Messages - dfw3xam1n3r

#1
Anecdotally after the most recent update, WireGuard seems to be having issues after a reboot of OPNsense now. WG clients aren't able to connect, I restart the WG service, and they're able to connect again. Easy to mitigate, but it's very manual intervention, and not sure why it started happening. Just thought I'd mention it.
#2
Quote from: matt335672 on July 08, 2024, 04:48:32 PM
I've tracked down what is happening on my simple setup (address only, no prefix) and created a PR for discussion:-

https://github.com/opnsense/dhcp6c/pull/36

Wondering if my situation over the past couple of weeks could be related, this was working before:

1. WAN pulls IPv6 fine via DHCPv6 client.
2. LAN has a static IPv6 address. Clients pull an IPv6 address via routing advertisement (managed mode) and DHCPv6 server (so I can control the address they receive). This stopped working though I noticed one day on my phone when I saw it didn't pull an IPv6 address.
3. So I dropped back versions of dhcpv6c and opnsense proper (24.1.8) as stated in the thread. This only allowed me to serve out clients via unmanaged routing advertisements and not via the DHCPv6 server I have running.

So with that background, the question is does anyone think this issue would affect the ability to use the DHCPv6 server to serve out static-mapped addresses with routing advertisements set to managed (not working) instead of unmanaged (working) as it is now?
#3
Thanks for the quick reply! That was definitely it.
#4
Upgraded to 24.1_1, cannot ping out to the internet now. Not sure what changed.

Pinging from OPNsense command line:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host

Has anyone else seen this?

I have stopped suricata, zenarmor, crowdsec, and nothing seems to help.
#5
Upgraded yesterday and I must say: superb job! I've been up almost 24 hours and it's smooth sailing so far.
#6
Yeah I updated mid-typing.
#7
Update: whatever was fixed regarding IPv6, DHCPv6 and delegated prefixes in the 23.1.8 update seems to have resolved my IPv6 dropping issues. I rebooted afterward and at the very least, so far, have not had to touch it. It just works. ;D
#8
Understood.

Question on ZenArmor config: Do I need to use the Emulated driver for this or can I use Native?
#9
Ohhh. Geez man, I'm slow. Hmm, well I'm wondering then why I'm still getting these drop issues when I switch ZenArmor out of monitoring-only mode. :\ Oh well, thanks for the help.
#10
Quote from: franco on April 17, 2023, 06:00:05 PM
We are looking for internal approval between participating parties on the last published state for 23.1.6. Overall it looks like we are better off with the patches than without and we likely won't get broader feedback otherwise. If not I expect 23.1.7 to have it in a few weeks.

Based on this comment, I was thinking the patches for netmap issues were going to be a part of the 23.1.7 release. Guess that's not the case.
#11
Quote from: beki on April 27, 2023, 09:48:42 AM
Hi @dfw3xam1n3r
Did you test Zenarmor with Routed (L3 Mode, Reporting and Blocking available) with emulated netmap driver on OPNsense 23.1.6 and have any issues? Some users reported that their problems are resolved with this configuration.

Yeah I did and the same thing happened, so I'm just in monitoring mode until 23.1.7 comes out.
#12
Quote from: mtchetch on April 25, 2023, 04:44:46 PM
We have the exact same issue running 23.1 with a Watchguard M370 appliance.

LAN port appears up but the connectivity is lost and it is not visible from the LAN network even with arp -a.

The problem happens infrequently every 7-14 days and is very difficult to track down. VPN and WAN interface work and the firewall management is accessible when this happens (through VPN). Zenarmor is activated, but it is not really doing much besides reporting: Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver.

Will try with the emulated driver if that will fix the issue. The logs have nothing noteworthy from the time of the issue happening.

Just installed the latest 23.1.6 patches but not feeling optimistic since this has happened multiple times already.

Any ideas on tracking down the issue?

This issue will be fixed in 23.1.7 coming out in a couple of weeks, re: netmap/ZenArmor issue. Here is a thread on it. https://forum.opnsense.org/index.php?topic=32114.75. In the thread there were patches you can apply in the interim. I just have my ZenArmor set to monitoring only for now.
#13
[EDIT: Franco: Just realized you said it will be in 23.1.7, not .6. Nevermind!]

My connection still dropped. I don't know why. I was away when it happened and was able to bring it back up remotely. Restarting ZenArmor didn't help though, only a reboot. Currently have ZenArmor set to monitor only for now.

Just for my confirmation, I've upgraded to 23.1.6, and re: ZenArmor (when I take it out of monitoring only) I'm supposed to be using the emulated netmap driver not the native correct? Do I need to do anything with IDS/IPS/Suricata since I'm running that as well?
#14
Thanks Franco.

Hate to report though that with all of the right things in place, I still dropped early this morning and had to restart ZenArmor to resolve it. It was a longer uptime duration this time, but it still wound up dropping packets on LAN. :/
#15
I'm up four days now after applying the patch (correctly, don't think I did the first time) and using netmap emulator for ZenArmor config. This is the longest I've been running since upgrading to 23.1. Things have been, dare I say it, stable? Fingers crossed. :)