Messages

1

23.1 Legacy Series / Re: How to disable IPv6 Autoconf on WAN permanently ?

« on: August 01, 2023, 03:35:13 pm »

Hello,

I've tried to do that but this breaks IPv6 on OPNSense with warnings about already configured IP addresses in the console that keeps getting spammed.

Almost back to square one...

2

23.1 Legacy Series / Re: How to disable IPv6 Autoconf on WAN permanently ?

« on: August 01, 2023, 08:42:17 am »

Hello,

That's weird, are you sure? SLAAC addresses are /64, DHCPv6 addresses are /128.

Well, I was wrong and you are correct.

When the DHCPv6 client is configured to only request a prefix, not an address, does IPv6 Internet access still work?

In that case, IPv6 internet does work for the machines behind the OPNSense box, but the OPNSense box does NOT have IPv6 internet access and thus cannot run firmware and OS updates checks.

Even though, there is a routable public IPv6 assigned from the prefix to the LAN interface for example.

I suspect that your provider might advertise SLAAC, but doesn't actually route SLAAC addresses. This would be a significant (but not unique) misconfiguration which they would have to fix.

Yeah that's likely.

I have found some kind of workaround but it needs an IPv6 from the prefix assigned on the WAN interface.

If do use the command bellow, then IPv6 start working on OPNSense :

#ifconfig vtnet0 inet6 <SLAAC IPv6 address> -alias

Then, I can get IPv6 working for OPNSense update checks because the /128 is taking precedence and is being used as the SOURCE IP address on the WAN interface for IPv6.

Now I'm checking how I can execute a script with this command on each startup...

3

23.1 Legacy Series / Re: How to disable IPv6 Autoconf on WAN permanently ?

« on: July 31, 2023, 04:53:49 pm »

Also :

On Linux you can fine tune the system in order to allow/deny Router Advertisements and allow/deny Autoconf via SLAAC on a per-interface basis :

root@machine:~# sysctl -a | grep "_ra =" | grep vmbr0
net.ipv6.conf.vmbr0.accept_ra = 0
root@machine:~# sysctl -a | grep vmbr0 | grep autoconf
net.ipv6.conf.vmbr0.autoconf = 0

On FreeBSD / OPNSense it looks like you can only allow/deny Router Advertisements system-wide using the following trick :

sysctl net.inet6.ip6.accept_rtadv=0

This can be set as a "Tunable" value in OPNSense GUI so the setting persists across reboots.

However, event with this variable set to 0, I still get a SLAAC address.

This is unfortunate to say the least.

4

23.1 Legacy Series / Re: How to disable IPv6 Autoconf on WAN permanently ?

« on: July 31, 2023, 04:24:26 pm »

Are you sure that the IPv6 is assigned via SLAAC? Did you try checking the "Request only an IPv6 prefix" on the WAN interface page?

Yes, both SLAAC and Prefix Delegation are advertised by the Provider router.

If I use the "Request only an IPv6 prefix", I still get an /128 IPv6 address because of SLAAC that I do not want.

If the prefix is static, it might be worth trying to configure everything statically

For security reasons, the Provider router will only route the IPv6 /48 prefix to OPNSense if I do Prefix Delegation with a private DUID-LL. No static routing is possible.

When I have both the SLAAC address and an IPv6 address carved out of the /48 block that are both assigned to the WAN interface, it looks like there is a "race condition" going on :

- If the /64 address that belongs to the /48 block can be seen on the GUI Dashboard of OPNSense, then everything works fine because the route to the v6 Internet is correctly set.

- If the GUI Dashboard display the /128 address from the SLAAC block, then IPv6 either fails or hangs ( like when I try to check the OPNSense updates in the GUI for example )

Thank you.

5

23.1 Legacy Series / How to disable IPv6 Autoconf on WAN permanently ?

« on: July 31, 2023, 10:12:37 am »

Hello,

My datacenter provider is providing me with a /48 IPv6 address block that I can request using DHCPv6 Prefix Delegation.

The issue is that the datacenter provider also provide the SLAAC method for WAN interface autoconfiguration.

SLAAC cannot be disabled from Provider side.

I have found a command that seems to be doing what I'm looking for :

# ifconfig vtnet0 inet6 -autoconf

However. according to FreeBSD ifconfig documentation ( https://man.freebsd.org/cgi/man.cgi?ifconfig(8) ) this kind of change is lost after a reboot.

So, my question is, how to apply permanently the "-autoconf" flag on my WAN vtnet0 interface ?

Thank you.

6

23.1 Legacy Series / Re: dhcp6c doesn't seems to start

« on: July 31, 2023, 09:55:16 am »

Solved, this was an issue with some undocumented configuration requirements for IPv6 from the Datacenter provider.

7

23.1 Legacy Series / Re: DVD ISO UEFI boot not working with Proxmox 8.0.3

« on: July 31, 2023, 09:54:07 am »

Hello,

Thank you for the tip about NOT using an EFI disk -> It works !

Best.

8

23.1 Legacy Series / dhcp6c doesn't seems to start

« on: July 15, 2023, 04:51:44 pm »

Hello,

I have installed the latest OPNSense version 23.1.11 and dhcpc6 doesn't seem to start when I configure DHCPv6 Prefix delegation on my WAN interface.

Please find the logs bellow :

<13>1 2023-07-15T16:46:11+02:00 OPNsense.mydomain.com configctl 58563 - [meta sequenceId="2"] event @ 1689432371.02 exec: system event config_changed
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com dhcp6c 24749 - [meta sequenceId="3"] RTSOLD script - Sending SIGHUP to dhcp6c
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="4"] /interfaces.php: ROUTING: entering configure using 'wan'
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="5"] /interfaces.php: ROUTING: configuring inet default gateway on wan
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="6"] /interfaces.php: ROUTING: setting inet default route to REDACTED
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="7"] /interfaces.php: ROUTING: configuring inet6 default gateway on wan
<11>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="8"] /interfaces.php: ROUTING: not a valid default gateway address: ''
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="9"] /interfaces.php: plugins_configure monitor (,WAN_GW)
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="10"] /interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do(,WAN_GW))
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="11"] /interfaces.php: plugins_configure monitor (,WAN_DHCP6)
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="12"] /interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do(,WAN_DHCP6))
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="13"] /interfaces.php: plugins_configure ipsec (,wan)
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="14"] /interfaces.php: plugins_configure ipsec (execute task : ipsec_configure_do(,wan))
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="15"] /interfaces.php: plugins_configure dhcp ()
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="16"] /interfaces.php: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
<11>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="17"] /interfaces.php: The command '/bin/kill -'TERM' '88971'' returned exit code '1', the output was 'kill: 88971: No such process'
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="18"] /interfaces.php: plugins_configure dns ()
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="19"] /interfaces.php: plugins_configure dns (execute task : dnsmasq_configure_do())
<13>1 2023-07-15T16:46:13+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="20"] /interfaces.php: plugins_configure dns (execute task : unbound_configure_do())
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="21"] /interfaces.php: ROUTING: entering configure using defaults
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="22"] /interfaces.php: ROUTING: configuring inet default gateway on wan
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="23"] /interfaces.php: ROUTING: keeping current inet default gateway 'REDACTED'
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="24"] /interfaces.php: ROUTING: configuring inet6 default gateway on wan
<11>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="25"] /interfaces.php: ROUTING: not a valid default gateway address: ''
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="26"] /interfaces.php: plugins_configure monitor ()
<13>1 2023-07-15T16:46:15+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="27"] /interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do())
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="28"] /interfaces.php: plugins_configure newwanip (,wan)
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="29"] /interfaces.php: plugins_configure newwanip (execute task : dnsmasq_configure_do())
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="30"] /interfaces.php: plugins_configure newwanip (execute task : ntpd_configure_do())
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="31"] /interfaces.php: plugins_configure newwanip (execute task : opendns_configure_do())
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="32"] /interfaces.php: plugins_configure newwanip (execute task : openssh_configure_do(,wan))
<13>1 2023-07-15T16:46:16+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="33"] /interfaces.php: plugins_configure newwanip (execute task : unbound_configure_do(,wan))
<13>1 2023-07-15T16:46:17+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="34"] /interfaces.php: plugins_configure newwanip (execute task : vxlan_configure_do())
<13>1 2023-07-15T16:46:17+02:00 OPNsense.mydomain.com opnsense 15676 - [meta sequenceId="35"] /interfaces.php: plugins_configure newwanip (execute task : webgui_configure_do(,wan))


This configuration worked fine on older OPNSense versions.

Thank you.

9

23.1 Legacy Series / DVD ISO UEFI boot not working with Proxmox 8.0.3

« on: July 15, 2023, 02:58:46 pm »

Hello,

I have tried to boot the DVD ISO installer in UEFI mode when creating the VM for OPNSense on my Proxmox server and I've noticed that only Legacy boot is working.

Steps to reproduce :
Try to boot the DVD ISO in UEFI mode from Proxmox 8.0.3 using a VM in UEFI mode.

Older Proxmox and OPNSense ISO files do not have this issue.

Thank you.

10

22.7 Legacy Series / Re: Cannot select multime items in Unbound DNS configuration panel

« on: January 19, 2023, 11:59:49 pm »

Thank you for the feedback.

I will check your link.

Cheers.

11

22.7 Legacy Series / Cannot select multime items in Unbound DNS configuration panel

« on: January 13, 2023, 11:01:09 pm »

Hello,

I'm running OPNsense 22.7.10_2-amd64 and I have an issue with the firewall GUI.

I cannot select multiple items in the Host Overrides section of the Unbound configuration panel

Is this a known issue ?

Thanks.

12

22.7 Legacy Series / New IPSec status page displays connected tunnel if tunnel SA not active

« on: August 01, 2022, 04:53:12 pm »

Hello,

I have upgraded to the latest 22.7 version.

In the new IPSec status page, the status of the tunnels shows "Connected" regardless of the real status of the tunnels.

Step to reproduce :
- Bring one side of an IPSec tunnel down and check the status page

Expected result :
- Tunnel should not be displayed as Connected.

Thank you.

13

Virtual private networks / Re: IPSec Libreswan to OPNSense cannot ping from OPNSense LAN

« on: June 30, 2022, 07:35:47 pm »

Solution to the issue :

Add NAT rule using nftables on the Debian Libreswan box because there's no way to configure custom routing on my ISP box.

Tweak Windows 10 firewall to allow ICMPv4 Echo replies and requests from any subnet.

Everything works OK now.

14

Virtual private networks / Re: IPSec Libreswan to OPNSense cannot ping from OPNSense LAN

« on: June 30, 2022, 05:15:41 pm »

After doing a tcpdump on the Debian machine, I can see the remote ping comming from the IPSec tunnel.

This is my sysctl config :

net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.ip_forward = 1

Maybe some of these settings are the issue, or maybe I need NAT ?

15

Virtual private networks / Re: IPSec Libreswan to OPNSense cannot ping from OPNSense LAN

« on: June 30, 2022, 05:04:25 pm »

Libreswan logs :

https://hastebin.milkywan.fr/diwibobisi.apache