Messages

[OPNsense 25.7-amd64]

Before I updated to OPNsense 25.7.10 (amd64) everything worked perfect, right after the update and a reboot, the IPv6 problem on the WAN interface appeared on my system as well.. In short words, I get the fixed IPv4 but neither a fixed IPv6 nor my fixed IPv6 /56 network.

I've a fixed IPv6 /56 network and the following settings worked very well before the update, please find my settings in the attached screenshot.

Currently it looks as if the dhcp6c.conf which to my understanding is needed for dhcp6c service isn't existing:

auser@theFirewall:~ # ls -l /usr/local/etc/dhcp6c.conf
ls: /usr/local/etc/dhcp6c.conf: No such file or directory
auser@theFirewall:~ # service dhcp6c onestart
/usr/local/etc/rc.d/dhcp6c: WARNING: /usr/local/etc/dhcp6c.conf is not readable.
/usr/local/etc/rc.d/dhcp6c: WARNING: failed precmd routine for dhcp6c
auser@theFirewall:~ # ps aux | grep dhcp6c
root      824  0.0  0.0  13744    2404  0  S+  00:54    0:00.00 grep dhcp6c
auser@theFirewall:~ # opnsense-version
OPNsense 25.7.10 (amd64)
auser@theFirewall:~ # ls -l /usr/local/opnsense/service/conf/actions.d | grep dhcp
-rw-r--r--  1 root wheel 1052 Dec 18 14:13 actions_dhcpd.conf
-rw-r--r--  1 root wheel 1090 Dec 18 14:13 actions_dhcpd6.conf

As said - everything worked perfect before the update.

I now installed OPNsense 25.7-amd64 - with NO patch.

Everything works smooth - which from my point of view indicates that something is wrong with the current OPNsense 25.7.10 (amd64) update.

Interestingly - when using a configuration backup I made with OPNsense 25.7.10 (amd64) in OPNsense 25.7-amd64 - the IPv6 issue reappears....

Note:

• igb0 is the WAN interface on my system
• the following is a fresh install - no further settings, except for correct settings for IPv6 on the WAN interface and track interface (0) on the LAN interface
• no Packages are installed in addition

ifconfig igb0 results in on OPNsense 25.7-amd64 (before the update)

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        inet6 fe80::a236:9fff:fea0:7d54%igb0 prefixlen 64 scopeid 0x3
        inet6 2a02:8109:8000:6a::144b prefixlen 128 pltime 86400 vltime 86400
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

ibg0 is configured (right after the update) to OPNsense 25.7.10 (amd64)

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        inet6 fe80::0000:0000:0000:0000%igb0 prefixlen 64 scopeid 0x3
        inet6 2a02:0000:0000:00::144b prefixlen 128 pltime 86400 vltime 86400
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

And without further configuration everything is fine and works.

However, as soon as I restore the full configuration from a backup before the update, a well working configuration though, the following happens:

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: ZONE0_0_WAN_KD (wan)
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 90.187.76.171
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,[b]IFDISABLED[/b],AUTO_LINKLOCAL>

As yo ucan see the IPv6 part of WAN is disabled - with a before well working configuration setting....

Checking the packages (which have been used with this configuration) I had to resolve the missing ones - which I did and I rebooted the system, just in case.

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: ZONE0_0_WAN_KD (wan)
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,[b]IFDISABLED[/b],AUTO_LINKLOCAL>

So it seems, one of the installed packages on my system is in combination with OPNsense 25.7.10-amd64, the problem.

I'll update this here as soon as I found out which...

... and we've two candidates: os-crowdsec and os-maltrail or both.

I am not sure which combination is the problem, however, if I install the one or the other and reboot (without doing any configuration) I come back to the problem as described here. So for my situation, I am happy to not use the one or the other and have a working OPNsense system running :)

Last and least (for now) I want to state: I had both installed and everything worked before the update to OPNsense 25.7.10-amd64.

To find out the plugins, I stripped all PlugIns from the configuration file I had and used it as new configuration for a blank, fully updated, OPNsense 25.7.10-amd64. Then I added step by step all PlugIns I was sure they won't hurt and ended up with these two.

