Messages - lar.hed

121
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 27, 2023, 10:00:33 am »
I just had a look into my settings for Unbound / DoT / DNSSEC - and sure enough I use Quad and Cloudflare, two IPs from each. Now I use 4 Custom Forward, since I got into problems with only Quad active. So I used all four of them - but I guess the Quad IPs are never used since they are last in the list.

That being said, I will later today when I am alone on the network (trying to be nice here....) re-enable Unbound, but without DNSSEC. And see what happens.

And I also wonder which DoT servers one should use nowadays...
Are Google's the only ones that work?

122
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 24, 2023, 12:22:49 pm »
Still without DNSSEC and DoT?

123
23.7 Legacy Series / Re: So I seem to have this: "[Error] dhclientunknown dhcp option value 0x78"
« on: November 18, 2023, 06:06:53 pm »
Ahh - that actually makes sense considering what I have on the WAN - ISP provider side. So I ignore that! Large Thanks!

124
23.7 Legacy Series / So I seem to have this: "[Error] dhclientunknown dhcp option value 0x78"
« on: November 18, 2023, 12:06:31 pm »
So from time to time I get this in my System:Log File:General
Code:
unknown dhcp option value 0x78
Does anyone have an idea what that option code is? It cannot be vital because the system works.... I am just a bit curious...

125
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 09, 2023, 10:17:57 am »
Okay, if you phrase it like that I need to change my answer:

Yes, the interface is static (10.168.2.1/24 - Upstream GW = Auto detect) - however the client that is connected to that port, aka "Surface Book 2 PC with Windows 10", is DHCP (10.168.2.20). So yes, the interface is static - I just assumed (assumption is the mother of all f*ckups and all that) you referenced my PC and not the interface port on my h/w running OPNsense. This is clearly my mistake, sorry for the confusion.

126
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 09, 2023, 09:26:28 am »
For what it is worth: Still working after that patch.

I have also done a few more diffs on rules.debug - the one last night returned zero, this morning returned a lot more rows, but some of those lines are not interesting (state, block country and stuff). Let me know if anyone needs them, but I say they do not bring any news to the table.

127
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 08, 2023, 05:08:37 pm »
Quote from: franco on November 08, 2023, 01:45:23 pm
> Oh and now I have behaved so I have also reapplied the patch (not edited the file) in a correct manner....

Hehe, that made me happy <3

Just for the record: I just returned back home, and the link has been down for at least 5 hours. No problem after reapplying the patch - works like it always has.

128
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 08, 2023, 05:06:07 pm »
Quote from: franco on November 08, 2023, 01:45:23 pm
Thanks for the debugging. Highly appreciated. igb2 is static IPv4, right?

igb2 is DHCP.

igb2 is actually my work PC (Microsoft Surface Book 2, connected over USB-C<->Thunderbolt to my Dell 4021Q screen, which has an Ethernet port connected to the igb2 interface). The igb2 interface has DHCP since, well, from time to time I actually do use a Dlink switch when I need more connections at my work desk. So it needs to be DHCP for those very, very limited and few occasions.

129
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 08, 2023, 10:32:50 am »
Patrick, very large thanks for your help and suggestion. For the moment I will put this on hold, and rebuild my firewall from scratch. This is more of a ProxMox thing now - I will install ProxMox to get the ability to more easily revert back to a previous version with snapshots and stuff like that - and when OPNsense is installed back on top of ProxMox, of course, I will start hunting whatever is giving me challenges. However, as I rebuild with ProxMox a lot of stuff will change, such as interface port assignments - so there will not be any way for me to restore my config file....

However, I will store my old config just-in-case I decide to revert back to bare metal again. Better safe than sorry (and after all, I just did re-install of OPNsense bare metal....).

130
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 08, 2023, 09:34:52 am »
Oh and now I have behaved so I have also reapplied the patch (not edited the file) in a correct manner....

131
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 08, 2023, 09:32:42 am »
Okay, so this morning OPNsense was back in order - I had the same problem as before. I am also running the UNmodified file, the lines were completely removed. Just as it was last night when I rebooted, so why this extra time between link down - a bunch of 12 hours or so - link up -> no connection to the outside world on this particular directly connected PC (1.1.1.1 works, so raw IP traffic works perfectly).

So I directly brought up my MobaXterm, logged into OPNsense and cp'd the file. Then I ran the command suggested, "/usr/local/etc/rc.filter_configure" - and the Internet connection was restored. I then cp'd the file again, and here is the result - it looks a bit like the one before (no, there is no WAN or LTE down - all traffic goes over WAN):

Code:
diff -u /root/rules.bad /root/rules.good
--- /root/rules.bad     2023-11-08 09:14:25.069074000 +0100
+++ /root/rules.good    2023-11-08 09:15:13.266804000 +0100
@@ -68,6 +68,7 @@
 no nat proto carp all
 no rdr proto carp all
 # [prio: 200]
+nat on igb7 inet from (igb2:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
 nat on igb7 inet from (vlan01:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
 nat on igb7 inet from (igb0:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
 nat on igb7 inet from (igb5:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
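Review bot: the only line this hunk adds is the port 500 static-port outbound NAT rule for (igb2:network) on igb7, while the neighbouring rules for vlan01, igb0 and igb5 are unchanged, so rules.bad was generated with the igb2 network left out of the automatic outbound NAT set for the LTE interface. A rule set generated while igb2 was down (the interface listed below as the one with the link-down/link-up problem) would look exactly like this, so it is worth checking what state igb2 was in when rules.bad was produced rather than treating the automatic rules themselves as the oddity.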
@@ -76,6 +77,7 @@
 nat on igb7 inet from (igb4:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
 nat on igb7 inet from (igb6:network) to any port 500 -> (igb7:0) static-port # Automatic outbound rule
 nat on igb7 inet from 127.0.0.0/8 to any port 500 -> (igb7:0) static-port # Automatic outbound rule
+nat on igb7 inet from (igb2:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
 nat on igb7 inet from (vlan01:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
 nat on igb7 inet from (igb0:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
 nat on igb7 inet from (igb5:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
@@ -84,6 +86,7 @@
 nat on igb7 inet from (igb4:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
 nat on igb7 inet from (igb6:network) to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
 nat on igb7 inet from 127.0.0.0/8 to any -> (igb7:0) port 1024:65535 # Automatic outbound rule
+nat on igb1 inet from (igb2:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
 nat on igb1 inet from (vlan01:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
 nat on igb1 inet from (igb0:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
 nat on igb1 inet from (igb5:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
@@ -92,6 +95,7 @@
 nat on igb1 inet from (igb4:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
 nat on igb1 inet from (igb6:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
 nat on igb1 inet from 127.0.0.0/8 to any port 500 -> (igb1:0) static-port # Automatic outbound rule
+nat on igb1 inet from (igb2:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
 nat on igb1 inet from (vlan01:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
 nat on igb1 inet from (igb0:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
 nat on igb1 inet from (igb5:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
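Review bot: same pattern on igb1, the primary WAN according to the interface list below: the general port 1024:65535 outbound NAT rule for (igb2:network) is missing from rules.bad, as the port 500 one was in the previous hunk. With neither rule loaded, traffic from the igb2 network would leave igb1 with its private source address, which fits only the igb2-connected PC losing outside connectivity while the other interfaces kept working, and it explains why re-running /usr/local/etc/rc.filter_configure (which regenerates the full set) fixes it. The post says 1.1.1.1 is reachable, which a missing outbound NAT rule alone would not allow from the PC, so it would help to confirm that test was run from the PC and not from the firewall itself.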

Some interface info:
igb1 = WAN (Primary)
igb7 = LTE (failover for WAN that is)

igb2 = PC that has this link-down/link-up problem

igb0 = Home Assistant server
igb5 = Laser printer with built in scanner
igb4 = Extra server interface, currently not connected at all
igb6 / vland1 = Unifi AP, where vlan1 is IoT
igb3 = Media with things like Kef speakers, Chromecast and projector

I find some strange things in the above. Like well any of the "Automatic outbound rule". Why do they appear when the WAN link is stable? Do note that the box has been rebooted after WAN problem, and well the WAN has been up since then...

Anyways, the thing to accept is that the command:
Code:
/usr/local/etc/rc.filter_configure
Solves my problem with link-down/<a large amount of time it seems>/link-up and no internet connection (which looks a lot like a DNS problem, but since all other interfaces have DNS resolution it is more likely to be something not DNS related - like filter....)
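As an added example (not code from the thread or from OPNsense itself): a small POSIX shell check that scripts the comparison made in the post, counting the "Automatic outbound rule" NAT entries a generated rules file carries for one LAN network on one WAN interface, so a rule set missing them can be flagged before anyone notices the lost connectivity. The sample rule sets are constructed inline from the igb1 lines in the diff; on a live box the function would be pointed at the rules.debug file the post mentions.

```shell
#!/bin/sh
# Added example, not part of the forum thread: verify that a generated pf
# rules file still carries the automatic outbound NAT entries for a LAN
# interface leaving a WAN interface. Two entries are expected per pair, as in
# the diff above: the port 500 static-port rule and the port 1024:65535 rule.

# Count outbound NAT rules in file $1 for LAN interface $3 leaving WAN $2.
# grep -c prints 0 (and exits 1) when nothing matches, hence the "|| true".
outbound_nat_count() {
  grep -cF "nat on $2 inet from ($3:network) to any" "$1" || true
}

# Print a verdict; exit status 0 when both rules are present, 1 otherwise.
check_outbound_nat() {
  n=$(outbound_nat_count "$1" "$2" "$3")
  if [ "$n" -ge 2 ]; then
    echo "ok: $3 -> $2 has $n outbound NAT rules"
    return 0
  fi
  echo "MISSING: $3 -> $2 has only $n outbound NAT rules (expected 2)"
  return 1
}

# Constructed sample rule sets mirroring the thread's rules.bad / rules.good
# (igb1 lines only; interface names are the ones from the post).
RULES_BAD=$(mktemp); RULES_GOOD=$(mktemp)
trap 'rm -f "$RULES_BAD" "$RULES_GOOD"' EXIT
cat > "$RULES_BAD" <<'EOF'
nat on igb1 inet from (vlan01:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
nat on igb1 inet from (igb0:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule
nat on igb1 inet from (vlan01:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
nat on igb1 inet from (igb0:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule
EOF
# rules.good is rules.bad plus the two igb2 lines the diff shows as added.
{ echo 'nat on igb1 inet from (igb2:network) to any port 500 -> (igb1:0) static-port # Automatic outbound rule'
  echo 'nat on igb1 inet from (igb2:network) to any -> (igb1:0) port 1024:65535 # Automatic outbound rule'
  cat "$RULES_BAD"; } > "$RULES_GOOD"

check_outbound_nat "$RULES_BAD" igb1 igb2 || echo "rules.bad would send igb2 traffic out un-NATed"
check_outbound_nat "$RULES_GOOD" igb1 igb2
```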

132
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 07, 2023, 03:34:35 pm »
I might be able to get them tomorrow. However, be assured that browsing on IP address intranet and internet (1.1.1.1) work perfect. Name resolution does not - and it is firewall wide, no unit has name resolution no matter what segment or VLAN for that matter.

133
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 07, 2023, 03:21:20 pm »
Since link down/up seems to have resolved itself somehow ??? I decided to return to my Unbound issue.

After disabling DNSmasq and enabling Unbound - no name resolution on any device. Did, for the sake of testing, a reboot of the OPNsense h/w. No difference. Disabled Unbound, turned on DNSmasq - everything works like a charm. Go figure.

134
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 07, 2023, 02:51:39 pm »
Nope, I have no way of triggering the problem anymore. :'(

I partly like to have this problem gone, but I also like to know why/what and so on. So even if I am partly okay with everything is back to normal, I would very much like to know what and why.

What I have tried is reboot, cold restart, all cables out, and some more. There is nothing I can do to trigger this.
Except maybe reinstall everything from 23.7 and then upgrade, restore config - maybe that might re-trigger this. I might have to look into that, just need some more time....

135
23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside
« on: November 07, 2023, 01:51:19 pm »
Okay, now I have kind of an inverted problem: I cannot recreate the problem.

And to be very clear: The filter lines are commented, so they are not executed, and YES I have rebooted my OPNsense Bare metal firewall hardware. And now it works, and yes, WAN is back up. ???

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved