Messages

Sorry I meant MTU on WAN is set to 1500

On LAN it's default/blank

"The IPv6 MTU should be much loser, often 1280."
Are you saying there is a seperate value for ipv6 vs ipv4? - I only see one opportunity to enter MTU on each interface and it's under general.

Re test sites:
https://test-ipv6.com - 10/10
https://ip6.biz - All green with the exception of reverse dns - which is not relevant

Disabling ipv6 on the client-side does appear to fix the issue yes.

How would I know if UDP is impaired? On the blocked side - shouldn't be anything and there are no logs to suggest any traffic to these addresses is being blocked.

MTU-wise not sure how I diagnose that - it's set to 1500 and if I send a payload over that it appears to fragment correctly.

Ever since enabling dual stack on my network, I am encountering an infuriating problem where intermittently web pages will fail to load. This is particularly bad on YouTube - where every other video I click on I get Youtube's 'you are offline message'. When I look in the browser console - I simply see the message "the network connection was lost". Not sure what this means specifically, but I am fairly certain my connection is not dropping; this seems to be isolated to browsers only and continually pinging an address when this occurs results in no packet loss.

I really really tried to figure out what was going on with this - I ran a packet dump and filtered that down to the time/google's ip ranges. What I am able to observe is that for HTTP/3 traffic to google's servers at the time of the issues occurring - there are numerous tcp retransmissions. I am going to be the first to say that I am out of my depth on this one - something I had read suggested that this type of issue might be caused by MTU issues and retransmissions are a tell tale sign of this, but in the same sentence I read that under 1% of traffic in this state is normal?

Please help - I'm completely lost on this one and the problem is so infuriating.

Had my first proper go with IPv6, and I've got to say I'm not a fan. As you suggested, I skipped DNS entries - aside from my DNS server, for which I assigned a ULA to give it a static address for advertisement.

What I've discovered is that if you're relying on dynamic prefix delegation, you're essentially stuck when it comes to static addressing. Even ULAs seem to be deprioritised in favour of IPv4 by most operating systems.

It does make you wonder—why do ISPs issue dynamic prefixes when one of the main selling points of IPv6 is having enough address space to eliminate the need for NAT?

After much pain I have finally managed to get ipv6 working in OPNSense and I am now looking to get DNS working properly.

Currently I am creating overrides and aliases to take care of my internal services and this is very much geared towards ipv4 at the moment. My question is what is best practice here for dual stack?

It seems that a constraint of the GUI is that a single host override can either be of type A or AAAA and that a single alias can only point to a single host override.

Should I be duplicating my host override and then duplicating every alias to point to it? Something about that doesn't seem right to me as there will be a tonne of duplication.

I updated OPNSense to 24.7.11_2 last week and ever since WAN is dropping out about the same time every day, it will reconnect but it will end up on a cycle of drop and reconnect until I reboot the firewall.

Looking at the logs I think that OPNsense is trying to force a renewal of the WAN address:

Code Select Expand

2024-12-21T20:56:55 Notice opnsense /usr/local/etc/rc.newwanip: IP renewal starting (new: X.X.X.109, old: X.X.X.109, interface: wan, device: pppoe0, force: yes)
2024-12-21T20:56:55 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2024-12-21T20:56:55 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2024-12-21T20:55:57 Notice opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for interface wan

I'm connected to my ISP over PPoE so should not be trying to do a forced renew.

Any ideas?

Turned out to be a Phillips Hue bridge which runs an UPNP server (for reasons?) - it would seem if the firewall comes up after the bridge is powered on these issues occur, but if the firewall comes up before it seems to be stable.

Did a fresh install of OPNSense on a new box yesterday and have been grappling with UPNP. I have it working, but it only works for a couple of minutes before not responding. I can restart the miniupnpd service and it will start responding again, but will ultimately stop responding.

Here's my config:

Code Select Expand

ext_ifname=pppoe0
port=2189
listening_ip=bridge0
ext_perform_stun=yes
ext_stun_host=stun.l.google.com
ext_stun_port=19302
secure_mode=yes
packet_log=yes
system_uptime=yes
presentation_url=https://10.210.1.1/
uuid=528c8e6c-4a3c-6598-999a-0e9df15ad32
serial=528C8E6C
model_number=24.7.9_1
allow 88-65535 10.210.1.230/32 88-65535
allow 88-65535 10.210.1.231/32 88-65535
allow 88-65535 10.210.1.48/32 88-65535
allow 88-65535 10.210.1.66/32 88-65535
deny 0-65535 0.0.0.0/0 0-65535
enable_upnp=yes
enable_pcp_pmp=yes
clean_ruleset_interval=600
min_lifetime=120
max_lifetime=86400

After a couple of minutes of miniupnpd being active:

Code Select Expand

dominic@Dominics-MacBook-Pro ~ % upnpc -s             
upnpc: miniupnpc library test client, version 2.2.8.
(c) 2005-2024 Thomas Bernard.
More information at https://miniupnp.tuxfamily.org/ or http://miniupnp.free.fr/

List of UPNP devices found on the network :
desc: http://10.210.1.20:80/description.xml
st: urn:schemas-upnp-org:device:basic:1

desc: http://10.210.1.20:80/description.xml
st: uuid:2f402f80-da50-11e1-9b23-ecb5fa24d6cf

desc: http://10.210.1.20:80/description.xml
st: upnp:rootdevice

UPnP device found. Is it an IGD ? : http://10.210.1.20:80/
No valid UPNP Internet Gateway Device found.

After a restart of the service:

Code Select Expand

dominic@Dominics-MacBook-Pro ~ % upnpc -s
upnpc: miniupnpc library test client, version 2.2.8.
(c) 2005-2024 Thomas Bernard.
More information at https://miniupnp.tuxfamily.org/ or http://miniupnp.free.fr/

List of UPNP devices found on the network :
desc: http://10.210.1.20:80/description.xml
st: urn:schemas-upnp-org:device:basic:1

desc: http://10.210.1.20:80/description.xml
st: uuid:2f402f80-da50-11e1-9b23-ecb5fa24d6cf

desc: http://10.210.1.20:80/description.xml
st: upnp:rootdevice

desc: http://10.210.1.1:2189/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://10.210.1.1:2189/ctl/IPConn
Local LAN ip address : 10.210.1.231
Connection Type : IP_Routed
Status : Connected, uptime=3211s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec  1 22:35:43 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = REDACTED
Bytes:   Sent:  8211684 Recv: 167733177
Packets: Sent:    45845 Recv:   139374

I'm not seeing any blocks in the logs, in fact I only see upnp requests prior to the service not responding. I am not sure what could be happening here. Looks like other people may be experiencing the same (not many): https://redmine.pfsense.org/issues/15732

Help please  :)