Topics

Weird problem. I've been experimenting with some patches, and have routinely successfully reverted them by "opnsense-revert opnsense".

But on the latest try, it is stuck at ">>> Invoking update script 'refresh.sh'"

Previously I interrupted the script at this point and then tried again, but it complained that the OPNsense package repo conf was not available. So I copied that back from the sample, but the script still gets stuck.

Any tips how to fix this?

I need to run a PostUp command when my Mullvad WG interface comes up (to implement quantum resistant tunnelling: https://mullvad.net/en/help/quantum-resistant-tunnels-with-wireguard#modify-config).

I've successfully built the Mullvad utility for FreeBSD, and it works fine on the command line to establish ephemeral peers over the established tunnel to negotiate a PSK.

However, this needs to be run each time the tunnel is established.

There isn't any PostUp (or PostDown, PreUp or PreDown) option in the WG UI in OPNsense to easily add this. I know OPNsense doesn't directly use wg-quick, but there is also no equivalent option.

Is there another good way to do so? Or do I need to look at implementing changes to the OPNsense code to add advanced options in the UI to facilitate this?

Getting the following repeatedly in the log after the update to 24.7:

Code Select Expand

2024-08-13T21:45:01 Notice kernel (nda0:nvme0:0:0:1): Error 5, Retries exhausted
2024-08-13T21:45:01 Notice kernel (nda0:nvme0:0:0:1): CAM status: Unknown (0x420)
2024-08-13T21:45:01 Notice kernel (nda0:nvme0:0:0:1): READ. NCB: opc=2 fuse=0 nsid=1 prp1=0 prp2=0 cdw=11e0c7d0 0 27 0 0 0
2024-08-13T21:45:01 Notice kernel nvme0: UNRECOVERED READ ERROR (02/81) crd:0 m:0 dnr:0 p:1 sqid:2 cid:118 cdw0:0
2024-08-13T21:45:01 Notice kernel nvme0: READ sqid:2 cid:118 nsid:1 lba:299943888 len:40

Would welcome suggestions for troubleshooting.

The install is on ZFS.

On a whim - geez I regret it now - I installed the wireguard-kmod package to test it out. After rebooting, all DNS resolution in my network failed.

I use a separate box running Pi-hole/unbound to provide DNS. I can ping the box from OPNsense, I can SSH to it. The IPs are being handed out as DNS. But resolution fails.

So I removed wireguard-kmod, rebooted, and even did a config restore from a backup. Still not fixed.

I have double-checked firewall rules and all looks OK (they haven't changed). I am at total loss as to what the issue is. Any clues anyone ... please?

I have an interesting little issue. I am trying to delete an Alias that I don't need anymore. However, OPNsense is telling me it can't be deleted because it is used by a firewall rule - but that firewall rule no longer exists.

Is there a manual way I can delete the Alias?

Thanks.

I've just started seeing the following error in my OPNsense logs. It repeats 2 times (close together) every hour:

Code Select Expand

configctl[2077] error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out

Any ideas as to cause and cure?

So a couple of days ago my OPNsense installation (21.1.5) stopped resolving. I am getting something similar to this thread: https://forum.opnsense.org/index.php?topic=4403.0

For example if I try to check for updates:

Code Select Expand

***GOT REQUEST TO CHECK FOR UPDATES***
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/sets/changelog.txz.sig: No address record
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:12:amd64/21.1/OpenSSL/latest/meta.txz: No address record
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:12:amd64/21.1/OpenSSL/latest/packagesite.txz: No address record
Unable to update repository SunnyValley
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:12:amd64/meta.txz: No address record
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:12:amd64/packagesite.txz: No address record
Unable to update repository mimugmail
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I've tried the various fixes in the thread above but nothing.

My DNS servers are set correctly (they are pointing to a RPi on my LAN) and /etc/resolv.conf is populated correctly.

This just seemed to occur randomly one morning two days ago at 3am (judging from the logs when some Alias domains stopped resolving).

Any hints about how to fix? Thanks.

I've been playing around with settings based on my WG selective routing tutorial, as I've been finding that the WG tools are causing some odd issues.

First I discovered that setting DNS servers in the WG local configuration on OPNsense breaks DNS resolution on OPNsense itself if OPNsense is not one of the hosts using the tunnel. This is, I've found, a known issue caused by WG tools taking over resolv.conf.

Next I found that setting an external monitor IP for the WG gateway, such as 1.1.1.1, means that IP is only accessible through the tunnel, as a static route is created for it. So I can't get to 1.1.1.1 on any host not using the tunnel. Obviously not desirable.

So I was thinking about potential other options for a monitor IP, which also led me to thinking about gateway IPs. My VPN provider (PIA) provides a tunnel IP for the PIA endpoint (in this instance 10.5.128.1). So I thought - why not use that as the monitor IP? It works. And given that I would only be trying to access that IP via the tunnel, it won't break access on non-tunnel hosts.

But that also led me to thinking about the gateway IP. The tutorial notes that essentially any unique IP for the gateway will do, and suggests using a number one below the tunnel IP of the local peer for convenience. I thought though - isn't the PIA endpoint tunnel IP effectively the gateway for the tunnel? So I also substituted that IP (10.5.128.1) as the gateway IP. And that worked too.

I do notice though some differences in the routes in OPNsense between the two scenarios that I don't quite understand. I've attached two screenshots of the routes.

