Messages

Is anyone going to fix the version typo on the title of this thread?

Sorry ;)
Done

One question regarding DHCPv6 and RA.

In my LAN interface I track my WAN interface for IPv6 and just define a prefix for my 56-subnet I get from my provider.
If I then do not select the manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements).

What are then the defaults for DHCPv6 and RA?
My challenge is that, when the "manual configuration" is not ticked, I do not even see the Service->RA or the Service->ISC-DHCPv6 settings showing up.

OK thanks.
And just one (I think now rather stupid question).
I was always thinking, I am running a DHCPv6 server on my Opnsense.
But after a short ChatGPT consultation, I think I understood now that without the manual IPv6 configuration of the interface, I am only using router advertisement and the clients are using SLAAC to generate their IP. Is this correct?
This would explain why I cannot deactivate it and the only menu option below ISC DHCPv6 are the "Leases".

If I understood this right, I can ignore DHCPv6 in my current setup....?

OK, so this would mean before changing my setup waiting for 25.7. correct?

So if I understand right, then DNS would be still Unbound on port 53 and DNSMASQ on another port to answer queries for local hostnames?

And regarding ISC: I can dissable ISC for IPv4. But how does this work for IPv6? Can only view the leases there but find no further options.

Hi everybody,

honestly I am now a bit confused and need some advice.

In the past I was using unbound for DNS and ISC DHPC for DHCP.
I defined private IPV4 subnets in ISC-DHCP for my vlans.

For IPV6 i set DHCPv6 in my WAN interface (PPPOE - Deutsche Telekom) and in my LAN interfaces just tracked the WAN and set a prefix id.

Some time then, I switched to KEA for DHCPv4 (as it was supposed to be the new standard). Created my subnets there, set fixed IPs etc.

Now with Kea IPv6 and also everything in DNSMASQ: Which is the preferred setup?

Is it only DNSMASQ instead of ISC + KEA + UNBOUND?

I just installed the DNSCrypt plugin and I have the same problem with the logs

Reading the questions:
I just realized that I completely forgot about the DynDNS. I mean the time it needs to update.
I was super quick with testing. What a shame, if this would be the reason..... :-[

So I just rolled back to 24.1.1, updated again to 24.1.2 (without the patch).
I will now test again and having a look at the DynDNS topic....

So...
After a clean update to 24.1.2, a few minutes of just waiting and doing nothing, everyhting works nicely...  :)

So DynDNS could be an explanation....
However, there might have also been something else. Especialle because I was not able to start OPNsense yesterday at all.... no idea....

Thanks for the great support!
Just made a litte PayPal donation the the OPNsense project.

(1) Do you use DNS entries as endpoint addresses?

Yes, I have a dynamic IP, so I have a dyndns domain pointing to my OPNsense router.

(2) Do you use tunnel addresses on your instances?

Yes, this is the entry for the respective instance:    10.21.4.1/24,fd21:04::01/64
And allowed IPs for the peers. For example: 10.21.4.4/32,fd21:04::04/128
This addresses are then in the interface section of the client.

(3) Do you have allowed IPs on your peers?

Yes, different for split and full tunnel:
Full tunnel allowed IPs: 0.0.0.0/0,::/0
Split tunnel allowed IPS: 10.21.0.0/16

(4) Do you have the instances assigned as interfaces?

Yes

(5) If yes for (4) do you have an IPv4/IPv6 mode set in the interface?

IPv4 and IPv6 Configuration Type set to "none"

(6) If yes for (4) do you have VIPs assigned to these interfaces?

No


Reading the questions:
I just realized that I completely forgot about the DynDNS. I mean the time it needs to update.
I was super quick with testing. What a shame, if this would be the reason..... :-[

So I just rolled back to 24.1.1, updated again to 24.1.2 (without the patch).
I will now test again and having a look at the DynDNS topic....

OK. Following behaviour:

1. Updated again to 24.1.2 -> Wireguard did not work.
2. Applied the patch and rebooted. -> Wireguard did not work
3. Restarted Wireguard -> Wireguard worked
4. Reboot again -> Wireguard works

Until now. Everything was checked with my Android phone.

5. Reboot again -> Wireguard does not work on Android. However, iPad works.
A few connects and disconnects with both, Android and iPad. Suddenly both of them are working.


I tested Wireguard with the mobile LTE network but also out of my WLAN. Both showed the same behaviour.
Either both work, or both do not work.

Also both of my tunnes, split and full, showed the same behaviour.

This is difficult to nail down...

Anything that I could test now with the patched 24.1.2 installation?
Otherwise I would revert back to 24.1.1, reinstall 24.1.2 and continue testing to see if it is the same unstable behaviour....

# opnsense-patch 340a32473
or
# opnsense-patch 3340a32473

I guess it is the second to fit to the Github link correct? Just to be double-safe....

You could try reverting this one:

https://github.com/opnsense/core/commit/3340a32473

But it's basically a can of worms because it fixes a non-operational issue on the surface, which points to lack of proper setup if it causes breakage... perhaps meddling with VIPs or a left-over interface IPv4 configuration (this has been discontinued but some old configs may still have it) which is not optimal at the moment.

# opnsense-patch 3340a32473


Cheers,
Franco

I just created the 24.1.1 installation.
I was running OPNsense on bare metal and now switched to Proxmox.
I described the way I did it in this post https://forum.opnsense.org/index.php?topic=38942.msg190682#msg190682.

Anything I can check in my config that could be a potential problem?

i've had vpn stuck at boot only if dns race condition was a problem (e.g. adguard as a main dns; unbound can't resolve if not routed to wan).

I think this could also be the problem for my hang during boot.
However also only with 24.1.2.
I just have unbound, howver with "DNS over TLS" resolving to Cloudflare enabled.

Any way to dive into this? Do I just have to wait for a certain timeout? It seemd to completely stuck at "Configuring Wireguard VPN..." and I was not able to start OPNsense at all...

Another thing:

I rebooted a few times. It ended up with the following behaviour:

"Starting Unbound DNS" took several seconds.
If this is happening, the boot completely hangs with "Configuring Wireguard VPN..."

See attached screenshot.

I rolled back again to 24.1.1 and no problems.

I updated again and did some testing.

Outgoing Wireguard works. So selective routing to an external VPN provider.

Incoming Wireguard does not work. I see the connection in the OPNsense WebGui, but no data is transferred.

Then I disabled Wireguard and enabled it again. After this everything works normally.

When I reboot, it is broken again until I restart Wireguard.


One strange thing: I have two tunnel configurations. A full and a split tunnel.
Full tunnel allowed IPs: 0.0.0.0/0,::/0
Split tunnel allowed IPS: 10.21.0.0/16

After the reboot, the full tunnel does not work. From my Android phone and my iPad I cannot access an external site and also nothing of my private 10.21... network.
However with the split tunnel, I can access my private network.

I will try again tonight or tomorrow and then report here.