1
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: July 09, 2022, 06:42:04 pm »
Any news about this? Do we want to fix this before 22.7?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: June 24, 2022, 07:55:13 pm »
Oh, I just lost whole finished post when trying to send it, because it log me out. I guess we go again, probably shorter version this time and less coherent...
Indeed I can work with snapshots. I didn't know it is such painless to move to dev version. So I moved to 22.7.a_413 (7fdc163bf).
Issue 1. from OP is fixed, enabling interface seems to work as expected.
But there are still issues. Sorry for being chaotic before I wasn't sure how it should work exactly.
Disabling gateway does not adjust routes correctly. To recap I have gif0 device assigned to WANv6 interface that is used as upstream gateway for IPv6.
I will be disabling WANv6 interface which also controls associated gateway.
1. Nominal case, after reboot (WANv6 interface enabled)
As we can see it is not consistent. 1 and 4 is expected. In 2 and 3 case I would expect there are no routes. Traffic is still routed through this gateway while I would expect there is no default route for IPv6. After disabling WANv6 interface firewall rules for this interface does not apply to traffic that is still routed there, but this is side effect. Also note that after reboot in case 3 MTU is set to default 1280, again side effect, because if device is associated to interface while this interface is disabled I would expect no routes created.
I hope I didn't forget anything, let me know if more detailed info is needed.
Thanks,
Kacper
Indeed I can work with snapshots. I didn't know it is such painless to move to dev version. So I moved to 22.7.a_413 (7fdc163bf).
Issue 1. from OP is fixed, enabling interface seems to work as expected.
But there are still issues. Sorry for being chaotic before I wasn't sure how it should work exactly.
Disabling gateway does not adjust routes correctly. To recap I have gif0 device assigned to WANv6 interface that is used as upstream gateway for IPv6.
I will be disabling WANv6 interface which also controls associated gateway.
Code: [Select]
netstat -6rWn | grep gif0$1. Nominal case, after reboot (WANv6 interface enabled)
Code: [Select]
Destination Gateway Flags Nhop# Mtu Netif
default <ipv6> UGS 13 1480 gif0
<ipv6> link#10 UH 10 1480 gif0
fe80::%gif0/64 link#10 U 12 1480 gif02a. After disabling gateway only (no change to 1)Code: [Select]
Destination Gateway Flags Nhop# Mtu Netif
default <ipv6> UGS 13 1480 gif0
<ipv6> link#10 UH 10 1480 gif0
fe80::%gif0/64 link#10 U 12 1480 gif02b. After disabling WANv6 interfaceCode: [Select]
Destination Gateway Flags Nhop# Mtu Netif
default <ipv6> UGS 13 1480 gif0
fe80::%gif0/64 link#10 U 12 1480 gif03. After reboot (WANv6 interface disabled or only gateway disabled)Code: [Select]
Destination Gateway Flags Nhop# Mtu Netif
<ipv6> link#10 UH 9 1280 gif0
fe80::%gif0/64 link#10 U 11 1280 gif04. After enabling WANv6 interfaceCode: [Select]
Destination Gateway Flags Nhop# Mtu Netif
default <ipv6> UGS 11 1480 gif0
<ipv6> link#10 UH 8 1480 gif0
fe80::%gif0/64 link#10 U 10 1480 gif0As we can see it is not consistent. 1 and 4 is expected. In 2 and 3 case I would expect there are no routes. Traffic is still routed through this gateway while I would expect there is no default route for IPv6. After disabling WANv6 interface firewall rules for this interface does not apply to traffic that is still routed there, but this is side effect. Also note that after reboot in case 3 MTU is set to default 1280, again side effect, because if device is associated to interface while this interface is disabled I would expect no routes created.
I hope I didn't forget anything, let me know if more detailed info is needed.
Thanks,
Kacper
3
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: June 23, 2022, 04:28:35 pm »Quote
First we would ideally be able to confirm the fix worksCan I test it without much hassle? Can I do opnsense-patch on them? Not sure they would apply cleanly? You mentioned before that some other changes are required, so probably I need to wait for 22.7?
4
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: June 19, 2022, 04:15:18 pm »As per design devices like GIF are stand-alone. Assignments can be used but are not required. That also means disabling assigned interfaces won't disable devices like you imply.
Ok, back to this then. I would like to understand. You said that "assignments are not required" and "disabling assigned interfaces won't disable devices like you imply"... ok. But in fact I don't care about the device itself. It can be active or not.
Shouldn't disabling gateway or setting it as not upstream remove the default route for this gateway (and therefore not route through GIF)? I don't see how it related to GIF, but disabling assigned interface disables the gateway and at this point why the routes are still there? I don't see how this is by design? How one handle multiple GIF tunnels if associated gateways/interfaces doesn't affect routing? Do you see my point? If not, let me know, I can rephrase my questions.
5
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: June 16, 2022, 02:56:10 pm »
Indeed. If I save from "Interfaces: Other Types: GIF" gateway is enabled, but shows as offline, monitoring is not working (monitor ip is correct), I also need to go to "System: Gateways: Single" and save there also and then it works.
