
Messages - gothbert

#46
Well, there is the answer before I asked the question  ;D

Downgrade works for me.
#48
17.7 Legacy Series / Re: Opnsense hardware keeps craching
September 03, 2017, 11:28:01 AM
Hi,

I use a Supermicro X11SBA-LN4F with a 500 GB SSD. Absolutely stable.

Power supply is a Meanwell 12V 60W desktop power supply. Case is a 1 HU supermicro chassis.

Did you check the cooling/case temperature?

Kind regards
Boris

#49
Should I open a ticket on GitHub for this?

radvd should only serve the LAN IP of the OPNsense box via RDNSS if "Enable Forwarding Mode" is turned on in "Unbound DNS: General" options and not the configured nameservers in "System: General"
#50
Thanks, Franco.

"Directly send SOLICIT" on LAN interface is checked (on).
/var/etc/nameserver_v6* does not exist.
radvd.conf exists with the following content:

# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1500;
        AdvOtherConfigFlag on;
        prefix <prefix>/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS <opensenseip6> 2001:4860:4860::8888 2001:4860:4860::8844 { };
        DNSSL <LANdomainname> { };
};

igb1 is the WAN interface. <prefix> is the IPv6 prefix, <opensenseip6> is the IPv6 LAN address of the OPNsense box and <LANdomainname> is the domain name for the hosts on the LAN.

Alright, that is where the Google nameservers come from in the IPv6 configuration of the hosts with no static DNS setup.

How can I turn this off?

Best regards
Boris
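The question in this post (where the advertised IPv6 resolvers come from, and which of them are not the box's own address) can be checked mechanically from the generated radvd.conf. The following script is an added example and not OPNsense or radvd code: it parses the subset of the radvd.conf syntax shown above (interface block, prefix block, RDNSS, DNSSL) and reports every RDNSS address that is neither link-local nor inside one of the prefixes advertised on that interface, which is exactly how upstream resolvers end up in the DNS configuration of RA-configured hosts. The embedded configuration is a constructed sample modelled on the posted file; the 2001:db8:1::/64 prefix, the 2001:db8:1::1 router address and the lan.example domain are placeholders.

```python
"""Audit which recursive DNS servers a radvd.conf advertises via RDNSS.

Added example, not OPNsense or radvd code. Parses the statements present
in the generated config from the post and flags RDNSS entries that are
off-link (not in an advertised prefix and not link-local).
"""
import ipaddress
import re

# Constructed sample modelled on the generated config in the post.
# 2001:db8:1::/64, 2001:db8:1::1 and lan.example are placeholders.
SAMPLE_RADVD_CONF = """\
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1500;
        AdvOtherConfigFlag on;
        prefix 2001:db8:1::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:db8:1::1 2001:4860:4860::8888 2001:4860:4860::8844 { };
        DNSSL lan.example { };
};
"""


def parse_radvd(text):
    """Return {iface: {"prefixes": [IPv6Network], "rdnss": [IPv6Address], "dnssl": [str]}}.

    Line-oriented parser for the statements in the generated file;
    comments and any other statements are ignored.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)\s*\{", line)
        if m:
            current = result.setdefault(
                m.group(1), {"prefixes": [], "rdnss": [], "dnssl": []})
            continue
        if current is None:
            continue
        m = re.match(r"prefix\s+(\S+)\s*\{", line)
        if m:
            current["prefixes"].append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = re.match(r"RDNSS\s+(.*?)\s*\{", line)
        if m:
            current["rdnss"].extend(ipaddress.ip_address(a) for a in m.group(1).split())
            continue
        m = re.match(r"DNSSL\s+(.*?)\s*\{", line)
        if m:
            current["dnssl"].extend(m.group(1).split())
    return result


def foreign_rdnss(config):
    """Return {iface: [addr, ...]} of advertised resolvers that are neither
    link-local nor inside one of the prefixes advertised on that interface.
    These are the entries hosts will use instead of the local resolver."""
    findings = {}
    for iface, data in config.items():
        off_link = [a for a in data["rdnss"]
                    if not a.is_link_local
                    and not any(a in p for p in data["prefixes"])]
        if off_link:
            findings[iface] = off_link
    return findings


if __name__ == "__main__":
    cfg = parse_radvd(SAMPLE_RADVD_CONF)
    for iface, addrs in foreign_rdnss(cfg).items():
        print(f"{iface}: RDNSS advertises off-link resolvers: "
              + ", ".join(map(str, addrs)))
```

To check a live box, read its radvd.conf into parse_radvd instead of the sample; an empty result from foreign_rdnss means only on-link (or link-local) resolvers are being advertised, which is the state the post is asking for.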
#51
By what way are the DNS servers propagated at all to the hosts in the LAN? DHCPv6 and radvd are explicitly turned off, and can't even be turned on, on interfaces without a static IPv6 address, as is the case for LAN tracking WAN.
#52
Hi,

hosts in my LAN get IPv6 addresses from the OPNsense LAN interface (track WAN). Besides, they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get an IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands over the IPv4 address of OPNsense (configured to use resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris
#53
Quote from: zitlo on July 12, 2017, 01:27:19 PM
Does someone have a working configuration with a PPPoE over modem connection? I still have a problem with IPv6 and OPNsense:

Do you have Suricata (Intrusion Detection) turned on or off? If it is turned on, could you please turn it off and reboot and see if the prefix and IPv6 at the LAN interface come up?
#54
Quote from: gothbert on June 12, 2017, 07:53:50 PM
- I will buy a Fritzbox, try it and report back.

Got my Fritzbox and got IPv6 on LAN working, finally. Only thanks to the additional insights and configuration options the Fritzbox provides, together with a Ubuntu box added in parallel to the OPNSense box to make sure that the Fritzbox really can delegate prefixes (dhclient, wireshark, ...).

It still took quite some time to get it done. I ended up with the configuration that I have been trying out for weeks, in accordance with what Jochen proposed. Seemingly, the only difference is that I turned Intrusion Detection off. Please let me know if you would like me to investigate whether there is an issue with suricata.

Best regards
Boris



#55
Just a brief update on my potentially related issue (no prefix delegation from cable modem to OPNSense box and LAN does not track WAN IPv6):
- ISP support is poor: helpline told me that prefix delegation may work or may not work.
- That information is consistent with what other clients of the ISP experience according to forum posts across the internet: for some it works and for some it doesn't.
- My neighbor uses a Fritzbox with the same ISP but has an IPv4-only line; I have DS-Lite (dual stack lite), i.e. IPv6-only and IPv4 via CGN (carrier grade NAT); thus no chance to cross-check.
- I will buy a Fritzbox, try it and report back.

Cheers,
Boris
#56
Thanks, Jochen, for citing your configuration. I had no luck with it either.

Franco, I read your note on the prefix and browsed the web for such issues with my ISP and cable modem brand. I start to believe that the root of the problem is the modem and/or ISP. In particular, if I reconfigure the cable modem's DHCPv6 server from Stateless to Stateful, I do not even get an IPv6 address on the WAN interface. In none of the configurations I tried did I ever get anything other than "Sending solicit".

I will ask my ISP.

Best regards,
Boris

#57
Jochen, this gives me hope that I can solve the issue as well.

I have a seemingly identical setup with respect to OPNSense which fails to hand out IPv6 addresses to LAN. Would you mind posting the relevant parts of your configuration?

sysctl net.pf.share_forward=1 did not help so far.

Kind regards,
Boris
#58
After another day of investigations, I found out that the issue is related to IPv6.

If and only if WAN has a global IPv6 address, OpenVPN fails.

The server log (verbosity 6) gives:

Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 PUSH: Received control message: 'PUSH_REQUEST'
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 send_push_reply(): safe_cap=940
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 SENT CONTROL [opnsense]: 'PUSH_REPLY,route-gateway 192.168.38.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.38.254 255.255.255.0' (status=1)
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [50] to [AF_INET]xxx.xxx.28.18:30875: P_ACK_V1 kid=0 pid=[ #10 ] [ 6 ]
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [187] to [AF_INET]xxx.xxx.28.18:30875: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=7 DATA len=145
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [50] from [AF_INET]xxx.xxx.28.18:30875: P_ACK_V1 kid=0 pid=[ #13 ] [ 7 ]
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [133] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=132
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [133] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=132
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [117] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=116
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:24 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [149] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=148
Apr  2 21:49:31 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [69] to [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68
Apr  2 21:49:35 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [69] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68
Apr  2 21:49:41 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [69] to [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68


Reading the OpenVPN forums, in principle, the dropped packets from [::] should not be an issue, although I would like to understand why these packets are there in the first place.

On my new physical OPNSense OpenVPN client, OpenVPN connectivity breaks after 5 such messages on the server side. The identically configured virtual OPNSense OpenVPN client only produces 3 or 4 such messages and stays connected.

Searching the WWW, I found a few reports related to the message, and only one report of a user who also could track down the issue to having an IPv6 address on his internet-facing NIC.
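To see whether the drops in a server log like the one above line up with the disconnects, it helps to count them per client rather than read them one by one. The script below is an added example, not OpenVPN or OPNsense code: it extracts every "MULTI: bad source address from client [...]" line, counts occurrences per (client, offending source) pair, and flags clients that reach a threshold, set to 5 because the post reports the physical client dropping after five such messages. The log lines are constructed in the format of the server log quoted above, with documentation addresses (203.0.113.18, 198.51.100.7); the second "laptop" client, the 10.8.0.9 address and the threshold are assumptions. On the address itself: [::] is the IPv6 unspecified address, which a host uses as the source of Duplicate Address Detection neighbor solicitations when it brings up an IPv6 address on an interface (RFC 4862), so these packets are most likely the client's tunnel interface doing IPv6 autoconfiguration that the server has no route for, whereas a concrete address in that position means a source the server has not associated with that client.

```python
"""Count OpenVPN "MULTI: bad source address" drops per client and flag the
clients that reach a threshold.

Added example, not OpenVPN or OPNsense code. Sample lines are constructed
in the format of the server log from the post, with documentation
addresses; the "laptop" client and 10.8.0.9 are assumptions.
"""
import re
from collections import Counter

# Constructed sample lines (not the original log).
SAMPLE_LOG = """\
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 UDPv4 READ [133] from [AF_INET]203.0.113.18:30875: P_DATA_V1 kid=0 DATA len=132
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:23 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:23 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:24 s1 openvpn-server[10536]: laptop/198.51.100.7:41002 MULTI: bad source address from client [10.8.0.9], packet dropped
Apr  2 21:49:31 s1 openvpn-server[10536]: opnsense/203.0.113.18:30875 UDPv4 WRITE [69] to [AF_INET]203.0.113.18:30875: P_DATA_V1 kid=0 DATA len=68
"""

# "<common name>/<ip>:<port> MULTI: bad source address from client [<src>], packet dropped"
BAD_SOURCE_RE = re.compile(
    r"openvpn-server\[\d+\]: (?P<client>\S+) MULTI: bad source address from client "
    r"\[(?P<src>[^\]]+)\], packet dropped"
)


def count_bad_source(log_text):
    """Return a Counter keyed by (client, offending source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAD_SOURCE_RE.search(line)
        if m:
            counts[(m.group("client"), m.group("src"))] += 1
    return counts


def classify_source(src):
    """Label the offending source address.

    '::' is the IPv6 unspecified address, used as the source of Duplicate
    Address Detection neighbor solicitations, i.e. the client's tunnel
    interface is bringing up an IPv6 address the server knows nothing about.
    Any other value is a concrete address the server has not associated
    with this client (not its pushed ifconfig address or an iroute).
    """
    if src == "::":
        return "ipv6 unspecified source (DAD/NS from client tunnel interface)"
    return "source address not associated with this client"


def flag_clients(counts, threshold=5):
    """Return [(client, src, count, label)] for pairs at or above threshold."""
    return [(client, src, n, classify_source(src))
            for (client, src), n in sorted(counts.items())
            if n >= threshold]


if __name__ == "__main__":
    for client, src, n, label in flag_clients(count_bad_source(SAMPLE_LOG)):
        print(f"{client}: {n} drops from [{src}] -> {label}")
```

Feeding the real server log in place of the sample gives a per-client tally; if the physical client consistently crosses the threshold right before its session drops while the virtual one stays below it, that is the correlation the post describes, and the source label tells you whether to look at IPv6 on the client's tunnel interface or at a missing route for a concrete address.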
#60
I installed OPNSense from scratch and remained on 17.1.1. The issue exists there as well.

The issue appears on my new physical machine with the SuperMicro X11SBA-LN4F mainboard. There is also another issue with ntp running amok (questioning the time server until the rate limit kicks in).

I had to go back to OPNSense on a virtual machine. There openvpn and ntp run fine.

What can I do? Any help is appreciated.