20.7.5 - can't change settings on or (un-)assign VTI interfaces

Started by marcquark, December 02, 2020, 09:43:55 AM

Upgraded my lab boxes to 20.7.5 a couple of days ago. Now I noticed I can't change the settings on any of my VTI interfaces, i.e. I cannot add or delete a description and cannot change the enabled state. Then I tried unassigning the interface, but that doesn't work either. I also can't make any changes to related gateways that I had created.

While I don't recall testing this specifically, I do remember playing around with VTI interfaces quite a bit on 20.7.4 before and never ran into such an issue. Does anybody else observe this behaviour? Could it be caused by a failed migration? I currently don't have the time to create a clean test setup to check that.

If you are using VTI you should NEVER change/disable/assign gateways or interfaces.
Everything happens in the background when using the route-based type in Phase 2.


Hm, I probably just confused pfSense and OPNsense handling in my head. In the former, interfaces have to be assigned and enabled manually. Thanks for the clarification!

Regarding gateways: it should be possible to manually create a gateway on a VTI interface though, right? If I want to route WAN traffic from a specific server on site B through the WAN of site A, I'm going to need a gateway to select in the firewall rule on site B for policy routing...

One thing I noticed today though is that somehow the IP(v4) address on one of my VTI interfaces disappeared. I'm currently not certain whether this happened out of nowhere, or after I messed with interface settings and assignments in the GUI. So take that information as a note-to-self for now; I'll see if it happens again on any of my lab boxes and report back.

Now you are confusing me ..  :o
If I remember correctly, when you add a routed IPsec tunnel there should already be a gateway created for you?

Quote from: mimugmail on December 03, 2020, 11:50:01 AM
Now you are confusing me ..  :o
If I remember correctly, when you add a routed IPsec tunnel there should already be a gateway created for you?

I just double-checked this on two testing VMs. Interfaces are automatically created and assigned, but gateways are not. They can be created though. So it looks like everything is fine, I just mixed up pfSense and OPNsense in my head...

Another question: do you have experience in messing with / optimizing MTU and MSS values on VTI interfaces? It looks like it's at least possible to set and save them in the GUI. MTU seems to be applied correctly; not sure yet about MSS. Would be glad to get some input.

Also, I can now confirm that any VTI interface will lose its IP address when changing and applying config. I have to restart the IPsec service to get the tunnel working again.

VTI is known to have MTU issues in FreeBSD, there is a bug somewhere around. I'd consider route based only if really necessary

Quote from: mimugmail on December 08, 2020, 07:39:28 AM
VTI is known to have MTU issues in FreeBSD, there is a bug somewhere around. I'd consider route based only if really necessary

Could you elaborate, or do you have any more details? I can't really confirm that statement. Sure, one can't just slam it to 1500 and expect things to work without taking IPsec overhead into account. But other than that, I haven't had any issues so far, given that MTUs are calculated correctly and confirmed to work. MSS can also become tricky with TLS or SSH because they set the DF bit in Layer 3. But again, accounting for encapsulation and doing the math (or simply leaving sufficient headroom) usually does the trick.
I'd be very interested to read about potential bugs so I can avoid them before they bite me though.
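The "doing the math" for VTI MTU and MSS that the last two posts refer to, written out as an added example. This is not code from the thread or from OPNsense/FreeBSD; it only applies the ESP wire format from RFC 4303 (SPI + sequence number header, IV, padding, 2-byte trailer, ICV) plus the outer IP and optional NAT-T UDP header. It assumes the VTI carries ESP in tunnel mode, an outer IPv4 header without options, and the IV/ICV/alignment sizes of the listed cipher suites (AES-GCM and ChaCha20-Poly1305 need only 4-byte alignment, AES-CBC needs 16-byte blocks); ESN is assumed off, which does not change the on-wire size anyway. The suite names, the numbers for a 1500-byte underlay and the helper functions are illustrative, not a statement about what the GUI computes.

```python
"""ESP/VTI MTU and TCP MSS arithmetic (added example, not OPNsense code).

Every constant below is the RFC 4303 / RFC 4106 / RFC 7634 wire-format
size; the cipher profiles and the 1500-byte underlay are assumptions.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer/inner IPv4 header, no options (assumption)
IPV6_HDR = 40
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500) when enabled
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_HDR = 20
ICMP_HDR = 8


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int    # bytes of IV carried in the ESP payload
    icv_len: int   # integrity check value appended after the trailer
    block: int     # (payload + trailer) must be a multiple of this


# Illustrative suites; names are arbitrary labels, sizes are from the RFCs.
PROFILES = {
    "aes128gcm16": EspProfile("aes128gcm16", iv_len=8, icv_len=16, block=4),
    "chacha20poly1305": EspProfile("chacha20poly1305", 8, 16, 4),
    "aes256-sha256": EspProfile("aes256-sha256", 16, 16, 16),  # CBC + HMAC-SHA256-128
    "aes128-sha1": EspProfile("aes128-sha1", 16, 12, 16),      # CBC + HMAC-SHA1-96
}


def esp_padding(inner_len: int, p: EspProfile) -> int:
    """Padding bytes ESP adds so that inner packet + trailer is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % p.block


def encapsulated_size(inner_len: int, p: EspProfile,
                      outer_v6: bool = False, nat_t: bool = False) -> int:
    """Size on the underlay of one inner packet of inner_len bytes."""
    outer = IPV6_HDR if outer_v6 else IPV4_HDR
    udp = UDP_HDR if nat_t else 0
    return (outer + udp + ESP_HDR + p.iv_len + inner_len
            + esp_padding(inner_len, p) + ESP_TRAILER + p.icv_len)


def max_inner_mtu(underlay_mtu: int, p: EspProfile,
                  outer_v6: bool = False, nat_t: bool = False) -> int:
    """Largest inner packet (the VTI MTU) that never fragments on the underlay.

    Padding is data dependent, so pick the largest inner size for which
    inner + trailer is exactly block-aligned (zero padding).
    """
    outer = IPV6_HDR if outer_v6 else IPV4_HDR
    udp = UDP_HDR if nat_t else 0
    avail = underlay_mtu - (outer + udp + ESP_HDR + p.iv_len + p.icv_len)
    return (avail // p.block) * p.block - ESP_TRAILER


def tcp_mss(inner_mtu: int, inner_v6: bool = False) -> int:
    """MSS to clamp to so a full segment fits the VTI MTU (no IP options)."""
    return inner_mtu - (IPV6_HDR if inner_v6 else IPV4_HDR) - TCP_HDR


def ping_data_size(inner_mtu: int) -> int:
    """ICMP payload (ping -s value) that produces a packet of exactly inner_mtu."""
    return inner_mtu - IPV4_HDR - ICMP_HDR


def fits(inner_len: int, underlay_mtu: int, p: EspProfile, **kw) -> bool:
    """True if an inner packet of inner_len bytes fits the underlay after ESP."""
    return encapsulated_size(inner_len, p, **kw) <= underlay_mtu


if __name__ == "__main__":
    for name, prof in PROFILES.items():
        for nat_t in (False, True):
            mtu = max_inner_mtu(1500, prof, nat_t=nat_t)
            print(f"{name:18s} nat-t={nat_t!s:5s} VTI MTU {mtu}  "
                  f"MSS {tcp_mss(mtu)}  ping -D -s {ping_data_size(mtu)}")
```

To confirm a computed value on the box, send DF-marked pings of the matching size across the tunnel (FreeBSD `ping -D -s <bytes> <far-end VTI address>`): the `ping_data_size` value should go through and one byte more should be refused or dropped. If a value that the arithmetic says fits does not, the underlay path MTU is smaller than assumed or the SA adds bytes this model does not know about, and the VTI MTU should be lowered to whatever the test shows rather than trusted from the calculation.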