Messages - bugleboy

#1
Still struggling with this. I know I could use 'This Firewall' for my Local Route DNS rules, but I did it manually for my own sanity. Any insight would be great!
#2
25.1, 25.4 Series / Possible policy routing issue?
August 22, 2025, 04:22:26 PM
I am setting up an HA Multi-WAN config, and I'm running into an issue where I cannot access the internet from my WAN1 (WAN2 works fine). I noticed that pings are working if I do a ping test on the firewall over the WAN interface, but not when I do the same thing using the WAN VIP (no matter which IP address I'm using for the VIP). I suspect that this is some sort of routing issue, though that doesn't really explain why WAN2 works with the same LAN rules applied. I've attached an image of all of my LAN rules. At the very least, I'm hoping to eliminate this as a potential issue.

I have default GW switching on, and disable reply-to is checked as well. In the screenshot, .16.252 is my physical LAN addr, and .16.251 is my VIP LAN addr.

Any help would be appreciated!
#3
It seems like it was something like that. I switched to having the VIP's MAC be used by my physical WAN interfaces, and things are working somewhat smoothly right now. I am seeing intermittent 8-11% packet loss on each firewall's WAN GW, though. I'm assuming this is because of my switches having to relearn paths and such. I called my ISP and they said they don't block anything like that and others with my use case have encountered no issues. My second ISP on WAN2 has had no issues dealing with this, though.
#4
25.1, 25.4 Series / Issue with Virtual IPs and NAT
July 07, 2025, 04:04:07 PM
I'm currently setting up a firewall pair with HA and Multi-WAN configurations using the OPNsense documentation. I'm having an issue on both firewalls with one WAN interface. (I've disabled any HA and shut off the 2nd firewall for the time being, so this is essentially a typical multi-WAN setup ATM.) When an outgoing NAT rule is set to use WAN1's VIP, I cannot connect to/ping anything. A packet analysis shows that the packets are going out through the firewall, but never receiving a response. My gateway/firewall can still successfully ping out, though.

I thought it was an issue with my NAT rule, but it's set up the same as my WAN2 rule which functions properly. I have "Automatic outbound NAT for Reflection" checked, and am using sticky connections to help rule out any issues with my ISP. I also confirmed that both addresses given to me from my ISP work fine, just not when they're set to be used as the VIP/Outgoing NAT. I have floating firewall rules to allow CARP on all interfaces, and I haven't found anything different between my WAN1 and WAN2 configurations yet.

Any help would be appreciated.
#5
25.1, 25.4 Series / Re: Unbound DNS not resolving
July 07, 2025, 03:49:28 PM
Sorry for the late reply. The issue ended up being that I didn't apply the DNS allow rule before the default LAN rule. That's why all of my DNS traffic was being sent strangely; it defaulted to using the LAN rule and sent the traffic through the gateway group I had set up.
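The cause described in this post is the first-match ordering of pass rules combined with policy routing: a catch-all LAN rule that carries a gateway group captures DNS queries addressed to the firewall itself and pushes them out a WAN, unless a more specific rule without a gateway sits above it. The following is an added model of that evaluation order, written for this page and not code from bugleboy or from OPNsense; the addresses, rule names and the gateway group name WAN_GROUP are constructed placeholders, and the model assumes quick (first-match) rules, which is the OPNsense default.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed firewall LAN address for the model; not taken from the forum post.
FIREWALL_LAN_IP = "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One pass rule evaluated OPNsense style: the first matching quick rule wins."""
    name: str
    proto: Optional[str] = None      # None matches any protocol
    dst: Optional[str] = None        # None matches any destination
    dport: Optional[int] = None      # None matches any destination port
    gateway: Optional[str] = None    # None = use the system routing table

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def next_hop(rules: List[Rule], pkt: Packet,
             firewall_ips=(FIREWALL_LAN_IP,)) -> str:
    """Where a packet entering on LAN ends up.

    Returns 'local' (delivered to the firewall, e.g. Unbound), the gateway
    name when a policy-routing rule matched, 'system-route' (normal routing
    table lookup) or 'blocked' (implicit default deny).
    """
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.gateway is not None:
            # Policy routing: the rule's gateway is applied even when the
            # destination is one of the firewall's own addresses, which is
            # why DNS to the firewall leaves via the gateway group.
            return rule.gateway
        # No gateway on the rule: ordinary routing-table behaviour.
        return "local" if pkt.dst in firewall_ips else "system-route"
    return "blocked"


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the rule that would be applied, for log-style inspection."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


# Constructed rules mirroring the post: a specific DNS allow and a catch-all
# LAN rule that routes through a gateway group.
DNS_ALLOW = Rule("allow DNS to firewall", proto="udp", dst=FIREWALL_LAN_IP, dport=53)
DEFAULT_LAN = Rule("default LAN allow via gateway group", gateway="WAN_GROUP")

# Constructed sample traffic from a LAN client.
DNS_QUERY = Packet(src="192.0.2.50", dst=FIREWALL_LAN_IP, proto="udp", dport=53)
WEB_REQUEST = Packet(src="192.0.2.50", dst="198.51.100.10", proto="tcp", dport=443)


def broken_order() -> List[Rule]:
    """DNS allow placed below the catch-all: the catch-all wins for everything."""
    return [DEFAULT_LAN, DNS_ALLOW]


def fixed_order() -> List[Rule]:
    """DNS allow placed above the catch-all, as the post's fix describes."""
    return [DNS_ALLOW, DEFAULT_LAN]


if __name__ == "__main__":
    for label, rules in (("broken", broken_order()), ("fixed", fixed_order())):
        print(f"{label}: DNS -> {next_hop(rules, DNS_QUERY)} "
              f"(rule: {first_match(rules, DNS_QUERY)}); "
              f"web -> {next_hop(rules, WEB_REQUEST)}")
```

Run as a script to see the two orderings side by side; ordinary internet traffic goes out WAN_GROUP in both cases, while DNS to the firewall only reaches the local resolver once the specific rule is evaluated first.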
#6
25.1, 25.4 Series / Unbound DNS not resolving
June 30, 2025, 08:38:18 PM
I recently began having issues with Unbound, seemingly out of nowhere. I'm on the latest version of OPNsense. I reloaded a config which I had Unbound working on, to no avail. I have a bare-bones Unbound config, and have kept nothing in the advanced tab enabled while I'm troubleshooting. This is not too far off from my usual working config, as Unbound essentially serves as a forwarder for me. If I switch a client's DNS servers to 8.8.8.8, 8.8.4.4, DNS works fine. Logs reveal nothing useful; I've also tried following this Unbound config without any results. I've reinstalled Unbound a few times as well to hopefully clear any corrupt files.

EDIT: After looking over a packet capture on one of my WAN Interfaces, I can see that the firewall is forwarding traffic back to itself. The WAN interface gets the query, and sends it back to the LAN interface IP. No packets show any forwarding to 8.8.8.8 or 8.8.4.4 which I have Unbound set to forward traffic to.

Any help would be appreciated.

#7
I'm having this same issue when configuring a second WAN for the first time. When I pull the second WAN connection, it fails over to the second firewall (typically all interfaces will fail over, but several times I've seen this not to be the case, and only the downed interface will transfer). Regardless of who is master of the second WAN after failover, a client on the LAN stops being able to ping a client on the WAN until I do a tracert between the clients, which will succeed, and then I am able to ping again. All of my VIPs are unique and assigned to the same interfaces; my advskew is set correctly as well. It seems like some sort of gateway/routing issue to me? I have no static routes configured on either firewall. I have the gateways configured so that WAN1 GW is the default (I've been testing the 2nd WAN HA with the first WAN uninitialized, so this gateway shouldn't be used at all during this scenario). I've tried setting up gateway groups, changing priorities, etc., but I can't seem to find something that works.
#8
> I have read a lot on the previous issues that have popped up with this controller since it was baked into FreeBSD, and I have been researching kernel tunables to try and increase throughput. I have noticed in my pursuit that it seems like OPNsense is not loading the igc driver. When I run kldstat, I am not seeing a module loaded for the card, but somehow the card is still identified:
>
> When I run 'pciconf -a igc0', it only shows that it is attached and no driver information. Am I missing something here? I know that the FreeBSD man page for igc(4) says that the driver was not implemented until 14.0, but how is this card working under the FreeBSD 13.2 base? The reason I am asking about this is that I found a driver pack that references the I225-V card that was updated on 12/23/2023 here (https://www.intel.com/content/www/us/en/download/15084/intel-ethernet-adapter-complete-driver-pack.html) and was wondering if maybe this could be helpful to alleviate the rampant issues with this controller. The other reason I am curious is because I found this paper, "Tuning FreeBSD for routing and firewalling" (https://papers.freebsd.org/2018/asiabsdcon/cochard-tuning_freebsd_for_routing_and_firewalling.files/cochard-tuning_freebsd_for_routing_and_firewalling-paper.pdf), referenced in another post under this forum, and it makes mention of setting the receive process limit to unlimited on Intel controllers; however, 'sysctl -a | grep rx_process_limit' only returns an oid of "hw.vtnet.rx_process_limit: 1024".
> Am I missing something on this whole thing?

I'm having this exact issue. Did you ever find a fix to this?