Messages - Space

#91
Quote from: bringha on April 02, 2017, 07:45:46 PM
Hello,

I had the same issue today; last night, my ISP reset the reconnection and updated the FritzBox OS and reset the connection. FritzOS is now 06.83
...
I fixed that by restarting the dhcp6 client on opnsense. Then, radvd and rtsold restarted and all was fine again ...

Br br
Hello,

I have updated my FritzBox to the same version as well. I got the following messages in routing.log when saving WAN interface again:

Apr  2 22:21:25 OPNvirt radvd[45592]: Exiting, sigterm or sigint received.
Apr  2 22:21:25 OPNvirt radvd[45592]: sending stop adverts
Apr  2 22:21:25 OPNvirt radvd[45592]: removing /var/run/radvd.pid
Apr  2 22:21:41 OPNvirt radvd[34797]: version 1.15 started
Apr  2 22:21:41 OPNvirt radvd[34797]: no auto-selected prefix on interface em0, disabling advertisements
Apr  2 22:21:41 OPNvirt radvd[35364]: sendmsg: Can't assign requested address
Apr  2 22:21:42 OPNvirt radvd[35364]: attempting to reread config file
Apr  2 22:21:42 OPNvirt radvd[35364]: no auto-selected prefix on interface em0, disabling advertisements
Apr  2 22:21:42 OPNvirt radvd[35364]: can't join ipv6-allrouters on em0
Apr  2 22:21:42 OPNvirt radvd[35364]: sendmsg: Can't assign requested address
Apr  2 22:21:42 OPNvirt radvd[35364]: resuming normal operation


Thanks for any tips and best regards,

    Jochen
#92
Quote from: djGrrr on April 02, 2017, 07:33:48 PM
LAN is meant to get a /64, it doesn't matter if the prefix from the isp is bigger. This allows you to divide the prefix up into multiple /64s, do you have the LAN interface set to track interface?

LAN is set to track WAN interface. I have already tried different IPv6 Prefix IDs without success.
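
Added example (not part of the original posts): how a delegated prefix is split into per-interface /64s by a prefix ID, as described in the quote above. The addresses use the 2001:db8::/32 documentation range and are constructed; the function names are hypothetical, and the mapping models the usual sla-id/sla-len scheme rather than OPNsense's own code.

```python
import ipaddress


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking interface would get from a delegated prefix.

    delegated : prefix received via DHCPv6-PD, e.g. a /62 (constructed value)
    prefix_id : index of the /64 inside that delegation (0-based)
    """
    # strict=True rejects a prefix with host bits set, e.g. a typo in the hint
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, nothing left to delegate")

    # Bits between the delegation length and /64 select the subnet:
    # a /62 leaves 2 bits (IDs 0..3), a /56 leaves 8 bits (IDs 0..255).
    id_bits = 64 - net.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in {net}: "
            f"valid IDs are 0..{(1 << id_bits) - 1}"
        )

    # Place the ID directly above the 64-bit interface identifier.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


def all_lan_prefixes(delegated: str) -> list:
    """List every /64 available inside the delegation."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    return [lan_prefix(delegated, i) for i in range(1 << (64 - net.prefixlen))]


if __name__ == "__main__":
    pd = "2001:db8:1234:5604::/62"  # constructed /62 out of a /56
    for i, subnet in enumerate(all_lan_prefixes(pd)):
        print(f"prefix ID {i}: {subnet}")
    try:
        lan_prefix(pd, 4)  # one past the last valid ID for a /62
    except ValueError as exc:
        print("rejected:", exc)
```

A LAN interface showing `prefixlen 64` is therefore the expected result of tracking a /62 delegation; only the prefix ID has to stay within the range the delegation size allows.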
#93
Hello,

I have reinstalled every package via opnsense-update -f and now at least the interface gets an IPv6 IP address again. But somehow the clients on the LAN interface still do not get an IP. Could this be related to the interface showing a prefix of /64?

inet6 2002:1234:1234:0:1234:5678:9012:3456 prefixlen 64 autoconf

According to the AVM info page (https://avm.de/service/fritzbox/fritzbox-3270/wissensdatenbank/publication/show/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/) the FritzBox offers a /62 subnet and DHCPv6 Prefix Delegation size is set to /62 as well.

What am I doing wrong ...

Thanks for any help and best regards,

     jochen
#94
Hello,

I have updated to 17.1.3 and then 17.1.4 and I just noticed that IPv6 is not working anymore. My OPNsense box sits behind a Fritzbox which gets a /56 network from my provider. On the WAN interface I have enabled dhcpv6 and request a /62 prefix. But somehow the dhcpv6 does not get an IPv6 address. I checked the dhcpd.log and see the following errors:

Apr  1 12:56:05 OPNvirt dhcp6c[11967]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr  1 12:56:05 OPNvirt dhcp6c[11967]: failed initialize control message authentication
Apr  1 12:56:05 OPNvirt dhcp6c[11967]: skip opening control port
Apr  1 12:56:05 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr  1 12:56:05 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr  1 12:56:05 OPNvirt dhcpd: All rights reserved.
Apr  1 12:56:05 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr  1 12:56:05 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Apr  1 12:56:05 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Apr  1 12:56:05 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Apr  1 12:56:05 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr  1 12:56:05 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr  1 12:56:05 OPNvirt dhcpd: All rights reserved.
Apr  1 12:56:05 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Wrote 4 leases to leases file.
Apr  1 12:56:05 OPNvirt dhcpd: Listening on BPF/em0/52:54:00:93:c1:86/192.168.42.0/24
Apr  1 12:56:05 OPNvirt dhcpd: Sending on   BPF/em0/52:54:00:93:c1:86/192.168.42.0/24
Apr  1 12:56:05 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Apr  1 12:56:05 OPNvirt dhcpd: Server starting service.
Apr  1 12:56:06 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:06 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:07 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:07 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:09 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:09 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:13 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:13 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:21 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:21 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:56:37 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:56:37 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address
Apr  1 12:57:09 OPNvirt dhcp6c[12113]: Sending Solicit
Apr  1 12:57:09 OPNvirt dhcp6c[12113]: transmit failed: Can't assign requested address


Is this a configuration issue?

Thanks and best regards,

    Jogi
#95
Hi,

is it somehow possible to do monthly / weekly / daily schedules for the firewall like with cron? So far I only found the possibility to add specific date/times to the firewall schedule but not any possibilities to add a repeating schedule. Did I miss something or is it currently not possible?

PS: Using 17.1.2 and it's great so far.

Thanks and best regards,

    Space
#96
Hi,

I can confirm that it's working after applying the patch with removed workaround.

Thanks and best regards,

    Jochen
#97
Correction: workaround is too simple to wait ... I added the key and it works.

Thanks and best regards,

   Jochen
#98
Hi Ad,

I had checked that thread but obviously missed the solution ... ok, it's not urgent for me so I will probably wait for the next release.

Thanks and best regards,

   Jochen
#99
Hi,

I have been using IPsec to connect some Android devices via VPN to my intranet and this worked fine with 16.7.4. But after the update it does not work any more. In the log file I see errors like these:

Oct 1 11:14:30 charon: 13[IKE] no shared key found for '192.168.21.1'[192.168.21.1] - 'user@spacenet'[192.168.21.102]
Oct 1 11:14:30 charon: 13[IKE] <con1|33> no shared key found for '192.168.21.1'[192.168.21.1] - 'intra@spacenet'[192.168.21.102]
Oct 1 11:14:30 charon: 13[CFG] selected peer config "con1"


But in Phase 1 Proposal a PSK is configured. I have not touched the IPsec config in between. Any idea what might cause this?

Thanks and best regards,

    Jochen

#100
Hi,

Quote from: franco on September 19, 2016, 12:23:32 AM
The other setup issue is using a bridged interface, which doesn't work for IPS because it requires real NIC driver to attach to.

is IPS attaching to both interfaces (WAN/LAN) if enabled? Because I tried to set up OPNsense inside a VM (WAN: physical interface passed through into VM, LAN: bridged with host interface) and it did not work -- the VM crashed if I remember correctly. Is that caused by this?

Thanks,

   Space
#101
Hi,

I took the simple road ... since this was the only host (so far) that is not reachable from the backend systems directly via https (maybe because of the high port + https combination) I just use the proxy of OPNsense to access it ... works fine ... Case closed :)

Best regards,

   Space
#102
Hi,

ok, I am confused now ... I have run a trace on the Fritzbox (my internet GW) and I do not see *any* traffic of this connection in the package trace ... could this issue be caused by some 6to4 tunnel that is used by my provider? Do I have to configure OPNsense differently then?

Thanks,

   Space
#103
Hi,

it looks like this:

No. Time Source Destination Protocol Length Info
1 0 opnsense fritzbox TCP 94 47942  >  49214 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265396100 TSecr=0 WS=128
2 60522 fritzbox opnsense TCP 94 49214  >  47942 [SYN, ACK] Seq=0 Ack=1 Win=14280 Len=0 MSS=1440 SACK_PERM=1 TSval=26226420 TSecr=265396100 WS=16
3 60662 opnsense fritzbox TCP 86 47942  >  49214 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265396118 TSecr=26226420
4 60989 opnsense fritzbox TCP 298 47942  >  49214 [PSH, ACK] Seq=1 Ack=1 Win=28800 Len=212 TSval=265396118 TSecr=26226420
5 100945 fritzbox opnsense TCP 86 49214  >  47942 [ACK] Seq=1 Ack=213 Win=15360 Len=0 TSval=26226426 TSecr=265396118
6 364398 fritzbox opnsense TCP 97 [TCP Previous segment not captured] 49214  >  47942 [PSH, ACK] Seq=1409 Ack=213 Win=15360 Len=11 TSval=26226451 TSecr=265396118
7 364582 opnsense fritzbox TCP 98 [TCP Window Update] 47942  >  49214 [ACK] Seq=213 Ack=1 Win=29952 Len=0 TSval=265396209 TSecr=26226426 SLE=1409 SRE=1420
8 10362150 opnsense fritzbox TCP 98 [TCP Keep-Alive] 47942  >  49214 [ACK] Seq=212 Ack=1 Win=29952 Len=0 TSval=265399209 TSecr=26226426 SLE=1409 SRE=1420
9 10406805 fritzbox opnsense TCP 86 [TCP Keep-Alive ACK] 49214  >  47942 [ACK] Seq=1420 Ack=213 Win=15360 Len=0 TSval=26227456 TSecr=265396209


The connection is set up but then nothing happens...

Best regards,

   Space
#104
Hi fabian,

no, the default pass rules for LAN are available both for IPv4 and IPv6. Also strange is that e.g. https://ipv6.google.com works just fine. There are no entries in FW log and no entries in IDS alerts.

How can I trace this down?

Thanks for your help!

Best regards,

   Space
#105
Hi Everyone,

I have set up my first real firewall with OPNsense 16.7 and almost everything is working fine except connection to *some* IPv6 hosts. I have done the following steps:

- FritzBox: enabled "DNS-Server und IPv6-Präfix (IA_PD) zuweisen" (assign DNS server + IPv6 prefix) + OPNsense configured as "exposed host" inside Fritzbox
- OPNsense: DHCPv6 enabled on WAN + Request only an IPv6 prefix, Directly send SOLICIT, DHCPv6 Prefix Delegation size: 62, Send IPv6 prefix hint, on LAN I am running with Track Interface + IPv6 Interface: WAN and IPv6 Prefix ID 3

Situation is like this:

- from a tablet connected to FritzBox WLAN I can access the external IPv6 address (provided by Cable provider) without problem --> ssh + https connection (on high port) possible
- from OPNsense itself both ping and test port (same high port) are successful
- from linux system (on LAN) ping and telnet to that port are possible, but browser times out. I only see "Connected" and that's it ...

Does anyone have an idea what might cause this? When I connect the Linux box to FritzBox https connection is working immediately.

Thank you for any hints ... if you need further infos just let me know!

Best regards,

   Jogi