Since I've no time for further testing I've the following findings:

• the ISP got the DHCPv6 requests and delivered the information back to OPNsense - this could be seen in the logfiles and via tcpdump etc...
• it seems dhcp6c never got the result
• Rules for the ports (even unsecure ones) on the WAN interface don't fix this as well
• I am definitely not deep enough into firewalling with OPNsense or FreeBSD to find out the reason for my problem nor to fix it

So I hope someone here hat ideas - and a solution.

[OPNsense 25.7-amd64]

Before I updated to OPNsense 25.7.10 (amd64) everything worked perfect, right after the update and a reboot, the IPv6 problem on the WAN interface appeared on my system as well.. In short words, I get the fixed IPv4 but neither a fixed IPv6 nor my fixed IPv6 /56 network.

I've a fixed IPv6 /56 network and the following settings worked very well before the update, please find my settings in the attached screenshot.

Currently it looks as if the dhcp6c.conf which to my understanding is needed for dhcp6c service isn't existing:

auser@theFirewall:~ # ls -l /usr/local/etc/dhcp6c.conf
ls: /usr/local/etc/dhcp6c.conf: No such file or directory
auser@theFirewall:~ # service dhcp6c onestart
/usr/local/etc/rc.d/dhcp6c: WARNING: /usr/local/etc/dhcp6c.conf is not readable.
/usr/local/etc/rc.d/dhcp6c: WARNING: failed precmd routine for dhcp6c
auser@theFirewall:~ # ps aux | grep dhcp6c
root      824  0.0  0.0  13744    2404  0  S+  00:54    0:00.00 grep dhcp6c
auser@theFirewall:~ # opnsense-version
OPNsense 25.7.10 (amd64)
auser@theFirewall:~ # ls -l /usr/local/opnsense/service/conf/actions.d | grep dhcp
-rw-r--r--  1 root wheel 1052 Dec 18 14:13 actions_dhcpd.conf
-rw-r--r--  1 root wheel 1090 Dec 18 14:13 actions_dhcpd6.conf

As said - everything worked perfect before the update.

I now installed OPNsense 25.7-amd64 - with NO patch.

Everything works smooth - which from my point of view indicates that something is wrong with the current OPNsense 25.7.10 (amd64) update.

Interestingly - when using a configuration backup I made with OPNsense 25.7.10 (amd64) in OPNsense 25.7-amd64 - the IPv6 issue reappears....

Note:

• igb0 is the WAN interface on my system
• the following is a fresh install - no further settings, except for correct settings for IPv6 on the WAN interface and track interface (0) on the LAN interface
• no Packages are installed in addition

ifconfig igb0 results in on OPNsense 25.7-amd64 (before the update)

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        inet6 fe80::a236:9fff:fea0:7d54%igb0 prefixlen 64 scopeid 0x3
        inet6 2a02:8109:8000:6a::144b prefixlen 128 pltime 86400 vltime 86400
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

ibg0 is configured (right after the update) to OPNsense 25.7.10 (amd64)

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        inet6 fe80::0000:0000:0000:0000%igb0 prefixlen 64 scopeid 0x3
        inet6 2a02:0000:0000:00::144b prefixlen 128 pltime 86400 vltime 86400
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

And without further configuration everything is fine and works.

However, as soon as I restore the full configuration from a backup before the update, a well working configuration though, the following happens:

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: ZONE0_0_WAN_KD (wan)
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 90.187.76.171
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,[b]IFDISABLED[/b],AUTO_LINKLOCAL>

As yo ucan see the IPv6 part of WAN is disabled - with a before well working configuration setting....

Checking the packages (which have been used with this configuration) I had to resolve the missing ones - which I did and I rebooted the system, just in case.

Code Select Expand

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: ZONE0_0_WAN_KD (wan)
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 01:23:45:67:89:00
        inet 000.000.000.000 netmask 0xfffffffc broadcast 000.000.000.000
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,[b]IFDISABLED[/b],AUTO_LINKLOCAL>

So it seems, one of the installed packages on my system is in combination with OPNsense 25.7.10-amd64, the problem.

I'll update this here as soon as I found out which...

Before I updated to OPNsense 25.7.10 (amd64) everything worked perfect, right after the update and a reboot, the IPv6 problem on the WAN interface appeared on my system as well.. In short words, I get the fixed IPv4 but neither a fixed IPv6 nor my fixed IPv6 /56 network.

