Messages - nghappiness

#16
Hi,

My OPNsense with Suricata bare-metal box stopped passing traffic for about 10 minutes; my work VPN got dropped.  I can't ping my firewall, which is my gateway.  I started to check on my home switch and log in to the OPNsense.  It started to work again.  Please let me know what logs I should start to check for the cause.

Neither the firewall nor my local switch rebooted itself.  I already checked System -> Log Files -> General.  The firewall was not able to contact my network UPS server via NUT.  No DHCP messages, no interface up/down messages.

Any help/pointers will be much appreciated.

#17
Hi IsaacFL,

Yes, thanks for pointing it out!  I need to get a pencil and paper to do some binary math...
#18
I found that automatic floating rule under my WAN interface.

Can you go to Firewall > Aliases and look for bogonsv6?  What is the number in the Loaded column?  I have 140163.

Log in to the CLI and go to /tmp/bogons:

drwxr-x---  2 root  wheel        6 Apr 16 03:13 .
drwxrwxrwt  8 root  wheel       40 Apr 20 12:52 ..
-rw-r-----  1 root  wheel    55232 Apr 12 01:15 bogons.txz
-rw-r-----  1 root  wheel     1332 Apr 12 01:15 bogons.txz.sig
-rw-r--r--  1 root  wheel    14910 Apr 11 21:55 fullbogons-ipv4.txt
-rw-r--r--  1 root  wheel  2306406 Apr 11 21:55 fullbogons-ipv6.txt

I got nothing beginning with fe80 in fullbogons-ipv6.txt.

I also checked Firewall > Diagnostics > Aliases and selected bogonsv6 from the drop-down (top left).  I don't see any entries beginning with fe80.

#19
I am interested in taking a closer look at the matching sample pcap and filter log, if possible.  What version of OPNsense are you running?  The filter log you posted before looks different from the one on my firewall.

I found this in my filter log.

1 2023-04-07T20:16:46-07:00 opn.home.net filterlog 16947 - [meta sequenceId="151715"] 131,,,b8350fa47ada7fe6c07ace7650fc4dcc,vlan01,match,pass,in,6,0x00,0x00000,1,icmp,1,36,fe80::<redux>,ff02::16,truncated-ip6=36

I wonder if it is because of the truncated IPv6 packet; the filter log just prints out the protocol name incorrectly.

See if you can find the rule matched under Firewall: Log Files: Live View and apply a filter like "interface contains igb0" and "action is block"?

Just need to make sure those automatically generated rules are logged.  (System > Settings > Logging > "Log packets matched from the default pass rules put in the ruleset" is checked.)
#20
Quote: Ok, seems I may have misunderstood something important... the `icmp,1` in the log is not ICMP type 1 but rather protocol 1 (which just means ICMP again).

The protocol is ICMPv6, not ICMP.  The ICMPv6 protocol number is 58.

Quote: I also blocked all outbound ipv6 traffic and reset the state table, and still saw these packets inbound. So as far as I can tell this is "normal" traffic from my ISP, but opnsense is blocking it.

Time for a ticket to the provider?  Or are they supporting multicast?
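The log line in post #19 and the protocol discussion in post #20 turn on how a filterlog record is laid out: `icmp,1` is the protoname and protonum fields, not an ICMP type. The following is an added example (not code from this thread or from the OPNsense project) that decodes both the syslog CSV form and the Live View key/value form and flags the case where protocol 1 shows up on an IPv6 packet. It assumes the IPv6 field order visible in the thread's own line, which matches the labels the Live View prints; the sample records below are constructed, with placeholder addresses.

```python
"""Decode OPNsense filterlog records: the syslog CSV line and the Live View dump."""
import csv
import io

# Common header and IPv6 section of a filterlog record, named with the labels the
# Live View itself prints.  Assumption for this example: the order observed in the
# thread's log line.  IPv4 records carry a different section and are not decoded.
COMMON_FIELDS = ["rulenr", "subrulenr", "anchorname", "rid", "interface",
                 "reason", "action", "dir", "ipversion"]
IPV6_FIELDS = ["class", "flow", "hoplimit", "protoname", "protonum",
               "length", "src", "dst"]

# IANA protocol numbers: 1 is ICMP (IPv4); ICMPv6 is 58, which pf names ipv6-icmp.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}

# Constructed sample in the thread's format (fe80::1 is a placeholder source).
SAMPLE_SYSLOG = (
    '1 2023-04-07T20:16:46-07:00 opn.home.net filterlog 16947 - '
    '[meta sequenceId="151715"] '
    '131,,,b8350fa47ada7fe6c07ace7650fc4dcc,vlan01,match,pass,in,6,'
    '0x00,0x00000,1,icmp,1,36,fe80::1,ff02::16,truncated-ip6=36'
)

# Constructed sample of a Live View record: one "key value" pair per line.
SAMPLE_LIVEVIEW = """\
__timestamp__ 2023-04-13T17:00:40-07:00
action [pass]
anchorname
class 0x00
dir [in]
dst 2001:db8::2004
flow 0x00000
hoplimit 128
interface vlan01
interface_name lan
ipversion 6
label Allow Outbound
length 40
protoname ipv6-icmp
protonum 58
reason match
rid 8a899f5fb6680084e61474ff6a9575f9
rulenr 182
src fd0f:aaaa:bbbb:3::100
subrulenr
"""


def _payload(line):
    """Drop an RFC 5424 syslog header ('... filterlog PID - [meta ...] ') if present."""
    head, sep, rest = line.partition("] ")
    return rest if sep and " filterlog " in head else line


def parse_filterlog(line):
    """Parse one filterlog line into a dict; only IPv6 records are decoded here."""
    fields = next(csv.reader(io.StringIO(_payload(line).strip())))
    rec = dict(zip(COMMON_FIELDS, fields))
    if rec.get("ipversion") != "6":
        raise ValueError("this example decodes IPv6 records only")
    rest = fields[len(COMMON_FIELDS):]
    rec.update(zip(IPV6_FIELDS, rest))
    rec["trailer"] = rest[len(IPV6_FIELDS):]   # protocol-specific tail, e.g. truncated-ip6=36
    return rec


def parse_liveview(text):
    """Parse the 'key value' dump shown under Firewall > Log Files > Live View."""
    rec = {}
    for raw in text.strip().splitlines():
        key, _, value = raw.strip().partition(" ")
        rec[key] = value.strip().strip("[]")   # '[pass]' -> 'pass'
    return rec


def protocol_issue(rec):
    """Return a note if protoname/protonum do not fit the record, else None.

    On an IPv6 packet the ICMP protocol number should be 58 (ipv6-icmp).  A 1
    there means the logger did not see the real next header; the record's
    trailer then carries 'truncated-ip6=...'.
    """
    num = int(rec["protonum"])
    if rec.get("ipversion") == "6" and num == 1:
        truncated = any(t.startswith("truncated-ip6") for t in rec.get("trailer", []))
        return ("protocol 1 (icmp) logged on an IPv6 packet; ICMPv6 is 58 (ipv6-icmp)"
                + (", packet was truncated" if truncated else ""))
    if PROTOCOLS.get(num, rec["protoname"]) != rec["protoname"]:
        return f"protoname {rec['protoname']} does not match protonum {num}"
    return None


if __name__ == "__main__":
    for rec in (parse_filterlog(SAMPLE_SYSLOG), parse_liveview(SAMPLE_LIVEVIEW)):
        print(rec["interface"], rec["action"], rec["src"], "->", rec["dst"],
              protocol_issue(rec) or "protocol fields consistent")
```

Feeding real lines from the filter log through `parse_filterlog` and then `protocol_issue` separates records that merely look like ICMP type 1 from genuine ICMPv6 (protonum 58), which is the distinction the two posts above are working out.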
#21
I checked my filter log; I don't see the same type of log as described.

Here is a guess:

Some IPv6 device on your network is trying to reach another IPv6 device on the Internet, but the ISP router is not able to reach that destination and is sending you a destination unreachable?

If you are seeing the same "src, dst, and ICMPv6 type 1" repeatedly in the filter log, that session never got aged out, regardless of whether you uncheck "Block bogon networks" and save.  You may want to try the following:

Firewall > Diagnostics > States, filter for that session and hit the trash can command to clear that session?

Or you may need to reset the state table: Firewall > Diagnostics > States > Actions.  That will drop the entire session table.  Anything that is transferring will need to re-establish new connections.

It will be interesting to figure out what is causing the ICMPv6 destination unreachable.  Can you stop all IPv6 traffic from your LANs/trust to WAN/Internet and see if that stops those filter logs?
#22
ICMPv6 type 1 is destination unreachable.

ff02::1:ff00:1 is a solicited-node multicast address.

Which IPv6 device has the fe80::10 local address?  Can you log in to the OPNsense CLI and check the ndp -a output against the arp -a output for your ISP IPv4 router MAC address?

See if the fe80::10 is coming from your ISP?
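Post #22 identifies ff02::1:ff00:1 as a solicited-node multicast address. Which unicast address a solicited-node group belongs to follows from RFC 4291: the group is ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended. The following is an added example, not code from this thread or from OPNsense, that derives the group for a given address and names the well-known link-local groups that show up in filter logs (ff02::16 from post #19 among them); the addresses passed to it are constructed.

```python
"""Solicited-node multicast derivation and well-known IPv6 link-local groups."""
import ipaddress

# Well-known link-local scope multicast groups (RFC 4291, RFC 3810, RFC 8415).
WELL_KNOWN = {
    "ff02::1": "all nodes on link",
    "ff02::2": "all routers on link",
    "ff02::16": "all MLDv2-capable routers (MLD reports go here)",
    "ff02::1:2": "all DHCPv6 relay agents and servers",
}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(unicast):
    """Return ff02::1:ffXX:XXXX for a unicast/link-local address (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def matches_solicited(unicast, group):
    """True if neighbour solicitations for `unicast` would be sent to `group`."""
    return solicited_node(unicast) == ipaddress.IPv6Address(group)


def describe_multicast(addr):
    """Name a multicast destination seen in a log, or None for non-multicast."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    if str(a) in WELL_KNOWN:
        return WELL_KNOWN[str(a)]
    if a in SOLICITED_NODE:
        low24 = int(a) & 0xFFFFFF
        return (f"solicited-node group for unicast addresses whose last 24 bits "
                f"are {low24:06x}")
    return "other multicast group"


if __name__ == "__main__":
    # Constructed addresses: a link-local host and a ULA gateway ending in ::1.
    for host in ("fe80::10", "fddd:1:2:3::1"):
        print(host, "->", solicited_node(host))
    for dst in ("ff02::16", "ff02::1:ff00:1", "ff02::1:ff00:10"):
        print(dst, ":", describe_multicast(dst))
```

Because only the low 24 bits are used, every address ending in ::1 (a common gateway or router address on any prefix) maps to ff02::1:ff00:1, so that group alone does not identify which host is being solicited; comparing `ndp -a` against the candidates, as the post suggests, does.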

#23
Quote: Since you do not have an external prefix assigned to the interface but only a /128 plus delegation, there is nothing to autodetect. Sorry not to have better news. Dynamic prefixes suck.

Thanks for the explanation on NPTv6!  I am happy that I don't need to use a 6in4 tunnel anymore!
#24
Quote: Does the prefix change?

The prefix can change (i.e., if I reboot OPNsense).

Quote: NPT6 only works with static prefixes.

OK.  I got confused by the full help in the NPTv6 setup.

Quote: Enter the external (WAN) IPv6 prefix for the Network Prefix Translation. Leave empty to auto-detect the prefix address. The prefix size specified for the internal prefix will also be applied to the external prefix.

I thought it would auto-detect.

Thanks for the link to ipspace.  Let me read about it.
#25
I have a Pi-hole as DNS server behind the LAN interface.  I would like to set up dual stack on the Pi-hole.  I will need to get a static IPv6 address for the Pi-hole.  The only way I can think of is by using ULA with NPTv6.

The ifconfig output does not include the prefix delegation information.

Interface -> overview > WAN

Status up
DHCP
DHCPv4 up   DHCPv6 up   
MAC address <redux> - Intel Corporate
MTU 1500
IPv4 address aa.bb.cc.44/21
IPv4 gateway auto-detected: aa.bb.cc.1
IPv6 link-local fe80::aaaa:ffff:ffff:1/64
IPv6 address 2001:<redux>::65cd/128
IPv6 delegated prefix 2001:<redux>::/56
IPv6 gateway auto-detected: fe80::5555:aaaa:fddd:6666
#26
Hi,

I am trying to set up NPTv6 for my home with my ISP, which provides IPv6-PD as a /56.  I am running 23.1.5_4.

The WAN interface is set to DHCPv6; it is getting the IPv6 delegated prefix.

I am already able to ping6 out to the Internet from the OPNsense console.

The LAN interface is set to static IPv6, with fddd:xxxx:yyyy:z::1/64.

Set up DHCPv6 for LAN: enabled, range fddd:xxxx:yyyy:z::100 to fddd:xxxx:yyyy:z::120.

Firewall > NAT > NPTv6

Interface WAN
Internal IPv6 prefix fddd:xxxx:yyyy:z:: / 64
External IPv6 prefix: left it blank.

Save.

ping6 from behind the firewall: no luck.

Firewall > Log Files > Live view

__timestamp__ 2023-04-13T16:56:32-07:00
action [binat]
anchorname
class 0x00
dir [out]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan07
interface_name wan
ipversion 6
label binat rule
length 40
protoname ipv6-icmp
protonum 58
reason match
rid
rulenr 0
src fd0f:xxxx:yyyy:3::100
subrulenr


__timestamp__ 2023-04-13T17:00:40-07:00
action [pass]
anchorname
class 0x00
dir [in]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan01
interface_name lan
ipversion 6
label Allow Outbound
length 40
protoname ipv6-icmp
protonum 58
reason match
rid 8a899f5fb6680084e61474ff6a9575f9
rulenr 182
src fd0f:xxxx:yyyy:3::100
subrulenr


Please help, what am I missing?

Thanks!
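Posts #24 to #26 describe the NPTv6 setup: an internal ULA /64 on the LAN, a /56 delegated to the WAN, and an external prefix that cannot be auto-detected because the WAN holds only a /128 plus the delegation. The following is an added example, not code from this thread or from OPNsense, that shows the arithmetic an NPTv6 rule performs once both prefixes are known: it carves one /64 out of the delegated /56 to serve as the external prefix and rewrites addresses in each direction. It does a plain prefix substitution and does not implement the RFC 6296 checksum-neutral adjustment; the prefixes and addresses are constructed documentation values, and `subnet_index` is a parameter chosen for this example.

```python
"""NPTv6 prefix arithmetic: pick an external /64 from a /56 delegation and map addresses."""
import ipaddress


def external_prefix_from_pd(delegated, subnet_index, prefixlen=64):
    """Return the `subnet_index`-th /prefixlen inside the delegated prefix.

    For a /56 delegation there are 256 candidate /64s; OPNsense needs one of
    them entered as the external prefix, since a /128 WAN address alone gives
    nothing to auto-detect.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    count = 1 << (prefixlen - pd.prefixlen)
    if not 0 <= subnet_index < count:
        raise ValueError(f"{delegated} only holds {count} /{prefixlen} subnets")
    base = int(pd.network_address) + (subnet_index << (128 - prefixlen))
    return ipaddress.IPv6Network((base, prefixlen))


def translate(addr, from_prefix, to_prefix):
    """Rewrite the prefix bits of `addr`, keeping the host bits (plain substitution)."""
    a = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("internal and external prefixes must have the same length")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = 128 - src.prefixlen
    host = int(a) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | host)


def npt_map(internal, delegated, subnet_index):
    """Build the internal/external pair for one NPTv6 rule from the current delegation.

    Because the delegated prefix can change (post #24: e.g. after a reboot),
    the pair has to be rebuilt from the new delegation whenever that happens.
    """
    ext = external_prefix_from_pd(delegated, subnet_index)
    return {"internal": str(ipaddress.IPv6Network(internal)), "external": str(ext)}


if __name__ == "__main__":
    # Constructed values: ULA LAN prefix and a documentation-range /56 delegation.
    rule = npt_map("fd0f:aaaa:bbbb:3::/64", "2001:db8:ab00::/56", 3)
    print("rule:", rule)
    out = translate("fd0f:aaaa:bbbb:3::100", rule["internal"], rule["external"])
    print("outbound src", "fd0f:aaaa:bbbb:3::100", "->", out)
    print("inbound dst", out, "->", translate(str(out), rule["external"], rule["internal"]))
```

With the external prefix left blank, as in post #26, there is no `to_prefix` for the outbound rewrite, which is why the `binat` log entry in that post still shows the ULA source address leaving the WAN.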






#27
Just updated to 23.1.5.  The LAG stays up after reboot.

See the information from Reddit.

https://www.reddit.com/r/opnsense/comments/1255xr8/2314_lagg_wont_come_up_after_reboot/

#28
In my case, I have a Brocade ICX6450.  I tested with 23.1.4_1.

I tried disconnecting and reconnecting the cables.  That did not restore the LAGG.

Going to Interfaces -> Other Types: LAGG, selecting the LAG and toggling the Fast timeout check box will restore the LAGG.

Are there any logs I can check on the OPNsense end to determine the root cause and how to fix it?

Thanks,

E
#29
I have an HP T730 with an Intel T350-TX card.  It has two LAGG groups with LACP enabled.  After upgrading from 22.7 to 23.1, the LAGG won't come up; the switch end reports LAG block, LACP timeout.  I need to log in, go to Interfaces > Other Types > LAGG and uncheck or check Fast timeout, then save.  The LAGG will work again.

Any suggestion, or log I can provide, to help troubleshoot this?

Thanks,

E
#30
Hello,

On the Dashboard traffic graph widget, I have two interfaces selected.  Both interfaces are colored in red with different shades.  Is there a way to change the selected color?  If I click on the traffic graph, that brings me to Reporting: Traffic, where each interface has a unique color instead.

Thanks for your time...