Topics - danderson

#1
Not sure if this only applies to my issue or is larger, but after the update to 25.7.1 all was working well. I went to recycle strongSwan and afterwards the config for all my IPsec tunnels was not being read / shown properly and would not connect. As soon as I reverted back to 25.7 and recycled strongSwan again, all appeared correctly and connected. The widget showed no phase 1 when broken on 25.7.1; as it appears to be how it was parsing the config file, it may be larger than just the IPsec issue that I had.
#2
25.1, 25.4 Legacy Series / 25.1 FRR Errors
January 29, 2025, 04:33:38 PM
After upgrading to 25.1 the FRR config file shows empty and I get BGP and other errors; it does not connect to neighbors.
#3
25.1, 25.4 Legacy Series / Strongswan 6
January 10, 2025, 07:27:42 PM
@Franco,

Is strongSwan 6 going to be in 25.1?
#4
My RADIUS is still working with this AP, I don't see where to set this option in OPNsense. Any ideas?

Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: Please set "require_message_authenticator = true" for client AP1
Error: It looks like the client has been updated to protect from the BlastRADIUS attack.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: Setting "require_message_authenticator = true" for client AP1
Error: BlastRADIUS check: Received packet with Message-Authenticator.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
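The setting the log asks for lives in the FreeRADIUS client definition. The fragment below is an added example, not from the post or from the OPNsense/FreeRADIUS projects: a clients.conf client entry in the state that produces the warning (Message-Authenticator not required), beside the same entry with `require_message_authenticator = true` as the log requests. The client name AP1 comes from the log; the IP address and shared secret are constructed placeholders, and only one of the two entries would be kept in a real file.

```conf
# Added example, not from the original post. FreeRADIUS clients.conf fragment.

# Before: Message-Authenticator is optional, so an Access-Request from this
# client without the attribute is still accepted. This is the state that
# triggers the "Please set require_message_authenticator = true" warning.
client AP1 {
    ipaddr = 192.0.2.10                 # constructed placeholder address
    secret = CHANGE_ME_SHARED_SECRET    # constructed placeholder secret
    require_message_authenticator = false
}

# After: every Access-Request from AP1 must carry a valid Message-Authenticator,
# which is the BlastRADIUS mitigation the log line asks for.
client AP1 {
    ipaddr = 192.0.2.10                 # constructed placeholder address
    secret = CHANGE_ME_SHARED_SECRET    # constructed placeholder secret
    require_message_authenticator = true
}
```

Once the hardened entry is in place, the "BlastRADIUS check: Received packet with Message-Authenticator." line in the log above is the confirmation to look for: it shows the AP is already sending the attribute, so requiring it should not break authentication for that client.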
#5
@franco

Updated from RC2 and dev kernel to 24.7 Release with no issues/crashes
#6
24.1, 24.4 Legacy Series / 24.1.9 NAT Reflection
June 18, 2024, 11:36:18 PM
Since the 24.1.9 update, reflection for 1:1 seems not to be working. Prior to it, my internal clients hitting the NAT address would get the correct server; now they are landing on the firewall, i.e. HTTPS lands on the OPNsense login page instead of the box that I want, which was working previously.

This is for 1:1 NAT rules that I'm having issues with since the upgrade.
#7
Anyone else seeing/noticing issues with MSS? I have had my MSS set to 1300 for IPsec and WG for years and it has been working well, but after the 24.1 update (including 24.1.1) it's either not working or something else is going on. UDP I get full speed, but TCP is very slow, like a lot of fragmentation. I've even tried lowering MSS to 1260 to no effect. I can see in my transport graphs that this changed on 1/30/24 with the update to 24.1.

# iperf3 -c X.X.X.X -b 950M
Connecting to host X.X.X.X, port 5201
[  5] local X.X.X.X port 34276 connected to X.X.X.X port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.25 MBytes  10.5 Mbits/sec   16   9.75 KBytes
[  5]   1.00-2.00   sec   867 KBytes  7.11 Mbits/sec   10   13.4 KBytes
[  5]   2.00-3.00   sec   669 KBytes  5.48 Mbits/sec   12   12.2 KBytes
[  5]   3.00-4.00   sec   726 KBytes  5.94 Mbits/sec   16   6.09 KBytes
[  5]   4.00-5.00   sec   634 KBytes  5.19 Mbits/sec   13   9.75 KBytes
[  5]   5.00-6.00   sec   760 KBytes  6.23 Mbits/sec   17   6.09 KBytes
[  5]   6.00-7.00   sec   824 KBytes  6.75 Mbits/sec   13   12.2 KBytes
[  5]   7.00-8.00   sec   768 KBytes  6.29 Mbits/sec   17   4.88 KBytes
[  5]   8.00-9.00   sec   640 KBytes  5.24 Mbits/sec   15   6.09 KBytes
[  5]   9.00-10.00  sec   620 KBytes  5.08 Mbits/sec   15   3.66 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  7.61 MBytes  6.38 Mbits/sec  144             sender
[  5]   0.00-10.01  sec  7.43 MBytes  6.23 Mbits/sec                  receiver

iperf Done.
iperf3 -c X.X.X.X -b 950M -u
Connecting to host X.X.X.X, port 5201
[  5] local X.X.X.X port 58862 connected to X.X.X.X port 5201
[ ID] Interval           Transfer     Bitrate         Total Datagrams
[  5]   0.00-1.00   sec  77.4 MBytes   649 Mbits/sec  65016
[  5]   1.00-2.00   sec   114 MBytes   957 Mbits/sec  95900
[  5]   2.00-3.00   sec   118 MBytes   987 Mbits/sec  98870
[  5]   3.00-4.00   sec   113 MBytes   947 Mbits/sec  94853
[  5]   4.00-5.00   sec   114 MBytes   959 Mbits/sec  96052
[  5]   5.00-6.00   sec   115 MBytes   968 Mbits/sec  97000
[  5]   6.00-7.00   sec   115 MBytes   961 Mbits/sec  96237
[  5]   7.00-8.00   sec   104 MBytes   876 Mbits/sec  87765
[  5]   8.00-9.00   sec   116 MBytes   975 Mbits/sec  97616
[  5]   9.00-10.00  sec   117 MBytes   984 Mbits/sec  98529
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.08 GBytes   926 Mbits/sec  0.000 ms  0/927838 (0%)  sender
[  5]   0.00-10.02  sec   646 MBytes   541 Mbits/sec  0.012 ms  381658/924217 (41%)  receiver
#8
Warning   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The required GATEWAY NAME IPv6 interface address could not be found, skipping.

But also, radvd, dhcpv6, and the gateway monitor will all not start. Previously I had a static entry in the interface, but removed it after the last update so that the WG tunnels would come up/online on boot. Nothing changed, and with ifconfig I do see the IPv6 addresses, but it appears the other services no longer think the interface has an IP.

In gateways, when applying the config with 0 changes as before, the warning/error is: The following input errors were detected:

Cannot add IPv6 Gateway Address because no IPv6 address could be found on the interface.

But clearly the interface has an IP.

wg1: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet6 fd93:xx:xx:xx::6 prefixlen 126
        inet6 fe80::6%wg1 prefixlen 64 scopeid 0x12
        groups: wg wireguard
        nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
#9
23.7 Legacy Series / 23.7.7 WG errors in Crash Reporter
October 25, 2023, 03:19:24 PM
This just started happening on 23.7.7. WG still works after I restart the connections manually (recycle button on the dashboard), but I'm just getting the red dot and this report on each system using WG; any other system not using WG does not receive a crash report. FYI

PHP Fatal error:  Uncaught Error: Call to undefined function system_routing_configure() in /usr/local/etc/inc/interfaces.inc:3636
Stack trace:
#0 /usr/local/opnsense/scripts/Wireguard/wg-service-control.php(125): interfaces_restart_by_device(false, Array, false)
#1 /usr/local/opnsense/scripts/Wireguard/wg-service-control.php(238): wg_start(Object(OPNsense\Base\FieldTypes\ContainerField), Resource id #54, 'up')
#2 {main}
  thrown in /usr/local/etc/inc/interfaces.inc on line 3636
#10
So I have WG v4 and v6 tunnels working. v4 BGP works fine with the /30 network provided, but IPv6 with the /126 provided won't let a BGP neighbor establish, even though both IPs ping across the WG tunnel.

The error I see in the FRR logs is as follows:
Interface: wg1 does not have a v6 LL address associated with it, waiting until one is created for it

I found the following 2 links and they both state that the WG tunnel for v6 needs LL addresses, but they are not getting assigned by default like they do on my IPsec tunnels. Does anyone know how/where to set it so the interface assigned for WG gets a link-local address assigned?

https://www.reddit.com/r/OPNsenseFirewall/comments/10ch97m/wireguard_ipv6_ospfv4/

https://github.com/FRRouting/frr/issues/9544

#11
23.7 Legacy Series / Change when/how NAT rule applies
August 14, 2023, 11:55:19 PM
So I have 1 subnet that I want to use 2 different outbound NAT rules at different times. I have tried setting the FW rule and the outbound NAT rule using the "Set local tag" and "Match local tag" options, but it doesn't seem to work.

Ideas or thoughts? I'm trying to have it apply to ANY ANY in the NAT rule based on the traffic selected by specific FW rules.
#12
23.7 Legacy Series / IPSEC Connections IPV6
August 09, 2023, 07:46:01 PM
So I have this working fine for v4 and dynamic DNS names, but it's giving me an error that the identifier contains invalid characters in PSKs for v6 addresses.
#13
Has anyone else experienced issues lately since the release of 23.1.10? I'm no longer getting my normal static IP. I called the cable company and my spoofed MAC is correct and has been working for years. Only talking IPv4 currently.

When I run a packet capture, it shows the proper spoofed MAC from what I can tell/see. The cable co says everything is fine on their end, but they are also wrong often.
#14
I know it's the wrong forum sub, but there isn't a 23.1 one yet.

Updated, all working correctly. Rebooted. BGP neighbor and gateway monitor for the VTI interface failing for the remote IP on my /30 for the tunnel.

Tunnel up and can reach the other router via a client (due to FW rule) but not on OPNsense. Added a static /30 route in System > Routes > Configuration to point to the far-end router.

All working again. The BGP neighbor AS came up and the gateway monitor started pinging/getting stats.

Never had to have a static for the VTI /30 prior. Unknown if by design or bug.

Just sharing info.
#15
Intrusion Detection and Prevention / IDS Logs
November 10, 2022, 09:24:22 PM
So since the middle of last month, around Oct 13, so that was the 22.7.6 timeframe, including 27.7.7_1 and continuing.

I can't see logs / alerts in the IDS Alerts tab/page. But looking at /var/log/suricata/eve.json there is data there. At first it wasn't creating logs, so I deleted all old history and then it re-created the eve.json, and logs are now showing up there, still not in the alerts tab.

Any ideas? Anyone else have the same issue?

#16
So I have an S2S VTI VPN, 200M down / 10 up connection.

UDP I get full speed both directions; TCP I get the full 10 up, but like 1M down.

I have tried with my shaping and queues on and off, no difference. Don't know when the issue started, but it was not like this prior to 21.7.4. Currently on 21.7.6.

IKEv2/IPsec encryption set to
Phase 1 - 256 bit AES-GCM with 128 bit ICV + SHA512 + DH Group 21
Phase 2 - aes256gcm16 + + 21 (NIST EC 521 bits)

I am using / testing RSS, and have tried with it on and off. My NIC type is Intel em0 (Intel 82583V).

-----

root@OXNUNIFI001:~# iperf3 -c 192.168.1.245 -i 1 -t 30 -V -b 200M -u
iperf 3.6
Linux OXNUNIFI001 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
Control connection MSS 1348
Setting UDP block size to 1348
Time: Fri, 03 Dec 2021 21:18:46 GMT
Connecting to host 192.168.1.245, port 5201
      Cookie: np7wpu6zehkvi7znfaavwe72sipwwpq3nflm
[  5] local 10.80.203.53 port 54837 connected to 192.168.1.245 port 5201
Starting Test: protocol: UDP, 1 streams, 1348 byte blocks, omitting 0 seconds, 30 second test, tos 0
[ ID] Interval           Transfer     Bitrate         Total Datagrams
[  5]   0.00-1.00   sec  23.8 MBytes   200 Mbits/sec  18533
[  5]   1.00-2.00   sec  23.8 MBytes   200 Mbits/sec  18545
[  5]   2.00-3.00   sec  23.8 MBytes   200 Mbits/sec  18546
[  5]   3.00-4.00   sec  23.8 MBytes   200 Mbits/sec  18545
[  5]   4.00-5.00   sec  23.8 MBytes   200 Mbits/sec  18547
[  5]   5.00-6.00   sec  23.8 MBytes   200 Mbits/sec  18546
[  5]   6.00-7.00   sec  23.8 MBytes   200 Mbits/sec  18546
[  5]   7.00-8.00   sec  23.8 MBytes   200 Mbits/sec  18546
[  5]   8.00-9.00   sec  23.8 MBytes   200 Mbits/sec  18546
[  5]   9.00-10.00  sec  23.8 MBytes   200 Mbits/sec  18545
[  5]  10.00-11.00  sec  23.8 MBytes   200 Mbits/sec  18547
[  5]  11.00-12.00  sec  23.8 MBytes   200 Mbits/sec  18545
[  5]  12.00-13.00  sec  23.8 MBytes   200 Mbits/sec  18547
[  5]  13.00-14.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  14.00-15.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  15.00-16.00  sec  23.8 MBytes   200 Mbits/sec  18545
[  5]  16.00-17.00  sec  23.8 MBytes   200 Mbits/sec  18547
[  5]  17.00-18.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  18.00-19.00  sec  23.8 MBytes   200 Mbits/sec  18545
[  5]  19.00-20.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  20.00-21.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  21.00-22.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  22.00-23.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  23.00-24.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  24.00-25.00  sec  23.8 MBytes   200 Mbits/sec  18547
[  5]  25.00-26.00  sec  23.8 MBytes   200 Mbits/sec  18545
[  5]  26.00-27.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  27.00-28.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  28.00-29.00  sec  23.8 MBytes   200 Mbits/sec  18546
[  5]  29.00-30.00  sec  23.8 MBytes   200 Mbits/sec  18547
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-30.00  sec   715 MBytes   200 Mbits/sec  0.000 ms  0/556366 (0%)  sender
[  5]   0.00-30.00  sec   669 MBytes   187 Mbits/sec  0.070 ms  36439/556361 (6.5%)  receiver
CPU Utilization: local/sender 14.1% (3.2%u/10.9%s), remote/receiver 18.2% (2.5%u/15.7%s)

iperf Done.

root@OXNUNIFI001:~# iperf3 -c 192.168.1.245 -i 1 -t 30 -V -b 200M
iperf 3.6
Linux OXNUNIFI001 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
Control connection MSS 1348
Time: Fri, 03 Dec 2021 21:19:30 GMT
Connecting to host 192.168.1.245, port 5201
      Cookie: fortwut5v3yy4xzlwgovxzwaz274xvzoybvj
      TCP MSS: 1348 (default)
[  5] local 10.80.203.53 port 50624 connected to 192.168.1.245 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 30 second test, tos 0
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   149 KBytes  1.22 Mbits/sec    2   10.5 KBytes
[  5]   1.00-2.00   sec  48.7 KBytes   399 Kbits/sec    4   3.95 KBytes
[  5]   2.00-3.00   sec  39.5 KBytes   324 Kbits/sec    2   5.27 KBytes
[  5]   3.00-4.00   sec  38.2 KBytes   313 Kbits/sec    1   5.27 KBytes
[  5]   4.00-5.00   sec  40.8 KBytes   334 Kbits/sec    2   5.27 KBytes
[  5]   5.00-6.00   sec  46.1 KBytes   377 Kbits/sec    3   1.32 KBytes
[  5]   6.00-7.00   sec  36.9 KBytes   302 Kbits/sec    0   6.58 KBytes
[  5]   7.00-8.00   sec  46.1 KBytes   377 Kbits/sec    2   7.90 KBytes
[  5]   8.00-9.00   sec  43.4 KBytes   356 Kbits/sec    1   9.21 KBytes
[  5]   9.00-10.00  sec  47.4 KBytes   388 Kbits/sec    3   3.95 KBytes
[  5]  10.00-11.00  sec  38.2 KBytes   313 Kbits/sec    2   3.95 KBytes
[  5]  11.00-12.00  sec  43.4 KBytes   356 Kbits/sec    1   5.27 KBytes
[  5]  12.00-13.00  sec  42.1 KBytes   345 Kbits/sec    0   9.21 KBytes
[  5]  13.00-14.00  sec  46.1 KBytes   377 Kbits/sec    5   5.27 KBytes
[  5]  14.00-15.00  sec  42.1 KBytes   345 Kbits/sec    2   6.58 KBytes
[  5]  15.00-16.00  sec  38.2 KBytes   313 Kbits/sec    2   6.58 KBytes
[  5]  16.00-17.00  sec  48.7 KBytes   399 Kbits/sec    4   2.63 KBytes
[  5]  17.00-18.00  sec  0.00 Bytes  0.00 bits/sec    4   3.95 KBytes
[  5]  18.00-19.00  sec  39.5 KBytes   324 Kbits/sec    2   3.95 KBytes
[  5]  19.00-20.00  sec  39.5 KBytes   324 Kbits/sec    2   2.63 KBytes
[  5]  20.00-21.00  sec  0.00 Bytes  0.00 bits/sec    1   3.95 KBytes
[  5]  21.00-22.00  sec  75.0 KBytes   615 Kbits/sec    1   3.95 KBytes
[  5]  22.00-23.00  sec  0.00 Bytes  0.00 bits/sec    2   3.95 KBytes
[  5]  23.00-24.00  sec  38.2 KBytes   313 Kbits/sec    1   2.63 KBytes
[  5]  24.00-25.00  sec  36.9 KBytes   302 Kbits/sec    2   2.63 KBytes
[  5]  25.00-26.00  sec  40.8 KBytes   334 Kbits/sec    0   7.90 KBytes
[  5]  26.00-27.00  sec  50.0 KBytes   410 Kbits/sec    2   7.90 KBytes
[  5]  27.00-28.00  sec  38.2 KBytes   313 Kbits/sec    3   3.95 KBytes
[  5]  28.00-29.00  sec  0.00 Bytes  0.00 bits/sec    3   3.95 KBytes
[  5]  29.00-30.00  sec  36.9 KBytes   302 Kbits/sec    1   5.27 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec  1.20 MBytes   336 Kbits/sec   60             sender
[  5]   0.00-30.00  sec  1.16 MBytes   324 Kbits/sec                  receiver
CPU Utilization: local/sender 2.0% (0.6%u/1.5%s), remote/receiver 0.2% (0.2%u/0.1%s)
iperf Done.

#17
21.1 Legacy Series / ntopng & ndpi
January 28, 2021, 07:53:54 PM
So in 20.7.8 ntopng shows v4.x and in 21.1 it shows 3.4.0,

but in the packages it says 4.2 for ntopng and 3.4 for ndpi.

Am I seeing it incorrectly and it is current? Or why does the interface say there is a newer version than installed, and why did it show 4.x in 20.7.8 while in 21.1 it is the older 3.4.x?

ntopng -V
v.3.4.0 [Community build]
GIT rev:        :4.2.210125