The first is where the local tunnel IP is 10.5.233.120, the gateway IP is 10.5.233.119, and the monitor IP is 10.5.128.1.

The second is where the local tunnel IP is 10.5.233.120, the gateway IP is 10.5.128.1, and the monitor IP is 10.5.128.1.

What is the significance of the differences, and is one setup better/more desirable than the other?

@mimugmail and @FingerlessGloves, any thoughts from either of you in particular? Or am I just looking at stuff that doesn't matter?

Dumb question. I have applied various patches over time to apply fixes or for testing. I want to reverse some of them but can't necessarily remember them all. Is there a way of listing what is currently applied so that I can figure out what to reverse? opnsense-patch -l only gives the content of the local cache, which as I understand it does not necessarily represent what is currently applied

[UPDATE: This tutorial has now been included in the official OPNsense documentation. Please submit any updates or improvements there (via GitHub).UPDATE #2 28 March 2021: This tutorial has been updated to remove reference to including the VPN provider's DNS servers in the Local configuration, as this can break DNS resolution on OPNsense itself. Also, if your network generally uses local DNS servers, you will likely experience DNS leaks unless you take further steps. Suggested solutions are proposed to be added to the official OPNsense documentation.]

UPDATE: This tutorial has now been included in the official OPNsense documentation. Please submit any updates or improvements there (via GitHub).

UPDATE #2 28 March 2021: This tutorial has been updated to remove reference to including the VPN provider's DNS servers in the Local configuration, as this can break DNS resolution on OPNsense itself. Also, if your network generally uses local DNS servers, you will likely experience DNS leaks unless you take further steps. Suggested solutions are proposed to be added to the official OPNsense documentation.

This tutorial is designed to assist with setting up WireGuard on OPNsense to connect only limited (not all) local hosts to an external VPN provider.

These circumstances may apply where only certain local hosts are intended to use the VPN tunnel. Or it could apply where multiple connections to the VPN provider are desired, with each connection intended to be used by different specific local hosts.

This tutorial draws heavily on the great work of @Jonny, in particular as shown here: https://m.imgur.com/gallery/JBf2RF6

This tutorial focuses on the configuration of OPNsense. You will also have to configure the peer at your VPN provider - consult your VPN provider's documentation as to how to do that.

Your OPNsense local public key will need to be registered with your VPN provider, and you will need to get your VPN provider's endpoint public key and the VPN tunnel IP provided for your local peer by your VPN provider. In some cases, you will not be able to get the endpoint public key and VPN tunnel IP until you register your local public key. In that case, create the OPNsense local configuration first, using a dummy tunnel IP and no peer selected, so that the public key is generated, and then update the configuration later once the other information is known.

This tutorial discusses IPv4 configuration only. It can be readily adapted for IPv6 as well.

Configure the endpoint

Go to VPN -> WireGuard -> Endpoints
Click + to add a new Endpoint
Configure the Endpoint as follows (if an option is not mentioned below, leave it as the default):

   Enabled: Checked
   Name: Call it whatever you want (eg VPNProviderName_Location)
   Public Key: Insert the public key from your VPN provider
   Allowed IPs: 0.0.0.0/0
   Endpoint Address: Insert the public IP address (desirably) or domain name of your VPN provider, as provided by it
   Endpoint Port: Insert the port of your VPN provider, as provided by it
   Keepalive: 25

Save the Endpoint configuration, and then click Save again

Configure the local peer

Go to VPN -> WireGuard -> Local
Click + to add a new Local configuration
Turn on "advanced mode"
Configure the Local configuration as follows (if an option is not mentioned below, leave it as the default):

   Enabled: Checked
   Name: Call it whatever you want (eg VPNProviderName)
   Public Key: This will initially be blank; it will be populated once the configuration is saved
   Private Key: This will initially be blank; it will be populated once the configuration is saved
   Listen Port: 51820 or a higher numbered unique port
   DNS Server: Leave this blank
   Tunnel Address: Insert the VPN tunnel IP provided by your VPN provider, in CIDR format, eg 10.24.24.10/32
   Peers: In the dropdown, select the Endpoint you configured above
   Disable Routes: Checked
   Gateway: Specify an IP that is 1 number below your VPN tunnel IP, eg 10.24.24.9. Note that the IP you choose is essentially arbitrary; pretty much any unique IP will do. The suggestion here is for convenience and to avoid conflicts

Save the local peer configuration, and then click Save again

Turn on WireGuard

Turn on WireGuard under VPN -> WireGuard -> General if it is not already on

Assign an interface to WireGuard and enable it

Go to Interfaces -> Assignments
In the dropdown next to "New interface:", select the WireGuard device (wg0 if this is your first one)
Add a description (eg WAN_VPNProviderName)
Click + to add it, then click Save

Then select your new interface under the Interfaces menu
Configure it as follows (if an option is not mentioned below, leave it as the default):

   Enable: Checked
   Lock: Checked if you wish to
   Description: Same as under Assignments, if this box is not already populated
   IPv4 Configuration Type: None
   IPv6 Configuration Type: None

Save the interface configuration and then click Apply changes

Restart WireGuard

Now restart WireGuard - you can do this from the Dashboard (if you have the services widget) or by turning it off and on under VPN -> WireGuard -> General

Create a gateway

Go to System -> Gateways -> Single
Click Add
Configure the gateway as follows (if an option is not mentioned below, leave it as the default):

