Messages - 9ck

#1
Looking into this I see that I've enabled another cronjob that restarts Wireguard after 6 hours in order to refresh the public IP. Would you recommend I keep this? I have a dynamic IP address. In reality it is only being renegotiated if the connection is down for 3 hours or more. Wonder if I've done this correctly. Shouldn't it be the Dynamic DNS settings that I refresh?

Any recommendation as to how often I should run the job that will renew the DNS for Wireguard?
#2
Quote from: meyergru on July 22, 2025, 06:42:12 PM
Since you did not check the "Log" box, nothing will be logged.
A drop after 24h can be because of a forced reconnect by your ISP; this is common in Germany, e.g.

Ahh... I thought everything would show in the Log Files > Live View - probably not the best place to try to track things.
After the drop I can not reconnect to my LAN via Wireguard. Would that be the case if it was a forced reconnectivity issue? Sorry if I'm not being informative enough.
EDIT: Don't waste time on my Wireguard issue. I just recalled that the local machine I was trying to access had crashed while I was away. I need to do more thorough testing in order to give you the correct picture.
#3
Thanks for the explanation - I'll try to digest it. I've set the rule up (but also fixed the mistake I had in the VLAN2SEC rule). I guess I'll have to wait and see if something shows up in the logs or if this does the trick. Hope I've understood the outbound block rule correctly.

Could this also be the reason that I lose my connection to my LAN via Wireguard after 24h or so (from outside my LAN, obviously)?
#4
Quote from: meyergru on July 22, 2025, 04:45:14 PM
You could try to pinpoint that by creating a WAN outbound block rule (this is one of the rare occasions they are useful) with RFC1918 as source.

Not sure I understand this correctly. Wouldn't such a rule block all my outbound traffic? What would I look for? Should this maybe reveal if it's my company VPN IP address causing issues?
#5
This is the principle used on my other interfaces.
#6
My OPNsense is behind a modem/router provided by my ISP. The ISP-provided router has been set to bridge mode. They do not detect any issues on their side when I lose my WAN connection.

Do you refer to the physical cable and sockets with "the pure link" (you'll have to excuse me, but English isn't my 1st language)?

I was sure that I was allowing only non-RFC1918 traffic to go to the WAN, but going through my rules I do indeed see that in VLAN2SEC I allow all (*) going to WAN. This is the VLAN where I have our company PCs (the ones using the company VPN service - out of my control). Could this be my issue?

#7
25.1, 25.4 Series / Random loss of WAN connectivity
July 22, 2025, 04:14:21 PM
Hi forum
I've been trying to identify why I sometimes lose WAN connection. I've ruled out my ISP. I'm losing WAN connectivity on both WiFi and LAN, but I can still access everything locally (OPNsense keeps on running). Reboot OPNsense and the WAN connection is usually back. I have a suspicion that it has something to do with our company PCs running VPN connections and that I've set up Unbound DNS in OPNsense. But I'm in over my head here. I've shared system logs with Copilot, which has been working on a reply since yesterday (12 logs).

I run OPNsense on a dedicated machine (Protectli) as the only thing on it. I have a Unifi USW Pro24PoE as main switch. To this I have a Unifi USWPro24 and a Unifi FlexMini connected. Three Unifi APs connected to the main switch. All DNS and DHCP handled by OPNsense with Unbound DNS enabled and "locked down" so it will not forward any other DNS requests. Set up to use Quad9. LAN split up into several VLANs.

Some of the things that I notice in the system log:
2025-07-21T14:23:58 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:23:57 Critical dhclient exiting.
2025-07-21T14:23:57 Error dhclient connection closed
2025-07-21T14:23:57 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp(,inet6,[lan]))
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
2025-07-21T14:23:57 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(igc0)
2025-07-21T14:23:56 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure newwanip:rfc2136 (,[wan])
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,[wan]))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : ntpd_configure_do())
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : dhcrelay_configure_if(,[wan],inet))
2025-07-21T14:23:55 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (,[wan],inet)
...
2025-07-21T14:23:09 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '83515''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 83515: No such process'
2025-07-21T14:23:09 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:23:09 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:23:09 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '83515''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 83515: No such process'
2025-07-21T14:23:09 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:23:06 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igc0.pid' 'igc0'' returned exit code '1', the output was 'igc0: no link .............. giving up'
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:22:55 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '70234''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 70234: No such process'
2025-07-21T14:22:55 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:22:55 Error opnsense /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '70234''(pid:/var/run/dhclient.igc0.pid)  returned exit code '1', the output was 'kill: 70234: No such process'
2025-07-21T14:22:55 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
...
2025-07-21T14:22:00 Notice dhclient dhclient-script: Reason REBOOT on igc0 executing
2025-07-21T14:21:59 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:58 Error dhclient send_packet: Network is down
2025-07-21T14:21:57 Error dhclient send_packet: Network is down
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:55 Error dhclient send_packet: Network is down
2025-07-21T14:21:53 Error dhclient send_packet: Network is down
2025-07-21T14:21:52 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:52 Notice dhclient dhclient-script: Reason PREINIT on igc0 executing
2025-07-21T14:21:51 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:45 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:44 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(igc0)
2025-07-21T14:21:29 Critical dhclient exiting.
2025-07-21T14:21:29 Error dhclient connection closed
2025-07-21T14:21:29 Warning opnsense /usr/local/etc/rc.linkup: radvd_configure_do(auto) found no suitable IPv6 address on lan(igc1)
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp(,inet6,[lan]))
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(igc0)
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure newwanip:rfc2136 (,[wan])
2025-07-21T14:21:27 Notice kernel <6>igc0: link state changed to DOWN

Since I've used Copilot with varying success in the past, I would really appreciate it if someone could "qualify" the reply I've got. Here is the breakdown from Copilot. I realize it's not fair to ask for a specific reply with the lack of insight, but most of you probably have an opinion on the reply from Copilot and maybe someone has been in a similar situation.

🔍 What the Logs Reveal (Crash Patterns)
Across nearly every incident:
  • WAN Interface Flapping (igc0): Link goes DOWN → UP in rapid succession, often within seconds.
  • DHCP Struggles: dhclient fails to send packets (Network is down) just as interface recovery begins.
  • Plugin Overload: rc.linkup and rc.newwanip trigger multiple plugin reconfigurations (Unbound, VPN, DNS, Monitor) before the link is stable.
  • Resolver Turmoil: Unbound is caught mid-crash—trying to forward DNS while upstream hasn't recovered.

And in several logs:
  • Client Triggers Detected: Either from your company PC or Teams—DNS requests or TCP resets right as WAN begins recovering.

🧠 Root Cause Themes
Root Cause                      Frequency   Example Trigger
Link-State Flapping             High        igc0: link state changed to DOWN
DHCP Reinitialization Failure   High        send_packet: Network is down
Plugin Execution Race           Medium      plugins_configure dns, ipsec
Early Client DNS Requests       Medium      Resets from PC during bootup
Unbound Restart Mid-Recovery    Medium      unbound_configure_do()

✅ What You Can Do
1. Tame the Interface
  • In OPNsense, go to Interfaces → WAN → Advanced
  • Set Link Up Delay to ~5 seconds to avoid plugin races
  • Enable Prevent interface flapping logic if available
2. Stagger Plugin Execution
  • Use System → Settings → Tunables to defer DNS resolver and VPN plugin execution until WAN is confirmed UP
  • Consider custom script delays for Unbound reloads
3. Isolate Company Devices
  • Create a separate VLAN for corporate PCs
  • In Unbound, disable DNS over TCP for that VLAN (use port override to reject encrypted queries if needed)
4. Fortify DHCP Recovery
  • Add retry-delay and initial-delay tweaks to dhclient.conf (can stabilize lease recovery after link events)
5. Monitor Client Behavior
  • Packet capture during bootup—look for TCP resets or malformed DNS requests
  • Sandbox MS Teams: test with and without the app running to compare crash likelihood

💡 Next Steps
If you want, I can build:
  • A custom Unbound config for resilient DNS per VLAN
  • A shell script to re-sequence plugin executions
  • A diagnostic dashboard to catch crash patterns early

I will appreciate any help provided.
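As an added example (not part of the post above, and not OPNsense code), the following Python script re-reads the log lines quoted in the post. The GUI lists entries newest first, so the script reverses them before analysing; it then counts the igc0 link-state transitions, finds the busiest 60-second window, and checks whether the first kernel link event comes before the first dhclient failure. The sample lines are copied from the post; the 60-second window and the chosen subset of lines are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the OPNsense system log lines quoted in the
# post above, in the order the GUI lists them (newest entry first).
SAMPLE_LOG = """\
2025-07-21T14:23:06 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igc0.pid' 'igc0'' returned exit code '1', the output was 'igc0: no link .............. giving up'
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:06 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:23:02 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:22:00 Notice dhclient dhclient-script: Reason REBOOT on igc0 executing
2025-07-21T14:21:59 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:58 Error dhclient send_packet: Network is down
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:56 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:52 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:51 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:45 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:44 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to DOWN
2025-07-21T14:21:41 Notice kernel <6>igc0: link state changed to UP
2025-07-21T14:21:28 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(igc0)
2025-07-21T14:21:27 Notice kernel <6>igc0: link state changed to DOWN
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(\w+)\s+(.*)$")
LINK_RE = re.compile(r"(\w+): link state changed to (UP|DOWN)")


@dataclass
class Event:
    ts: datetime
    level: str
    msg: str


def parse_log(text):
    """Parse GUI-style lines and return them oldest first.

    The export is newest-first, so reverse it before the (stable) sort; entries
    sharing a timestamp then keep their true order (UP before DOWN at 14:23:06).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(reversed(events), key=lambda e: e.ts)


def link_transitions(events, iface):
    """(timestamp, 'UP'|'DOWN') for every kernel link-state change on iface."""
    out = []
    for e in events:
        m = LINK_RE.search(e.msg)
        if m and m.group(1) == iface:
            out.append((e.ts, m.group(2)))
    return out


def max_in_window(timestamps, window):
    """Largest number of transitions inside any interval of length `window` (sliding window)."""
    best, j = 0, 0
    for i in range(len(timestamps)):
        while j < len(timestamps) and timestamps[j] - timestamps[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def analyze(text, iface="igc0", window_seconds=60):
    events = parse_log(text)
    trans = link_transitions(events, iface)
    # dhclient problems: its own Error/Critical lines plus rc.linkup failing to run it
    dhclient_fail = [e for e in events
                     if "dhclient" in e.msg and e.level in ("Error", "Critical")]
    first_link = trans[0][0] if trans else None
    first_fail = dhclient_fail[0].ts if dhclient_fail else None
    return {
        "transitions": len(trans),
        "downs": sum(1 for _, s in trans if s == "DOWN"),
        "max_transitions_in_window": max_in_window([t for t, _ in trans],
                                                   timedelta(seconds=window_seconds)),
        "dhclient_failures": len(dhclient_fail),
        "first_link_event": first_link.isoformat() if first_link else None,
        "first_dhclient_failure": first_fail.isoformat() if first_fail else None,
        # True when the link layer started flapping before DHCP started failing
        "link_before_dhclient": bool(first_link and first_fail and first_link < first_fail),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports 14 transitions (7 DOWN), 10 of them inside one 60-second window, and the first link event at 14:21:27 ahead of the first dhclient failure at 14:21:58. That ordering is the thing to establish before touching resolver or plugin timing: in the quoted lines the dhclient and plugins_configure messages follow the kernel link changes, they do not precede them.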
#8
Trying to get Wireguard to work on my son's PC from his place. I have the Wireguard server running in OPNsense at my place. I've set up a client on my son's PC and there is a handshake and Wireguard is active (green) on his PC, but he has no internet access.

The client is set up with
DNS servers 9.9.9.9 and 149.112.1.12.112.
Allowed IPs 0.0.0.0/0

I'm using a Unifi Express at his place which I've set up without the router that his ISP did provide - just not to have all this equipment running. In order to get this to work I had to tag all outbound traffic with VLAN107.

I'm now in doubt whether the connectivity issue is due to the VLAN tag, or whether it has something to do with my firewall settings at my end, or whether I would need to tag outbound traffic from the server. As you can understand from this, I'm not that familiar with how VPNs work (flow of traffic etc.).

The Unifi router isn't easily accessible; that's why I didn't test with the ISP-provided router in bridge mode (but this would of course be something to do next time I visit him).

Appreciate any help trying to troubleshoot this issue. I'm also an OPNsense novice... TIA.
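An added example, not from the post and not WireGuard's or OPNsense's own code: a small checker for a WireGuard client config built from the fields listed in the post (the two DNS servers and AllowedIPs 0.0.0.0/0). Keys, the tunnel address and the endpoint are dummy placeholders I made up. The checker flags DNS entries that do not parse as IP addresses (the second one as typed in the post does not; whether that is a typo in the post or in the real config, the post does not say), parses the endpoint, and reports that 0.0.0.0/0 makes the tunnel a full tunnel, which means the server side has to route and NAT every client packet, DNS included, or the client shows "connected, no internet".

```python
import ipaddress

# Constructed sample client config. DNS and AllowedIPs are the values from the
# post above; PrivateKey/PublicKey, Address and Endpoint are dummy placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
Address = 10.10.10.2/32
DNS = 9.9.9.9, 149.112.1.12.112

[Peer]
PublicKey = QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""


def parse_wg_conf(text):
    """Minimal INI-style parser: WireGuard allows repeated [Peer] sections and repeated keys."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1], "keys": {}}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current["keys"].setdefault(key, []).extend(v.strip() for v in value.split(","))
    return sections


def check_client_config(text):
    """Return {'errors': [...], 'notes': [...], 'full_tunnel': bool} for a client config."""
    errors, notes = [], []
    sections = parse_wg_conf(text)
    iface = next((s for s in sections if s["name"] == "Interface"), None)
    peers = [s for s in sections if s["name"] == "Peer"]
    if iface is None or not peers:
        errors.append("config needs one [Interface] and at least one [Peer] section")
        return {"errors": errors, "notes": notes, "full_tunnel": False}

    # DNS entries must be literal addresses; a typo here breaks name resolution
    # even though the handshake succeeds, which looks like 'connected but no internet'.
    for dns in iface["keys"].get("DNS", []):
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            errors.append(f"DNS entry {dns!r} is not a valid IP address")

    full_tunnel = False
    for peer in peers:
        nets = []
        for cidr in peer["keys"].get("AllowedIPs", []):
            try:
                nets.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                errors.append(f"AllowedIPs entry {cidr!r} is not a valid network")
        if any(n.prefixlen == 0 for n in nets):
            full_tunnel = True  # a /0 route sends everything through the peer
        endpoint = peer["keys"].get("Endpoint", [""])[0]
        host, _, port = endpoint.rpartition(":")
        if not host or not port.isdigit():
            errors.append(f"Endpoint {endpoint!r} must be host:port")
        if "PersistentKeepalive" not in peer["keys"]:
            notes.append("no PersistentKeepalive: a client behind NAT may lose its mapping while idle")

    if full_tunnel:
        notes.append("AllowedIPs 0.0.0.0/0 sends all IPv4 traffic (DNS included) into the tunnel; "
                     "the server side must route and NAT it, or the client has no internet")
    return {"errors": errors, "notes": notes, "full_tunnel": full_tunnel}


if __name__ == "__main__":
    result = check_client_config(SAMPLE_CONF)
    for line in result["errors"]:
        print("ERROR:", line)
    for line in result["notes"]:
        print("note: ", line)
```

The checker is deliberately local: it tells you what the client will try to do, not whether the server lets it. With a full tunnel the remaining questions are all on the OPNsense side (a rule on the WireGuard interface that allows the client's traffic, and outbound NAT on WAN for the tunnel network); a VLAN tag on the client's uplink does not change what is inside the tunnel.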
#9
General Discussion / Firewall and company VPN
March 20, 2023, 04:51:15 PM
Hi forum
I've set up firewall rules to reject/block connections to the RFC1918 range, but my wife and I often work from home and use a secure VPN connection to log into our company networks. It's working right now, but I see a lot of rejected requests because the source (company PC) is trying to reach a destination within the RFC1918 range. What would best practice be in this situation? A separate VLAN with no rules blocking the RFC1918 range?
#10
I contacted my ISP to verify that everything "on their side" was OK. It turned out that they had changed the setup of the modem so it was no longer in bridge mode. She told me that the modem had been like this for a while (not changed today), so I wonder if this will solve my issue.

I guess this could mess things up quite a bit - but I'd really appreciate if you have any comments / input to my setup etc.
#11
Hi forum
As a novice I'm looking for help to debug/identify my issue and confirm "correct" settings. My WAN connection has begun to drop out repeatedly - 5th time today. It has happened once before in the 1 - 2 weeks I've had OPNsense up and running. I haven't made any changes to my setup today (or in the last week or so). Running OPNsense vers. 23.1.3_4 on a Protectli.

I notice the "Router Advertisement Daemon" status changes to "OFF". One time I restarted it, the "Unbound DNS" service changed to "OFF". The service keeps turning "OFF". I'm inclined to believe my issue is connected to this service -but not sure at all.

The System Log File General shows the "Warning opnsense /usr/local/etc/rc.linkup: hcpd_radvd_configure(auto) found no suitable IPv6 address on igc1".

My ISP provides a dynamic IPv4 address - not sure if they support IPv6. My knowledge of best practice when it comes down to IPv6 is very limited.

IPv6 is not enabled in "Services/DHCPv6/Relay".

I've set up "Unbound DNS" and "DNS over TLS" using Quad9 as nameserver.
Admittedly I've enabled both the Quad9 IPv4 and IPv6 addresses.
In "Unbound/General" I've checked "IPv6 Link-Local/Register IPv6 link-local addresses".

In "Interfaces/WAN/" I had the "IPv6 Configuration Type" set to "DHCPv6".

I've set up floating firewall rules to only allow DNS requests to "This firewall" and block other DNS requests. Maybe "This firewall" should be replaced with "127.0.0.1"? See attached Billede1 (picture 1).

I've set up a Port Forwarding rule to redirect DNS requests to the local DNS server. Not sure if I should include port 853 here. See attached Billede2 (picture 2).

I'll contact my ISP to see if they had issues, but the modem indicates that everything should be fine.

PS: How do I insert an image? I get the icon and the "frames" but what then...?

#12
Thanks Fright. I'm admittedly in over my head sometimes... :)
#13
Hi forum
New to OPNsense and DNS over TLS. I get this line in my logfile under debug "[92375:3] info: Verified that unsigned response is INSECURE" and I'm not sure what to make of this "warning".

In > Unbound DNS > DNS over TLS, I've set up and enabled two services.
Enabled: Checked
Domain: Blank
Address: 1.1.1.2 and 1.0.0.2 (respectively)
Port: 853
Hostname: security.cloudflare-dns.com

In > Unbound DNS > General
Enabled: Checked
Listen port: 53
Network Interfaces: All
DNSSEC: Checked
IPv6 Link-local: Checked

In > Unbound DNS > Advanced
Harden DNSSEC Data: Checked
Log Queries: Checked
Log Level Verbosity: Level 2

In > Services > DHCPv4 and the respective LAN and VLANs
DNS Servers: Blank

In > System > Settings > General
DNS Servers: Blank

Am I missing something? What's causing this prompt in the log?