Messages - tb_one

#1
We do have Intel cards and Xeon CPUs, and most of the time QUIC/UDP443 is not passing the gateway.
Sometimes we get some handshake packets back, and then we have a big problem. Browsers or apps do not switch back to TCP, so everything locks up. If there's just absolutely no response, loading websites takes 2-3 seconds longer, but as soon as the client does receive some packets back it's locked to QUIC.

New hardware is not a solution, since we do have kind of high-end hardware.
#2
23.7 Legacy Series / Re: Problems with HTTP3/QUIC
May 03, 2024, 01:26:19 PM
Same here. No solution for three weeks.

It didn't start right away after the update to 24.1. A few weeks later. Or we just didn't notice.

YouTube, Play Store, HTTP3 websites, everything is laggy at first access; YouTube suddenly stops playing.
#3
We found a solution after many hours, days of searching; it was so simple.

Go to your WAN interface, and make sure (if it is your only WAN interface and you do not have a multi-WAN system) IPv4 Upstream Gateway is set to "Auto-Detect". Another admin in our company set it manually to the default gateway given through our ISP. That never causes problems, since now we're on 24.1.

Kind regards.
#4
We do have some of the issues, too.

Weird and strange behaviour. I opened another thread with those issues a little while ago:
https://forum.opnsense.org/index.php?topic=39654.0

Quote from: BoneStorm on March 03, 2024, 01:26:21 AM
...
* DNS broke - no name resolution
* GW pings failed - declaring GW down
* tcpdump on wan indicate icmp packets leaving opnsense and were answered by remote successfully
* OPNsense shell ping however reported timeouts
* same signature on DNS - DNS leaving but unbound states server failure
* existing connections (flows in the connection table) were successfully held and also cached DNS records were served, so it was not entirely obvious things were going wrong
* tcpdump attached to pflogd0 did not indicate any drop
* for troubleshooting I added to WAN ingress permit ip any any statements - no fun
* pfctl -d - disabling pf made the opnsense shell ping to directly connected WAN default GW instantly work
* the issue persisted through multiple reboots including other HA node held artificially down to reduce noise
...
#5
Hello there,

We're using OPNsense as our main company router to the internet and for VPN access for our employees.

Last Saturday we upgraded from 23.7 to 24.1.

After the upgrade, the internal DNS server, OpenVPN and the firmware upgrade stopped working.
The firmware upgrade itself ran without problems straight to 24.1.
Current installed version:
OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

Selected mirror: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1

I got OpenVPN to work by adding a floating rule for port 1197 incoming. As soon as I add that rule to a specific interface, it stops working with this error in the OpenVPN log file:
   Connection Attempt write UDPv4: Permission denied (fd=8,code=13)

It doesn't make any sense.

DNS I fixed with a workaround: DNS lookup only works via the LAN interface, not for WAN interfaces. We do have two corporate DNS servers on our Active Directory domain controllers. The router itself should use 8.8.8.8 and 1.1.1.1 for guest wifi, but it does not work, so I added these external resolvers directly in the DHCP config.
OPNsense cannot use external resolvers somehow, even if I add firewall rules to explicitly allow DNS.

After resolving the DNS issue, firmware is not fixed; I got a new error when trying to check for updates:
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/24.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/meta.txz: Permission denied
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/packagesite.pkg: Permission denied
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/packagesite.txz: Permission denied

I don't know why this is happening. It looks like the internals of the router cannot communicate with the outside world, only with things on LAN interfaces. But the rules are there. Communication from the router itself is permitted.

Has anyone run into the same problems and found a working solution (and not just a workaround)?

Kind regards and thanks in advance.