   Name: Call it whatever you want, easiest to name it the same as the interface
   Description: Add one if you wish to   
   Interface: Select your newly created interface in the dropdown
   Address Family: Select IPv4 in the dropdown
   IP address: Insert the gateway IP that you configured under the WireGuard local peer configuration
   Far Gateway: Checked
   Monitor IP: Insert an external IP to monitor the gateway, such as 1.1.1.1 or 8.8.8.8

Save the gateway configuration and then click Apply changes

Create an Alias for the relevant local hosts that will access the tunnel

Go to Firewall -> Aliases
Click + to add a new Alias
Configure the Alias as follows (if an option is not mentioned below, leave it as the default):

   Enabled: Checked
   Name: Call it whatever your want, eg WG_VPN_Hosts
   Type: Select either Host(s) or Network(s) in the dropdown, depending on whether you want specific host IPs to use the tunnel, or an entire local network (such as a VLAN)
   Content: Enter the host IPs, or the network in CIDR format
   Description: Add one if you wish to

Save the Alias, and then click Apply

Create a firewall rule

This will involve two steps - first creating a second Alias for all local (private) networks, and then creating the firewall rule itself. The ultimate effect of these two steps is that only traffic from the relevant hosts that is destined for non-local destinations will be sent down the tunnel. This will ensure that the relevant hosts can still access local resources

First go to Firewall -> Aliases
Click + to add a new Alias
Configure the Alias as follows (if an option is not mentioned below, leave it as the default):

   Enabled: Checked
   Name: RFC1918_Networks
   Type: Select Network(s) in the dropdown
   Content: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
   Description: All local (RFC1918) networks

Save the Alias, and then click Apply

Then go to Firewall -> Rules -> [Name of the interface for the network in which the hosts/network resides, eg LAN for LAN hosts]
Click Add to add a new rule
Configure the rule as follows (if an option is not mentioned below, leave it as the default):

   Action: Pass
   Quick: Checked
   Interface: Whatever interface you are configuring the rule on
   Direction: in
   TCP/IP Version: IPv4
   Protocol: any
   Source / Invert: Unchecked
   Source: Select the relevant hosts Alias you created above in the dropdown (eg WG_VPN_Hosts)
   Destination / Invert: Checked
   Destination: Select the RFC1918_Networks Alias you created above in the dropdown
   Destination port range: any
   Description: Add one if you wish to   
   Gateway: Select the gateway you created above (eg WAN_VPNProviderName)

Save the rule, and then click Apply Changes

Then make sure that the new rule is above any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the "Default allow LAN to any rule"

Create an outbound NAT rule

Go to Firewall -> NAT -> Outbound
Select "Hybrid outbound NAT rule generation" if it is not already selected, and click Save and then Apply changes
Click Add to add a new rule
Configure the rule as follows (if an option is not mentioned below, leave it as the default):

   Interface: Select the interface for your WireGuard VPN (eg WAN_VPNProviderName)
   TCP/IP Version: IPv4
   Protocol: any
   Source invert: Unchecked
   Source address: Select the Alias for the hosts/networks that are intended to use the tunnel (eg WG_VPN_Hosts)
   Source port: any
   Destination invert: Unchecked
   Destination address: any
   Destination port: any
   Translation / target: Interface address
   Description: Add one if you wish to

Save then rule, and then click Apply changes

You should now be done!

Note that @Jonny's tutorial (linked above) also include instructions for the optional step of adding a kill switch - so that if the VPN tunnel is down, the relevant hosts will be blocked from using your normal WAN

Appreciate that 21.1 is taking a lot of focus atm but was wondering about anticipated timing for the sudo patch for the above (significant) vulnerability making it into OPNsense? FreeBSD's patch is out: https://svnweb.freebsd.org/ports?view=revision&revision=562997

Thanks for the great work as always

I run the OPNsense webserver behind a nginx reverse proxy. I have configured the X-Forwarded-For header in nginx to pass the real IP of the client connecting to the reverse proxy, but OPNsense does not register that.

To get OPNsense to do so, I understand from research that I need to enable the "mod_extforward" module in lighttpd and specify the IP(s) of the reverse proxy. Something like this:

Code Select Expand

server.modules += ( "mod_extforward" )
extforward.forwarder = (
     "xxx.xxx.xxx.xxx" => "trust",
     "xxx.xxx.xxx.xxx" => "trust"
)

My question is where is best to do this in OPNsense, so that it will survive updates. I suspect it is best not to do it in /usr/local/etc/lighttpd/lighttpd.conf? Should I:

• add it to /usr/local/etc/lighttpd/modules.conf?
• create a separate conf file in /usr/local/etc/lighttpd/conf.d/? In that case what is the best way to load it, eg adding an include directive to modules.conf?

Thanks

I've noticed a quirky issue that I'm hopeful someone has seen before or can suggest troubleshooting steps for. I've searched online but can't find any similar situations.

Almost exactly every 48 hours (around 3am every second day), I see a LAN detached event in OPNsense's logs, for example:

Code Select Expand

2020-12-25T03:00:14 opnsense[939] /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan

This causes dhcp6c to restart, so it goes through its process of sending a release, soliciting for an IPv6 address/prefix on the WAN, and getting an advertise of WAN GUA and prefix. Sometimes it gets to the point of requesting the address/prefix. It is interrupted though by another detached event, this time on one of the VLAN interfaces (say OPT1) that is on the same interface as the LAN.

