Messages - jbourne

#1
Did this break for anyone with the 24.7 update? It was working perfectly up till yesterday when I wanted to install tailscale, and was told that 24.1 is too old - so I ran the upgrade and everything broke. Now the GIF tunnel no longer auto starts and I have to go back to my manual hack solution. Did anything change?
#2
Quote from: franco on June 10, 2024, 02:08:17 PM
Entirely unsure. I cannot test this easily. Sorry.


Cheers,
Franco

Hahaha no worries, I will revert back!
#3
Quote from: franco on June 10, 2024, 01:35:12 PM
Great, all feedback welcome. Maybe just as a reminder it needs a reboot to make use of the newer dhcp6c or you have to kill the previous one and then apply the interface configuration again.

# killall dhcp6c


Cheers,
Franco

Anything I should change about the GIF tunnel etc? I'm assuming I should undo the static config I put into 10-wanip but anything else I should change?
#4
Quote from: franco on June 10, 2024, 01:21:53 PM
Command to test was posted here: https://github.com/opnsense/core/issues/5630#issuecomment-2154825737


Cheers,
Franco

Oops I totally missed that thread. I will check it, patch, and see how it goes. Thanks!
#5
Cool. That's good to hear. Can I deploy that via the beta tree or it's not published yet?
#6
Ah, another expected, but unwelcome, side effect of the status quo: WAN interface does not get an IPv6 IP, so if you want a dynamic IPv6 host alias for firewall rules, that does not work. Have to use LAN interface as "source" under Firewall > Aliases, and I don't know if that's safe to use or not, but it seems to work for now.
#7
Sweet! Thank you very much. I'll watch that thread and this one also for when it makes it into beta so I can switch branches and test.
#8
Quote from: franco on May 26, 2024, 12:49:01 PM
Quote from: jbourne on May 26, 2024, 04:57:04 AM
Adding it to a _new_ script did not work

No executable permission most likely.

Haha. That would've been too easy. No, exec perms are on. I have the GIF tunnel as part of 10-newwanip and 93 for ipsec restart (I have an ipsec tunnel I absolutely must have on boot). If I put the gif code with a 30 sec sleep followed by strongswan restart into 93, it does not work. If I put the GIF config code into 10 with a 30 sec sleep and then separately leave the strongswan restart in 93, it works. No idea why.
#9
Quote from: jbourne on April 26, 2024, 03:44:17 AM
Understood, thanks. I'm going to guess that with all the stuff y'all have to do, pandering to weird Japanese setups isn't going to be _too_ high on the list, hehe ... Is there anything I can do in the meantime as far as a manual hack goes? I suppose I could write some kind of a script that runs as a cron job or something, but ideally I want to just patch into the boot process somewhere.

[edit] browsing through forums, I came across what I think was a similar issue:
https://forum.opnsense.org/index.php?topic=35876.0

and there was a patch issued,
https://github.com/opnsense/core/commit/315153a07

Was this ever deployed into subsequent releases? I looked through src/etc/inc/interfaces.inc and I don't think I see the code referenced in that patch, and it's for an older version, so I don't know if I should risk it or not.

[edit] one more edit. I managed to make it come up on boot by editing 10-newwanip, adding a sleep timer of 30 seconds (to allow WAN to come up), doing the gif config, and then adding a new script all the way at the end of the boot, doing another 10 second sleep, and adding a configctl service restart strongswan to restart the IPSec tunnel. This survived the last two reboots, so it might be an OK hack at the moment. :)

Updating my own post. Adding it to 10-newwanip survived reboots, but didn't survive a firmware update (duh, I suppose), and I forgot that I did it, so everything fell apart again. Adding it to a _new_ script did not work, I have no idea why.

So I fortunately remembered to revisit this thread and see my notes on it, but I guess I will stop updating the firmware because it's just going to break everything again.
#10
FWIW I am happy to test as well in the weird environment that Japanese IPv6 is, if that is helpful. Especially since I'm the one who revived this thread  ;D
#11
Quote from: Patrick M. Hausen on May 06, 2024, 09:15:41 AM
You do not need a GUA on WAN. And you can NAT outbound packets on WAN to e.g. "LAN address" so the firewall itself can use IPv6.

Sure, but how to set that up? At the moment it does not seem like any way of configuring it makes it work other than manually configuring the GIF interface like I posted above - and that doesn't work automatically. Sorry, I might also be a little slow as I'm not used to v6 networking. I miss the old days of plugging a wire into a wall port and just having DHCP give you an IP that never changed, with no ports blocked. sigh.
#12
But if we leave this as is, then (in the extreme) nobody in Japan can use OPNsense directly attached to an ONU device (and if behind an ISP-provided router, then you need to do IPv6 NAT, since only a /64 subnet is assigned to each device), so anything we can do to solve this?

I fixed my issue in the meantime with some really rough hacks (sleep()'ing on boot and bouncing the interface a few times), but this is a really lame hack, not to mention that I make the assumption my subnet won't change, so as soon as it does (and obviously I will happen to be away from my router RIGHT at that moment, lol) it will not come up. Would really love something more reliable as far as a solution goes.
#13
Understood, thanks. I'm going to guess that with all the stuff y'all have to do, pandering to weird Japanese setups isn't going to be _too_ high on the list, hehe ... Is there anything I can do in the meantime as far as a manual hack goes? I suppose I could write some kind of a script that runs as a cron job or something, but ideally I want to just patch into the boot process somewhere.

[edit] browsing through forums, I came across what I think was a similar issue:
https://forum.opnsense.org/index.php?topic=35876.0

and there was a patch issued,
https://github.com/opnsense/core/commit/315153a07

Was this ever deployed into subsequent releases? I looked through src/etc/inc/interfaces.inc and I don't think I see the code referenced in that patch, and it's for an older version, so I don't know if I should risk it or not.

[edit] one more edit. I managed to make it come up on boot by editing 10-newwanip, adding a sleep timer of 30 seconds (to allow WAN to come up), doing the gif config, and then adding a new script all the way at the end of the boot, doing another 10 second sleep, and adding a configctl service restart strongswan to restart the IPSec tunnel. This survived the last two reboots, so it might be an OK hack at the moment. :)
#14
Thanks very much. Tried this, and it did configure an IP for my ix0 WAN side:
ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1460
        description: WAN (wan)
        options=4803828<VLAN_MTU,JUMBO_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,NOMAP>
        ether ac:bd:ca:fe:de:ad
        inet 127.0.0.2 netmask 0xffffffff broadcast 127.0.0.2
        inet6 fe80::9e69:b4ff:fe63:6437%ix0 prefixlen 64 scopeid 0x2
        inet6 2001:f74:xxxx:yyyy:zzzz:aaaa:dead:cafe prefixlen 128
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
But sadly, gif0 did not come up - even tried rebooting, but still got the same error about missing required local address. Went back to the settings and tried to save, and same error.

Is there any way to stuff the gif0 script into /usr/local/etc/rc.syshook.d/start/ or something? I don't mind hacking this in a less-than-beautiful way as long as it works (I do have an ipsec tunnel that needs to come up, though - and currently, because gif0 doesn't come up, ipsec is forever idle, so if I do a manual hack, it would need to be in the boot process after ix0 comes up but before ipsec does).
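The boot hook described in #13 and asked about again here (wait for WAN, configure gif0, then restart strongswan) can be done as a self-contained script in /usr/local/etc/rc.syshook.d/start/ rather than by editing the shipped 10-newwanip. The script below is an added example, not code from this thread or from the OPNsense project: the file name 95-gif-tunnel, the interface names, the tunnel peer and the inside addresses (all from the 2001:db8::/32 documentation prefix) are assumptions, and the ifconfig output it parses offline is constructed, not a real capture. It polls for a global address on the WAN interface instead of sleeping a fixed 30 seconds, and derives the outer tunnel source from that address so the delegated prefix no longer has to be assumed stable.

```sh
#!/bin/sh
# Added example, not code from the thread or from the OPNsense project:
# a script for /usr/local/etc/rc.syshook.d/start/ (assumed name 95-gif-tunnel,
# must be root-owned and chmod 755) that waits for the WAN interface to get a
# global IPv6 address, builds gif0 on top of it, then restarts strongswan so
# the IPsec tunnel comes up over the GIF link. Interface names, peer and
# inside addresses below are assumptions using the 2001:db8::/32 prefix.

WAN_IF="${WAN_IF:-ix0}"                          # WAN NIC named in the thread
GIF_IF="${GIF_IF:-gif0}"
GIF_REMOTE="${GIF_REMOTE:-2001:db8:ffff::1}"     # assumed outer tunnel peer
GIF_LOCAL6="${GIF_LOCAL6:-2001:db8:1::2}"        # assumed inside address, ours
GIF_PEER6="${GIF_PEER6:-2001:db8:1::1}"          # assumed inside address, theirs
WAIT_MAX="${WAIT_MAX:-120}"                      # seconds to wait for the WAN GUA
CONFIGCTL=/usr/local/sbin/configctl              # OPNsense backend client

# extract_gua: read `ifconfig IF inet6` output on stdin and print the first
# inet6 address that is not link-local (fe80::). The %scope suffix only
# appears on link-local lines, so no further cleanup is needed.
extract_gua() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ { print $2; exit }'
}

# wait_for_gua IFACE MAXSECS: poll once a second until IFACE has a global
# address, print it and return 0; return 1 on timeout. This replaces the
# fixed 30 s sleep from the thread, which fails whenever WAN is slower.
wait_for_gua() {
    iface=$1; max=$2; n=0
    while [ "$n" -lt "$max" ]; do
        gua=$(ifconfig "$iface" inet6 2>/dev/null | extract_gua)
        if [ -n "$gua" ]; then
            printf '%s\n' "$gua"
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# configure_gif OUTER_SRC: (re)create the gif interface with the current WAN
# GUA as the outer source, so a changed delegated prefix no longer breaks
# the tunnel. ifconfig infers the outer address family from the addresses.
configure_gif() {
    outer_src=$1
    ifconfig "$GIF_IF" >/dev/null 2>&1 || ifconfig "$GIF_IF" create
    ifconfig "$GIF_IF" tunnel "$outer_src" "$GIF_REMOTE"
    ifconfig "$GIF_IF" inet6 "$GIF_LOCAL6" "$GIF_PEER6" prefixlen 128 up
}

main() {
    gua=$(wait_for_gua "$WAN_IF" "$WAIT_MAX") || {
        logger -t gif-hook "no global IPv6 address on $WAN_IF after ${WAIT_MAX}s, giving up"
        return 1
    }
    configure_gif "$gua"
    logger -t gif-hook "$GIF_IF: tunnel $gua -> $GIF_REMOTE up, restarting strongswan"
    "$CONFIGCTL" service restart strongswan
}

# Constructed sample of `ifconfig ix0 inet6` output (not a real capture) so
# the parser can be exercised on a machine that is not the firewall.
SAMPLE_IFCONFIG='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1460
        inet6 fe80::9e69:b4ff:fe63:6437%ix0 prefixlen 64 scopeid 0x2
        inet6 2001:db8:4242:1::dead:cafe prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'
SAMPLE_LINKLOCAL_ONLY='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1460
        inet6 fe80::9e69:b4ff:fe63:6437%ix0 prefixlen 64 scopeid 0x2'

sample_gua()            { printf '%s\n' "$SAMPLE_IFCONFIG" | extract_gua; }
sample_linklocal_only() { printf '%s\n' "$SAMPLE_LINKLOCAL_ONLY" | extract_gua; }

# Only touch interfaces when running on an OPNsense box (configctl present).
if [ -x "$CONFIGCTL" ]; then
    main
fi
```

Two practical points. Because the strongswan restart is inside the same script, the separate 93 script from the thread is no longer needed; the 95 prefix just makes it sort after the shipped 10-newwanip. A package update replaces files it installed (which is why the edit to 10-newwanip vanished) but does not touch a file it did not ship, so a separately named hook is the place for this. Security-wise, remember that GIF itself is neither authenticated nor encrypted: the fixed GIF_REMOTE only decides where packets are sent, and it is the IPsec tunnel on top that protects the traffic, so the strongswan restart is not optional.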
#15
Sadly, you're quite right - nobody really knows how things are done in Japan (believe me, not just ISPs :D). My /56 never changes - I'm sure it's "dynamic" but it's quite sticky. I don't mind assigning an IP manually even if I have to put a PostIt note to "in case of outage, check subnet" - but is it a question of just setting to static IP from the same /56, or assigning a fake one, or what should I try?