Topics

1

21.1 Production Series / [FIXED] Policy based routing with "dynamic gateway policy" type gateways

« on: March 29, 2021, 06:47:49 pm »

When creating a dynamic gateway and enabling "Dynamic gateway policy" on its interface, can it be used for policy based routing? The "gateway" has no IP address, the destination is directly reachable.

I can't get this working. Before digging deeper, some input whether this is actually supported would be nice.

"Doesn't work" means: When selecting the dynamic gateway in a firewall rule, the rule shown in pfInfo doesn't have a "route-to" option. When enabling "Skip rules when gateway is down" in the advanced firewall settings, the rule doesn't show up in pfInfo at all. That would suggest the gateway is considered down, but gateway monitoring is disabled and it is shown as online.

man pf.conf(5) suggests route-to doesn't require an IP address:

Code: [Select]

The route-to option routes the packet to the specified interface with an optional address for the next hop.https://www.freebsd.org/cgi/man.cgi?query=pf.conf

Background: I'm trying to get WireGuard PBR working without the "fake gateway IP address hack" suggested in the docs: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
@mimugmail once mentioned that dynamic gateway policy should work, but I couldn't find a confirmation that it actually does: https://forum.opnsense.org/index.php?topic=15105.msg86564#msg86564

Thanks!

Maurice

<edit>
This was indeed a missing feature and it's now fixed: https://github.com/opnsense/core/commit/cdf328078bd3e16e1f4beb9b0d6956595fb59c67
</edit>

2

21.1 Production Series / [SOLVED] Console menu gone in 21.1.3 / 21.7.a_159?

« on: March 10, 2021, 01:51:48 pm »

When connecting via ssh, I'm now directly presented with the command prompt. No more menu which shows interface information, allows a config restore etc.

Anyone else seeing this? Is this the firmware UI rework mentioned in the release notes?

Cheers

Maurice

3

20.7 Legacy Series / Virtual IPs not shown on dashboard any more?

« on: May 13, 2020, 07:30:20 pm »

I'm now on 20.7.b_136 and noticed that the Interfaces widget doesn't show Virtual IPs any more. Is this intentional? I liked it with the VIPs. :-)

Cheers

Maurice

4

19.7 Legacy Series / Link-local gateway addresses missing zone index, breaks gateway monitoring

« on: July 18, 2019, 01:32:26 am »

Hi,

After upgrading from 19.1 to 19.7, OPNsense has issues dealing with gateways which have an IPv6 link-local address:

I have two gateways with a statically configured link-local address (fe80::42%hn1, fe80::42%hn2). After the upgrade, the IP addresses were completely gone for both gateways. Re-entering the addresses was not possible: After clicking "save", the address is gone again. Only after entering the addresses without the zone index was I able to save them. But without the zone index gateway monitoring doesn't work.

Similar issue with the WAN_DHCP6 gateway (where the gateway IP address is assigned automatically via RAs from the ISP): The zone index is missing so gateway monitoring doesn't work.

This might be the same issue, although the description is a bit vague:
https://forum.opnsense.org/index.php?topic=13506.0

[Edit]
The following PHP error seems to be related to this:
PHP Warning:  vsprintf(): Too few arguments in /usr/local/etc/inc/util.inc on line 986
[/Edit]

Cheers

Maurice

5

19.1 Legacy Series / IPv6 Dual WAN / Policy Based Routing issue

« on: March 10, 2019, 03:53:44 pm »

Hi all,

I'm trying to get a simple Dual WAN / Dual LAN setup running:
Two WAN interfaces (DHCPv6), two LAN interfaces (LAN1 tracks WAN1, LAN2 tracks WAN2). The WAN1 gateway (WAN1_DHCP6) is the default one. To get traffic originating from LAN2 being routed via WAN2, the gateway is set to WAN2_DHCP6 in the allow-all firewall rule for LAN2 (Policy Based Routing).

No success. LAN1 works just fine, but there is no Internet access from LAN2. This is not a DNS issue (DNS servers are set to external public servers in Router Advertisements). A traceroute from a host in LAN2 to a public IPv6 address doesn't get further than the first hop (router). As expected, switching the default gateway to WAN2_DHCP6 gets LAN2 working and breaks LAN1 Internet connectivity.

Ideas? This should be pretty straight forward, but maybe I am missing something.

Cheers

Maurice

6

18.1 Legacy Series / IPv6 Prefix Delegation: routes missing

« on: March 25, 2018, 08:34:13 pm »

This is not about requesting a prefix from an upstream router / ISP, but about delegating prefixes to downstream routers in the LAN.

I have a static /48 from my ISP. OPNsense is used as a distribution router and should delegate /56 prefixes to other routers connected to its LAN interface.

Prefix Delegation Range and Prefix Delegation Size are properly configured in Services / DHCPv6 / LAN and downstream routers successfully request prefixes (visible in Services / DHCPv6 / Leases / Delegated Prefixes).
However, OPNsense doesn't seem to add routes for the delegated prefixes to its routing table. So clients connected to the downstream routers can't access the Internet.

Is this working for someone? If so, am I missing something? Or could this be a bug?

7

17.7 Legacy Series / [SOLVED] Stateless DHCPv6 support missing?

« on: November 20, 2017, 01:03:53 am »

Hello all,

This is my first post! I'm currently virtualizing a router by migrating from an old embedded Linux box to a fresh install of OPNsense 17.7.7_1 in a Hyper-V VM. Pretty straightforward so far, but now I'm stuck at setting up stateless DHCPv6 for the LANs.

In the existing setup, clients use SLAAC for address autoconfiguration. Clients which don't support the RDNSS / DNSSL options in RAs (like older Windows versions) use stateless DHCPv6 for DNS server and domain information.

In OPNsense, the Router Advertisement "Assisted" mode seems to be the only one which sets the required A and O flags in RAs. But it also sets the M flag which indicates stateful DHCPv6. There seems to be no "A + O flag only" mode. Also, the DHCPv6 server can not be enabled unless you specify an address range.

I've never used an IPv6 router which doesn't support this, so I'm not sure whether this is really missing or I just can't figure out how to configure it (these are my first steps with OPNsense).

Thanks

Maurice