The process then repeats, cycling through every VLAN (OPT2, OPT3 etc).

Then there is a series of attached events, again for the LAN interface and every VLAN in sequence. For each attached event, dhcp6c restarts and goes through its process (or part of its process).

This whole process of detached and attached events then repeats itself, sometimes once, sometimes two or more times.

This all lasts maybe 30 to 45 seconds in the logs. Most times it stops after a while and everything seems to return to normal.

But on occasion it causes dhcp6c to fail. A few minutes after the attached/detached events cycle stops, dhcp6c reports an "XID mismatch", and then dhclient goes into a cycle of "Creating resolv.conf" every 15 minutes.

The end result is that the WAN GUA and prefix disappear, and there is no external IPv6 connectivity. IPv4 is unaffected.

Any ideas?

Versions:
OPNsense 20.7.7_1-amd64
FreeBSD 12.1-RELEASE-p11-HBSD
OpenSSL 1.1.1i 8 Dec 2020

Small issue, but a useful UI tweak - instead of showing UTC time for handshakes in the WireGuard widget on the dashboard, would it be possible for the widget to be updated so that it shows times in the time zone that the server/OPNsense is set to?

Thanks

Hopefully sometime can give me a tip to fix a little problem I have with IPv6.

Up until yesterday, I had IPv6 configured properly in OPNsense. My various VLANs were getting /64 networks, and all was good.

My ISP developed some IPv6 routing issues yesterday due to some router config changes at their end, and while they were fixing it I turned off IPv6 on the WAN interface (didn't touch the VLANs though).

Today I turned it back on. However, my VLANs are no longer getting /64s.

The WAN is happily getting an /128 address and /56 prefix. But dhcp6c says in the logs for each VLAN, for example: "failed to add an address on igb1: File exists".

Reloading IPv6 on the WAN does not fix it. Nor does restarting radvd. Nor does rebooting OPNsense.

Anyone got any tips for fixing this easily? Thanks.

I was hoping to get a sense of whether a wide-dhcpv6 patch that was introduced in the upstream in 2015 will make it into OPNsense. Hopefully this is the right place to ask, rather than, eg, on GitHub.

The issue is this (as explained to me by my ISP). Whenever dhcp6c on OPNsense sends a release to my ISP, and then (as is usual) tries to send a solicit straight after the release to obtain a new lease, the ISP's BNG responds with a DHCPv6 UnspecFail advertise. Apparently, somewhere between the DHCPv6 proxy and DHCPv6 server running on the BNG, the release process has not been finalised (and so the lease is not considered available to the client again) when dhcp6c sends the new solicit, hence the UnspecFail response.

However, dhcp6c does not interpret this correctly and instead assumes the BNG is trying to advertise the prefix, and so dhcp6c sends a DHCPv6 request for a blank prefix back to the BNG. The BNG of course drops this as invalid. dhcp6c then eventually gives up trying to get a DHCPv6 lease, and accordingly no WAN GUA or IPv6 PD is received, until dhcp6c is reloaded or restarted.

The behaviour can be seen in these logs (anonymised):

