Topics - teapot9

#1
Configuration:

WAN is connected to internet through vlan832 of igb2.
IPs are received with DHCPv4 and DHCPv6 (/56 prefix delegation).

WAN:

igb2_vlan832: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4000000<NOMAP>
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::3eec:efff:fe22:3ec4%igb2_vlan832 prefixlen 64 scopeid 0xa
        inet6 xxxx:xxxx:xxxx:xx00::1 prefixlen 64
        inet x.x.x.x netmask 0xfffffc00 broadcast x.x.x.x
        groups: vlan
        vlan: 832 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


LAN has a /24 IPv4 subnet, and a /64 IPv6 subnet (from the prefix).

LAN:

lagg0_vlan50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: ADMIN (lan)
        options=4000000<NOMAP>
        ether xx:xx:xx:xx:xx:xx
        inet 172.16.72.254 netmask 0xffffff00 broadcast 172.16.72.255
        inet6 fe80::8261:5fff:fe08:642%lagg0_vlan50 prefixlen 64 scopeid 0xe
        inet6 xxxx:xxxx:xxxx:xx48:xxxx:xxxx:xxxx:xxxx prefixlen 64
        groups: vlan ADMIN_GROUP
        vlan: 50 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


I do have multiple interfaces other than LAN for DMZ and users, but their configuration is very similar to LAN.

Issue

After having a working internet connection for a bit more than 24 hours, I lose all access to the internet.


  • Internal networking between subnets works fine
  • WAN interface still has its IPv4 and IPv6
  • Some Wireguard tunnels keep working, although the client is on the internet
  • Pinging 1.1.1.1 from the firewall returns "ping: sendto: No route to host"
  • Pinging from LAN returns a similar error
  • Console shows IPv6 errors: "cannot forward src fe80:x:x:x:x:x:x:x, dst [some internet IPv6], nxt 17, rcvif lagg0_vlan50, outif igb2_vlan832"
  • Web UI: clicking on "Reload" for the WAN interface DHCP (in the "overview" tab) fixes the issue instantly for ~24 hours

A workaround would be to set up a crontab to reload the interface automatically every 24 hours, but it wouldn't fix the issue itself.

The issue only occurs since I updated to 23.1.

Thank you
#2
I am setting up a site-to-site VPN but I have issues getting Unbound to use the remote site's DNS server for its local domain.
I configured Unbound to use the remote site DNS server's IP for local.foo.com.

Alias my_alias: networks I want to be routed through the VPN (which includes the DNS server's IP).

I have 2 OpenVPN clients to connect to the same site, the second one being a failover.
I configured a gateway group with the 2 gateways created by the OpenVPN clients.

Configured 2 NAT outbound rules:
- interface=my_vpn_iface_1, src=any, dest=my_alias, nat address=interface address, static=no
- same with interface=my_vpn_iface_2

Added 1 floating rule to route my_alias through the VPN:
- quick, direction=in, protocol=ipv4*, src=*, dest=my_alias, gateway=my_vpn_gateway_group

This rule should route any traffic going to my_alias from any interface through the VPN gateway group.

I can access the remote site from LAN.
However, I cannot access it from the firewall itself.

I tried configuring a static route.
However, I cannot set the gateway to my_vpn_gateway_group, only single gateways can be selected.

Firewall logs show "let out anything from firewall host itself".

I also tried enabling "Disable automatic rules which force local services to use the assigned interface gateway", but the same issue occurs.

Any help would be appreciated.
#3
Hi,

I wanted to install OPNsense on a test server but I can't get Unbound to work.
This is a fresh install, default settings except for LAN/WAN config.
The Unbound service just starts and stops in an infinite loop.
Rebooting OPNsense solves the problem for less than 3 minutes, then it immediately starts crashing again. Sometimes Unbound works again for generally less than 3 minutes before crashing again.

Here are some logs: logs on level 0, level 3, level 5.
I cut the logs in order to see a complete cycle start/stop.

When I start Unbound from the shell with the command # unbound -d -c /var/unbound/unbound.conf it works without issue.
I tried multiple Unbound configurations, with/without DNSSEC, with/without forwarding mode. Everything leads to the same problem.

Thank you
#4
Hi,
I want to share with you my internet speed problem between LAN and WAN.
I have OPNsense installed as a VM in Proxmox virtual environment.

Problem :
Normally my internet connection provides me 900 down and almost 300 up, but OPNsense only gives LAN 250-300 down and 300 up.
Install is new, not a lot of configuration done except VLAN, DHCP and Unbound.
iperf3 from a LAN device to the firewall gives 2-3 Gbps speed.
And the speed seems fine for the firewall itself (used iperf3 to public servers and got 900 down/300 up), so the problem is between LAN and WAN.

Proxmox version : pve-manager/5.3-11/d4907f84 (running kernel: 4.15.18-12-pve)
OPNsense version : 19.1.4

Host hardware :
CPU : AMD Threadripper 1950x (16 cores @ 3.7 GHz)
Memory : 64 GB

VM config :
Memory : 8 GiB (no balloon)
CPU : EPYC, numa, 8 cores (2 sockets 4 cores)
Hard disk : SCSI 64 GB
Network device : virtio linux bridge (for LAN, VLAN aware)
PCIe passthrough : Intel I210-T1 gigabit NIC (for WAN)
BIOS : OVMF (UEFI)
Qemu agent : disabled

OPNsense configuration :
WAN : DHCP and DHCPv6
LAN : Static ipv4 and ipv6 with DHCP and DHCPv6 server (no prefix delegation available), router advertisements set to assisted
LAN is configured on VLAN 10 of the virtio bridge
WAN is a direct PCIe passthrough of the Intel NIC

Firewall configuration :
- Floating rule : Allow DNS from anywhere to this firewall
- LAN : Anti-Lockout rule
- LAN : Default allow LAN to any rule
- LAN : Default allow LAN IPv6 to any rule

Other problems that can be related :
- IPv6 works fine on the firewall but no IPv6 for LAN
- Unbound only works in forward mode

Any help really welcome
Thanks