Messages - FireKahuna

#1
Can confirm this is still not allowed by the GUI, any use of quic in Listen Addresses is blocked by the syntax rules (doesn't allow quic4@ or quic6@)
#2
Is there any hope of CLAT support for 25.1? Without it atm a true IPv6 deployment isn't possible without compatibility issues
#3
HAProxy 2.6+ has support for using Quic and HTTP/3 and checking 'haproxy -vv' it is compiled with support for it in OPNSense, however the GUI atm blocks the use of these protocols. It seems simple to fix but the xml just needs to be edited. Can the GUI restrictions be adjusted for 24.7 by chance? More extended support and such could definitely come later, just would be nice to be able to type these options in without a block.

Example is given here: https://www.haproxy.com/blog/how-to-enable-quic-load-balancing-on-haproxy

frontend fe
  mode http
  bind :80
  bind :443  ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
  bind quic4@:443 ssl crt /mycert.pem alpn h3

  http-request redirect scheme https unless { ssl_fc }

  http-after-response add-header alt-svc 'h3=":443"; ma=60'


so for OPNSense, looking at this: https://github.com/opnsense/plugins/blob/master/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

                <bind type="CSVListField">
                    <Required>Y</Required>
                    <multiple>Y</multiple>
                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
                    <ChangeCase>lower</ChangeCase>
                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                </bind>

In here it needs to support quic4@ and quic6@ alongside unix@. This alone would allow binding Quic connections, then the only other core piece is the following

                    <OptionValues>
                        <h2>HTTP/2</h2>
                        <http11>HTTP/1.1</http11>
                        <http10>HTTP/1.0</http10>
                    </OptionValues>


The correct route is to have <h3>HTTP/3</h3> added as a valid option as well. Then have h3 only appear on bind lines starting with quic and not appear on lines that don't start with quic. If substring = QUIC, h3. If NOT quic, ALPN options. Might not even need h3 as a typable option that way actually. That + quic4/6 would allow a config matching what they provided by adding the rest of the example as conditions/option pass-through.

Though that can be done later, even simply having quic4/6 be supported syntax wise would be a great start to configuring a working QUIC setup.
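A way to try the two changes proposed in the post above (the extended bind mask and the h3-only-on-QUIC rule) in Python, as an added example that is not the plugin's own code. The quic4@/quic6@ branch of the mask, the assumption that OPNsense enforces the mask as a full match, and the check_frontend helper are this example's assumptions:

```python
import re

# Character class for the host/IP part, copied from the plugin's mask on this page.
_HOST = r"[0-9a-zA-Z._\-\*:\[\]]"
_PORT = r":+[0-9]+(-[0-9]+)?"  # port or port range, e.g. :8080 or :1220-1240

# The mask as it appears in HAProxy.xml today (PHP delimiters and /u flag dropped,
# ([,]){0,1} written as the equivalent (,)?).
MASK_CURRENT = rf"^(({_HOST}+{_PORT}|unix@[0-9a-z_\-]+)(,)?)*"

# Proposed extension (assumption, not the plugin's code): a quic4@/quic6@ branch
# whose address part may be empty, so 'quic4@:443' from the HAProxy blog passes.
MASK_QUIC = rf"^(({_HOST}+{_PORT}|quic[46]@{_HOST}*{_PORT}|unix@[0-9a-z_\-]+)(,)?)*"

# ALPN keys from the <OptionValues> block on this page, plus the proposed h3 key.
ALPN_TCP = ("h2", "http11", "http10")
ALPN_QUIC = ("h3",)


def mask_accepts(mask: str, listen_addresses: str) -> bool:
    """Emulate the field validator: the whole value must be consumed by the mask
    (assumption: OPNsense applies the mask as a full match)."""
    return re.fullmatch(mask, listen_addresses) is not None


def allowed_alpn(bind: str) -> tuple:
    """h3 only on QUIC binds; the existing TCP options only on non-QUIC binds."""
    return ALPN_QUIC if bind.startswith(("quic4@", "quic6@")) else ALPN_TCP


def check_frontend(listen_addresses: str, alpn: tuple) -> list:
    """Return one problem string per bind whose selected ALPN values are not
    allowed for that bind type, so a GUI could reject the mix before writing
    haproxy.cfg. Hypothetical helper, not part of the plugin."""
    problems = []
    for bind in filter(None, listen_addresses.split(",")):
        bad = [a for a in alpn if a not in allowed_alpn(bind)]
        if bad:
            problems.append(f"{bind}: {', '.join(bad)} not valid on this bind")
    return problems
```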
#4
Definitely understand, at the least after getting the 24.7.b kernel installed the RACK stack is compiled, BBR isn't but they in chats seem to be moving to just RACK anyway. So all is good, thanks for the reply and understand it being a breaking change if it wasn't
#5
FreeBSD adds the build options for the BBR and RACK modules to 14.1 as per this commit https://cgit.freebsd.org/src/commit/?id=3a338c534154164504005beb00a3c6feb03756cc

Is it possible to add these new FreeBSD default build options in OPNSense for 24.7? The committer themselves stated there's no real harm with these options, as they have to be enabled by sysctl. Would it be possible to compile the kernel with these options so that we can utilise these via sysctl (of course not enabled by default, they both require changing sysctl defaults).

A lot of it is described here: https://freebsdfoundation.org/wp-content/uploads/2024/02/scheffenegger.pdf