Topics - Space

#1
Hi,

I am running OPNsense behind a FritzBox (which gets new IPv4 and IPv6 addresses each night) and with 19.1.8 the dpinger always dies during IP renewal. The IPv6 address on WAN gets renewed via DHCPv6 and LAN follows the WAN IPv6 address. In the log (gateways.log) I only see the following lines:

May 29 03:58:57 OPNvirt dpinger: WAN_DHCP6 2a03:f580:2:0:85:22:54:90: Alarm latency 1948us stddev 150us loss 22%
May 29 03:58:57 OPNvirt dpinger: GATEWAY ALARM: WAN_DHCP6 (Addr: 2a03:f580:2:0:85:22:54:90 Alarm: 1 RTT: 1948ms RTTd: 150ms Loss: 22%)


In system.log I only find the DHCP Reply before and after the renewal and OpenVPN complaining:

May 29 03:44:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 03:44:49 OPNvirt dhcp6c[46992]: unknown or unexpected DHCP6 option opt_86, len 16
May 29 03:44:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 03:58:59 OPNvirt opnsense: /usr/local/etc/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
May 29 03:58:59 OPNvirt opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server1 SpaceNet OpenVPN Server
May 29 04:14:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 04:14:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 04:14:49 OPNvirt dhcp6c[46992]: status code: no binding


If I start the IPv6 dpinger it works fine until the next morning ...

May 29 14:36:23 OPNvirt opnsense: /status_services.php: Removing static route for monitor 2a03:f580:2:0:85:22:54:90 via fe80::eadf:70ff:fe59:bd49%igb1
May 29 14:36:23 OPNvirt opnsense: /status_services.php: Adding static route for monitor 2a03:f580:2:0:85:22:54:90 via fe80::eadf:70ff:fe59:bd49%igb1


Any idea how to troubleshoot?

Thanks and best regards,

    Space
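To see whether the gateway alarm really lines up with the DHCPv6 renewal, it helps to read both logs together. The following is an added example, not OPNsense code and not something from the original post: it parses syslog-style lines of the shape shown above (dhcp6c renew/reply messages, dpinger GATEWAY ALARM lines) and reports every alarm that follows a renewal within a configurable window, plus any "no binding" reply, which indicates the old lease is gone. The two dpinger lines in the post print the same RTT once with a "us" and once with a "ms" suffix, so the parser normalises whichever unit it sees. The sample lines, hostnames and addresses below are constructed for the example.

```python
"""Correlate dpinger gateway alarms with dhcp6c renewals in OPNsense-style logs.

Added example, not OPNsense's own code. Lines are matched by shape only;
the sample log, host name and addresses are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample (shape follows gateways.log / system.log, data is made up).
SAMPLE_LOG = """\
May 29 03:44:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 03:44:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 03:58:57 OPNvirt dpinger: WAN_DHCP6 2001:db8::1: Alarm latency 1948us stddev 150us loss 22%
May 29 03:58:57 OPNvirt dpinger: GATEWAY ALARM: WAN_DHCP6 (Addr: 2001:db8::1 Alarm: 1 RTT: 1948ms RTTd: 150ms Loss: 22%)
May 29 04:14:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 04:14:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 04:14:49 OPNvirt dhcp6c[46992]: status code: no binding
May 29 14:36:23 OPNvirt opnsense: /status_services.php: Adding static route for monitor 2001:db8::1 via fe80::1%igb1
"""

# Syslog header without a year; the day may be padded with a second space ("Apr  1").
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
ALARM_RE = re.compile(
    r"GATEWAY ALARM: (?P<gw>\S+) \(Addr: (?P<addr>\S+) Alarm: (?P<alarm>\d) "
    r"RTT: (?P<rtt>\d+)(?P<rtt_unit>us|ms) RTTd: \d+(?:us|ms) Loss: (?P<loss>\d+)%\)"
)
UNIT_TO_US = {"us": 1, "ms": 1000}   # normalise both suffixes to microseconds
LOG_YEAR = 2000                      # leap year, so "Feb 29" parses; syslog carries no year


def parse_line(line):
    """Return an event dict for lines we care about, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {int(m['day']):02d} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if msg.startswith("dhcp6c["):
        if "Received REPLY for RENEW" in msg:
            return {"ts": ts, "kind": "renew"}
        if "status code: no binding" in msg:
            return {"ts": ts, "kind": "no_binding"}
        return None
    a = ALARM_RE.search(msg)
    if a:
        return {"ts": ts, "kind": "alarm", "gateway": a["gw"], "addr": a["addr"],
                "alarm": int(a["alarm"]), "loss": int(a["loss"]),
                "rtt_us": int(a["rtt"]) * UNIT_TO_US[a["rtt_unit"]]}
    return None


def analyse(text, window=timedelta(minutes=30)):
    """Flag alarms raised within `window` after the last DHCPv6 renewal."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    result = {"alarms": [], "no_binding": []}
    last_renew = None
    for e in events:
        if e["kind"] == "renew":
            last_renew = e["ts"]
        elif e["kind"] == "no_binding":
            result["no_binding"].append(e["ts"].strftime("%Y-%m-%d %H:%M:%S"))
        elif e["kind"] == "alarm" and e["alarm"] == 1:
            gap = (e["ts"] - last_renew) if last_renew else None
            result["alarms"].append({
                "gateway": e["gateway"], "addr": e["addr"],
                "loss": e["loss"], "rtt_us": e["rtt_us"],
                "seconds_since_renew": gap.total_seconds() if gap is not None else None,
                "after_renew": gap is not None and timedelta(0) <= gap <= window,
            })
    return result


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG)["alarms"]:
        print(a)
```

Run it against a concatenation of gateways.log and system.log sorted by time; an alarm with `after_renew` true followed by a "no binding" reply is the pattern to look for before blaming dpinger itself.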
#2
Hi,

I tried to update to 19.1.r1 but somehow it fails. I did the following:

- switch to dev branch -> update
- now I am on OPNsense 19.1.r_33-amd64
- check for updates -> unlock 19.1.r1 -> upgrade


Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%  150 KiB 153.4kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 587 packages processed.
All repositories are up to date.
Checking for upgrades (136 candidates): 100%
Processing candidates (136 candidates): 100%
uhub2: 6 ports with 6 removable, self powered
Checking integrity... done (0 conflicting)
The following 136 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        pkg-1.10.5_5
        zip-3.0_1
        wpa_supplicant-2.7
        wireguard-go-0.0.20181222
        wireguard-0.0.20181218
...
Number of packages to be reinstalled: 136
[1/136] Reinstalling indexinfo-0.3.1...
[1/136] Extracting indexinfo-0.3.1: 100%
[2/136] Reinstalling readline-7.0.5...
[2/136] Extracting readline-7.0.5: 100%
...
Using existing user 'git_daemon'.
[136/136] Extracting git-2.20.1: 100%
Message from openssl-1.0.2q,1:

Edit /usr/local/openssl/openssl.cnf to fit your needs.
Message from python27-2.7.15:
... (all the other messages)
Checking integrity... done (0 conflicting)
Nothing to do.
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
pkg-static: Repository OPNsense cannot be opened. 'pkg update' required
Nothing to do.
Please reboot.
... (reboot messages)
>>> Invoking early script 'update'
>>> Invoking early script 'configd'
Starting configd.
uhub3: 6 ports with 6 removable, self powered
>>> Invoking early script 'php'
Configuring PHP: OK
>>> Invoking early script 'backup'
>>> Invoking backup script 'captiveportal'
>>> Invoking backup script 'dhcpleases'
>>> Invoking backup script 'duid'
>>> Invoking backup script 'netflow'
>>> Invoking backup script 'rrd'
OK
Launching the init system...done.
... (init messages)


- then after the final reboot I am back at 19.1.r_33

Do you have any idea what could have gone wrong? I have tried to switch to production again as well. Same messages, same result.

Thanks and best regards,

    Space
#3
18.1 Legacy Series / No IPv6 if IPS is active
March 20, 2018, 11:24:41 PM
Hi,

once I activate the IPS button in the Intrusion Detection there is no IPv6 announced on the internal networks anymore. WAN is set to DHCPv6 and does get its IPv6 address but the internal interfaces (LAN/OPT1) do not get any IPv6 address / prefix anymore. DHCPv6 Server does not start anymore.

I will check tomorrow if I find anything in the logs. Or is this issue already known?

Thanks and best regards,

    Space
#4
Hello,

with 17.1.4 and 17.1.5 (at least) I do not have IPv6 working on the LAN interface. IPv6 is set to DHCPv6 on WAN and it gets an IP from my Fritzbox:

        inet6 fe80::1111:2222:3333:4444%em1 prefixlen 64 scopeid 0x2
        inet6 2002:aaaa:bbbb:0:1111:2222:3333:4444 prefixlen 64 autoconf


The "Interface List" in the dashboard only shows the fe80-address but not the one assigned by DHCPv6. The LAN interface is set to "Track Interface" but ifconfig still shows

        inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1


and the clients on LAN are not able to access external IPv6 systems because they are not assigned any IPv6 ip.

Is this a known issue? Should I open an issue on github?

Thanks a lot and best regards,

    jochen
#5
Hello,

I had IPsec running some time ago with 16.7 but I wanted to use OpenVPN since I wanted to add several clients / roadwarriors. I have OpenVPN running but the Android client is not as flexible as I would like. So I wanted to switch back to IPsec. I have set up IPsec according to the cookbook (https://docs.opnsense.org/manual/how-tos/ipsec-road.html) but I can't get it to run. I get the following messages in the logfile:

Apr 17 13:08:28 charon: 11[IKE] deleting IKE_SA con1[101] between <wan_ip>[IPsec]...<public_ip>[IPsec]
Apr 17 13:08:28 charon: 11[IKE] received DELETE for IKE_SA con1[101]
Apr 17 13:08:28 charon: 11[ENC] parsed INFORMATIONAL_V1 request 249 [ HASH D ]
Apr 17 13:08:28 charon: 11[NET] received packet: from <public_ip>[55749] to <wan_ip>[4500] (84 bytes)
Apr 17 13:08:28 charon: 08[IKE] received PAYLOAD_MALFORMED error notify
Apr 17 13:08:28 charon: 08[ENC] parsed INFORMATIONAL_V1 request 2559521190 [ HASH N(PLD_MAL) ]
Apr 17 13:08:28 charon: 08[NET] received packet: from <public_ip>[55749] to <wan_ip>[4500] (68 bytes)
Apr 17 13:08:28 charon: 10[NET] sending packet: from <wan_ip>[4500] to <public_ip>[55749] (100 bytes)
Apr 17 13:08:28 charon: 10[ENC] generating TRANSACTION response 960004112 [ HASH CPRP(ADDR SUBNET U_SPLITINC) ]
Apr 17 13:08:28 charon: 10[IKE] assigning virtual IP 10.10.10.2 to peer


I have no idea what setting to change or if this is a problem of 17.1.x series ... I know I had it running with 16.7.

Does anyone have an idea?

Thanks and best regards,

    Jochen
#6
Hello,

I have updated to 17.1.3 and then 17.1.4 and I just noticed that IPv6 is not working anymore. My OPNsense box sits behind a Fritzbox which gets a /56 network from my provider. On the WAN interface I have enabled dhcpv6 and request a /62 prefix. But somehow the dhcpv6 does not get an IPv6 address. I checked the dhcpd.log and see the following errors:

Apr  1 12:56:05 OPNvirt dhcp6c[11967]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr  1 12:56:05 OPNvirt dhcp6c[11967]: failed initialize control message authentication
Apr  1 12:56:05 OPNvirt dhcp6c[11967]: skip opening control port
Apr  1 12:56:05 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr  1 12:56:05 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr  1 12:56:05 OPNvirt dhcpd: All rights reserved.
Apr  1 12:56:05 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr  1 12:56:05 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Apr  1 12:56:05 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Apr  1 12:56:05 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Apr  1 12:56:05 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr  1 12:56:05 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr  1 12:56:05 OPNvirt dhcpd: All rights reserved.
Apr  1 12:56:05 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 4 leases to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Listening on BPF/em0/52:54:00:93:c1:86/192.168.42.0/24
Apr  1 12:56:05 OPNvirt dhcpd: Sending on   BPF/em0/52:54:00:93:c1:86/192.168.42.0/24
Apr  1 12:56:05 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Apr  1 12:56:05 OPNvirt dhcpd: Server starting service.
Apr  1 12:56:06 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:06 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:07 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:07 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:09 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:09 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:13 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:13 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:21 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:21 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:37 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:37 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:57:09 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:57:09 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address


Is this a configuration issue?

Thanks and best regards,

    Jogi
#7
Hi,

is it somehow possible to do monthly / weekly / daily schedules for the firewall like with cron? So far I only found the possibility to add specific date/times to the firewall schedule but not any possibilities to add a repeating schedule. Did I miss something or is it currently not possible?

PS: Using 17.1.2 and it's great so far.

Thanks and best regards,

    Space
#8
Hi,

I have been using IPsec to connect some Android devices via VPN to my intranet and this worked fine with 16.7.4. But after the update it does not work any more. In the log file I see errors like these:

Oct 1 11:14:30 charon: 13[IKE] no shared key found for '192.168.21.1'[192.168.21.1] - 'user@spacenet'[192.168.21.102]
Oct 1 11:14:30 charon: 13[IKE] <con1|33> no shared key found for '192.168.21.1'[192.168.21.1] - 'intra@spacenet'[192.168.21.102]
Oct 1 11:14:30 charon: 13[CFG] selected peer config "con1"


But in Phase 1 Proposal a PSK is configured. I have not touched the IPsec config in between. Any idea what might cause this?

Thanks and best regards,

    Jochen

#9
Hi Everyone,

I have setup my first real firewall with OPNsense 16.7 and almost everything is working fine except connection to *some* IPv6 hosts. I have done the following steps:

- FritzBox: enabled "DNS-Server und IPv6-Präfix (IA_PD) zuweisen" (assign DNS server + IPv6 prefix) + OPNsense configured as "exposed host" inside Fritzbox
- OPNsense: DHCPv6 enabled on WAN + Request only an IPv6 prefix, Directly send SOLICIT, DHCPv6 Prefix Delegation size: 62, Send IPv6 prefix hint, on LAN I am running with Track Interface + IPv6 Interface: WAN and IPv6 Prefix ID 3

Situation is like this:

- from a tablet connected to FritzBox WLAN I can access the external IPv6 address (provided by Cable provider) without problem --> ssh + https connection (on high port) possible
- from OPNsense itself both ping and test port (same high port) are successful
- from linux system (on LAN) ping and telnet to that port are possible, but browser times out. I only see "Connected" and that's it ...

Does anyone have an idea what might cause this? When I connect the Linux box to FritzBox https connection is working immediately.

Thank you for any hints ... if you need further infos just let me know!

Best regards,

   Jogi
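The settings listed in this post (delegation size 62, Track Interface, Prefix ID 3) and the LAN/OPT1 tracking in the earlier posts determine which /64 each internal interface ends up with. The following is an added example, not OPNsense's own code: it assumes, as a labelled assumption, that the tracked /64 is formed by placing the Prefix ID into the bits between the delegated prefix length and /64, and it checks the two things that commonly go wrong: a Prefix ID that does not fit into the delegation (a /62 only has four /64s, IDs 0 to 3) and two interfaces tracking the same ID. The delegated prefix and interface names are constructed for the example.

```python
"""Plan tracked /64 prefixes from a DHCPv6 prefix delegation.

Added example, not OPNsense code. Assumption: the tracked /64 is the delegated
prefix with the Prefix ID written into the bits between the delegation length
and /64. Prefix values below are documentation space, constructed for the example.
"""
import ipaddress


def available_ids(pd_len: int) -> int:
    """Number of /64s (and thus valid Prefix IDs, 0-based) inside a /pd_len delegation."""
    if not 0 < pd_len <= 64:
        raise ValueError(f"delegation /{pd_len} cannot be split into /64s")
    return 1 << (64 - pd_len)


def tracked_lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 an interface with this Prefix ID derives from the delegation."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    count = available_ids(pd.prefixlen)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:#x} does not fit: a /{pd.prefixlen} delegation "
            f"offers {count} /64 network(s), IDs 0..{count - 1:#x}")
    # Shift the ID into the interface-identifier boundary (bit 64) and OR it in.
    net_int = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((net_int, 64))


def plan_tracking(delegated: str, ids: dict) -> dict:
    """Map interface name -> /64 for several tracking interfaces, rejecting duplicate IDs."""
    seen = {}
    result = {}
    for iface, pid in ids.items():
        if pid in seen:
            raise ValueError(f"{iface} and {seen[pid]} both use Prefix ID {pid:#x}")
        seen[pid] = iface
        result[iface] = str(tracked_lan_prefix(delegated, pid))
    return result


if __name__ == "__main__":
    # Constructed: a /62 carved out of the router's /56, LAN on Prefix ID 3.
    print(plan_tracking("2001:db8:0:10::/62", {"lan": 0x3, "opt1": 0x0}))
```

With a /62 delegation, the post's Prefix ID 3 selects the last of the four /64s; asking the FritzBox for a /62 while a second internal interface also tracks WAN means both must use distinct IDs from that small range, and anything above 3 is simply not covered by the delegation.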