Messages

Hi, I'm pretty stuck right now so I hope someone here can help me.

We have a site-to-site VPN with IPSec and I can ping the site B box from the site A box, but not vice-versa. Site B clients can ping the site A box and everything beyond, site A clients can ping anything beyond the site B box and the box itself.

On site A the routes to site B's subnets point to site A LAN and as far as I understand it doesn't even matter which interface I choose since the tunnel will notice the traffic is for it and forward it to the other site. Same setup on the other box as well.
Now on to IPSec, both boxes have one phase-1 connection and a few phase-2 connections (one phase-2 connection per subnet).

We DID have an additional problem that not all of site B's clients could connect to servers on site A but that somehow vanished after removing the PPPoE-endpoint we had to put in front of site B because of the PPPoE crash in earlier 17.7 releases. If someone could shed some light onto why that might have happened I'd be quite happy as well. I know it might just be en educated guess, but it might help me understand IPSec a bit better.

I just updated to 17.7.3, but as I said I cannot just test it. Thank you for the information, I seem to have missed that. So I will schedule a visit after 17.7.4 is released. :)

We had a very strange issue a few day ago. We were connecting a new office with an OPNSense box (I think 17.7 at that point) via Ethernet on WAN port to a Switch and from there it went via fiber to whereever exactly. It is not DSL, but uses PPPoE. The very moment we plugged in the cable the whole box goes unresponsive, nothing at all, no GUI, no ping - lights on though. It comes back only if we hard reboot it with the cable unplugged.
Sadly there is not much I can do regarding debugging, as we're not on site very often. Currently we're using a different box as a PPPoE endpoint and port forward etc. to our OPNSense box. Next time we're there I can try some things if anyone has ideas, as I would very much prefer to loose the intermediate endpoint, but it might take a while.

I need to butt in here as I have the same issue regarding IPsec after updating from 17.7 to 17.7.2, but setting the gateway to dynamic doesn't help me. ping comes back with "sendto: permission denied"  :-\
Hosts behind the opnsense box can reach the other end just finde, just the box itself cannot. Which is pretty bad for some services running on that box connecting to servers on the other side of the tunnel.

btw. I cannot set routes with a dynamic gateway, the page comes back with
"The following input errors were detected:
The gateway 'dynamic' is a different Address Family as network '10.20.0.0'."
If I change the gateway back to a static ip I can then change the route and change the gateway back to dynamic

Alright, Iĺl look into this every now and then to see if you have something ready

You're welcome. Same thing again though.

What does work though is to use an installer on another system, write to an sd card and use that card in the APU1D4.

Yields the exact same result.

Regards,
Vince

Hi Franco :)

thank you for putting in all that effort! I just tested your image and it appears to be the same error, shown over and over again:

Code Select Expand


WARNING - Timeout at ehci_wait_td:517!
ehci pipe=0x000eee80 cur=000efdc0 tok=801f0c81 next=1 td=0x0000fdc0 status=1f0c80
USB transmission failed


I don't know if that helps, I just thought I might post it since I do not remember that warning from my earlier tests.

Regards, Vince

I just solved it myself. The WAN interface was not set as the default gateway, instead our coreswitch was selected which uses another wan connection as his default route.

Hi, we have a dual stack (IPv4 + IPv6) connection, a modem in bridge mode and pppoe0 on the OPNsense box.
WAN is configured as PPPoE for IPv4 and None for IPv6 since we currently do not make use of IPv6 anyway.
From 17.1 to 17.7 DynDNS was removed from core and is available as a plugin, wich we installed, but it does not work for us anymore.

Service SelfHost:

Code Select Expand


Aug 22 09:17:23 opnsense: /services_dyndns_edit.php: Curl error occurred: bind failed with errno 47: Address family not supported by protocol family
Aug 22 09:17:23 opnsense: /services_dyndns_edit.php: Dynamic DNS (xxxxxx.dyndns.eu): Current Service: selfhost
Aug 22 09:17:23 opnsense: /services_dyndns_edit.php: Dynamic DNS (xxxxxx.dyndns.eu): _checkStatus() starting.
Aug 22 09:16:23 opnsense: /services_dyndns_edit.php: SelfHost: DNS update() starting.
Aug 22 09:16:23 opnsense: /services_dyndns_edit.php: Dynamic DNS (xxxxxx.dyndns.eu): _update() starting.
Aug 22 09:16:23 opnsense: /services_dyndns_edit.php: Dynamic DNS (xxxxxx.dyndns.eu): running get_failover_interface for wan. found pppoe0
Aug 22 09:16:23 opnsense: /services_dyndns_edit.php: Dynamic DNS (xxxxxx.dyndns.eu): YYY.YYY.YYY.YYY extracted
Aug 22 09:16:22 opnsense: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting


Service freeDNS:

Code Select Expand


Aug 22 09:28:27 opnsense: /services_dyndns_edit.php: Curl error occurred: Failed to connect to freedns.afraid.org port 443: Operation timed out


It seems to have something to do with IPv6 (see the last, topmost, log message from curl for selfhost) but that's as far as I get

Before.

Floating -> Group -> Interface

It seems to have something to do with the specific hardware we use, as I remember reading quite a few posts about problems with it.

About writing the image, well, dd of course. I think we used bs=1M instead of the bs=16k though.

Hi Franco,

sure, right now we have a few spare boxes around that I can test with.
It's the same thing with this image as well though: first boot works fine and then on reboot I get "USB transmission failed". On our devices the internal sd-card reader is attached via USB.

Regards, Vince

We are using PC Engines APU1D4 and we did have problems with usb flash drives quickly getting corrupted and using sd cards solved that for one of them somehow. We might have started with a 16.7 install as well, I'm not sure anymore, but we did successfully upgrade it to 17.1 and lately to 17.7. We did have some more problems, however I'm not sure they're version specific.
Now we've started setting up a new set of boxes and they all fail after the first boot. Using the vga installer on another system seems to have solved that, but I dont' have the best feeling about using those boxes in production anymore.
What might be the way to go here? Use 16.7 for now, as I remember it being FreeBSD 10.0 based, and wait for a FreeBSD >11 based image? Order different hardware? And if so is there a vendor you can recommend? (at least 2 Gbit NICs required, 3 would be preferrable) What's the issue with FreeBSD 11.0 here anyway?

Thanks for your quick reply! That auto-growth seems to be the thing giving us trouble, always corrupting our sd card if we use anything newer than 16.7 for installation. We will probably switch to a different installation type then.

edit: does it make a difference if we install onto the sd card from a different system than the one it will be used with later? (e.g. hw-specific optimizations etc.)