Messages

pfSense CE or plus?

It is plus - 24.11.

I will try the patch when I get back on-site.

I see 25.1.3 just came out and has some ICMPv6 neighbour discovery fixes. Fingers crossed this will let me resume migrating :)

Trying to switch a site from pfSense to OPNsense. Fiber ISP sends a /60 when requested. In pfSense the settings were

"send prefix hint /60"
and "do not wait for RA"

This works, assigns an address to WAN and I can track interface on LAN and VLANs and assign /64s out of the /60 the ISP is sending.

Trying to replicate the same thing in OPNsense 25.1.2 I replicated the settings including the DUID but I get nothing on WAN, LAN or any VLANs.

One setting I am unsure about it the "Do not wait for RA". This one I was not able to replicate on OPNsense. Cannot find it. Everything else is the same.

I see dhcp6c logs try to send solicit to some link local address and get no reply:

Code Select Expand

<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6091"] Sending Solicit
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6092"] set client ID (len 20)
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6093"] set identity association
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6094"] set elapsed time (len 2)
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6095"] set option request (len 4)
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6096"] set IA_PD prefix
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6097"] set IA_PD
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6098"] send solicit to ff02::1:2%ixl0
<29>1 2025-03-04T22:56:10+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6099"] reset a timer on ixl0, state=SOLICIT, timeo=1, retrans=2097
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6131"] Sending Solicit
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6132"] set client ID (len 20)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6133"] set identity association
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6134"] set elapsed time (len 2)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6135"] set option request (len 4)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6136"] set IA_PD
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6137"] send solicit to ff02::1:2%igc0
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6138"] reset a timer on igc0, state=SOLICIT, timeo=2, retrans=3927
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6142"] Sending Solicit
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6143"] set client ID (len 20)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6144"] set identity association
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6145"] set elapsed time (len 2)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6146"] set option request (len 4)
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6147"] set IA_PD prefix
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6148"] set IA_PD
<29>1 2025-03-04T22:56:12+00:00 opn434324242.duckdns.com dhcp6c 25585 - [meta sequenceId="6149"] send solicit to ff02::1:2%ixl0

Is there a way to export the raw /var/etc/dhcp6c_wan.conf from pfSense and plug it into OPNsense to test. I am trying to find out what OPNsense 25.1x is doing different vs the legacy product.

Had two test instances on development branch. One was 25.1_b19 and the other was b20.

Set branch to community and let it do its thing. Both rebooted after the update and now reject GUI credentials and SSH keys.

Was I supposed to run another update while still on development branch ? What is the recommended process to get from a 25.1 beta revision to 25.1 release ? Simply toggling the branch definitely did not go well :)

Only encountered this on upgrades from beta. 24.7.12_4 -> 25.1 updates are going well, currently I am 5 over 5 successful updates.

Edit: 25.1.r_38 to 25.1 works fine just toggling to from dev to community branch. It's just the earlier betas that die.

Edit2: I simply reset root password in single user mode and found the system running 24.7.12_4. Ran the updater again and both instances came up on 25.1 successfully. Maybe coming from an early beta broke  something that was needed for "The access management was rewritten in MVC"

Now that I'm seeing this message, I don't know whether to wait for version 24

AFAIK the 23.7 license key will also work for 24.x so there is no need to wait. I just got an additional license checked out and it took 1 minute. Now on 23.7.x business I do not expect the key to die when 24.x business releases.

+1

Using both the dyndns plugin and the acme validation method for RFC2136. It is an important feature to us.

What part of the update process fails for you ?

Mine seems to work. Downloads all, unpacks and installs/reinstalls package but reboots back into 22.1.b_141 and then offers me the update again. Default repo, Development branch.


Package name    Current version    New version    Required action    Repository
packages   22.1.b_141   22.1.b3   upgrade   OPNsense

The port was not changed. The only thing in the hotfix was a little issue in a diagnostics page.

