Topics - agh1701

#1
Hi All,

I have followed the steps here (LAN Bridge), and DHCP works, but I cannot access a device on one bridge port from another port.

igc0 is my entire network
igc5 is my WAN

If I plug a PC into igc1 it gets DHCP and has access to the internet. I cannot ping a PC/device on igc0. Pinging the PC on igc1 from a PC on igc0 yields the same results. No ping.

It's like these settings have no effect:
net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1

root@rtr:~ # ifconfig
igc0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: OPT1 (opt1)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:79
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: OPT2 (opt2)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:7a
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: OPT3 (opt3)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:7b
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: OPT4 (opt4)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:7c
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: OPT5 (opt5)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:7d
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc5: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 34:1a:4c:03:bc:7e
        inet 69.76.39.223 netmask 0xfffffc00 broadcast 255.255.255.255
        inet6 fe80::361a:4cff:fe03:bc7e%igc5 prefixlen 64 scopeid 0x6
        inet6 2605:a000:dfc0:1d:903a:4278:8616:d7b6 prefixlen 128 pltime 521872 vltime 521872
        media: Ethernet autoselect (2500Base-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=1000041<UP,RUNNING,LOWER_UP> metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
wg1: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1390
        description: TorGuardVPNw1 (opt6)
        options=80000<LINKSTATE>
        inet 10.13.128.121 netmask 0xffffff00
        groups: wg wireguard
        nd6 options=9<PERFORMNUD,IFDISABLED>
wg2: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1390
        description: TorGuardVPNw2 (opt7)
        options=80000<LINKSTATE>
        inet 10.13.110.213 netmask 0xffffff00
        groups: wg wireguard
        nd6 options=9<PERFORMNUD,IFDISABLED>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=100000<NETMAP>
        ether 58:9c:fc:10:ff:80
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::5a9c:fcff:fe10:ff80%bridge0 prefixlen 64 scopeid 0xd
        inet6 2603:6011:e300:8adb:5a9c:fcff:fe10:ff80 prefixlen 64
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: igc4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: igc3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: igc2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000
        member: igc1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000000
        member: igc0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 55
        groups: bridge
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 192.168.1.224 netmask 0xfffffff8
        groups: wg wireguard
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>

Thanks for any help.
#2
Hi all,

I have followed the steps here (LAN Bridge), and DHCP works, but I cannot access a device on one bridge port from another port. I have set the tunables and checked the spelling. Anybody have any ideas?
#3
The simplest description is that I cannot ping the router using IPv6. Needless to say, I cannot contact the internet via IPv6. 23.1.4 worked, other prior versions also had the same problem.

Pinging rtr.bs.net [xxxx:xxxx:xxxx:xxxx:201:2eff:fea3:a866] with 32 bytes of data:
Destination host unreachable.
Request timed out.
Destination host unreachable.
Destination host unreachable.

Ping statistics for xxxx:xxxx:xxxx:xxxx:201:2eff:fea3:a866:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
#4
Hi All,

Here is my log. This is all I get; logging is set to debug but seems the same as info. Is the system log the only place to look? Can anyone tell me where to go from here?

<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="1"] set client ID (len 14)
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="2"] set identity association
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="3"] set elapsed time (len 2)
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="4"] set option request (len 4)
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="5"] set IA_PD prefix
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="6"] set IA_PD
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="7"] send solicit to ff02::1:2%re1
<29>1 2022-06-25T18:32:31-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="8"] reset a timer on re1, state=SOLICIT, timeo=10, retrans=117984
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="1"] set client ID (len 14)
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="2"] set identity association
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="3"] set elapsed time (len 2)
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="4"] set option request (len 4)
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="5"] set IA_PD prefix
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="6"] set IA_PD
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="7"] send solicit to ff02::1:2%re1
<29>1 2022-06-25T18:34:29-04:00 rtr.condor2711.net dhcp6c 58250 - [meta sequenceId="8"] reset a timer on re1, state=SOLICIT, timeo=11, retrans=117972


Thanks
#5
Hi All,

I just upgraded from 21.1.7 to 21.1.8 and my OpenVPN server failed to start with the below log.

My subnet is a /29 so the startup command should be
/sbin/ifconfig ovpns1 192.168.1.241 192.168.1.246 mtu 1500 netmask 255.255.255.255 up

But this is what is happening.
2021-07-08T20:16:53 openvpn[5628] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpns1 1500 1622 192.168.1.241 192.168.1.242 init
2021-07-08T20:16:53 openvpn[5628] Exiting due to fatal error
2021-07-08T20:16:53 openvpn[5628] IPv4 pool size is too small (1), must be at least 2
2021-07-08T20:16:53 openvpn[5628] UDPv4 link remote: [AF_UNSPEC]
2021-07-08T20:16:53 openvpn[5628] UDPv4 link local (bound): [AF_INET]65.185.18.45:1194
2021-07-08T20:16:53 openvpn[5628] Could not determine IPv4/IPv6 protocol. Using AF_INET
2021-07-08T20:16:51 openvpn[5628] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1622 192.168.1.241 192.168.1.242 init
2021-07-08T20:16:51 openvpn[5628] /sbin/ifconfig ovpns1 192.168.1.241 192.168.1.242 mtu 1500 netmask 255.255.255.255 up
2021-07-08T20:16:51 openvpn[5628] TUN/TAP device /dev/tun1 opened
2021-07-08T20:16:51 openvpn[5628] TUN/TAP device ovpns1 exists previously, keep at program end
2021-07-08T20:16:51 openvpn[5628] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-08T20:16:51 openvpn[94954] library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-07-08T20:16:51 openvpn[94954] OpenVPN 2.5.3 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 6 2021
2021-07-08T20:16:51 openvpn[94954] DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-07-08T20:16:51 openvpn[94954] WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2021-07-08T20:16:51 openvpn[94954] WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.


Please note the 192.168.1.241 instead of 192.168.1.246.

Thanks
#6
19.7 Legacy Series / Windows IP registration
November 18, 2019, 03:44:44 PM
Is there a way to get Windows dynamic DNS update to occur on the local LAN using UNBOUND or some other setup? I just want Windows clients to register IP address to the local domain.
#7
Rule 13 according to logs. Firewall has access to internet. Ping from ssh works. All outgoing LAN traffic is blocked.
#8
I have switched from dnscrypt-proxy v1 to v2. I cannot get dnscrypt-proxy2 to start on boot. This prevents the firewall from completing boot. After the web UI comes up I can ssh in and issue "service dnscrypt-proxy restart". It tells me it can't stop the service and then starts it. At this point the firewall finishes the boot. Below are my rcvars.

root@router:/usr/local/etc/rc.d # cat /etc/rc.conf
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_suexec="YES"
dnscrypt_proxy_uid="root"

#9
18.7 Legacy Series / 18.7 R1 and R2 dnsmasq problem
July 19, 2018, 07:14:40 PM
dnsmasq is missing localhost, all interfaces to bind to. Only LAN and WAN are available. The default LAN binding seems to be ALL. This prevents packages such as dnscrypt from working as it needs to be bound to 127.0.0.2. dnscrypt will not bind because dnsmasq is already bound.

For now I switched to unbound which I can set the interface binding correctly.
#10
18.7 Legacy Series / r1 release date?
July 10, 2018, 10:33:53 PM
Do we have an expected date?
#11
17.1 Legacy Series / Upgrade directly to 17.1.2
February 24, 2017, 02:33:32 PM
Can this be done by typing "17.1.2" at the console upgrade instead of typing "17.1"? I have Realtek ports and don't want to risk a timeout while going from 17.1 to 17.1.2.