Recent posts

#21
Virtual private networks / Re: Unable to stablish first I...
Last post by malhal - Today at 06:24:55 PM
I was following the guide for Roadwarrior EAP-MSCHAPv2 and trying with macOS. Spent hours trying to debug the same problem as the OP, which ends with "deleting half open IKE_SA with client after timeout".

What resolved it for me was just deleting the macOS IKEv2 VPN configuration and re-adding it. My theory is something got broken in it when trial and error editing local ID and authentication method. Since this UI is just updating config files maybe certain edits can leave the config in a broken state.

edit: did a quick test. If the macOS IKEv2 VPN is set to user authentication and is working, and you change it to authentication None with any shared secret entered, then attempt to change it back to User authentication with the same info as before, that config will never work again.

In case it helps anyone else, to get EAP-MSCHAPv2 working, in Remote Authentication I set the EAP Id to the client's username and leave the Pre-Shared Key->Remote Identifier blank. That seems to be the only way to get the username actually verified. E.g. if EAP Id is set to %any, then during connection the username is just ignored and can be set to anything, even if it is set in the Pre-Shared Key->Remote Identifier, which seems strange to me.
#22
German - Deutsch / Re: Dual WAN Setup mit IPv6 Pr...
Last post by Maurice - Today at 06:14:50 PM
No images are visible in your post here. If you host them yourself, check your server configuration and reachability. Or simply upload them directly here.

Quote from: martine on Today at 04:57:24 PM
I'd rather not split the clients into two networks

But that would be exactly the right solution. Anything else works, if at all, only with a lot of tinkering and workarounds.

Regards
Maurice
#23
Tutorials and FAQs / Re: [HOWTO] Configure IPv6 in ...
Last post by Maurice - Today at 06:03:50 PM
The "track interface" feature for NPT uses the prefix which is on-link on the selected interface. When using NPT for Internet access, this will typically be the WAN interface. This has several disadvantages; most importantly, you can only use NPT for a single LAN subnet.

What would make more sense is using a subnet of the delegated prefix (like it's done for "track interface" type LAN interfaces), but that's currently not supported.
#24
High availability / Re: HAProxy not working / star...
Last post by rohitashs - Today at 06:02:16 PM
Quote from: Patrick M. Hausen on December 18, 2025, 06:24:03 PM
Notice the small triangles on every tab but the introduction? These open up the menus.

Ah ok! Duh! And for whatever reason the earlier error message has gone away. Did not make any changes but it all seems to be working now.
#25
General Discussion / Re: Unable to remove neighbor ...
Last post by franco - Today at 05:21:09 PM
I tested on 25.7.10 and it adds and deletes the neighbor entry from the configuration.

It likely does not remove the neighbor from the ARP table until a reboot. Static ARP in ISC DHCP may change that if you apply there, but that's for historic reasons. There are upcoming changes related to these topics in 26.1.

So in case I haven't answered your question or bug can you be more precise?


Thanks,
Franco
#26
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - Today at 05:11:33 PM
Great, thank you!  :)
#27
General Discussion / update: kea, almost dynamic WA...
Last post by vimage22 - Today at 05:05:10 PM
The script has been modified to perform 3 functions.
Rewrite the prefix, if it is new, for the subnet and pools.
Restart the Kea service to load the new prefix
Restart Router Advertisements to update clients

Testing is using 'testing.conf'
contents =
{
    "Dhcp6": {
        "subnet6": [
            {
                "id": 1,
                "subnet": "2601:xx:xx:xx::\/64",
                "pools": [
                    {
                        "pool": "2601:xx:xx:xx::0\/120"
                    }
                ]
            }
        ]
    }
}

The new script:
#!/bin/sh
# /usr/local/sbin/kea_prefix_change.sh

change_log='/var/log/wan_ipv6_change.log'
FILE_NAME='/root/testing.conf'
# FILE_NAME='/usr/local/etc/kea/kea-dhcp6.conf'

# Prefix currently in the Kea config: first subnet only, address part without the /length
VAR1=$(jq -r '.Dhcp6.subnet6[0].subnet' "$FILE_NAME" | cut -d'/' -f1)
echo "VAR1 = $VAR1"

# Prefix currently delegated on the WAN ('igc0' is hardcoded, see caveats below)
v6Prefix=$(cut -d'/' -f1 /tmp/igc0_prefixv6)
VAR2=$v6Prefix
echo "VAR2 = $VAR2"

# Never run the replacement with an empty value: sed would otherwise mangle the config
if [ -z "$VAR1" ] || [ -z "$VAR2" ]; then
    echo "$(date) Could not determine current or new prefix, aborting." >> "$change_log"
    exit 1
fi

if [ "$VAR1" != "$VAR2" ]; then
    echo "$(date) Variables are not equal. Running code." >> "$change_log"
    # Perform the find and replace operation
    sed -i '' "s/$VAR1/$VAR2/g" "$FILE_NAME"
    echo "$(date) Replacement complete in $FILE_NAME." >> "$change_log"
    # Restart the Kea service to load the new prefix
    pluginctl -s kea-dhcp restart; sleep 1
    # Restart Router Advertisements to update clients
    pluginctl -s radvd restart >> "$change_log"
    sleep 1
    # Log the event
    echo "$(date) WAN IPv6 prefix change detected." >> "$change_log"
fi
echo "Done..."
exit 0

To make it live, uncomment line 6.

Caveats:
At the moment, this only has the potential to work for a 'simple' WAN IPv6 setup.
'igc0' is hardcoded. You would need to change this in the script to match the interface.

Is there an easy way to trigger this script only when the WAN prefix changes?
I have looked at 'dhcp6c_wan_script.sh', which contains something called 'reason' but I would not want to change a factory script in any way.

Any comments would be most welcome.
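As an added example (not vimage22's script and not part of OPNsense), here is the rewrite step done on the JSON structure instead of with a global sed over the whole file: it renumbers only the subnet and pool entries, keeps the host part of each pool (so "::100/120" stays "::100/120" under the new prefix), rejects a prefix that is not a valid IPv6 network, and reports whether anything changed so the service restarts can be skipped when nothing did. It goes slightly beyond the post in that it works for any delegated prefix length, not only /64: with a /56 the subnet bits below the delegation are kept. The config below is a constructed sample in the shape of testing.conf using the 2001:db8::/32 documentation range; the prefix-file path and the assumption that a bare address in that file means a /64 are mine.

```python
"""Renumber the delegated prefix in a Kea DHCPv6 config (added example, not the poster's script)."""
import ipaddress
import json
import os
import sys

# Constructed sample in the same shape as testing.conf from the post (documentation prefix, not real).
SAMPLE_CONFIG = json.dumps({
    "Dhcp6": {
        "subnet6": [
            {
                "id": 1,
                "subnet": "2001:db8:1:1::/64",
                "pools": [{"pool": "2001:db8:1:1::100/120"}],
            }
        ]
    }
}, indent=4)


def is_valid_prefix(prefix: str) -> bool:
    """True only for a proper network, e.g. 2001:db8:2:2::/64 (host bits set or garbage -> False)."""
    try:
        ipaddress.IPv6Network(prefix, strict=True)
        return True
    except ValueError:
        return False


def _renumber(cidr: str, new_net: ipaddress.IPv6Network) -> str:
    """Replace the top new_net.prefixlen bits of 'addr/len', keeping the remaining bits and the length."""
    addr_str, plen = cidr.split("/")
    old_addr = int(ipaddress.IPv6Address(addr_str))
    host_mask = (1 << (128 - new_net.prefixlen)) - 1
    new_addr = int(new_net.network_address) | (old_addr & host_mask)
    return f"{ipaddress.IPv6Address(new_addr)}/{plen}"


def rewrite_prefix(config_text: str, new_prefix: str):
    """Return (new_config_text, changed). Raises ValueError for an invalid prefix."""
    new_net = ipaddress.IPv6Network(new_prefix, strict=True)
    config = json.loads(config_text)
    changed = False
    for subnet in config["Dhcp6"]["subnet6"]:
        new_subnet = _renumber(subnet["subnet"], new_net)
        if new_subnet != subnet["subnet"]:
            subnet["subnet"] = new_subnet
            changed = True
        for pool in subnet.get("pools", []):
            new_pool = _renumber(pool["pool"], new_net)
            if new_pool != pool["pool"]:
                pool["pool"] = new_pool
                changed = True
    return json.dumps(config, indent=4), changed


def list_prefixes(config_text: str):
    """All subnet and pool CIDR strings in document order (handy for checking a rewrite)."""
    out = []
    for subnet in json.loads(config_text)["Dhcp6"]["subnet6"]:
        out.append(subnet["subnet"])
        out.extend(pool["pool"] for pool in subnet.get("pools", []))
    return out


def main(config_path: str, prefix_path: str) -> bool:
    """Rewrite config_path in place if the prefix in prefix_path differs; return True when it changed."""
    with open(prefix_path) as fh:
        new_prefix = fh.read().strip()
    if "/" not in new_prefix:
        new_prefix += "/64"  # assumption: a bare address in the prefix file means a /64 delegation
    with open(config_path) as fh:
        original = fh.read()
    updated, changed = rewrite_prefix(original, new_prefix)
    if changed:
        tmp = config_path + ".new"
        with open(tmp, "w") as fh:
            fh.write(updated)
        os.replace(tmp, config_path)  # atomic swap so Kea never reads a half-written file
    return changed


if __name__ == "__main__":
    # Usage: kea_prefix_rewrite.py <kea-dhcp6.conf> </tmp/igc0_prefixv6>
    # Exit 0 when the config changed (so a shell caller can chain the restarts with &&), 1 otherwise.
    sys.exit(0 if main(*sys.argv[1:3]) else 1)
```

A caller would then restart Kea and radvd only on exit status 0, and could run Kea's own config check (kea-dhcp6 -t on the rewritten file) before the restart, since a config that fails to parse leaves clients with no DHCPv6 at all. Note that json.dumps writes "/" unescaped where the original file had "\/"; both spellings are the same JSON value.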
#28
German - Deutsch / Dual WAN Setup mit IPv6 Proble...
Last post by martine - Today at 04:57:24 PM
Hello,

I have set up a dual WAN setup in OPNsense, with the goal of being able to assign the respective line to a client in the network via firewall rules.

The purpose is that I can use the fast downstream line for large downloads, such as game updates on the PS5. So far this works without problems for IPv4, only with IPv6 it won't.

On the clients on which I want to use the fast line, I get a mix of the IPv4 from one gateway and the IPv6 from the other gateway, which leads to problems.

I'd rather not split the clients into two networks or do load balancing or failover. Perhaps someone has an idea how the problem can be solved.

Setup:

As the WAN interface I have a Fritzbox 7590 AX with VDSL, and as OPT1 a PYUR Sagem cable box which has a cable connection. The LAN port goes to a switch to which all clients are connected.

This is what the gateways look like

The LAN interface. Here I currently use IPv6 Configuration Type: Track Interface with the interface of the Telekom connection, since this is to be the default for all clients. That way, clients without a firewall rule don't get a provider mix of IPv4 and IPv6.

Interface PYUR

Interface TKom

The interface overview. Here I see that LAN has not received a v6 address from the Pyur gateway, I suspect because Track Interface of the Telekom connection is selected in the LAN interface. So none of the clients get an IPv6 from the Pyur connection either.

Overview of the firewall rules for LAN

Here a firewall rule for IPv4 for the Pyur connection

And here one for IPv6, which doesn't take effect.

I have already tried quite a bit, such as assigning a virtual IPv6, but unfortunately that did not bring success either.

I have Router Advertisements set to Assisted.

Perhaps someone has an idea how I can achieve my goal. Many thanks in advance for looking at the post.
#29
25.7, 25.10 Series / Re: Version 25.7.9 did not cha...
Last post by franco - Today at 04:39:55 PM
@kozistan the only thing I can think of is that the update stopped after

> socat upgraded: 1.8.0.3 -> 1.8.1.0

but it feels rather weird it didn't even mention removing opnsense package.

But it also looks like the files are there which makes me think you don't have many packages in your local database?

# pkg info | wc -l
     191

Should be somewhere over 100 packages at least.

The easiest way to fix it would be

# pkg install opnsense


Cheers,
Franco
#30
General Discussion / Re: 25.7.9 update - xorgproto:...
Last post by ibuka228 - Today at 04:30:46 PM
Seems it can be fixed by removing and reinstalling the Zenarmor plugins