: May 04, 2021, 12:26:26 pm »

I've been getting complaints from workers in both our offices that sometimes their network on their win10 machines was unstable.
Upon further inspection, I found that the problem was IPv6, which Windows uses as default if available.
The interface for the office machines is configured with DHCPv6 and the RAs set to "Managed" mode.
The behaviour is weird in that it often gives out IPv6 addresses, but they don't persist for long and keep coming back and going away, which results in unstable connectivity.
In that network, IPv4 is perfectly stable, so I don't suspect a physical problem with the network.
Is this a known problem with this version?
I am looking around for a solution but I think everything is configured right and I don't know what to do besides disabling DHCP6 and trying SLAAC.

EDIT: I forgot to mention that there doesn't seem to be a general problem with ipv6 on the network, because on both locations, we have statically configured ipv6 machines that have stable connectivity, also there is another subnet here that doesn't run in a VLAN which uses DHCP6 + RA "Managed" and it is stable.
So maybe it only happens on the VLAN networks.
Also I tried both the setting "dynamic" and "static" RA but it doesn't seem to make much of a difference regarding stability. Both locations use DHCP static assigned ::56 subnets from the ISP, so both settings should work if I understand right.

13

21.1 Legacy Series / Re: Wireguard changes from 21.1.3 to 21.1.4?

« on: April 08, 2021, 05:44:58 am »

I just upgraded the first machine and noticed 2 things:
1) the version change of the wireguard package was shown wrong, it is indeed what you showed
2) the wireguard-kmod package was only shown as a new package in the upgrade overview, but not actually installed
so indeed, it should just be running normally with the user space code.
Thanks again!

14

21.1 Legacy Series / Re: Wireguard changes from 21.1.3 to 21.1.4?

« on: April 08, 2021, 05:12:47 am »

Thank you for the information!
I will probably test out the update then.
The version jump is just what the updater told me would happen, I just copied the strings, might be showing it wrong but I still haven't upgraded so I can't say what it'll look like after the fact.
Also the updater told me it would install wireguard-kmod - so in the worst case I could just uninstall it and wireguard should still work fine, if I understand right.

15

21.1 Legacy Series / Wireguard changes from 21.1.3 to 21.1.4?

« on: April 07, 2021, 05:40:21 am »

Hello there,

can somebody summarize the changes that the wireguard implementation in Opnsense went through from 21.1.3 to 21.1.4 and how they affect existing setups?
I just saw that new wireguard related things like wireguard-kmod (kernel module I presume) will be installed during the update, alongside a very huge version jump in the wireguard package (1.0.20210223 -> 2,1) and I am worried regarding the latest stories about the FreeBSD wireguard kernel code quality.
Our wireguard setup has been working very reliably over the past year or so and I just want to know that it will stay that way in the new version.
Does the new version use a kernel module? Is that the same code with the abysmal quality that caused discussions? Can the old user-mode implementation still be used in the new version?