Messages - Koldnitz

#1
I think you are doing it wrong.

Some links:

https://docs.ibracorp.io/opnsense

Seimus speaks sense:

https://forum.opnsense.org/index.php?topic=39046.0

As does Fenuxx (I'm an amateur):

https://forum.opnsense.org/index.php?topic=39046.15

White paper I bookmarked but don't totally understand:

https://datatracker.ietf.org/doc/html/rfc8290

I hope this helps.

Cheers,
#2
The ping command that pops up when you google how to find your WAN MTU is not very useful.

If anyone is wondering how to determine your MTU on OPNsense:

sudo ping -D -s 1472 1.1.1.1
"1472" is just right for me (and probably most people not on PPPoE ... but your mileage may vary; this is my hobby).

You need to adjust the number "1472" greater and/or less than that until you get:

sudo ping -D -s 1472 1.1.1.1
Password:
PING 1.1.1.1 (1.1.1.1): 1472 data bytes
1480 bytes from 1.1.1.1: icmp_seq=0 ttl=59 time=8.168 ms
1480 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=7.644 ms
1480 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=8.822 ms
1480 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=8.274 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.644/8.227/8.822/0.418 ms


For Example:

sudo ping -D -s 1473 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 1473 data bytes
ping: sendto: Message too long
ping: sendto: Message too long
ping: sendto: Message too long
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss


"1473" is too high.

Please also note:

sudo ping -D -s 1471 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 1471 data bytes
1479 bytes from 1.1.1.1: icmp_seq=0 ttl=59 time=11.158 ms
1479 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=14.895 ms
1479 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=8.327 ms
1479 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=11.253 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.327/11.408/14.895/2.331 ms


"1471" works but since "1472" works as well this is too low.

I hope this helps someone.

Cheers,
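The trial-and-error in the post above, as an added example that is not part of the original post: the script binary-searches the largest ICMP payload that still gets a reply with the Don't Fragment bit set, then adds the 8-byte ICMP echo header and the 20-byte IPv4 header to report the MTU (1472 + 28 = 1500). It assumes the BSD/macOS flag layout the post uses (`ping -D` for DF); on Linux the equivalent is `ping -M do -s SIZE -c 1 HOST`, so change `probe_with_ping` there. A local `sendto: Message too long` (your own interface MTU) and a Needs-Fragmentation ICMP error from a router along the path both count as a failed probe here; the script does not tell them apart.

```python
"""Path-MTU probe: binary-search the largest DF-flagged ICMP payload that gets a reply.

Added example, not code from the forum post. Assumes the BSD/macOS `ping -D` flag
layout shown in the post (on Linux use `ping -M do ...` instead).
"""
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo request header


def probe_with_ping(host: str, payload: int, timeout: float = 2.0) -> bool:
    """True if one DF-flagged echo of `payload` data bytes to `host` is answered."""
    # -D: set Don't Fragment (BSD/macOS); -c 1: one probe; -s: data bytes.
    cmd = ["ping", "-D", "-s", str(payload), "-c", "1", host]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 3)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    # "sendto: Message too long" and "frag needed" both give a non-zero exit status.
    return result.returncode == 0 and " bytes from " in result.stdout


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 9000) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Assumes monotonic behaviour: if size N passes, every smaller size passes too,
    which is what the post's manual 1471/1472/1473 search relies on.
    """
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed; check basic connectivity first")
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def payload_to_mtu(payload: int) -> int:
    """Convert the ICMP data size ping reports to the IPv4 MTU it implies."""
    return payload + ICMP_HEADER + IP_HEADER


def main(argv) -> None:
    host = argv[1] if len(argv) > 1 else "1.1.1.1"
    payload = find_max_payload(lambda n: probe_with_ping(host, n))
    print(f"largest DF payload to {host}: {payload} bytes -> MTU {payload_to_mtu(payload)}")


if __name__ == "__main__":
    main(sys.argv)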

#3
24.1, 24.4 Legacy Series / Re: DHCPv6 on WAN issue
February 14, 2024, 02:58:16 AM
Last summer I stumbled upon the following post:

https://forum.opnsense.org/index.php?topic=34190.0

I added the RFC6890 blackhole routes to System > Routes > Configuration and everything seemed to work fine.

This was on 23.1.X.

Fast forward to 23.7.X and 24.1.1 and the radix4_lockless errors were consistently spammed in my logs.

Once I disabled all these blackhole routes all the errors disappeared.

I hope this will help someone.

I plan to see if I can figure out which route is responsible and will update this post if / when I do.

Cheers,
#4
24.1, 24.4 Legacy Series / Re: DHCPv6 on WAN issue
February 11, 2024, 09:01:05 PM
I have one WAN, 2 OpenVPN connections in a group with failover and a wireguard connection.

There is only one default gateway (WAN) and the VPN connections are used based on IP address.

I did the rfc6890 configuration as well... I have 30 of these configured (2 disabled because they are configured by default).

I have 73 total routes .... from the System: Routes: Status page.

Cheers,
#5
24.1, 24.4 Legacy Series / Re: DHCPv6 on WAN issue
February 10, 2024, 08:49:27 PM
Although I am not initiating it with the dhclient command, it seemed similar (the radix4 errors anyways).

This is where it starts on boot and then continues ad infinitum:

<13>1 2024-02-10T13:30:10-06:00 dec850.semperubisububi.org opnsense 363 - [meta sequenceId="305"] /usr/local/etc/rc.bootup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(1))
<13>1 2024-02-10T13:30:10-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="306"] <118>Setting up routes...done.
<13>1 2024-02-10T13:30:10-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="307"] <118>Starting DHCPv4 service...
<13>1 2024-02-10T13:30:10-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="308"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=1
<13>1 2024-02-10T13:30:10-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="309"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:30:11-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="310"] <118>done.
..........................
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="195"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=30
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="196"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="197"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd: sync rebuild failed
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="198"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=31
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="199"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="200"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd: sync rebuild failed
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="201"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=32
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="202"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:32:21-06:00 dec850.don'tworryabouthiswebsite.org kernel - - [meta sequenceId="203"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd: sync rebuild failed


I am not trying to muddy the waters of lilsense's problem (if it is from something different then mine).

I was trying to figure this issue out again, this morning.

I saw his post and I thought it was similar to (though not the same) the problem I was having.

If these radix_lockless errors are something else, I apologize.

lilsense is the only other person who has posted about errors similar to what I have been getting since 23.7, on these forums.

Cheers,
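A small triage script for the kernel lines quoted in this post and in the poster's later follow-ups, added here as an example and not part of the original thread. It parses the RFC 5424-style lines OPNsense writes, keeps only the `[fib_algo]` events, pulls the `failures=N` counter out of the `setup_fd_instance` messages and reports whether the counter keeps climbing (persistent rebuild failures, as the poster saw after adding many blackhole routes) or stops after boot. The sample log is constructed from the lines in the post with the hostname replaced; feed it a real `/var/log/system/latest.log` on the command line instead.

```python
"""Triage [fib_algo] radix4_lockless messages from an OPNsense system log.

Added example, not from the forum post. The sample lines are modelled on the
post with the hostname replaced by router.example.org.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# <PRI>1 TIMESTAMP HOST kernel - - [meta sequenceId="N"] [fib_algo] FIB (ALGO) FUNC: MESSAGE
LINE_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) kernel - - \[meta sequenceId="(?P<seq>\d+)"\] '
    r'\[fib_algo\] (?P<fib>\S+) (?:\((?P<algo>[^)]+)\) )?(?P<func>\w+): (?P<msg>.*)$'
)
FAILURES_RE = re.compile(r"failures=(?P<n>\d+)")


@dataclass
class FibEvent:
    ts: datetime
    fib: str            # e.g. inet.0
    func: str           # setup_fd_instance / rebuild_fd_flm / rebuild_fd
    failures: Optional[int]  # only present on setup_fd_instance lines


def parse_fib_events(lines: Iterable[str]) -> List[FibEvent]:
    """Keep only [fib_algo] kernel lines; everything else (rc.bootup, <118>done.) is skipped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        n = FAILURES_RE.search(m["msg"])
        events.append(FibEvent(datetime.fromisoformat(m["ts"]), m["fib"], m["func"],
                               int(n["n"]) if n else None))
    return events


def summarize(events: List[FibEvent]) -> dict:
    """Counts per function plus the first/last failure counter and whether it keeps rising."""
    counters = [e.failures for e in events if e.failures is not None]
    window = (events[-1].ts - events[0].ts).total_seconds() if events else 0.0
    return {
        "events": len(events),
        "by_func": dict(Counter(e.func for e in events)),
        "first_failures": counters[0] if counters else None,
        "last_failures": counters[-1] if counters else None,
        # A strictly rising counter means the kernel never got a working lockless table.
        "climbing": len(counters) > 1 and all(b > a for a, b in zip(counters, counters[1:])),
        "window_seconds": window,
    }


# Constructed sample, modelled on the post (hostname replaced).
SAMPLE_LOG = """\
<13>1 2024-02-10T13:30:10-06:00 router.example.org kernel - - [meta sequenceId="308"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=1
<13>1 2024-02-10T13:30:10-06:00 router.example.org kernel - - [meta sequenceId="309"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:30:11-06:00 router.example.org kernel - - [meta sequenceId="310"] <118>done.
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="195"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=30
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="196"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="197"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd: sync rebuild failed
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="198"] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=31
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="199"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd_flm: table rebuild failed
<13>1 2024-02-10T13:32:21-06:00 router.example.org kernel - - [meta sequenceId="200"] [fib_algo] inet.0 (radix4_lockless#55) rebuild_fd: sync rebuild failed
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for key, value in summarize(parse_fib_events(lines)).items():
        print(f"{key}: {value}")
```

Because the script keys on the `failures=` counter rather than on message text alone, it distinguishes a handful of lines at boot (counter stays at 1 or 2) from the steady climb the poster describes, which is the case worth tying back to a recent routing-table change.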
#6
24.1, 24.4 Legacy Series / Re: DHCPv6 on WAN issue
February 10, 2024, 06:57:19 PM
I don't use suricata or zenarmor.

I have both vlans and DHCPv6 setup (working).

This has been happening since 23.7.

Everything "seems" to work ... except openvpn; on reboot I have to run "sudo ps auxww | grep openvpn" and then kill my openvpn connections. They spam on reboot until exhausting all the connections my provider offers; this is due to DHCPv6 (turn off DHCPv6 and it stops happening). I then have to restart them manually and then apply the gateway configuration to get the monitors to work ... but my logs are constantly spammed.

I was wondering if there is a fix for the radix4_lockless issue as well, but there have consistently been no responses, and google doesn't pull very much up.

I figure this must be an edge case.

Cheers,
#7
I have confirmed mine is working with an AirVPN WireGuard server.

I had some rules out of order and my outbound rule was disabled .... but once I fixed everything it is working and there are no DNS leaks.

I think you are going to have to triple check your config / make sure you didn't skip a step of the guide somewhere.

Cheers,
#8
You are not following the gateway IP set up that the Opnsense guide suggests in step 2 or the monitor IP in step 6?

Sorry man, I have work soon so I was skimming the pictures; apologies if you did.

You definitely rebooted the router?
#9
That guide didn't work for me; I spent the better part of a Saturday / Sunday messing with it.

I had better luck with this one (just use AirVPN's information from the config you generate):

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

That being said, I have been connected for over a week, but I haven't really set a computer on the IP that is supposed to be routed to test it (I have had a solid handshake for a little over a week, but it randomly craps out and then comes back up).

Just getting the connection to work (having a handshake) took me forever, and I want to have a decent amount of time (i.e. another weekend) to spend if it isn't routing correctly.

Cheers,

Edit: Also, I have had it fix itself (connect and resume handshaking) upon router reboot. If you follow the guide and it isn't working, try that before ripping your hair out (someone on these forums recommended it and it worked for me as it did for them... I have no idea why though).
#10
Apologies.

I was working under the assumption you had set adguard up using unbound as a dns cache and to send all the dns queries per:

https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

or

https://forum.opnsense.org/index.php?topic=22162.msg183543#msg183543.

If you are only using adguard home (unbound is disabled) what I was saying is utter gibberish.

Cheers,
#11
So you have one machine with multiple ports and you want to use placeholder.example.com to direct to a specific port of multiple ports on the machine?

Haproxy and nginx would do the same thing in this instance.

I think you need to set up nginx to listen on port 80 on your router, then make virtual servers for each service.

You will need to use unbound to point to www.yourdomain.com at the router ip port 80 via a dns entry.

Then each service will be able to be differentiated by service1.yourdomain.com, service2.yourdomain.com ... etc.

You will need to figure out how to go about setting up the server definitions on nginx (I use nginx on Debian and they do it differently than other implementations).

It should look something like this (the location block has to sit inside the server block it belongs to, and a server block that does "return 404" never reaches its location, so the catch-all and the proxied service are two separate server blocks):


# Catch-all: a request for a name you haven't defined gets a 404
# instead of silently landing on the first virtual server.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 404;
}

# One server block per service; nginx picks it by the Host header (server_name).
server {
        listen 80;
        listen [::]:80;
        server_name service.yourdomain.com;

        location / {
                proxy_pass http://192.168.1.123:345;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}


The server_name is what will tell nginx what location / proxy pass to use.

The trick is with a reverse proxy it usually listens externally (internet facing) to port 80 and port 443 and then depending on the request FQDN directs traffic to whatever machine port.

Google reverse proxy for internal network, there are examples.

I actually have mine set up to come from the internet and then used split-dns to access everything inside the network....so your mileage may vary.

I hope this is helpful I am no expert, just use google to figure stuff out.

Cheers,
#12
I don't think you need nginx for what you want.

You should be able to do it with unbound alone.

If you want to have https, then you use a reverse proxy with something like lets encrypt (you can manage everything from one spot).

I recommend experimenting with just unbound at first.

Cheers,
#13
kamiewtype,

I set up nginx on a Linux server with internet-facing services.

I have set it up so that I use the services from inside my network by following the guide (no need to go through internet everything stays inside my lan if it originates from inside lan).

https://homenetworkguy.com/how-to/configure-split-dns-opnsense-using-unbound/

I think you should be able to use it as well.

Cheers,
#14
23.7 Legacy Series / Re: reset tunables from cli
November 21, 2023, 12:44:41 PM
Franco, iMx

I used araxis merge to combine my configs.

I did notice some of the formatting was a little janky in places (and at a high level I knew this might affect the XML), but for the most part everything seems to work.

I will check with pluginctl, but I am pretty sure it is just as you say, Franco.

Are there any tools that I could run the file through to check the formatting?

I still have all my backups worst case I mess with Araxis Merge and see about keeping source formatting / manually edit like iMx recommends.

Thanks for the help,
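For the question above about checking a merged config.xml, here is an added example (not from the thread and not an OPNsense tool). It does two things: confirms the file is well-formed XML, and lists any element that carries the same leaf tag twice under one parent. The second check matters because the PHP loader that turns config.xml into an array represents a repeated tag as an array rather than a string; that a doubled `<descr>` under a tunable `<item>` is what produced the `gettext(): Argument #1 ($message) must be of type string, array given` error in the next post is my assumption, not something the thread confirms. The allowlist of tags that legitimately repeat is also an assumption and is deliberately short; the sample config is constructed for the example. For the well-formedness part alone, `xmllint --noout /conf/config.xml` on the firewall does the same job.

```python
"""Check a merged OPNsense config.xml for well-formedness and doubled leaf tags.

Added example, not an OPNsense tool. REPEATABLE_LEAVES and the sample config are
assumptions constructed for the example.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Tuple

# Leaf tags that legitimately appear more than once under one parent (assumption;
# extend it for your own config). Container tags such as <item> or <rule> repeat
# freely and are never flagged because they have children.
REPEATABLE_LEAVES = {"member", "priv", "tag"}

Finding = Tuple[str, str, int]  # (path of parent, repeated tag, count)


def find_repeated_leaves(elem: ET.Element, here: str,
                         repeatable=REPEATABLE_LEAVES) -> List[Finding]:
    """Walk the tree; report parents with a non-repeatable leaf tag appearing twice or more."""
    findings: List[Finding] = []
    leaf_counts = Counter(child.tag for child in elem if len(child) == 0)
    for tag, n in sorted(leaf_counts.items()):
        if n > 1 and tag not in repeatable:
            findings.append((here, tag, n))

    # Label repeated containers with a 1-based index so the path points at one element.
    sibling_counts = Counter(child.tag for child in elem)
    seen: Counter = Counter()
    for child in elem:
        seen[child.tag] += 1
        if len(child) == 0:
            continue
        suffix = f"[{seen[child.tag]}]" if sibling_counts[child.tag] > 1 else ""
        findings.extend(find_repeated_leaves(child, f"{here}/{child.tag}{suffix}", repeatable))
    return findings


def check_config(xml_text: str) -> dict:
    """Return {'well_formed': bool, 'error': str|None, 'repeated': [findings]}."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"well_formed": False, "error": str(exc), "repeated": []}
    return {"well_formed": True, "error": None,
            "repeated": find_repeated_leaves(root, root.tag)}


# Constructed sample: the second tunable carries <descr> twice, the kind of artifact
# a text merge of two config.xml files can leave behind.
SAMPLE_CONFIG = """\
<opnsense>
  <sysctl>
    <item>
      <descr>Randomize the ID field in IP packets</descr>
      <tunable>net.inet.ip.random_id</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Maximum socket buffer size</descr>
      <descr>Maximum socket buffer size</descr>
      <tunable>kern.ipc.maxsockbuf</tunable>
      <value>default</value>
    </item>
  </sysctl>
</opnsense>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    result = check_config(text)
    if not result["well_formed"]:
        print(f"not well-formed: {result['error']}")
        sys.exit(1)
    for path, tag, n in result["repeated"]:
        print(f"{path}: <{tag}> appears {n} times")
    sys.exit(1 if result["repeated"] else 0)
```

Run it against a copy of the backup (`python3 check_config.py config-backup.xml`) before importing; a non-zero exit means either the file will not parse at all or there is a doubled tag worth looking at in the merge tool.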
#15
23.7 Legacy Series / reset tunables from cli
November 21, 2023, 01:22:24 AM
My router stopped working.

I woke up Friday and it was bricked.

I was able to plug in my old router and upgrade it / migrate a backup so as not to lose a year's worth of tweaks but some stuff is still acting weird.

I noticed I can't go into the tunables page.

I am getting this error:

Fatal error: Uncaught TypeError: gettext(): Argument #1 ($message) must be of type string, array given in /usr/local/www/system_advanced_sysctl.php:122 Stack trace: #0 /usr/local/www/system_advanced_sysctl.php(122): gettext(Array) #1 {main} thrown in /usr/local/www/system_advanced_sysctl.php on line 122

Is there any way to reset all tunables from the cli (I cannot see trash icon in gui)

Thanks in advance,