Topics - norg

1
20.7 Legacy Series / Kernel Panic with ICMPv6 echo request when IPv6 disabled
« on: October 22, 2020, 08:34:43 am »
I had quite a journey when I wanted to debug why my OPNsense appliance suddenly rebooted several times. So in the crash log I saw this:

Code:
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x54
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80f5e626
stack pointer         = 0x28:0xfffffe00004c2140
frame pointer         = 0x28:0xfffffe00004c2190
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock (0))
trap number = 12
panic: page fault
cpuid = 3
time = 1603188380
__HardenedBSD_version = 1200059 __FreeBSD_version = 1201000
version = FreeBSD 12.1-RELEASE-p10-HBSD #0  517e44a00df(stable/20.7)-dirty: Mon Sep 21 16:21:17 CEST 2020
    root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00004c1df0
vpanic() at vpanic+0x1a2/frame 0xfffffe00004c1e40
panic() at panic+0x43/frame 0xfffffe00004c1ea0
trap_fatal() at trap_fatal+0x39c/frame 0xfffffe00004c1f00
trap_pfault() at trap_pfault+0x49/frame 0xfffffe00004c1f60
trap() at trap+0x29f/frame 0xfffffe00004c2070
calltrap() at calltrap+0x8/frame 0xfffffe00004c2070
--- trap 0xc, rip = 0xffffffff80f5e626, rsp = 0xfffffe00004c2140, rbp = 0xfffffe00004c2190 ---
in6_setscope() at in6_setscope+0xa6/frame 0xfffffe00004c2190
ip6_forward() at ip6_forward+0x359/frame 0xfffffe00004c22e0
pf_test6() at pf_test6+0x1c82/frame 0xfffffe00004c2470
pf_check6_out() at pf_check6_out+0x3f/frame 0xfffffe00004c24a0
pfil_run_hooks() at pfil_run_hooks+0x87/frame 0xfffffe00004c2530
ip6_output() at ip6_output+0x1a06/frame 0xfffffe00004c27c0
icmp6_reflect() at icmp6_reflect+0x2f0/frame 0xfffffe00004c2870
icmp6_error() at icmp6_error+0x4aa/frame 0xfffffe00004c28c0
nd6_llinfo_timer() at nd6_llinfo_timer+0x340/frame 0xfffffe00004c2940
softclock_call_cc() at softclock_call_cc+0x143/frame 0xfffffe00004c29f0
softclock() at softclock+0x79/frame 0xfffffe00004c2a10
ithread_loop() at ithread_loop+0x1d4/frame 0xfffffe00004c2a70
fork_exit() at fork_exit+0x83/frame 0xfffffe00004c2ab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00004c2ab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
panic.txt0600001213743533234  7140 ustarrootwheelpage faultversion.txt06000022713743533234  7623 ustarrootwheelFreeBSD 12.1-RELEASE-p10-HBSD #0  517e44a00df(stable/20.7)-dirty: Mon Sep 21 16:21:17 CEST 2020
    root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP

OPNsense (c) 2014-2020 Deciso B.V.

So the kernel panic was related to IPv6. In my case I didn't use IPv6 due to another bug in 20.7 but I still receive those packets on my VDSL WAN interface. The reason for that is that I have a static IPv6 network assigned to me, a /64 for the WAN side and a /54 for my own usage. So my provider did forward those packets still to my VDSL and through my PPPoE connection since it's static, my own and the provider doesn't know that I disabled IPv6 DHCP on my PPPoE connection.

So the fix was to enable the IPv6 on WAN side (the /64) but I could still keep it disabled on LAN side (the /56) to prevent another bug.

But nevertheless I would argue that this should be fixed in the FreeBSD Kernel so it doesn't trigger a panic, just ignoring/dropping those packets.

So my question would be, is this something that needs to be addressed by the OPNsense folks or rather on FreeBSD side or even HardenedBSD side?
So I would like to have some guidance where to report which details.
While it might be a corner case (static IPv6 but disabled on PPPoE) it was really hard to figure it out.
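
The reading of the crash log in the post above can be done mechanically. The following is an added example, not part of the original post: it skips the panic-handler frames, takes the first frame after the trap marker as the faulting function, and flags a fault address below one page as a likely NULL-pointer dereference. The names `triage` and `PAGE_SIZE` and the one-page threshold are assumptions of this example, and the sample is a shortened excerpt of the log quoted above.

```python
import re

# Constructed sample: shortened excerpt of the crash log quoted in the post.
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x54
KDB: stack backtrace:
vpanic() at vpanic+0x1a2/frame 0xfffffe00004c1e40
trap() at trap+0x29f/frame 0xfffffe00004c2070
calltrap() at calltrap+0x8/frame 0xfffffe00004c2070
--- trap 0xc, rip = 0xffffffff80f5e626, rsp = 0xfffffe00004c2140, rbp = 0xfffffe00004c2190 ---
in6_setscope() at in6_setscope+0xa6/frame 0xfffffe00004c2190
ip6_forward() at ip6_forward+0x359/frame 0xfffffe00004c22e0
pf_test6() at pf_test6+0x1c82/frame 0xfffffe00004c2470
ip6_output() at ip6_output+0x1a06/frame 0xfffffe00004c27c0
icmp6_reflect() at icmp6_reflect+0x2f0/frame 0xfffffe00004c2870
nd6_llinfo_timer() at nd6_llinfo_timer+0x340/frame 0xfffffe00004c2940
softclock() at softclock+0x79/frame 0xfffffe00004c2a10
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
"""

FRAME = re.compile(r"^(\w+)\(\) at \1\+(0x[0-9a-f]+)/frame ")
TRAP = re.compile(r"^--- trap \S+, rip = ")
FAULT = re.compile(r"^fault virtual address\s*=\s*(0x[0-9a-f]+)")
PAGE_SIZE = 4096  # assumption: faults below one page are treated as "near NULL"


def triage(log):
    """Return fault address, faulting frame and call path of a KDB panic log."""
    fault_addr, frames, after_trap = None, [], False
    for line in log.splitlines():
        line = line.strip()
        if m := FAULT.match(line):
            fault_addr = int(m.group(1), 16)
        elif TRAP.match(line):
            if after_trap:  # second marker: end of the interrupted thread's stack
                break
            after_trap = True  # frames above this marker are the panic handler
        elif after_trap and (m := FRAME.match(line)):
            frames.append((m.group(1), int(m.group(2), 16)))
    return {
        "fault_addr": fault_addr,
        "near_null": fault_addr is not None and fault_addr < PAGE_SIZE,
        "faulting": frames[0] if frames else None,
        "path": [name for name, _ in reversed(frames)],  # outermost caller first
    }
```

Calling `triage(SAMPLE)` reports `in6_setscope+0xa6` as the faulting frame, reached from `nd6_llinfo_timer` via `icmp6_reflect`, `ip6_output`, `pf_test6` and `ip6_forward`, which is the kind of summary worth putting at the top of a bug report.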

2
19.7 Legacy Series / Debug IPv6 issues after PPPoE reconnect (LAN loses IPv6)
« on: July 31, 2019, 12:58:01 am »
I updated to 19.7 and so far everything quite nice, thanks. But this issue is still the same for me, so quoting myself from (https://forum.opnsense.org/index.php?topic=13375.0):

Quote
Hi,

I have a VDSL Telekom uplink with a static IPv4 and IPv6 where the latter offers me a /56 IPv6 network. This works very well if I start the OPNSense or after I configure the LAN interface. So the LAN interface takes care of requesting the IPv6 network information and forwards this to the client.
Sometimes when the VDSL uplink is gone (power outage, other issues) and reconnects the VDSL uplink interface receives the IPv4 and also the IPv6 for the WAN side but it doesn't update the LAN interface which has lost the IPv6 information in the meantime.

My workaround for now is to go to the LAN interface in the WebUI, don't change anything, just click save and apply changes (although none have happened) and thus the interface is reconfigured again and IPv6 works again.

So there seems to be an issue with the LAN interface noticing the WAN interface gone and back online. Can you give me any hints how I could further debug this, increase log messages or which parts are involved?
If anyone knows a solution even better :)
But I guess I need to dig into this deeper to provide you with necessary details to properly fix this issue.
So it would be helpful for me to know which parts/scripts/services are involved so I can try if I can fix it myself.

Thanks

So any hints how to solve/fix/patch it myself are welcome :)

3
19.7 Legacy Series / Use DNS servers just from one uplink or add priority
« on: July 31, 2019, 12:57:11 am »
I updated to 19.7 and so far everything quite nice, thanks. But this issue is still the same for me, so quoting myself from (https://forum.opnsense.org/index.php?topic=13374.0):

Quote
Hi,

I have two uplinks, one via PPPoE (VDSL) and one via DHCP (Cable). The issue is that I just want to use the DNS servers provided by the VDSL uplink since those are the only ones which have the correct DNS entries for VoIP. The option Allow DNS server list to be overridden by DHCP/PPP on WAN is global and thus I end up with a mixed resolv.conf. This results in VoIP issues.
I also don't want to hardcode the DNS servers for VDSL as they could change.
Is there a way to handle this, at least somewhere if not in the Web UI?
Or any other solution to solve this.

Thanks

So any hints how to solve/fix/patch it myself are welcome :)

4
19.1 Legacy Series / Debug IPv6 issues after PPPoE reconnect (LAN loses IPv6)
« on: July 02, 2019, 01:54:40 pm »
Hi,

I have a VDSL Telekom uplink with a static IPv4 and IPv6 where the latter offers me a /56 IPv6 network. This works very well if I start the OPNSense or after I configure the LAN interface. So the LAN interface takes care of requesting the IPv6 network information and forwards this to the client.
Sometimes when the VDSL uplink is gone (power outage, other issues) and reconnects the VDSL uplink interface receives the IPv4 and also the IPv6 for the WAN side but it doesn't update the LAN interface which has lost the IPv6 information in the meantime.

My workaround for now is to go to the LAN interface in the WebUI, don't change anything, just click save and apply changes (although none have happened) and thus the interface is reconfigured again and IPv6 works again.

So there seems to be an issue with the LAN interface noticing the WAN interface gone and back online. Can you give me any hints how I could further debug this, increase log messages or which parts are involved?
If anyone knows a solution even better :)
But I guess I need to dig into this deeper to provide you with necessary details to properly fix this issue.
So it would be helpful for me to know which parts/scripts/services are involved so I can try if I can fix it myself.

Thanks

5
19.1 Legacy Series / Use DNS servers just from one uplink or add priority
« on: July 02, 2019, 01:49:58 pm »
Hi,

I have two uplinks, one via PPPoE (VDSL) and one via DHCP (Cable). The issue is that I just want to use the DNS servers provided by the VDSL uplink since those are the only ones which have the correct DNS entries for VoIP. The option Allow DNS server list to be overridden by DHCP/PPP on WAN is global and thus I end up with a mixed resolv.conf. This results in VoIP issues.
I also don't want to hardcode the DNS servers for VDSL as they could change.
Is there a way to handle this, at least somewhere if not in the Web UI?
Or any other solution to solve this.

Thanks

6
18.7 Legacy Series / DHCPv6 runs although not needed with PPPoE and RA/PD
« on: January 04, 2019, 11:32:11 pm »
Hi,

since I'm happy that my rather old IPv6 Bug (see https://forum.opnsense.org/index.php?topic=6613.msg28400#msg28400) doesn't occur anymore I have another minor issue.

I have a Deutsche Telekom VDSL business uplink with a static /56 IPv6 net which works quite fine thanks to Router Advertisement and Prefix Delegation. But on some of my machines I wondered why there are two IPv6 addresses and saw that one came via DHCPv6 and I saw the DHCP daemon running. So for now my workaround is just to disable the DHCPv6 but wouldn't it be better to have a better setup for this case?

And even if it's enabled I would like to configure it by the UI, when I enter the "Services->DHCPv6" I don't have relay enabled and under leases I see my leases and can stop the service.

I found the config file "/var/dhcpd/etc/dhcpdv6.conf" which looks like this:
Code:
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 20XX:a:14XX:de24::/64 {
  range6 20XX:a:14XX:de24::1000 20XX:a:14XX:de24::2000;
  option dhcp6.name-servers 20XX:a:14XX:de24:f690:eaff:fe00:25ce;
  prefix6 20XX:a:14XX:de80:: 20XX:a:14XX:def0::/62;
}

ddns-update-style none;

Which even uses the correct prefix I configured (24). But I can't change any of those options and thus one of my systems has two IPv6 addresses:

Code:
    inet6 20XX:a:14XX:de24::2000/128 scope global dynamic noprefixroute
       valid_lft 6221sec preferred_lft 3521sec
    inet6 20XX:a:14XX:de24:43bb:36aa:a555:de5/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86400sec preferred_lft 14400sec

Which is rather confusing. But matches the range configured.

Is this intended to have the DHCPv6 running in that scenario and furthermore that it can't be configured?

Besides that it runs very smooth now with IPv6!

Thanks so far :)

7
17.7 Legacy Series / IPv6 not working on non-WAN interfaces
« on: December 11, 2017, 01:00:26 am »
Hi,

I have tried to get IPv6 working but I can't get it working (stable) on the non-WAN interfaces. I receive a static /64 for my WAN interface from my ISP (Deutsche Telekom) and a static /56 for internal (LAN) usage. I have to use pppoe with DHCPv6 and I tried all the possible options within "DHCPv6 client configuration". What I always enable is "Send IPv6 prefix hint" and "DHCPv6 Prefix Delegation size" with "56" (also tried 60 and 64). The IPv6 connection from opnsense itself to the internet works fine and I get the correct /64 on WAN. I added "Track interface" to the WAN interface on my LAN and DMZ interfaces and also added different prefix IDs for each of them. But there are no IPv6 subnetworks delegated to those interfaces.

Funny thing is, after I didn't touch it for one day it suddenly worked but as soon as I change something on any interface it breaks again. The ISP settings are fine, I tested the same with a LEDE (openwrt fork) Linux system and the whole IPv6 system worked perfectly. So it's either config issue from me, opnsense issue or even with freebsd itself. Also tested with pfsense 2.4.2, works too :/

Another bug is that after reboot the IPv4 on the pppoe interface comes up but not IPv6, I need to reconnect again :/

Can you give me some hints how I can debug it? I enabled debug log for dhcp but where do I find that log on the system so I can tail on it?

Thanks
