Messages - bubbagump

#1
23.1 Legacy Series / Re: Problems with CARP - bug?
February 14, 2023, 10:14:44 PM
I'll ask the obvious dumb question - what does the config of the offending VIPs look like on each box? Are base and skew set correctly and match the "good" VIPs? I know you said the config didn't change, but old configs that worked despite themselves until a bug is fixed are not unheard of.
#2
I'm dumb, mDNS has this same pattern.
#3
Currently Wireguard has no CARP awareness meaning a few things:

* Wireguard that is stopped on a firewall that is BACKUP starts after an XMLRPC config sync when the enable flag is set.
* Wireguard starts on a firewall that is BACKUP after a reboot.

This causes issues where two firewalls are connected to the same VPN endpoint and thus have the same tunnel IP. The far end thrashes packets all over as the two tunnels fight for dominance.

There is a good CARP script out there to deal with failover but not the XMLRPC sync issue.

It occurs to me that there should be an option within the WG plugin to make it "CARP aware" OR a change in the default behavior to always be CARP aware similar to DHCP.

My ask here is does a pattern for such a thing exist? Are there other plugins that have such functionality? I'd like to dig into the problem, but I want to use any established patterns if they exist so I don't make a pull request and find "hey dude, do it this way over here as that's how we always do it." I don't think any plugins ARE CARP aware, thus my question and perhaps a new pattern would need to be created. Thanks!
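One way the "CARP aware" pattern described above could look, as an added example in the style of the rc.syshook.d/carp hooks (this is not the os-wireguard plugin's code or the poster's). Assumptions: the hook is called like the existing DHCP hook, with $1 = "<vhid>@<interface>" and $2 = MASTER/BACKUP/INIT; "configctl wireguard start|stop" is available; the install path and CARP_VHID value are placeholders.

```sh
#!/bin/sh
# Added example, not the plugin's code: a CARP hook for WireGuard in the style
# of OPNsense's rc.syshook.d/carp scripts.
# Assumed calling convention (taken from the dhcpd hook):
#   $1 = "<vhid>@<interface>"   $2 = MASTER | BACKUP | INIT
# Assumed commands: "configctl wireguard start" / "configctl wireguard stop".
# Assumed install path: /usr/local/etc/rc.syshook.d/carp/20-wireguard

# Only react to the VHID carrying the WAN address the tunnel is bound to.
CARP_VHID="${CARP_VHID:-1}"   # placeholder, adjust to your setup

# Map a CARP state to the action WireGuard should take. Prints "start",
# "stop", or nothing (INIT and unknown states are ignored).
action_for_state() {
    case "$1" in
        MASTER) echo start ;;
        BACKUP) echo stop ;;
        *) ;;
    esac
}

# Split "<vhid>@<interface>" and print only the vhid part.
vhid_of() {
    printf '%s\n' "${1%%@*}"
}

main() {
    subsystem="$1"
    state="$2"
    # Ignore transitions on VHIDs that do not matter to the tunnel.
    [ "$(vhid_of "$subsystem")" = "$CARP_VHID" ] || exit 0
    action=$(action_for_state "$state")
    [ -n "$action" ] || exit 0
    logger -t carp-wireguard "$subsystem is $state, running wireguard $action"
    configctl wireguard "$action"
}

# Only act when called as a hook (two arguments); sourcing just defines functions.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

This covers the failover part of the post (state transitions); it does not by itself stop a BACKUP node from starting the service after an XMLRPC sync or a reboot, since the hook only fires on CARP state changes.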
#4
After thinking about this for a few days and poking at docs, I don't think OPNSense offers an explicit way to do this. What I ended up doing that gets me most of the way there....

Wireguard will use the default gateway and has no concept of a gateway group. Therefore I simply set the priority of the WAN link I wanted to use for Wireguard to have priority and enabled "Allow default gateway switching."
#5
I am wondering how I can pin Wireguard to a gateway and/or cause it to fail over in a multi-WAN setup. This is only for outbound considerations as inbound - create the NAT and off I go.
#6
Thanks, yup, I tracked that down and see how the plumbing connects now.
#7
Thank you, but see my edit above... somehow the DHCP lease time was set to a week. (I think I know how this happened - someone trying to match Windows DHCP defaults... grumble.)
#8
Running 22.1.2_1. Seemingly Unbound never deletes/cleans up A records created by DHCP. As an example and how I can reproduce it - I spin up a new VM and it uses DHCP in its initial boot. Once it boots the first time, I create a static reservation and refresh the lease on the VM to use the new IP reservation. Now Unbound reports the original IP and the new reservation IP. Fast forward a few days and the original DHCP lease which has long expired literally days ago is still being served by Unbound along with the reservation IP. No amount of service restarts or reboots cleans it up. Is this a bug? By design and I am missing a config option? Something else?

EDIT: Ignore me... somehow the default lease time was set to a WEEK. Well, that explains that. It was a DHCP issue and not Unbound as when I deleted the entries from /var/unbound/dhcpleases.conf, they would reappear when I restarted Unbound. That was my clue. I r dum.
#9
22.1 Legacy Series / Re: os-ddclient
February 18, 2022, 02:05:13 AM
Quote from: tracerrx on February 17, 2022, 10:40:43 PM
When using dd-client, can I get some clarity on "Use interface IP"? If you're in a multi-wan environment, and set this to none, will it use the IP of the WAN interface with the highest priority?

I have been playing a bit and it seems the "General Settings" selection is the global default. Then, you can override this in the Account configuration. If you do not choose anything, I believe it will be the source IP that contacts the service under "Check ip method" which will depend on how your multi-WAN is configured which in your example, yes, the interface with the highest priority. If you have Round Robin, I would expect unpredictable results.

EDIT: This was somewhat helpful to compare what the OPNSense GUI was doing compared to what shows up in /usr/local/etc/ddclient.conf. I think this may help others using Cloudflare wanting to use a Global API key. https://github.com/ddclient/ddclient/blob/master/ddclient.conf.in and https://sourceforge.net/p/ddclient/mailman/message/20383414/ (the second link discusses the local IP overrides).
#10
I have an odd problem where my WAN MTU gets set to weird values like 596 even though the interface is hard coded to 1500. While I try to track down what the root cause is I want to monitor the interface's MTU. The API seems very limited in this regard or I am not understanding something fundamental. I know the API works as I use it to enable/disable aliases and some other firewall rules. Any hints or better ways to get this value out of the box?

curl -k -u "user":"key" 'https://someip/api/interfaces/vxlan_settings/get'

As well as /loopback_settings/get and getItem give me 401s. I figure I need to query and find a UUID to then use the UUID to get current state parameters as I do with other items. Any thoughts?
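For the monitoring part of the question, here is an added example (not from the thread) that watches the interface MTU from the shell instead of the API and logs to syslog when it drifts from the configured value. Assumptions: FreeBSD/OPNsense ifconfig output ("igb0: flags=... metric 0 mtu 1500"), interface name igb0 and expected MTU 1500, both overridable via the environment.

```sh
#!/bin/sh
# Added example, not from the thread: poll an interface's MTU on OPNsense/FreeBSD
# and log to syslog when it drifts from the value configured in the GUI.
# Assumed: interface igb0 and expected MTU 1500 (override via environment).

IFACE="${IFACE:-igb0}"
EXPECTED_MTU="${EXPECTED_MTU:-1500}"
INTERVAL="${INTERVAL:-60}"

# Read ifconfig output on stdin and print the mtu value from its header line,
# e.g. "igb0: flags=8863<UP,...> metric 0 mtu 1500" -> 1500.
parse_mtu() {
    sed -n 's/^[^[:space:]].*[[:space:]]mtu[[:space:]]\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a sampled MTU against the expected value: "ok", "drift" or "missing".
classify_mtu() {
    if [ -z "$1" ]; then
        echo missing
    elif [ "$1" = "$EXPECTED_MTU" ]; then
        echo ok
    else
        echo drift
    fi
}

# Loop forever, logging only when the sampled value changes so syslog is not flooded.
watch_mtu() {
    last=""
    while :; do
        cur=$(ifconfig "$IFACE" 2>/dev/null | parse_mtu)
        state=$(classify_mtu "$cur")
        if [ "$state" != "ok" ] && [ "$cur" != "$last" ]; then
            logger -t mtu-watch "$IFACE mtu is '${cur:-unknown}', expected $EXPECTED_MTU"
        fi
        last="$cur"
        sleep "$INTERVAL"
    done
}

# Start watching only when invoked with "watch"; sourcing the file just defines functions.
if [ "${1:-}" = "watch" ]; then
    watch_mtu
fi
```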
#11
21.7 Legacy Series / Understanding traffic graphs
December 04, 2021, 07:06:15 PM
See my screenshot here: https://imgur.com/a/GfhtIB0

The question is why don't the two graphs correlate? If one looks at 10:40:55 you see there is a top talker using 4Mb yet the aggregate graph at the top shows only 620Kb. This makes no sense to me. I would expect the top aggregate graph to be at least 4Mb and likely more when considering other hosts talking at this same time over and above the top talker.
#12
21.7 Legacy Series / 21.7.6 broke Unbound?
November 26, 2021, 04:53:06 PM
Unbound is spinning into space with crazy high CPU about once every hour. Kill -9 kills the process and the new process is perfectly happy for a bit until it too spins into space eating a ton of CPU and becoming unresponsive. The release notes don't show changes to Unbound, but this started happening after I updated this AM.
#13
General Discussion / Why default block picking up?
November 26, 2021, 04:36:01 PM
I'm dumb, Mods, please delete
#14
Wow, thanks for the info!

I put in a pull request and would love a pair of very qualified eyes to confirm my verbiage/understanding is correct:

https://github.com/opnsense/plugins/pull/2481
#15
Can you screenshot the entire WG configs inside Local and EndPoint? (Redact keys of course). It's just really hard to understand what's going on when you have so many parts missing.

All that said, the fact the service isn't starting at all is very bizarre and leads me to believe that is where the issue is. Is there any other logging in syslog that is a hint? In your original log snippet it appears the service starts then immediately crashes.

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN