Topics - Dronov

1
18.1 Legacy Series / Lost IPv6 on the router itself after upgrade
« on: February 09, 2018, 02:12:00 pm »
So I waited for 18.1.2 to be ready and upgraded my up-to-date 17.x box. It went to 18.1.1 only, but for LAN clients everything was working fine (including IPv6). Then I decided to upgrade to 18.1.2 and it was "aborted internally". opnsense-update was hanging on pkg-static invocations.

Well, I thought, I've seen something similar when I had my IPv6 misconfigured. And I tried the relevant pkg operations with the -4 flag. It worked. Oops.

Now, everything was working fine (especially regarding the IPv6 for LAN clients and the router itself) on 17.x. But after the upgrade only the router itself has no IPv6 connectivity. The pings and traceroute6 seem to be working, but no actual data is going through (e.g. curl -6 http://google.com/ just times out without receiving anything).

Any advice appreciated on how to debug it further.

2
17.7 Legacy Series / OpenVPN tls-crypt
« on: October 13, 2017, 03:07:57 pm »
Hi!

I was recently forced to review my OpenVPN configuration, and I quickly realised that I have OpenVPN 2.4.x on all devices. I immediately thought about turning on tls-crypt, but I am not sure what would be the most elegant way to do so. It looks like the GUI supports tls-auth only.

I can surely dump the secret somewhere (using SSH) and just put tls-crypt /path/to/key in the "advanced" text box. But I was wondering if there is a more transparent way to achieve it? Ideally with all steps done via the web GUI and thus keeping the tls-crypt key as a part of the backup XML.

Thanks!

3
17.7 Legacy Series / [SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself
« on: October 09, 2017, 02:53:37 pm »
Dear helpful opnsense users,

This is a follow-up question to my update-related question[1], which turned out to be an IPv6 connectivity issue. I suspect it might be something known and straightforward.

I have an OpenVPN tunnel set up on opnsense box, with all the traffic (IPv4 and IPv6) going through the tunnel. My ISP does not provide v6 connectivity, so v6 has only one way out - via VPN (for v4 I have "kill switch" floating rule). VPN server assigns routed X.Y.Z::/64 network to the opnsense. Opnsense box uses NPT to translate it to/from internal network A.B.C::/64 (not site local, a regular net for historical reasons, using the "OpenVPN" interface, I did not assign one manually via Interfaces -> Assignments). LAN boxes get their IPv4 and IPv6 connectivity, and all seems to be OK.

Now, I recently found that the opnsense box itself has no IPv6 connectivity (due to NPT?). Here is what happens:

When I ping6 google.com from a LAN machine I see the following going out (and in) via the vpn interface:
Code:
# tcpdump -i ovpnc2 icmp6
12:30:00.852675 IP6 X:Y:Z:0:b4f3:a128:d588:5fa6 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
12:30:00.863742 IP6 lhr35s07-in-x0e.1e100.net > X:Y:Z:0:b4f3:a128:d588:5fa6: ICMP6, echo reply, seq 1, length 64

However, when I do the same from the opnsense box, I see:
Code:
# tcpdump -i ovpnc2 icmp6
12:32:25.379827 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 0, length 16
12:32:26.442561 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 16

It looks like it takes the external address assigned to the ovpnc2 interface by the server (X.Y.Z::1002), does NPT for that address (which results in the internal A.B.C:: prefix) and then sends it out. Basically, address A.B.C::1002 does not exist anywhere, the ovpnc2 interface has address X.Y.Z::1002.

I appreciate any pointers: how do I debug it further?

Thanks a lot.

1. https://forum.opnsense.org/index.php?topic=6033.0
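
The check described in the post above, as an added example that is not part of the original post: it classifies echo requests captured on the tunnel by source prefix and shows that swapping the external prefix for the internal one on the router's own address reproduces the stray ::1002 source. The two 2001:db8 prefixes, the sample capture lines and the plain host-bits-preserving prefix swap are assumptions (constructed stand-ins for X:Y:Z::/64 and A:B:C::/64, not RFC 6296 checksum-neutral mapping).

```python
import ipaddress
import re

# Constructed documentation prefixes standing in for the post's placeholders.
EXTERNAL = ipaddress.ip_network("2001:db8:aaaa::/64")  # X:Y:Z::/64, routed by the VPN server
INTERNAL = ipaddress.ip_network("2001:db8:bbbb::/64")  # A:B:C::/64, used on the LAN


def swap_prefix(addr, src_net, dst_net):
    """Replace the network bits of addr (if inside src_net) with dst_net's, keeping host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


# Matches numeric tcpdump output (tcpdump -n) for ICMPv6 echo traffic.
LINE = re.compile(r"^\S+ IP6 (\S+) > (\S+): ICMP6, echo (request|reply)")


def classify_requests(lines):
    """Return (source, verdict) for every echo request seen on the tunnel interface."""
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "request":
            continue
        src = ipaddress.ip_address(m.group(1))
        if src in EXTERNAL:
            verdict = "ok"                         # translated to the routed prefix
        elif src in INTERNAL:
            verdict = "internal-prefix-on-tunnel"  # the far end has no route back to this
        else:
            verdict = "unexpected-prefix"
        results.append((str(src), verdict))
    return results


# Constructed capture lines modelled on the two captures in the post.
SAMPLE = [
    "12:30:00.852675 IP6 2001:db8:aaaa:0:b4f3:a128:d588:5fa6 > 2001:db8:ffff::e: ICMP6, echo request, seq 1, length 64",
    "12:30:00.863742 IP6 2001:db8:ffff::e > 2001:db8:aaaa:0:b4f3:a128:d588:5fa6: ICMP6, echo reply, seq 1, length 64",
    "12:32:25.379827 IP6 2001:db8:bbbb::1002 > 2001:db8:ffff::e: ICMP6, echo request, seq 0, length 16",
]

if __name__ == "__main__":
    for src, verdict in classify_requests(SAMPLE):
        print(src, verdict)
    print("tunnel address after reverse swap:",
          swap_prefix("2001:db8:aaaa::1002", EXTERNAL, INTERNAL))
```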

4
17.7 Legacy Series / [SOLVED] Update timeouts/delays since 17.7.2 is available
« on: September 25, 2017, 12:26:52 pm »
Folks,

There is a strange problem with my opnsense install. I was wondering if somebody has any ideas how to resolve or at least troubleshoot it further.

I've skipped 17.7.2, as I was away for a while. Since 17.7.3 became available, the update UI always fails with "Firmware status check was aborted internally. Please try again." Often the "Update"/"Plugins"/"Packages" tabs are unusually empty. In the logs I see "config.d.py [...] returned exit status 1"

Doing opnsense-update from the command line seems to work, but it is extremely slow, takes approximately 10 minutes (mostly while doing pkg-static update and pkg-static upgrade) to check the status and then it took hours to upgrade to 17.7.3.

Another strange thing: update UI "thinks" the system is stuck at 17.7.1 (that's the latest version shown), while upgrade to 17.7.3 seems to be successful and dashboard says "OPNsense 17.7.3-amd64"

Reboot doesn't change anything. I tried multiple update mirrors, but there is no difference in timing.

Thanks a lot.
