Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - deadman

Pages1
#1
24.7, 24.10 Production Series / Re: Multi-WAN NPTv6 seems to be dropping incoming packets after 24.1->24.7 upgrade
December 05, 2024, 08:07:15 PM
I realized I had to use an older kernel ( 14.1-RELEASE-p3 FreeBSD 14.1-RELEASE-p3 stable/24.7-n267778-bb2c86773c1b SMP amd64) for OPNsense to be able to boot up, otherwise the entire machine, including the parent ESXi hypervisor loses networking.

I chose to stick with the older kernel for now since I can't think of a way to debug the kernel version issue (no way to look into the machine since ESXi loses all network connectivity)

Could this be somewhat related?

Edit: I updated to 24.7.10 with kernel 24.7-n267981-8375762712f and things boot up fine. However clients are still unable to use v6 but the router itself is able to.
#2
24.7, 24.10 Production Series / Multi-WAN NPTv6 seems to be dropping incoming packets after 24.1->24.7 upgrade
December 01, 2024, 08:12:13 PM
I have a V6 Multi-WAN setup that was working fine on 24.1 but stopped working when I recently upgraded to 24.7.

Technically there is only one WAN, but I was running IPv6 via the HE.net tunnel before my ISP started supporting v6 using 6rd. To minimize any network address changes, I set up NPTv6 to translate HE.net prefixes to my ISP's and configure a gateway group prioritizing my ISP's connection.

Code Select

WAN 6rd prefix: 2400:xxxx:xxxx:xxxx::/64
WAN HE.net prefix: 2001:yyyy:yyyy::/48

LAN prefix: 2001:yyyy:yyyy:zzzz::/64

NPTv6
Internal: 2001:yyyy:yyyy:zzzz::/64
External: 2400:xxxx:xxxx:xxxx::/64


After upgrading to 24.7, IPv6 works fine on OPNsense itself. I can ping both local and global IPv6 addresses no problem. Local machines can ping OPNsense and other local machines, but global addresses receive no reply.

I did a packet capture and I see the ping response reaching OPNsense via the WAN interface, but there is no response emitted from OPNsense (address translated or not) via LAN (or any interface for that matter).

Code Select

E.g. Pinging 2606:4700:4700::1111

Ping:
Local Machine (2001:yyyy:yyyy:zzzz::4) --(LAN)--> OPNsense (2001:yyyy:yyyy:zzzz::1)
OPNsense (2400:xxxx:xxxx:xxxx::4) --(WAN)--> Target (2606:4700:4700::1111)

Reply:
Target (2606:4700:4700::1111) --(WAN)--> OPNsense (2400:xxxx:xxxx:xxxx::4)
(Nothing thereafter)


I thought it might be a firewall rule, but searching through the firewall logs, nothing is blocked. So the packet has just... disappeared?

Can anyone point to where I should look into to figure out where the packet is dropped?

Pages1