Messages - edz

1
22.1 Legacy Series / Re: Firmware Connectivity Check
« on: May 16, 2022, 12:23:54 pm »
Thanks franco.  So yes, ping6 with a packet size of 1500 is not working. 

Is there something that I need to fix on my end or do I just let it go?

2
22.1 Legacy Series / Firmware Connectivity Check
« on: May 15, 2022, 06:45:25 am »
I'm trying to figure out why the Firmware Connectivity Check fails the IPv6 ping:

Code:
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
PING6(1548=40+8+1500 bytes) [MY-IPV6_IP] --> 2001:1af8:4f00:a005:5::

--- 2001:1af8:4f00:a005:5:: ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 792 packages processed.
All repositories are up to date.
***DONE***

However, from the OPNsense terminal:
Code:
root@opnsense:~ # ping6 2001:1af8:4f00:a005:5::
PING6(56=40+8+8 bytes) [MY_IPV6_IP] --> 2001:1af8:4f00:a005:5::
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=0 hlim=52 time=280.033 ms
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=1 hlim=52 time=278.851 ms
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=2 hlim=52 time=278.849 ms
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=3 hlim=52 time=279.302 ms
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=4 hlim=52 time=279.415 ms
16 bytes from 2001:1af8:4f00:a005:5::, icmp_seq=5 hlim=52 time=278.946 ms
^C
--- 2001:1af8:4f00:a005:5:: ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 278.849/279.233/280.033/0.419 ms
root@opnsense:~ #


3
22.1 Legacy Series / Re: os-ddclient
« on: February 27, 2022, 12:22:56 am »
Has anyone figured out how to get ddclient to work with Digital Ocean?

I've tried using the api.digitalocean.com but it doesn't update the record.

4
21.7 Legacy Series / Spotify with DNS over TLS
« on: November 17, 2021, 11:57:17 pm »
I have been using DNS over TLS with Cloudflare IPv4 and IPv6 servers successfully for some time.

I recently noticed that the Spotify Apple TV and iOS apps reported 'Connecting' or 'No internet connection'.  I validated that none of the Unbound blocklists were blocking the Spotify servers and the moment I switched to an external DNS, Spotify would work.

Narrowing it down, I then removed all the DNS over TLS servers and only enabled 8.8.8.8 port 853.  This allowed Spotify to connect with no issues but the moment I re-added the Cloudflare IPs (both IPv4 and IPv6) Spotify wasn't happy. 

Not sure if the server list is used in a round robin fashion.  Does anyone know why Spotify is only playing nicely with Google's DNS when using DNS over TLS?

5
21.1 Legacy Series / Re: Gateway monitoring with IPV6 prefix only
« on: March 28, 2021, 01:10:41 am »
Not entirely strange, but what is strange was that it took up to 20min for the firewall to realise there was an IPv6 gateway and to add a route.

I do understand the issue with the ISP losing IPv6 connectivity and my firewall not knowing any different, but glad it is working now.

6
21.1 Legacy Series / Re: Gateway monitoring with IPV6 prefix only
« on: March 27, 2021, 11:00:59 pm »
Unfortunately that has not worked for me.

Just to recap what I'm seeing:
  • My ISP does not provide an IPv6 address, only a /56 delegated prefix.
  • Because I do not have an IPv6 address, dpinger does not start (address is invalid).  I am using Cloudflare's IPv6 address as the monitor address.
  • My IPv6 gateway is showing as down, but I have full IPv6 functionality as shown by the ping6 and netstat -r | grep default commands above. A gateway IP is not shown on the gateway screen although visible from the command line.
  • If I disable gateway monitoring, the gateway shows as Online however IPv6 routing stops and it is no longer a default route even though the gateway screen shows it as 'active'.

Should I raise a bug for this?

Edit: I've put the gateway monitor address to the ISP link local. 20 minutes later, IPv6 functionality began to work and the Gateway is showing as Online.  Strange!

7
21.1 Legacy Series / Re: Gateway monitoring with IPV6 prefix only
« on: March 27, 2021, 08:03:19 am »
With IPv6 working (and the IPv6 gateway showing Offline)

Code:
root@opnsense:~ # ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:8003:2810:****:**:***:***:2a11 --> 2404:6800:4006:810::2004
16 bytes from 2404:6800:4006:810::2004, icmp_seq=0 hlim=118 time=12.587 ms
16 bytes from 2404:6800:4006:810::2004, icmp_seq=1 hlim=118 time=12.412 ms
16 bytes from 2404:6800:4006:810::2004, icmp_seq=2 hlim=118 time=12.173 ms

Code:
root@opnsense:~ # netstat -r | grep default
default            cpe-121-209-127-25 UGS        igb0
default            fe80::3e94:d5ff:fe UG         igb0

8
21.1 Legacy Series / Gateway monitoring with IPV6 prefix only
« on: March 27, 2021, 05:36:45 am »
My IPv6 setup with my ISP is by prefix only.  I have all my VLANs correctly set up and clients are receiving an IPv6 address.  Gateway monitoring is enabled on the IPv6 Gateway and despite it showing as Offline, I have full IPv6 connectivity, confirmed with IPv6 test websites and ping6 to Google.

As my ISP is not providing an IPv6 address, dpinger does not start:

Code:
/system_gateways.php: The WAN_DHCP6 IPv6 gateway address is invalid, skipping.

If I disable Gateway monitoring, my IPv6 connection stops working, until I re-enable Gateway monitoring.  Can anyone explain what is happening here?



9
21.1 Legacy Series / Re: Multi WAN & Unbound
« on: March 25, 2021, 01:57:07 am »
If I put a local DNS server against a gateway group I get:

You can not assign a gateway to DNS server "192.168.1.1" which is on a directly connected network.

10
21.1 Legacy Series / Multi WAN & Unbound
« on: March 25, 2021, 01:52:55 am »
I have followed the instructions of setting up Multi WAN, including the steps of adding DNS Servers to each Gateway group.

How does this work when using Unbound?  Does all traffic that is destined for a Gateway Group use the gateway DNS?  Is there any way to use Unbound instead of external DNS Servers when using Multi WAN?

11
20.1 Legacy Series / Re: DNS on Multi-WAN failover does not work - any tips? Now with logfile...
« on: March 24, 2021, 09:46:16 pm »
Were you able to resolve this? I’m facing similar issues, DNS is not working when a gateway group is set on my firewall rules despite allowing DNS as the first rule per the WAN failover docs.

12
21.1 Legacy Series / Re: MacOS sntp errors
« on: March 08, 2021, 01:55:47 am »
OK so the way I resolved this (and cross checking against a previous pfSense install) was to add the below to the Advanced input box to permit my VLANs to query the ntp service. 

Code:
restrict 192.168.10.0 mask 255.255.255.0

restrict 192.168.20.0 mask 255.255.255.0

13
20.7 Legacy Series / Re: Why no WAN_DHCP6 gateway?
« on: March 08, 2021, 01:53:21 am »
Still experiencing this issue in 21.1.2.  Is there an open bug?

14
21.1 Legacy Series / MacOS sntp errors
« on: March 06, 2021, 07:45:50 am »
I'm trying to verify that my MacOS client is connecting to OPNsense for NTP requests but I'm receiving 'Exchange failed: Kiss of death' and 'Exchange failed: Time out' errors.

Checking Apple's time servers, all seems OK:
Code:
❯ sudo sntp -sS time.apple.com
+0.236213 +/- 0.000137 time.apple.com 17.253.116.253

Now, checking the OPNsense firewall:
Code:
❯ sudo sntp -sS 192.168.1.1
sntp: Exchange failed: Kiss of death
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
+0.235124 +/- 0.131470 192.168.1.1 192.168.1.1

Running with the debug flag:
Code:
sudo sntp -d opnsense.home.lan
  leap:                     0
    t1:    E3EDA340.A5B18548  (bytes)
    t1:  3824001856.647240000 (fixed)
    t1:  3824001856.647240162 (float)
    t2:    E3EDA340.E2B9256F  (bytes)
    t2:  3824001856.885637607 (fixed)
    t2:  3824001856.885637760 (float)
    t3:    E3EDA340.E2C01759  (bytes)
    t3:  3824001856.885743579 (fixed)
    t3:  3824001856.885743618 (float)
    t4:    E3EDA340.A67EA5F8  (bytes)
    t4:  3824001856.650370000 (fixed)
    t4:  3824001856.650370121 (float)
offset:    00000000.3CA488C4  (bytes)
offset:           0.236885593 (fixed)
offset:           0.236885593 (float)
 delay:    00000000.00C62EC6  (bytes)
 delay:           0.003024028 (fixed)
 delay:           0.003024028 (float)
ipaddr:          192.168.20.1
sntp: Exchange failed: Kiss of death
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
selected:
  leap:                     0
    t1:    E3EDA340.A5B18548  (bytes)
    t1:  3824001856.647240000 (fixed)
    t1:  3824001856.647240162 (float)
    t2:    E3EDA340.E2B9256F  (bytes)
    t2:  3824001856.885637607 (fixed)
    t2:  3824001856.885637760 (float)
    t3:    E3EDA340.E2C01759  (bytes)
    t3:  3824001856.885743579 (fixed)
    t3:  3824001856.885743618 (float)
    t4:    E3EDA340.A67EA5F8  (bytes)
    t4:  3824001856.650370000 (fixed)
    t4:  3824001856.650370121 (float)
offset:    00000000.3CA488C4  (bytes)
offset:           0.236885593 (fixed)
offset:           0.236885593 (float)
 delay:    00000000.00C62EC6  (bytes)
 delay:           0.003024028 (fixed)
 delay:           0.003024028 (float)
ipaddr:          192.168.20.1
+0.236886 +/- 0.132248 opnsense.home.lan 192.168.20.1
  gtod:  1615013059.668058
adjust:           0.236885
   set:  1615013059.904943
 ~
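
Added example, not part of the original post and not sntp's own code: the "(bytes)" values in the debug output above are NTP 32.32 fixed-point timestamps, and the printed offset and delay can be recomputed from t1..t4 with the standard NTP on-wire formulas. The function names are illustrative, and the t1..t4 roles in the comments assume the usual NTP meaning of those labels.

```python
# Added example: recompute the offset and delay that `sntp -d` printed, from
# the t1..t4 "(bytes)" values in the post. Function names are illustrative.

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

# Values copied from the posted debug output (roles assume standard NTP usage).
POSTED = {
    "t1": "E3EDA340.A5B18548",  # client transmit
    "t2": "E3EDA340.E2B9256F",  # server receive
    "t3": "E3EDA340.E2C01759",  # server transmit
    "t4": "E3EDA340.A67EA5F8",  # client receive
}


def parse_ntp(text):
    """'SSSSSSSS.FFFFFFFF' hex -> one integer in units of 2**-32 seconds."""
    sec, _, frac = text.strip().partition(".")
    if len(sec) != 8 or len(frac) != 8:
        raise ValueError("expected 8 hex digits each side of the dot: %r" % text)
    return (int(sec, 16) << 32) | int(frac, 16)


def fmt_fixed(value):
    """Signed 32.32 value -> 'SSSSSSSS.FFFFFFFF' hex (two's complement)."""
    value &= (1 << 64) - 1
    return "%08X.%08X" % (value >> 32, value & 0xFFFFFFFF)


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay, both in 2**-32 s units."""
    offset = ((t2 - t1) + (t3 - t4)) // 2  # positive: client clock is behind
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server hold time
    return offset, delay


def analyse(stamps=POSTED):
    t = {name: parse_ntp(value) for name, value in stamps.items()}
    offset, delay = offset_and_delay(t["t1"], t["t2"], t["t3"], t["t4"])
    return {
        "offset_hex": fmt_fixed(offset),
        "delay_hex": fmt_fixed(delay),
        "offset_s": offset / 2**32,
        "delay_s": delay / 2**32,
        "t1_unix": (t["t1"] >> 32) - NTP_TO_UNIX,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The recomputed hex values equal the `offset` and `delay` "(bytes)" lines in the post, which shows the one successful exchange was internally consistent despite the Kiss of death and Timeout messages around it.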


15
21.1 Legacy Series / Re: Custom Telegraf conf
« on: February 11, 2021, 09:27:41 am »
Thanks Franco. I’ll try the manual approach first but your suggestion of raising a feature request is great, I’m sure others may benefit too.