I've a fixed IPv6 /56 network and the following settings worked very well before the update, please find my settings in the attached screenshot.

Currently it looks as if the dhcp6c.conf which to my understanding is needed for dhcp6c service isn't existing:

auser@theFirewall:~ # ls -l /usr/local/etc/dhcp6c.conf
ls: /usr/local/etc/dhcp6c.conf: No such file or directory
auser@theFirewall:~ # service dhcp6c onestart
/usr/local/etc/rc.d/dhcp6c: WARNING: /usr/local/etc/dhcp6c.conf is not readable.
/usr/local/etc/rc.d/dhcp6c: WARNING: failed precmd routine for dhcp6c
auser@theFirewall:~ # ps aux | grep dhcp6c
root      824  0.0  0.0  13744    2404  0  S+  00:54    0:00.00 grep dhcp6c
auser@theFirewall:~ # opnsense-version
OPNsense 25.7.10 (amd64)
auser@theFirewall:~ # ls -l /usr/local/opnsense/service/conf/actions.d | grep dhcp
-rw-r--r--  1 root wheel 1052 Dec 18 14:13 actions_dhcpd.conf
-rw-r--r--  1 root wheel 1090 Dec 18 14:13 actions_dhcpd6.conf

As said - everything worked perfect before the update.

[only]

Actually, the system has only fixed IPs.

However, I haven't yet found out how to make it not acquiring an IPv6 in addition per interface - hence either there is the chance to set this (somewhere) and not in form of an OS configuration which is not saved, or at least from my point of view, the whole "Interface" selection is, in terms of IPv6, buggy.

[Network Interfaces]

If you configure Network Interfaces in Unbound DNS/General to use specific Interfaces and if you are using IPv6, Unbound DNS does not start...

When trying unbound -c /var/unbound/unbound.conf it appears that unbound can't bind (a) IP adress(es)...

The issue is the same as I described it under https://forum.opnsense.org/index.php?topic=33815.msg176314#msg176314. Due to the IPv6 configuration and (correct) protocol behavior and a - as I see it meanwhile bug in the current Interface, the Webconfigurator does, replicable, add a dynamic IPv6 address per interface to the configuration.

If, at reboot for example, the dynamic IPv6 changes (which is in default IPv6 configurations very likely and according to the protocol, wished / accepted), the configuration doesn't... unfortunate that the IP is then not existing on the specified interface and therefore the service can't bind it...

The issue does not appear if you leave Network Interfaces to reply on all interfaces. And again, the drop-down behavior is buggy, it does save 'changes' as described in the linked forum entry above :(

Temporarily work-around:
* fix the configuration file
* don't open the Webconfiguration Page of Unbound DNS

[/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf]

I had the same issue. Indeed I choose only a few interfaces from on Settings/Administration page (/system_advanced_admin.php) at "Listen Interfaces".

I configured my system with IPv4 and IPv6 as fixed IPs for (all) interfaces when possible and using virtual IPs on internal interfaces too, to realize at least one fixed IPv6 for each firewall interface. I haven't had IPv6 protocol behavior in mind if doing so which led to the above problem as I just found out.

What happened is, that the OPNSense interface did configure "/var/etc/lighty-webConfigurator.conf" and here the server sockets to these fixed addresses in IPv4 and IPv6 - and, sadly but correct, added the at the time of configuration given IPv6 address of that interface in addition to the configuration file ::)

If I am asked, I would suggest to at least ask the user, if virtual and or fixed IPs are configured, whether the dynamic IP address should be used as well - or alternatively, change that one each time the interface IP changes or the system reboots... (the first one would be proficient enough if it comes to me ;))

Correct behavior though ugly since from time to time, IPv6 adresses may change, e.g., during a system reboot after an update... Since the then expected IPv6 is not available to the specific interface, (re-)starting the WebGUI fails, it surely must fail.

In my case, I simply removed the entries in question from /var/etc/lighty-webConfigurator.conf, saved it and restarted the WebGUI according to @francos' answer in https://forum.opnsense.org/index.php?topic=9128.0 by using /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf afterwards.

Restarting the WebGUI via command line from /usr/local/etc/rc.restart_webgui
which I found at https://forum.opnsense.org/index.php?topic=1188.03, also by @franco, does work if the webConfigurator configuration file is valid. Same for using root console menu option (11).