On the topic of diagnostics page: For 21.1.8 the Diagnostics and info pages are blank for me.

Super strange... I checked the

Code Select Expand

/usr/local/etc/tor/torrc

And it is right there as it should be:

Code Select Expand

DirPort 8080

Strange. I update two more Opnsense 21.1.7 -> 21.1.8 and they also stopped publishing DirPort.

I now have 3 out of 4 TOR relays on 21.1.8, one is still on 21.1.7. Settings in OPNsense are:

(see attached)

You can see here the upgraded nodes all stopped publishing DirPort:

(see attached)

I changed settings by changing to a different port number and back to 8080 to try force it to rewrite the config. Also rebooted. No dice. All nodes that upgraded to 21.1.8 lost DirPort.

Edit: Somehow the screenshots I embedded had weird scaling issues. Attached the .png instead

Upgrading from 21.1.7 to 21.1.8 updates the tor plugin. After updating and rebooting I notice that the Directory Port is no longer advertised. Has anyone else seen this today ?

I can see that metrics.torproject.org shows "0" for my directory port. In the config in OpnSense it is set correctly. Did not touch the config. Only change I initiated was 21.1.7 to 21.1.8 update.

And the change to OPNsense is every little trouble worth...

100%. Enjoying it so far. Only thing holding me back is https://github.com/opnsense/plugins/issues/1972 BGP and it is a bit worrying that under "Advanced Options" in places where you could put a configuration blob to overcome UI limitations they state

This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.

But there are things that would break horribly the moment you take away that box, i.e. https://github.com/opnsense/core/issues/2048

Firewall > Settings > Advanced > Disable reply-to [check]

Dude!!! I am up!

The crossover from pfSense to OPNsense is full of pitfalls LOL. Thank you so much!

Why is this a thing though and why only in some environments ? I set up a few OPNsense migrations this month and only now came across this.

Just noticed there is a 21.1.7_1 point release out.

Release notes don't show anything that could be related to my issue but I thought I might get lucky. 

I applied it and although it didn't ask me to I rebooted for good measure. Issue persists.

Hey all,

Super weird. I have installed OPNsense 21.1.7 on bare metal. IPv4 and IPv6 WAN assignments are static /29  and /64. IPv6 gateway is the ::1 of my /64. IPv6 WAN address is the ::2 of my IPv6 prefix.

I.e. WAN address: 2001:DB8:1212:3000::2/64, Gateway address 2001:DB8:1212:3000::1

OPNsense can make outbound connections over IPv6 just fine. But inbound only ICMP works.

For testing, I disabled Block Bogons and Block Private on WAN. Now I made some inbound rules on WAN:

allow ICMP (v4/v6) from any
allow TCP/22, TCP/443 IPv4 from an alias and log it.
allow TCP/22, TCP/443 IPv6 from an alias and log it.

I checked the alias table and it has been populated with the expected IPv6 addresses.

Now when I connect from a whitelisted address to OPNsense over IPv6 on tcp/443 or tcp/22 I can see the firewall logging the allow. But no connectivity can take place.

It just times out.

For testing I took everything out of the equation, no blocking of RFC1918, no blocking of BOGON, and put an allow rule as my very first firewall rule on WAN to allow IPV6 proto any from any.

Not sure how to scale this screenshot for the forum, so have attached the jpg below, too:


Again I can now ping OPNsense but NOT connect ssh or https over IPv6.

As a final measure to see if this is perhaps an upstream issue of sorts I ssh in (via IPv4) and do

Code Select Expand

pfctl -d

At that point IPv6 connections are accepted. I can SSH / https to the box over IPv6! How ? Why ? Whiskey Tango Foxtrot?

Attached a sanitized packet capture where I try to ssh from 2604:aa10:9211:2:68c2:f15e:579d:af88 to the WAN address. It shows the pass rule on WAN is working but then things break when OPNsense is trying to reply.

Gateway status shows up, OPNsense can initiate IPv6 conversations successfully. I do not get it.