Messages - Noci

#1
Last week I found out there was ONE "gateway" entry having the wrong interface.
This might have caused the issue with the newer kernel.
Apparently this error wasn't seen before.

Although there was an error in the gateway, it still did work in the correct direction. ???
#2
Public/private keys should be unique to each device communicating using a single WireGuard instance. (You can have multiple instances, aka wg interfaces.)
The public/private key is the identifier for a configuration.

The tunnel endpoint (server side) should be a known address, also .0 (the Me address on a network) should not be used as an address.

After this, start an endpoint and see if traffic arrives on the firewall, and go from there.
#3
I am seeing similar issues:
can't allocate llinfo for <IP on VLAN020> on vlan06..

(pppoe on ) vlan06, vlan04 are all on one interface, DMZ and others are on a lagg0 on 2 different interfaces.

pings to the IP address do succeed.
bouncing vlan60 makes no difference, bouncing vlan20 neither

(Current kernel as of dec. 25)
#4
System was rebooted after upgrade. Apparently, if mDNS-repeater is started before IGMP-proxy, IGMP-proxy fails this way.
If IGMP-proxy is started first, then it does work as advertised.
#5
Recently (probably after latest December update) IGMP traffic stopped working.
Is there again any solution?
AFAIK the rules have been set up as pointed out in various documentation on the PF firewall.

IPTV now stays black, "play error" only on live streams.  (OTT traffic still works).


Router/Network:
Setup: VLAN 4 = Entry point for Multicast traffic (=Upstream) DHCP interface.
       VLAN 12 = TVLAN : STB is connected here (=Downstream)
       (WAN is interface for OTT)...
       [ Other VLANS exist, not relevant for Mcast ].

IGMP:
For upstream the 100.64.0.0/20 address block is used. This is mentioned in the upstream block.
For downstream the 192.168.TVLAN.0/24 is used, STB requests DHCP address.

Firewall:
Floating rule:
    Interface    VLAN04, VLAN012
    Protocol:    IPv4 IGMP
    Source:      any
    Destination: any
    Direction:   in
    Options:     allow all
    Verdict:     pass
Floating rule:
    Interface    VLAN04, VLAN012
    Protocol:    IPv4 IGMP
    Source:      any
    Destination: any
    Direction:   out
    Options:     allow all
    Verdict:     pass
Floating rule:
    Interface    VLAN04, VLAN012
    Protocol:    IPv4 IGMP
    Source:      This Firewall
    Destination: any
    Direction:   out
    Options:     allow all
    Verdict:     pass
(+ similar for MC packets )

# pfctl -s rules |grep igmp |  grep vlan04
pass out quick on vlan04 inet proto igmp from (self) to any no state allow-opts label "94c660efceff2ab83dc70703cb0c9a75"
pass in quick on vlan04 inet proto igmp all no state allow-opts label "814db0b05f4e6b06d600a2090c22024e"
pass in quick on vlan04 inet proto igmp from any to (self) no state allow-opts label "ed02681de5b1e6111e114f5c4314b46e"
# pfctl -s rules |grep igmp |  grep vlan012
pass out quick on vlan012 inet proto igmp from (self) to any no state allow-opts label "94c660efceff2ab83dc70703cb0c9a75"
pass in quick on vlan012 inet proto igmp all no state allow-opts label "814db0b05f4e6b06d600a2090c22024e"
pass in quick on vlan012 inet proto igmp from any to (self) no state allow-opts label "ed02681de5b1e6111e114f5c4314b46e"

When running:

# igmpproxy -n -vv -d /usr/local/etc/igmpproxy.conf

The following shows:

sendto to 224.0.0.1 on 192.168.TVLAN.1; Errno(13): Permission denied
SENT Membership query   from 192.168.TVLAN.1     to 224.0.0.1
Sent membership query from 192.168.TVLAN.1 to 224.0.0.1. Delay: 10
Created timeout 721 (#0) - delay 10 secs
(Id:721, Time:10)
Created timeout 722 (#1) - delay 115 secs
(Id:721, Time:10)
(Id:722, Time:115)
RECV Membership query   from 192.168.TVLAN.1     to 224.0.0.1
RECV V2 member report   from 192.168.TVLAN.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.TVLAN.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.

# About to call timeout 721 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------

Most recent update was installed somewhere last week.
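An added example, not from the post or from OPNsense's own tooling: a small checker that parses `pfctl -s rules` output like the lines quoted above and reports, per interface, whether IGMP has pass rules in both directions and whether those rules carry allow-opts. The check matters because pf drops IPv4 packets that carry IP options unless the matching pass rule says allow-opts, and IGMP messages carry the Router Alert option. The sample rule text and its labels are constructed, not taken from a live system.

```python
import re

# Constructed sample modelled on the pfctl output in the post; labels are placeholders.
# The last vlan012 line deliberately omits allow-opts to show what the check reports.
SAMPLE_RULES = """\
pass out quick on vlan04 inet proto igmp from (self) to any no state allow-opts label "LABEL-A"
pass in quick on vlan04 inet proto igmp all no state allow-opts label "LABEL-B"
pass in quick on vlan04 inet proto igmp from any to (self) no state allow-opts label "LABEL-C"
pass out quick on vlan012 inet proto igmp from (self) to any no state allow-opts label "LABEL-A"
pass in quick on vlan012 inet proto igmp all no state label "LABEL-B"
"""

# Matches the subset of pf rule syntax seen in `pfctl -s rules` for interface-bound rules.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)"
    r"\s+inet\s+proto\s+(?P<proto>\S+)\b(?P<rest>.*)$"
)


def parse_rules(text):
    """Parse pfctl rule lines into dicts; lines that do not match the pattern are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["allow_opts"] = "allow-opts" in rule["rest"]
            rules.append(rule)
    return rules


def check_igmp(rules, interfaces):
    """Return {iface: [problem, ...]}; an empty list means both directions are covered."""
    report = {}
    for iface in interfaces:
        issues = []
        for direction in ("in", "out"):
            matching = [r for r in rules
                        if r["iface"] == iface and r["proto"] == "igmp"
                        and r["dir"] == direction and r["action"] == "pass"]
            if not matching:
                issues.append(f"no pass rule for igmp {direction}")
            elif not any(r["allow_opts"] for r in matching):
                issues.append(f"igmp {direction} pass rule(s) lack allow-opts")
        report[iface] = issues
    return report


if __name__ == "__main__":
    for iface, issues in check_igmp(parse_rules(SAMPLE_RULES), ["vlan04", "vlan012"]).items():
        print(iface, "OK" if not issues else "; ".join(issues))
```

On a real box, feed it `pfctl -s rules` output piped from the firewall instead of the constructed sample.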
#6
Afterthought: after seeing no movement on this issue after a week, I gave up on it (OPNsense) then.
As there was no alternative for what I had then.

Looking into OpnSense again, this issue is closed.
#7
23.1 Legacy Series / DHCP6 failure on hostname....
March 20, 2023, 06:32:11 PM
Using dhcpv6 with the hostname "code" fails with the following message...

/status_services.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid vlan013 vlan010 vlan012 vlan011 vlan014' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.3-P1 Copyright 2004-2022 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 75: option definitions may not be scoped. option host-name code; ^ Configuration file errors encountered -- exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'

Changing the hostname to 'codex' or 'cod' makes it restart.... except the node is named 'code'.
That isn't a problem in the dhcpd where the config derives from. Only hostnames are in "-terminated strings in that config.
This doesn't work in OPNsense, as " are illegal in the hostname.
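An added example, not from the post or from OPNsense's own config generator: a minimal renderer for the `option host-name` statement that always emits the value as a quoted dhcpd string, so a hostname that happens to be a dhcpd keyword (like "code") is not parsed as the start of an option definition, and that validates the hostname against RFC 1123 label rules first (which already excludes `"`). The declaration name, DUID and address in `host_block` are constructed sample values.

```python
import re

# RFC 1123 host label: letters, digits and hyphens, 1..63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if every dot-separated label of `name` is a valid RFC 1123 label."""
    return bool(name) and all(LABEL_RE.match(label) for label in name.split("."))


def host_name_option(name):
    """Render `option host-name "<name>";` for dhcpd, refusing anything that is not a hostname."""
    if not valid_hostname(name):
        raise ValueError(f"invalid hostname: {name!r}")
    # Quoting is what keeps dhcpd from reading `option host-name code;`
    # as an option *definition* (the error the post quotes).
    return f'option host-name "{name}";'


def host_block(decl_name, hostname, duid, addr6):
    """Render a dhcpdv6 host reservation; decl_name is the declaration label, not the hostname."""
    return "\n".join([
        f"host {decl_name} {{",
        f"    host-identifier option dhcp6.client-id {duid};",
        f"    fixed-address6 {addr6};",
        f"    {host_name_option(hostname)}",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample DUID and address; "code" is the hostname from the post.
    print(host_block("s_vlan012_0", "code", "00:01:00:01:aa:bb:cc:dd:ee:ff:00:11:22:33", "2001:db8::10"))
```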
#8
I am exploring what suits my needs, and IDS (suricata) just doesn't work...

When logging on to the command line, running suricata tells that libnetmap.so.5 is missing.
Also there seems to be no libnetmap library available to install.

This was a fresh install from ISO + update.

opnsense is 21.7.6
suricata is 6.0.4

root@OPNsense:~ # suricata
ld-elf.so.1: Shared object "libnetmap.so.5" not found, required by "suricata"