Code Select Expand

2020-12-07T09:27:04 dhclient[59442] My address (xxx.xxx.xxx.140) was deleted, dhclient exiting
2020-12-07T09:27:04 dhclient[78405] Starting delete_old_states()
2020-12-07T09:27:04 dhclient[72525] Comparing IPs: Old: xxx.xxx.xxx.xxx New:
2020-12-07T09:27:04 dhclient[44634] Removing states from old IP 'xxx.xxx.xxx.140' (new IP '')
2020-12-07T09:27:04 dhclient[59442] connection closed
2020-12-07T09:27:04 dhclient[59442] exiting.
2020-12-07T09:27:04 dhclient[16850] Starting delete_old_states()
2020-12-07T09:27:04 dhclient[94879] Comparing IPs: Old: xxx.xxx.xxx.140 New:
2020-12-07T09:27:04 dhclient[42526] Removing states from old IP 'xxx.xxx.xxx.140' (new IP '')
2020-12-07T09:27:04 dhclient[72953] DHCPREQUEST on igb0 to 255.255.255.255 port 67
2020-12-07T09:27:04 dhclient[72953] DHCPACK from xxx.xxx.xxx.1
2020-12-07T09:27:04 dhclient[23989] Starting delete_old_states()
2020-12-07T09:27:04 dhclient[72164] Comparing IPs: Old: xxx.xxx.xxx.140 New: xxx.xxx.xxx.140
2020-12-07T09:27:04 dhclient[39437] New IP Address (igb0): xxx.xxx.xxx.140
2020-12-07T09:27:04 dhclient[52716] New Subnet Mask (igb0): 255.255.252.0
2020-12-07T09:27:04 dhclient[95879] New Broadcast Address (igb0): xxx.xxx.xxx.255
2020-12-07T09:27:04 dhclient[31371] New Routers (igb0): xxx.xxx.xxx.1
2020-12-07T09:27:04 dhclient[79817] route add default xxx.xxx.xxx.1
2020-12-07T09:27:04 dhclient[99820] Creating resolv.conf
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb0'
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: On (IP address: xxx.xxx.xxx.140) (interface: WAN[wan]) (real interface: igb0).
2020-12-07T09:27:04 opnsense[6163] plugins_configure hosts ()
2020-12-07T09:27:04 opnsense[6163] plugins_configure hosts (execute task : dnsmasq_hosts_generate())
2020-12-07T09:27:04 opnsense[6163] plugins_configure hosts (execute task : unbound_hosts_generate())
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
2020-12-07T09:27:04 opnsense[6163] plugins_configure monitor ()
2020-12-07T09:27:04 opnsense[6163] plugins_configure monitor (execute task : dpinger_configure_do())
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: The WAN_DHCP6 monitor address is empty, skipping.
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: The WAN_DHCP monitor address is empty, skipping.
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: The OpenVPNv6 monitor address is empty, skipping.
2020-12-07T09:27:04 opnsense[6163] /usr/local/etc/rc.newwanip: The OpenVPNv4 monitor address is empty, skipping.
2020-12-07T09:27:05 opnsense[6163] plugins_configure vpn (,wan)
2020-12-07T09:27:05 kernel pflog0: promiscuous mode disabled
2020-12-07T09:27:05 kernel pflog0: promiscuous mode enabled
2020-12-07T09:27:05 opnsense[6163] plugins_configure vpn (execute task : ipsec_configure_do(,wan))
2020-12-07T09:27:05 opnsense[6163] plugins_configure vpn (execute task : openvpn_configure_do(,wan))
2020-12-07T09:27:05 opnsense[6163] /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (,wan)
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : dyndns_configure_do(,wan))
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : ntpd_configure_defer())
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : opendns_configure_do())
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : openssh_configure_do(,wan))
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : unbound_configure_do(,wan))
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : vxlan_configure_interface())
2020-12-07T09:27:05 opnsense[6163] plugins_configure newwanip (execute task : webgui_configure_do(,wan))
2020-12-07T09:27:05 dhclient[72953] bound to xxx.xxx.xxx.140 -- renewal in 900 seconds.
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: Accept router advertisements on interface igb0
2020-12-07T09:27:05 dhcp6c[7137] RTSOLD script - Sending SIGHUP to dhcp6c
2020-12-07T09:27:05 dhcp6c[41467] restarting
2020-12-07T09:27:05 dhcp6c[41467] Start address release
2020-12-07T09:27:05 dhcp6c[41467] release an IA: NA-0
2020-12-07T09:27:05 dhcp6c[41467] reset a timer on igb0, state=RELEASE, timeo=0, retrans=1033
2020-12-07T09:27:05 dhcp6c[41467] Sending Release
2020-12-07T09:27:05 dhcp6c[41467] a new XID (d304b7) is generated
2020-12-07T09:27:05 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:05 dhcp6c[41467] set server ID (len 14)
2020-12-07T09:27:05 dhcp6c[41467] set IA address
2020-12-07T09:27:05 dhcp6c[41467] set identity association
2020-12-07T09:27:05 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:05 dhcp6c[41467] send release to ff02::1:2%igb0
2020-12-07T09:27:05 dhcp6c[41467] remove an IA: NA-0
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:8671
2020-12-07T09:27:05 dhcp6c[41467] failed to remove an address on igb0: Can't assign requested address
2020-12-07T09:27:05 dhcp6c[41467] reset a timer on igb0, state=INIT, timeo=0, retrans=174
2020-12-07T09:27:05 dhcp6c[41467] Start address release
2020-12-07T09:27:05 dhcp6c[41467] release an IA: PD-0
2020-12-07T09:27:05 dhcp6c[41467] reset a timer on igb0, state=RELEASE, timeo=0, retrans=930
2020-12-07T09:27:05 dhcp6c[41467] Sending Release
2020-12-07T09:27:05 dhcp6c[41467] a new XID (1527b4) is generated
2020-12-07T09:27:05 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:05 dhcp6c[41467] set server ID (len 14)
2020-12-07T09:27:05 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:05 dhcp6c[41467] set IA_PD prefix
2020-12-07T09:27:05 dhcp6c[41467] set IA_PD
2020-12-07T09:27:05 dhcp6c[41467] send release to ff02::1:2%igb0
2020-12-07T09:27:05 dhcp6c[41467] remove an IA: PD-0
2020-12-07T09:27:05 dhcp6c[41467] remove a site prefix xxxx:xxxx:xxxx:xxxx::/56
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3261/64 on igb1_vlan66
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3261/64 on igb1
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3261/64 on igb1_vlan10
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3261/64 on igb1_vlan99
2020-12-07T09:27:05 dhcp6c[41467] remove an address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3261/64 on igb1_vlan49
2020-12-07T09:27:05 dhcp6c[41467] reset a timer on igb0, state=INIT, timeo=0, retrans=16
2020-12-07T09:27:05 dhcp6c[41467] removing an event on igb0, state=INIT
2020-12-07T09:27:05 dhcp6c[41467] removing an event on igb0, state=INIT
2020-12-07T09:27:05 dhcp6c[41467] <3>[interface] (9)
2020-12-07T09:27:05 dhcp6c[41467] <5>[igb0] (4)
