Topics - CanadaGuy

1
24.7 Production Series / intel PC 24.7.2 install stopped routing/switching last night
« on: August 24, 2024, 05:54:40 pm »
I updated to 24.7 shortly after it was released, then .1 and .2 on August 21st. Things have been fine; however, last night at some point it simply stopped switching VLANs (at least), but maybe routing too. All I know is that all my VLAN trunks and routing stopped working. A reset started it up again.

I couldn't reasonably do console access as my password is stupid long, I don't have an easy-to-use console, and I didn't want to try troubleshooting using my phone LTE connection.

I'm not experienced in looking for/parsing logs. Is there a way to find out when and why it stopped last night? I've already rebooted, so does that mean logs are gone?

2
General Discussion / delete firewall state after delay after reboot based on criteria
« on: September 22, 2023, 08:24:12 pm »
When I reboot my opnsense box, my Cisco ATA seems to have issues with opnsense, in that the ATA somehow gets a stuck state in the firewall and the state never times out (after days for example) or otherwise clears. Once I delete that stuck state, the ATA connects and it is good to the next reboot.

1) Can someone describe or point me to how I would script the removal of a firewall state based on source IP (and maybe destination port)?
2) Can someone describe how I might apply this to run after a delay after opnsense starts up?

I do believe it is related to FreeBSD or opnsense, as I have a similar issue (I think) with wireguard tunnels that run on a host behind opnsense. I don't have the skills or knowledge to debug this myself, but would be open to working with someone to resolve the root issue. I did not have these issues with these exact devices behind my UI EdgeRouter.

3
23.7 Legacy Series / ssh login shell switched to /sbin/nologin
« on: September 06, 2023, 04:58:56 pm »
We had a power outage today and upon reboot the WebUI wasn't loading. I tried to SSH in to restart the WebUI, but I was getting a keyboard-interactive prompt despite knowing the password was correct. After restarting opnsense, I could get back into the UI and noticed the result in the attached image. After returning it to /bin/sh for my user, I could log in as usual.

Could this have happened during the 23.7 update? I rarely SSH in so it's possible it was due to an issue from a while ago. Anyone else have this problem?

Update: I just found this post https://forum.opnsense.org/index.php?topic=35415.msg171845

4
23.1 Legacy Series / issue when adding static IPv6 to interface, but IP exists as virtual
« on: March 30, 2023, 05:40:13 pm »
I was running into issues with radvd not starting after I made some IPv6 changes. After debugging I discovered that no error or warning is presented when attempting to set a static IPv6 address that already exists as a virtual IP (on the same interface).

I accept this is 100% user error, but perhaps checking the virtual IP list when adding an interface static IP could prevent similar issues. I was switching between IPv6 subnets, so I had my new subnet IP as a virtual IP while I was attempting to debug other connectivity issues.

5
General Discussion / bad firewall states for VOIP and WG tunnels after opnsense reboot
« on: March 30, 2023, 05:37:09 pm »
If I reboot the OPNsense host, the wireguard and SIP VOIP encounter issues with what appear to be stale or bad states in the firewall table. I can clearly see the states, delete them, and instantly restore connectivity. This only happens after a reboot.

My wild guess is that the stuck states are there from connection attempts during OPNsense boot. For some reason, the firewall still sees the state as valid, but neither WG nor my SIP VOIP work.

No other services have issues.

Thoughts?

6
General Discussion / WG tunnel firewall state going stale, requires delete to restore connectivity
« on: February 27, 2023, 04:57:55 pm »
Since I switched to opnsense I've had issues with my WireGuard tunnels. I connect several tunnels from a host on my LAN to a few servers on the public internet. It seems these tunnels go stale and stop passing traffic after a while. I have a 10-second keepalive, but that doesn't seem to keep the tunnel open. Searching for the destination IP in my firewall state table and deleting the states allows the connection to resume.

Is there any state checking I can implement to keep this from happening? I'm using "port forward" to implement DNAT as I want to redirect these IPs for everything BUT SSH and WG UDP.

What can cause the firewall state to stop forwarding traffic and prevent opening a new connection?
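Posts 2, 5 and 6 above all end up at the same manual fix: find the stuck pf state for a host and delete it. The script below is an added example, not code from the poster or from the OPNsense project. It wraps the state kill in a small POSIX sh script that validates its input, composes the pfctl(8) arguments (`-k SRC` kills states whose source is SRC; a second `-k DST` narrows to that destination; `-k host` cannot filter on port, so the script does not pretend to), and optionally sleeps before acting so it can be started at boot. The IP addresses are constructed placeholders, and the file path and cron line in the comments are assumptions.

```shell
#!/bin/sh
# Added example: kill stuck pf states for a source host on OPNsense/FreeBSD.
# Assumes pfctl(8) is available (it is on OPNsense). Addresses used in the
# comments and usage are constructed placeholders (RFC 5737 ranges).
#
# Usage: kill_stuck_state.sh SRC_IP [DST_IP]
#   STARTUP_DELAY=120 kill_stuck_state.sh 192.0.2.10   # wait 2 min, then kill
#
# To run after boot, FreeBSD cron(8) understands "@reboot". Assumed crontab
# line (hypothetical path):
#   @reboot STARTUP_DELAY=120 /usr/local/bin/kill_stuck_state.sh 192.0.2.10
# Caveat (assumption): OPNsense regenerates root's crontab from its own config,
# so a hand-edited entry may be lost; the durable route is a custom action
# under /usr/local/opnsense/service/conf/actions.d/ scheduled from
# System > Settings > Cron, which then calls this script.

# Basic syntactic check for a dotted-quad IPv4 address, so a typo or an
# injected string never reaches pfctl. Returns 0 when valid, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split into octets (positional params, function-local)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Compose the pfctl argument string: "-k SRC" or "-k SRC -k DST".
build_kill_args() {
    src=$1
    dst=${2:-}
    if [ -n "$dst" ]; then
        printf '%s' "-k $src -k $dst"
    else
        printf '%s' "-k $src"
    fi
}

# Validate, then invoke pfctl. Returns 2 on bad input, 1 if pfctl is absent
# (e.g. when run on a non-BSD host for a dry run), else pfctl's own status.
kill_states() {
    src=$1
    dst=${2:-}
    is_ipv4 "$src" || { echo "invalid source address: '$src'" >&2; return 2; }
    if [ -n "$dst" ] && ! is_ipv4 "$dst"; then
        echo "invalid destination address: '$dst'" >&2
        return 2
    fi
    args=$(build_kill_args "$src" "$dst")
    if command -v pfctl >/dev/null 2>&1; then
        # shellcheck disable=SC2086   # intentional word splitting of $args
        pfctl $args
    else
        echo "pfctl not found; would run: pfctl $args" >&2
        return 1
    fi
}

# Entry point: only act when called with arguments, so the functions above can
# also be sourced for testing without side effects.
if [ "$#" -ge 1 ]; then
    sleep "${STARTUP_DELAY:-0}"
    kill_states "$@"
fi
```

Because a stuck state reappears after the next reboot, this is a mitigation for the symptom, not a fix: pairing it with a look at the state's age in Firewall > Diagnostics > States (and at the pf rule that created it) is what eventually points at the root cause.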

7
23.1 Legacy Series / state of Unbound cache-max-negative-ttl
« on: February 24, 2023, 11:21:53 pm »
Google produced this result:

https://forum.opnsense.org/index.php?topic=23747.msg113055

and it seems there are no "custom options" for Unbound in the GUI. Am I not looking hard enough? How can I configure this in a supported fashion?

8
General Discussion / slow first connection with IPv6
« on: February 23, 2023, 04:27:57 pm »
Since I switched to opnsense a week ago, I've noticed that new IPv6 connections are delayed from one Linux host to another (within my subnet or outside...see below). After the first connection (e.g. ping6 host) then connections are instantaneous until I leave it idle for a few minutes. Windows clients don't seem to have this issue.

At first I thought this was a DNS issue, so I added an IPv6 entry in /etc/hosts on my client PC, but it didn't make a difference. This response highlights the issue: the delay is long enough that the host initially doesn't believe a connected route exists, but then is able to continue:

Code:
[root@backup ~]# ping -6 dns.example.com
PING dns.example.com(dns.example.com (::244::10)) 56 data bytes
From backup.example.com (::10::30) icmp_seq=1 Destination unreachable: Address unreachable
64 bytes from dns.example.com (::244::10): icmp_seq=2 ttl=63 time=0.583 ms
64 bytes from dns.example.com (::244::10): icmp_seq=3 ttl=63 time=0.659 ms

This is highly repeatable if I wait just a few minutes between tests. Is there some dynamic routing in IPv6 that I can fix so that it isn't doing the discovery every few minutes? I had no such issues with my Ubiquiti config with the same prefix and tunnel (HE.net) end point.

I just noticed that ipv6.google.com exhibits the same (again from a Linux host) with opnsense as my gateway.

Code:
[root@backup ~]# ping ipv6.google.com
PING ipv6.google.com(yyz10s05-in-x0e.1e100.net (2607:f8b0:400b:80c::200e)) 56 data bytes
From backup.example.com (::10::30) icmp_seq=1 Destination unreachable: Address unreachable
64 bytes from yyz10s17-in-x0e.1e100.net (2607:f8b0:400b:80c::200e): icmp_seq=2 ttl=120 time=9.44 ms
64 bytes from yyz10s17-in-x0e.1e100.net (2607:f8b0:400b:80c::200e): icmp_seq=3 ttl=120 time=9.06 ms
64 bytes from yyz10s05-in-x0e.1e100.net (2607:f8b0:400b:80c::200e): icmp_seq=4 ttl=120 time=9.31 ms

One consequence is that ssh -6 often fails in a script, as it sees the connection as a failure. ssh -4 always works fine.

9
General Discussion / reply to incoming packet not respecting policy based routing
« on: February 20, 2023, 03:45:50 pm »
I'm new to OPNsense and I'm coming from Ubiquiti EdgeOS (similar to old Vyatta). I have policy based routing configured and working for the most part. Connections initiated from my network go out the correct interface (WAN2 - remoteips_server alias). I have NOT configured this as a traditional wan interface, I just wanted to route some traffic through this interface (WireGuard tunnel on a server) instead of the main WAN interface. All other aspects of the network are working as expected (gateways, vlans, firewalls, etc.)

When I initiate an external connection that comes in from WAN2 (remoteips_server alias) to a host, the reply gets routed out WAN1 instead. My initial guess is that the incoming connection uses an existing firewall state to get routed back out the default gateway (WAN1). An alternative is that there are default rules on all interfaces which pass related connections before processing the rest of the rules where my PBR is specified.

How do I get a reply to an incoming connection to either go out the WAN it came in on, OR add a firewall rule that will operate on new AND existing connections? My intention is that all internet traffic should go out the remoteips_server gateway, except traffic defined in prior rules like local LAN connections.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved