Messages - GreenMatter

#1
I've just upgraded my instance to 25.1.5_4 and now it works.
Thanks, well done!
#2
Quote from: franco on April 11, 2025, 09:30:59 AM
If you have a captive portal and reflection enabled there is an issue that is going to be hotfixed in 25.1.5_4.

Yes, captive portal is enabled on one of the VLANs, and 1:1 along with port reflection are enabled as well.
So, I guess this is the reason...
#3
I run OPNsense (25.1.4) in a Proxmox VM. After upgrading to 25.1.5, I couldn't connect to WAN services or to the local instance of AdGuard Home (it runs in a Proxmox LXC and forwards all queries to Unbound). I couldn't find errors, but I guess I'd somehow lost DNS resolution. I don't use Zenarmor - it is disabled.
After restoring the OPNsense snapshot back to 25.1.4 everything came back to normal...
#4
Recently I migrated OpenVPN servers from legacy to instances; I changed the UDP server from TUN to DCO. It had been working, but all of a sudden the client (Viscosity - OpenVPN 2.6) stopped being able to download anything, and in the server log was:
Data Channel Offload doesn't support DATA_V1 packets. Upgrade your server to 2.4.5 or newer.
A bit strange (OpenVPN 2.6 on both client and server), especially since WireGuard also stopped working (although handshakes were exchanged). It seems like setting DCO also affects UDP connectivity in WireGuard.
And once I set the OpenVPN interface back to TUN, both the Viscosity UDP client and WireGuard started working again.
So, that's an experimental feature :-)?
#5
Quote from: dseven on February 25, 2025, 09:12:12 PM
That document is just all kinds of wrong. How stuff like that gets into the official OPNsense docs is beyond my comprehension. smh...

If you want to be able to use IPv6 from your LAN, you will need at least one firewall rule to allow it - similar to the "Default allow LAN to any rule", but for IPv6.
Yes, I changed my config completely:
- disabled DHCPv6
- set RAD to "unmanaged", and in the VLAN where I manually assign IPv6 I set it to "router only"
- removed those extra IPv6 FW rules, and that's where I'm not so sure. Is it OK to rely only on the automatic rules (see attachments)?
Now it works, but do I need to create a FW rule to be more on the safe side?
#6
Quote from: dseven on February 25, 2025, 03:22:36 PM
What does "I can connect to WAN ip6 services" mean? Are you saying that LAN hosts can reach the internet via IPv6, but can't get DNS from, or ping, your OPNsense firewall's LAN IP address? What do your firewall rules for LAN look like?
I meant, in LAN:
- I'm not able to connect to local services (tried "nc -vz...", mainly DNS) or ping them
in WAN:
- contrary to the above, I can ping them or test with netcat

I followed the OPNsense how-to: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html, so I don't have very special firewall rules...
#7
Hello,

I have had dual stack (with tunnel broker) working fine. Recently I've noticed that all devices in the LAN can't communicate via IPv6 within the LAN (IPv6 DNS, pinging the gateway...) despite having IPv6 addresses assigned (/64). At the same time I can connect to WAN IPv6 services.
What may have happened and how do I troubleshoot it? OPNsense is up to date: 25.1.1.
#8
OPNsense is on the latest version (24.7.4) and today I ran into the issue of a completely filled disk.
After running the following command I saw:

root@OPNsense:/ # du -mah | sort -rh | head -n 10
37G .
28G ./var
25G ./var/log
16G ./var/log/squid
9.5G ./var/log/squid/access.log
8.0G ./usr
7.8G ./var/log/c-icap/access.log
7.8G ./var/log/c-icap
7.4G ./usr/local
7.0G ./var/log/squid/store.log

So, the squid and c-icap access logs were enormous; I had to manually delete them and restart the services. I use squid + c-icap + ClamAV to scan web data.

What could cause the creation of such big access logs?
#9
I'm puzzled too - I don't understand implementing KEA when it doesn't match the functionality of ISC. Issues in 24.7 with the OpenVPN UDP server (at least in my case) plus the removed ISC DHCP functionality in 24.7 made me revert the upgrade back to version 24.1.10...
#10
One more thing.
The OpenVPN TCP server (legacy) was fully running.
The UDP server (legacy) was running too, but there was no connectivity. I mean netcat was showing replies from hosts on various ports, but nothing could go through the browser.
I gave up and restored 24.1.10...
#11
Thanks, but what keeps stopping me from migrating is the missing TLS authentication (TLS Shared Key) in the instances config.
Will it be added there?
#12
Quote from: franco on July 25, 2024, 07:54:37 PM
Not going to be in legacy client/server, sorry.
Thus I need to migrate to "instances"?
#13
Quote from: franco on July 25, 2024, 07:29:06 PM
disable-dco
Yes, that restored UDP server...
But how do I change the config to use DCO?
#14
After upgrading to 24.7 (for test purposes :D ) the OpenVPN UDP server (legacy) doesn't work anymore and throws the following errors:
2024-07-25T19:06:21 Warning openvpn_server9 dco_set_ifmode: failed to set ifmode=00008002: Invalid argument (errno=22)
2024-07-25T19:06:21 Warning openvpn_server9 Failed to create interface ovpns9 (SIOCSIFNAME): File exists (errno=17)

How to fix it?
#15
Some time ago I set up IPv6 through Tunnelbroker in a few of my VLANs.
It's been working fine until now. I can still ping WAN hosts, and Unbound resolves AAAA queries:
% dig google.com AAAA       

; <<>> DiG 9.10.6 <<>> google.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4210
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.         IN   AAAA

;; ANSWER SECTION:
google.com.      40   IN   AAAA   2a00:1450:401b:804::200e

;; Query time: 2 msec
;; SERVER: X001:XXX:XXXX:4::1#53(X001:XXX:XXXX:4::1)
;; WHEN: Thu Feb 29 12:00:35 CET 2024
;; MSG SIZE  rcvd: 67
But any tests I do via browsers (Safari, Chrome) fail miserably. For example, https://test-ipv6.com/ says there's no IPv6 address discovered.
With the exception of my OpenVPN road warrior connection: when I connect via VPN, all is OK.
The FW of course has IPv6 enabled, and the respective VLAN also has a rule allowing all "IN" IPv4+IPv6 traffic, the same as the OpenVPN group interface. How to troubleshoot it???

EDIT:
It seems like I can think better when I write a post :-). I had/have caching (squid, icap) enabled on a couple of VLANs, and this was filtering out my IPv6. Is it possible to configure caching for IPv6?