Messages - wbk

#1
Did both of you get in this situation after upgrading from 22.x to 23.x?

For me, that upgrade got IPv6 totally (and for me, unfixable) upset.

After installing 23.x from a clean slate, basic IPv6 works immediately. No problems with the GUI either. What does not work for me: static DHCP6 leases (with recreating the rest of the configuration still a work in progress).
#2
Hi Berserker, thanks for being patient with my not so helpful suggestions, glad you got it solved! Would you consider adding 'Solved' or any indicator to your topic title, to help others?
#3
Seeing your account has been registered for a while, I expect your installation is an upgrade of previous versions to 23.x.

My IPv6 got totally upset between 22.x and 23.x. After weeks of trial and error in restoring connectivity, I took the plunge and started over with a clean install of 23.1 and got basic IPv6 working in an instant. If I were in your situation now, I would boot a live install and configure IPv6 to exclude any traces of migrations from previous versions; then make a plan depending on the outcome of that test.
#4
23.1 Legacy Series / Re: IPSec / strongswan errors
March 20, 2023, 05:28:01 PM
Could there be an incorrect comment in one of the configuration files? Using % instead of a semicolon or # for example, or a missing quote for "any' rule in a literal option?

Is "ANY" private key a key you named yourself?
#5
My line of thought was: see if it works 'the OPNsense way'; if it does, see what the difference in output is compared to the manual configuration. If it also does not, no idea. Breakage in FreeBSD seems far fetched.
#6
Checking things, it might be easier than that.

I went that way, because I wanted WoL. I can give a description for an interface/ARP pair, but not an IP.

You want a static ARP/IP entry. Did you notice you can tick a box for that when you create a static DHCP lease? Perhaps if you start there and are successful, you can go from there to troubleshoot the ARP entry in case you don't need/want the DHCP entry.

#7
Hi Thor,

The bits that you show are quite regular log entries.

One thing that caught my attention was that these requests flow over em1, which _usually_ is configured as the WAN interface, but you are free to use it as your LAN interface.

Your devices receive their normal IPs in the 192.168.23.* range? Then all seems normal!
#8
Hi Berserker,

Did you try adding a static ARP entry via the GUI? There is the 'Wake on LAN' plugin that allows you to set static ARP entries.
#9
Hi whatever,

Quote from: whatever on March 19, 2023, 11:18:55 PM
Here's the screenshot. The thing is, I understand how cron works. And my cron job should be running every minute but it runs every 6 minutes instead - that's what I don't get.

Any ideas as to why it runs every 6 minutes instead of every minute?

I created your rule on my system and checked /etc/crontab to see if it got mangled in one way or another, but it is not added there.
Then there is /etc/cron.d/at, which executes /usr/libexec/atrun every 5 minutes.

My first guess would be that GUI-configured cron does not end up in regular cron jobs, and that atrun runs the jobs from the GUI. I mostly speculate this, because that would match your observation of 6 minutes, which could be 5 minutes for atrun, + 1 minute for the GUI-configured interval.

The documentation does not make it clear to me where the configured jobs are saved and how they are executed, see https://docs.opnsense.org/manual/settingsmenu.html#cron
#10
Hi, whatever,

Instead of letting people guess what you actually did by giving a description, why not give details/copypaste/screenshot of the actual cron line? :-P

Where did you configure it?

I think what you want is only */1 for the minute field, no list. Try https://cron.help/#*/1_*_*_*_* for an interactive explanation!
#11
Quote from: kreilinger on March 19, 2023, 04:08:37 PM
If the traffic originates from my local network, the traffic matches the correct firewall rule that has the IPv6 tunnel gateway set and followup traffic gets correctly routed back to its original source.

Can you see that happening when you follow the firewall log?

I have the luxury of both native (for lack of a better word; my ISP furnishes me with both) IPv4 and IPv6 on my connection, but I lack fluency in BSD. My routes for IPv4 and IPv6 seem, respectively:

# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            lo0-3.bras1.fi001. UGS      pppoe0
osba.nl            link#8             UHS         lo0
localhost          link#3             UH          lo0
172.26.0.0/16      link#1             U           em0
vpoort             link#1             UHS         lo0
dns1.freedom.nl    lo0-3.bras1.fi001. UGHS     pppoe0
lo0-3.bras1.fi001. link#8             UH       pppoe0
dns2.freedom.nl    lo0-3.bras1.fi001. UGHS     pppoe0

Internet6:
Destination        Gateway            Flags     Netif Expire
default            fe80::6a22:8eff:fe UGS      pppoe0
localhost          link#3             UHS         lo0
dns1.freedom.nl    fe80::6a22:8eff:fe UGHS     pppoe0
dns2.freedom.nl    fe80::6a22:8eff:fe UGHS     pppoe0
2d49-3781-2a10.con localhost          UGSB        lo0
2a10-3781-2d49.con link#1             U           em0
vpoort             link#1             UHS         lo0
fe80::%em0/64      link#1             U           em0
fe80::6c34:c2ff:fe link#1             UHS         lo0
fe80::%lo0/64      link#3             U           lo0
fe80::1%lo0        link#3             UHS         lo0
fe80::%pppoe0/64   link#8             U        pppoe0
fe80::4003:eb6:a62 link#8             UHS         lo0
fe80::6c34:c2ff:fe link#8             UHS         lo0



In the above:

  • em0 is my LAN
  • pppoe0 is my IPv4 connection through vlan6 on em1
  • IPv6 probably uses IPv4 connectivity (through pppoe0), but things break when I tick the box 'use IPv4 connectivity' in the IPv6 configuration

I'd expected some metric listed here, as does ip route in Linux, but these things work just a bit differently. The metric on pppoe0 is 0:
# ifconfig  pppoe0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WANpoort (wan)
        inet6 fe80::4003:eb6:a62:d503%pppoe0 prefixlen 64 scopeid 0x8
        inet6 fe80::6c34:c2ff:feb8:147c%pppoe0 prefixlen 64 scopeid 0x8
        inet 45.138.52.95 --> 185.93.175.233 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


For Linux the most specific route with the lowest metric has priority. I'd imagine the same goes for FreeBSD.

I have no guess why outgoing traffic that originates in your LAN can find its way out of the IPv6 tunnel, while replies to traffic outside of your LAN try to get out of your regular connection.
#12
On closer inspection, I notice a difference between the DUID in the screenshot of the static lease configuration, and the DUID that is announced in the log:

00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7
00:01:00:01:27:c1:02:55:20:08:cc:b0:a8:b7

Peculiar, because I used the +button on the dynamic lease to create the static lease in the first place.

I now updated the static lease configuration, and tried again, with no success:




<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="503"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="504"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="505"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="506"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="507"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="508"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="509"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="510"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="511"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="512"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x8CD54000
<191>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="513"] Picking pool address 2a10:3781:2d49:172:26:90:0:2962
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="514"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:2962 to client with duid 00:01:00:01:27:c1:02:55:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="515"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="516"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="517"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="518"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="519"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="520"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="521"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:15+01:00 vpoort.osba.nl dhcpd 86487 - [meta sequenceId="522"] DHCPREQUEST for 172.26.79.111 from 1c:cc:d6:41:b7:8b via em0
<190>1 2023-03-19T21:43:15+01:00 vpoort.osba.nl dhcpd 86487 - [meta sequenceId="523"] DHCPACK on 172.26.79.111 to 1c:cc:d6:41:b7:8b via em0
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="524"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="525"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="526"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="527"] Solicit message from fe80::f465:9aff:fee0:18e9 port 546, transaction ID 0x7728B000
<191>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="528"] Picking pool address 2a10:3781:2d49:172:26:90:0:a9ef
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="529"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:a9ef to client with duid 00:01:00:01:26:ff:cd:f9:f6:65:9a:e0:18:e9 iaid = -1696589591 valid for 7200 seconds
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="530"] Sending Advertise to fe80::f465:9aff:fee0:18e9 port 546



Log records and forum viewers are not a fortunate couple, sorry for that. There is a number of times a solicit message from the updated DUID, followed by an advertisement, and *one* solicit from the incorrect DUID, followed by an advertisement.

The client just hangs on the dhclient -6 command, and searching the leases overview above for the part of the string that is identical (namely, the MAC of the client) only reveals the one static, inactive, assignment.

I have no clue what causes this behaviour, any idea?
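
A check for the symptom described in this post, as an added example that is not part of the original post: it groups the DUIDs seen in dhcpd "Advertise NA" lines by the link-layer address embedded in a DUID-LLT and reports clients that present more than one DUID, with the kind of lease each DUID was offered. The function names are this example's own, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Matches the ISC dhcpd DHCPv6 "Advertise NA" lines shown in the log above.
ADVERTISE = re.compile(
    r"Advertise NA: address (?P<addr>\S+) to client with duid (?P<duid>[0-9a-f:]+)"
    r" iaid = (?P<iaid>-?\d+) (?P<kind>static|valid for \d+ seconds)"
)

# Three lines copied from the log above (one static offer, two pool offers).
SAMPLE_LOG = (
    '<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="504"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static',
    '<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="514"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:2962 to client with duid 00:01:00:01:27:c1:02:55:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds',
    '<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="529"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:a9ef to client with duid 00:01:00:01:26:ff:cd:f9:f6:65:9a:e0:18:e9 iaid = -1696589591 valid for 7200 seconds',
)


def parse_duid_llt(duid):
    """Split a DUID-LLT (type 1) into (time, link-layer address).

    Layout: 2 bytes DUID type, 2 bytes hardware type, 4 bytes time
    (seconds since 2000-01-01 UTC), then the link-layer address.
    Returns None for any other DUID type, which carries no time field.
    """
    octets = bytes(int(part, 16) for part in duid.split(":"))
    if len(octets) < 9 or octets[0:2] != b"\x00\x01":
        return None
    time = int.from_bytes(octets[4:8], "big")
    mac = ":".join(f"{b:02x}" for b in octets[8:])
    return time, mac


def duids_by_mac(lines):
    """Map link-layer address -> {duid: set of lease kinds offered to it}."""
    seen = defaultdict(dict)
    for line in lines:
        m = ADVERTISE.search(line)
        if not m:
            continue
        parsed = parse_duid_llt(m["duid"])
        if parsed is None:
            continue
        kind = "static" if m["kind"] == "static" else "pool"
        seen[parsed[1]].setdefault(m["duid"], set()).add(kind)
    return dict(seen)


def conflicting_clients(lines):
    """Clients whose link-layer address appears under more than one DUID."""
    return {mac: d for mac, d in duids_by_mac(lines).items() if len(d) > 1}


if __name__ == "__main__":
    for mac, duids in conflicting_clients(SAMPLE_LOG).items():
        for duid, kinds in duids.items():
            print(mac, duid, sorted(kinds), "time =", parse_duid_llt(duid)[0])
```

On the sample lines this reports only 20:08:cc:b0:a8:b7: the two DUIDs share the link-layer address and differ only in the 4-byte time field.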
#13
Quote from: YipieKaie on March 19, 2023, 03:12:58 PM
You also have to set a range in >SERVICES: DHCPV6: [LAN]
that is in your subnet range

Thanks for the added pointer; DHCP6 works for dynamic assignments within the DHCP6-range:


It is the static leases that fail. Here is an example of such a static assignment; note the MAC address that is visible in the logging below on the second line from below, for hostname 'test':




Now when I dhclient -6 the client side, it just hangs in the terminal.



root@test:~# hostname -I
172.26.3.107
root@test:~# dhclient
root@test:~# hostname -I
172.26.3.107
root@test:~# dhclient -6
^C
root@test:~# ip a |grep ether
    link/ether 20:08:cc:b0:a8:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
root@test:~# dhclient -6

(nothing for 10+ minutes)



At first there is a bit of activity in tail -f /var/log/dhcp/latest.log on OPNsense (this is from the last command, not the two previous 'dhclient' commands in the box above):


<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="83"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="84"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="85"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="86"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="87"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="88"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="89"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="90"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="91"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="92"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="93"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="94"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="95"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="96"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="97"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="98"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546


This behaviour is different than in my opening post (where there would be two simultaneous DHCP6 advertisements, one correct followed by one bad). Two things are particular now:

  • A pool address is advertised, instead of the static lease
  • The client does not accept the lease

By the way, I configured my OPNsense following your screenshots, except for one: " DHCP Static Mappings    v Register DHCP static mappings
If this option is set, then DHCP static mappings will be registered in Unbound, so that their name can be resolved. You should also set the domain in System: General setup to the proper value. "

If I understand correctly, this option is part of the reason for me to jump through these hoops in the first place.
#14
Hi Peter,

Thank you for reading and replying :-)

Let me match my config to your screenshots and test a bit before I post back!
#15
23.1 Legacy Series / Re: Unbound memory usage high?
March 19, 2023, 02:56:15 PM
Great! :-)

Consider editing the topic title to include 'solved', or something, so others can skip it or find it in case they have a similar problem!