2020-12-07T09:27:05 dhcp6c[41467] <3>begin of closure [{] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>[send] (4)
2020-12-07T09:27:05 dhcp6c[41467] <3>[ia-na] (5)
2020-12-07T09:27:05 dhcp6c[41467] <3>[0] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>comment [# request stateful address] (26)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <5>[igb1_vlan10] (11)
2020-12-07T09:27:05 dhcp6c[41467] <3>begin of closure [{] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>[sla-id] (6)
2020-12-07T09:27:05 dhcp6c[41467] <3>[16] (2)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>[sla-len] (7)
2020-12-07T09:27:05 dhcp6c[41467] <3>[8] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of closure [}] (1)
2020-12-07T09:27:05 dhcp6c[41467] called
2020-12-07T09:27:05 dhcp6c[41467] called
2020-12-07T09:27:05 dhcp6c[41467] duplicated interface: igb0
2020-12-07T09:27:05 dhcp6c[41467] <3>[interface] (9)
2020-12-07T09:27:05 dhcp6c[41467] <5>[igb0] (4)
2020-12-07T09:27:05 dhcp6c[41467] <3>begin of closure [{] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>[send] (4)
2020-12-07T09:27:05 dhcp6c[41467] <3>[ia-na] (5)
2020-12-07T09:27:05 dhcp6c[41467] <3>[0] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>comment [# we'd like some nameservers please] (35)
2020-12-07T09:27:05 dhcp6c[41467] <3>[id-assoc] (8)
2020-12-07T09:27:05 dhcp6c[41467] <13>[na] (2)
2020-12-07T09:27:05 dhcp6c[41467] <13>[0] (1)
2020-12-07T09:27:05 dhcp6c[41467] <13>begin of closure [{] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of closure [}] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>end of sentence [;] (1)
2020-12-07T09:27:05 dhcp6c[41467] <3>[id-assoc] (8)
2020-12-07T09:27:05 dhcp6c[41467] <13>[pd] (2)
2020-12-07T09:27:05 dhcp6c[41467] <13>[0] (1)
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: entering configure using 'wan'
2020-12-07T09:27:05 dhcp6c[41467] receive reply from fe80::2a2:ff:feb2:c2%igb0 on igb0
2020-12-07T09:27:05 dhcp6c[41467] get DHCP option client ID, len 14
2020-12-07T09:27:05 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:60
2020-12-07T09:27:05 dhcp6c[41467] get DHCP option server ID, len 14
2020-12-07T09:27:05 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:d0
2020-12-07T09:27:05 dhcp6c[41467] get DHCP option identity association, len 63
2020-12-07T09:27:05 dhcp6c[41467] IA_NA: ID=0, T1=0, T2=0
2020-12-07T09:27:05 dhcp6c[41467] get DHCP option status code, len 47
2020-12-07T09:27:05 dhcp6c[41467] status code: success
2020-12-07T09:27:05 dhcp6c[41467] get DHCP option status code, len 41
2020-12-07T09:27:05 dhcp6c[41467] status code: success
2020-12-07T09:27:05 dhcp6c[41467] Received REPLY for RELEASE
2020-12-07T09:27:05 dhcp6c[41467] status code: success
2020-12-07T09:27:05 dhcp6c[33283] dhcp6c RELEASE on igb0
2020-12-07T09:27:05 dhcp6c[80681] dhcp6c RELEASE on igb0 - running newipv6
2020-12-07T09:27:05 opnsense[99831] /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'igb0'
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: IPv4 default gateway set to wan
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2020-12-07T09:27:05 opnsense[99831] /usr/local/etc/rc.newwanipv6: On (IP address: ) (interface: WAN[wan]) (real interface: igb0).
2020-12-07T09:27:05 opnsense[99831] /usr/local/etc/rc.newwanipv6: Failed to detect IP for WAN[wan]
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: IPv6 default gateway set to wan
2020-12-07T09:27:05 opnsense[17528] /usr/local/etc/rc.configure_interface: ROUTING: skipping IPv6 default route
2020-12-07T09:27:05 dhcp6c[41467] script "/var/etc/dhcp6c_wan_script.sh" terminated
2020-12-07T09:27:05 dhcp6c[41467] removing an event on igb0, state=RELEASE
2020-12-07T09:27:05 dhcp6c[41467] got an expected reply, sleeping.
2020-12-07T09:27:05 opnsense[17528] plugins_configure ipsec (1,wan)
2020-12-07T09:27:05 opnsense[17528] plugins_configure ipsec (execute task : ipsec_configure_do(1,wan))
2020-12-07T09:27:05 opnsense[17528] plugins_configure dhcp (1)
2020-12-07T09:27:05 opnsense[17528] plugins_configure dhcp (execute task : dhcpd_dhcp_configure(1))
2020-12-07T09:27:06 dhcp6c[41467] Sending Solicit
2020-12-07T09:27:06 dhcp6c[41467] a new XID (2efce5) is generated
2020-12-07T09:27:06 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:06 dhcp6c[41467] set identity association
2020-12-07T09:27:06 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:06 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:06 dhcp6c[41467] set IA_PD prefix
2020-12-07T09:27:06 dhcp6c[41467] set IA_PD
2020-12-07T09:27:06 dhcp6c[41467] send solicit to ff02::1:2%igb0
2020-12-07T09:27:06 dhcp6c[41467] reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1085
2020-12-07T09:27:06 dhcp6c[41467] receive advertise from fe80::2a2:ff:feb2:c2%igb0 on igb0
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option server ID, len 10
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option client ID, len 14
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:60
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option status code, len 2
2020-12-07T09:27:06 dhcp6c[41467] status code: unspec failure
2020-12-07T09:27:06 dhcp6c[41467] server ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28, pref=-1
2020-12-07T09:27:06 dhcp6c[41467] reset timer for igb0 to 0.992740
2020-12-07T09:27:06 dhcp6c[41467] receive advertise from fe80::2a2:ff:feb2:c2%igb0 on igb0
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option server ID, len 10
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option client ID, len 14
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:60
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option status code, len 2
2020-12-07T09:27:06 dhcp6c[41467] status code: unspec failure
2020-12-07T09:27:06 dhcp6c[41467] server ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28, pref=-1
2020-12-07T09:27:06 dhcp6c[41467] duplicated server (ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28)
2020-12-07T09:27:06 opnsense[17528] plugins_configure dns (1)
2020-12-07T09:27:06 opnsense[17528] plugins_configure dns (execute task : dnsmasq_configure_do(1))
2020-12-07T09:27:06 opnsense[17528] plugins_configure dns (execute task : unbound_configure_do(1))
2020-12-07T09:27:06 dhcp6c[41467] Sending Release
2020-12-07T09:27:06 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:06 dhcp6c[41467] set server ID (len 14)
