Topics - securid

#1
Recently DHCP hosts stopped being registered in Unbound. I first noticed it last week after the previous update or the one before that (I am on OPNsense 24.7.9_1-amd64 and have not yet updated to the latest fixes).

I found this thread:
https://forum.opnsense.org/index.php?topic=41376.msg204431#msg204431

Where my issue differs is that I don't find the log messages in unbound he talks about. I increased logging to level 5 and I still could not find that message, nor the hostname or ip address in question.

Last week I had the issue with two MacBooks; figuring it might be the recent macOS updates I received, I looked no further. This time it's a new host I installed, a standard Lenovo laptop with Arch Linux. I forced a renew several times and while it keeps getting an IP address, I see no DNS registration.

To verify, I ssh into OPNsense and use dig with the FQDN. This shows me SERVER: 127.0.0.1. While it can find static address reservations, regular DHCP addresses no longer seem to be picked up.

If someone can help me troubleshoot, it would be much appreciated.

Thanks!
#2
24.1, 24.4 Legacy Series / updates never finish
June 09, 2024, 04:45:54 PM
I have one install running in KVM (on Arch Linux if that matters) that has always updated fine, but the last time when I clicked to check it said waiting for another process to finish; a little bit later it started to update but it seemed really, really slow. Eventually all it did was just output dots and never finished. I kind of forgot about that and updated the Arch Linux server and rebooted. Luckily, OPNsense did come back up but it is still not updating properly. It still seems like it is really slow for some reason even though I don't think that's the root cause.

From the CLI it says this:

root@opnsense:~ # opnsense-update -c
root@opnsense:~ #
root@opnsense:~ # opnsense-update
Nothing to do.
root@opnsense:~ # opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.


But the GUI is still outputting dots ... it's working on something.


***GOT REQUEST TO UPDATE***
Currently running OPNsense 24.1.8 at Sun Jun  9 14:26:19 CEST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-24.1.8-amd64.txz: ...100 or more rows of dots ....
...


Any ideas? Do I need to run some checks to see whether something has been corrupted?

Thanks!
#3
I don't know if it happened after upgrading Site A or Site B. I should have checked before upgrading Site B but I forgot after chasing this wild goose for a few hours.

In any case, Site A has several peers in a "road warrior" setup. These work without a hitch. There is a peer for another OPNsense box (Site B) for a S2S which is down.

I have a backdoor via SSH and port forward, so I'm still able to access the OPNsense interface on Site B that way.

I checked firewall rules on both ends, no changes here.
I checked and verified public keys between instance B and its peer on A and vice versa. Pasted them to be sure and confirmed, restarted Wireguard. No change.

I can see one error in the logging on both ends and it has been there since forever. It still appears:

2024-02-03T15:34:17 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid interface gateway address: ''

I doubt that has anything to do with today's issues.

Tcpdump shows packets on both sites on their outside interfaces but the handshake never completes.

What else can I do? I see nothing in the logging, keys are correct, packets are flowing?
#4
I waited for the fixes on HAProxy with SNI to update. Seems like there's a solution, so I decided to back up and upgrade. The upgrade went fine, but OPNsense is so incredibly slow it's crazy.

I have a ping open and when I click to go to the Dashboard this happens:

64 bytes from 10.0.0.1: icmp_seq=548 ttl=64 time=331.020 ms
64 bytes from 10.0.0.1: icmp_seq=549 ttl=64 time=7.583 ms
64 bytes from 10.0.0.1: icmp_seq=550 ttl=64 time=54.139 ms
64 bytes from 10.0.0.1: icmp_seq=551 ttl=64 time=545.836 ms
64 bytes from 10.0.0.1: icmp_seq=552 ttl=64 time=459.255 ms
64 bytes from 10.0.0.1: icmp_seq=553 ttl=64 time=270.995 ms
64 bytes from 10.0.0.1: icmp_seq=554 ttl=64 time=61.969 ms
64 bytes from 10.0.0.1: icmp_seq=555 ttl=64 time=17.350 ms
64 bytes from 10.0.0.1: icmp_seq=556 ttl=64 time=35.384 ms
64 bytes from 10.0.0.1: icmp_seq=557 ttl=64 time=226.723 ms
64 bytes from 10.0.0.1: icmp_seq=558 ttl=64 time=70.730 ms
64 bytes from 10.0.0.1: icmp_seq=559 ttl=64 time=458.012 ms
64 bytes from 10.0.0.1: icmp_seq=560 ttl=64 time=25.976 ms
Request timeout for icmp_seq 561
64 bytes from 10.0.0.1: icmp_seq=562 ttl=64 time=614.986 ms
Request timeout for icmp_seq 563
Request timeout for icmp_seq 564
64 bytes from 10.0.0.1: icmp_seq=563 ttl=64 time=2459.566 ms
Request timeout for icmp_seq 566
Request timeout for icmp_seq 567
Request timeout for icmp_seq 568
Request timeout for icmp_seq 569
Request timeout for icmp_seq 570
Request timeout for icmp_seq 571
Request timeout for icmp_seq 572
Request timeout for icmp_seq 573
64 bytes from 10.0.0.1: icmp_seq=564 ttl=64 time=10620.278 ms
64 bytes from 10.0.0.1: icmp_seq=565 ttl=64 time=9665.505 ms
64 bytes from 10.0.0.1: icmp_seq=566 ttl=64 time=8736.085 ms
64 bytes from 10.0.0.1: icmp_seq=567 ttl=64 time=7975.989 ms
64 bytes from 10.0.0.1: icmp_seq=568 ttl=64 time=7223.718 ms
64 bytes from 10.0.0.1: icmp_seq=569 ttl=64 time=6320.197 ms
64 bytes from 10.0.0.1: icmp_seq=570 ttl=64 time=5447.343 ms
64 bytes from 10.0.0.1: icmp_seq=571 ttl=64 time=4457.011 ms
64 bytes from 10.0.0.1: icmp_seq=572 ttl=64 time=3555.876 ms
64 bytes from 10.0.0.1: icmp_seq=573 ttl=64 time=2556.972 ms
64 bytes from 10.0.0.1: icmp_seq=574 ttl=64 time=1566.402 ms
64 bytes from 10.0.0.1: icmp_seq=575 ttl=64 time=578.149 ms
64 bytes from 10.0.0.1: icmp_seq=576 ttl=64 time=8.687 ms
64 bytes from 10.0.0.1: icmp_seq=577 ttl=64 time=43.058 ms


I can log in to SSH, barely. It takes more than 10 seconds and typing has a delay of about a second on each character, but there seems to be no CPU load and no other excessive use of RAM or processes. It looks like congestion on the interfaces, but with the slowness it's hard to troubleshoot.

I'll continue troubleshooting but if this sounds familiar to someone please share your insights.

Thank you.
#5
23.7 Legacy Series / My OPNsense got borked
January 21, 2024, 02:33:16 PM
Last changes I made are with regards to HA Proxy. Last night I left everything in a working state, this morning everything worked fine. During the day I noticed these lines in the logs on the dashboard:
pf_map_addr: selected address 10.26.14.1
pf: stack key attach failed on all: UDP in wire: 10.0.0.10 185.51.192.61:123 etc (see screenshot).

This didn't seem to matter much and I'm pretty sure it can be ignored? I think it has to do with a NAT rule redirecting NTP to my firewall, but it doesn't work right with the wireguard interface.

Then I made changes to HA Proxy today, added home assistant which isn't working. I tried some random things and left it to walk the dog. When I came back, OPNsense was down. It still responded to the ACPI shutdown via the power button so it wasn't really dead, just unreachable. It came back up with the second screenshot:
pf: state ID collision: id: 000000blablabla creator id: 884dcb1b

I searched for it, I have no idea what it is or what it means.

Also, I have no idea if these two messages are related, and I also don't know whether they are the cause for the outage, and I also don't know if it's related to HAproxy. Turns out, I don't know much of anything ::).

So, I reverted the HA proxy changes I made today manually. It made no difference.
I turned off HAproxy, no difference.
I restored the config from last night. No difference.

I am at a loss and my internet is down  :o.

I can restore from 2 days ago (before HAproxy) but at this point I doubt that matters?

If anyone has an idea what might be going on I'd love to hear about it.

Thanks!
#6
Will this: https://forum.opnsense.org/index.php?topic=23339.0

work properly with NAT reflection and a s2s over wireguard (between 2 opnsense firewalls)?

Story:
Before I start fiddling for hours and banging my head against the wall, I started searching for an answer. I can't figure out whether what I want will actually work. Hopefully someone can help me with an answer?

I have a whole bunch of web services, mostly running from a single docker host. It's set up with nginx-proxy for automated certificate handling. It has become increasingly more important and I need to change it to a HA setup. Furthermore, I have split DNS and NAT reflection set up. Some of these services are meant to be reachable from the outside, others are internal only.

Then some services run from a Pi or some other host, and getting them to renew certificates is cumbersome, as I have to manually disable one port forward and enable another, run the renewal and set it back.

And then yet another few services are offsite, accessible via s2s wireguard. I currently have a second nginx-proxy container running there specifically for the services running over there.

If I set up HAProxy following that guide, it would ease my life considerably if it worked for what I need. Will that work in my setup with NAT reflection and the s2s? I would remove nginx-proxy with the acme sidecar everywhere; I could use some random high ports on the docker containers and set up firewall rules to prevent hitting those services directly. All traffic would then be handled by HAProxy on OPNsense. Does it complicate things considerably compared to the guide?
#7
This is a new issue for me I have not seen before. I searched but I only seem to find issues about other issues concerning leases.

So what is happening is that I install a few new Rocky Linux systems (automated on ESX). They boot up with a kernel option "ip=dhcp". This is required because during boot, it needs to pick up a kickstart file for silent install from an https address.

The servers install, and reboot. They all get their lease and register their hostnames. But after a short time (like, within an hour or so), some of the leases expire and their hostnames become unresolvable because they are also removed from Unbound (register dhcp clients). What I see in the DHCP leases list is that the IP is still there and showing online, but expired. The host is reachable on IP and everything else seems to work fine (no connection issues).

The installations are mostly defaults, I only change the hostname, partitioning and I create a user with ssh key via the silent install script. I make no changes to network settings, I only tell it to use DHCP.

In debug logging in the dhcp server, I only see the requests and replies. I see reuse unaltered entries, but nothing about expiring or removing leases.

I also searched Unbound logging but that logs so much I might have missed something. I didn't find information about registrations being removed due to expired leases or something.

I tried increasing and changing some lease times like minimal and max, but the leases seem to expire anyway.

Basically I'm at a loss and I'm unsure what else to check? If anyone has an idea I would appreciate it!

Thanks!
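The first post (DHCP hosts missing from Unbound) and this one (leases expiring and dropping out of Unbound) both come down to the same check: which leases dhcpd currently considers active, and whether each of those hostnames resolves through the local Unbound. The script below is an added example, not code from the posts or from OPNsense. It parses ISC dhcpd.leases text, splits active leases into unexpired and expired, and runs the same dig against 127.0.0.1 that the first post does by hand. The leases text, the domain "home.lan" and the hostnames are constructed placeholders.

```python
"""Added example (not from the forum posts): list active dhcpd leases, flag the
ones already past their end time, and check that each active hostname resolves
through Unbound on 127.0.0.1. The sample leases and the domain are constructed."""
import re
import subprocess
import sys
from datetime import datetime, timezone

DOMAIN = "home.lan"  # assumed: the system domain under which leases are registered

# Constructed dhcpd.leases content ("ends" timestamps are UTC, as dhcpd writes them).
SAMPLE_LEASES = """\
lease 10.0.0.50 {
  starts 3 2024/12/04 09:00:00;
  ends 3 2024/12/04 13:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "archlaptop";
}
lease 10.0.0.51 {
  starts 3 2024/12/04 09:05:00;
  ends 3 2024/12/04 09:35:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "rocky-01";
}
lease 10.0.0.52 {
  starts 3 2024/12/04 09:10:00;
  ends 3 2024/12/04 13:10:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:03;
}
"""
SAMPLE_NOW = datetime(2024, 12, 4, 10, 0, tzinfo=timezone.utc)  # constructed "now"

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+(?:\d\s+([\d/]+\s+[\d:]+)|never)")


def parse_leases(text):
    """One record per IP; dhcpd appends to the file, so the last block for an IP wins."""
    latest = {}
    for ip, body in LEASE_RE.findall(text):
        host = re.search(r'client-hostname\s+"([^"]*)"', body)
        state = re.search(r"binding state\s+(\w+)", body)
        ends = ENDS_RE.search(body)
        when = None
        if ends and ends.group(1):  # "ends never" leaves when = None
            when = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        latest[ip] = {"ip": ip, "hostname": host.group(1) if host else None,
                      "state": state.group(1) if state else None, "ends": when}
    return list(latest.values())


def split_by_status(leases, now):
    """Active, unexpired leases with a hostname are the ones Unbound should know;
    active leases already past 'ends' are what the lease list shows as expired."""
    registrable, expired = [], []
    for lease in leases:
        if lease["state"] != "active" or not lease["hostname"]:
            continue
        past = lease["ends"] is not None and lease["ends"] <= now
        (expired if past else registrable).append(lease)
    return registrable, expired


def dig_argv(hostname, domain, server="127.0.0.1"):
    """The query the first post runs by hand: the FQDN against the local Unbound."""
    return ["dig", "+short", "@" + server, f"{hostname}.{domain}", "A"]


def resolve(hostname, domain, server="127.0.0.1"):
    """Run dig and return the set of answered addresses (empty if nothing resolves)."""
    proc = subprocess.run(dig_argv(hostname, domain, server),
                          capture_output=True, text=True, check=False)
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


def audit(leases_text, domain, now, resolver=resolve):
    """Return (missing, expired): registrable leases whose FQDN does not resolve
    to the leased IP, and active leases that are already past their end time."""
    registrable, expired = split_by_status(parse_leases(leases_text), now)
    missing = [l for l in registrable if l["ip"] not in resolver(l["hostname"], domain)]
    return missing, expired


if __name__ == "__main__":
    # Real run: python3 lease_check.py /path/to/dhcpd.leases (path is a placeholder)
    if len(sys.argv) > 1:
        text, now = open(sys.argv[1]).read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE_LEASES, SAMPLE_NOW
    missing, expired = audit(text, DOMAIN, now)
    for lease in missing:
        print(f"not in Unbound: {lease['hostname']}.{DOMAIN} ({lease['ip']})")
    for lease in expired:
        print(f"expired but still listed: {lease['hostname']} ({lease['ip']}, ended {lease['ends']:%Y-%m-%d %H:%M}Z)")
```

Run on the firewall with the real leases file as the argument; a hostname listed under "not in Unbound" while its lease is active and unexpired is the symptom of the first post, and anything under "expired but still listed" is the symptom of this one. Comparing the printed end times against the lease times configured in the DHCP server shows whether the server is honouring them.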
#8
I read:
https://forum.opnsense.org/index.php?topic=24084.0

Found the linked (and closed) github issue.

I read everything twice and searched again to make sure I didn't miss something obvious  :P.

So I think this should be solved and working now? I have several VLANs in their own domain, but my hosts from each of them are registered under the system domain in unbound.

I read in the link above there isn't a setting and should 'just work', but it isn't in my case.

Any ideas please what I am missing?

Thanks!
#9
When I set unbound to listen to all internal interfaces, it seems this causes unbound to randomly return an interface address when I query opnsense hostname.

My opnsense GUI is (should be) only accessible on what I call LAN. I have several other networks with VLANs on them for different purposes. None of these should be able to access the webGUI. However, all of these networks should have access to opnsense as a gateway, DNS and NTP.

Unbound is set to listen to all internal networks
Unbound is listening on 53 as the main resolver (so it registers for DHCP defaults)
Each network has DHCP enabled.

When I am on LAN and I ping opnsense, I often get an IP returned that does not belong to the LAN network (i.e., one of the other VLAN interface addresses). I cannot open the webGUI because it's not accessible on that IP.

When I change unbound to listen only on the LAN interface, it now seems that hosts in networks other than LAN no longer resolve, as if they do not get registered because Unbound is not set to listen on those interfaces?

I've been trying to catch what happens in the logs of unbound, but the GUI is slow (large logs?) and when searching, the window never shows a result (it just sits there searching infinitely).

Please ask if you're missing information, I hope I can solve this soon with a bit of help!

Thanks!
#10
23.7 Legacy Series / [solved] no ipv6 outbound possible
November 11, 2023, 11:52:00 AM
I suspect I am missing something obvious but I don't see it yet  :-[.

My ISP offers ipv6 /48. I enabled dhcpv6 on WAN and set my LAN to track interface. Everything is getting ipv6 addresses on my LAN. I can ping and connect to local services over ipv6. DNS seems to work as well, I can ping6 hostname and it returns replies with the ipv6 address.

I created a firewall rule on LAN to allow ipv6 from LAN net to all. Basically I cloned my ipv4 rule and changed it to ipv6.

When I go to test-ipv6.net and some other test websites, it's not detecting ipv6 at all.

When I `curl https://[2a02:2e0:3fe:1001:302::]` I get:
curl: (7) Failed to connect to 2a02:2e0:3fe:1001:302:: port 443 after 4006 ms: Couldn't connect to server

When I do `curl -k https://[opnsense lan ipv6 address]` it connects to my opnsense.

In the logging I don't see any blocks. I tried several hosts and nothing is able to connect to the outside on ipv6.

I have not setup outbound NAT because I don't think it requires that.
I checked that the dhcp6 gateway has been created; it's up and green.

I checked my local ipv6 default routes for a gateway and the internet6 default route is set to the pfsense address using its fe80:: address. This is the only thing that has me wondering whether that is actually correct?

No ipv6 expert here I admit. Any ideas what I am missing?

Thanks a bunch!
#11
Hey all!

I have wireguard set up on opnsense for my laptops and phone to connect to and use local services and internet. This is working fine. Let's call this wireguard setup 1: opnsense is the wireguard server, the peers are its clients.

In addition, I also have a second wireguard setup, on a remote server to which my opnsense is a peer. A locally running server uses it to push encrypted backups to the remote server over the wireguard tunnel. Let's call this wireguard setup 2.

I got curious whether I could reach client A from client B over wireguard setup 1. This seemed to work. It seems that these tunnels are bidirectional. Without additional setup I doubt that traffic can go beyond the peer itself, but that is beyond the scope of my question.

So what is my question then ...

Well, I wonder whether I can change the Wireguard setup 2 to setup 1. So the remote server becomes a peer in setup 1.

Figured I wanted to ask to be sure because I risk locking myself out and I don't want to drive 240 km to fix a remote server haha!

Would it be possible to test this without bringing down the already working setup 2?

Thanks in advance!
#12
I have a fixed external IP, I own a domain name and I have set up several services I run from home, almost all of them behind an nginx reverse proxy with SNI set up based on subdomains.

My current port forwarding rules are set to destination WAN address, port 80/443 with a forward to nginx.

It gets hammered, obviously, and nginx stops it, so no real issues. I could possibly set up fail2ban as well, but I was wondering if I could set up opnsense to stop direct hits on the IP address only? The same way nginx identifies FQDNs via SNI, could opnsense possibly do the same and stop it if the destination domain is not allowed?

Thanks!
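What nginx does with SNI, and what any firewall-side filter would have to do, is read the server_name extension out of the TLS ClientHello before the handshake completes. The script below is an added example, not code from the post or from OPNsense: it constructs a minimal ClientHello, extracts the SNI from it, and applies an allow-list policy. A client connecting to a bare IP address sends no server_name at all, so those "direct hits" show up as records without SNI. The hostnames and the allow-list are placeholders.

```python
"""Added example (not from the forum post): parse the server_name (SNI)
extension out of a TLS ClientHello and make an allow/deny decision from it.
build_client_hello() constructs the records; hostnames are placeholders."""


def build_client_hello(sni):
    """Construct a minimal ClientHello record (TLS 1.2 framing). sni=None omits
    the server_name extension, as a client does for an IP-literal URL."""
    exts = b"\xff\x01\x00\x01\x00"                 # renegotiation_info, so SNI is not first
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list
    body = (b"\x03\x03" + bytes(32)                # client_version, random
            + b"\x00"                              # empty session_id
            + b"\x00\x04\x13\x01\x13\x02"          # two cipher suites
            + b"\x01\x00"                          # null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:       # not a handshake record
        return None
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + _u16(body, pos)                     # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                          # walk the extension list
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(data) < 2:            # 0 == server_name
            continue
        p, list_end = 2, min(len(data), 2 + _u16(data, 0))
        while p + 3 <= list_end:
            name_type, nlen = data[p], _u16(data, p + 1)
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if name_type == 0 and len(name) == nlen:   # host_name entry
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def classify(record, allowed_hosts):
    """Policy decision for one ClientHello against an allow-list of FQDNs."""
    sni = extract_sni(record)
    if sni is None:
        return "deny:no-sni"
    if sni.lower().rstrip(".") in allowed_hosts:
        return "allow"
    return "deny:unknown-host"


if __name__ == "__main__":
    allowed = {"app.example.com", "cloud.example.com"}
    for host in ("app.example.com", "other.example.net", None):
        print(host, "->", classify(build_client_hello(host), allowed))
```

Two limits of this approach apply wherever it is done, on the proxy or on the firewall: plain HTTP on port 80 carries the hostname in the Host header rather than in SNI, so a "deny when no SNI" rule only makes sense for the TLS port, and a client using Encrypted Client Hello does not expose the name in the ClientHello at all.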
#13
I need to add the following to unbound config:

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.2.3.4#bla.dns.nextdns.io
  forward-addr: 1234:1234::#bla.dns.nextdns.io
  forward-addr: 1.2.3.5#bla.dns.nextdns.io
  forward-addr: 1234:1235::#bla.dns.nextdns.io

I tried to create the file /var/unbound/etc/custom-config.conf and add the above, but the file gets deleted.
I tried to add it to /var/unbound/unbound.conf, and that config gets removed.

How do I add the above, which file do I edit or create?

I did find this:
https://forum.opnsense.org/index.php?topic=13978.0

But the custom box (as found in previous versions and in pfsense) is nowhere to be found.

Thanks
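Wherever the snippet ends up, its forward-addr lines are worth checking before Unbound loads them. The script below is an added example, not code from the post or from OPNsense. It parses a forward-zone block like the one above and flags the two things that make a DNS-over-TLS forwarder silently weaker than intended: Unbound sends to port 53 unless the address carries @853 even when forward-tls-upstream is yes, and the name after '#' is only verified against the server certificate when a CA bundle (tls-cert-bundle or tls-system-cert, normally in the server: section) is configured. The snippet is reconstructed from the post with its placeholder addresses.

```python
"""Added example (not from the forum post): lint an Unbound forward-zone
snippet for DNS-over-TLS mistakes and emit a corrected copy. The snippet
mirrors the post's, with its placeholder addresses."""
import re

SNIPPET = """\
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.2.3.4#bla.dns.nextdns.io
  forward-addr: 1234:1234::#bla.dns.nextdns.io
  forward-addr: 1.2.3.5#bla.dns.nextdns.io
  forward-addr: 1234:1235::#bla.dns.nextdns.io
"""

DOT_PORT = 853
# forward-addr value: IP[@port][#authname]; the host part may contain ':' (IPv6)
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def strip_comment(line):
    """Unbound comments start with '#' at line start or after whitespace; a '#'
    glued to a forward-addr value is the TLS auth name, not a comment."""
    return re.sub(r"(^|\s)#.*$", "", line)


def parse_forward_zone(text):
    """Collect name, TLS flag, raw forward-addr values and whether a CA setting appears."""
    zone = {"name": None, "tls": False, "addrs": [], "has_ca": False}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first ':' only, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if key == "name":
            zone["name"] = value.strip('"')
        elif key == "forward-tls-upstream":
            zone["tls"] = value.lower() == "yes"
        elif key == "forward-addr":
            zone["addrs"].append(value)
        elif key in ("tls-cert-bundle", "tls-system-cert"):
            zone["has_ca"] = True
    return zone


def split_addr(value):
    """Return (host, port or None, authname or None), or None if malformed."""
    m = ADDR_RE.match(value)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return m.group("host"), port, m.group("auth")


def lint(text):
    """Return (severity, message) findings for one forward-zone snippet."""
    zone = parse_forward_zone(text)
    findings = []
    for value in zone["addrs"]:
        parts = split_addr(value)
        if parts is None:
            findings.append(("error", f"{value}: not an IP[@port][#authname] value"))
            continue
        host, port, auth = parts
        if zone["tls"]:
            if port != DOT_PORT:
                findings.append(("error", f"{value}: DNS over TLS needs @{DOT_PORT}; "
                                          f"as written Unbound sends to port {port or 53}"))
            if not auth:
                findings.append(("warning", f"{value}: no #authname, the upstream "
                                            "certificate name is not checked"))
        elif auth or port == DOT_PORT:
            findings.append(("warning", f"{value}: @853/#authname given but "
                                        "forward-tls-upstream is not yes"))
    if zone["tls"] and zone["addrs"] and not zone["has_ca"]:
        findings.append(("info", "no tls-cert-bundle/tls-system-cert in this text; "
                                 "#authname is only verified if the server: section sets one"))
    return findings


def fix_addr(value):
    """Rewrite IP[#auth] to IP@853#auth; values that already carry a port are kept."""
    parts = split_addr(value)
    if parts is None:
        return value
    host, port, auth = parts
    return f"{host}@{port or DOT_PORT}" + (f"#{auth}" if auth else "")


def fixed_snippet(text):
    """Re-emit the snippet with every forward-addr carrying an explicit port."""
    out = []
    for raw in text.splitlines():
        key, sep, value = strip_comment(raw).partition(":")
        if sep and key.strip() == "forward-addr":
            indent = raw[:len(raw) - len(raw.lstrip())]
            out.append(f"{indent}forward-addr: {fix_addr(value.strip())}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, message in lint(SNIPPET):
        print(f"{severity}: {message}")
    print(fixed_snippet(SNIPPET))
```

Run as-is it reports the four addresses without @853 and prints the corrected block; paste the output, not the original, into wherever OPNsense picks up custom Unbound options, and confirm with a query that the forwarder is actually reached on 853 rather than failing open to port 53.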
#14
23.1 Legacy Series / Help with rollback
May 12, 2023, 09:11:52 PM
I've seen and read https://docs.opnsense.org/manual/opnsense_tools.html

I understand which tool does what, but I need to revert all updates I received this morning and go back to last night state.

If this is possible, can someone please help me out?
#15
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Since the updates I installed this morning, clients that renew no longer receive settings other than an IP address, subnet mask and default gateway. No DNS servers or search domains seem to get passed on to clients.

I've noticed this behavior on mobile phones, macos clients, linux clients and windows.

I've seen some other issues recently mentioned on the forums, about dynamic dns, unbound restarting.

Perhaps we can add this to the pile of issues ;).

If there's a quick fix I'd love to hear it; for now I'm setting DNS manually.

Thanks.
#16
I am running opnsense on dedicated hardware with 4 intel nics. 2 are for wan/lan and 1 is used for an iptv set-top box. All AV hardware in the living room is powered off (standby killer), and with that the stb, which brings down the link on the firewall. When that link goes down, igmpproxy stops as well, as that subnet is a configured downstream. Igmpproxy does not start when the link comes back up, so every time I need to manually start igmpproxy.

For now, I have taken the stb out of the group that powers off so it stays on standby.

I am looking for a solution that allows me to power off the stb and brings igmpproxy back up when the link comes back up.

- is it possible to configure actions on link activation? Like in an ifup script or something?
- is there a watchdog service to monitor crashed/stopped services and bring them back up?
- Is monit capable of monitoring a network link, and starting igmpproxy when a link comes alive? It looks like it but I couldn't figure it out?

I'm not sure if one of the above is possible; if there are other/better ways I'm all ears.

Thanks!

#17
22.7 Legacy Series / unbound bind to localhost
November 26, 2022, 12:55:30 PM
Hi, I am moving my pfsense over to OPNsense.

I am using another primary DNS service, which listens on LAN on 53 and forwards internal domain queries to 127.0.0.1:5353.

I can configure unbound on 5353, but I can only select my LAN or WAN interfaces, I cannot select (as with pfsense) localhost. Screenshot should make clear what I mean. pfsense then does not listen on other interfaces.

In OPNsense, when I select LAN, it listens on both the LAN and localhost, but I would really prefer it does not listen on LAN as well.

Any chance I can set this the same in OPNsense?

Thanks!

#18
General Discussion / troubleshooting dhcpv6
February 20, 2022, 12:35:27 PM
Hello everyone,

I read https://forum.opnsense.org/index.php?topic=7149.0 and the links it refers to. My situation is a little different. I've set up dhcpv6 on pfsense before, but then pfsense was the router and firewall as well.

My router is a Unifi UDM pro. I don't like how it does dhcp/dns so I disabled that. Its WAN interface has a provider ipv6 address in a /56. Let's say its ipv6 address is 2001:abcd:1234:0:0443:7e37:7caa:4acb.

I have opnsense running in a vm with a single interface, firewall is disabled and I am only using LAN with DHCP, DHCPv6, Unbound and NTP server.

I configured the LAN interface with a fixed ipv6 in a /64 within the /56 of the WAN interface.
Let's say its 2001:abcd:1234:1:192:168:1:1 :D

I configured DHCPv6, enabled it and it picks up the subnet /64 and shows the correct available range. I configured the range as:
2001:abcd:1234:1:192:168:1:ff - 2001:abcd:1234:1:192:168:1:ffff

Prefix delegation range is empty, delegation size is 64.
I entered a DNS server, NTP server with ipv6 addresses. The rest is default.

For router advertisement I chose:
RA: Assisted
Prio: High
Source address: auto
advertise: enabled
DNS servers: 1 address
The rest is default.

The problem is, my clients get an ipv6 address, but it's outside the range of what I configured. Opnsense never shows a lease and the logs are empty. I suspect it's getting an address from my ISP via the router WAN interface, but I don't have logging to confirm that.

On the UDM, there is no DHCP running, no ra daemon.

I'm not sure what's happening. I can ping the router and opnsense on v6, but how do I get it to use opnsense dhcpv6?

Thanks for the help!