Messages - Kets_One

#1
Hardware and Performance / Re: High CPU-load
June 10, 2025, 05:31:40 PM
@thomasE

Great that you finally got to the bottom of this.
Did you return the dec4280 to Deciso or did you find a job it can handle?
#3
Hi, just wanted to share that I am having issues establishing IPsec connections with GlobalProtect hosts under 25.1.7_4.
This appears to be very similar to an earlier problem in early March with 25.1.1 and 25.1.2, which was fixed in 25.1.2_nd and 25.1.3.
If I can recall correctly, the problem was due to OPNsense fragmenting packets, resulting in the hosts not accepting the connection.

If I use a snapshot to revert back to 25.1.6 the issue goes away.
Under 25.1.7_4 I can ping these hosts fine, just not establish an IPsec connection.

Can someone please look into this?
#4
Hi,

I currently have a few local virtual IPv6 addresses created under 'interfaces', namely fd07::1/128 and fd08::1/128, that I use to serve NTP time to WAN users.
This is instead of forwarding the WAN NTP requests to my physical LAN NTP servers.

However, even though I have put NAT and FW rules in place to route this traffic to these addresses, as well as updated the chrony config, I still need to include ::/0 as client address range in the chrony config to get them to work. What am I missing here?
#5
I can confirm upgrade works flawlessly
#6
Great!
Indeed "Track Interface" is also required.
Only then IPv6 address is assigned to LAN interface.
#7
If you could do a few checks, don't think they matter much:
- Interfaces -> I have created separate interfaces for VLAN and Physical to be able to correctly set the MTUs for both. Physical WAN MTU = 1512, VLAN MTU = 1508, PPPoE WAN = 1508
- Interfaces -> I have "Send Prefix Hint" as "enabled"

Looking in Interfaces -> Overview I also see a few interfaces working (green plug sign): Physical WAN and LAN. I see that the Physical WAN interface does not receive an IPv6 address, this is assigned to the LAN interface...
#8
Hi Rene,

I'm also on KPN FttH and 25.1.5_5 and running well.
I'll take a look at my config and hopefully provide you with some ideas.

#9
Just updated the BIOS on my dec3840 to latest.
Appears to be working so far.
Thanks!
#10
Thanks!
Will DEC800, DEC3800 & DEC4000 series also get an update soon?
Last update was mid-2024...

Current BIOS of dec3860 (with EPYC Embedded 3101) only seems to support C2 as highest C-state as per sysctl.
Would like to have C3 enabled if possible to further lower power consumption.
Can this be enabled by an updated bios?
#11
My issues were solved by either using kernel 25.1.2-nd or 25.1.3
#12
This was solved by either using kernel 25.1.2-nd or 25.1.3.
#13
Hi all.
@meyergru I see that kernel 25.1.3 is out.
Can you please confirm that this kernel contains all the fixes/changes that were part of 25.1.2-nd ?
#14
Please let me clarify my earlier statements.
When running 25.1.1/25.1.2 versions I do not immediately lose connection with GlobalProtect, but connecting gets MUCH harder. Takes a long time to connect and when it does it connects to Beijing, China... After the SSL tunnel establishes, this is a very slow (unworkable) connection. I guess due to the distance/delays.

Ok, so next step is to try 25.1.x-nd as well as the MTU 1508 bytes pppoe connection setting.
Update: I've installed 25.1.2-nd and I'm testing it. Looks good so far with easy GP connections to local GP gateways.
#15
@meyergru
Did some further testing under 25.1 and 25.1.2.
As said previously, major issues with GlobalProtect under 25.1.1/25.1.2, but no issues at all under 25.1.

- ifconfig from OPNsense CLI: shows exactly the same output for both 25.1 and 25.1.1/25.1.2. No change in MTU values reported. Please see dump below for reference.
- ping to quad9 servers from non-GlobalProtect laptop maxes out at 1472 (as expected), which translates to an MTU of 1500 on pppoe. Same for both versions.
- ping to quad9 servers from GlobalProtect laptop maxes out at 1372, which translates to an MTU of 1400 set for the SSL tunnel. Same for both versions.

So, I guess back to square one. No discernible differences in settings/attained MTU for all interfaces for both software versions.
Only thing it could be is that these set values are treated differently between 25.1 and 25.1.2 and settings need to be changed.

You mentioned earlier: "Does your ifconfig show the correct sizes (after a reboot) - i.e. my values, not asychevs? I mean 1508 bytes on pppoe0."
As you can see below, ifconfig reports my MTU on the pppoe (WAN) connection to be 1500 bytes. Should I increase this to 1508?

Unfortunately I cannot try to lower the SSL tunnel MTU on the GlobalProtect laptop since this requires admin privileges (which I don't have).
Any other ideas on what can bring improvement?
Are below ifconfig settings correct?

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether f4:90:ea:00:84:0e
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::f690:eaff:fe00:840e%igb0 prefixlen 64 scopeid 0x1
        inet6 [redacted] prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1512
        description: Phys_WAN (opt1)
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether f4:90:ea:00:84:0f
        inet6 fe80::f690:eaff:fe00:840f%igb1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync

pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33152
        options=0
        groups: pflog

igb1_vlan6: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1508
        description: vlan (opt2)
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
        ether f4:90:ea:00:84:0f
        inet6 fe80::f690:eaff:fe00:840f%igb1_vlan6 prefixlen 64 scopeid 0xb
        groups: vlan
        vlan: 6 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN_pppoe (wan)
        options=0
        inet [redacted] --> 195.190.228.6 netmask 0xffffffff
        inet6 [redacted]%pppoe0 prefixlen 64 scopeid 0xc
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>