2020-12-07T09:27:06 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:06 dhcp6c[41467] set IA_PD prefix
2020-12-07T09:27:06 dhcp6c[41467] set IA_PD
2020-12-07T09:27:06 dhcp6c[41467] send release to ff02::1:2%igb0
2020-12-07T09:27:06 dhcp6c[41467] reset a timer on igb0, state=RELEASE, timeo=1, retrans=1770
2020-12-07T09:27:06 dhcp6c[41467] receive reply from fe80::2a2:ff:feb2:c2%igb0 on igb0
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option client ID, len 14
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:60
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option server ID, len 14
2020-12-07T09:27:06 dhcp6c[41467] DUID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:d0
2020-12-07T09:27:06 dhcp6c[41467] get DHCP option status code, len 2
2020-12-07T09:27:06 dhcp6c[41467] status code: no binding
2020-12-07T09:27:06 dhcp6c[41467] Received REPLY for RELEASE
2020-12-07T09:27:06 dhcp6c[41467] status code: no binding
2020-12-07T09:27:06 dhcp6c[41467] executes /var/etc/dhcp6c_wan_script.sh
2020-12-07T09:27:06 dhcp6c[44127] dhcp6c RELEASE on igb0
2020-12-07T09:27:06 dhcp6c[60627] dhcp6c RELEASE on igb0 - running newipv6
2020-12-07T09:27:06 opnsense[56651] /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'igb0'
2020-12-07T09:27:06 opnsense[56651] /usr/local/etc/rc.newwanipv6: On (IP address: ) (interface: WAN[wan]) (real interface: igb0).
2020-12-07T09:27:06 opnsense[56651] /usr/local/etc/rc.newwanipv6: Failed to detect IP for WAN[wan]
2020-12-07T09:27:06 dhcp6c[41467] script "/var/etc/dhcp6c_wan_script.sh" terminated
2020-12-07T09:27:06 dhcp6c[41467] removing an event on igb0, state=RELEASE
2020-12-07T09:27:06 dhcp6c[41467] got an expected reply, sleeping.
2020-12-07T09:27:07 dhcp6c[41467] picked a server (ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28)
2020-12-07T09:27:07 dhcp6c[41467] Sending Request
2020-12-07T09:27:07 dhcp6c[41467] a new XID (2f1201) is generated
2020-12-07T09:27:07 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:07 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:07 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:07 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:07 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:07 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=0, retrans=907
2020-12-07T09:27:07 dhcp6c[41467] Sending Request
2020-12-07T09:27:07 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:07 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:07 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:07 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:07 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:07 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=1, retrans=1895
2020-12-07T09:27:09 dhcp6c[41467] Sending Request
2020-12-07T09:27:09 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:09 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:09 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:09 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:09 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:09 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=2, retrans=3731
2020-12-07T09:27:13 dhcp6c[41467] Sending Request
2020-12-07T09:27:13 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:13 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:13 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:13 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:13 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:13 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=3, retrans=7516
2020-12-07T09:27:21 dhcp6c[41467] Sending Request
2020-12-07T09:27:21 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:21 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:21 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:21 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:21 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:21 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=4, retrans=14760
2020-12-07T09:27:35 dhcp6c[41467] Sending Request
2020-12-07T09:27:35 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:27:35 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:27:35 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:27:35 dhcp6c[41467] set option request (len 4)
2020-12-07T09:27:35 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:27:35 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=5, retrans=28144
2020-12-07T09:28:03 dhcp6c[41467] Sending Request
2020-12-07T09:28:03 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:28:03 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:28:03 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:28:03 dhcp6c[41467] set option request (len 4)
2020-12-07T09:28:03 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:28:03 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=6, retrans=31284
2020-12-07T09:28:35 dhcp6c[41467] Sending Request
2020-12-07T09:28:35 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:28:35 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:28:35 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:28:35 dhcp6c[41467] set option request (len 4)
2020-12-07T09:28:35 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:28:35 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=7, retrans=32607
2020-12-07T09:29:07 dhcp6c[41467] Sending Request
2020-12-07T09:29:07 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:29:07 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:29:07 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:29:07 dhcp6c[41467] set option request (len 4)
2020-12-07T09:29:07 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:29:07 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=8, retrans=31383
2020-12-07T09:29:39 dhcp6c[41467] Sending Request
2020-12-07T09:29:39 dhcp6c[41467] set client ID (len 14)
2020-12-07T09:29:39 dhcp6c[41467] set server ID (len 10)
2020-12-07T09:29:39 dhcp6c[41467] set elapsed time (len 2)
2020-12-07T09:29:39 dhcp6c[41467] set option request (len 4)
2020-12-07T09:29:39 dhcp6c[41467] send request to ff02::1:2%igb0
2020-12-07T09:29:39 dhcp6c[41467] reset a timer on igb0, state=REQUEST, timeo=9, retrans=30951
2020-12-07T09:30:10 dhcp6c[41467] no responses were received
2020-12-07T09:30:10 dhcp6c[41467] removing an event on igb0, state=REQUEST
2020-12-07T09:30:10 dhcp6c[41467] removing server (ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:28)