6
22.1 Legacy Series / Re: Disabling GIF tunnel interface doesn't have an effect
« on: June 16, 2022, 02:07:18 pm »So which version it is then?Version: 22.1.8_1
That also means disabling assigned interfaces won't disable devices like you imply.Ok, if it by design like that, you can discard point 1. But still 2. seems like a bug, no?
So, I cannot disable gif tunnel without removing it? I can block traffic in firewall on given interface, but was intuitive for me to just disable it.
7
22.1 Legacy Series / Disabling GIF tunnel interface doesn't have an effect
« on: June 16, 2022, 01:46:16 pm »
Hi,
I have HE Tunnel Broker configured (gif tunnel). I noticed two problems.
1. Disabling interface (assigned to gif tunnel) doesn't have an effect, routes are still there and traffic is routed through this interface. (gateway is disabled and not shown, but still works)
2. Re-enabling interface doesn't work correctly. Gateway is still "disabled" and from GUI there is no way to enable it, it never goes up. I need to reboot to get to valid state.
I want the ability to enable/disable interface, because I don't want to use it all the time. But currently I cannot do that apparently.
Thanks,
Kacper
I have HE Tunnel Broker configured (gif tunnel). I noticed two problems.
1. Disabling interface (assigned to gif tunnel) doesn't have an effect, routes are still there and traffic is routed through this interface. (gateway is disabled and not shown, but still works)
2. Re-enabling interface doesn't work correctly. Gateway is still "disabled" and from GUI there is no way to enable it, it never goes up. I need to reboot to get to valid state.
I want the ability to enable/disable interface, because I don't want to use it all the time. But currently I cannot do that apparently.
Thanks,
Kacper
8
22.1 Legacy Series / Firewall logging and the size
« on: April 04, 2022, 05:02:06 pm »
Hi,
All traffic is logged as
It makes logs huge and after a while, when `/var` is full, I need to restart machine, because opnsense is basically hung at this point.
It seems quite strange and inconvenient to have all traffic logged and since it is default rule I cannot disable logging for it. I workaround the issue of hanging with limiting logs to 3 days, but still it is a problem to unnecessary log everything without ability to disable the logs without hacks.
Is is really intended default behavior? Maybe it is the VLANs? What are you doing to mitigate this log spam?
Thanks,
Kacper
All traffic is logged as
Code: [Select]
let out anything from firewall host itself after NAT.It makes logs huge and after a while, when `/var` is full, I need to restart machine, because opnsense is basically hung at this point.
It seems quite strange and inconvenient to have all traffic logged and since it is default rule I cannot disable logging for it. I workaround the issue of hanging with limiting logs to 3 days, but still it is a problem to unnecessary log everything without ability to disable the logs without hacks.
Is is really intended default behavior? Maybe it is the VLANs? What are you doing to mitigate this log spam?
Thanks,
Kacper
9
22.1 Legacy Series / Re: Slow download thoughput from WAN on ESXi 7.0 after update to 22.1, upload OK
« on: February 04, 2022, 02:13:57 am »
Related to ESXi and VMX driver. Tunables like
You can read here what values are expected for this override. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237166
This apply to all hw.vmx tunables that you might have had before.
I still have higher CPU usage and as a result reduces throughput, but didn't manage to find the culprit yet.
Code: [Select]
hw.vmx.txndesc
hw.vmx.rxndesc doesn't work anymore. Need to set it up per device Code: [Select]
dev.vmx.0.iflib.override_nrxds
dev.vmx.0.iflib.override_ntxdsYou can read here what values are expected for this override. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237166
This apply to all hw.vmx tunables that you might have had before.
I still have higher CPU usage and as a result reduces throughput, but didn't manage to find the culprit yet.
10
21.1 Legacy Series / Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
« on: July 19, 2021, 12:46:14 am »
Thanks guys for suggestions, but it turns out my ISP on mobile is a culprit. Actually it was working perfectly some time ago, but with pfsense, I made a switch to opnsense and it stopped working, so I assumed this is the problem. But it turns out in the same time my mobile ISP changed something on their end. I didn't have time to diagnose it further, but basically looks like the traffic is filtered...
11
21.1 Legacy Series / WireGuard doesn't work over HE IPv6 Tunnel Broker
« on: July 09, 2021, 08:30:19 pm »
Hi,
I have fairly simple setup, but cannot make WireGuard work over IPv6.
Interfaces:
WAN: My ISP provided IPv4
WANv6: HE IPv6 Tunnel Broker
WG: WireGuard
Now when I use IPv4 endpoint on client peer it works flawlessly. But when I use IPv6 it doesn't work. Handshake packets come through from client as I see peer IPv6 address on opnsense and I see both TX/RX traffic. But on client peer I see only TX, never got any packet back. Looks like WG server responses are lost.
Any idea how to diagnose/resolve this?
Thanks,
Kacper
I have fairly simple setup, but cannot make WireGuard work over IPv6.
Interfaces:
WAN: My ISP provided IPv4
WANv6: HE IPv6 Tunnel Broker
WG: WireGuard
Now when I use IPv4 endpoint on client peer it works flawlessly. But when I use IPv6 it doesn't work. Handshake packets come through from client as I see peer IPv6 address on opnsense and I see both TX/RX traffic. But on client peer I see only TX, never got any packet back. Looks like WG server responses are lost.
Any idea how to diagnose/resolve this?
Thanks,
Kacper
Pages: [1]