Topics - alfrisch

#1
Hi all,

in our setup we use jumbo frames through a wireguard VPN tunnel between two OPNsense instances together with OSPF. After the upgrade to 24.1 the dynamic routing stopped working and I could find in the logs

[XZZ9Y-NNTMQ][EC 134217741] Packet[DD]: Neighbor x.x.x.x MTU 8920 is larger than [wg2:x.x.x.x]'s MTU 1420

After switching temporarily to static routing and some hours of debugging I was able to trace down the problem to the MTU logic used in wireguard. In the pre 24.1 OPNsense instance it says in the help for MTU option

Quote: Set the interface MTU for this interface. Leaving empty uses the MTU from main interface which is fine for most setups.

But in the 24.1 instance it simply says

Quote: Set a specific device MTU for this instance.

Thus, the MTU from the parent device, which is set to 9000, seems not to be considered anymore with 24.1 and OSPF refused to work!

Is this change in the default logic in wireguard intended?

This was a nasty bug, because the MTU option is also hidden in "advanced mode", but setting MTU to 8920 made everything work again right away!

Cheers,
Albert

#2
High availability / access backup instance via VPN
September 05, 2022, 02:40:47 PM
Hi all,

I am using HA setups at three different locations which are connected via wireguard VPN tunnels using dynamic routing with OSPF.
For easier administration I would like to access the backup instances via the tunnels. Any ideas how this can be achieved?

I thought of maybe solving this with VRF, but the frr service is being disabled as soon as the instance is switched into backup mode.

Cheers,
Albert