The BNG's behaviour (my ISP uses Cisco routers) is actually RFC compliant, according to my ISP. Per RFC 3315 (https://tools.ietf.org/html/rfc3315#section-15):

If a server receives a message that contains options it should not contain (such as an Information-request message with an IA option), is missing options that it should contain, or is otherwise not valid, it MAY send a Reply (or Advertise as appropriate) with a Server Identifier option, a Client Identifier option if one was included in the message and a Status Code option with status UnSpecFail.

Same for the updated RFC 8415 (https://tools.ietf.org/html/rfc8415#section-16):

If a server receives a message that it considers invalid, it MAY send a Reply message (or Advertise message, as appropriate) with a Server Identifier option (see Section 21.3), a Client Identifier option (see Section 21.2) (if one was included in the message), and a Status Code option (see Section 21.13) with status UnspecFail.

The issue of wide-dhcpv6 / dhcp6c not responding correctly to UnspecFail advertises was, I am told, addressed in the upstream. My research suggests that occurred in 2015: https://sourceforge.net/p/wide-dhcpv6/bugs/34/. Specifically, item 4:

4) dhcpv6: ignore advertise messages with none of requested data and missed status codes.

This patch was implemented in Debian in March 2018: https://metadata.ftp-master.debian.org/changelogs//main/w/wide-dhcpv6/wide-dhcpv6_20080615-23_changelog. Specifically, patch 0018:

- Add patch 0018 to ignore advertise messages with none of requested data and missed status codes.
  Thanks to Roman Mamedov for the report and Evgeniy Manachkin for the patch (Closes: #765453).

What I understand to be the content of the patch is attached.

But this patch does not appear to have made it into FreeBSD or OPNsense.

Curiously, some of the items addressed by the upstream patch in 2015 have been implemented - in FreeBSD in Jan 2016 (based on the descriptions in https://www.freshports.org/net/dhcp6 for version 20080615_4) and in OPNsense in December 2016 (based on the commit descriptions in https://github.com/opnsense/dhcp6c/commits/master). But not item 4.

Is there any prospect of this patch being implemented in OPNsense?

I was wondering whether it would be possible for the predefined network variables that can be used in firewall rules (eg WAN address, WAN net, LAN address, LAN net etc) to also be made available as options to use for Hosts or Networks when creating an Alias. At the moment, only other Aliases appear as options to select in the dropdown.

Thanks

I was wondering if there is an existing way to implement RFC7217 (stable privacy IPv6 addresses) in OPNsense. I couldn't see anything in the web interface. I did find a reference online to it being configurable in a BSD environment through /etc/dhcpcd.conf, although I am not entirely sure how to translate that to the OPNsense scenario.

I am aware of the tunables for temporary addresses (privacy extensions to SLAAC), but that is different (RFC4941).

Thanks

I've been investigating adding an IPv6 global unicast address to my OPNsense box's loopback.

I've achieved it by creating a new loopback device, assigning a new interface to that device, and then assigning a static IPv6 address to that interface using my prefix and an unused prefix ID. That works fine.

But that results in a new loopback interface being created (lo1, separate to the existing lo0), and also means that if my prefix changes, I need to manually update the static IP. That's not the end of the world, but:

• is there a way to add the GUA to the existing lo0 instead - I couldn't see a way in the web interface
• is it possible to generate the address by SLAAC instead of creating a static IP - I tried to use Track Interface and configure the interface to use SLAAC, but that seemed to kill dhcp6c

In the end, it probably doesn't really matter if I can't change my current approach, but I was curious if I could streamline it.

Thanks

I know this is not a new topic, but I'm really struggling to get mDNS repeated/relayed across VLANs, after spending days searching the forum and the web and trying various setups.

I recently replaced the UniFi Security Gateway in my network with an OPNsense box. I've managed to set up everything to replicate the network topology I had with the USG and have now introduced the box into the network.

My network includes a number of VLANs. Of relevance here are VLAN10 and VLAN49. VLAN10 includes my trusted devices and VLAN49 includes IoT type devices, including an AirPrint printer and AppleTVs.

Generally VLAN49 is prevented from communicating with VLAN10 (but not vice versa). With the USG I had implemented a mDNS repeater that meant VLAN10 could find all the Bonjour devices in VLAN49.

I am trying to replicate that with OPNsense. I have used both the os-mdns-repeater and os-udpbroadcast-relay plugins (separately), but without success. I have tried those plugins with firewall rules accepting traffic on port 5353 in both VLANs, but without success.

I just cannot figure out what I am doing incorrectly. If anyone has a setup similar to mine and has mDNS successfully being repeated/relayed across VLANs - particularly for AirPrint and AirPlay - could they please let me know how they have achieved it?

Thanks