As said, the problem by doing it the rc.restart or root console menu option (11) way is, there is, except for Starting web GUI...failed. or alternatively no hint at all :( no further note nor error message. You need either to dig yourself through the log-structures or start it as described above.

One last thing I found during my research and find it at least 'a bit annoying', if it should not be considered a bug is:

• Click on the Settings/Administration page (/system_advanced_admin.php) at "Listen Interfaces" drop-down is enough to change the configuration file, you do not need to change anything, just having a look on the configured stuff
• Independent whether you click Save at the end of the form or don't it saves the 'changes' you made from Listen Interfaces... I would bet that is on other pages the same thing - and it can be extremely frustrating when searching for reasons for issues like the here described.

I find this issue annoying since OPNsense 23.x.y-amd64 and it is still the case for OPNsense 23.7.5-amd64 with today's updates.

Temporarily work-around:
* fix the configuration file
* don't open the Webconfiguration Page of the service

Have you installed IDS plugin?

I had similar issue and noticed plugin wasn't installed.

As to my understanding, Suricata (IDS) is installed by default, except for the et_telemetry.token and the corresponding plugin for telemetry, I didn't also find a way to re-install it. However, as to my understanding from the answer that followed yours, this seems to be a known bug and should be fixed in 20.7.3 according to @mimugmail.

However, I did re-install the telemetry install after your answer here, it however didn't change the behavior.

Even though this is an older error, I do have, with OPNsense version (OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p8-HBSD OpenSSL 1.1.1g 21 Apr 2020), a similar issue, except I do see the rulesets I wish to download, but can't with an error message (see screenshot) that is as worthy as saying nothing: Error reconfiguring IDS, Error (1)...

I do have the same issue - here it is even getting worse thanks to Multi-WAN, which is obviously an additional problem. A backup connection seems not to be part of the concepts in OPNsense if it comes to IPv6 - works however great in IPv4...

When I used pfSense before I decided to go to OPNsense due to its, from my point of view, better security policy when it comes to updates, etc., I was warned that - whysoever - IPv6 is in many cases a problem with OPNsense. And I must say, indeed, it seems to be still a problem.

I tried everything here, also I am in the situation to have different opportunities to test:
* Single WAN with Vodafone Cable in Germany
* Multi-WAN with Vodafone Cable and T-DSL business in Germany
* Single WAN within a Hetzner DC on different system configurations (e.g. HW and SW)
* Multi-WAN with COLT and Telekom (both fibre) in Germany

Where I use Multi-WAN, to figure out the issues, I tried a single-WAN configuration and found that it is more likely to work with Telekom and Colt than with Vodafone Cable. The ladder is due to some configuration obstacles with Vodafone Cable installations. The Single WAN Vodafone Cable works, however meanwhile stable and the Multi-WAN Vodafone Cable is at least steady providing IPv6/56 as well.

As here described, IPv6 works always from the FW itself, except for Hetzner where a number of more configuration things had to happen and some problems between COLT and OPNsense machines, with same HW the things here worked however like a charme with PF as FW system....

The routing of packages from the internal network to external network(s) in IPv6 is like playing Roulette, it works from time to time without clear evidence why, it is independent whether I
* reboot the FW
* restart only the services
* clear all states
* or do all this together  :o

I also tried at all places just Single-WAN, single internal network. This worked with Telekom connections like a charme, multiple internal networks as well. All testes with IPv4/IPv6 lazy networking rule (all allowed).

Exchanging the Telekom connection with any other connection, works in so far from time to time if a reboot isn't happening... a reboot is like 'rien ne va plus' in Roulette... the outcome is as with Roulette, you seldom win.

So I investigated the Telekom connection and tried to figure out whether there are 'significant' differences in the protocols - not at all there is something I could find; which doesn't say anything since I am far, far away from being a networking or firewall expert.

Same configuration works with pfSense as expected; both OPNsense and pfSense where tested with most recent updates, versions etc...

I had such issues with pfSense a year ago, including some security related issues - which where the reason to give OPNsense a chance before going to the 'established' Enterprise stuff, and costs... and security issues,....

So I still hope that OPNsense get's the issue solved.

I am happy to provide any information, configuration etc. needed - even test access for one location for the developers - to finally get the IPv6 issue solved.