Messages - slowhawkeclipse

#1
Great, I appreciate the help!
-Ben
#2
Thanks, that helped! It was user error, of course. The routes were created perfectly.

My next issue is that the firewall on the umbrella router is blocking the IPv6 traffic from the delegated subnets. I have a rule to pass IPv6 traffic from the LAN_A network to any (inbound on LAN_A interface). The delegated prefixes aren't a part of "LAN_A net". If I make a firewall rule (inbound on LAN_A) to pass all IPv6 traffic any to any, it works great. Is there a security risk in doing this? Or is there a way to add a rule allowing from the delegated prefixes?
My prefixes are dynamic (though rarely change), so I'd rather not make a hard-coded alias to them.
#3
I have three OPNsense routers:
- one router ("umbrella"), connected to my modem, it receives a /60 IPv6 delegation from the ISP. It then delegates a /62 to each of the two downstream routers (::4 and ::8). It's using ISC DHCPv6.
- the 1st downstream router gets its WAN address in the ::0/64 subnet, and is delegated the ::4/62 prefix, from which it hands out 3 /64 subnets
- the 2nd downstream router gets its WAN address in the ::1/64 subnet, and is delegated the ::8/62 prefix, from which it hands out 3 /64 subnets
- The downstream routers are both using DNSmasq DHCP.

That part all looks like it works, both of the downstream routers are receiving their own IPv6 address, and a /62 delegated to them. Clients to those routers receive an IPv6 address that is in the right subnet, but they don't have any IPv6 connectivity.

I think the issue is the routes, the "umbrella" router doesn't have any routes for the /62 subnets in the routing table. I read a couple of threads (https://forum.opnsense.org/index.php?topic=7719.0) from a long time ago that made it seem that this was an issue then. I tried the fix that was listed there (manually add a gateway and route on the umbrella router), and that stopped the prefixes from delegating.

Any suggestions?
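
Added example, not part of the original posts: the prefix layout from this post, and the reason the "LAN_A net" rule in the follow-up post above does not match downstream traffic while a source-any rule matches everything. The `2001:db8:0:10::/60` prefix is a constructed stand-in for the ISP delegation, and LAN_A being the first /64 is an assumption.

```python
import ipaddress

# Constructed sample: a documentation-range /60 stands in for the ISP delegation.
ISP_PD = ipaddress.ip_network("2001:db8:0:10::/60")

def plan(isp_pd):
    """Derive the layout from whatever /60 is currently delegated, so nothing
    is hard-coded: LAN_A is assumed to be the first /64, and the second and
    third /62 blocks (::4 and ::8 in the post) go to the downstream routers."""
    blocks = list(isp_pd.subnets(new_prefix=62))      # four /62 blocks
    lan_a = next(blocks[0].subnets(new_prefix=64))    # the ::0/64 subnet
    return lan_a, [blocks[1], blocks[2]]

def classify(src, isp_pd=ISP_PD):
    """Say which kind of source a packet arriving on LAN_A carries."""
    addr = ipaddress.ip_address(src)
    lan_a, delegated = plan(isp_pd)
    if addr in lan_a:
        return "LAN_A net"            # matched by the existing rule
    if any(addr in prefix for prefix in delegated):
        return "delegated prefix"     # routed via a downstream router
    if addr.is_link_local:
        return "link-local"
    # Anything else is only admitted by a rule whose source is "any",
    # which therefore also admits spoofed or misrouted sources.
    return "not expected on LAN_A"

if __name__ == "__main__":
    for src in ("2001:db8:0:10::25", "2001:db8:0:15::25",
                "2001:db8:0:1c::1", "2001:db8:ffff::1"):
        print(f"{src:22} {classify(src)}")
```
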
#4
Gotcha, good to know, thanks! Any suggestions how I can figure out why it shut down?
#5
My router (Protectli VP2410) stopped routing traffic this morning and was unresponsive. It wouldn't negotiate a link to my desktop or the WAP, so I couldn't load the webgui or ssh into it. When I power-cycled it, it came up and is working fine. When I looked in `/var/log/dmesg.today`, I found a lot of messages that were along the lines of:

cannot forward src fe80:xxxx:xxxx:..., dst 2600:xxxx:xxxx:..., nxt 6, rcvif igb0, outif igb1

and

arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0
arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0
arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0

then:

Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 done
All buffers synced.
Uptime: 13d22h52m7s
uhub0: detached
---<<BOOT>>---

Am I looking in the right place to track down the cause of the crash? Can anyone point me in the right direction?

Thanks,
Ben
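
Added example, not part of the original post: a small parser for the `arp: ... moved from ... to ...` kernel messages quoted above, which reports addresses whose MAC keeps flipping back to one seen earlier. Repeated flips mean two devices are answering for the same IPv4 address (a duplicate address, or ARP spoofing); the `min_moves` threshold is an assumption.

```python
import re
from collections import defaultdict

# The six lines quoted in the post, from /var/log/dmesg.today.
SAMPLE = """\
arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0
arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0
arp: 192.168.31.34 moved from e8:ea:6a:25:30:12 to 60:e3:2b:4b:ec:e5 on igb0
arp: 192.168.31.34 moved from 60:e3:2b:4b:ec:e5 to e8:ea:6a:25:30:12 on igb0
"""

MOVED = re.compile(
    r"arp: (\S+) moved from ([0-9a-f:]{17}) to ([0-9a-f:]{17}) on (\S+)")

def arp_flaps(text, min_moves=3):
    """Return {(ip, interface): {"moves": n, "macs": [...]}} for flapping entries."""
    moves = defaultdict(list)
    for line in text.splitlines():
        m = MOVED.search(line)
        if m:
            ip, old, new, ifname = m.groups()
            moves[(ip, ifname)].append((old, new))

    report = {}
    for key, seq in moves.items():
        # One move is normal (new NIC, DHCP lease handed to another host).
        # A move *back* to a MAC that previously held the address is not.
        seen_old = set()
        returns = 0
        for old, new in seq:
            if new in seen_old:
                returns += 1
            seen_old.add(old)
        if len(seq) >= min_moves and returns:
            macs = sorted({mac for pair in seq for mac in pair})
            report[key] = {"moves": len(seq), "macs": macs}
    return report

if __name__ == "__main__":
    for (ip, ifname), info in arp_flaps(SAMPLE).items():
        print(f"{ip} on {ifname}: {info['moves']} moves between {info['macs']}")
```
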
#6
I just upgraded and it all seems to be working great! This is on a Protectli VP2410 running AdGuard Home on port 53 and Unbound on 8053, and it all continued to work after the update.

Thanks for the hard work.
#7
Quote from: Greelan on February 26, 2023, 09:02:50 PM
You still can. Have the "on-demand activation" on in the iOS app, then exclude the SSIDs for your LAN network. So it will only activate when you are not on LAN (and deactivate when you get back on LAN)

Woah, I didn't realize you can configure that so granularly. That's perfect, an even better solution than I was looking for. Thanks!
#8
Quote from: Greelan on February 26, 2023, 08:52:03 PM
Curious as to why you bother with the VPN when your device is already on the LAN network?

I'm hoping to not turn on and off my VPN as I leave my house and return. I just want to leave it on and have it always connected.
#9
I am looking to set up WireGuard so that I can have my phone always connected to my LAN wherever I go. I was hosting a WireGuard endpoint on a server on the LAN, and it has been working great for years. I wanted to move that endpoint to my OPNsense router, so I followed the OPNsense Road Warrior WireGuard documentation. I'm having trouble:

My phone (iOS) initially connects just fine. However, after the phone is not used for a while (sometimes 20 min, sometimes 6hrs), the connection drops. To reconnect, I have to manually go into the WireGuard app and toggle the tunnel off and back on. It seems to only happen when I'm on the LAN. I tried changing the firewall rule from the "WAN" interface to "Floating" on the rec of some YouTube tutorial, which seemed to make it better, but it still disconnected overnight. I can't find anything in the logs that has helped me so far, but maybe I'm not looking in the right place. The WireGuard tunnel to the other endpoint (server on the LAN) works flawlessly with the same phone and setup, which makes me think it's a configuration issue on the OPNsense router.

I thought it might be a DNS issue, so I made the DNS endpoint on my phone the WAN IP address of my OPNsense router. That didn't help.

I tried the keepalive packets (server side), but that didn't help either.

Any advice?