Messages

Any news about this? Do we want to fix this before 22.7?

Oh, I just lost whole finished post when trying to send it, because it log me out. I guess we go again, probably shorter version this time and less coherent...

Indeed I can work with snapshots. I didn't know it is such painless to move to dev version. So I moved to 22.7.a_413 (7fdc163bf).

Issue 1. from OP is fixed, enabling interface seems to work as expected.

But there are still issues. Sorry for being chaotic before I wasn't sure how it should work exactly.

Disabling gateway does not adjust routes correctly. To recap I have gif0 device assigned to WANv6 interface that is used as upstream gateway for IPv6.

I will be disabling WANv6 interface which also controls associated gateway.

Code Select Expand

netstat -6rWn | grep gif0$

1. Nominal case, after reboot (WANv6 interface enabled)

Code Select Expand

Destination                       Gateway                       Flags   Nhop#    Mtu    Netif
default                           <ipv6>                        UGS        13   1480     gif0
<ipv6>                            link#10                       UH         10   1480     gif0
fe80::%gif0/64                    link#10                       U          12   1480     gif0
2a. After disabling gateway only (no change to 1)

Code Select Expand

Destination                       Gateway                       Flags   Nhop#    Mtu    Netif
default                           <ipv6>                        UGS        13   1480     gif0
<ipv6>                            link#10                       UH         10   1480     gif0
fe80::%gif0/64                    link#10                       U          12   1480     gif0
2b. After disabling WANv6 interface

Code Select Expand

Destination                       Gateway                       Flags   Nhop#    Mtu    Netif
default                           <ipv6>                        UGS        13   1480     gif0
fe80::%gif0/64                    link#10                       U          12   1480     gif0
3. After reboot (WANv6 interface disabled or only gateway disabled)

Code Select Expand

Destination                       Gateway                       Flags   Nhop#    Mtu    Netif
<ipv6>                            link#10                       UH          9   1280     gif0
fe80::%gif0/64                    link#10                       U          11   1280     gif0
4. After enabling WANv6 interface

Code Select Expand

Destination                       Gateway                       Flags   Nhop#    Mtu    Netif
default                           <ipv6>                        UGS        11   1480     gif0
<ipv6>                            link#10                       UH          8   1480     gif0
fe80::%gif0/64                    link#10                       U          10   1480     gif0

As we can see it is not consistent. 1 and 4 is expected. In 2 and 3 case I would expect there are no routes. Traffic is still routed through this gateway while I would expect there is no default route for IPv6. After disabling WANv6 interface firewall rules for this interface does not apply to traffic that is still routed there, but this is side effect. Also note that after reboot in case 3 MTU is set to default 1280, again side effect, because if device is associated to interface while this interface is disabled I would expect no routes created.

I hope I didn't forget anything, let me know if more detailed info is needed.

Thanks,
Kacper

First we would ideally be able to confirm the fix works

Can I test it without much hassle? Can I do opnsense-patch on them? Not sure they would apply cleanly? You mentioned before that some other changes are required, so probably I need to wait for 22.7?

As per design devices like GIF are stand-alone. Assignments can be used but are not required. That also means disabling assigned interfaces won't disable devices like you imply.

Ok, back to this then. I would like to understand. You said that "assignments are not required" and "disabling assigned interfaces won't disable devices like you imply"... ok. But in fact I don't care about the device itself. It can be active or not.

Shouldn't disabling gateway or setting it as not upstream remove the default route for this gateway (and therefore not route through GIF)? I don't see how it related to GIF, but disabling assigned interface disables the gateway and at this point why the routes are still there? I don't see how this is by design? How one handle multiple GIF tunnels if associated gateways/interfaces doesn't affect routing? Do you see my point? If not, let me know, I can rephrase my questions.

Indeed. If I save from "Interfaces: Other Types: GIF" gateway is enabled, but shows as offline, monitoring is not working (monitor ip is correct), I also need to go to "System: Gateways: Single" and save there also and then it works.

So which version it is then?

Version: 22.1.8_1

That also means disabling assigned interfaces won't disable devices like you imply.

Ok, if it by design like that, you can discard point 1. But still 2. seems like a bug, no?

So, I cannot disable gif tunnel without removing it? I can block traffic in firewall on given interface, but was intuitive for me to just disable it.

Hi,

I have HE Tunnel Broker configured (gif tunnel). I noticed two problems.

1. Disabling interface (assigned to gif tunnel) doesn't have an effect, routes are still there and traffic is routed through this interface. (gateway is disabled and not shown, but still works)
2. Re-enabling interface doesn't work correctly. Gateway is still "disabled" and from GUI there is no way to enable it, it never goes up. I need to reboot to get to valid state.

I want the ability to enable/disable interface, because I don't want to use it all the time. But currently I cannot do that apparently.

Thanks,
Kacper

Hi,

All traffic is logged as

Code Select Expand

let out anything from firewall host itself after NAT.

It makes logs huge and after a while, when `/var` is full, I need to restart machine, because opnsense is basically hung at this point. 

It seems quite strange and inconvenient to have all traffic logged and since it is default rule I cannot disable logging for it. I workaround the issue of hanging with limiting logs to 3 days, but still it is a problem to unnecessary log everything without ability to disable the logs without hacks.

Is is really intended default behavior? Maybe it is the VLANs? What are you doing to mitigate this log spam?

Thanks,
Kacper

Related to ESXi and VMX driver. Tunables like

Code Select Expand

hw.vmx.txndesc
hw.vmx.rxndesc doesn't work anymore. Need to set it up per device

Code Select Expand

dev.vmx.0.iflib.override_nrxds
dev.vmx.0.iflib.override_ntxds

You can read here what values are expected for this override. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237166

This apply to all hw.vmx tunables that you might have had before.

I still have higher CPU usage and as a result reduces throughput, but didn't manage to find the culprit yet.

Thanks guys for suggestions, but it turns out my ISP on mobile is a culprit. Actually it was working perfectly some time ago, but with pfsense, I made a switch to opnsense and it stopped working, so I assumed this is the problem. But it turns out in the same time my mobile ISP changed something on their end. I didn't have time to diagnose it further, but basically looks like the traffic is filtered...

Hi,

I have fairly simple setup, but cannot make WireGuard work over IPv6.

Interfaces:
WAN: My ISP provided IPv4
WANv6: HE IPv6 Tunnel Broker
WG: WireGuard

Now when I use IPv4 endpoint on client peer it works flawlessly. But when I use IPv6 it doesn't work. Handshake packets come through from client as I see peer IPv6 address on opnsense and I see both TX/RX traffic. But on client peer I see only TX, never got any packet back. Looks like WG server responses are lost.

Any idea how to diagnose/resolve this?

Thanks,
Kacper